Abstract
Fresh re-keying is a type of protocol which aims at splitting the task of protecting an encryption/authentication scheme against side-channel attacks into two parts. One part, a re-keying function, has to satisfy a minimum set of properties (such as good diffusion), and is based on an algebraic structure that is easy to protect against side-channel attacks with countermeasures such as masking. The other part, a block cipher, brings resistance against mathematical cryptanalysis, and only has to be secure against single-measurement attacks. Since fresh re-keying schemes are cheap and stateless, they are convenient to use in practice and do not require any synchronization between communication parties. However, it has been shown that their first instantiation (from Africacrypt 2010) only provides birthday security because of a (mathematical only) collision-based key recovery attack recently put forward by Dobraunig et al. (CARDIS 2014). In this paper, we provide two provably secure (in the ideal cipher model) solutions to avoid such collision attacks. The first one is based on classical block ciphers, but does not achieve beyond-birthday CPA security (i.e. it only provably prevents the CARDIS 2014 key recovery attack) and requires an additional block cipher execution in the protocol. The second one is based on tweakable block ciphers and provides tight CPA security while also being more efficient. As a complement, we also show that our reasoning extends to hybrid schemes, where the communication party to protect against side-channel attacks is stateful. We illustrate this claim by describing a collision attack against an example of a hybrid scheme patented by Kocher, and presenting a tweak leading to beyond-birthday security. We conclude the paper by discussing the use of fresh/hybrid re-keying for encryption and authentication, together with a cautionary note on their side-channel resistance.
Notes
1. As usual, we assume that both \(\mathcal {O}\) and \(\mathcal {O'}\) act consistently: when receiving an input corresponding to a previous query, they simply replay the previous output (when \(\mathcal {O}\) implements \(\mathsf {F}\), its consistency is a direct consequence of the consistency of \(\mathcal {O'}\)).
2. That is, for each T, \(\varPi (T,\cdot )\) is a random permutation of the message space.
3. The tweak \(r'_i\), however, is randomly chosen by \(\mathcal {O}\).
4. The authors thank Marcel Medwed for pointing this out during this paper's presentation.
References
Abdalla, M., Bellare, M.: Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 546–559. Springer, Heidelberg (2000)
Belaïd, S., De Santis, F., Heyszl, J., Mangard, S., Medwed, M., Schmidt, J., Standaert, F., Tillich, S.: Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis. J. Cryptographic Eng. 4(3), 157–171 (2014)
Belaïd, S., Grosso, V., Standaert, F.: Masking and leakage-resilient primitives: one, the other(s) or both? Crypt. Commun. 7(1), 163–184 (2015)
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)
Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)
Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptology 23(4), 519–545 (2010)
Brenner, H., Gaspar, L., Leurent, G., Rosen, A., Standaert, F.-X.: FPGA implementations of SPRING. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 414–432. Springer, Heidelberg (2014)
CAESAR competition: Competition for Authenticated Encryption: Security, Applicability, and Robustness, submissions list. http://competitions.cr.yp.to/caesar-submissions.html
Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F.: On the security of fresh re-keying to counteract side-channel and fault attacks. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 233–244. Springer, Heidelberg (2015)
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS 2008, pp. 293–302. IEEE Computer Society (2008)
Grosso, V., Standaert, F., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? J. Cryptographic Eng. 4(1), 47–57 (2014)
Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
Kocher, P.C.: Leak-resistant cryptographic indexed key update. US Patent 6,539,092 (2003)
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
Medwed, M., Petit, C., Regazzoni, F., Renauld, M., Standaert, F.-X.: Fresh re-keying II: securing multiple parties against side-channel and fault attacks. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 115–132. Springer, Heidelberg (2011)
Medwed, M., Standaert, F.-X., Großschädl, J., Regazzoni, F.: Fresh re-keying: security against side-channel and fault attacks for low-cost devices. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 279–296. Springer, Heidelberg (2010)
Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-662-48116-5_21
Yu, Y., Standaert, F., Pereira, O., Yung, M.: Practical leakage-resilient pseudorandom generators. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) CCS 2010, pp. 141–151. ACM (2010)
Acknowledgments
The authors thank Christophe Petit for useful advice. This work has been supported in part by the Austrian Science Fund (project P26494-N15), by the Austrian Research Promotion Agency (FFG) under grant number 845589 (SCALAS), by the Brussels Region Research Funding Agency through the program Secur’IT and by the European Commission through the ERC project 280141 (CRASH) and the COST Action CRYPTACUS. F.-X. Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.).
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Dobraunig, C., Koeune, F., Mangard, S., Mendel, F., Standaert, FX. (2016). Towards Fresh and Hybrid Re-Keying Schemes with Beyond Birthday Security. In: Homma, N., Medwed, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science(), vol 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_14
DOI: https://doi.org/10.1007/978-3-319-31271-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31270-5
Online ISBN: 978-3-319-31271-2