A Practical Treatise on Secrets in Implementations

Type de soutenance
Date de début
Date de fin
IRISA Rennes
Mohamed SABT (SPICY)

ATTENTION  dans le cadre du plan VIGIPIRATE la règle suivante s'applique pour cet évènement :

L’accès du public à cette soutenance est contraint à une inscription préalable obligatoire auprès de aurelie [*] patieratirisa [*] fr (aurelie[dot]patier[at]irisa[dot]fr)

– L’accès ne sera pas autorisé sans inscription préalable. Par ailleurs, les visiteurs ne porteront ni bagage ni sac.


Many argue that security all comes down to keeping secrets; just see to it that users' passwords or cryptographic keys remain secret. Unfortunately, decades of experience suggest that secrets are hard to protect even if we specify and implement enforcing rules with rigor. This is due to the fact that the real world offers more paths to secret storage and more observable artifacts than can anticipate any theoretical model. One foundational problem is that general-purpose protection solutions usually fall short of their intended goals, since leakage and exploitability also depend on the secret semantics.

This thesis explores the challenges in protecting secrets in security systems considering leaky hardware, analyzing vulnerabilities in widely deployed implementations, and the limitations of current protection methods. It questions the impact of proprietary systems on user security and the gap between theory and practice given constant-time programming. The goal is not to blame developers for all revealed vulnerabilities and flaws, but to hopefully highlight the need for a more nuanced approach to security in real-world systems.

Composition du jury
Aurélien FRANCILLON Professeur des Universités, EURECOM, France
Prof. Dr. Thorsten HOLZ , Faculty Member, CISPA, Allemagne
Maryline LAURENT, Professeure des Universités, Télécom SudParis, France
Chitchanok CHUENGSATIANSUP, Senior Lecturer, University of Melbourne, Autstralie
Gildas AVOINE, Professeur des Universités, INSA Rennes, France