Berti, Francesco [UCL]
Koeune, François [UCL]
Pereira, Olivier [UCL]
Peters, Thomas [UCL]
Standaert, François-Xavier [UCL]
Leakage resilience (LR) and misuse resistance (MR) are two important properties for the deployment of authenticated encryption (AE) schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss the interactions and incompatibilities between these two properties. We start from the usual definition of MR for AE schemes from Rogaway and Shrimpton, and argue that it may be overly demanding in the presence of leakages. As a result, we turn back to the basic security requirements for AE, ciphertext integrity (INT-CTXT) and CPA security, and propose to focus on a new notion of CIML security, which is an extension of INT-CTXT in the presence of misuse and leakages. We discuss the extent to which CIML security is offered by previous proposals of MR AE schemes, conclude in the negative, and propose two new efficient CIML-secure AE schemes: the DTE scheme offers security in the standard model, while the DCE scheme offers security in the random oracle model but comes with some efficiency benefits. Along the way, we observe that these constructions are not trivial, and show for instance that the composition of a LR MAC and a LR encryption scheme, while providing a (traditional) MR AE scheme, can surprisingly lose the MR property in the presence of leakages and does not achieve CIML security. Finally, we show the LR CPA security of DTE and DCE.
- Yu Yu, François-Xavier Standaert, Olivier Pereira, and Moti Yung. Practical leakage-resilient pseudorandom generators. DOI 10.1145/1866307.1866324.
- Yu Yu and François-Xavier Standaert. Practical Leakage-Resilient Pseudorandom Objects with Minimum Public Randomness. In Topics in Cryptology – CT-RSA 2013, ISBN 9783642360947, pages 223–238, 2013. DOI 10.1007/978-3-642-36095-4_15.
- Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against Side-Channel Attacks: A Comprehensive Study with Cautionary Note. In Advances in Cryptology – ASIACRYPT 2012, ISBN 9783642349607, pages 740–757, 2012. DOI 10.1007/978-3-642-34961-4_44.
- Nicolas Veyrat-Charvillon, Benoît Gérard, and François-Xavier Standaert. Soft Analytical Side-Channel Attacks. In Lecture Notes in Computer Science, ISBN 9783662456101, pages 282–296, 2014. DOI 10.1007/978-3-662-45611-8_15.
- François-Xavier Standaert, Olivier Pereira, and Yu Yu. Leakage-Resilient Symmetric Cryptography under Empirically Verifiable Assumptions. In Advances in Cryptology – CRYPTO 2013, ISBN 9783642400407, pages 335–352, 2013. DOI 10.1007/978-3-642-40041-4_19.
- Phillip Rogaway and Thomas Shrimpton. A Provable-Security Treatment of the Key-Wrap Problem. In Advances in Cryptology – EUROCRYPT 2006, ISBN 9783540345466, pages 373–390, 2006. DOI 10.1007/11761679_23.
- P. Rogaway and T. Shrimpton. Deterministic authenticated-encryption: A provable-security treatment of the key-wrap problem. IACR Cryptology ePrint Archive, 2006:221, 2006.
- Matthieu Rivain and Emmanuel Prouff. Provably Secure Higher-Order Masking of AES. In Cryptographic Hardware and Embedded Systems – CHES 2010, ISBN 9783642150302, pages 413–427, 2010. DOI 10.1007/978-3-642-15031-9_28.
- E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html, July 2017.
- Krzysztof Pietrzak. A Leakage-Resilient Mode of Operation. In Advances in Cryptology – EUROCRYPT 2009, ISBN 9783642010002, pages 462–482, 2009. DOI 10.1007/978-3-642-01001-9_27.
- Olivier Pereira, François-Xavier Standaert, and Srinivas Vivek. Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives. DOI 10.1145/2810103.2813626.
- K. G. Paterson and N. J. AlFardan. Plaintext-recovery attacks against datagram TLS. In NDSS, 2012.
