Petr Svenda

Masaryk University, Czech Republic
a man with glasses
© Petr Svenda
On value of large-scale blackbox analysis of software and hardware cryptographic implementations
Tue 30 Jul | 13:00 - 14:30 | SR08

Petr Svenda 01/01

Petr Svenda is an associate professor at Masaryk University, Czech Republic. He first touched the domain of cryptographic implementations in 2002 while working on side-channel analysis and has kept his passion for cryptographic smartcards ever since. His team systematic analyses of (mostly) black box implementations resulted in the discovery of a range of real-world vulnerabilities like ROCA or Minerva, as well as a suite of tools to support developers of more secure cryptographic implementations.

On value of large-scale blackbox analysis of software and hardware cryptographic implementations

The security analysis of cryptographic implementations is vital for building secure systems atop core hardware components. Yet, it is also frequently more challenging to assess due to the general closeness of the hardware industry. The resulting black box analysis is typically more complicated to set up, execute, and interpret the observed results. If analyzing only a single device, the likelihood of ending empty-handed is high -- the situation not favorable for academic researchers, further decreasing the pool of people motivated to perform independent security analysis. The talk will present lessons learned from large-scale analysis of cryptographic smartcards, Trusted Platform Modules, cryptographic libraries, and cryptocurrency hardware wallets performed over the past decade, which resulted in several high-profile, responsibly disclosed vulnerabilities against RSA and ECC implementations. Such an analysis approach increases the likelihood of a successful attack being found and provides realistic inputs for designing new attack methods. Additionally, the results obtained from all devices can be used to reason about the situation and weaknesses of the whole ecosystem instead of just reporting a single vulnerable device.
Join ARES 2025!

Join us at ARES 2025 in Ghent, Belgium