Cryptology ePrint Archive: Report 2011/348
Extractors Against Side-Channel Attacks: Weak or Strong?
Marcel Medwed and Francois-Xavier Standaert
Abstract: Randomness extractors are important tools in cryptography. Their goal is to compress a high-entropy source into a more uniform output. Beyond their theoretical interest, they have recently gained attention because of their use in the design and proof of leakage-resilient primitives, such as stream ciphers and pseudorandom functions. However, for these proofs of leakage resilience to be meaningful in practice, it is important to instantiate and implement the components they are based on. In this context, while numerous works have investigated the implementation properties of block ciphers such as the AES Rijndael, very little is known about the application of side-channel attacks against extractor implementations.
In order to close this gap, this paper instantiates a low-cost hardware extractor and analyzes it both from a performance and from a side-channel security point of view.
Our investigations lead to contrasted conclusions. On the one hand, extractors can be efficiently implemented and protected with masking. On the other hand, they provide adversaries with many more exploitable leakage samples than, e.g. block ciphers. As a result, they can ensure high security margins against standard (non-profiled) side-channel attacks and turn out to be much weaker against profiled attacks. From a methodological point of view, our analysis consequently raises the question of which attack strategies should be considered in security evaluations.
Category / Keywords: implementation / Randomness extractors, Side-channel analysis, Countermeasures
Publication Info: Full version of the paper published at CHES 2011
Date: received 27 Jun 2011, last revised 28 Jul 2011
Contact author: marcel medwed at uclouvain be
Available format(s): PDF | BibTeX Citation
Version: 20110728:072532 (All versions of this report)
Short URL: ia.cr/2011/348
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]