Improved Leakage-Resistant Authenticated Encryption based on Hardware AES Coprocessors

OCB3 is one of the winners of the CAESAR competition and is among the most popular authenticated encryption schemes. In this paper, we put forward a fine-grain study of its security against side-channel attacks. We start from trivial key recoveries in settings where the mode can be attacked with standard Differential Power Analysis (DPA) against some block cipher calls in its execution (namely, initialization, processing of associated data or last incomplete block and decryption). These attacks imply that at least these parts must be strongly protected thanks to countermeasures like masking. We next show that if these block cipher calls of the mode are protected, practical attacks on the remaining block cipher calls remain possible. A first option is to mount a DPA with unknown inputs. A more efficient option is to mount a DPA that exploits horizontal relations between consecutive input whitening values. It allows trading a significantly reduced data complexity for a higher key guessing complexity and turns out to be the best attack vector in practical experiments performed against an implementation of OCB3 in an ARM Cortex-M0. Eventually, we consider an implementation where all the block cipher calls are protected. We first show that exploiting the leakage of the whitening values requires mounting a Simple Power Analysis (SPA) against linear operations. We then show that despite being more challenging than when applied to non-linear operations, such an SPA remains feasible against 8-bit implementations, leaving its generalization to larger implementations as an interesting open problem. We last describe how recovering the whitening values can lead to strong attacks against the confidentiality and integrity of OCB3. Thanks to this comprehensive analysis, we draw concrete requirements for side-channel resistant implementations of OCB3.

Section: Resultsmentioning

confidence: 99%

A Finer-Grain Analysis of the Leakage (Non) Resilience of OCB

Berti

Bhasin

Breier

et al. 2021

“…So while an SPA attacker might have access to a large number of traces, the amount of distinct leakages is still limited. Therefore, countermeasures against this type of attack usually do not rely on masking, but rather on more cost-efficient shuffling [HOM06] or, if possible, exploit parallel leakages [BMPS21]. Note that in case of CC-SCA on Kyber, the SPA is still very powerful and requires costly protection to achieve the desired security level [ABH + 22].…”

Section: Side-channel Security Notionsmentioning

confidence: 99%

Post-Quantum Authenticated Encryption against Chosen-Ciphertext Side-Channel Attacks

Azouaoui

Kuzovkova

Schneider

et al. 2022

Over the last years, the side-channel analysis of Post-Quantum Cryptography (PQC) candidates in the NIST standardization initiative has received increased attention. In particular, it has been shown that some post-quantum Key Encapsulation Mechanisms (KEMs) are vulnerable to Chosen-Ciphertext Side-Channel Attacks (CC-SCA). These powerful attacks target the re-encryption step in the Fujisaki-Okamoto (FO) transform, which is commonly used to achieve CCA security in such schemes. To sufficiently protect PQC KEMs on embedded devices against such a powerful CC-SCA, masking at increasingly higher order is required, which induces a considerable overhead. In this work, we propose to use a conceptually simple construction, the ΕtS KEM, that alleviates the impact of CC-SCA. It uses the Encrypt-then-Sign (EtS) paradigm introduced by Zheng at ISW ’97 and further analyzed by An, Dodis and Rabin at EUROCRYPT ’02, and instantiates a postquantum authenticated KEM in the outsider-security model. While the construction is generic, we apply it to the CRYSTALS-Kyber KEM, relying on the CRYSTALSDilithium and Falcon signature schemes. We show that a CC-SCA-protected EtS KEM version of CRYSTALS-Kyber requires less than 10% of the cycles required for the CC-SCA-protected FO-based KEM, at the cost of additional data/communication overhead. We additionally show that the cost of protecting the EtS KEM against fault injection attacks, necessarily due to the added signature verification, remains negligible compared to the large cost of masking the FO transform at higher orders. Lastly, we discuss relevant embedded use cases for our EtS KEM construction.

“…With the goal to take advantage of efficient AES co-processors that are frequently available in embedded devices, the retrofitting mode of [USS + 20] and the LR-BC mode of [BMPS21] only rely on n-bit block cipher calls. These modes are in general less efficient than TBC-based modes due to this additional constraint, but they can lead to excellent performance in practice when these co-processors are indeed available.…”

Section: Related Workmentioning

confidence: 99%

“…Triplex is a one-pass AE mode based on TBCs with large tweaks. To achieve so-called Grade-2 leakage security (i.e., a combination of CCAmL1 for confidentiality and CIML2 for integrity), we combine an ephemeral key evolution process based on a compression function as in [BMPS21] with strengthened Key Derivation Function (KDF) and Tag Generation Function (TGF). On the one hand, the ephemeral key evolution allows iteratively processing each block of message with a fresh key, which is reminiscent of other designs conferring confidentiality guarantees in the presence of encryption leakage [BBC + 20].…”

Section: Specifications Of Triplexmentioning

confidence: 99%

“…Among the existing one-pass sponge-based designs, [BMPS21] highlights that Ascon and Spook achieve Grade-2 leakage security (i.e., CCAmL1 + CIML2), where the integrity holds in the unbounded leakage model. Like Triplex, that means that as long as the KDF and TGF functions are well-protected it is still infeasible to forge a ciphertext even if the full state leaks.…”

Section: A Proof Of Lemmamentioning

confidence: 99%

See 1 more Smart Citation

Triplex: an Efficient and One-Pass Leakage-Resistant Mode of Operation

Shen

Peters

Standaert

et al. 2022

Self Cite

This paper introduces and analyzes Triplex, a leakage-resistant mode of operation based on Tweakable Block Ciphers (TBCs) with 2n-bit tweaks. Triplex enjoys beyond-birthday ciphertext integrity in the presence of encryption and decryption leakage in a liberal model where all intermediate computations are leaked in full and only two TBC calls operating a long-term secret are protected with implementationlevel countermeasures. It provides beyond-birthday confidentiality guarantees without leakage, and standard confidentiality guarantees with leakage for a single-pass mode embedding a re-keying process for the bulk of its computations (i.e., birthday confidentiality with encryption leakage under a bounded leakage assumption). Triplex improves leakage-resistant modes of operation relying on TBCs with n-bit tweaks when instantiated with large-tweak TBCs like Deoxys-TBC (a CAESAR competition laureate) or Skinny (used by the Romulus finalist of the NIST lightweight crypto competition). Its security guarantees are maintained in the multi-user setting.