Unifying Leakage Classes: Simulatable Leakage and Pseudoentropy

Fuller, Benjamin; Hamlin, Ariel

doi:10.1007/978-3-319-17470-9_5

Cited by 9 publications

(3 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, strict comparisons with these previous works is not possible due to their different leakage models. In particular, as recently discussed in [10], simulatable leakage and bounded leakage are not implied by each other.…”

Section: Security Of Mac1mentioning

confidence: 79%

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Pereira

Standaert

Vivek

2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Leakage-resilient cryptosystems aim to maintain security in situations where their implementation leaks physical information about their internal secrets. Because of their efficiency and usability on a wide range of platforms, solutions based on symmetric primitives (such as block ciphers) are particularly attractive in this context. So far, the literature has mostly focused on the design of leakage-resilient pseudorandom objects (e.g. PRGs, PRFs, PRPs). In this paper, we consider the complementary and practically important problem of designing secure authentication and encryption schemes. For this purpose, we follow a pragmatic approach based on the advantages and limitations of existing leakageresilient pseudorandom objects, and rely on the (arguably necessary, yet minimal) use of a leak-free component. The latter can typically be instantiated with a block cipher implementation protected by traditional countermeasures, and we investigate how to combine it with the more intensive use of a much more efficient (less protected) block cipher implementation. Based on these premises, we propose and analyse new constructions of leakage-resilient MAC and encryption schemes, which allow fixing security and efficiency drawbacks of previous proposals in this direction. For encryption, we additionally provide a detailed discussion of why previously proposed (indistinguishability based) security definitions cannot capture actual side-channel attacks, and suggest a relaxed and more realistic way to quantify leakage-resilience in this case, by reducing the security of many iterations of the primitive to the security of a single iteration, independent of the security notion guaranteed by this single iteration (that remains hard to define).

show abstract

Section: Security Of Mac1mentioning

confidence: 79%

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Pereira

Standaert

Vivek

2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The analysis is made in the ideal permutation model since there is no other choice at present (see Section 3.4), and we naturally focus on oracle-free leakage functions-as in [YSPY10] and in the concurrent work [DM19]. As a compensation for this idealized analysis, all results are obtained under the weakest and easiest to validate leakage assumption, namely non-invertibility [FH15]. Building upon these, we prove security bounds that are expressive and easy-to-understand, translating to the classical ≈ 2 c/2 bound.…”

Section: Can We Design a Single-pass Leakage-resistant Ae Mode And Hmentioning

confidence: 99%

“…They investigate the security of the keyed duplex construction based on this assumption, and apply their methodology to ISAP and other schemes, focusing on confidentiality in the setting of nonce respecting and encryption leaking. Anticipating on the discussions below, our analysis of the keyed sponge construction is based on a strictly weaker assumption of hard-to-invert leakage (see [FH15]). This leads to a slightly more complicated security analysis, and it is certainly interesting to be able to compare the two approaches.…”

Section: Introductionmentioning

confidence: 99%

Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction

Guo¹,

Pereira²,

Peters³

et al. 2020

ToSC

View full text Add to dashboard Cite

The ongoing NIST lightweight cryptography standardization process highlights the importance of resistance to side-channel attacks, which has renewed the interest for Authenticated Encryption schemes (AEs) with light(er)-weight sidechannel secure implementations. To address this challenge, our first contribution is to investigate the leakage-resistance of a generic duplex-based stream cipher. When the capacity of the duplex is of c bits, we prove the classical bound, i.e., ≈ 2c/2, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. It offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness. We conclude that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern. We also provides the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages, which leads to various insights on designs and implementations.

show abstract