Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

Medwed, Marcel; Petit, Christophe; Regazzoni, Francesco; Renauld, Mathieu; Standaert, François‐Xavier

doi:10.1007/978-3-642-27257-8_8

Cited by 28 publications

(27 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we show that the requirements for the key derivation function that have been formulated in [12,13] are not sufficient. In fact, we present a simple key-recovery attack on the fresh re-keying schemes proposed in [12,13]. The basic idea of the attack is that since the scheme changes the block cipher key for every encrypted message block, a time-memory trade-off strategy is possible.…”

Section: Introductionmentioning

confidence: 99%

“…Medwed et al provide several arguments for this in [12,13]. In fact, they argue that it is not necessary to have a cryptographic algorithm for the key derivation and propose to use a modular multiplication for the key derivation.…”

Section: Introductionmentioning

confidence: 99%

“…In [12,13], Medwed et al propose a re-keying scheme that prevents DPA and DFA attacks by preventing multiple executions of an algorithm with the same key. The basic idea of this re-keying scheme is to never use a long-term key k directly in a cryptographic algorithm, but to derive a fresh session key k * from k upon each invocation of the algorithm.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Dobraunig

Eichlseder

Mangard

et al. 2015

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Abstract. At AFRICACRYPT 2010 and CARDIS 2011, fresh re-keying schemes to counter side-channel and fault attacks were introduced. The idea behind those schemes is to shift the main burden of side-channel protection to a re-keying function g that is easier to protect than the main block cipher. This function produces new session keys based on the secret master key and random nonces for every block of message that is encrypted. In this paper, we present a generic chosen-plaintext keyrecovery attack on both fresh re-keying schemes. The attack is based on two observations: Since session key collisions for the same message are easy to detect, it is possible to recover one session key with a simple time-memory trade-off strategy; and if the re-keying function is easy to invert (such as the suggested multiplication constructions), the attacker can use the session key to recover the master key. The attack has a complexity of about 2 · 2 n/2 (instead of the expected 2 n ) for an n-bit key. For the typically employed block cipher AES-128, this would result in a key-recovery attack complexity of only 2 65 . If weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Dobraunig

Eichlseder

Mangard

et al. 2015

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

show abstract

“…For a given signal-to-noise ratio, this forces an attacker to develop more effective attacks rather than simply using more traces; when combined with conventional countermeasures, it can effectively prevent such attacks. One can view this process as playing a similar role to key refresh [18,17], but without the need for synchronization. In addition, we add the first secure authentication payload, HMAC [20], to the list of applications implemented as Yao circuits.…”

Section: Introductionmentioning

confidence: 99%

On Secure Embedded Token Design

Hoerder

Järvinen

Page

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Within a broader context of mobile and embedded computing, the design of practical, secure tokens that can store and/or process security-critical information remains an ongoing challenge. One aspect of this challenge is the threat of information leakage through side-channel attacks, which is exacerbated by any resource constraints. Along these lines, this paper extends previous work on use of Yao circuits via two contributions. First, we show how careful analysis can fix the maximum number of leakage occurrences observed during a DPA attack, effectively bounding leakage from a Yao-based token. To achieve this we use modularised Yao circuits, which also support our second contribution: the first Yao-based implementation of a secure authentication payload, namely HMAC based on SHA-256.

show abstract

“…This means that reaching acceptable noise levels for the masking countermeasure to become effective requires additional shuffling, e.g. as proposed in [24] and leading to significant performance overheads (in the 10th of thousands cycles). These preliminary investigations suggest with good confidence that in a hardware context, the fresh re-keying based the construction we describe in this paper had good potential to lead to a better performance vs. security tradeoff than a masked modular multiplication.…”

Section: An Open Source and Generic Vhdl Codementioning

confidence: 99%

Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis

Belaïd¹,

Santis²,

Heyszl³

et al. 2014

J Cryptogr Eng

Self Cite

View full text Add to dashboard Cite

Abstract. Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient rekeying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.

show abstract

Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks

Cited by 28 publications

References 25 publications

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

On Secure Embedded Token Design

Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis

Contact Info

Product

Resources

About