Paper 2024/1458

Providing Integrity for Authenticated Encryption in the Presence of Joint Faults and Leakage

Francesco Berti, Bar-Ilan University
Itamar Levi, Bar-Ilan University
Abstract

Passive (leakage exploitation) and active (fault injection) physical attacks pose a significant threat to cryptographic schemes. Although leakage-resistant cryptography is well studied, there is little work on mode-level security in the presence of joint faults and leakage exploiting adversaries. In this paper, we focus on integrity for authenticated encryption (AE). First, we point out that there is an inherent attack in the fault-resilience model presented at ToSC 2023. This shows how fragile the freshness condition of a forgery is when faults are injected into either the tag-generation or the encryption algorithm. Therefore, we provide new integrity definitions for AE in the presence of leakage and faults, and we follow the atomic model, in which the scheme is divided into atoms (or components, e.g. a call to a block cipher) and allows the adversary to inject a fault only into the inputs of an atom. We envision this model as a first step for leveled implementations in the faults context: the granularity of atoms can be made finer or coarser (for example, instead of considering a call to a block cipher, we can consider atoms to be rounds of the block cipher). We hold the underlying belief that it would be easier to protect smaller blocks than a full scheme. The proposed model is very flexible and allows us to understand where to apply faults countermeasures (in some very interesting cases this model can reduce faults inside atoms to faults on their outputs, as we discuss). We then show that an AE-scheme using a single call to a highly leakage-protected (and thus very expensive) component, CONCRETE (presented at Africacrypt 2019), maintains integrity in the presence of leakage in both encryption and decryption, and faults only in decryption. On the other hand, a single fault in encryption is enough to forge.
Therefore, we first introduce a weaker definition (which restricts the meaning of freshness), weak integrity, which CONCRETE achieves even if the adversary can introduce faults in the encryption queries (with some restrictions on the number and type of faults). Finally, we provide a variant, CONCRETE2, which is slightly more computationally expensive, but still uses a single call to a strongly protected component that provides integrity in the presence of leakage and faults.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
AE · Fault Injection · Fault-resistance · Integrity · Leakage-resistance · Model-Level Security · Side Channels · SCA
Contact author(s)
francesco berti @ biu ac il
itamar levi @ biu ac il
History
2024-09-21: approved
2024-09-18: received
Short URL
https://ia.cr/2024/1458
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1458,
      author = {Francesco Berti and Itamar Levi},
      title = {Providing Integrity for Authenticated Encryption in the Presence of Joint Faults and Leakage},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1458},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1458}
}