Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks
Yevgeniy Dodis,Krzysztof Pietrzak +1 more
- pp 21-40
Reads0
Chats0
TLDR
It is proved that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP, and generic side-channel attacks against Feistels are proposed.Abstract:
A cryptographic primitive is leakage-resilient, if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded.
In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom functions and permutations (i.e. block-ciphers). Our results are three fold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakage-resilience where (1) the leakage function is fixed (and not adaptively chosen with each query.) and (2) the computation is split into several steps which leak individually (a "step" will be the invocation of the underlying PRF.) 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP. This reduction also holds for the non-adaptive notion just discussed, we thus get a block-cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example we show how to invert an r round Feistel network over 2n bits making 4ċ(n+1)r-2 forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item showing that a super-constant number of rounds is necessary.read more
Citations
More filters
Book ChapterDOI
BiTR: built-in tamper resilience
TL;DR: The notion of Built-in Tamper Resilience (BiTR) was introduced in this paper for cryptographic protocols, capturing the idea that the protocol that is encapsulated in a hardware token is designed in such a way so that tampering gives no advantage to an adversary.
Journal ArticleDOI
Introduction to differential power analysis
TL;DR: This paper examines how information leaked through power consumption and other side channels can be analyzed to extract secret keys from a wide range of devices and introduces approaches for preventing DPA attacks and for building cryptosystems that remain secure even when implemented in hardware that leaks.
Book ChapterDOI
Masking against Side-Channel Attacks: A Formal Security Proof
Emmanuel Prouff,Matthieu Rivain +1 more
TL;DR: It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.
Proceedings ArticleDOI
Practical leakage-resilient identity-based encryption from simple assumptions
TL;DR: This work designs the first Leakage-Resilient Identity-Based Encryption (LR-IBE) systems from static assumptions in the standard model, and derives these schemes by applying a hash proof technique from Alwen et.al. (Eurocrypt '10) to variants of the existing IBE schemes of Boneh-Boyen, Waters, and Lewko-Waters.
Book ChapterDOI
Achieving leakage resilience through dual system encryption
TL;DR: In this paper, the authors show that strong leakage resilience for cryptosystems with advanced functionalities can be obtained quite naturally within the methodology of dual system encryption, recently introduced by Waters.
References
More filters
Book ChapterDOI
Differential Power Analysis
TL;DR: In this paper, the authors examine specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. And they also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
Proceedings ArticleDOI
Random oracles are practical: a paradigm for designing efficient protocols
Mihir Bellare,Phillip Rogaway +1 more
TL;DR: It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Book ChapterDOI
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
TL;DR: By carefully measuring the amount of time required to perform private key operalions, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
Journal ArticleDOI
How to construct random functions
TL;DR: In this paper, a constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented, which is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to computable functions.