On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks

  • Christoph Dobraunig
  • Maria Eichlseder
  • Stefan Mangard
  • Florian Mendel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8968)

Abstract

At AFRICACRYPT 2010 and CARDIS 2011, fresh re-keying schemes to counter side-channel and fault attacks were introduced. The idea behind those schemes is to shift the main burden of side-channel protection to a re-keying function \(g\) that is easier to protect than the main block cipher. This function produces new session keys based on the secret master key and random nonces for every block of message that is encrypted. In this paper, we present a generic chosen-plaintext key-recovery attack on both fresh re-keying schemes. The attack is based on two observations: Since session key collisions for the same message are easy to detect, it is possible to recover one session key with a simple time-memory trade-off strategy; and if the re-keying function is easy to invert (such as the suggested multiplication constructions), the attacker can use the session key to recover the master key. The attack has a complexity of about \(2 \cdot 2^{n/2}\) (instead of the expected \(2^n\)) for an \(n\)-bit key. For the typically employed block cipher AES-128, this would result in a key-recovery attack complexity of only \(2^{65}\). If weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.

Keywords

Side-channel attacks Fresh re-keying Key-recovery attack 

References

  1. 1.
    Abdalla, M., Belaïd, S., Fouque, P.-A.: Leakage-resilient symmetric encryption via re-keying. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 471–488. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  2. 2.
    Akkar, M.-L., Giraud, C.: An implementation of DES and AES, secure against some attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  3. 3.
    Ali, S., Mukhopadhyay, D., Tunstall, M.: Differential fault analysis of AES: towards reaching its limits. J. Cryptographic Eng. 3(2), 73–97 (2013)CrossRefGoogle Scholar
  4. 4.
    Belaïd, S., Santis, F.D., Heyszl, J., Mangard, S., Medwed, M., Schmidt, J., Standaert, F., Tillich, S.: Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis. J. Cryptographic Eng. 4(3), 157–171 (2014)Google Scholar
  5. 5.
    Bogdanov, A., Dobraunig, C., Eichlseder, M., Lauridsen, M., Mendel, F., Schläffer, M., Tischhauser, E.: Key Recovery Attacks on Recent Authenticated Ciphers. In: Aranha, D., Menezes, A. (eds.) LATINCRYPT. LNCS, Springer (2014) (to appear)Google Scholar
  6. 6.
    Brent, R.P.: An improved Monte Carlo factorization algorithm. BIT, Nord. Tidskr. Inf.-behandl. 20, 176–184 (1980)MATHMathSciNetGoogle Scholar
  7. 7.
    Grosso, V., Poussier, R., Standaert, F.X., Gaspar, L.: Combining leakage-resilient PRFs and shuffling (Towards Bounded Security for Small Embedded Devices). IACR Cryptology ePrint Archive 2014, p. 411 (2014)Google Scholar
  8. 8.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)CrossRefMATHMathSciNetGoogle Scholar
  9. 9.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  10. 10.
    Kocher, P.: Leak-resistant cryptographic indexed key update (Mar 25 2003). http://www.google.com/patents/US6539092. US Patent 6,539,092
  11. 11.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing the Secrets of Smart Cards. Springer, New York (2007)MATHGoogle Scholar
  12. 12.
    Medwed, M., Petit, C., Regazzoni, F., Renauld, M., Standaert, F.-X.: Fresh re-keying II: Securing multiple parties against side-channel and fault attacks. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 115–132. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  13. 13.
    Medwed, M., Standaert, F.-X., Großschädl, J., Regazzoni, F.: Fresh re-keying: Security against side-channel and fault attacks for low-cost devices. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 279–296. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  14. 14.
    Mendel, F., Mennink, B., Rijmen, V., Tischhauser, E.: A simple key-recovery attack on McOE-X. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 23–31. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  15. 15.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM Conference on Computer and Communications Security, pp. 210–218 (1994)Google Scholar
  16. 16.
    Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    Quisquater, J.-J., Delescaille, J.-P.: How easy is collision search. New results and applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990) Google Scholar
  18. 18.
    Tiri, K., Verbauwhede, I.: Securing encryption algorithms against DPA at the logic level: Next generation smart card technology. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 125–136. Springer, Heidelberg (2003) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Christoph Dobraunig
    • 1
  • Maria Eichlseder
    • 1
  • Stefan Mangard
    • 1
  • Florian Mendel
    • 1
  1. 1.IAIKGraz University of TechnologyGrazAustria

Personalised recommendations