- NIST. FIPS PUB 186-4: Digital Signature Standard (DSS). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, 2013.
- Chanathip Namprempre, Phillip Rogaway, and Thomas Shrimpton. Reconsidering Generic Composition. In Advances in Cryptology – EUROCRYPT 2014, ISBN 9783642552199, pages 257–274, 2014. DOI 10.1007/978-3-642-55220-5_15.
- S. Micali and L. Reyzin. Physically observable cryptography (extended abstract). In TCC, pages 278–296, 2004.
- M. Medwed, F. Standaert, J. Großschädl, and F. Regazzoni. Fresh re-keying: Security against side-channel and fault attacks for low-cost devices. In AFRICACRYPT, pages 279–296, 2010.
- Daniel P. Martin, Elisabeth Oswald, Martijn Stam, and Marcin Wójcik. A Leakage Resilient MAC. In Cryptography and Coding, ISBN 9783319272382, pages 295–310, 2015. DOI 10.1007/978-3-319-27239-9_18.
- S. Mangard, E. Oswald, and F.-X. Standaert. One for all – all for one: unifying standard differential power analysis attacks. DOI 10.1049/iet-ifs.2010.0096.
- S. Mangard. Hardware countermeasures against DPA? A statistical analysis of their effectiveness. In CT-RSA, pages 222–235, 2004.
- J. Longo, E. De Mulder, D. Page, and M. Tunstall. SoC It to EM: ElectroMagnetic Side-Channel Attacks on a Complex System-on-Chip. In Lecture Notes in Computer Science, ISBN 9783662483237, pages 620–640, 2015. DOI 10.1007/978-3-662-48324-4_31.
- J. Longo, D. P. Martin, E. Oswald, D. Page, M. Stam, and M. Tunstall. Simulatable leakage: Analysis, pitfalls, and new constructions. In ASIACRYPT, Part I, pages 223–242, 2014.
- J. Katz and M. Yung. Unforgeable encryption and chosen ciphertext secure modes of operation. In FSE, pages 284–299, 2000.
- ISO/IEC 19772:2009. Information technology – Security techniques – Authenticated encryption. https://www.iso.org/standard/46345.html, 2009.
- V. T. Hoang, T. Krovetz, and P. Rogaway. Robust authenticated-encryption AEZ and the problem that it solves. In EUROCRYPT, volume 9056 of LNCS, pages 15–44. Springer, 2015.
- Shay Gueron and Yehuda Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. DOI 10.1145/2810103.2813613.
- D. Gruss, R. Spreitzer, and S. Mangard. Cache template attacks: Automating attacks on inclusive last-level caches. In USENIX Security, pages 897–912, 2015.
- B. Fuller and A. Hamlin. Unifying leakage classes: Simulatable leakage and pseudoentropy. In ICITS, pages 69–86, 2015.
- Sebastian Faust, Krzysztof Pietrzak, and Joachim Schipper. Practical Leakage-Resilient Symmetric Cryptography. In Cryptographic Hardware and Embedded Systems – CHES 2012, ISBN 9783642330261, pages 213–232, 2012. DOI 10.1007/978-3-642-33027-8_13.
- Stefan Dziembowski and Krzysztof Pietrzak. Leakage-Resilient Cryptography. DOI 10.1109/focs.2008.56.
- Thai Duong and Juliano Rizzo. Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET. DOI 10.1109/sp.2011.42.
- C. Dobraunig, F. Koeune, S. Mangard, F. Mendel, and F. Standaert. Towards fresh and hybrid re-keying schemes with beyond birthday security. In CARDIS, pages 225–241, 2015.
- C. Dobraunig, M. Eichlseder, S. Mangard, F. Mendel, and T. Unterluggauer. ISAP – Towards side-channel secure authenticated encryption. IACR Trans. Symmetric Cryptol., 2017(1):80–105, 2017.
