TY - JOUR
AU - Guo, Chun
AU - Standaert, François-Xavier
AU - Wang, Weijia
AU - Yu, Yu
PY - 2020/01/31
Y2 - 2024/03/28
TI - Efficient Side-Channel Secure Message Authentication with Better Bounds
JF - IACR Transactions on Symmetric Cryptology
JA - ToSC
VL - 2019
IS - 4
SE - Articles
DO - 10.13154/tosc.v2019.i4.23-53
UR - https://tosc.iacr.org/index.php/ToSC/article/view/8452
SP - 23-53
AB - We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm T = TGen_K(H(M)). When the domain of the MAC function TGen_K is {0, 1}^128, e.g., when instantiated with the AES, forgery is possible within time 2^64 and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) 2^78.3 time complexity, while RHM is provably secure up to 2^121 time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.
ER -