Abstract
At AFRICACRYPT 2010 and CARDIS 2011, fresh re-keying schemes to counter side-channel and fault attacks were introduced. The idea behind those schemes is to shift the main burden of side-channel protection to a re-keying function g that is easier to protect than the main block cipher. This function produces new session keys based on the secret master key and random nonces for every block of message that is encrypted.

In this paper, we present a generic chosen-plaintext key-recovery attack on both fresh re-keying schemes. The attack is based on two observations: since session key collisions for the same message are easy to detect, it is possible to recover one session key with a simple time-memory trade-off strategy; and if the re-keying function is easy to invert (such as the suggested multiplication constructions), the attacker can use the session key to recover the master key. The attack has a complexity of about 2 · 2^{n/2} (instead of the expected 2^n) for an n-bit key.

For the typically employed block cipher AES-128, this would result in a key-recovery attack complexity of only 2^65. If weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.
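The two observations in the abstract can be exercised end to end on a scaled-down model. The following is an added, constructed example and not code from the paper: it models a fresh re-keying device with a toy 16-bit Feistel cipher in place of AES/PRESENT and uses multiplication modulo the prime 65521 as the re-keying function g (a stand-in for the paper's polynomial-ring multiplication; the invertibility property is the same). The attacker chooses one plaintext, collects 2^{n/2} (nonce, ciphertext) pairs online, then encrypts the same plaintext under guessed session keys offline until a ciphertext collides, and finally inverts g to obtain the master key. All names (`ReKeyedDevice`, `collision_attack`, `run_demo`), the cipher and the parameters are assumptions of this example.

```python
"""Toy fresh re-keying scheme and the generic 2 * 2^(n/2) collision attack.

Constructed example; parameters are deliberately tiny (n = 16-bit keys and
blocks) so the attack finishes in well under a second.
"""
import random

# --- Assumed toy parameters --------------------------------------------------
P = 65521            # largest 16-bit prime; ring used by the re-keying function
N_BITS = 16          # key size n; master and session keys live in [1, P-1]


# --- Toy block cipher: 8-round Feistel, 16-bit block, 16-bit key ------------
# Stand-in for AES/PRESENT. The only property the attack relies on is that a
# fixed plaintext under two distinct keys collides with probability about 2^-n.
def _round_keys(key):
    hi, lo = key >> 8, key & 0xFF
    return [((hi if i & 1 else lo) + 0x3B * (i + 1)) & 0xFF for i in range(8)]


def _f(x, rk):
    x = ((x ^ rk) * 0x9D + 0x53) & 0xFF      # odd multiplier: byte bijection
    x = ((x << 3) | (x >> 5)) & 0xFF         # rotate left by 3
    return (x + rk) & 0xFF


def toy_encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


# --- Fresh re-keying function g(k, r) = k * r in the ring --------------------
def rekey(master_key, nonce):
    return (master_key * nonce) % P


def invert_rekey(session_key, nonce):
    # Multiplication is trivially invertible once one session key is known.
    return (session_key * pow(nonce, -1, P)) % P


class ReKeyedDevice:
    """Device under attack: fresh public nonce and session key per block."""

    def __init__(self, master_key, rng):
        self._k = master_key
        self._rng = rng

    def encrypt(self, block):
        nonce = self._rng.randrange(1, P)    # transmitted with the ciphertext
        return nonce, toy_encrypt(rekey(self._k, nonce), block)


def collision_attack(device, rng, online=2 ** (N_BITS // 2), max_offline=None):
    """Chosen-plaintext master-key recovery via a time-memory trade-off."""
    if max_offline is None:
        max_offline = 16 * online            # failure probability about e^-16
    m = 0x1234                               # attacker's fixed chosen plaintext
    # Online phase: 2^(n/2) encryptions of the same plaintext under fresh keys.
    observed = [device.encrypt(m) for _ in range(online)]
    table = {}
    for nonce, ct in observed:
        table.setdefault(ct, []).append(nonce)
    # Offline phase: guess session keys until a ciphertext collision appears.
    for offline in range(1, max_offline + 1):
        guess = rng.randrange(1, P)
        hits = table.get(toy_encrypt(guess, m))
        if not hits:
            continue
        for nonce in hits:
            cand = invert_rekey(guess, nonce)
            # A ciphertext collision may be accidental: confirm the master-key
            # candidate against every other observation before accepting it.
            if all(toy_encrypt(rekey(cand, r), m) == c for r, c in observed):
                return {"recovered": cand, "online": online, "offline": offline}
    return None


def run_demo(seed=7):
    device_rng, attacker_rng = random.Random(seed), random.Random(seed + 1)
    master_key = device_rng.randrange(1, P)
    device = ReKeyedDevice(master_key, device_rng)
    result = collision_attack(device, attacker_rng) or {}
    return {"master_key": master_key, "recovered": result.get("recovered"),
            "online": result.get("online"), "offline": result.get("offline")}


if __name__ == "__main__":
    print(run_demo())
```

With 2^{n/2} online observations, each offline guess hits a stored session key with probability about 2^{-n/2}, so the expected offline work until the first true collision is again about 2^{n/2}, giving the roughly 2 · 2^{n/2} total the abstract states; the verification step against all observations is what makes accidental ciphertext collisions harmless. Scaling n to 128 turns the same procedure into the 2^65 figure quoted for AES-128, far below the 2^128 a fresh re-keying user might expect.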
Original language | English |
---|---|
Title of host publication | Smart Card Research and Advanced Applications - CARDIS 2014 |
Place of Publication | Cham |
Publisher | Springer |
Pages | 233-244 |
ISBN (Print) | 978-3-319-16762-6 |
DOIs | |
Publication status | Published - 2014 |
Event | 2014 International Conference on Smart Card Research and Advanced Applications: CARDIS 2014 - Paris, France Duration: 5 Nov 2014 → 7 Nov 2014 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 8968 |
Conference
Conference | 2014 International Conference on Smart Card Research and Advanced Applications |
---|---|
Abbreviated title | CARDIS 2014 |
Country/Territory | France |
City | Paris |
Period | 5/11/14 → 7/11/14 |
Fields of Expertise
- Information, Communication & Computing
Treatment code
- Basic - Fundamental research
Title
On the Security of Fresh Re-Keying to Counteract Side-Channel and Fault Attacks
Projects
3 Finished
- FWF - AE - Design and Analysis of Next Generation Authenticated Encryption Algorithms
  Mendel, F., Dobraunig, C. E. & Eichlseder, M.
  1/10/14 → 30/09/17
  Project: Research project
- SCALAS - Secure Contactless Applications based on Leakage-resilient cryptographic Schemes
  Peßl, P. & Mangard, S.
  1/07/14 → 31/12/16
  Project: Research project
- Cryptography
  Schläffer, M., Oswald, M. E., Lipp, P., Dobraunig, C. E., Mendel, F., Eichlseder, M., Nad, T., Posch, R., Lamberger, M., Rijmen, V. & Rechberger, C.
  1/01/95 → 31/01/19
  Project: Research area