Robust and Efficient Approaches to Evaluating Side Channel and Fault Attack Resilience

Implementing cryptography on embedded devices is an ongoing challenge. Over the last two decades a new type of adversary has emerged, relying on side channel leakage such as of response times, power or EM signals, etc. To account for such adversaries, sophisticated security certification and evaluation methods (Common Criteria, EMVCo, FIPS…) have been established to give users assurance that security claims have withstood independent evaluation. Recently the reliability of these evaluations has come into the spotlight: the Taiwanese citizen card proved to be insecure, and Snowden’s revelations about NSA's tampering with FIPS standards eroded public confidence.

REASSURE pursued 4 objectives:

The first objective was to increase the quality of all aspects of the vulnerability analysis component of existing evaluation schemes. We aimed to deliver a novel, structured detect-map-exploit approach that should improve the assurance in evaluation outcomes and the comparability of independently conducted evaluations as well as increase the effectiveness of the process.

The second objective was to cater for emerging areas such as the far more dynamic software development practices associated with the developing Internet-of-Things (IoT). Developers in these fields typically do not possess the expertise level nor equipment that (e.g.) smart card manufacturers developed over the last 20 years. Yet, IoT devices represent a more and more critical asset that cannot ignore the threat of physical attacks. Our goal was to help them by researching possibilities for the automation of leakage assessment practices, such that together with suitable leakage simulators, IoT developers could early on assess leakage properties of their code without needing immediate access to a testing lab.

The third objective was to deliver practical tools, data sets and shared best-practice within the community of stakeholders, with the expectation that this will improve the quality of the assessment and characterization provided for newly-discovered attacks.

Finally, the fourth objective was to get existing stakeholders to adopt the novel technologies and methodologies emerging from this project as well as to provide input into new standardization efforts to ensure that they benefit from the knowledge created by this project.

Regarding improvements of evaluation schemes, we delivered a novel evaluation strategy that works “backwards” from a well-defined worst-case adversary. This has the potential to maximise the assurance in evaluations by instantiating adversaries whose success can be bounded. We also significantly contributed to the understanding of deep learning-based evaluation, and to the use of leakage detection tools in the context of our structured testing regime.

In order to help IoT developers, we assessed the suitability of shortcut formulas as techniques enabling efficient a priori approximation of attack outcomes; we thoroughly analysed the use of leakage detection for conformance testing; we analysed how to automate leakage detection, which is one of the first steps of an evaluation. We also delivered a free introductive training on side-channel attacks, as well as a more advance training on leakage detection, first delivered during a workshop aligned with CARDIS 2018, before becoming a free self-led online training course (both of which can be accessed from the project website reassure.eu).
Many of the aforementioned results were integrated into tools, as targeted by our third objective. To help developers and researchers test attacks, and to improve the comparability of results, we published reference data sets (for AES and ECC), one software implementation for AES and a corresponding set of data sets for deep learning (the ASCAD database). We also released an open-source leakage simulator (ELMO) based on instruction-level profiles for a processor relevant for the IoT (used by NCSC, NXP, now underpins the ROSITA tool), an open source toolbox for SCA (JuliaSCA), an open source implementation for shortcut formulas, scripts related to shortcut formulas for ECC implementations, keyless rank estimation and local random probing model (belief propagation) for the worst-case analysis of ECC countermeasures. Finally, we developed Inspector Cloud, an online tool allowing to perform side-channel attacks.

Regarding dissemination towards the main stakeholders and standardization efforts, we provided comments to 2 ISO standards (20085-1 and -2) that matured during the lifetime of REASSURE. Our work on leakage detection also directly impacted on ISO 17825, which is now undergoing a revision. We presented our results at several meetings with JHAS and also exchanged with EMVCO, Global Platform and the European Union Agency for Cybersecurity (ENISA).

REASSURE techniques have been integrated into the processes of industrial partners, yielding significant performance improvements.

With the increase of interconnected and therefore typically security sensitive products in the context of IoT, but also with the rise of existing cyber-physical systems, there is a pressing need to transfer existing knowledge from the highly-sophisticated smart card community to other communities in these emerging areas. Furthermore, experts are still in need for more efficient, reliable side-channel evaluation methodologies, providing assurance that their outcomes can be relied upon, and that the security metrics they yield are comparable.

REASSURE results gave birth to 30 scientific publications. Several of our techniques were integrated by consortium members, bringing significant improvement in their internal procedures. Yet, REASSURE had the ambition of providing useful contributions, not only to its participants, but also to the community. The tools we produced have been downloaded several hundreds of times over the few months since they were put online. At the end of the project, we believe our combined effort enabled significant improvements in the common understanding of physical attacks.