    Adaptive chosen all inputs model for analyzing key derivation functions against bit-flip and timing side-channel attacks

    Cryptographic keys are vital to secure communication and secure electronic transactions. A Key Derivation Function (KDF) generates these keys from a private string, a salt and context information. The salt is a random string, while the context information is application-specific data such as the identities of the communicating parties. Because of the KDF's importance, its design must withstand every type of attack. Five security models are currently used to analyse the security of KDF proposals, but none of them covers analysis against bit-flipping attacks or timing side-channel attacks. This research therefore proposes a new security model, the Adaptive Chosen All Inputs Model (ACAM), for analysing the security of KDF proposals against these attacks. It proves the implication and non-implication relationships between the ACAM and the existing Adaptive Chosen Public Inputs Model with Multiple Salts (CPM). Applying the ACAM, only the stream-cipher-based KDF is found to be vulnerable to the bit-flipping attack, whereas all existing KDFs are vulnerable to the timing side-channel attack. Finally, the research carries out a practical timing side-channel attack on KDFs built from hash functions, stream ciphers and block ciphers. Different KDF constructions produce different timing variations, and these variations can reveal the length of the private string and the type of cryptographic primitive used to build the KDF. The research therefore proposes a randomised-timing countermeasure for KDFs based on a random 'for' loop. The countermeasure protects the security of the KDFs but reduces their performance.
The ACAM security model benefits security researchers as a benchmark for determining whether a KDF design has security weaknesses with respect to bit-flipping and timing side-channel attacks.
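The abstract's central observation, that a KDF's running time can leak the length of the private string, is easy to make concrete for an HMAC-based construction. The following is an added example, not code from the thesis and not its random-loop countermeasure: it models the work HKDF-Extract does as a count of SHA-256 compression-function calls (an assumption of this example, which captures only the length-dependent part of the timing), shows that this count grows with the secret's length, and then shows one alternative mitigation, a fixed-length, length-prefixed encoding of the secret under an assumed bound MAX_SECRET, that makes the count constant. Salt values and lengths used below are constructed sample inputs.

```python
"""Length-dependent timing in an HMAC-based KDF and a fixed-length encoding that removes it.
Added example; not the paper's code. The cost model, MAX_SECRET and the length-prefix
padding are this example's own assumptions."""
import hashlib
import hmac
import struct
import time
from statistics import median

BLOCK = 64    # SHA-256 input block size in bytes
DIGEST = 32   # SHA-256 output size in bytes


def sha256_compressions(msg_len):
    """Compression-function calls SHA-256 makes on msg_len bytes: Merkle-Damgard padding
    appends 0x80 and an 8-byte bit length, then the total is rounded up to whole blocks."""
    return (msg_len + 1 + 8 + BLOCK - 1) // BLOCK


def hmac_compressions(key_len, msg_len):
    """Calls for HMAC-SHA256(key, msg) per RFC 2104: a key longer than one block is hashed
    first; inner hash = (key^ipad) block + msg; outer hash = (key^opad) block + inner digest."""
    pre = sha256_compressions(key_len) if key_len > BLOCK else 0
    return pre + sha256_compressions(BLOCK + msg_len) + sha256_compressions(BLOCK + DIGEST)


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM). The private string IKM is the HMAC
    message, so the number of compression calls, and with it the running time, grows
    with the secret's length."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_extract_cost(salt_len, ikm_len):
    """Compression calls hkdf_extract performs for the given input lengths."""
    return hmac_compressions(salt_len, ikm_len)


MAX_SECRET = 1024   # assumed upper bound on the private string's length


def pad_secret(ikm):
    """4-byte big-endian length || IKM || zero fill, always MAX_SECRET + 4 bytes long.
    The length prefix keeps the encoding injective: b'abc' and b'abc' followed by a
    zero byte encode differently, so distinct secrets still give distinct PRKs."""
    if len(ikm) > MAX_SECRET:
        raise ValueError("private string longer than MAX_SECRET")
    return struct.pack(">I", len(ikm)) + ikm + bytes(MAX_SECRET - len(ikm))


def hkdf_extract_fixed(salt, ikm):
    """Same extraction over the fixed-length encoding: the compression count no longer
    depends on len(ikm), so the length-dependent part of the timing disappears."""
    return hmac.new(salt, pad_secret(ikm), hashlib.sha256).digest()


def hkdf_extract_fixed_cost(salt_len, ikm_len):
    """Compression calls hkdf_extract_fixed performs; constant for every admissible length."""
    pad_secret(bytes(ikm_len))   # raises for out-of-range lengths, as the real call would
    return hmac_compressions(salt_len, MAX_SECRET + 4)


def median_ns(fn, salt, ikm, reps=3000):
    """Rough wall-clock check of the model. Noisy; rely on the compression counts for decisions."""
    samples = []
    for _ in range(reps):
        t0 = time.perf_counter_ns()
        fn(salt, ikm)
        samples.append(time.perf_counter_ns() - t0)
    return median(samples)


if __name__ == "__main__":
    salt = bytes(32)   # constructed sample salt
    print("len  cost  fixed_cost  ns  fixed_ns")
    for n in (8, 200, 900):
        secret = bytes(n)   # constructed sample private string of length n
        print(n, hkdf_extract_cost(32, n), hkdf_extract_fixed_cost(32, n),
              median_ns(hkdf_extract, salt, secret), median_ns(hkdf_extract_fixed, salt, secret))
```

The padded variant pays the cost of a MAX_SECRET-byte message on every call, which is the same kind of performance trade the abstract reports for its random-loop countermeasure. It only addresses the length channel: the abstract also finds that timing distinguishes the underlying primitive (hash, stream cipher, block cipher), and that is not changed by padding the input.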

    Computationally Data-Independent Memory Hard Functions

    Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input, e.g., a password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at most O((N^2 log log N)/log N). By contrast, the dMHF scrypt achieves maximal CMC Ω(N^2), though the CMC of scrypt would be reduced to just O(N) after a side-channel attack. In this paper, we introduce the notion of computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that the memory access pattern induced by the (randomized) ciMHF evaluation algorithm appears to be independent of the input from the standpoint of a computationally bounded eavesdropping attacker, even if the attacker selects the initial input. We then ask whether it is possible to circumvent the known upper bound for iMHFs and build a ciMHF with CMC Ω(N^2). Surprisingly, we answer the question in the affirmative when the ciMHF evaluation algorithm is executed on a two-tiered memory architecture (RAM/Cache). We introduce the notion of a k-restricted dynamic graph to quantify the continuum between unrestricted dMHFs (k=n) and iMHFs (k=1). For any ε > 0 we show how to construct a k-restricted dynamic graph with k=Ω(N^(1-ε)) that provably achieves maximum cumulative pebbling cost Ω(N^2).
We can use k-restricted dynamic graphs to build a ciMHF provided that the cache is large enough to hold k hash outputs and the dynamic graph satisfies a certain property that we call "amenable to shuffling". In particular, we prove that the induced memory access pattern is indistinguishable to a polynomial time attacker who can monitor the locations of read/write requests to RAM, but not cache. We also show that when k=o(N^(1/log log N)) then any k-restricted graph with constant indegree has cumulative pebbling cost o(N^2). Our results almost completely characterize the spectrum of k-restricted dynamic graphs.
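The dMHF/iMHF distinction the abstract draws, and why a leaked access pattern helps a brute-force attacker against scrypt, can be shown with a toy version of scrypt's ROMix. The code below is an added example, not the paper's code or a real scrypt: SHA-256 stands in for BlockMix, N is tiny, the bit-reversal schedule of the data-independent variant is this example's own choice, and the passwords are constructed inputs. It records the index read at each step of the second phase and shows that the trace depends on the secret for the ROMix-style function but not for the data-independent one; it then shows the cheap rejection test a trace gives an attacker, which needs no table in memory at all, which is the kind of drop from quadratic to linear cumulative memory cost the abstract refers to.

```python
"""Toy scrypt-style dMHF vs a data-independent variant, and what a leaked read trace
buys a brute-force attacker. Added example, not code from the paper; the hash, N, and
the bit-reversal schedule are this example's own choices."""
import hashlib


def H(x):
    """Stand-in for scrypt's BlockMix: one SHA-256 call."""
    return hashlib.sha256(x).digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def fill(x, n):
    """Phase 1, shared by both functions: V[i] = H^i(x); returns V and the chain end H^n(x)."""
    v = []
    for _ in range(n):
        v.append(x)
        x = H(x)
    return v, x


def romix(secret, n):
    """dMHF in the style of scrypt's ROMix (RFC 7914, section 5): the index read at each
    phase-2 step is taken from the current state, which depends on the secret.
    Returns (output, list of indices read)."""
    v, x = fill(H(secret), n)
    trace = []
    for _ in range(n):
        j = int.from_bytes(x[:8], "little") % n   # data-dependent read
        trace.append(j)
        x = H(xor(x, v[j]))
    return x, trace


def bit_reverse(i, bits):
    return int(f"{i:0{bits}b}"[::-1], 2)


def imhf(secret, n):
    """Data-independent variant: same two phases, but the read index is a fixed, public
    function of the step counter (bit reversal here), so every secret yields the same
    trace. n must be a power of two."""
    if n & (n - 1):
        raise ValueError("n must be a power of two")
    v, x = fill(H(secret), n)
    trace = []
    for i in range(n):
        j = bit_reverse(i, n.bit_length() - 1)    # data-independent read
        trace.append(j)
        x = H(xor(x, v[j]))
    return x, trace


def romix_first_index(secret, n):
    """Attacker's cheap test. The first phase-2 index depends only on H^n(H(secret)),
    which is computable with O(1) memory: no table V is needed. A guess whose first
    index disagrees with the leaked trace is wrong and is rejected after n hashes at
    constant memory, i.e. cumulative memory cost O(n) instead of the honest ~n^2."""
    x = H(secret)
    for _ in range(n):
        x = H(x)
    return int.from_bytes(x[:8], "little") % n


def survives_trace_filter(guess, leaked_trace, n):
    """True if the guess is consistent with the first leaked read; roughly 1/n of wrong
    guesses survive by chance and need further checking."""
    return romix_first_index(guess, n) == leaked_trace[0]


if __name__ == "__main__":
    N = 16
    _, leaked = romix(b"hunter2", N)               # trace of the honest evaluation
    print("romix trace:", leaked)
    print("imhf trace  :", imhf(b"hunter2", N)[1], "== for any secret:",
          imhf(b"hunter2", N)[1] == imhf(b"other", N)[1])
    guesses = [b"hunter2"] + [b"guess%d" % i for i in range(32)]
    kept = [g for g in guesses if survives_trace_filter(g, leaked, N)]
    print("guesses surviving the first-read filter:", kept)
```

Extending the filter past the first read means storing the V entries named by the rest of the trace, so memory creeps back up, but the point stands: the honest evaluator must hold N values for N steps, while an attacker with the trace sheds most of that cost on wrong guesses. For the data-independent variant the trace is public anyway and the filter is useless, which is exactly the property ciMHFs aim to keep while still reaching scrypt-level CMC.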