Side-channel resistance

Side-channel attacks are an increasingly important threat to the security of embedded systems. There exist several types of side-channel attacks. The most important side channels are observable timing behavior, power consumption, and emitted radiation of a processor chip. To counter these attacks, cryptographic code must implement constant-time execution and table-free execution of all operations that process secret data. These countermeasures prevent the leaking of secret information through the side channels. Achieving constant-time and table-free execution is a hard problem, unless much execution speed can be sacrificed.

All relevant operations in ocrypto have been designed from the outset for fast constant-time and table-free execution. This property is guaranteed even for microcontrollers with data caches. Moreover, it is guaranteed for all edge cases, which is notoriously difficult in particular for NIST curves. Achieving this uncompromising level of resistance to side-channel attacks, without introducing massive overhead, is what makes ocrypto unique in the industry.

Illustration of how power measurements can provide information about the data being processed

Formal proofs

We have created formal correctness proofs for our novel algorithmic approaches to modular reduction and had them reviewed by an independent authority (Prof. W. Meier, one of the designers of the BLAKE hashing algorithm). Our proofs were found “in all parts mathematically and formally correct”. Proof and review documents are available to licensees.

Excerpt from the review of our formal correctness proofs

Testing

An extensive test suite is being used for validating ocrypto, with standard test vectors, test vectors for border cases, negative tests and random tests. The test suite is available to licensees.