aet lr rate 1 leakage resilient aead based on the romulus
play

AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family - PowerPoint PPT Presentation

Nov 23, 2022 •517 likes •815 views

AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family Extended Abstract Chun Guo, Mustafa Khairallah and Thomas Peyrin Shandong University, Shandong, China 201999900076@sdu.edu.cn Nanyang Technological University, Singapore, Singapore

  1. AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family Extended Abstract Chun Guo, Mustafa Khairallah and Thomas Peyrin Shandong University, Shandong, China 201999900076@sdu.edu.cn Nanyang Technological University, Singapore, Singapore Temasek Laboratories@NTU, Singapore, Singapore mustafam001@e.ntu.edu.sg , thomas.peyrin@ntu.edu.sg October 20, 2020

  2. Outline Background AET-LR Security of AET-LR against Leakage Adversaries INT-RUP (In)security of rate-1 AEAD

  3. Outline Background AET-LR Security of AET-LR against Leakage Adversaries INT-RUP (In)security of rate-1 AEAD

  4. Tweakable-Block Ciphers I Interest in Tweakable Block Ciphers has been rising over the past few years. I Six round 2 candidates use a TBC as their building block: Estate, ForkAE, LOTUS-AEAD and LOCUS-AEAD, Romulus, Skinny-AEAD and Spook. I Some Candidates, e.g. GIFT-COFB, use TBCs as a tool in their analysis.

  5. Leakage Resilience

  6. Leakage Resilience I Encryption Leakage vs. Decryption Leakage. I Challenge leakage. I Leak-free components.

  7. Leakage Resilience from TBCs I Recently, Berti et. al. [BGP + 19] proposed TEDT as a TBC-based mode that is targeted towards leakage resilience. However, it required 4 TBC calls per message block. I Independently, Naito et. al. [NSS20] studied the cost of masking TBCs, showing they exhibit a performance advantage over block ciphers and permutations.

  8. Leakage Resilience Security Targets I Bellizia et. al. [BBC + 20] proposed a group of targets for leakage resilience Ciphertext Integrity (CI) and confidentiality against Chosen Ciphertext Attacks (CCA). I The targets can be classified according to three parameters: nonce, challenge-leakage and decryption-leakage. I Possible combinations of first two parameters: Nonce Respecting (.) Misuse-Resist. (M) Misuse-Resilience (m) Leakage Leak-Free (.) Leakage-Resist. (L) Leakage-Resilience (l) I A suffix 1 is used in the absence of decryption leakage and a suffix 2 is used in the presence of decryption leakage.

  9. Leveled Implementations M, AD K N K K Encryption N KDF TGF T C N

  10. Integrity I Security against CIML2 adversaries is the highest target the designer can hope for in terms of integrity. I Achieving CIML2 security with a leveled implementation is a desirable goal as it reduces the implementation cost significantly. I Modes like TEDT and Spook achieve this goal, with rate 1/4 and 1/2 respectively.

  11. Confidentiality I CCAML2 is impossible to achieve [GPPS19]. I A more relaxed target is CCAmL2 achieved by TEDT. It requires a two-pass mode. I For online modes, CCAmL1 and CCAml1 are more relaxed targets. However, they require decryption to be leak-free. Hence, they are good for modes where encryption is more resource constrained compared to decryption. Both are achieved by Spook.

  12. Outline Background AET-LR Security of AET-LR against Leakage Adversaries INT-RUP (In)security of rate-1 AEAD

  13. AET-LR The philosophy of the design is to maintain the minimum lightweight performance for TBC: 1. Optimal computational efficiency, i.e. rate-1 operation. 2. Minimum state size of a TBC mode, i.e. ( n + t + k )-bit for n -bit block, t -bit tweak and k -bit key TBC. Simultaneously, the design adopts the leveled implementation philosophy, where only the first and last TBC calls need to be heavily protected against physical attacks.

