
RCB: leakage-resilient authenticated encryption via re-keying

The Journal of Supercomputing

Abstract

The security of modern cryptosystems relies on the secrecy of the keys. Against the expectation that the keys used in cryptographic algorithms are perfectly secure, the keys can get compromised when implemented on physical devices. Because of the computational leakages from the execution of cryptographic algorithms, a variety of side-channel measurements can lead to full breaks of the targeted physical devices. Leakage-resilient cryptography aims at defining leakages in a generic model and designing provably secure primitives to capture side-channel attacks. For this purpose, several re-keying schemes are proposed to prevent encryption scheme from using the same key many times. In this paper, we propose a leakage-resilient authenticated encryption scheme, called Re-keying Code Book (RCB), that is secure against the side-channel attacks by combining with existing re-keying schemes. Our approach is to find efficient composition by combining two independent primitives, authenticated encryption, and re-keying schemes, rather than designing new algorithms. We also give the precise definitions of privacy and authenticity for authenticated encryption in a leakage-resilient model, and then, we provide the security proofs for RCB in a leakage-resilient model.



References

  1. Mangard S, Oswald E, Popp T (2008) Power analysis attacks: revealing the secrets of smart cards. Springer, New York


  2. Kocher PC (1996) Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in cryptology-CRYPTO, Springer, Berlin

  3. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Advances in cryptology-CRYPTO, Springer, Berlin

  4. Gandolfi K, Mourtel C, Olivier F (2001) Electromagnetic analysis: concrete results. In: Cryptographic hardware and embedded systems-CHES 2001. Springer, Berlin, pp 251–261

  5. Quisquater J-J, Samyde D (2001) Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Smart card programming and security, Springer, Berlin, pp 200–210

  6. Chari S et al (1999) Towards sound approaches to counteract power-analysis attacks. In: Advances in cryptology-CRYPTO, Springer, Berlin

  7. Goubin L, Patarin J (1999) DES and differential power analysis the duplication method. In: Cryptographic hardware and embedded systems, Springer, Berlin

  8. Messerges T (2000) Using second-order power analysis to attack DPA resistant software. In: Cryptographic hardware and embedded systems - CHES, Springer, Berlin

  9. Tiri K, Akmal M, Verbauwhede I (2002) A dynamic and differential CMOS logic with signal independent power consumption to withstand differential power analysis on smart cards. In: Solid-state Circuits Conference, ESSCIRC 2002, Proceedings of the 28th European, IEEE

  10. Abdalla M, Bellare M (2000) Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques. In: Advances in cryptology-ASIACRYPT, Springer, Berlin, pp 546–559

  11. Kocher PC (2003) Leak-resistant cryptographic indexed key update. U.S. Patent no. 6,539,092, 25 March 2003

  12. Medwed M et al (2010) Fresh re-keying: security against side-channel and fault attacks for low-cost devices. In: Progress in cryptology - AFRICACRYPT, Springer, Berlin, pp 279–296

  13. Medwed M et al (2011) Fresh re-keying II: securing multiple parties against side-channel and fault attacks. In: Smart card research and advanced applications, Springer, Berlin, pp 115–132

  14. Pessl P, Mangard S (2016) Enhancing side-channel analysis of binary-field multiplication with bit reliability. In: Topics in cryptology-CT-RSA 2016, Springer, New York, pp 255–270

  15. Abdalla M, Belad S, Fouque P-A (2013) Leakage-resilient symmetric encryption via re-keying. In: Cryptographic hardware and embedded systems-CHES, Springer, Berlin, pp 471–488

  16. Pereira O, Standaert F-X, Vivek S (2015) Leakage-resilient authentication and encryption from symmetric cryptographic primitives. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ACM

  17. Bellare M, Namprempre C (2000) Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Advances in cryptology-ASIACRYPT, Springer, Berlin, pp 531–545

  18. Namprempre C, Rogaway P, Shrimpton T (2014) Reconsidering generic composition. In: Advances in cryptology-EUROCRYPT 2014, Springer, Berlin, pp 257–274

  19. McGrew DA, Viega J (2004) The security and performance of the Galois/Counter Mode (GCM) of operation. In: Progress in cryptology-INDOCRYPT 2004, Springer, Berlin, pp 343–355

  20. Dworkin M (2006) Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) for confidentiality and authentication. Federal Information Processing Standard Publication FIPS, New York

  21. Dworkin M (2004) Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality. Federal Information Processing Standard Publication FIPS, New York

  22. Rogaway P, Bellare M, Black J (2003) OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans Inf Syst Secur (TISSEC) 6(3):365–403


  23. Bellare M, Rogaway P, Wagner D (2004) The EAX mode of operation. In: Fast software encryption, Springer, Berlin

  24. Dodis Y, Pietrzak K (2010) Leakage-resilient pseudorandom functions and side-channel attacks on feistel networks. In: Advances in Cryptology-CRYPTO 2010, Springer, Berlin, pp 21–40

  25. Dziembowski S, Pietrzak K (2008) Leakage-resilient cryptography. In: Foundations of Computer Science, 2008. FOCS 2008. IEEE 49th Annual IEEE Symposium on, IEEE

  26. Pietrzak K (2009) A leakage-resilient mode of operation. In: Advances in cryptology - EUROCRYPT 2009, Springer, Berlin, pp 462–482

  27. Yu Y et al (2010) Practical leakage-resilient pseudorandom generators. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, ACM

  28. Akavia A, Goldwasser S, Vaikuntanathan V (2009) Simultaneous hardcore bits and cryptography against memory attacks. In: Theory of cryptography, Springer, Berlin, pp 474–495

  29. Brakerski Z et al (2010) Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In: Foundations of Computer Science (FOCS), 2010 51st Annual IEEE Symposium on, IEEE

  30. Faust S, Pietrzak K, Schipper J (2012) Practical leakage-resilient symmetric cryptography. In: Cryptographic hardware and embedded systems - CHES 2012, Springer, Berlin, pp 213–232

  31. Standaert F-X et al (2010) Leakage resilient cryptography in practice. In: Towards hardware-intrinsic security, Springer, Berlin, pp 99–134

  32. Bellare M, Canetti R, Krawczyk H (1996) Pseudorandom functions revisited: the cascade construction and its concrete security. In: Foundations of Computer Science, 1996, Proceedings, 37th Annual Symposium on, IEEE

  33. Shoup V (2004) Sequences of games: a tool for taming complexity in security proofs. In: IACR cryptology ePrint archive, p 332

  34. Bellare M, Rogaway P (2006) The security of triple encryption and a framework for code-based game-playing proofs. In: Advances in cryptology - EUROCRYPT 2006, Springer, Berlin, pp 409–426


Correspondence to Jinkeon Kang.

Appendix

1.1 Proof of Lemma 1

In Sect. 2, Lemma 1 states that the multi-oracle family of one-time leakage-resilient PRFs is secure. The proof follows.

Proof

To prove this lemma, we use a hybrid argument (the proof is similar to that of Lemma 3.3 in [32]). Let F be a function family from \(\{0, 1\}^m\) to \(\{0, 1\}^n\) with key length k, and let \(m \ge 1\). We also let , and let . We construct an algorithm \(\mathcal {C}_\mathcal {A}\): given black-box access to an adversary \(\mathcal {C}\) with advantage \({\mathsf {Adv}}_{mF}^{\mathrm {ot-lr-prf}}(\mathcal {C})\), the algorithm \(\mathcal {C}_\mathcal {A}\) defines an adversary \(\mathcal {A}\) with advantage \({\mathsf {Adv}}_{f}^{\mathrm {ot-lr-prf}}(\mathcal {A}) \ge {\mathsf {Adv}}_{mF}^{\mathrm {ot-lr-prf}}({\mathcal {C}})/m\).

Adversary \(\mathcal {C}\), given oracle f, first chooses an integer at random. Next, it chooses functions from F uniformly and independently. It sets \(f_i\) to its oracle function f with leakage function L. It also chooses random functions \(f_{i+1}, \ldots , f_m\) from \(\mathcal {R}\). It then runs adversary \(\mathcal {A}\) with oracles \(f_1, \ldots , f_m\): a query to the jth oracle is answered via \(f_j\), i.e., \(\mathcal {C}\) invokes its own oracle when \(j = i\) and otherwise uses one of the functions it chose. Adversary \(\mathcal {C}\) outputs whatever \(\mathcal {A}\) outputs.

Choosing \(f_1, \ldots , f_{i-1}\) from F means choosing \(i - 1\) keys \(K_1, \ldots , K_{i - 1}\) at random and replying to a jth query x, for \(j < i\), with \(f_j(x)\). Furthermore, \(\mathcal {A}\) cannot choose random functions. Therefore, whenever \(\mathcal {B}\) asks a jth query x, for \(j > i\), it chooses a random string of length k if x has not been queried before, adds the pair to the record list and returns the string; if x has already been queried, the answer is taken from the record list.

Now, for \(i = 1, \ldots , m\), let \(G_i = F \times \cdots \times F \times \mathcal {R} \times \cdots \times \mathcal {R}\), where there are i copies of F and \(m - i\) copies of \(\mathcal {R}\). Picking a vector \((f_1, \ldots , f_m)\) of functions at random from this space means choosing \(f_j\) at random from F for \(j = 1, \ldots , i\) and \(f_j\) at random from \(\mathcal {R}\) for \(j = i+1, \ldots , m\). We let

$$\begin{aligned} p_i= & {} \underset{(f_1, \ldots , f_m) \xleftarrow {\$} G_i}{\mathrm {Pr}} \left[ \mathcal {C}^{\left[ f_1, f_1^L\right] (\cdot ), \ldots , \left[ f_m, f_m^L\right] (\cdot )} = 1 \right] \end{aligned}$$

be the probability that \(\mathcal {B}\) outputs one when its oracles are chosen at random from \(G_i\). Let \(\mathcal {B}[i]\) denote the operation of \(\mathcal {B}\) with fixed input i. Now notice that for \(i = 1, \ldots , m\):

$$\begin{aligned} \underset{f \xleftarrow {\$} \mathcal {R}}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )}[i] = 1 \right]= & {} p_{i - 1} \\ \underset{f \xleftarrow {\$} F}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )}[i] = 1 \right]= & {} p_i. \end{aligned}$$

Thus

$$\begin{aligned} \underset{f \xleftarrow {\$} \mathcal {R}}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )} = 1 \right]= & {} (1/m) \cdot \sum _{j = 1}^m p_{j-1} \\ \underset{f \xleftarrow {\$} F}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )} = 1 \right]= & {} (1/m) \cdot \sum _{j = 1}^m p_{j} . \end{aligned}$$

Thus, the advantage of \(\mathcal {A}\) is

$$\begin{aligned} \mathsf {Adv}_{f}^{\mathrm {ot-lr-prf}}(\mathcal {A})= & {} \underset{f \xleftarrow {\$} F}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )} = 1 \right] - \underset{f \xleftarrow {\$} \mathcal {R}}{\mathrm {Pr}} \left[ \mathcal {A}^{[f, f^L](\cdot )} = 1 \right] \\= & {} (1/m) \cdot (p_m - p_0) . \end{aligned}$$

Now, observe from the assumption that

$$\begin{aligned} p_m= & {} \underset{(f_1, \ldots , f_m) \xleftarrow {\$} F}{\mathrm {Pr}} \left[ \mathcal {C}^{\left[ f_1, f_1^L\right] (\cdot ), \ldots , \left[ f_m, f_m^L\right] (\cdot )} = 1 \right] \\= & {} \underset{f \xleftarrow {\$} mF}{\mathrm {Pr}} \left[ \mathcal {C}^{[f, f^L](\cdot )} = 1 \right] \end{aligned}$$

and

$$\begin{aligned} p_0= & {} \underset{(f_1, \ldots , f_m) \xleftarrow {\$} \mathcal {R}}{\mathrm {Pr}} \left[ \mathcal {C}^{[f_1, f_1^L](\cdot ), \ldots , \left[ f_m, f_m^L\right] (\cdot )} = 1 \right] \\= & {} \underset{f \xleftarrow {\$} m\mathcal {R}}{\mathrm {Pr}} \left[ \mathcal {C}^{[f, f^L](\cdot )} = 1 \right] . \end{aligned}$$

Therefore, we have \(\mathsf {Adv}_{f}^{\mathrm {ot-lr-prf}}(\mathcal {A}) \ge (1/m) \cdot \mathsf {Adv}_{mF}^{\mathrm {ot-lr-prf}}(\mathcal {C})\) as required.

\(\square \)

1.2 Proof of Theorem 1

In Sect. 4, Theorem 1 states that the authenticated encryption scheme RCB, composed of a re-keying scheme and a block cipher as shown in Fig. 1, is secure in the real-or-random sense. The proof follows.

Proof

Let \(\mathsf {AE} = \mathsf {(KG, E, D)}\) be an authenticated encryption scheme as defined in Sect. 2.3. Our AE scheme is composed of two parts: the re-keying scheme g and the block cipher f. For the non-adaptive granular leakage-resilient model, our AE scheme is split into time steps which leak independently. The adversary \(\mathcal {A}\) is allowed to choose a leakage function \(L = (L_1, L_2)\) with one component for each of these time steps: \(L_1\) for the re-keying scheme and \(L_2\) for the block cipher. He then submits q distinct queries to his oracle. For each query, he gets back either the real or the random output of his query, together with leakage that is exactly the output of the leakage function L he chose. (We restrict adversary \(\mathcal {A}\) so that he cannot query the re-keying oracle without querying the encryption oracle.) We show that our scheme is leakage-resilient secure. We organize our security proof as a sequence of games [33]. We start with game \(G_0\) as the real game and make transitions from \(G_0\) to convert it into the random game \(G_n\) for some n. We write \(\text {Pr}[G_i]\) for the probability of the winning event that game \(G_i\) outputs 1, for \(i = 0, 1, 2, \ldots \).

Game \(G_0\): This game simulates the real game, i.e., the adversary \(\mathcal {A}\) gets both the leakage and the real outputs of his queries. It directly corresponds to the left-hand side of the probability in Definition 3 for an adversary \(\mathcal {A}\) having access to the oracle. Thus, we have

$$\begin{aligned} \text {Pr}[G_0]= & {} \underset{K^* \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}} \left[ \mathcal {A}^{\left[ \mathsf {E}_{K^*}, \mathsf {E}_{K^*}^L\right] (\cdot )} = 1 \right] . \end{aligned}$$
(1)

Game \(G_1\): In this game, we make a small change to the previous game. Instead of computing the intermediate keys with the leakage-resilient re-keying scheme g, we generate them with a random function; equivalently, the intermediate keys are chosen uniformly and independently from \(\{0, 1\}^k\). Refer to Fig. 7.

Suppose an adversary \(\mathcal {A}\) distinguishes these two games. We build an adversary \(\mathcal {B}\) against the re-keying scheme g that uses adversary \(\mathcal {A}\) as a subroutine. The process is shown in Fig. 6.

Adversary game \(\mathcal {B}_\mathcal {A}^{[\mathcal {O}, g_{K^*}^{L}](\cdot )}\): First, adversary \(\mathcal {A}\) chooses a leakage function \(L = (L_1, L_2)\) and sends it to adversary \(\mathcal {B}\), who forwards it to his challenger. The challenger chooses the keys \(K_i\) for \(i \in [q]\), which are either the real keys or random keys. Adversary \(\mathcal {B}_\mathcal {A}\) is then given oracle access \(\mathcal {O}\), which generates the fresh keys used to encrypt the queries submitted by adversary \(\mathcal {A}\). For each query \(M_i\), adversary \(\mathcal {B}\) computes \(f(K_i, M_i)\) and the leakage \(L_2(K_i, M_i)\) and replies to adversary \(\mathcal {A}\) with \((\mathsf {E}(K_i, M_i)\), \(L_1(K, ctr_i)\), \(L_2(K_i, M_i))\).

Finally, \(\mathcal {A}\) receives the ciphertexts for his queries, together with the leakage, computed either with the real keys or with random keys. If the keys are real, i.e., generated by the re-keying scheme, this perfectly simulates game \(G_0\). Therefore, we have

$$\begin{aligned} \text {Pr}[G_0]= & {} \underset{K^* \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}}\left[ \mathcal {B}_\mathcal {A}^{\left[ g_{K^*}, g_{K^*}^L\right] (\cdot )} = 1\right] . \end{aligned}$$
(2)

If instead the intermediate keys are chosen at random from \(\{0, 1\}^k\), this perfectly simulates game \(G_1\). Thus, we have

$$\begin{aligned} \text {Pr}[G_1]= & {} \underset{K^* \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}}\left[ \mathcal {B}_\mathcal {A}^{\left[ R, g_{K^*}^L\right] (\cdot )} = 1\right] . \end{aligned}$$
(3)

From Eqs. (2), (3), and (4), the distinguishing advantage of \(\mathcal {A}\) in games \(G_0\) and \(G_1\) is bounded by the advantage of adversary \(\mathcal {B}\) against the leakage-resilient re-keying scheme. Therefore, we have

(4)

Game \(G_2\): We modify game \(G_1\) by replacing all invocations of the block cipher f with invocations of truly random functions R chosen independently from \(\mathcal {R}(m, n)\). That is, for each query submitted by adversary \(\mathcal {A}\), the answer is the output of a random function.

Suppose an adversary \(\mathcal {A}\) distinguishes games \(G_1\) and \(G_2\). We build an adversary \(\mathcal {C}\) against the block cipher f that uses adversary \(\mathcal {A}\) as a subroutine. The process is shown in Fig. 7.

Adversary \(\mathcal {C}_\mathcal {A}^{[\mathcal {MO}, f_{K^*}^L](\cdot )}\): First, adversary \(\mathcal {A}\) chooses a leakage function \(L = (L_1, L_2)\) and sends it to adversary \(\mathcal {C}\), who forwards it to his challenger. The challenger generates the master key K and the counter values uniformly at random and uses them to compute the leakage of the re-keying scheme g and the intermediate keys. For each query \(M_i\), \(i \in [q]\), submitted by adversary \(\mathcal {A}\), the challenger directly computes the leakage of the whole encryption. Adversary \(\mathcal {C}\) gets back the corresponding leakage and outputs and sends them to \(\mathcal {A}\) as \((\mathsf {E}(K_i, M_i), L_1(K, ctr_i), L_2(K_i, M_i))\).

Finally, \(\mathcal {A}\) receives, together with the leakage for his queries, ciphertexts generated either by the block cipher or by the random function R. In Fig. 8, we define the random function R as a subroutine for ease of simulation. We call these functions f or R the functions of the multi-oracle family of functions. If the ciphertexts are generated by the block cipher, this perfectly simulates game \(G_1\). Therefore, we have

$$\begin{aligned} \text {Pr}[G_1]= & {} \underset{(K_1, \ldots , K_w) \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}}\left[ \mathcal {C}_\mathcal {A}^{\left[ f_{K_1}, f_{K_1}^L\right] (\cdot ), \ldots , \left[ f_{K_w}, f_{K_w}^L\right] (\cdot )} = 1\right] . \end{aligned}$$
(5)

If instead the ciphertexts are the outputs of the random functions on the input queries \(M_i\), this perfectly simulates game \(G_2\). Therefore, we have

$$\begin{aligned} \text {Pr}[G_2]= & {} \underset{(R_1, \ldots , R_w) \xleftarrow {\$} \mathcal {R}(m, n), (K_1, \ldots , K_w) \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}}\left[ \mathcal {C}_\mathcal {A}^{\left[ R_1, f_{K_1}^L\right] (\cdot ), \ldots , \left[ R_w, f_{K_w}^L\right] (\cdot )} = 1\right] .\nonumber \\ \end{aligned}$$
(6)

From Eqs. (4), (5), and (6), the distinguishing advantage of \(\mathcal {A}\) in games \(G_1\) and \(G_2\) is bounded by the advantage of adversary \(\mathcal {C}\) against the multi-oracle family of one-time leakage-resilient PRFs. Therefore, we have

(7)

From the result of Lemma 1 given in Sect. 2, we have

$$\begin{aligned} |\text {Pr}[G_1] - \text {Pr}[G_2] |\le & {} q(w+1)\mathsf {Adv}_{f}^{\mathrm {ot-lr-prf}}(\mathcal {C}) \end{aligned}$$
(8)

where q is the total number of queries asked to the encryption oracle and \((w+1)\) is the total number of block cipher invocations per message query.

Game \(G_3\): In this game, we define a “\(\mathsf {bad}\)” event in the subroutine: it occurs when a randomly chosen answer from \(\{0, 1\}^n\) repeats, in the case where the query–response pair does not yet exist in the set \(I_R\). If the \(\mathsf {bad}\) event occurs but no action is taken, games \(G_2\) and \(G_3\) behave identically. Thus, we have

$$\begin{aligned} \text {Pr}[G_2]= & {} \text {Pr}[G_3] . \end{aligned}$$
(9)

Game \(G_4\): In this game, when the “\(\mathsf {bad}\)” event occurs in the subroutine, the flag \(\mathsf {bad}\) is set to \(\mathsf {true}\) and a fresh random response is again taken from \(\{0, 1\}^n\). Therefore, the distinguishing advantage of adversary \(\mathcal {A}\) between games \(G_3\) and \(G_4\) is bounded by the probability of the \(\mathsf {bad}\) event. Thus, we have

$$\begin{aligned} |\text {Pr}[G_3] - \text {Pr}[G_4] |\le & {} \text {Pr}[\mathsf {bad}] \nonumber \\\le & {} \frac{q^2(w+1)^2}{2^{n + 1}} . \end{aligned}$$
(10)

Game \(G_5\): This game perfectly simulates the random game in the random world. In game \(G_5\), the ciphertext is completely random, i.e., independent of the output of the real game, so

$$\begin{aligned} \text {Pr}[G_4]= & {} \text {Pr}[G_5] . \end{aligned}$$
(11)

and the winning advantage of \(\mathcal {A}\) in game \(G_5\) is the same as in the random game, defined by

$$\begin{aligned} \text {Pr}[G_5]= & {} \underset{K^* \xleftarrow {\$} \{0, 1\}^k}{\mathrm {Pr}} \left[ \mathcal {A}^{\mathsf {AE}^R(K^*, \cdot ), \mathsf {AE}^L(K^*, \cdot )} = 1 \right] . \end{aligned}$$
(12)

Summing up Eqs. (2) to (12), the distinguishing advantage of adversary \(\mathcal {A}\) against RCB stated in Theorem 1 follows. \(\square \)

Fig. 6: Game \(G_0\) and adversary game \(\mathcal {B}_\mathcal {A}^{[\mathcal {O}, g_{K^*}^L](\cdot )}\)

Fig. 7: Game \(G_1\) and adversary game \(\mathcal {C}_\mathcal {A}^{[\mathcal {MO}, f_{K^*}^L](\cdot )}\)

Fig. 8: Game \(G_{2}\)

Fig. 9: Games \(G_3\) and \(G_4\)

Fig. 10: Game \(G_5\)

1.3 Proof of Theorem 2

In Sect. 4, Theorem 2 states that the authenticated encryption scheme RCB, composed of a re-keying scheme and a block cipher as shown in Fig. 1, is unforgeable in the leakage-resilient model. The proof follows.

Proof

Let \(\mathsf {AE} = \mathsf {(KG, E, D)}\) be an authenticated encryption scheme as defined in Sect. 2. Let \(\mathcal {A}\) be a PPT adversary who has access to the encryption oracle and tries to forge the authenticity of messages. We show that our AE scheme is unforgeable. We organize our security proof as a sequence of games [33]. We start with game \(G_0\) as the real game and make transitions from \(G_0\) to convert it into the random game \(G_5\); the transitions from game \(G_0\) to game \(G_5\) are exactly as in the privacy proof. After this, we do a case-by-case analysis.

For simplicity, we assume that all input–output blocks of messages are of full length, including the tag-generation block. Thus, the last block always uses \(\mathsf {len}(\cdot )\) as a constant value, say const. Now, adversary \(\mathcal {A}\) can make at most q valid encryption queries and gets the corresponding answers \(\chi = (ind||C||T)\). All these query–response pairs \((M, \chi = (ind||C||T))\) are maintained in the set \(I_F\). The adversary’s goal is then to produce a valid forgery \((M^*, (ind^*||C^*||T^*))\) for which there is no \(M^*\) with \((M^*, \chi = (ind^*||C^*||T^*)) \in I_F\), and which is accepted by the decryption oracle.

Let \(\lambda \) denote an element of the set \(I_F\), i.e., a valid input–output response of the form (M, (ind||C||T)) which adversary \(\mathcal {A}\) holds. For the q encryption queries made by adversary \(\mathcal {A}\), the input–output responses are denoted by \(\lambda _1, \ldots , \lambda _q\). Since \(I_F\) is an ordered set due to the order of the indices, these \(\lambda _i\), \(i \in [q]\), are also contained in \(I_F\) in an ordered way. For a fixed i, if we partition \(\lambda _i\) into block-by-block input–output responses, we obtain a set \(S_i = \{(ind_i,M_i[1],C_i[1]), \ldots , ((ind_i+w_i-1),M_i[w_i-1],C_i[w_i-1]), ((ind_i+w_i+1),const \oplus ind_i, Y), ((ind_i+w_i+2),checksum,T) \}\), where \(M_i = M_i[1] || \cdots || M_i[w_i]\), \(Y= C_i[w_i] \oplus M_i[w_i]\) and \(\mathsf {checksum} = M_i[1] \oplus M_i[2]\oplus \cdots \oplus M_i[w_i] \), and where \(w_i\) is the number of n-bit message blocks in \(M_i\). Similarly, for each \(\lambda _j\), \(j \in [q]\), we have a set \(S_j\) which contains \(w_j + 1\) pairs.

Let \(I_R\) be the set containing all the elements of every \(S_i\), \(i \in [q]\). Each element of \(I_R\) is represented as \((ctr, X, Y)\). No two sets \(S_i\) and \(S_j\) share the same ctr, and every \(S_i\) is an ordered subset of \(I_R\). Due to the design of RCB (skipping a key before the invocation of the last message block), the last element depends on all previous elements of \(S_i\) and the second-to-last element depends on the first element of \(S_i\); therefore, any subset \(S^*\) of \(S_i\) results in a random X or Y for its last and second-to-last elements, because of a different Y or X in \((ctr, \star , \star ) \in I_R\). Hence, the probability that the calculated Y in the last element of \(S^*\) matches a valid Y in \(S^*\) is equal to \(1/2^\tau \).

The last possible case is when \( S^* \) has elements from two different sets \( S_i \) and \( S_{j} \). In this case, the second-to-last block element of \( S^* \) will not match \( S_{j} \) and results in a random X or Y for the calculated last and second-to-last elements of \( S^* \), because of a different Y or X for the particular \( (ctr, \star , \star ) \in I_R\). If they do match, the probability that the calculated Y in the last element of \( S^* \) equals the proposed last element of \( S^* \) is \( 1/2^\tau \) (Figs. 9, 10).

Therefore, for \( S^* \) to be a valid forgery query that contains elements not belonging to \( I_R \) and is still accepted by the decryption oracle is equivalent to a collision on the last block input or output. Hence, the forgery probability is \( \dfrac{1}{ 2^n } \), which is bounded above by \(\dfrac{1}{ 2^{\tau } }\) when the last block is shorter than a complete block. \(\square \)
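As an added worked example (not code from the paper or its authors), the following Python reconstructs the RCB structure that the forgery analysis above relies on: a fresh intermediate key \(g(K^*, ctr)\) for every block-cipher call, direct code-book encryption of the first \(w-1\) blocks, a counter-style last block whose input is \(const \oplus ind\), one skipped counter before it, and a tag computed over the checksum of the message blocks. It assumes g is instantiated with HMAC-SHA256 and f with a toy Feistel cipher whose round function is HMAC (a stand-in for AES that keeps the code stdlib-only and invertible; it is not a secure cipher by itself); the exact counter offsets are my own convention (the appendix places the last two invocations at \(ind_i+w_i+1\) and \(ind_i+w_i+2\)). The demo checks the round trip, that a one-bit change to the ciphertext is rejected by the tag check, and that two consecutive messages never share a counter, so no intermediate key is ever used twice.

```python
"""RCB-style authenticated encryption with per-block re-keying (added illustration,
not the paper's reference code). Assumptions not taken from the page: g is HMAC-SHA256
truncated to k bits; f is a toy 4-round Feistel cipher with HMAC round functions
(stand-in for AES); the counter layout in counter_layout() is my own convention."""
import hmac
import hashlib
from typing import List, Optional, Tuple

N = 16    # block size n = 128 bits, in bytes
K = 16    # intermediate key length k = 128 bits, in bytes
TAU = 16  # tag length tau, in bytes
CONST = bytes([0x80]) + bytes(N - 1)  # plays the role of len(.) for a full last block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def g(master_key: bytes, ctr: int) -> bytes:
    """Re-keying scheme g: fresh intermediate key K_ctr from the master key and a counter."""
    return hmac.new(master_key, b"rekey" + ctr.to_bytes(8, "big"), hashlib.sha256).digest()[:K]


def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:N // 2]


def f_enc(key: bytes, block: bytes) -> bytes:
    """Toy block cipher f (4-round Feistel), forward direction."""
    left, right = block[:N // 2], block[N // 2:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def f_dec(key: bytes, block: bytes) -> bytes:
    """Inverse of f_enc: undo the Feistel rounds in reverse order."""
    left, right = block[:N // 2], block[N // 2:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def counter_layout(ind: int, w: int) -> Tuple[List[int], int, int]:
    """Counters for a w-block message starting at index ind (assumed convention): the first
    w-1 blocks use ind .. ind+w-2, counter ind+w-1 is deliberately skipped (the 'skipped key'
    of the RCB design), the last block uses ind+w and the tag uses ind+w+1."""
    return [ind + j for j in range(w - 1)], ind + w, ind + w + 1


def _checksum(blocks: List[bytes]) -> bytes:
    acc = bytes(N)
    for b in blocks:
        acc = xor(acc, b)
    return acc


class RCB:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.next_ind = 0  # monotone: no counter, hence no intermediate key, is ever reused

    def encrypt(self, msg: bytes) -> Tuple[int, bytes, bytes]:
        if not msg or len(msg) % N:
            raise ValueError("example handles full n-bit blocks only, as assumed in the proof")
        blocks = [msg[i:i + N] for i in range(0, len(msg), N)]
        ind = self.next_ind
        data_ctrs, last_ctr, tag_ctr = counter_layout(ind, len(blocks))
        self.next_ind = tag_ctr + 1
        # code-book part: every block is enciphered directly under its own fresh key
        ct = [f_enc(g(self.master_key, c), b) for c, b in zip(data_ctrs, blocks[:-1])]
        # last block: C[w] = f(K_last, const XOR ind) XOR M[w], so Y = C[w] XOR M[w]
        pad = f_enc(g(self.master_key, last_ctr), xor(CONST, ind.to_bytes(N, "big")))
        ct.append(xor(pad, blocks[-1]))
        # tag: f(K_tag, checksum) truncated to tau bytes, checksum = XOR of all message blocks
        tag = f_enc(g(self.master_key, tag_ctr), _checksum(blocks))[:TAU]
        return ind, b"".join(ct), tag

    def decrypt(self, ind: int, ct: bytes, tag: bytes) -> Optional[bytes]:
        """Returns the message, or None when the tag does not verify (forgery rejected)."""
        if not ct or len(ct) % N or len(tag) != TAU:
            return None
        cblocks = [ct[i:i + N] for i in range(0, len(ct), N)]
        data_ctrs, last_ctr, tag_ctr = counter_layout(ind, len(cblocks))
        msg = [f_dec(g(self.master_key, c), b) for c, b in zip(data_ctrs, cblocks[:-1])]
        pad = f_enc(g(self.master_key, last_ctr), xor(CONST, ind.to_bytes(N, "big")))
        msg.append(xor(pad, cblocks[-1]))
        expected = f_enc(g(self.master_key, tag_ctr), _checksum(msg))[:TAU]
        if not hmac.compare_digest(expected, tag):
            return None
        return b"".join(msg)


def demo() -> Tuple[bool, bool, bool]:
    """Round trip, rejection of a tampered ciphertext, distinct counters across messages."""
    rcb = RCB(b"\x01" * K)                          # constructed sample master key
    m1 = b"attack at dawn!!" + b"second block...."  # two full blocks (constructed)
    ind1, c1, t1 = rcb.encrypt(m1)
    roundtrip_ok = rcb.decrypt(ind1, c1, t1) == m1
    tampered = bytes([c1[0] ^ 0x01]) + c1[1:]
    forgery_rejected = rcb.decrypt(ind1, tampered, t1) is None
    ind2, _, _ = rcb.encrypt(b"third message..!")
    used1 = set(counter_layout(ind1, 2)[0]) | set(counter_layout(ind1, 2)[1:])
    used2 = set(counter_layout(ind2, 1)[0]) | set(counter_layout(ind2, 1)[1:])
    return roundtrip_ok, forgery_rejected, used1.isdisjoint(used2)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The tag check uses a constant-time comparison so that the decryption oracle itself does not become a timing side channel, which is the kind of leakage the paper's model is meant to absorb; the monotone counter in the class is what enforces the "one key per invocation" property that the re-keying argument depends on.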

1.4 Games for privacy and authenticity proofs for RCB

Here we give the sequence of games used in the security proofs of Theorems 1 and 2.


Cite this article

Agrawal, M., Bansal, T.K., Chang, D. et al. RCB: leakage-resilient authenticated encryption via re-keying. J Supercomput 74, 4173–4198 (2018). https://doi.org/10.1007/s11227-016-1824-6
