Modelling cryptographic side-channels with Julia types
2021-07-28, 17:30–17:40 (UTC), Red

In cryptographic embedded systems, power-line or RF emissions can leak secrets. We use Julia to model both attacks and defenses. Some of our custom integer and array types record information observable by attackers, such as Hamming weights of values. Others implement counter-measures, such as masking values across randomized shares. Julia’s parametric type system conveniently allows us to stack these types without syntactic overhead when exploring or teaching side-channel security.

In hardware security, side-channel attackers can monitor analog signals, like the per-instruction power consumed. They can record this data during the execution of a cryptographic algorithm to gain additional information. Such leakage data can depend on intermediate values of the cipher, which themselves depend on the secret key. Hence, with such side-channel data, reconstructing the key of the cipher may become feasible.

In this talk, we focus on using Julia’s type system to create a framework for generating, analyzing and protecting such side-channel data. For this purpose, we create custom types that behave like integers or arrays. When passing values of these types to a Julia implementation of a cryptographic algorithm, multiple dispatch automatically produces an instrumented or transformed version of that algorithm. Usually, this process does not require modifications to the algorithm’s original implementation.

We look in particular at two different functionalities that we can integrate via such custom types:
- To simulate potential side-channel attacks, it is useful to generate data traces that depend on intermediate values. We will show how to construct types that log a trace of information about the values processed. This reduces the need for access to analog recording hardware, which is particularly useful when teaching side-channel security concepts in student practicals.
- To explore protection against side-channel attacks, values that depend on the secret key should never appear in memory without protection. We explore how integer and array-like types can be created to implement a range of techniques for splitting register values into multiple shares, to reduce the dependence of leakage data on the actual values processed.

Julia’s parametric type system allows us to arbitrarily stack those types on top of each other. For instance, protection types can be stacked on top of logging types. This construction allows us to conveniently collect traces of protected data which can be, for example, used to verify the effectiveness of the protection.




Postgraduate computer science student at the University of Cambridge, currently working with Markus Kuhn.

Senior Lecturer (associate professor) with the University of Cambridge Department of Computer Science.