Ciphertext Integrity with Misuse and Leakage: Definition and Efficient Constructions with Symmetric Primitives
| Field | Value |
|---|---|
| Authors | Berti, Francesco; Koeune, François; Pereira, Olivier; Peters, Thomas; Standaert, François-Xavier. 2018 Asia Conference on Computer and Communications Security (AsiaCCS 2018) |
| Contributors | UCL - SST/ICTM/ELEN - Pôle en ingénierie électrique |
| Language | English |
| Year of publication | 2018 |
| Subjects | Authenticated encryption; Encryption; Ciphertext; Computer security; Random oracle; Leakage-resilient cryptography; Misuse resistance; Randomness; Leakage (electronics) |
| Source | AsiaCCS 2018: Proceedings of the 2018 on Asia Conference on Computer and Communications Security (ASIACCS '18) |
| Abstract | Leakage resilience (LR) and misuse resistance (MR) are two important properties for the deployment of authenticated encryption (AE) schemes. They aim at mitigating the impact of implementation flaws due to side-channel leakages and misused randomness. In this paper, we discuss the interactions and incompatibilities between these two properties. We start from the usual definition of MR for AE schemes from Rogaway and Shrimpton, and argue that it may be overly demanding in the presence of leakages. As a result, we turn back to the basic security requirements for AE, ciphertext integrity (INT-CTXT) and CPA security, and propose to focus on a new notion of CIML security, which is an extension of INT-CTXT in the presence of misuse and leakages. We discuss the extent to which CIML security is offered by previous proposals of MR AE schemes, conclude in the negative, and propose two new efficient CIML-secure AE schemes: the DTE scheme offers security in the standard model, while the DCE scheme offers security in the random oracle model but comes with some efficiency benefits. Along the way, we observe that these constructions are not trivial, and show for instance that the composition of an LR MAC and an LR encryption scheme, while providing a (traditional) MR AE scheme, can surprisingly lose the MR property in the presence of leakages and does not achieve CIML security. Finally, we show the LR CPA security of DTE and DCE. |
| Database | OpenAIRE |