Full metadata record
DC Field: Value [Language]
dc.contributor.author: Berti, Francesco [en_US]
dc.contributor.author: Bhasin, Shivam [en_US]
dc.contributor.author: Breier, Jakub [en_US]
dc.contributor.author: Hou, Xiaolu [en_US]
dc.contributor.author: Poussier, Romain [en_US]
dc.contributor.author: Standaert, François-Xavier [en_US]
dc.contributor.author: Udvarhelyi, Balasz [en_US]
dc.identifier.citation: Berti, F., Bhasin, S., Breier, J., Hou, X., Poussier, R., Standaert, F. & Udvarhelyi, B. (2021). A finer-grain analysis of the leakage (non) resilience of OCB. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1), 461-481. [en_US]
dc.description.abstract: OCB3 is one of the winners of the CAESAR competition and is among the most popular authenticated encryption schemes. In this paper, we put forward a fine-grain study of its security against side-channel attacks. We start from trivial key recoveries in settings where the mode can be attacked with standard Differential Power Analysis (DPA) against some block cipher calls in its execution (namely, initialization, processing of associated data or last incomplete block, and decryption). These attacks imply that at least these parts must be strongly protected thanks to countermeasures like masking. We next show that if these block cipher calls of the mode are protected, practical attacks on the remaining block cipher calls remain possible. A first option is to mount a DPA with unknown inputs. A more efficient option is to mount a DPA that exploits horizontal relations between consecutive input whitening values. It allows trading a significantly reduced data complexity for a higher key guessing complexity and turns out to be the best attack vector in practical experiments performed against an implementation of OCB3 on an ARM Cortex-M0. Eventually, we consider an implementation where all the block cipher calls are protected. We first show that exploiting the leakage of the whitening values requires mounting a Simple Power Analysis (SPA) against linear operations. We then show that despite being more challenging than when applied to non-linear operations, such an SPA remains feasible against 8-bit implementations, leaving its generalization to larger implementations as an interesting open problem. We last describe how recovering the whitening values can lead to strong attacks against the confidentiality and integrity of OCB3. Thanks to this comprehensive analysis, we draw concrete requirements for side-channel resistant implementations of OCB3. [en_US]
dc.description.sponsorship: National Research Foundation (NRF) [en_US]
dc.relation.ispartof: IACR Transactions on Cryptographic Hardware and Embedded Systems [en_US]
dc.rights: © 2021 Francesco Berti, Shivam Bhasin, Jakub Breier, Xiaolu Hou, Romain Poussier, François-Xavier Standaert, Balasz Udvarhelyi. Licensed under Creative Commons License CC-BY 4.0. [en_US]
dc.subject: Engineering::Computer science and engineering [en_US]
dc.title: A finer-grain analysis of the leakage (non) resilience of OCB [en_US]
dc.type: Journal Article [en]
dc.description.version: Published version [en_US]
dc.subject.keywords: Side-Channel Attacks [en_US]
dc.description.acknowledgement: This work has been funded in parts by the ERC project 724725 (SWORD). The authors acknowledge partial support from the Singapore National Research Foundation (“SOCure” grant NRF2018NCR-NCR002-0001). François-Xavier Standaert is a senior associate researcher of the Belgian Fund for Scientific Research. [en_US]
item.fulltext: With Fulltext
Appears in Collections:TL Journal Articles
Files in This Item:
File: TCHES2022_1_17.pdf; Size: 421.2 kB; Format: Adobe PDF
Updated on Mar 29, 2023
Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.