Authenticated Ciphers and Resistance against Side-Channel Attacks – BRUTUS

Symmetric cryptosystems are widely used because they are the only ones that can achieve some major functionalities such as high-speed or low-cost encryption, fast message authentication, and efficient hashing. Today, symmetric algorithms are used in mobile phones, in credit cards, in WLAN connections, and symmetric cryptology is a very active research area. These cryptosystems rely on the use of cryptographic primitives, such as block ciphers, stream ciphers and hash functions. The design of secure and efficient block ciphers is partly believed to be well understood: ciphers designed more than a decade ago still withstand any cryptanalytic attempt in traditional security settings. The Advanced Encryption Standard (AES), which is the most widely deployed symmetric primitive, is a good example of such a cipher. Its resistance to well-known statistical attacks has been proved, and it can be implemented efficiently enough for a wide variety of use cases.

However, the design of block ciphers is limited to the definition of a keyed permutation. In traditional security settings, the security of such a primitive can be informally defined as the impossibility to distinguish the outputs of such a function from random strings. This leaves several problems open when it comes to building a full cryptosystem. In many new applications, cryptography is used in a context where adversaries have access to so-called side-channel information, which is not covered by traditional security analyses. For instance, an implementation of a pay-per-view TV system must be secure against an adversary with physical access to the device. She can measure some physical quantities during the cryptographic computation and use this information to recover the key (side-channel attack). If she has full access to the device, she might even be able to read the memory and extract any secret keys. In such a context, it appears that many implementations of block ciphers are vulnerable to practical attacks: for example, a cache-timing attack has been shown against the OpenSSL table-based AES implementation. Another property of block ciphers is that their scope is limited to the mathematical definition of a keyed permutation. They are often used to protect the confidentiality or the integrity of data, but they have to be composed with an appropriate mode of operation. Nowadays, most applications that require data confidentiality also have to ensure its authenticity, leading to a strong need for a mode of operation combining these two properties. However, it appears that the most widely used mechanism for authenticated encryption, AES-GCM, is not very efficient for high speed networks. Also, the security of the GCM mode collapses when an IV is reused, or when it is used to encrypt too long messages. An international competition named CAESAR, partly supported by the NIST, has been launched in order to define some new authenticated encryption schemes. It has led to the definition of innovative mechanism, which security still needs to be assessed.

The Brutus project aims at investigating the security of authenticated encryption systems. We aim to evaluate carefully the security of the most promising candidates, by trying to attack the underlying primitives or to build security proofs of modes of operation. We target the traditional black-box setting, but also more "hostile" environments, including the hardware platforms where some side-channel information is available. We also aim at quantifying the impact of not respecting implementation hypotheses such as not reusing a nonce. Finally, a more constructive goal of the Brutus project will be to advise solutions in each of these scenarios, including the choice of a cryptosystem and implementation aspects. This constructive task will be extended to the field of white box cryptography, which aims at hiding the key even if the full implementation is available, including any secret data.