[Cryptography] Power analysis hardening of AES through choice of mode and IV construction

sebastien riou matic at nimp.co.uk
Sat Aug 13 10:37:25 EDT 2022


> Perhaps if we designed a mode with integrated masking???

This is the way to go in my opinion, but not everybody is convinced yet. For
example, in NIST's LWC competition
<https://csrc.nist.gov/Projects/lightweight-cryptography>, the rounds have
been defined as follows:
- round 1: select candidates with sound cryptographic properties (eliminate
the ones with forgeries, for example)
- round 2: select candidates based on performance benchmarks (hardware and
software)
- round 3: select candidates based on performance benchmarks of
implementations protected against side channels
Since an AEAD with built-in protection against side channels is likely to be
much slower than a regular AEAD, such candidates were bound to be eliminated
at round 2.
Nevertheless, two candidates followed that path:
- ISAP
<https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf>:
it performed poorly in the performance benchmark of round 2; nevertheless,
it made it to round 3 because it reuses the primitive of ASCON
<https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf>,
a very efficient but unprotected AEAD, and because it had been pointed out
that it would most likely shine in the performance benchmark of round 3.
- DryGASCON
<https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/drygascon-spec-round2.pdf>:
much better performance than ISAP (and even some unprotected AEADs), but it
was eliminated at round 2. Not sure of the reason, but I think it was the low
number of cryptanalysis papers that caused the elimination. It turned out to
have a set of weak keys which can lead to forgeries, so it is not fit for
deployment as it is, but the principles used against side channel and fault
attacks seem sound.

Why is it so much better than protecting at the implementation level?
- the quality of the implementation depends on the designer
- security against side channels is hard to test
- on ciphers like AES, protection against both side channel and fault
attacks requires a huge overhead in area and performance (something like
10x is common).

Now if you want to stick to AES, I would recommend considering the two
approaches below:
- Attempt to fit AES in the ISAP structure: you would get a protected AEAD
usable for pretty much any AEAD use case, but much slower than any current
AES AEAD.
- ECDH key exchange + SPAE <https://eprint.iacr.org/2019/1007>: you would
get a protected AEAD usable to protect communication use cases, with
performance comparable to OCB. The rationale is that each key is used
exactly once (just one block).

Links:
https://csrc.nist.gov/projects/lightweight-cryptography
https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/ascon-spec-final.pdf
https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/isap-spec-final.pdf
https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/drygascon-spec-round2.pdf
https://eprint.iacr.org/2019/1007

Sebastien