  14. AET-LR 0 t E 0 , 0 � N K ′ K A [1] A [2] A [3] A [4] A [ a − 2] A [ a − 1] pad ( A [ a ]) N n ρ � ρ � ρ � ρ E w A ,a � 0 n E 8 , 1 E 8 , 3 E 8 ,a − 2 S n n K ′ K ′ K ′ K ′ M [1] N M [2] N pad ( M [ m ]) N N n ρ E 4 , 1 � ρ E 4 , 2 � ρ E 4 ,m � E w M ,m � S T K ′ K n n K ′ K ′ n C [1] C [2] C [ m ]

  15. AET-LR I AET-LR can be seen as a slight adaptation of the Romulus-N [IKMP19] AEAD mode. I The main difference with the Romulus-N mode is simply a feed-forward of the message block into the tweak input of the TBC calls.

  16. Outline Background AET-LR Security of AET-LR against Leakage Adversaries INT-RUP (In)security of rate-1 AEAD

  17. CIML2 Security of AET-LR Theorem (CIML2 Security of AET-LR) Assume that E is an ideal cipher with n -bit blocks and 3 n -bit tweakey, then 6( σ priv + p + 1)( σ priv + p ) Adv CIML2 AET − LR E ( σ priv , q d , p ) ≤ . 2 n

  18. INT-RUP Security of AET-LR Theorem (INT-RUP Security of AET-LR) Assume that E is an ideal cipher with n -bit blocks and 3 n -bit tweakey, then 6( σ priv + p + 1)( σ priv + p ) Adv INT - RUP AET − LR E ( σ priv , q d , p ) ≤ . 2 n

  19. CCAml Security of AET-LR The CCAml1 security of AET-LR is studied under the following assumptions: 1. The Key Derivation Function (KDF) and Tag Generation Function (TGF) are leak-free. In practice, they are heavily protected against complex side-channel attacks, such as Differential Power Analysis (DPA). 2. The rest of the encryption operations of the mode leak everything. 3. The decryption operations are leak-free. In practice, they are heavily protected against complex side-channel attacks, such as Differential Power Analysis (DPA).

  20. CCAml Security of AET-LR The security of AET-LR under these assumptions can be reduced to the security of the KDF. Adv CCAml1 AET − LR E ( σ priv , q d , p ) ≤ Adv TPRP ( q e + q d ) + Adv NAE AET − LR E ( σ, q e , q d , p ) E where Adv TPRP ( q e + q d ) refers to the security of the KDF function and E Adv NAE AET − LR E ( σ, q e , q d , p ) refers to the black box security of AET-LR in the nonce-respecting model.

  21. Outline Background AET-LR Security of AET-LR against Leakage Adversaries INT-RUP (In)security of rate-1 AEAD

  22. INT-RUP Insecurity of rate-1 BC-based AEAD In CT-RSA 2016, Chakraborti et. al. [CDN16] presented two results about rate-1 BC-based AEAD: I Any rate-1 BC-based AEAD scheme is INT-RUP insecure. I Any rate-1 BC-based AEAD scheme is not integrity-secure against Nonce-repeating adversaries.

  23. INT-RUP Insecurity of rate-1 BC-based AEAD I Chakraborti et. al. [CDN16] propose a generalization of rate-1 BC-based AEAD modes. I A significant feature is that the key κ [ i ] assigned to a BC call of index i depends on the master key K , nonce N and associated data AD . I If K , N and AD are fixed, then each key κ [ i ] is fixed, irrespective of the plaintext. I In order to, break such relation, κ [ i ] has to depend on the plaintext, which would normally require processing part of the plaintext beforehand. Hence, it would not be a rate-1 mode.

  24. INT-RUP Insecurity of rate-1 BC-based AEAD I The results from Chakraborti et. al. [CDN16] do not apply to AET-LR, as the tweakey at index i can be defined as κ [ i ] = M [ i ] k N k K k D k B where D and B are the counter and domain separation values. I Due to the ability of TBCs to process extra inputs without extra computational costs. I This allows TBC-based modes to break some of the barriers on BC-based modes.

  25. Conclusions I AET-LR (Romulus-LR) provides a safe-guard against some side-channel attacks, achieving integrity with leakage and misuse resistance through CIML2 and confidentiality with misuse and leakage resilience through CCAml1. I Strongest security notions possible (CIML2+CCAmL2) can be achieved using TBCs using TEDT (Romulus-LR-TEDT).

  26. Bibliography I Davide Bellizia, Olivier Bronchain, Ga¨ etan Cassiers, Vincent Grosso, Chun Guo, Charles Momin, Olivier Pereira, Thomas Peters, and Fran¸ cois-Xavier Standaert. Mode-Level vs. Implementation-Level Physical Security in Symmetric Cryptography. In Advances in Cryptology – CRYPTO 2020 , 2020.

