Abstract
State-of-the-art re-keying schemes can be viewed as a tradeoff between efficient but heuristic solutions based on binary field multiplications, that are only secure if implemented with a sufficient amount of noise, and formal but more expensive solutions based on weak pseudorandom functions, that remain secure if the adversary accesses their output in full. Recent results on “crypto dark matter” (TCC 2018) suggest that low-complexity pseudorandom functions can be obtained by mixing linear functions over different small moduli. In this paper, we conjecture that by mixing some matrix multiplications in a prime field with a physical mapping similar to the leakage functions exploited in side-channel analysis, we can build efficient re-keying schemes based on “crypto-physical dark matter”, that remain secure against an adversary who can access noise-free measurements. We provide first analyzes of the security and implementation properties that such schemes provide. Precisely, we first show that they are more secure than the initial (heuristic) proposal by Medwed et al. (AFRICACRYPT 2010). For example, they can resist attacks put forward by Belaid et al. (ASIACRYPT 2014), satisfy some relevant cryptographic properties and can be connected to a “Learning with Physical Rounding” problem that shares some similarities with standard learning problems. We next show that they are significantly more efficient than the weak pseudorandom function proposed by Dziembowski et al. (CRYPTO 2016), by exhibiting hardware implementation results.
Highlights
Countermeasures like masking [CJRR99, ISW03] are expensive in software [GR17] and hardware [GMK17]. They are error prone due to physical defaults such as glitches [MPG05, NRS08] or transitions [CGP+12, BGG+14], and due to composability issues [CPRR13, BBD+16]. This situation is caused by the complex nature of the block ciphers: while the linear parts of an implementation can be trivially secret-shared with limited complexity overheads, the secure execution of their nonlinear parts typically implies overheads that are quadratic in the number of shares and requires refreshing algorithms that increase their randomness cost
While the Learning With Physical Rounding (LWPR) problem is stated for noise-free leakages, the secure implementation of masking generally requires a certain level of noise
Its main idea is to combine simple computations in a medium size prime field with a physical leakage function that we assume operating in a sufficiently different field. We show that such a combination ensures a number of relevant cryptographic properties for the well known Hamming weight leakage function, and that it leads to excellent performances in hardware, leading to a number of stimulating research challenges that we detail
Summary
We highlight the excellent implementation properties that a re-keying scheme based on such a crypto-physical dark matter enables These properties are due to the fact that contrary to re-keying schemes in the model of Figure 2(c) where the mapping/rounding has to be computed securely (e.g., thanks to masking), the (physical) mapping/rounding we introduce never has to be computed securely in the model of Figure 2(b), since it is performed by a leakage function. As usual when introducing a new cryptographic primitive, our focus in this work is to exhibit relevant security & implementation properties which may open new research directions In this respect, our claim is that the proposed re-keying scheme is at the same time more secure than the one of Medwed et al [MSGR10] under reasonable (e.g., Hamming weight) leakage models and more efficient than the one of Dziembowski et al [DFH+16] thanks to a significantly shorter key. It does not rely on key-homomorphism and rather aims at limiting the manipulation of the long-term key in order to limit the attack vectors to Simple Power Analysis (SPA) attacks
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: IACR Transactions on Cryptographic Hardware and Embedded Systems
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
