nach oben

Journal of Cryptology

Erschienen in:

01.07.2016

Leakage-Resilient Cryptography from Minimal Assumptions

verfasst von: Carmit Hazay, Adriana López-Alt, Hoeteck Wee, Daniel Wichs

Erschienen in: Journal of Cryptology | Ausgabe 3/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We present new constructions of leakage-resilient cryptosystems, which remain provably secure even if the attacker learns some arbitrary partial information about their internal secret-key. For any polynomial $\ell $, we can instantiate these schemes so as to tolerate up to $\ell $ bits of leakage. While there has been much prior work constructing such leakage-resilient cryptosystems under concrete number-theoretic and algebraic assumptions, we present the first schemes under general and minimal assumptions. In particular, we construct:

Leakage-resilient public-key encryption from any standard public-key encryption.
Leakage-resilient weak pseudorandom functions, symmetric-key encryption, and message-authentication codes from any one-way function.

These are the first constructions of leakage-resilient symmetric-key primitives that do not rely on public-key assumptions. We also get the first constructions of leakage-resilient public-key encryption from “search assumptions,” such as the hardness of factoring or CDH. Although our schemes can tolerate arbitrarily large amounts of leakage, the tolerated rate of leakage (defined as the ratio of leakage amount to key size) is rather poor in comparison with prior results under specific assumptions. As a building block of independent interest, we study a notion of weak hash-proof systems in the public-key and symmetric-key settings. While these inherit some of the interesting security properties of standard hash-proof systems, we can instantiate them under general assumptions.

Vorheriger Artikel An Optimally Fair Coin Toss

Nächster Artikel Garbling XOR Gates “For Free” in the Standard Model

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

This simple argument works for “unpredictability” applications such as signatures. A more subtle argument also works for many “indistinguishability” applications, including public-key encryption, weak PRFs and symmetric-key CPA encryption (but not, e.g., one-time encryption). See [23] for a general treatment of this question.

This weaker variant of HPS was discussed implicitly but not defined formally in [42]. The work of [2] explicitly defined a notion of “identity-based HPS” which corresponds to an extension of our notion of wHPS to the identity-based setting. In both works, the distinction between the “weak” and “full” notions of HPS was not considered important beyond simplifying exposition, and all of the given instantiations in these works even achieve the “full” notion. In other words, although these works notice that weak HPS is sufficient, they do not get any extra benefits from this observation.

We insist on a circuit representation to ensure that a poly-time attacker can only query poly-sized circuits, meaning that the leakage is poly-time computable.

We can set $\mathcal {M}= \{0,1\}^{\lceil \log (m)\rceil }$ and naturally interpret it as containing $\mathbb {Z}_m$.

Without loss of generality, we can also assume that the attacker only makes a single call to the leakage oracle $\mathcal {O}^{\ell }_{K}(\cdot )$ after making all of its calls to the wPRF oracle $F_K(\$)$.

If $m$ is a power of 2, then we can just identify the elements of $\mathbb {Z}_m$ with those of $\{0,1\}^{\log (m)}$ in a natural way. Therefore, the existence of such wPRFs does not require any special assumptions.

Since we cannot efficiently measure the amount of “leakiness” of a function, the leakage oracle cannot efficiently verify the above condition. Instead, we simply insist that the attacker satisfies this condition and is agnostic to how this is ensured. In other words, we quantify over all attackers that satisfy the above condition.

Although that work does not use the term “weak” HPS, the abstraction there matches the natural extension of our notion of wHPS to the identity-based setting.

D. Agrawal, B. Archambeault, J.R. Rao, P. Rohatgi, The EM side-channel(s). in B.S. Kaliski Jr., Ç.K. Koç, C. Paar, editors, CHES, Lecture Notes in Computer Science, vol. 2523 (Springer, Berlin) pp. 29–45, August 13–15 2002

J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Walfish, D. Wichs, Public-key encryption in the bounded-retrieval model. in H. Gilbert, editor, Advances in Cryptology—EUROCRYPT 2010, Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 113–134

J. Alwen, Y. Dodis, D. Wichs, Leakage-resilient public-key cryptography in the bounded-retrieval model. in Advances in Cryptology (CRYPTO) 2009, 29th Annual International Cryptology Conference (Santa Barbara, CA, 2009), pp. 36–54

A. Akavia, S. Goldwasser, V. Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks. in O. Reingold, editor, Sixth Theory of Cryptography Conference—TCC 2007, Lecture Notes in Computer Science, vol. 5444 (Springer, Berlin, 2009)

N. Bitansky, R. Canetti, S. Halevi, Leakage-tolerant interactive protocols. in 9th Theory of Cryptography Conference (TCC) (Taormina, Sicily, 2012), pp. 266–284

