Evaluating and Designing against Side-Channel Leakage: White Box or Black Box?
François-Xavier Standaert
Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, 2021-06-17
https://doi.org/10.1145/3437880.3458441
Side-channel analysis is an important concern for the security of cryptographic implementations, and may lead to powerful key recovery attacks if no countermeasures are deployed. Therefore, various types of protection mechanisms have been proposed over the last 20 years. In view of the cost and performance overheads caused by these protections, their fair evaluation and scarce use are a primary concern for hardware and software designers. Yet, the physical nature of side-channel analysis also renders the security evaluation of cryptographic implementations very different from that of cryptographic algorithms against mathematical cryptanalysis. That is, while the latter can be quantified based on (well-defined) time, data and memory complexities, the evaluation of side-channel security additionally requires quantifying the informativeness and exploitability of the physical leakages. This implies that a part of these security evaluations is inherently heuristic and dependent on engineering expertise. It also raises the question of the capabilities given to the adversary/evaluator. For example, should she get full (unrestricted) access to the implementation to gain a precise understanding of its functioning (which I will denote as the white box approach) or should she be more restricted? In this talk, I will argue that a white box approach is not only desirable in order to avoid designing and evaluating implementations with a "false sense of security" but also that such designs become feasible in view of the research progress made over the last two decades.