Leakage-Resilient Symmetric Encryption via Re-keying
In the paper, we study whether it is possible to construct an efficient leakage-resilient symmetric scheme using the AES block cipher. We aim at bridging the gap between the theoretical leakage-resilient symmetric primitives used to build encryption schemes and the practical schemes that do not have any security proof against side-channel adversaries. Our goal is to construct an as efficient as possible leakage-resilient encryption scheme, but we do not want to change the cryptographic schemes already implemented. The basic idea consists in adding a leakage-resilient re-keying scheme on top of the encryption scheme and has been already suggested by Kocher to thwart differential power analysis techniques. Indeed, in such analysis, the adversary queries the encryption box and from the knowledge of the plaintext/ciphertext, she can perform a divide-and-conquer key recovery attack. The method consisting in changing the key for each or after a small number of encryption with the same key is known as re-keying. It prevents DPA adversaries but not SPA attacks which uses one single leakage trace. Here, we prove that using a leakage-resilient re-keying scheme on top of a secure encryption scheme in the standard model, leads to a leakage-resilient encryption scheme. The main advantage of the AES block cipher is that its implementations are generally heuristically-secure against SPA adversaries. This assumption is used in many concrete instantiations of leakage-resilient symmetric primitives. Consequently, if we use it and change the key for each new message block, the adversary will not be able to recover any key if the re-keying scheme is leakage-resilient. There is mainly two different techniques for re-keying scheme, either parallel or sequential, but if we want to avoid the adversary having access to many inputs/outputs, only the sequential method is possible. However, the main drawback of the latter technique is that in case of de-synchronization, many useless computations are required. In our re-keying scheme, we use ideas from the skip-list data structure to efficiently recover a specific key.
Keywordsleakage-resilience symmetric encryption re-keying synchronization
Unable to display preview. Download preview PDF.
- 1.Abdalla, M., Belaïd, S., Fouque, P.-A.: Leakage-Resilient Symmetric Encryption via Re-Keying. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 471–488. Springer, Heidelberg (2013)Google Scholar
- 3.Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A Concrete Security Treatment of Symmetric Encryption. In: FOCS, pp. 394–403 (1997)Google Scholar
- 4.Bernstein, D.J.: Implementing ”Practical leakage-resilient symmetric cryptography”. In: CHES 2012 Rump Session (2012), http://cr.yp.to/talks/2012.09.10/slides.pdf
- 5.Biryukov, A., Khovratovich, D.: Two New Techniques of Side-Channel Cryptanalysis. In: Paillier, Verbauwhede (eds.) , pp. 195–208Google Scholar
- 8.Dziembowski, S., Pietrzak, K.: Leakage-Resilient Cryptography. In: FOCS, pp. 293–302 (2008)Google Scholar
- 10.Gérard, B., Standaert, F.-X.: Unified and Optimized Linear Collision Attacks and Their Application in a Non-profiled Setting. In: Prouff, Schaumont (eds.) , pp. 175–192Google Scholar
- 14.Impagliazzo, R.: A Personal View of Average-Case Complexity. In: Structure in Complexity Theory Conference, pp. 134–147 (1995)Google Scholar
- 16.Jaffe, J.: A first-order dpa attack against aes in counter mode with unknown initial counter. In: Paillier, Verbauwhede (eds.) , pp. 1–13Google Scholar
- 17.Kocher, P.C.: Leak-resistant cryptographic indexed key update. Patent, US 6539092 (March 2003)Google Scholar
- 33.Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive, 2004:332 (2004)Google Scholar
- 34.Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage Resilient Cryptography in Practice. In: Towards Hardware-Intrinsic Security. Information Security and Cryptography, pp. 99–134 (2010)Google Scholar