Cryptographic Key Reliable Lifetimes: Bounding the Risk of Key Exposure in the Presence of Faults

With physical attacks threatening the security of current cryptographic schemes, no security policy can be developed without taking into account the physical nature of computation. In this paper we adapt classical reliability modeling techniques to cryptographic systems. We do so by first introducing the notions of Cryptographic Key Failure Tolerance and Cryptographic Key Reliable Lifetimes. Then we offer a framework for the determination of reliable lifetimes of keys for any cryptographic scheme used in the presence of faults, given an accepted (negligible) error-bound to the risk of key exposure. Finally we emphasize the importance of selecting keys and designing schemes with good values of failure tolerance, and recommend minimal values for this metric. In fact, in standard environmental conditions, cryptographic keys that are especially susceptible to erroneous computations (e.g., RSA keys used with CRT-based implementations) are exposed with a probability greater than a standard error-bound (e.g., 2−−40) after operational times shorter than one year, if the failure-rate of the cryptographic infrastructure is greater than 1.04×10−−16failures/hours.

[1]  Wieland Fischer,et al.  Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures , 2002, CHES.

[2]  Ramesh Karri,et al.  Fault-based side-channel cryptanalysis tolerant Rijndael symmetric block cipher architecture , 2001, Proceedings 2001 IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems.

[3]  Paul E. Hoffman,et al.  Determining Strengths For Public Keys Used For Exchanging Symmetric Keys , 2004, RFC.

[4]  Israel Koren,et al.  On the propagation of faults and their detection in a hardware implementation of the Advanced Encryption Standard , 2002, Proceedings IEEE International Conference on Application- Specific Systems, Architectures, and Processors.

[5]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[6]  Jean-Jacques Quisquater,et al.  A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD , 2003, CHES.

[7]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[8]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, Theory of Cryptography Conference.

[9]  Israel Koren,et al.  Error Analysis and Detection Procedures for a Hardware Implementation of the Advanced Encryption Standard , 2003, IEEE Trans. Computers.

[10]  Robert D. Silverman A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths RSA Labs bulletin , 2000 .

[11]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[12]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[13]  Bruce Schneier,et al.  Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists , 1996 .

[14]  Security Rsa,et al.  TWIRL and RSA Key Size , 2003 .

[15]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2003 , 2003, Lecture Notes in Computer Science.

[16]  Arjen K. Lenstra Memo on RSA signature generation in the presence of faults , 1996 .

[17]  E. Normand Single event upset at ground level , 1996 .

[18]  David A. Wagner,et al.  Cryptanalysis of a provably secure CRT-RSA algorithm , 2004, CCS '04.

[19]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[20]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[21]  A S. r. l.,et al.  Upper Bounds for the Selection of the Cryptographic Key Lifetimes : Bounding the Risk of Key Exposure in the Presence of Faults , 2004 .

[22]  Marc Joye,et al.  Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults , 2005, Des. Codes Cryptogr..

[23]  Richard J. Lipton,et al.  On the Importance of Checking Computations , 1996 .

[24]  Tim Howes,et al.  Internet X.509 Public Key Infrastructure LDAPv2 Schema , 1999, RFC.

[25]  Ross J. Anderson Liability and Computer Security: Nine Principles , 1994, ESORICS.

[26]  Kishor S. Trivedi Probability and Statistics with Reliability, Queuing, and Computer Science Applications , 1984 .

[27]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[28]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[29]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Journal of Cryptology.

[30]  Dieter Gollmann,et al.  Computer Security — ESORICS 94 , 1994, Lecture Notes in Computer Science.

[31]  Walter Fumy,et al.  Advances in Cryptology — EUROCRYPT ’97 , 2001, Lecture Notes in Computer Science.

[32]  Terry Williams,et al.  Probability and Statistics with Reliability, Queueing and Computer Science Applications , 1983 .

[33]  Emmanuelle Dottax Fault Attacks on NESSIE Signature and Identification Schemes , 2002 .

[34]  Ravishankar K. Iyer,et al.  Measurement-based analysis of software reliability , 1996 .

[35]  Ross J. Anderson Why cryptosystems fail , 1994, CACM.

[36]  Arjen K. Lenstra,et al.  Unbelievable Security. Matching AES Security Using Public Key Systems , 2001, ASIACRYPT.