Renauld, Mathieu
[UCL]
(eng)
With technology scaling, electronic devices are becoming ubiquitous in everyday applications (smartcards, car keys, ...). Many of these applications require security or privacy features for which cryptography is an essential building block. In the context of small embedded devices like smartcards, the security of cryptographic primitives is usually assessed using different types of cryptanalyses. For example, classical cryptanalysis targets the algorithm as a mathematical object. However, these devices are often physically accessible to the adversary, which additionally allows the adversary to target the implementations of cryptographic algorithms with physical cryptanalyses. In this setting, side-channel attacks exploiting (for example) the power consumption of microelectronic circuits have received increasing attention since their introduction 15 years ago, as they raise important challenges for secure hardware manufacturers.
Evaluating the side-channel security of an implementation is a non-trivial task: there are no hard-and-fast rules for deciding the optimal way to extract information from a side-channel leakage, or how to efficiently exploit it to break a cryptosystem. This thesis tackles this problem and aims at developing and analyzing new tools and metrics in order to better answer both questions. In the extraction part, we present a refined metric for evaluating the quantity of information available in actual side-channel measurements. We illustrate its importance by adapting it to the evaluation of various countermeasures introduced in the literature. In the exploitation part, we develop a new attack called Algebraic Side-Channel Attack that simultaneously exploits all the information available in the leakages and the adversary's computational power. It can succeed in very challenging scenarios using as few as one single leakage trace. We also present a new enumeration algorithm that can be integrated into any DPA attack in order to increase its success rate at the cost of more intense computations. We finally combine these observations by arguing for the need for new and properly defined classes of physical adversaries.
Bibliographic reference: Renauld, Mathieu. Advanced extraction and exploitation of side-channel information in cryptographic implementations. Prom.: Standaert, François-Xavier
Permanent URL: http://hdl.handle.net/2078.1/115152