Improving the Design and Evaluation of Cryptographic Implementations against Leakage — Can Open Source Help and How?

Abstract:

In this talk, I will (1) argue that taking full advantage of research progresses in embedded security through (ideally standardized) countermeasures may strongly benefit from open source implementations maintained and publicly evaluated over time, and (2) describe a model of development that can serve such purposes by complementing the industrial ecosystem rather than competing with it, enabling a gradual integration of open source solutions when they become sufficiently stable over time.

On the one hand, it is expected that combining the longer-term quantitative evaluations that open source designs enable with shorter-term certifications to assess their integration will give rise to stronger technological building blocks in a foreseeable future. On the other hand, it is expected that identifying some open source designs as practically-relevant targets can serve as a constructive interface between academic research and industrial developments, limiting the need of hardly productive discussions about research being unpractical and, as a result, the need to target deployed products as a counter-argument (with all the responsible disclosure issues that it raises).

Note that while the examples in the talk will primarily focus on side-channel security, the general ideas put forward could be applicable to other physical (e.g., fault) attacks.