Efficient Leakage-Resilient MACs Without Idealized Assumptions

Berti, Francesco; Guo, Chun; Peters, Thomas; Standaert, François‐Xavier

doi:10.1007/978-3-030-92075-3_4

Cited by 10 publications

(8 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First, we show that the recent LR-MAC1 leakage-resilient MAC proposed as Asiacrypt 2021 [BGPS21] natively offers good features for this purpose that is also fault-resilient. Precisely, its tag verification can be implemented such that only the Tweakable Block Cipher (TBC) that manipulates its long-term secret requires security against leakage and faults.…”

Section: Introductionmentioning

confidence: 92%

“…The proof is based on the observation that in order to find a fresh and valid pair (m, τ ) against LR-MAC1, the adversary needs to either find a collision against the hash function H, or to find a fresh and valid tuple (tw, x, y) against the SUP-L2 security of TBC F even with the power of injecting faults in tag verification. In the proof, the adversary is deemed to win the game if any of her q V + 1 verification queries can be associated to a valid predication against the TBC F. This is to capture the power of the adversary on tag verification since now the adversary can inject any fault on the hash value h and thus has the full control of the input to the TBC F, which is essentially different from Berti et al's [BGPS21] model where the adversary can only see what h is but cannot modify it. Our analysis implies that the inversion of TBC in tag verification not only helps to improve the security against side-channel attack, but also significantly improves the security against fault attacks.…”

Section: Secure Verificationmentioning

confidence: 99%

“…The leakage models we use for this purpose are the (standard) ones proposed in [BGPS21]: we mix unbounded leakage for the non-sensitive computations and require unpredictability for the TBCs manipulating long-term secrets. As for the fault models, we use a simplified version of the ones proposed in [FG20,AOTZ20] that easily translates into interpretable leveled implementation guidelines.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Secure Message Authentication in the Presence of Leakage and Faults

Guo¹,

Peters²,

Shen³

et al. 2023

ToSC

View full text Add to dashboard Cite

Security against side-channels and faults is a must for the deployment of embedded cryptography. A wide body of research has investigated solutions to secure implementations against these attacks at different abstraction levels. Yet, to a large extent, current solutions focus on one or the other threat. In this paper, we initiate a mode-level study of cryptographic primitives that can ensure security in a (new and practically-motivated) adversarial model combining leakage and faults. Our goal is to identify constructions that do not require a uniform protection of all their operations against both attack vectors. For this purpose, we first introduce a versatile and intuitive model to capture leakage and faults. We then show that a MAC from Asiacrypt 2021 natively enables a leveled implementation for fault resilience where only its underlying tweakable block cipher must be protected, if only the tag verification can be faulted. We finally describe two approaches to amplify security for fault resilience when also the tag generation can be faulted. One is based on iteration and requires the adversary to inject increasingly large faults to succeed. The other is based on randomness and allows provable security against differential faults.

show abstract

Section: Introductionmentioning

confidence: 92%

Section: Secure Verificationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Secure Message Authentication in the Presence of Leakage and Faults

Guo¹,

Peters²,

Shen³

et al. 2023

ToSC

View full text Add to dashboard Cite

show abstract

“…Our current security proof relies on the idealized primitives. A standard model-based proof would provide additional confidence (see e.g., [BGPS21]). It might be possible to remove a (pseudo)random property for G as observed by MSGR.…”

Section: Future Workmentioning

confidence: 99%

Fallen Sanctuary: A Higher-Order and Leakage-Resilient Rekeying Scheme

Ueno,

Homma,

Inoue

et al. 2023

TCHES

View full text Add to dashboard Cite

This paper presents a provably secure, higher-order, and leakage-resilient (LR) rekeying scheme named LR Rekeying with Random oracle Repetition (LR4), along with a quantitative security evaluation methodology. Many existing LR primitives are based on a concept of leveled implementation, which still essentially require a leak-free sanctuary (i.e., differential power analysis (DPA)-resistant component(s)) for some parts. In addition, although several LR pseudorandom functions (PRFs) based on only bounded DPA-resistant components have been developed, their validity and effectiveness for rekeying usage still need to be determined. In contrast, LR4 is formally proven under a leakage model that captures the practical goal of side-channel attack (SCA) protection (e.g., masking with a practical order) and assumes no unbounded DPA-resistant sanctuary. This proof suggests that LR4 resists exponential invocations (up to the birthday bound of key size) without using any unbounded leak-free component, which is the first of its kind. Moreover, we present a quantitative SCA success rate evaluation methodology for LR4 that combines the bounded leakage models for LR cryptography and a state-of-the-art information-theoretical SCA evaluation method. We validate its soundness and effectiveness as a DPA countermeasure through a numerical evaluation; that is, the number of secure calls of a symmetric primitive increases exponentially by increasing a security parameter under practical conditions.

show abstract

“…This very first call to Hir inside KDF forces the initial state (h 1 , k 1 ) to diverge for distinct pairs (N, P ) even if some collision on k 0 occurs. For the TGF in Figure 5(B), we borrow the recent LR-MAC due to [BGPS21] which already leverages double-size tweak to get an elegant and simple beyond-birthday authentication mechanism. For checking the validity of the tag in decryption, this LR-MAC relies on the invertibility of the TBC in order to avoid leaking any information on the right tag given any adversarially chosen invalid ciphertexts, as formalized in [BPPS17].…”

Section: Design Blueprintmentioning

confidence: 99%

Triplex: an Efficient and One-Pass Leakage-Resistant Mode of Operation

Shen

Peters

Standaert

et al. 2022

TCHES

Self Cite

View full text Add to dashboard Cite

This paper introduces and analyzes Triplex, a leakage-resistant mode of operation based on Tweakable Block Ciphers (TBCs) with 2n-bit tweaks. Triplex enjoys beyond-birthday ciphertext integrity in the presence of encryption and decryption leakage in a liberal model where all intermediate computations are leaked in full and only two TBC calls operating a long-term secret are protected with implementationlevel countermeasures. It provides beyond-birthday confidentiality guarantees without leakage, and standard confidentiality guarantees with leakage for a single-pass mode embedding a re-keying process for the bulk of its computations (i.e., birthday confidentiality with encryption leakage under a bounded leakage assumption). Triplex improves leakage-resistant modes of operation relying on TBCs with n-bit tweaks when instantiated with large-tweak TBCs like Deoxys-TBC (a CAESAR competition laureate) or Skinny (used by the Romulus finalist of the NIST lightweight crypto competition). Its security guarantees are maintained in the multi-user setting.

show abstract

Efficient Leakage-Resilient MACs Without Idealized Assumptions

Cited by 10 publications

References 32 publications

Secure Message Authentication in the Presence of Leakage and Faults

Secure Message Authentication in the Presence of Leakage and Faults

Fallen Sanctuary: A Higher-Order and Leakage-Resilient Rekeying Scheme

Triplex: an Efficient and One-Pass Leakage-Resistant Mode of Operation

Contact Info

Product

Resources

About