Cryptographic algorithms and protocols are widely implemented in practice and guarantee data confidentiality and integrity. They help to prevent fraud in, e.g., electronic payment systems, and play a fundamental role in daily life. Modern cryptography analyzes the security of cryptographic algorithms using a mathematical framework based on formal security definitions and a proof-driven security analysis. To this end, an adversarial model is defined that specifies the capabilities of an attacker and describes the environment in which cryptographic algorithms are executed. The most prominent security model is the black-box model, where cryptographic algorithms are assumed to be executed in a highly idealized environment.Unfortunately, many examples illustrate that the idealized assumptions made in the black-box model often cease to hold when adversaries attack cryptographic implementations. This gap between idealized security models and the practical security of cryptographic implementations is in particular shown by the following shortcomings:- A) Bad randomness: The black-box model typically assumes that a uniform source of randomness is available. In practice, however good randomness is hard to get, and many real world random sources are imperfect.- B) Side-channel attacks: In the black-box model cryptographic algorithms are run in a fully trusted environment. With access to the implementation an adversary can deploy side-channel attacks which violate the trust assumptions of the black-box model.- C) Faulty and malicious implementations: A security analysis in the black-box model provides no guarantees for the implementation process. The implementation process, however, is one of the major sources for security breaches, and can be error-prone and sometimes even malicious.The main goal of the Emmy Noether project is to overcome the above shortcomings and to develop a sound theory for the analysis of cryptographic implementations. The expected outcome of the project are new cryptographic techniques and security models for developing the next generation of cryptographic implementations. To achieve these goals, we will extend the black-box security analysis to the implementation-level by developing methods for mitigating the problem of bad randomness (shortcoming A), and designing sound countermeasures that can protect against implementation attacks (shortcoming B). We will also address issues of the implementation process itself by designing verification tools and providing defence mechanisms against malicious implementors (shortcoming B).

DFG Programme Independent Junior Research Groups