Leakage-Resilient and Misuse-Resistant Authenticated Encryption

Leakage-resilience and misuse-resistance are two important properties for the deployment of authenticated encryption schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss their interactions and incompatibilities. For this purpose, we first show a generic composition mode of a MAC with an encryption scheme that leads to a misuse-resistant authenticated encryption scheme, and also show that misuse-resistance does not hold anymore in the presence of leakages, even when relying on leakage-resilient MACs and encryption schemes. Next, we argue that full misuse-resistance with leakage may be impossible to achieve with simple primitives such as hash functions and block ciphers. As a result, we formalize a new security notion of ciphertext integrity with misuse and leakage, which seems to be the best that can be achieved in a symmetric cryptographic setting, and describe first efficient constructions satisfying it.

[1]  François-Xavier Standaert,et al.  Practical Leakage-Resilient Pseudorandom Objects with Minimum Public Randomness , 2013, CT-RSA.

[2]  Ariel Hamlin,et al.  Unifying Leakage Classes: Simulatable Leakage and Pseudoentropy , 2015, ICITS.

[3]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[4]  Krzysztof Pietrzak,et al.  A Leakage-Resilient Mode of Operation , 2009, EUROCRYPT.

[5]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[6]  François-Xavier Standaert,et al.  Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks , 2011, CARDIS.

[7]  Emmanuel Prouff,et al.  Provably Secure Higher-Order Masking of AES , 2010, IACR Cryptol. ePrint Arch..

[8]  Kenneth G. Paterson,et al.  Plaintext Recovery Attacks against SSH , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[9]  François-Xavier Standaert,et al.  Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions , 2013, IACR Cryptol. ePrint Arch..

[10]  Stefan Mangard,et al.  Hardware Countermeasures against DPA ? A Statistical Analysis of Their Effectiveness , 2004, CT-RSA.

[11]  François-Xavier Standaert,et al.  Shuffling against Side-Channel Attacks: A Comprehensive Study with Cautionary Note , 2012, ASIACRYPT.

[12]  Stefan Dziembowski,et al.  Towards Sound Fresh Re-keying with Hard (Physical) Learning Problems , 2016, CRYPTO.

[13]  Antoine Joux,et al.  Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs , 2012, CHES.

[14]  Martijn Stam,et al.  The Symbiosis between Collision and Preimage Resistance , 2011, IMACC.

[15]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[16]  Moti Yung,et al.  Practical leakage-resilient pseudorandom generators , 2010, CCS '10.

[17]  François-Xavier Standaert,et al.  Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices , 2010, AFRICACRYPT.

[18]  Ventzislav Nikov,et al.  Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF , 2016, ASIACRYPT.

[19]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[20]  Thomas Peyrin,et al.  Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers , 2016, CRYPTO.

[21]  Srinivas Vivek,et al.  Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives , 2015, CCS.

[22]  Thomas Shrimpton,et al.  Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance , 2004, FSE.

[23]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[24]  Yevgeniy Dodis,et al.  Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks , 2010, CRYPTO.

[25]  François-Xavier Standaert,et al.  Soft Analytical Side-Channel Attacks , 2014, ASIACRYPT.

[26]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[27]  François-Xavier Standaert,et al.  ASCA, SASCA and DPA with Enumeration: Which One Beats the Other and When? , 2015, ASIACRYPT.

[28]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[29]  Thai Duong,et al.  Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET , 2011, 2011 IEEE Symposium on Security and Privacy.

[30]  Kenneth G. Paterson,et al.  Plaintext-Recovery Attacks Against Datagram TLS , 2012, NDSS.

[31]  Stefan Mangard,et al.  One for all - all for one: unifying standard differential power analysis attacks , 2011, IET Inf. Secur..

[32]  François-Xavier Standaert,et al.  LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations , 2014, FSE.

[33]  Kenneth G. Paterson,et al.  Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS , 2016, EUROCRYPT.

[34]  Sebastian Faust,et al.  Practical Leakage-Resilient Symmetric Cryptography , 2012, CHES.

[35]  Florian Mendel,et al.  Towards Fresh and Hybrid Re-Keying Schemes with Beyond Birthday Security , 2015, CARDIS.

[36]  Florian Mendel,et al.  ISAP - Authenticated Encryption Inherently Secure Against Passive Side-Channel Attacks , 2016, IACR Cryptol. ePrint Arch..

[37]  María Naya-Plasencia,et al.  Block Ciphers That Are Easier to Mask: How Far Can We Go? , 2013, CHES.

[38]  Michael Tunstall,et al.  SoC It to EM: ElectroMagnetic Side-Channel Attacks on a Complex System-on-Chip , 2015, CHES.

[39]  François-Xavier Standaert,et al.  Masking and leakage-resilient primitives: One, the other(s) or both? , 2015, Cryptography and Communications.

[40]  François-Xavier Standaert,et al.  Leakage-Resilient Symmetric Cryptography- Overview of the ERC Project CRASH, Part II - , 2016 .

[41]  Elisabeth Oswald,et al.  Authenticated Encryption in the Face of Protocol and Side Channel Leakage , 2017, ASIACRYPT.

[42]  Ingrid Verbauwhede,et al.  DPA, Bitslicing and Masking at 1 GHz , 2015, IACR Cryptol. ePrint Arch..

[43]  W. Marsden I and J , 2012 .

[44]  Claude Carlet,et al.  PICARO - A Block Cipher Allowing Efficient Higher-Order Side-Channel Resistance , 2012, ACNS.

[45]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.