Efficient Side-Channel Secure Message Authentication with Better Bounds

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm T = TGen_K(H(M)). When the domain of the MAC function TGen_K is {0,1}^128, e.g., when instantiated with the AES, forgery is possible within time 2^64 and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) 2^78.3 time complexity, while RHM is provably secure up to 2^121 time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.
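The following Go program is an added illustration and is not code from the paper. It shows the plain Hash-then-MAC composition T = TGen_K(H(M)) with TGen_K = AES_K, where the digest must be truncated to the 128-bit AES block (the {0,1}^128 domain discussed in the abstract), next to the LRW1 tweakable blockcipher E~_K(T, X) = E_K(T xor E_K(X)) of Liskov, Rivest and Wagner. Assumptions: SHA-256 stands in for the paper's SHA3 instantiation so that only the Go standard library is needed; the LRW1-based composition (first digest half as block input, second half as tweak) is a hypothetical sketch of how a tweakable blockcipher widens the MAC domain to 256 bits, not the paper's exact LRWHM mode; the key and message are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// AES has a 128-bit block, so with TGen_K = AES_K the domain of the
// MAC function is {0,1}^128, the setting discussed in the abstract.
const blockSize = aes.BlockSize

// xorBlock returns a XOR b for two blockSize-byte slices.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// PlainHashThenMAC is the plain Hash-then-MAC paradigm T = TGen_K(H(M))
// with TGen_K = AES_K. SHA-256 stands in for SHA3 here (assumption: only
// the Go standard library is available). Because AES accepts a single
// 16-byte block, the digest has to be truncated to 128 bits; that
// truncation is what bounds the MAC domain to {0,1}^128.
func PlainHashThenMAC(key, msg []byte) ([]byte, error) {
	E, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	tag := make([]byte, blockSize)
	E.Encrypt(tag, digest[:blockSize])
	return tag, nil
}

// LRW1 is the first tweakable blockcipher of Liskov, Rivest and Wagner:
// E~_K(T, X) = E_K(T xor E_K(X)). Both E_K calls use the same key.
func LRW1(E cipher.Block, tweak, x []byte) []byte {
	inner := make([]byte, blockSize)
	E.Encrypt(inner, x)
	out := make([]byte, blockSize)
	E.Encrypt(out, xorBlock(inner, tweak))
	return out
}

// LRW1HashThenMAC keeps the whole 256-bit digest: its first half is the
// block input and its second half the tweak of LRW1, so the MAC function
// now has a 256-bit domain. This composition is a hypothetical sketch for
// this example and is not the paper's exact LRWHM mode.
func LRW1HashThenMAC(key, msg []byte) ([]byte, error) {
	E, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	return LRW1(E, digest[blockSize:], digest[:blockSize]), nil
}

// Verify recomputes the tag with the given MAC and compares in constant
// time, so the comparison itself does not leak which tag byte mismatched.
func Verify(mac func(key, msg []byte) ([]byte, error), key, msg, tag []byte) bool {
	want, err := mac(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	key := []byte("constructed-key!") // constructed 16-byte AES-128 key, demo only
	msg := []byte("meter reading 42") // constructed sample message
	plain, _ := PlainHashThenMAC(key, msg)
	lrw, _ := LRW1HashThenMAC(key, msg)
	fmt.Println("plain HtM tag :", hex.EncodeToString(plain))
	fmt.Println("LRW1 HtM tag  :", hex.EncodeToString(lrw))
	fmt.Println("verify ok     :", Verify(LRW1HashThenMAC, key, msg, lrw))
}
```

The point of the pairing is the domain size: in PlainHashThenMAC every message is reduced to 128 bits before keying, which is where the abstract's time-2^64, data-complexity-1 forgery comes from, whereas feeding both digest halves into a tweakable blockcipher gives the MAC a 256-bit domain. The abstract's proven bounds (2^78.3 for LRWHM, 2^121 for RHM) apply to the paper's modes, not to this sketch, and Verify only addresses the tag comparison; leakage of the AES computation itself is the paper's subject and is out of scope here.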
