Verhamme, Corentin
[UCL]
Standaert
[UCL]
The information age is seeing an increasing number of embedded applications, ranging from sensor networks to distributed control systems, not forgetting the IoT. What all these environments have in common is the use of connected devices in constrained environments to transmit information that may be sensitive, while offering easy access to the physical device. Current NIST standards can be implemented to fit these applications, at the cost of being sub-optimal and not meeting the security challenges that come from a deployed environment. For these reasons a lightweight cryptography competition was launched in 2016, and the winner is expected to be revealed in late 2022. Among the criteria stated by the NIST is security against side-channel attacks. In this thesis, we explore the leakage resistance of 9 of the 10 candidates in two steps. First, we evaluate the high-level leakage properties of the candidates' modes of operation. This high-level analysis allows us to observe that 6 candidates can mostly rely on implementation-level countermeasures. By contrast, 3 candidates (Ascon, ISAP and Romulus-T) have leakage-resistant features enabling efficient implementations, where different parts of the mode require different implementation-level countermeasures. Second, we investigate the hardware performance of these 3 leakage-resistant modes of operation and evaluate their leveled implementations. For Ascon and Romulus-T, we protect crucial parts of the design against Differential Power Analysis (DPA) with Hardware Private Circuits (HPC), a state-of-the-art masking scheme that jointly provides resistance against physical defaults and composability. For ISAP, these parts are based on a leakage-resilient PRF that embeds a fresh re-keying mechanism, such that they only require security against Simple Power Analysis (SPA). The latter is natively obtained thanks to parallelism in hardware.
We conclude that while a quantitative comparison of the finalists is an interesting discussion, the main criteria that should guide the NIST in selecting a leakage-resistant lightweight cryptography standard are qualitative. The limited relevance of quantitative comparisons at this stage of the competition follows from two facts. For ciphers that rely on comparable countermeasures (like Ascon and Romulus-T), the performance gap is limited and predictable from simple proxies such as the number of AND gates or the latency per round of execution. For ciphers that rely on different countermeasures (like ISAP), we currently lack tools that would allow a definitive comparison.


Bibliographic reference: Verhamme, Corentin. Analysis and implementation of side-channel countermeasures for NIST lightweight cryptography finalists. Ecole polytechnique de Louvain, Université catholique de Louvain, 2022. Prom.: Standaert.
Permalink: http://hdl.handle.net/2078.1/thesis:35587