It has long been known that computer systems leak some information through so-called side-channels. Observing the input-output behavior of a computer system may not provide any useful information on sensitive information, such as secret keys used by the computer system. But a computer system has other channels that may be observed, e.g., its power consumption or electromagnetic radiation; these channels are referred to as side-channels. For example, small variations in the power consumed by different instructions and variations in power consumed while executing instructions may be measured. The measured variation may be correlated to sensitive information, such as cryptographic keys. This additional information on secret information, beyond the observable and intended input-output behavior are termed side-channels.
Through a side-channel a computer system may ‘leak’ secret information during its use. Observing and analyzing a side-channel may give an attacker access to better information than may be obtained from cryptanalysis of input-output behavior only. One known type of side-channel attack is the so-called differential power analysis (DPA).
Both implementations of functionality in computer hardware and computer software are vulnerable to side-channel attacks. The problem is however most severe in software. Compared to hardware implementations, software is relatively slow and consumes a relatively large amount of power. Both factors favor side-channel attacks.
Attempts have been made to increase the resistance of computer programs against side-channel attacks by changing their compilation.
U.S. Pat. No. 7,996,671 suggests increasing the resistance of computer programs against side-channel attacks by improved compilation. Since power analysis attacks rely on measured power consumption, resistance is increased by compiling so as to reduce power consumption. The compiler predicts the compilation that is the most energy efficient and selects it. It is observed that energy consumption reduction increases the power noise/variation and improves side-channel resistance.
If the energy reduction approach alone is not enough to introduce enough power noise/variation, then the compiler approach that is used for energy optimization can be used to randomize the power cost in critical portions of codes such as cryptographic algorithms. This is accomplished at compile time by deliberately generating code with different power requirements.
Current approaches to the side-channel problem that introduce randomness in the computation have proved less than satisfactory. Even though obscured, some relationship between power consumption and sensitive computations remains. Given sufficient power-measurements and statistical analysis, countermeasures based on randomness may be ineffective.