Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks
Lecture Notes in Computer Science
A cryptographic primitive is leakage-resilient, if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded. In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom
... tions and permutations (i.e. block-ciphers). Our results are three fold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakageresilience where (1) the leakage function is fixed (and not adaptively chosen with each query.) and (2) the computation is split into several steps which leak individually (a "step" will be the invocation of the underlying PRF.) 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP. This reduction also holds for the non-adaptive notion just discussed, we thus get a block-cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example we show how to invert an r round Feistel network over 2n bits making 4 · (n + 1) r−2 forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item showing that a super-constant number of rounds is necessary. 1 If the power-analysis just leaks the number of wires set to 1, then this is captured, but if the power-analysis leaks the number of wires that "switch" from 0 to 1, then this is no longer possible (cf. also Footnote 3 below.) 2 From : Our definitions allow for repeated computation to leak new information each time. However, the case can be made (e.g., due to proper hardware design) that some devices computing a given function f may leak the same information whenever f is evaluated at the same input x. This is actually implied by making the leakage function deterministic and independent of the adversary measurement. Fixed-leakage physically observable cryptography promises to be a very useful restriction of our general model (e.g., because, for memory efficiency, crucial cryptographic quantities are often reconstructed from small seeds, such as in the classical pseudorandom function of  ). 3 From : As a result, there are no variable intermediate values for DPA selections functions to exploit. Because selection functions cannot be applied, DPA-type attacks are no longer applicable. 4 The model considered is basically the random oracle model , but it is conceptually used in a different way. In the RO model, a uniformly random function is accessible to all parties, and security proofs only exploit the fact that a random oracle allows to efficiently access an exponential amount of true randomness. In contrast, in  the security proof exploits the fact that the adversarial leakage functions cannot query the random oracle.