H. Bar-El, Known attacks against smartcards, 2003. Last accessed: August 26, 2009. http://www.hbarel.com/publications/Known_Attacks_Against_Smartcards.pdf

Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability—(or: Quadratic residuosity strikes back). in T. Rabin, editor, CRYPTO, Lecture Notes in Computer Science, vol. 6223 (Springer, Berlin, 2010), pp. 1–20

M. Braverman, A. Hassidim, Y.T. Kalai, Leaky pseudo-entropy functions. in B. Chazelle, editor, ICS, (Tsinghua University Press, 2011), pp. 353–366

Z. Brakerski, Y.T. Kalai, A parallel repetition theorem for leakage resilience. in Cramer [15], pp. 248–265

10.

Z. Brakerski, J. Katz, Y. Kalai, V. Vaikuntanathan, Overcoming the hole in the bucket: Public-key cryptography against resilient to continual memory leakage. in FOCS [36], pp. 501–510

11.

E. Boyle, G. Segev, D. Wichs, Fully leakage-resilient signatures. in K.G. Paterson editor, EUROCRYPT, Lecture Notes in Computer Science, vol. 6632 (Springer, Berlin, 2011), pp. 89–108

12.

D. Cash, Y.Z. Ding, Y. Dodis, W. Lee, R.J. Lipton, S. Walfish, Intrusion-resilient key exchange in the bounded retrieval model. in S.P. Vadhan, editor, TCC, Lecture Notes in Computer Science, vol. 4392 (Springer, Berlin, 2007), pp. 479–498

13.

S.S.M. Chow, Y. Dodis, Y. Rouselakis, B. Waters, Practical leakage-resilient identity-based encryption from simple assumptions. in E. Al-Shaer, A.D. Keromytis, V. Shmatikov, editors, ACM Conference on Computer and Communications Security, (ACM, 2010), pp. 152–161

14.

R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. in L. Knudsen, editor, Advances in Cryptology—EUROCRYPT 2002, LNCS, vol. 2332 (Springer, Berlin) pp. 45–64, 28 April–2 May 2002

15.

G. Di Crescenzo, R. J. Lipton, S. Walfish, Perfectly secure password protocols in the bounded retrieval model. in Third Theory of Cryptography Conference (TCC) (New York, NY, 2006), pp. 225–244

16.

Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs, Cryptography against continuous memory attacks. in 51th Annual (IEEE) Symposium on Foundations of Computer Science (FOCS) (Las Vegas, NV, 2010), pp. 511–520

17.

Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs, Efficient public-key cryptography in the presence of key leakage. in M. Abe, editor, ASIACRYPT, Lecture Notes in Computer Science, vol. 6477 (Springer, Berlin, 2010), pp. 613–631

18.

Y. Dodis, E. Kiltz, K. Pietrzak, D. Wichs, Message authentication, revisited. in D. Pointcheval, T. Johansson, editor EUROCRYPT, Lecture Notes in Computer Science, vol. 7237, (Springer, Berlin 2012), pp. 355–374

19.

Y. Dodis, A.B. Lewko, B. Waters, D. Wichs, Storing secrets on continually leaky devices. in R. Ostrovsky, editor, FOCS, (IEEE, 2011), pp. 688–697

20.

I. Damgård, J.B. Nielsen, Improved non-committing encryption schemes based on a general complexity assumption. in M. Bellare, editor, CRYPTO, Lecture Notes in Computer Science, vol. 1880 (Springer, Berlin, 2000), pp. 432–450

21.

Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1):97–139 (2008)

22.

S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography. in 49th Symposium on Foundations of Computer Science, Philadelphia, PA, USA (IEEE Computer Society) pp. 293–302, 25–28 October 2008

23.

Y. Dodis, Y. Yu, Overcoming weak expectations. in ITW, 2012. http://www.cs.nyu.edu/dodis/ps/weak-expe.pdf

24.

S. Dziembowski, Intrusion-resilience via the bounded-storage model. in Third Theory of Cryptography Conference (TCC) (New York, NY, 2006), pp. 207–224

25.

S. Dziembowski, Intrusion-resilience via the bounded-storage model. in Halevi and Rabin [34], pp. 207–224

26.

ECRYPT, Side channel cryptanalysis lounge. Last accessed: May 1, 2011. http://www.emsec.rub.de/research/projects/sclounge/

27.

O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. Journal of the ACM, 33(4):792–807, October 1986

28.

S. Goldwasser, Y.T. Kalai, C. Peikert, V. Vaikuntanathan, Robustness of the learning with errors assumption. in A.C.-C. Yao editor, ICS, (Tsinghua University Press, 2010), pp. 230–240

29.

