Periodic Reporting for period 4 - SWORD (Security Without Obscurity for Reliable Devices)
Reporting period: 2022-03-01 to 2023-08-31
Overall, the project’s achievements are in four directions: mathematical aspects (primitives and definitions); physical assumptions; open source hardware and software; evaluation and verification. Strong achievements have been obtained in all directions, as reflected by the list of published papers. In summary, the main advances during the first part of the project can be described as follows:
For the mathematical aspects, strong efforts have been made towards understanding security definitions for leakage-resistant authenticated encryption and designs that can satisfy these definitions. Our team also invested significant time in extending the formal analysis of masking schemes (in terms of composability and resistance against physical defaults).
Understanding the noise and independence assumptions that algorithmic countermeasures such as masking require in order to deliver security was at the core of our investigation of physical assumptions, together with the analysis of new learning problems (in particular the Learning Parity with Physical Noise problem).
Most of our ideas were tested on open prototype implementations. These include software (e.g. ARM Cortex) and FPGA implementations, but also the tape-out of a prototype chip, of which we analysed the noise and leakage characteristics.
Finally, the sound evaluation of physical security remains an important challenge. Major steps have been taken towards strict bounds on the information leakage of an implementation (together with several other results that pinpoint limitations of other approaches).
In the second part of the project, these four directions have been further extended in order to confirm the general feasibility of the “security without obscurity” vision put forward by the project, and combined into solutions that best combine protections at different abstraction levels.
Among the many results obtained, we would like to mention the following ones.
On the mathematical side, we compared and improved the efficiency of leakage-resistant modes of operation (e.g. with the Triplex mode, or with efforts towards avoiding idealized assumptions that are not verifiable/falsifiable). We made significant progress on the tightness of masking security proofs in the random probing and noisy leakage models, up to the point where they can be combined directly with practical evaluation tools. We also proposed a first model for the analysis of combined (side-channel and fault) attacks. We finally made significant progress towards masked gadgets that are composable and resistant against physical defaults.
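The noise and independence assumptions behind masking mentioned above (first part, physical assumptions) and the physical defaults that masked gadgets must resist (second part) can be illustrated with a small simulation. The code below is an added example written for this summary; it is not SWORD project software, and it uses an idealized Hamming-weight leakage model with a 256-value exhaustive enumeration rather than measured traces.

```python
"""First-order Boolean masking under a Hamming-weight leakage model.

Added example (not SWORD project code). By enumerating every 8-bit secret
and every mask it shows that
  * the leakage of one share taken alone carries no information about x,
  * the joint (second-order) leakage of both shares does, with a mean that
    is a linear function of HW(x); added noise leaves that mean unchanged
    but increases the number of traces needed to estimate it, which is
    where the noise assumption enters,
  * a physical default that lets the two shares interact (a register that
    held one share being overwritten with the other, i.e. transition
    leakage) gives x away directly, violating the independence assumption.
"""
import random

N_BITS = 8


def hw(v: int) -> int:
    return bin(v).count("1")


def mask(x: int, r: int) -> tuple[int, int]:
    """Split x into two shares (s0, s1) with s0 ^ s1 == x."""
    return r, x ^ r


def first_order_mean(x: int) -> float:
    """Mean leakage HW(s1) of one share over all masks r: equal for every x."""
    total = sum(hw(mask(x, r)[1]) for r in range(1 << N_BITS))
    return total / (1 << N_BITS)


def second_order_mean(x: int) -> float:
    """Mean of the centred product (HW(s0)-mu)*(HW(s1)-mu) over all masks r.

    For n independent bits this equals (n - 2*HW(x)) / 4: the combination of
    both shares' leakages is secret-dependent, which is what a second-order
    attack exploits and what the noise is meant to hide.
    """
    mu = N_BITS / 2
    total = 0.0
    for r in range(1 << N_BITS):
        s0, s1 = mask(x, r)
        total += (hw(s0) - mu) * (hw(s1) - mu)
    return total / (1 << N_BITS)


def noisy_second_order_estimate(x: int, sigma: float, traces: int, seed: int = 1) -> float:
    """Monte-Carlo estimate of second_order_mean with Gaussian noise of
    standard deviation sigma added to each share's leakage. The noise is
    independent and zero-mean, so the expectation is unchanged, but the
    variance of the estimate, hence the number of traces needed, grows
    with sigma."""
    rng = random.Random(seed)
    mu = N_BITS / 2
    acc = 0.0
    for _ in range(traces):
        s0, s1 = mask(x, rng.randrange(1 << N_BITS))
        l0 = hw(s0) + rng.gauss(0.0, sigma)
        l1 = hw(s1) + rng.gauss(0.0, sigma)
        acc += (l0 - mu) * (l1 - mu)
    return acc / traces


def transition_leak(x: int, r: int) -> int:
    """Physical default: a register holding s0 is overwritten with s1, and
    the power consumption depends on the bits that toggle, HW(s0 ^ s1).
    That equals HW(x), so masking provides no protection in this model."""
    s0, s1 = mask(x, r)
    return hw(s0 ^ s1)


if __name__ == "__main__":
    for x in (0x00, 0x0F, 0x5A, 0xFF):
        print(f"x=0x{x:02X} HW={hw(x)}  1st-order mean={first_order_mean(x):.2f}"
              f"  2nd-order mean={second_order_mean(x):+.2f}"
              f"  noisy estimate (sigma=2, 5000 traces)="
              f"{noisy_second_order_estimate(x, 2.0, 5000):+.2f}"
              f"  transition leak={transition_leak(x, 0x33)}")
```

The first-order mean is 4.0 for every x, while the second-order mean runs from +2.0 for x = 0x00 to -2.0 for x = 0xFF; the noisy estimate scatters around the same values, and the transition leakage reproduces HW(x) exactly.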
On the physical side, a very innovative part of the project was the work on “hard physical learning problems”, which mimic the well-known hard learning problems used in cryptography with physical functions. This can be used as a provocative way to implement primitives relying on hard learning problems, as formalized by the Learning Parity with Physical Noise (LPPN) assumption or the Learning with Physical Errors (LWPE) one. As an important contribution in this direction, we succeeded in reducing a broad class of physical problems to the standard Learning Parity with Noise (LPN) assumption. An even more promising direction is the introduction of the Learning with Physical Rounding (LWPR) problem, which can serve as a basis for strong re-keying schemes and was later found to have potential applications in post-quantum cryptography.
Finally, from the evaluation viewpoint, we developed new information-theoretic bounds that capture the profiling complexity of a side-channel attack, and tools aimed at bounding the worst-case security level. We also tackled the evaluation of challenging targets (e.g. breaking 32-bit masked software implementations of the AES) and developed statistical tools such as regression-based linear discriminant analysis, which allows modelling the leakage of such implementations without artificially introducing the algorithmic noise caused by small models.
We believe the combination of these results demonstrates the feasibility of developing cryptographic implementations whose physical security depends on sound and reproducible principles rather than on closed-source heuristics. These results also opened new research avenues, since some of them were found to have great potential for application in post-quantum cryptography. This led to the submission of an ERC Advanced Grant proposal, which was awarded to the PI.