- S. Chari, J. R. Rao, and P. Rohatgi. Template attacks. In B. S. Kaliski Jr., Ç. K. Koç, and C. Paar, editors, CHES, volume 2523 of LNCS, pages 13–28. Springer, 2002.
- CAESAR. Competition for Authenticated Encryption: Security, Applicability, and Robustness. https://competitions.cr.yp.to/caesar.html, 2012.
- A. Boldyreva, J. P. Degabriele, K. G. Paterson, and M. Stam. On symmetric encryption with distinguishable decryption failures. In FSE 2013, volume 8424 of LNCS, pages 367–390. Springer, 2013.
- Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. On the Indifferentiability of the Sponge Construction. In Advances in Cryptology – EUROCRYPT 2008, ISBN 9783540789666, pages 181–197, 2008. DOI 10.1007/978-3-540-78967-3_11.
- F. Berti, O. Pereira, T. Peters, and F. Standaert. On leakage-resilient authenticated encryption with decryption leakages. IACR Trans. Symmetric Cryptol., 2017(3):271–293, 2017.
- F. Berti, F. Koeune, O. Pereira, T. Peters, and F. Standaert. Leakage-resilient and misuse-resistant authenticated encryption. IACR Cryptology ePrint Archive, 2016:996, 2016.
- Mihir Bellare and Chanathip Namprempre. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. DOI 10.1007/s00145-008-9026-x.
- Sonia Belaïd, Vincent Grosso, and François-Xavier Standaert. Masking and leakage-resilient primitives: One, the other(s) or both? DOI 10.1007/s12095-014-0113-6.
- G. Barwell, D. Page, and M. Stam. Rogue decryption failures: Reconciling AE robustness notions. In IMACC 2015, volume 9496 of LNCS, pages 94–111. Springer, 2015.
- Guy Barwell, Daniel P. Martin, Elisabeth Oswald, and Martijn Stam. Authenticated Encryption in the Face of Protocol and Side Channel Leakage. In Advances in Cryptology – ASIACRYPT 2017, ISBN 9783319706931, pages 693–723, 2017. DOI 10.1007/978-3-319-70694-8_24.
- J. Balasch, B. Gierlichs, O. Reparaz, and I. Verbauwhede. DPA, bitslicing and masking at 1 GHz. In T. Güneysu and H. Handschuh, editors, CHES, volume 9293 of LNCS, pages 599–619. Springer, 2015.
- Elena Andreeva and Martijn Stam. The Symbiosis between Collision and Preimage Resistance. In Cryptography and Coding, ISBN 9783642255151, pages 152–171, 2011. DOI 10.1007/978-3-642-25516-8_10.
- E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, N. Mouha, and K. Yasuda. How to securely release unverified plaintext in authenticated encryption. In ASIACRYPT 2014, volume 8873 of LNCS, pages 105–125. Springer, 2014.
- Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. Plaintext Recovery Attacks against SSH. DOI 10.1109/sp.2009.5.
- Martin R. Albrecht and Kenneth G. Paterson. Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS. In Advances in Cryptology – EUROCRYPT 2016, ISBN 9783662498897, pages 622–643, 2016. DOI 10.1007/978-3-662-49890-3_24.
Bibliographic reference: Berti, Francesco; Koeune, François; Pereira, Olivier; Peters, Thomas; Standaert, François-Xavier. Ciphertext Integrity with Misuse and Leakage: Definition and Efficient Constructions with Symmetric Primitives. 2018 Asia Conference on Computer and Communications Security (AsiaCCS 2018) (Incheon, Republic of Korea, from 04/06/2018 to 08/06/2018). In: Asia-CCS 2018; in: Jong Kim, Gail-Joon Ahn, Seungjoo Kim, Yongdae Kim, Javier López, Taesoo Kim (eds.), Proceedings of the 2018 on Asia Conference on Computer and Communications Security, Association for Computing Machinery (ACM), 2018, p. 37-50.
Permanent URL: http://hdl.handle.net/2078.1/199233