Tightening Leakage Resilience of the Suffix Keyed Sponge

Henk Berendsen, Bart Mennink
IACR Transactions on Symmetric Cryptology, Volume 2024, Issue 1, pp. 459–496. Journal article, published 2024-03-01.
DOI: 10.46586/tosc.v2024.i1.459-496 (https://doi.org/10.46586/tosc.v2024.i1.459-496)

Abstract

Lightweight cryptographic constructions are often optimized on multiple aspects that put the security bounds to the limit. In this respect, it is important to obtain security bounds that are tight and give an accurate and exact indication of the generic security. However, whereas for black-box security bounds it has become common practice to argue tightness of security bounds, for leakage resilience security bounds this is not the case. This is unfortunate, as for leakage resilience results, tightness is even more important as there is already a lossiness incurred in capturing the actual leakage by a theoretical model in the first place. In this work, we consider the SuKS (Suffix Keyed Sponge) PRF construction and investigate tightness of the leakage resilience bound of Dobraunig and Mennink (ToSC 2019). We observe that, although their black-box security result is tight, their leakage resilience bound is not tight in their bounded leakage term λ. We observe that this is caused by the fact that parts of the security bound contain a term covering multicollisions and a term covering leakage, but an adversary is unable to combine both. We next consider improved security of the SuKS for two types of leakage: fixed position leakage, where the adversary directly learns the value of λ bits of a secret state, and Hamming weight leakage, where the Hamming weight of a fixed part of the state is leaked. For fixed position leakage, a very generous form of bounded leakage, we improve the original bound by making wise use of the multicollision limit function of Daemen et al. (ASIACRYPT 2017). For the more realistic setting of Hamming weight leakage, we structurally revisit the multicollision limit function analysis by including Hamming weight in the computation, a problem that is difficult on its own due to the non-uniform character of this type of leakage. In both cases, we improve and tighten the leakage resilience bound of Dobraunig and Mennink. The improved bound for the SuKS has immediate consequences for the leakage resilience of the NIST lightweight cryptography competition finalist ISAP v2, an authenticated encryption scheme that uses the SuKS internally.