Towards Fresh and Hybrid Re-Keying Schemes with Beyond Birthday Security
Fresh re-keying is a type of protocol which aims at splitting the task of protecting an encryption/authentication scheme against side-channel attacks into two parts. One part, a re-keying function, has to satisfy a minimum set of properties (such as good diffusion), and is based on an algebraic structure that is easy to protect against side-channel attacks with countermeasures such as masking. The other part, a block cipher, brings resistance against mathematical cryptanalysis, and only has to be secure against single-measurement attacks. Since fresh re-keying schemes are cheap and stateless, they are convenient to use in practice and do not require any synchronization between the communicating parties. However, it has been shown that their first instantiation (from Africacrypt 2010) only provides birthday security, because of a (purely mathematical) collision-based key recovery attack recently put forward by Dobraunig et al. (CARDIS 2014). In this paper, we provide two provably secure (in the ideal cipher model) solutions to avoid such collision attacks. The first one is based on classical block ciphers, but does not achieve beyond-birthday CPA security (i.e. it only provably prevents the CARDIS 2014 key recovery attack) and requires an additional block cipher execution in the protocol. The second one is based on tweakable block ciphers and provides tight CPA security while also being more efficient. As a complement, we also show that our reasoning extends to hybrid schemes, where the communication party to protect against side-channel attacks is stateful. We illustrate this claim by describing a collision attack against an example of a hybrid scheme patented by Kocher, and by presenting a tweak leading to beyond-birthday security. We conclude the paper by discussing the use of fresh/hybrid re-keying for encryption and authentication, together with a cautionary note on their side-channel resistance.
Keywords: Block Cipher, Compression Function, Cryptographic Hash Function, Collision Attack, Fault Attack
The authors thank Christophe Petit for useful advice. This work has been supported in part by the Austrian Science Fund (project P26494-N15), by the Austrian Research Promotion Agency (FFG) under grant number 845589 (SCALAS), by the Brussels Region Research Funding Agency through the program Secur’IT and by the European Commission through the ERC project 280141 (CRASH) and the COST Action CRYPTACUS. F.-X. Standaert is a research associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.).
- 2. Belaïd, S., De Santis, F., Heyszl, J., Mangard, S., Medwed, M., Schmidt, J., Standaert, F.-X., Tillich, S.: Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis. J. Cryptographic Eng. 4(3), 157–171 (2014)
- 7. Brenner, H., Gaspar, L., Leurent, G., Rosen, A., Standaert, F.-X.: FPGA implementations of SPRING. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 414–432. Springer, Heidelberg (2014)
- 8. Competition, C. http://competitions.cr.yp.to/caesar-submissions.html
- 9. Dobraunig, C., Eichlseder, M., Mangard, S., Mendel, F.: On the security of fresh re-keying to counteract side-channel and fault attacks. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 233–244. Springer, Heidelberg (2015)
- 10. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS 2008, pp. 293–302. IEEE Computer Society (2008)
- 12. Jean, J., Nikolic, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
- 13. Kocher, P.C.: Leak-resistant cryptographic indexed key update. US Patent 6,539,092 (2003)
- 18. Yu, Y., Standaert, F.-X., Pereira, O., Yung, M.: Practical leakage-resilient pseudorandom generators. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) CCS 2010, pp. 141–151. ACM (2010)