Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF [chapter]

Marcel Medwed, François-Xavier Standaert, Ventzislav Nikov, Martin Feldhofer
2016 Lecture Notes in Computer Science  
In this work we present a leakage-resilient PRF which makes use of parallel block cipher implementations with unknown inputs. To the best of our knowledge, this is the first work to study and exploit unknown inputs as a form of key-dependent algorithmic noise. It turns out that such noise renders the problem of side-channel key recovery intractable under very few and easily satisfiable assumptions. That is, the construction stays secure even in a noise-free setting and independently of the number of traces and the power model used. The contributions of this paper are as follows. First, we present a PRF construction which offers attractive security properties, even when instantiated with the AES. Second, we study the effect of unknown-input attacks in parallel implementations. We put forward their intractability and explain it by studying the inevitable model errors obtained when building templates in such a scenario. Third, we compare the security of our construction to the CHES 2012 one and show that it is superior in many ways. That is, a standard block cipher can be used, the security holds for all intermediate variables, and it can even partially tolerate local EM attacks and some typical implementation mistakes or hardware insufficiencies. Finally, we discuss the performance of a standard-cell implementation.

independent and sufficiently noisy [7, 10, 15, 26]. (Note that the condition of independent leakages is typically hard to guarantee, both in software and hardware implementations [2, 8, 17, 18].) Threshold implementations are a specialization of masking that reduces the independence requirement (by ensuring that glitches do not harm the security of the masked implementations) [5, 23], which can also lead to some performance gains with a low number of shares [6, 22]. At CHES 2012, a quite different tradeoff was introduced. Namely, starting from the observation that leakage-resilience via re-keying alone is not sufficient to efficiently protect stateless symmetric cryptographic primitives such as block ciphers (later formalized in [3]), Medwed et al. proposed a tweaked construction of an AES-based leakage-resilient PRF, inspired by more formal works such as [1, 9, 11, 28, 32], which additionally requires that the AES is implemented in parallel and that its S-boxes have similar leakage models [20].
In this respect, and while the parallel implementation setting is easy to guarantee (and can even be emulated thanks to shuffling [14]), the "similar leakage assumption" turned out to be harder to evaluate. Later results showed that, despite not being easy to attack, such a solution may not be best suited to the AES [4].
doi:10.1007/978-3-662-53887-6_22