NSERC has approved the funding of the project entitled ‘Side-Channel Secure Designs and Implementations of Cryptographic Algorithms in Embedded Systems’ at $140K.
The massive deployment of embedded systems and the Internet of Things (IoT), not only in our homes, cars, and workplaces but also in manufacturing lines, hospitals, and power plants, rely critically on their secure operation. Although the underlying mathematical foundations of the popular cryptographic algorithms are sound and well-understood, recent research has shown that the current implementations of cryptographic algorithms can leak sensitive information through several side and covert channels to possible adversaries. For instance, consider a keyfob that uses a cryptographic algorithm to establish secure communication with a particular car. If we can capture the instantaneous power consumption of the keyfob by probing the battery connections or capture its near-field electromagnetic radiation, we can analyze these traces using various statistical tools to recover the secret keys used in the communication. Other sources of information leaks include variations in the execution time, photonic emissions, acoustic waves, and response to induced faults. This group of attacks is called Implementation Attacks, where the adversary exploits weaknesses in the underlying implementation of a cryptographic algorithm rather than its mathematical structure. Implementation Attacks can be passive or active. Passive implementation attacks, also known as Side-Channel Analysis, do not alter the normal operation of the target device. Active implementation attacks can be realized by injecting a controlled fault into the target system and analyzing the faulty output, representing Fault Attacks.
The proposed research program seeks a deeper and more quantified understanding of side and covert information analysis and implementation attacks against critical embedded and IoT systems and proposes novel design methodologies and robust implementations that are secured against these attacks without violating usability, cost or real-time constraints.