### A Cautionary Note Regarding the Usage of Leakage Detection Tests in Security Evaluation

Carolyn Whitnall and Elisabeth Oswald

##### Abstract

An established ingredient in the security evaluation of cryptographic devices is leakage detection, whereby physically observable characteristics such as the power consumption are measured during operation and statistically analysed in search of sensitive data dependencies. However, depending on its precise execution, this approach potentially suffers several drawbacks: a risk of false positives, a difficulty interpreting negative outcomes, and the infeasibility of covering every possible eventuality. Moreover, efforts to mitigate for these drawbacks can be costly with respect to the data complexity of the testing procedures. In this work, we clarify the (varying) goals of leakage detection and assess how well-geared current practice is towards meeting each of those goals. We introduce some new innovations on existing methodologies and make recommendations for best practice. Ultimately, though, we find that many of the obstacles cannot be fully overcome according to existing statistical procedures, so that it remains to be highly cautious and to clearly state the limitations of the methods used when reporting outcomes.

Available format(s)
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
side-channel analysisleakage detectionsecurity certificationstatistical power analysis
Contact author(s)
carolyn whitnall @ bris ac uk
History
2019-09-06: last of 2 revisions
See all versions
Short URL
https://ia.cr/2019/703

CC BY

BibTeX

@misc{cryptoeprint:2019/703,
author = {Carolyn Whitnall and Elisabeth Oswald},
title = {A Cautionary Note Regarding the Usage of Leakage Detection Tests in Security Evaluation},
howpublished = {Cryptology ePrint Archive, Paper 2019/703},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/703}},
url = {https://eprint.iacr.org/2019/703}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.