Towards fresh re-keying with leakage-resilient PRFs: cipher design principles and analysis

Abstract

Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient re-keying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.

Appendices

Appendix A: Impact of key words repetitions

Let us denote by \(\fancyscript{S}\) a multiset of \(N_\mathrm{s}\) key words uniformly distributed in \([0\)...\(2^b-1]\). The number of permutations of these key words, or equivalently the complexity to order them, depends on the multiplicities of these key words in \(\fancyscript{S}\). We denote by \(m_j\) (with \(1\le j \le 2^b-1\)) the multiplicity of value \(j\), i.e., the number of times this value appears in the multiset \(\fancyscript{S}\). For instance, with \(\fancyscript{S}=\{3,3,5,8,8,8\}\) (\(N_\mathrm{s}=6\)), we have \(m_3=2\), \(m_5=1\), \(m_8=3\) and \(m_j=0\), \(\forall j \in [0,2^4-1]\backslash \{3,5,8\}\). Let us additionally denote by \(M_i^q\) the random variable representing the number of multiplicities equal to \(q\) when selecting the \(i\mathrm{th}\) key word (with \(1 \leqslant i \leqslant N\)). We can then write the following recursion formula that, under relevant boundary conditions, gives us the desired probabilities:

$$\begin{aligned}&\forall i,q,k \in [0..N_\mathrm{s}],~ {P}\left[ M_{i+1}^q = k\right] \\&\quad = \frac{k+1}{2^b}~ {P}\left[ M_i^q=k+1\right] + \sum _{l=0}^{N}~\left( {P}\left[ M_i^q=k-1\right] ~\frac{l}{2^b} \right. \\&\quad \quad \left. +\,\, {P}\left[ M_i^q=k\right] ~\left( 1-\frac{k+l}{2^b}\right) \right) ~ {P}\left[ M_i^{q-1}=l\right] . \end{aligned}$$

From these probabilities, we can deduce those of the time complexities of attacks for various parameters \(N_\mathrm{s}\) and \(b\). In practice, we used Monte Carlo sampling to evaluate the mean complexities thanks to the multiplicities distribution. That is, we drew a large (i.e., sufficient to have accurate estimates) number of independent random variables following a specific law to estimate its expectation using the law of large numbers.

Appendix B: Architecture’s design on a FPGA

Our analysis was conducted on a Xilinx Spartan 3 FPGA device manufactured in a 90 nm technology. We performed localized magnetic field measurements using a coil with a resolution of 100 m very closely positioned to the depackaged circuit’s front side surface. We performed \(27\times 27\) measurements covering the surface area confined by the conjunctions of the bonding wires. The architecture of the design is shown in Fig. 7.

Fig. 7

Prototype architecture for worst-case EM profiling

Appendix C: SNR maps of the \(32\) key words over the chip surface

See Figs. 8 and 9.

Fig. 8

Key word \(0\)–\(15\)

Fig. 9

Key word \(16\)–\(31\)