Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis

Belaïd, Sonia; Santis, Fabrizio De; Heyszl, Johann; Mangard, Stefan; Medwed, Marcel; Schmidt, Jörn-Marc; Standaert, François‐Xavier; Tillich, Stefan

doi:10.1007/s13389-014-0079-5

Cited by 11 publications

(15 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A simple, but unsatisfactory solution to prevent this kind of attacks is to increase the master key, session key and nonce sizes to twice the security level each. More promising approaches focus on the properties of g, in particular the hardness to invert g(·, r) to deduce the key k, as in the scheme by Belaid et al [4]. Our results show that designing secure, efficient re-keying functions remains a challenging task, and that frequent re-keying opens up problems of its own that are not yet fully understood.…”

Section: Application To Other Fresh Re-keying Schemesmentioning

confidence: 84%

“…This is clearly not compatible with resource-constrained application scenarios. The alternative is to fix the construction by using a function g that is hard to invert, as for instance the one suggested in [4]. It should be hard to recover the master key k from the knowledge of one or a few session keys k * and corresponding nonces r. However, this raises the question how such a cryptographically strong function can be constructed without in turn being very costly to protect against side-channel attacks.…”

Section: Fixing the Schemementioning

confidence: 99%

“…In fact, several articles [1,4,7] treat the question of how to construct a key derivation function that can be implemented efficiently and that at the same time provides a high level of protection against differential attacks. Finding such a function is a central research question in the field of side-channel attacks and countermeasures.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Dobraunig

Eichlseder

Mangard

et al. 2015

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

Abstract. At AFRICACRYPT 2010 and CARDIS 2011, fresh re-keying schemes to counter side-channel and fault attacks were introduced. The idea behind those schemes is to shift the main burden of side-channel protection to a re-keying function g that is easier to protect than the main block cipher. This function produces new session keys based on the secret master key and random nonces for every block of message that is encrypted. In this paper, we present a generic chosen-plaintext keyrecovery attack on both fresh re-keying schemes. The attack is based on two observations: Since session key collisions for the same message are easy to detect, it is possible to recover one session key with a simple time-memory trade-off strategy; and if the re-keying function is easy to invert (such as the suggested multiplication constructions), the attacker can use the session key to recover the master key. The attack has a complexity of about 2 · 2 n/2 (instead of the expected 2 n ) for an n-bit key. For the typically employed block cipher AES-128, this would result in a key-recovery attack complexity of only 2 65 . If weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.

show abstract

Section: Application To Other Fresh Re-keying Schemesmentioning

confidence: 84%

Section: Fixing the Schemementioning

confidence: 99%

See 1 more Smart Citation

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Dobraunig

Eichlseder

Mangard

et al. 2015

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

show abstract

“…Focusing on the role of key-updating in leakage resilient cryptographic schemes, high-diffusion was proposed as the only mathematical condition required for secure key-updating [8], [15]. Here, we show that this condition is not sufficient with a counter example, and propose new conditions.…”

Section: Security Analysismentioning

confidence: 83%

Key Updating for Leakage Resiliency With Application to AES Modes of Operation

Taha

Schaumont

2015

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Side-channel analysis(SCA) exploits the information leaked through unintentional outputs (e.g., power consumption) to reveal the secret key of cryptographic modules. The real threat of SCA lies in the ability to mount attacks over small parts of the key and to aggregate information over different encryptions. The threat of SCA can be thwarted by changing the secret key at every run. Indeed, many contributions in the domain of leakage resilient cryptography tried to achieve this goal. However, the proposed solutions were computationally intensive and were not designed to solve the problem of the current cryptographic schemes. In this paper, we propose a generic framework of lightweight key updating that can protect the current cryptographic standards and evaluate the minimum requirements for heuristic SCA-security. Then, we propose a complete solution to protect the implementation of any standard mode of Advanced Encryption Standard. Our solution maintains the same level of SCA-security (and sometimes better) as the state of the art, at a negligible area overhead while doubling the throughput of the best previous work.Index Terms-Hardware security (side channels).

show abstract

“…In more detail, it is widely accepted that very small data complexities, i.e., q = 1 and q = 2, have sufficiently small side-channel leakage and do not allow for successful key recovery from DPA attacks [7,46,53,56].…”

Section: Frequent Re-keyingmentioning

confidence: 99%

MEAS: memory encryption and authentication secure against side-channel attacks

2018

Self Cite

View full text Add to dashboard Cite

Memory encryption is used in many devices to protect memory content from attackers with physical access to a device. However, many current memory encryption schemes can be broken using differential power analysis (DPA). In this work, we present Meas-the first Memory Encryption and Authentication Scheme providing security against DPA attacks. The scheme combines ideas from fresh re-keying and authentication trees by storing encryption keys in a tree structure to thwart first-order DPA without the need for DPA-protected cryptographic primitives. Therefore, the design strictly limits the use of every key to encrypt at most two different plaintext values. Meas prevents higher-order DPA without changes to the cipher implementation by using masking of the plaintext values. Meas is applicable to all kinds of memory, e.g., NVM and RAM. For RAM, we give two concrete Meas instances based on the lightweight primitives Ascon, PRINCE, and QARMA. We implement and evaluate both instances on a Zynq XC7Z020 FPGA showing that Meas has memory and performance overhead comparable to existing memory authentication techniques without DPA protection.

show abstract

Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis

Cited by 11 publications

References 34 publications

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

Key Updating for Leakage Resiliency With Application to AES Modes of Operation

MEAS: memory encryption and authentication secure against side-channel attacks

Contact Info

Product

Resources

About