Improved Leakage-Resistant Authenticated Encryption based on Hardware AES Coprocessors

Author(s):  
Olivier Bronchain ◽  
Charles Momin ◽  
Thomas Peters ◽  
François-Xavier Standaert

We revisit Unterstein et al.’s leakage-resilient authenticated encryption scheme from CHES 2020. Its main goal is to enable secure software updates by leveraging unprotected (e.g., AES, SHA256) coprocessors available on low-end microcontrollers. We show that the design of this scheme ignores an important attack vector that can significantly reduce its security claims, and that the evaluation of its leakage-resilient PRF is quite sensitive to minor variations of its measurements, which can easily lead to security overstatements. We then describe and analyze a new mode of operation for which we propose more conservative security parameters and show that it competes with the CHES 2020 one in terms of performance. As an additional bonus, our solution relies only on AES-128 coprocessors, an

Author(s):  
Francesco Berti ◽  
Olivier Pereira ◽  
Thomas Peters ◽  
François-Xavier Standaert

At CCS 2015, Pereira et al. introduced a pragmatic model enabling the study of leakage-resilient symmetric cryptographic primitives based on the minimal use of a leak-free component. This model was recently used to prove the good integrity and confidentiality properties of an authenticated encryption scheme called DTE when the adversary is only given encryption leakages. In this paper, we extend this work by analyzing the case where decryption leakages are also available. We first exhibit attacks exploiting such leakages against the integrity of DTE (and variants) and show how to mitigate them. We then consider message confidentiality in a context where an adversary can observe decryption leakages but not the corresponding messages. The latter is motivated by applications such as secure bootloading and bitstream decryption. We finally formalize the confidentiality requirements that can be achieved in this case and propose a new construction satisfying them, while providing integrity properties with leakage that are as good as those of DTE.


2005 ◽  
Vol 162 (3) ◽  
pp. 1475-1483 ◽  
Author(s):  
Zhang Zhang ◽  
Shunsuke Araki ◽  
Guozhen Xiao

Author(s):  
Kazuhiko Minematsu ◽  
Tetsu Iwata

At CT-RSA 2017, List and Nandi proposed two variable input length pseudorandom functions (VI-PRFs) called PMACx and PMAC2x, and a deterministic authenticated encryption scheme called SIVx. These schemes use a tweakable block cipher (TBC) as the underlying primitive, and are provably secure up to the query complexity of $2^n$, where $n$ denotes the block length of the TBC. In this paper, we falsify the provable security claims by presenting concrete attacks. We show that with the query complexity of $O(2^{n/2})$, i.e., with the birthday complexity, PMACx, PMAC2x, and SIVx are all insecure.

