Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Medwed, Marcel; Standaert, François‐Xavier; Großschädl, Johann; Regazzoni, Francesco

doi:10.1007/978-3-642-12678-9_17

Cited by 101 publications

(107 citation statements)

References 29 publications

Supporting

Mentioning

101

Contrasting

Order By: Relevance

“…We approach the topic with a detailed analysis of the security of fresh re-keying [33,39] as a promising mechanism to prevent DPA on memory encryption. While re-keying completely thwarts DPA on the cryptographic key, our major result here is that re-keying provides merely first-order DPA security for the memory content itself.…”

Section: Contributionmentioning

confidence: 99%

“…Therefore, frequent rekeying [33,39] tries to limit the number of different processed inputs per key, i.e., the data complexity.…”

Section: Frequent Re-keyingmentioning

confidence: 99%

“…1 prevent DPA, but require the initialization with a fresh key and thus secure key synchronization between the communicating parties. A common approach to this synchronization is to derive a fresh key from a shared master secret k and a public, random nonce n [21,39,53]. However, this approach shifts the DPA problem to the key derivation, which thus needs DPA protection through mechanisms like masking.…”

Section: The Re-keying Operationmentioning

confidence: 99%

See 2 more Smart Citations

MEAS: memory encryption and authentication secure against side-channel attacks

2018

View full text Add to dashboard Cite

Memory encryption is used in many devices to protect memory content from attackers with physical access to a device. However, many current memory encryption schemes can be broken using differential power analysis (DPA). In this work, we present Meas-the first Memory Encryption and Authentication Scheme providing security against DPA attacks. The scheme combines ideas from fresh re-keying and authentication trees by storing encryption keys in a tree structure to thwart first-order DPA without the need for DPA-protected cryptographic primitives. Therefore, the design strictly limits the use of every key to encrypt at most two different plaintext values. Meas prevents higher-order DPA without changes to the cipher implementation by using masking of the plaintext values. Meas is applicable to all kinds of memory, e.g., NVM and RAM. For RAM, we give two concrete Meas instances based on the lightweight primitives Ascon, PRINCE, and QARMA. We implement and evaluate both instances on a Zynq XC7Z020 FPGA showing that Meas has memory and performance overhead comparable to existing memory authentication techniques without DPA protection.

show abstract

Section: Contributionmentioning

confidence: 99%

“…Therefore, frequent rekeying [33,39] tries to limit the number of different processed inputs per key, i.e., the data complexity.…”

Section: Frequent Re-keyingmentioning

confidence: 99%

Section: The Re-keying Operationmentioning

confidence: 99%

See 1 more Smart Citation

MEAS: memory encryption and authentication secure against side-channel attacks

2018

View full text Add to dashboard Cite

show abstract

“…Whereas the scheme is efficient for long messages, the initialization effort might render it impractical for smartcard and RFID applications. More recently, a fresh rekeying scheme was presented at Africacrypt 2010 [19]. It combines the re-keying used in leakage-resilient cryptography with easy to protect low-cost mappings in order to remove the initialization overhead.…”

Section: Introductionmentioning

confidence: 99%

“…It essentially encrypts every message block m under a fresh session key k * , with a block cipher. The session key is generated from the master key k and a public random nonce r, with a function g. At first sight, it may seem that one just shifts the problem of protecting the block cipher f against physical attacks to the one of protecting the function g. Interestingly, it is argued in [19] that a proper selection of g may lead this scheme to be significantly easier to protect against such attacks than the underlying block cipher f . Namely, g does not need to be cryptographically strong.…”

Section: Introductionmentioning

confidence: 99%

Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

Medwed

Petit

Regazzoni

et al. 2011

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

Abstract. Security-aware embedded systems are widespread nowadays and many applications, such as payment, pay-TV and automotive applications rely on them. These devices are usually very resource constrained but at the same time likely to operate in a hostile environment. Thus, the implementation of low-cost protection mechanisms against physical attacks is vital for their market relevance. An appealing choice, to counteract a large family of physical attacks with one mechanism, seem to be protocol-level countermeasures. At last year's Africacrypt, a fresh re-keying scheme has been presented which combines the advantages of re-keying with those of classical countermeasures such as masking and hiding. The contribution of this paper is threefold: most importantly, the original fresh re-keying scheme was limited to one low-cost party (e.g. an RFID tag) in a two party communication scenario. In this paper we extend the scheme to n low-cost parties and show that the scheme is still secure. Second, one unanswered question in the original paper was the susceptibility of the scheme to algebraic SPA attacks. Therefore, we analyze this property of the scheme. Finally, we implemented the scheme on a common 8-bit microcontroller to show its efficiency in software.

show abstract

A Privacy-Preserving Device Tracking System Using a Low-Power Wide-Area Network

Ashur

Delvaux

Lee

et al. 2018

Cryptology and Network Security

View full text Add to dashboard Cite

This paper presents the design and implementation of a lowpower privacy-preserving device tracking system based on Internet of Things (IoT) technology. The system consists of low-power nodes and a set of dedicated beacons. Each tracking node broadcasts pseudonyms and encrypted versions of observed beacon identifiers over a Low-Power Wide-Area Network (LPWAN). Unlike most commercial systems, our solution ensures that the device owners are the only ones who can locate their devices. We present a detailed design and validate the result with a prototype implementation that considers power and energy consumption as well as side-channel attacks. Our implementation uses Physically Unclonable Function (PUF) technology for secure key-storage in an innovative way. We build and evaluate a complete demonstrator with off-the-shelf IoT nodes, Bluetooth Low Energy (BLE) beacons, and LoRa long distance communication (LPWAN). We validate the setup for a bicycle tracking application and also estimate the requirements for a low-cost ASIC node.

show abstract

Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices

Cited by 101 publications

References 29 publications

MEAS: memory encryption and authentication secure against side-channel attacks

MEAS: memory encryption and authentication secure against side-channel attacks

Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

A Privacy-Preserving Device Tracking System Using a Low-Power Wide-Area Network

Contact Info

Product

Resources

About