Side-channel resistance

Side-channel attacks are an increasingly important threat to the security of embedded systems. There are several types of side-channel attacks; the most important side channels are a processor chip's observable timing behavior, its power consumption, and its electromagnetic emissions. To counter these attacks, cryptographic code must be constant-time (execution time independent of secret data), PC-secure (the sequence of executed instructions, and thus the program counter, independent of secret data) and table-free (no memory accesses indexed by secret data) in all operations that process secret data. These countermeasures prevent secret information from leaking through the side channels. Applying them correctly is a hard problem unless a great deal of execution speed is sacrificed.
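The following is an added example written for this page, not ocrypto code, to show what the three properties look like in practice. It contrasts a leaky byte comparison and a leaky square-and-multiply with constant-time, branch-free and table-free versions built from a mask and a conditional swap. The function names (`ct_memeq`, `ct_cswap`, `ct_modexp`, and so on) and the 32-bit toy modulus are assumptions of the example; the `%`-based `mulmod` helper stands in for a real Montgomery multiplication and is itself not constant-time on hardware with variable-latency division.

```c
/* Added example: constant-time building blocks in C (not ocrypto code). */
#include <stddef.h>
#include <stdint.h>

/* Leaky comparison: returns at the first mismatching byte, so the
 * running time reveals how many leading bytes of the guess are right. */
int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: reads every byte, OR-accumulates the XOR of
 * the inputs, and converts the result to 0/1 arithmetically, not by branching. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    return (int)(((acc - 1u) >> 31) & 1u); /* acc == 0 -> 1, else 0 */
}

/* All-ones mask if bit == 1, all-zeros if bit == 0 (bit must be 0 or 1). */
static uint32_t ct_mask(uint32_t bit) { return 0u - bit; }

/* bit ? a : b, computed without a data-dependent branch. */
uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b)
{
    uint32_t m = ct_mask(bit);
    return (a & m) | (b & ~m);
}

/* Conditionally swap *x and *y. The instruction sequence and the memory
 * addresses touched are identical whether bit is 0 or 1. */
void ct_cswap(uint32_t bit, uint32_t *x, uint32_t *y)
{
    uint32_t t = (*x ^ *y) & ct_mask(bit);
    *x ^= t;
    *y ^= t;
}

/* Toy modular multiplication; the division is NOT constant-time on most
 * CPUs, a real library would use Montgomery multiplication here. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky square-and-multiply: the multiply runs only when the exponent bit
 * is 1, so timing, power and the program counter all reveal the exponent. */
uint32_t leaky_modexp(uint32_t g, uint32_t e, uint32_t m)
{
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((e >> i) & 1u)
            r = mulmod(r, g, m);
    }
    return r;
}

/* Montgomery ladder: exactly one squaring and one multiplication per bit,
 * with the exponent bit consumed only by ct_cswap. No secret-dependent
 * branch (PC-secure) and no secret-indexed lookup (table-free).
 * Invariant after each step: r0 = g^k, r1 = g^(k+1). */
uint32_t ct_modexp(uint32_t g, uint32_t e, uint32_t m)
{
    uint32_t r0 = 1 % m, r1 = g % m;
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (e >> i) & 1u;
        ct_cswap(bit, &r0, &r1);
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        ct_cswap(bit, &r0, &r1);
    }
    return r0;
}

/* Self-check of the swap primitive; returns 1 on success. */
int ct_cswap_selftest(void)
{
    uint32_t x = 0x11111111u, y = 0x22222222u;
    ct_cswap(0, &x, &y);
    if (x != 0x11111111u || y != 0x22222222u) return 0;
    ct_cswap(1, &x, &y);
    return (x == 0x22222222u && y == 0x11111111u) ? 1 : 0;
}
```

Note that source-level discipline like this is necessary but not sufficient: an optimizing compiler may reintroduce a branch for `ct_select`, and the hardware multiplier or divider may have operand-dependent latency, so the generated machine code and the target's instruction timing both have to be checked.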

All relevant operations in ocrypto have been designed from the outset for fast constant-time, PC-secure, and table-free execution. This makes the library side-channel resistant even on microcontrollers with data caches, where a secret-indexed table access would otherwise leak through cache timing. Moreover, it guarantees correctness and completeness (correct output for all edge cases) for elliptic curves, which is notoriously difficult to achieve in a highly efficient implementation. Achieving this uncompromising level of side-channel resistance without introducing massive overhead is what makes ocrypto unique in the industry. Check out these benchmarks to see what we mean.

Illustration of how power measurements can provide information about the data being processed

Formal proofs

We have created formal correctness proofs for our novel algorithmic approaches to modular reduction and had them reviewed by an independent authority (Prof. W. Meier, one of the designers of the BLAKE hash function). Our proofs were found to be "in all parts mathematically and formally correct". The proof and review documents are available to licensees.

Excerpt from the review of our formal correctness proofs

Testing

An extensive test suite is used to validate ocrypto, with standard test vectors, test vectors for border cases, negative tests, and random tests. The test suite is available to licensees.