Improved Side-channel Leakage Detection and its Suitability with ISO/IEC 17825 Methodology (G12b)
Side-channels are non-intentional physical emanations which might leak sensitive information out of the boundary of chip. The threat is well-known: even if cryptographic keys are kept safe while at rest, they can be recovered by an attacker which would record so-called side-channel traces, and resort to sophisticated statistical techniques to extract the key from those traces, even though they are noisy and the device is fully black-box. As often in the context of cryptography, the attacker can choose its exploitation tool amongst a very large toolbox (differential power/electromagnetic analysis, correlation, mutual information, machine learning, etc.) From the defense side, at the opposite, the mere leakage can be fatal. This explains why modern approaches to testing side-channel resort to “detection techniques”. Indeed, those are agnostic of the subsequent mathematical analysis an attacker would leverage to make sense of the captured traces. Such method is promoted in ISO/IEC 17825 standards, which shall be seen as the “side-channel companion” of ISO/IEC 19790 (aka NIST FIPS 140-3). Recently, the ISO/IEC 17825 has entered into a formal revision process. We list hereafter the improvements that would be eligible to be find place in an updated version of this International Standard. First of all, it is important that the user of ISO/IEC 17825 understands the significance of the tests. Namely, no test can detect with 100% nor falsely report a leakage which is none. Rather, the tests shall be configured with requirements in this respect, namely values of false positive and false negative rates. Second, the tests shall be aware of the traces it analyses. In particular, the effort in terms of number of traces to analyze shall relate to their signal-to-noise ratio. This remark can typically be captured by the estimation of an “effect size”. Advantages of the suggested novel methods are the following. The test outcome (pass/fail) comes with a quantifiable confidence. For instance, tests which pass or fail borderline are considered less of an issue compared to tests which pass/fail with large margin. Moreover, the new method comes, as a byproduct, with a forecast of the number of traces to break the key. Eventually, this new method still fits in the former framework, thereby ensuring backward compatibility of current test equipments.