  27. Bibliography II Francesco Berti, Chun Guo, Olivier Pereira, Thomas Peters, and Fran¸ cois-Xavier Standaert. TEDT, a Leakage-Resist AEAD Mode for High Physical Security Applications. IACR Transactions on Cryptographic Hardware and Embedded Systems , 2020(1), 2019. Avik Chakraborti, Nilanjan Datta, and Mridul Nandi. INT-RUP Analysis of Block-cipher Based Authenticated Encryption Schemes. In Topics in Cryptology - CT-RSA 2016 , 2016. Chun Guo, Olivier Pereira, Thomas Peters, and Fran¸ cois-Xavier Standaert. Authenticated Encryption with Nonce Misuse and Physical Leakage: Definitions, Separation Results and First Construction. In Progress in Cryptology – LATINCRYPT 2019 , 2019.

  28. Bibliography III Tetsu Iwata, Mustafa Khairallah, Kazuhiko Minematsu, and Thomas Peyrin. Romulus v1. Submission to NIST Lightweight Cryptography Project , 2019. Yusuke Naito, Yu Sasaki, and Takeshi Sugawara. Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation. In Advances in Cryptology – EUROCRYPT 2020 , 2020.

Recommend

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient Cryptography Traditional Cryptography: adv has only black-box access to a cryptosystem I O LR-Cryptography: open the black-box more

279 views • 25 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable Codes Dana Dachman-Soled University of Maryland Joint work with: Mukul Kulkarni and Aria Shahverdi, University of Maryland Talk is also based on

572 views • 35 slides
New Results on Romulus T. Iwata, M. Khairallah, K. Minematsu and T. Peyrin NIST LWC 2020 Virtual

New Results on Romulus T. Iwata, M. Khairallah, K. Minematsu and T. Peyrin NIST LWC 2020 Virtual

New Results on Romulus T. Iwata, M. Khairallah, K. Minematsu and T. Peyrin NIST LWC 2020 Virtual - October 19, 2020 s : nonce-respecting s : BBB nonce-respecting AEAD A [1] A [2] A [3] A [4] A [ a

275 views • 25 slides
Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann Groschdl 3 , Zhe Liu 3 , Praveen K. Vadnala 3 , Srinivas Vivek 3 1 CNRS/Loria, France 2 SCYTL Secure Electronic Voting, Spain 3 University of

712 views • 33 slides
Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient in the random oracle

668 views • 27 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 51 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.2k views • 104 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 55 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.29k views • 116 slides
Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan Dziembowski, Tomasz Kazana, Micha Zaj c , Maciej Zdanowicz Estonian Computer Science Theory Days Jekla 2-4.10.2015 Computers can be

542 views • 32 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April 20th, 2018 1 / 41 Yu Chen 1 Baodong Qin 2 Haiyang Xue 1 1 SKLOIS, IIE, Chinese Academy of Sciences 2 Xian University of Posts and Telecommunication

1.92k views • 115 slides
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of Science Israel Foundations of Cryptography Rigorous analysis of the security of cryptographic schemes Adversarial model Notion of security

428 views • 20 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India B. Qin and S. Liu LR-CCA Secure

580 views • 47 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Authenticated Encryption in Practice mcgrew@cisco.com History Interface AEAD in standards

Authenticated Encryption in Practice mcgrew@cisco.com History Interface AEAD in standards

History Interface AEAD in standards AEAD in security architectures Desiderata Conclusions Authenticated Encryption in Practice mcgrew@cisco.com History Interface AEAD in standards AEAD in security architectures Desiderata Conclusions

959 views • 50 slides
Investigation of the Fatigue Cracking and Leakage Rate potential of U-Bend Tube Bundles subjected

Investigation of the Fatigue Cracking and Leakage Rate potential of U-Bend Tube Bundles subjected

Background Elements of Investigation Numerical Simulations Results Investigation of the Fatigue Cracking and Leakage Rate potential of U-Bend Tube Bundles subjected to Flow-Induced Vibrations University of Guelph Fluid-Structure Interaction

709 views • 57 slides

More recommend