Leakage Resilient Value Comparison with Application to Message Authentication

Dobraunig, Christoph; Mennink, Bart

doi:10.1007/978-3-030-77886-6_13

Cited by 9 publications

(5 citation statements)

References 53 publications

(93 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The previous positive result heavily relies on the inverse-based verification of LR-MAC1. In this subsection, we show that such a positive result is not always obtained by exhibiting attacks against other verification algorithms that recompute the correct tag like analyzed in [DM21]. Those are typically encountered in permutation-based designs like Ascon [DEMS21] or ISAP [DEM + 20].…”

Section: Attacks Against Other Macsmentioning

confidence: 98%

“…Attacking a SPA-secure Design with DPA. Consider Figure 1 in [DM21]. The high-level idea of this leakage-resilient tag verification algorithm is that it maintains the message integrity if the inputs S and T (corresponding to the tag) of a permutation are secure against Simple Power Analysis (i.e., single-input attacks, roughly).…”

Section: Attacks Against Other Macsmentioning

confidence: 99%

See 1 more Smart Citation

Secure Message Authentication in the Presence of Leakage and Faults

Guo¹,

Peters²,

Shen³

et al. 2023

ToSC

View full text Add to dashboard Cite

Security against side-channels and faults is a must for the deployment of embedded cryptography. A wide body of research has investigated solutions to secure implementations against these attacks at different abstraction levels. Yet, to a large extent, current solutions focus on one or the other threat. In this paper, we initiate a mode-level study of cryptographic primitives that can ensure security in a (new and practically-motivated) adversarial model combining leakage and faults. Our goal is to identify constructions that do not require a uniform protection of all their operations against both attack vectors. For this purpose, we first introduce a versatile and intuitive model to capture leakage and faults. We then show that a MAC from Asiacrypt 2021 natively enables a leveled implementation for fault resilience where only its underlying tweakable block cipher must be protected, if only the tag verification can be faulted. We finally describe two approaches to amplify security for fault resilience when also the tag generation can be faulted. One is based on iteration and requires the adversary to inject increasingly large faults to succeed. The other is based on randomness and allows provable security against differential faults.

show abstract

Section: Attacks Against Other Macsmentioning

confidence: 98%

Section: Attacks Against Other Macsmentioning

confidence: 99%

Secure Message Authentication in the Presence of Leakage and Faults

Guo¹,

Peters²,

Shen³

et al. 2023

ToSC

View full text Add to dashboard Cite

show abstract

“…This assumption is made for Slae and its generic construction FGHF ′ [DJS19,KS20]. Methods to achieve this are presented in [DM21].…”

Section: Leakage Security Notionsmentioning

confidence: 99%

Constructing Committing and Leakage-Resilient Authenticated Encryption

Struck,

Weishäupl

2024

ToSC

View full text Add to dashboard Cite

The main goal of this work is to construct authenticated encryption (AE) hat is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (Asiacrypt’17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to committing security, giving both positive and negative results: By means of a concrete attack, we show that Encrypt-then-MAC is not committing. Furthermore, we prove that Encrypt-and-MAC is committing, given that the underlying schemes satisfy security notions we introduce for this purpose. We later prove these new notions achievable by providing schemes that satisfy them. MAC-then-Encrypt turns out to be more difficult due to the fact that the tag is not outputted alongside the ciphertext as it is done for the other two composition methods. Nevertheless, we give a detailed heuristic analysis of MAC-then-Encrypt with respect to committing security, leaving a definite result as an open task for future work. Our results, in combination with the fact that only Encrypt-then-MAC yields leakage-resilient AE schemes, show that one cannot obtain AE schemes that are both committing and leakage-resilient via generic composition. As a second approach for constructing committing and leakage-resilient AE, we develop a generic transformation that turns an arbitrary AE scheme into one that fulfills both properties. The transformation relies on a keyed function that is both binding, i.e., it is hard to find key-input pairs that result in the same output, and leakage-resilient pseudorandom.

show abstract

“…Theoretical treatments of block cipher based or TBC-based designs include [BKP + 18, BPPS17, PSV15] and [BGPS21]. Theoretical treatments of permutation-based designs include [DJS19, DM19, GPPS20] and [DM21]. Examples of grade-3 designs (which enable leveled implementations with CIML2 and CCAmL2 guarantees) include TEDT and TEDT2 which are TBC-based [BGP + 20, Lis21] and ISAP which is permutation-based [DEM + 20].…”

Section: Related Workmentioning

confidence: 99%

Multiplex: TBC-Based Authenticated Encryption with Sponge-Like Rate

Shen,

Peters,

Standaert

2024

ToSC

View full text Add to dashboard Cite

Authenticated Encryption (AE) modes of operation based on Tweakable Block Ciphers (TBC) usually measure efficiency in the number of calls to the underlying primitive per message block. On the one hand, many existing solutions reach a primitive-rate of 1, meaning that each n-bit block of message asymptotically needs a single call to the TBC with output length n. On the other hand, while these modes look optimal in a blackbox setting, they become less attractive when leakage comes into play, since all these calls must then be equally well protected to maintain security. Leakage-resistant modes improve this situation, by generating ephemeral keys every constant number of calls. However, rekeying is inherently suboptimal in primitive-rate, since a TBC call can only be used either to refresh a key or to encrypt a block. Even worse, existing solutions achieving almost n bits of security for n-bit secret keys have at most a primitive-rate 2/3. Hence the question: Can we design a highly-secure TBC-based rekeying mode with “nearly optimal” primitive-rate? We answer this question positively with Multiplex, a new mode that has primitive-rate d/(d + 1) given a TBC with a dn-bit tweak. Multiplex achieves n − log2(dn) bits of security for both (i) misuse-resilience CCA confidentiality security in the blackbox setting and (ii) Ciphertext Integrity with Misuse-resistant and unbounded Leakage in encryption and decryption (CIML2). It also provides (iii) confidentiality with leakage up to the birthday bound. Furthermore, Multiplex can run d + 1 calls in parallel in each iteration. The combination of these features gives a mode of operation that inherits most of the good implementation features and flexibility of a sponge construction – therefore paving the way towards sound comparisons between TBC-based and permutation-based AE.

show abstract

Leakage Resilient Value Comparison with Application to Message Authentication

Cited by 9 publications

References 53 publications

Secure Message Authentication in the Presence of Leakage and Faults

Secure Message Authentication in the Presence of Leakage and Faults

Constructing Committing and Leakage-Resilient Authenticated Encryption

Multiplex: TBC-Based Authenticated Encryption with Sponge-Like Rate

Contact Info

Product

Resources

About