Side Channel Analysis and Evaluation on Cryptographic Products

As a kind of important information security products, the cryptographic technique adopted by cryptographic products guarantees the confidentiality, integrity and non-repudiation of information. The side channel attack is an important security threat against cryptographic products. It mainly utilizes the leakage of side information (such as time, power consumption, etc.) during the operation of cryptographic algorithm, and attacks by analyzing the dependence between side information and secret information. It has become an important test content to evaluate the ability of cryptographic products to defend against the side channel attack. The development of side channel evaluation of cryptographic products is introduced from three aspects of attack test, general evaluation and formal verification. The attack test is the most popular way adopted in side channel evaluation, which aims to recover the secret imformation such as the key by executing specific attack process. The latter two methods are not for the purpose of recovering secret information, but focus on assessing whether there is any side information leakage in the cryptographic implementation. They are more general than the attack test because they do not require the evaluator to go into the details of the attack process and implementation. The general evaluation is to describe the degree of information leakage by means of statistical test and information entropy calculation. For example, Test Vector Leakage Assessment (TVLA) technology is widely used at present. The formal method is a new development direction to evaluate the effectiveness of side channel protection strategy which has the advantage that it can automatically/semiautomatically evaluate whether the cryptographic implementation has side channel attack vulnerability. The latest results of formal verification for different protection strategies such as software mask, hardware mask and fault protection is introduced in this paper, mainly including program verification, type inference and model counting.