S. Goldwasser, G.N. Rothblum, How to compute in the presence of leakage. Electronic Colloquium on Computational Complexity (ECCC), 19:10, 2012

30.

J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, Construction of pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999

31.

S. Halevi, H. Lin, After-the-fact leakage in public-key encryption. in 8th Theory of Cryptography Conference (TCC) (Providence, RI, 2011), pp. 107–124

32.

J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, J. Appelbaum, E.W. Felten, Lest we remember: Cold-boot attacks on encryption keys. Commun. ACM, 52(5):91–98, 2009

33.

Y. Ishai, A. Sahai, D. Wagner, Private circuits: Securing hardware against probing attacks. in D. Boneh, editor, Advances in Cryptology—CRYPTO 2003, LNCS, vol. 2729 (Springer, Berlin, 2003)

34.

A. Jain, S. Garg, A. Sahai, Leakage-resilient zero knowledge. in Advances in Cryptology–CRYPTO 2011, 31st Annual Cryptology Conference (Santa Barbara, CA, 2011), pp. 297–315

35.

A. Jain, K. Pietrzak, Parallel repetition for leakage resilience amplification revisited. in 8th Theory of Cryptography Conference (TCC) (Providence, RI, 2011), pp. 58–69

36.

P. Kocher, J. Jaffe, B. Jun, Differential power analysis. in M. Wiener, editor, Advances in Cryptology—CRYPTO’99, LNCS, vol. 1666, (Springer, Berlin) 15–19 August 1999, pp. 388–397

37.

P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. in N. Koblitz, editor, Advances in Cryptology-CRYPTO 96, LNCS, vol. 1109 (Springer, Berlin) 18–22 August 1996, pp. 104–113

38.

J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience. in M. Matsui, editor, Advances in Cryptology—ASIACRYPT 2009, LNCS (Springer, Berlin, 2009), to appear

39.

A.B. Lewko, M. Lewko, B. Waters, How to leak on key updates. in Proceedings of the 43rd ACM Symposium on Theory of Computing (STOC) (San Jose, CA, 2011), pp. 725–734

40.

A. Lewko, B. Waters, On the insecurity of parallel repetition for leakage resilience. in 51th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (Las Vegas, NV, 2010), pp. 521–530

41.

S. Micali, L. Reyzin, Physically observable cryptography (extended abstract). in M. Naor, editor, First Theory of Cryptography Conference—TCC 2004, LNCS, vol. 2951 (Springer, Berlin), February 19–21 2004, pp. 278–296

42.

M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage. in Halevi [31], pp. 18–35

43.

M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage. SIAM Journal on Computing, 41(4):772–814, 2012. A preliminary version appeared in Advances in Cryptology—CRYPTO’09, pp. 18–35, 2009

44.

N. Nisan, D. Zuckerman, Randomness is linear in space. Journal of Computer and System Sciences, 52(1):43–53, 1996

45.

K. Pietrzak, A leakage-resilient mode of operation. in A. Joux, editor, Advances in Cryptology—EUROCRYPT 2009, LNCS, vol. 5479 (Springer, Berlin, 2009) pp. 462–482

46.

J.-J. Quisquater. F. Koene, Side channel attacks: State of the art, October 2002. http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1047_Side_Channel_report.pdf. Last accessed: August 26, 2009

47.

J.-J. Quisquater, D. Samyde, Electromagnetic analysis (ema): Measures and counter-measures for smart cards. in I. Attali, T.P. Jensen, editors, E-smart, LNCS, vol. 2140 (Springer, Berlin), September 19–21 2001, pp. 200–210

48.

Reliable Computing Laboratory, Boston University. Side channel attacks database. http://www.sidechannelattacks.com. Last accessed: August 26, 2009

49.

F.-X. Standaert, How leaky is an extractor? in M. Abdalla, P.S.L.M. Barreto, editor, LATINCRYPT, Lecture Notes in Computer Science, vol. 6212 (Springer, Berlin, 2010), pp. 294–304

50.

S.P. Vadhan, On constructing locally computable extractors and cryptosystems in the bounded storage model. in D. Boneh, editor, CRYPTO, Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 61–77

Titel: Leakage-Resilient Cryptography from Minimal Assumptions
verfasst von: Carmit Hazay
Adriana López-Alt
Hoeteck Wee
Daniel Wichs
Publikationsdatum: 01.07.2016
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 3/2016
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-015-9200-x

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 3/2016

An Optimally Fair Coin Toss

A Dichotomy for Local Small-Bias Generators

Practical Cryptanalysis of ISO 9796-2 and EMV Signatures

Tightly Secure Signatures From Lossy Identification Schemes

Garbling XOR Gates “For Free” in the Standard Model

Premium Partner