Open ghost opened 3 years ago
Starting a conversation, here are some initial thoughts:
Attack model
The following assumptions are (commonly) used:
Choose SC
Characterizing different side-channel vulnerabilities based on a collection of factors (inspired by CVSS3.1):
These factors take a "base" value. Modified values can be derived from base ones when specific environmental factors are assumed.
Environmental factors considered so far:
The following table lists SCs and their characterization. It is meant as a tool to help us decide which SC to consider. For the modified values, the relevant environmental factor is in parentheses.
| # | Vulnerability | Privileges Required | Attack Vector | Attack Complexity | Scalability | Modified Privileges Required | Modified Attack Vector | Modified Attack Complexity | Modified Scalability |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Timing Analysis | None | Network | Low | High | | | | |
| 2 | Simple Power Analysis (SPA) | None | Physical | High | Low | Medium (template) | | | |
| 3 | Differential/Correlation Power Analysis (DPA/CPA) | None | Physical | Very High | Low | High (template) | | | |
| 4 | EM Analysis (EMA) | None | Physical | Very High | Low | High (template) | | | |
| 5 | Fault Analysis (FA) | None | Physical | Very High | Low | | | | |
| 6 | SW-based Power Analysis | Low | Local | Medium | Low | None (cohosting) | Network (cohosting) | High (cohosting) | |
| 7 | $\mu$-architectural (cache-timing, speculative) | Low | Local | High | Low | None (cohosting) | Network (cohosting) | High (cohosting) | |
3 & 4. PoI & RCA
Being thorough here; start by considering all calculations that include a secret quantity and continue by removing the non-vulnerable ones.
Could poi-tpke and poi-polyeval be combined?
epoch as the period between key refresh.
Since Ferveo is intended to be an "online" protocol and some/many primitives being used are not constant-time/may have other side-channel vulnerabilities, there should be an analysis and potential mitigations investigated (as needed).
Fortunately Ferveo is not like TLS where the latency is highly important, so hopefully this should be straightforward.