Interactive Side-Channel Analysis

The modern, always-online world relies on numerous electronic devices. Ensuring the unobstructed operation of transactions is quintessential, yet non-trivial to achieve. Devices operate in resource-constraint environments, often trying to achieve security with very narrow margins. Physical attacks such as side-channel cryptanalysis and fault injection pose a serious threat against their security. Techniques such as Differential Power Analysis and Template Attacks exploit physical observables of embedded targets, compromising cryptography in otherwise secure mathematical ciphers. To meet the security needs of our society, numerous countermeasures have been deployed. Masking and shuffling rank among the most popular choices, yet they do not come for free. Deploying them can make the implementation cost prohibitive, leading to situations where only partially secure products are used in the field. Therefore, this thesis puts forward the following contribution points. First, it develops efficient masking and shuffling countermeasures. To do so, it relies on high speed assembly-based implementations that push the limit of ARM/AVR devices. It also investigates closely the security level, aiming to remove leakage effects that hinder countermeasures. Second, instead of viewing countermeasures as isolated components, it promotes a holistic approach that examines the interactions between countermeasures, security and performance of a cryptographic implementation. Through information-theoretic analysis, we establish the tradeoff between randomness and masking/shuffling countermeasures, culminating in Reduced Randomness Masking/Shuffling schemes. Likewise, we link the fault injection resistance of duplication, infective protection and build-in fault detection to the side-channel security. Such tradeoffs can assist the designer and result in effective, yet affordable security. Third, it integrates new attack vectors to the existing arsenal. It inspects closely the location-based attacks on ARM devices and assesses their real-world impact. Concurrently, we take steps towards modeling location leakage, aiming to understand its root cause and once again to establish tradeoffs between attack parameters and attack impact.