2010 | OriginalPaper | Buchkapitel
Leakage Resilient ElGamal Encryption
verfasst von : Eike Kiltz, Krzysztof Pietrzak
Erschienen in: Advances in Cryptology - ASIACRYPT 2010
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
Blinding is a popular and well-known countermeasure to protect public-key cryptosystems against side-channel attacks. The high level idea is to randomize an exponentiation in order to prevent multiple measurements of the same operation on different data, as such measurements might allow the adversary to learn the secret exponent. Several variants of blinding have been proposed in the literature, using additive or multiplicative secret-sharing to blind either the base or the exponent. These countermeasures usually aim at preventing particular side-channel attacks (mostly power analysis) and come without any formal security guarantee.
In this work we investigate to which extend blinding can provide
provable security
against a
general class
of side-channel attacks. Surprisingly, it turns out that in the context of public-key encryption some blinding techniques are more suited than others. In particular, we consider a
multiplicatively blinded
version of ElGamal public-key encryption where
– we
prove
that the scheme, instantiated over bilinear groups of prime order
p
(where
p
− − 1 is not smooth) is leakage resilient in the generic-group model. Here we consider the model of
chosen-ciphertext security
in the presence of
continuous leakage
, i.e., the scheme remains chosen-ciphertext secure even if with
every
decryption query the adversary can learn a bounded amount (roughly log(
p
)/2 bits) of arbitrary, adversarially chosen information about the computation.
– we
conjecture
that the scheme, instantiated over arbitrary groups of prime order
p
(where
p
− − 1 is not smooth) is leakage resilient.
Previous to this work no encryption scheme secure against continuous leakage was known. Constructing a scheme that can be
proven
secure in the
standard model
remains an interesting open problem.