Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Pereira, Olivier; Standaert, François‐Xavier; Vivek, S. Sree

doi:10.1145/2810103.2813626

Cited by 58 publications

(41 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1 to design DPA-secure schemes from unprotected primitives are the leakage-resilient encryption schemes in [46,53,56] and the leakage-resilient MAC in [45]. Block-cipher-based instantiations of these schemes have a data complexity of q = 2 in order to prohibit successful key recovery via DPA attacks.…”

Section: Frequent Re-keyingmentioning

confidence: 99%

“…Using existing proposals of leakage-resilient block encryption [56] and a leakage-resilient MAC [45], both E NC and AE can be easily obtained from unprotected cryptographic implementations of standard primitives like AES and SHA-2 and the generic composition encrypt-then-MAC [8]. However, for the encryption and authentication of RAM, more lightweight constructions for E NC and AE are desirable.…”

Section: Instantiationmentioning

confidence: 99%

“…Using existing memory encryption and authentication schemes with DPA-protected implementations, on the other hand, would result in overheads of a factor of four to a few hundred [6,10,42,45] and thus be far more expensive, eventually rendering memory encryption and authentication in many applications impractical.…”

Section: Memory Overheadmentioning

confidence: 99%

“…However, protecting implementations of cryptographic primitives against DPA is expensive and a tough problem in an active field of research existing for almost two decades. The massive overheads for DPA-protected implementations range between a factor of four and a few hundred [6,10,42,45] and would thus render current memory encryption and authentication schemes in latency sensitive applications impractical. In contrast, more efficient solutions are in sight when considering side-channel protection throughout the cryptographic design and looking for potential synergies.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

MEAS: memory encryption and authentication secure against side-channel attacks

2018

View full text Add to dashboard Cite

Memory encryption is used in many devices to protect memory content from attackers with physical access to a device. However, many current memory encryption schemes can be broken using differential power analysis (DPA). In this work, we present Meas-the first Memory Encryption and Authentication Scheme providing security against DPA attacks. The scheme combines ideas from fresh re-keying and authentication trees by storing encryption keys in a tree structure to thwart first-order DPA without the need for DPA-protected cryptographic primitives. Therefore, the design strictly limits the use of every key to encrypt at most two different plaintext values. Meas prevents higher-order DPA without changes to the cipher implementation by using masking of the plaintext values. Meas is applicable to all kinds of memory, e.g., NVM and RAM. For RAM, we give two concrete Meas instances based on the lightweight primitives Ascon, PRINCE, and QARMA. We implement and evaluate both instances on a Zynq XC7Z020 FPGA showing that Meas has memory and performance overhead comparable to existing memory authentication techniques without DPA protection.

show abstract

Section: Frequent Re-keyingmentioning

confidence: 99%

Section: Instantiationmentioning

confidence: 99%

Section: Memory Overheadmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MEAS: memory encryption and authentication secure against side-channel attacks

2018

View full text Add to dashboard Cite

show abstract

“…In the bounded retrieval model, Bellare et al [7] proved the security of a symmetric encryption scheme that provides authenticated encryption in the leak free case, and indistinguishability when leakage is involved. Pereira et al [43] proposed what is, to our knowledge, the first and only leakage resilient encryption scheme in the simulatable leakage model. However, the construction requires a leak free component and in practice relies on the existence of efficient simulators of the leakage from (e.g.)…”

Section: Related Workmentioning

confidence: 99%

Authenticated Encryption in the Face of Protocol and Side Channel Leakage

Barwell

Martin

Oswald

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Authenticated encryption schemes in practice have to be robust against adversaries that have access to various types of leakage, for instance decryption leakage on invalid ciphertexts (protocol leakage), or leakage on the underlying primitives (side channel leakage). This work includes several novel contributions: we augment the notion of nonce-base authenticated encryption with the notion of continuous leakage and we prove composition results in the face of protocol and side channel leakage. Moreover, we show how to achieve authenticated encryption that is simultaneously both misuse resistant and leakage resilient, based on a sufficiently leakage resilient PRF, and finally we propose a concrete, pairing-based instantiation of the latter.

show abstract