Seminar on Security of Embedded Electronic Systems

Home     Presentation     Previous years

François-Xavier Standaert

Hardware countermeasures strike back

Soon after the publication of the first DPA/EMA attacks, various hardware countermeasures have been proposed in order to mitigate them. The results of early security evaluations for these countermeasures frequently turned out to be disappointing, leading to the informal statement that "combining countermeasures" is the best way to obtain concrete security against side-channel attacks. In the following years, algorithmic solutions (such as masking, shuffling, ...) and cryptographic ones (e.g. leakage-resilience) have consequently attracted more and more attention.

In this talk, I will first argue that one reason for the disappointing conclusions about early hardware countermesures could be that we simply were too ambitious (i.e. expecting that they would prevent key recovery, typically). Next, I will take the example of masking and shuffling (and possibly leakage-resilience) to underline that such algorithmic/cryptographic countermeasures are all based on (sometimes strong) hardware assumptions. As a result, I will conclude that hardware countermeasures may still have an important role to play to protect future implementations: not to directly face the threat of key recovery, but rather to make sure that the (hopefully easier to reach) assumptions of algorithmic/cryptographic countermeasures can be met in practice.