On Leakage-Resilient Authenticated Encryption with Decryption Leakages

Authors

  • Francesco Berti Université catholique de Louvain (UCLouvain) , Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM) – Crypto Group, B-1348 Louvain-la-Neuve, Belgium
  • Olivier Pereira Université catholique de Louvain (UCLouvain) , Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM) – Crypto Group, B-1348 Louvain-la-Neuve, Belgium
  • Thomas Peters Université catholique de Louvain (UCLouvain) , Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM) – Crypto Group, B-1348 Louvain-la-Neuve, Belgium
  • François-Xavier Standaert Université catholique de Louvain (UCLouvain) , Institute of Information and Communication Technologies, Electronics and Applied Mathematics (ICTEAM) – Crypto Group, B-1348 Louvain-la-Neuve, Belgium

DOI:

https://doi.org/10.13154/tosc.v2017.i3.271-293

Keywords:

Leakage-resilience, authenticated encryption, secure bootloading

Abstract

At CCS 2015, Pereira et al. introduced a pragmatic model enabling the study of leakage-resilient symmetric cryptographic primitives based on the minimal use of a leak-free component. This model was recently used to prove the good integrity and confidentiality properties of an authenticated encryption scheme called DTE when the adversary is only given encryption leakages. In this paper, we extend this work by analyzing the case where decryption leakages are also available. We first exhibit attacks exploiting such leakages against the integrity of DTE (and variants) and show how to mitigate them. We then consider message confidentiality in a context where an adversary can observe decryption leakages but not the corresponding messages. The latter is motivated by applications such as secure bootloading and bitstream decryption. We finally formalize the confidentiality requirements that can be achieved in this case and propose a new construction satisfying them, while providing integrity properties with leakage that are as good as those of DTE.

Published

2017-09-19

Issue

Section

Articles

How to Cite

On Leakage-Resilient Authenticated Encryption with Decryption Leakages. (2017). IACR Transactions on Symmetric Cryptology, 2017(3), 271-293. https://doi.org/10.13154/tosc.v2017.i3.271-293