Affiliation:
1. STMicroelectronics, Italy
2. Politecnico di Milano, Italy
3. Security Pattern, Italy
Abstract
Implementing a cryptographic circuit poses challenges not always acknowledged in the backing mathematical theory. One of them is the vulnerability against side-channel attacks. A side-channel attack is a procedure that uses information leaked by the circuit through, for example, its own power consumption or electromagnetic emissions, to derive sensitive data (e.g., the secret key used for encryption). Nowadays, we design circuitry to keep this sensitive information from leaking (i.e., a countermeasure), but the path from specification down to implementation is far from being fully automatic. As we know, manual refinement steps can be error prone, and the consequences of such errors can be devastating in a scenario such as the one we are dealing with.
In this article, we investigate whether a single embedded domain specific language (EDSL) can, at the same time, help us in specifying and enforcing the functionality of the circuit as well as its protection against side-channel attacks. The EDSL is a fundamental block of an original design flow (named Countermeasure Against Side-Channel Attacks, i.e., CASCA) whose aim is to complement an existing industrial scenario and to provide the necessary guarantee that a secure primitive is not vulnerable up to a first-order attack. As a practical case study, we will show how we applied the proposed tools to ensure both functional and extra-functional correctness of a composite-field Advanced Encryption Standard (AES) S-Box. To ensure the reproducibility of this research, this article is accompanied by an open source release of the EDSL that contains the presented S-Box implementation and an additional 3-shares threshold implementation of the Keccak χ function [7].
Publisher
Association for Computing Machinery (ACM)
Subject
Electrical and Electronic Engineering, Computer Graphics and Computer-Aided Design, Computer Science Applications
References (31 articles)
1. Using Rewriting to Synthesize Functional Languages to Digital Circuits
2. Christiaan Pieter Rudolf Baaij. 2015. Digital Circuits in CλaSH: Functional Specifications and Type-directed Synthesis. Ph.D. Dissertation. University of Twente, Enschede. http://doc.utwente.nl/93962/
3. Mutual Information Analysis: a Comprehensive Study
4. Sleuth: Automated Verification of Software Power Analysis Countermeasures
Cited by
2 articles.