Public-Key Cryptosystems Resilient to Key Leakage.

SIAM Journal on Computing (Impact Factor: 0.8). 01/2009; 2009:105. DOI: 10.1007/978-3-642-03356-8_2
Source: DBLP

ABSTRACT Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the "cold boot attacks" of Halderman et al. (USENIX Security '08), Akavia, Goldwasser and Vaikuntanathan (TCC '09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev's lattice-based scheme (STOC '05) is resilient to any leakage of L/polylog(L) bits, where L is the length of the secret key. In this paper we revisit the above-mentioned framework and our main results are as follows:
• We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying hash proof system. Existing constructions of hash proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker d-Linear variants), the quadratic residuosity assumption, and Paillier's composite residuosity assumption.
• We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its d-Linear variants), and show that the resulting scheme is resilient to any leakage of L(1 - o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO '08), constructed to be a "circular-secure" encryption scheme, fits our generic approach and is also resilient to any leakage of L(1 - o(1)) bits.
• We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 - o(1)) bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.
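The following Python sketch is an added illustration, not code from the paper or its authors. It follows the general shape of a DDH-style hash-proof-system encryption scheme of the kind the abstract refers to: the secret key is a vector of exponents, the public key is its projection h = prod g_i^{x_i}, a ciphertext carries (g_1^r, ..., g_N^r) together with the message masked by an extractor applied to h^r, and decryption recomputes h^r from the secret key alone. Everything concrete here is assumed for the toy: the tiny group parameters P, Q and G, the choice N = 3, SHA-256 standing in for the strong randomness extractor Ext(k; s), and a trapdoor alpha that the real scheme does not have and that is kept only so alternative_key() can show that many secret keys share one public key.

```python
import hashlib
import secrets

# Toy group for illustration only: the subgroup of quadratic residues in Z_P^*,
# which has prime order Q when P = 2Q + 1. These constructed parameters are
# tiny so the example runs instantly; they offer no real security.
P = 2039
Q = 1019
G = 4  # 2^2 mod P is a quadratic residue, so it generates the order-Q subgroup
assert pow(G, Q, P) == 1

N = 3  # number of generators; the secret key is N elements of Z_Q


def setup():
    """Public parameters g_1..g_N. The exponents alpha_i are NOT part of the
    scheme; the toy keeps them only so alternative_key() can demonstrate how
    many secret keys share one public key."""
    alpha = [secrets.randbelow(Q - 1) + 1 for _ in range(N)]
    gens = [pow(G, a, P) for a in alpha]
    return gens, alpha


def project(gens, sk):
    """Projection of the hash proof system: h = prod g_i^{x_i} mod P."""
    h = 1
    for g, x in zip(gens, sk):
        h = h * pow(g, x, P) % P
    return h


def keygen(gens):
    sk = [secrets.randbelow(Q) for _ in range(N)]
    return sk, project(gens, sk)


def extract(k, seed):
    """Stand-in for the strong randomness extractor Ext(k; s) of the paper;
    hashing (seed, k) is used here purely for illustration."""
    return hashlib.sha256(seed + k.to_bytes(2, "big")).digest()[:16]


def encrypt(gens, h, msg, seed):
    """Encrypt up to 16 bytes as (g_1^r, ..., g_N^r, Ext(h^r; s) XOR msg)."""
    r = secrets.randbelow(Q)
    cs = [pow(g, r, P) for g in gens]
    k = pow(h, r, P)  # public evaluation of the projective hash on (c_1..c_N)
    pad = extract(k, seed)
    return cs, bytes(a ^ b for a, b in zip(msg, pad))


def decrypt(sk, ct, seed):
    cs, body = ct
    k = 1
    for c, x in zip(cs, sk):
        k = k * pow(c, x, P) % P  # private evaluation: prod c_i^{x_i} = h^r
    pad = extract(k, seed)
    return bytes(a ^ b for a, b in zip(body, pad))


def alternative_key(alpha, sk):
    """Using the toy trapdoor alpha, construct a different secret key with the
    same public key. The public key fixes only sum_i alpha_i x_i (mod Q), so
    (N-1) log2(Q) bits of the key remain undetermined given pk; that residual
    entropy is what survives bounded leakage and feeds the extractor."""
    target = sum(a * x for a, x in zip(alpha, sk)) % Q
    new = [secrets.randbelow(Q) for _ in range(N - 1)]
    partial = sum(a * x for a, x in zip(alpha[:-1], new)) % Q
    last = (target - partial) * pow(alpha[-1], -1, Q) % Q
    return new + [last]


def demo():
    """Round trip with the real key and with an alternative key for the same pk."""
    gens, alpha = setup()
    sk, h = keygen(gens)
    seed = b"constructed-extractor-seed"  # constructed sample seed
    msg = b"sixteen-byte-msg"             # constructed sample message
    ct = encrypt(gens, h, msg, seed)
    sk2 = alternative_key(alpha, sk)
    return (decrypt(sk, ct, seed) == msg
            and project(gens, sk2) == h
            and decrypt(sk2, ct, seed) == msg)


if __name__ == "__main__":
    print("hash-proof-system toy round trip ok:", demo())
```

The code can only exhibit correctness (both evaluations of the projective hash agree on a well-formed ciphertext) and key multiplicity; the leakage bound itself is a proof statement about the min-entropy of sk given pk and a bounded number of leaked bits, which no test run can demonstrate.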

  • ABSTRACT: Traditional definitions of the security of encryption schemes assume that the messages encrypted are chosen independently of the randomness used by the encryption scheme. Recent works, implicitly by Myers and Shelat (FOCS'09) and Bellare et al (AsiaCrypt'09), and explicitly by Hemmenway and Ostrovsky (ECCC'10), consider randomness-dependent message (RDM) security of encryption schemes, where the message to be encrypted may be selected as a function—referred to as the RDM function—of the randomness used to encrypt this particular message, or other messages, but in a circular way. We carry out a systematic study of this notion. Our main results demonstrate the following:
    · Full RDM security—where the RDM function may be an arbitrary polynomial-size circuit—is not possible.
    · Any secure encryption scheme can be slightly modified, by just performing some pre-processing to the randomness, to satisfy bounded-RDM security, where the RDM function is restricted to be a circuit of a priori bounded polynomial size. The scheme, however, requires the randomness r needed to encrypt a message m to be slightly longer than the length of m (i.e., |r|>|m|+ω(logk), where k is the security parameter).
    · We present a black-box provability barrier to compilations of arbitrary public-key encryption into RDM-secure ones using just pre-processing of the randomness, whenever |m|>|r|+ω(logk). On the other hand, under the DDH assumption, we demonstrate the existence of bounded-RDM secure schemes that can encrypt arbitrarily 'long' messages using 'short' randomness.
    We finally note that the existence of public-key encryption schemes implies the existence of a fully RDM-secure encryption scheme in an 'ultra-weak' Random-Oracle Model—where the security reduction need not 'program' the oracle, or see the queries made by the adversary to the oracle; combined with our impossibility result, this yields the first example of a cryptographic task that has a secure implementation in such a weak Random-Oracle Model, but does not have a secure implementation without random oracles.
    Proceedings of the 10th theory of cryptography conference on Theory of Cryptography; 03/2013
  • ABSTRACT: In this work, we show how to construct IBE schemes that are secure against a bounded number of collusions, starting with underlying PKE schemes which possess linear homomorphisms over their keys. In particular, this enables us to exhibit a new (bounded-collusion) IBE construction based on the quadratic residuosity assumption, without any need to assume the existence of random oracles. The new IBE's public parameters are of size O(tλlogI) where I is the total number of identities which can be supported by the system, t is the number of collusions which the system is secure against, and λ is a security parameter. While the number of collusions is bounded, we note that an exponential number of total identities can be supported. More generally, we give a transformation that takes any PKE satisfying Linear Key Homomorphism, Identity Map Compatibility, and the Linear Hash Proof Property and translates it into an IBE secure against bounded collusions. We demonstrate that these properties are more general than our quadratic residuosity-based scheme by showing how a simple PKE based on the DDH assumption also satisfies these properties.
    Proceedings of the 9th international conference on Theory of Cryptography; 03/2012
  • ABSTRACT: Side-channel attacks are a major issue for implementation of secure cryptographic schemes. Among these, key-leakage attacks describe a scenario in which an adversary is allowed to learn arbitrary information about the private key, the only constraint being the number of bits learned. In this work, we study key-leakage resilience according to the model presented by Akavia, Goldwasser and Vaikuntanathan at TCC '09. As our main contribution, we present a code-based hash proof system; we obtain our construction by relaxing some of the requirements from the original definition of Cramer and Shoup. We then propose a leakage-resilient public-key encryption scheme that makes use of this hash proof system. To do so, we adapt a framework featured in a previous work by Alwen et al. regarding identity-based encryption (EUROCRYPT '10). Our construction features error-correcting codes as a technical tool, and, as opposed to previous work, does not require the use of a randomness extractor.
    Lecture Notes in Computer Science 09/2013; 8128:44-54. · 0.51 Impact Factor
