Common use of Our Contribution Clause in Contracts

Our Contribution. The contributions of this paper are manifold. First, in Sect. 3, we describe a security model for leakage resilient duplexing. To do so, we start from the “ideal equivalent” of the keyed duplex of Daemen et al. [15], called an ideal extendable input function (IXIF), and present an adjusted version, AIXIF. AIXIF is semantically equivalent to the IXIF if there is no leakage, but it allows us to properly model leakage resilience of the keyed duplex. The model of leakage resilience of the duplex is now conceptually simple: as we argue in detail in Sect. 3.4, we consider a scheme leakage resilient if no attacker can distinguish a keyed duplex that leaks for every query from the random AIXIF. Here, we focus on non-adaptive leakage, where the leakage function is fixed in advance, akin to [17, 19, 35, 37, 41]. At this point our approach seems to differ from the typical models: the typical approach is to give a distinguisher access to a leaky version and a leak-free version of the cryptographic construction, and it has to distinguish the latter from a random function. The reason that we adopted a different model is that the duplex is just used as a building block for encryption, authenticated encryption, or other types of functionalities. To prove that the use of a leakage resilient duplex gives rise to a leakage resilient construction with one of the above-mentioned functionalities, the typical approach of giving a distinguisher access to a leaky version and a leak-free version of the cryptographic construction has to be used again, as we will show later.

Second, in Sect. 5, we perform an in-depth and fine-grained analysis of the keyed duplex in the newly developed model. We take inspiration from Daemen et al. [15], who presented a detailed analysis of the keyed duplex in the black-box scenario, but the proof is not quite the same. On the contrary, due to various obstacles, it is not possible to argue similarly to Daemen et al., nor to reduce the leakage resilience of a keyed duplex to its black-box security. Instead, we adopt ideas from the analysis of the NORX authenticated encryption scheme of ▇▇▇▇▇▇▇▇▇ et al. [26], and reason about the security of the keyed duplex in a sequential manner. One of the difficulties then is to determine the amount of min-entropy of a state in the duplex construction, given that the distinguisher may learn leakage from a duplex construction at different points in time. On the way, in Sect. 4 we give a detailed and accessible rationale of how leakage resilience proofs are performed in general and in our case.

Third, in Sect. 6, we interpret our results on the leakage resilience of the keyed duplex in the context of the proposals of Taha and Schaumont [38] and Isap [16]. In a nutshell, these proposals can be seen to consist of a sequential evaluation of two duplex constructions: one that “gains entropy” by absorbing a nonce in small portions at a time, and one that “maintains entropy” in the sense that, after the nonce is absorbed, any state that will be visited by the duplex has high entropy and will be visited only once.

We will then have a closer look at one use case of such a keyed duplex, nonce-based stream encryption, in Sect. 7. We build this scheme using the aforementioned ideas, and prove that it is leakage resilient in the conventional security model. The proof is hybrid and reduces security of the stream cipher to that of the underlying duplex.