Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks

Yevgeniy Dodis, Krzysztof Pietrzak

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

A cryptographic primitive is leakage-resilient if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side channel as long as the amount of information leaked per invocation is bounded. In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom functions and permutations (i.e. block ciphers). Our results are threefold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakage-resilience where (1) the leakage function is fixed (and not adaptively chosen with each query) and (2) the computation is split into several steps which leak individually (a "step" will be the invocation of the underlying PRF). 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage-resilient PRP. This reduction also holds for the non-adaptive notion just discussed; we thus get a block cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example, we show how to invert an r-round Feistel network over 2n bits making 4·(n+1)^(r-2) forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item, showing that a super-constant number of rounds is necessary.
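Added illustration of the third result (my own reconstruction of an attack of the kind the abstract describes; not the paper's code and not necessarily its exact procedure): a simulated r-round Feistel network over 2n bits with secret random round functions, a forward-query oracle that leaks the Hamming weight of the input to every round function, and an attacker that inverts a chosen output using only such queries. The attacker learns round-function values one point at a time: it steers the network so that the input to f_i is a chosen value a while the other half of the state is 0, so the next half equals f_i(a). For the last two rounds that half is visible in the output; for earlier rounds only its Hamming weight leaks, and flipping one bit of the other half at a time reveals each bit of f_i(a). The random-table round functions, the parameters, the constructed sample plaintext and the memoisation of learned values are assumptions of this demo; the bound 4·(n+1)^(r-2) is the abstract's, and the demo only checks that its own query count stays below it for the parameters tried.

```python
import random


class FeistelOracle:
    """r-round Feistel network over 2n bits whose round functions f_1..f_r are
    secret, uniformly random functions (lazily sampled tables; an assumption of
    this demo).  Every forward query also leaks the Hamming weight of the input
    to each of the r round functions, i.e. HW(R_0), ..., HW(R_{r-1})."""

    def __init__(self, n, r, seed=0):
        assert r >= 2 and n >= 1
        self.n, self.r = n, r
        self.rng = random.Random(seed)
        self.tables = [dict() for _ in range(r)]
        self.queries = 0  # forward queries spent by the attacker

    def f(self, i, x):
        t = self.tables[i - 1]
        if x not in t:
            t[x] = self.rng.getrandbits(self.n)
        return t[x]

    def encrypt(self, L, R):
        """Return ((L_r, R_r), [HW(R_0), ..., HW(R_{r-1})]).
        Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})."""
        hw = []
        for i in range(1, self.r + 1):
            hw.append(bin(R).count("1"))  # leakage: weight of the input to f_i
            L, R = R, L ^ self.f(i, R)
        return (L, R), hw

    def query(self, x):
        self.queries += 1
        return self.encrypt(*x)


class LeakageAttack:
    """Inverts the oracle with forward queries plus Hamming-weight leakage.
    With R_{-1} := L_0, the state after i rounds is (R_{i-1}, R_i) and the
    output is (R_{r-1}, R_r)."""

    def __init__(self, oracle):
        self.o, self.n, self.r = oracle, oracle.n, oracle.r
        self.memo = {}  # (i, a) -> f_i(a), values learned so far

    def learn(self, i, a):
        """Recover f_i(a).  Craft an input with R_{i-2} = 0 and R_{i-1} = a, so
        R_i = f_i(a).  For the last two rounds R_i is visible in the output; for
        earlier rounds only HW(R_i) leaks, so flip one bit of R_{i-2} at a time
        and watch whether the weight drops (bit set) or rises (bit clear)."""
        if (i, a) in self.memo:
            return self.memo[(i, a)]
        out, hw = self.o.query(self.realize(i - 1, 0, a))
        if i == self.r:
            val = out[1]          # R_r = f_r(a)
        elif i == self.r - 1:
            val = out[0]          # L_r = R_{r-1} = f_{r-1}(a)
        else:
            val = 0
            for j in range(self.n):
                _, hw2 = self.o.query(self.realize(i - 1, 1 << j, a))
                if hw2[i] == hw[i] - 1:   # R_i = f_i(a) XOR e_j lost a bit
                    val |= 1 << j
        self.memo[(i, a)] = val
        return val

    def realize(self, i, a, b):
        """Return an input (L_0, R_0) such that (R_{i-1}, R_i) = (a, b)."""
        if i == 0:
            return (a, b)
        # R_i = R_{i-2} XOR f_i(R_{i-1}); with R_{i-1} = a we need R_{i-2} = b XOR f_i(a)
        return self.realize(i - 1, b ^ self.learn(i, a), a)

    def invert(self, y):
        """Preimage of an output y = (L_r, R_r) = (R_{r-1}, R_r)."""
        return self.realize(self.r, y[0], y[1])


def demo(n=8, r=4, seed=1):
    """Invert the image of a constructed sample plaintext; return (preimage, queries)."""
    oracle = FeistelOracle(n, r, seed)
    mask = (1 << n) - 1
    x = (0x3C & mask, 0xA5 & mask)      # constructed sample plaintext (demo only)
    y, _ = oracle.encrypt(*x)
    attack = LeakageAttack(oracle)
    x_found = attack.invert(y)
    assert oracle.encrypt(*x_found)[0] == y   # verification does not count as a query
    return x_found, oracle.queries


if __name__ == "__main__":
    x, q = demo()
    print("preimage", x, "recovered with", q, "forward queries")
```

Controlling the first half of the state costs nothing because L_0 is chosen directly; every further round that has to be steered costs about n+1 queries per round-function value that must be learned, which is where the (n+1)^(r-2) growth comes from once the two output halves are read directly. Memoising learned values keeps the demo far below the abstract's bound for the small parameters used here.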

Original language: English (US)
Title of host publication: Advances in Cryptology - CRYPTO 2010 - 30th Annual Cryptology Conference, Proceedings
Pages: 21-40
Number of pages: 20
Volume: 6223 LNCS
DOIs: https://doi.org/10.1007/978-3-642-14623-7_2
State: Published - 2010
Event: 30th Annual International Cryptology Conference, CRYPTO 2010 - Santa Barbara, CA, United States
Duration: Aug 15 2010 - Aug 19 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6223 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 30th Annual International Cryptology Conference, CRYPTO 2010
Country: United States
City: Santa Barbara, CA
Period: 8/15/10 - 8/19/10


ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

Cite this

Dodis, Y., & Pietrzak, K. (2010). Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks. In Advances in Cryptology - CRYPTO 2010 - 30th Annual Cryptology Conference, Proceedings (Vol. 6223 LNCS, pp. 21-40). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6223 LNCS). https://doi.org/10.1007/978-3-642-14623-7_2

@inproceedings{e2020b7bee8f470c8a0ca7d09c75c635,
title = "Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks",
abstract = "A cryptographic primitive is leakage-resilient, if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded. In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom functions and permutations (i.e. block-ciphers). Our results are three fold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakage-resilience where (1) the leakage function is fixed (and not adaptively chosen with each query.) and (2) the computation is split into several steps which leak individually (a {"}step{"} will be the invocation of the underlying PRF.) 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP. This reduction also holds for the non-adaptive notion just discussed, we thus get a block-cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example we show how to invert an r round Feistel network over 2n bits making 4·(n+1)^(r-2) forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item showing that a super-constant number of rounds is necessary.",
author = "Yevgeniy Dodis and Krzysztof Pietrzak",
year = "2010",
doi = "10.1007/978-3-642-14623-7_2",
language = "English (US)",
isbn = "3642146228",
volume = "6223 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "21--40",
booktitle = "Advances in Cryptology - CRYPTO 2010 - 30th Annual Cryptology Conference, Proceedings",

}

TY - GEN

T1 - Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks

AU - Dodis, Yevgeniy

AU - Pietrzak, Krzysztof

PY - 2010

Y1 - 2010

AB - A cryptographic primitive is leakage-resilient, if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded. In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom functions and permutations (i.e. block-ciphers). Our results are three fold: 1. We construct (from any standard PRF) a PRF which satisfies a relaxed notion of leakage-resilience where (1) the leakage function is fixed (and not adaptively chosen with each query.) and (2) the computation is split into several steps which leak individually (a "step" will be the invocation of the underlying PRF.) 2. We prove that a Feistel network with a super-logarithmic number of rounds, each instantiated with a leakage-resilient PRF, is a leakage resilient PRP. This reduction also holds for the non-adaptive notion just discussed, we thus get a block-cipher which is leakage-resilient (against non-adaptive leakage). 3. We propose generic side-channel attacks against Feistel networks. The attacks are generic in the sense that they work for any round functions (e.g. uniformly random functions) and only require some simple leakage from the inputs to the round functions. For example we show how to invert an r round Feistel network over 2n bits making 4·(n+1)^(r-2) forward queries, if with each query we are also given as leakage the Hamming weight of the inputs to the r round functions. This complements the result from the previous item showing that a super-constant number of rounds is necessary.

UR - http://www.scopus.com/inward/record.url?scp=77956996186&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77956996186&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-14623-7_2

DO - 10.1007/978-3-642-14623-7_2

M3 - Conference contribution

SN - 3642146228

SN - 9783642146220

VL - 6223 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 21

EP - 40

BT - Advances in Cryptology - CRYPTO 2010 - 30th Annual Cryptology Conference, Proceedings

ER -