Public-Key Cryptosystems Resilient to Key Leakage.

SIAM Journal on Computing (Impact Factor: 0.76). 01/2009; 2009(4):105. DOI: 10.1007/978-3-642-03356-8_2
Source: DBLP

ABSTRACT Most of the work in the analysis of cryptographic schemes is concentrated in abstract ad- versarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the \cold boot attacks" of Halderman et al. (USENIX Security '08), Akavia, Goldwasser and Vaikuntanathan (TCC '09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side- channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev's lattice-based scheme (STOC '05) is resilient to any leakage of L=polylog(L) bits, where L is the length of the secret key. In this paper we revisit the above-mentioned framework and our main results are as follows: † We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as e-cient as the un- derlying hash proof system. Existing constructions of hash proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Di-e-Hellman assumption (and its progressively weaker d-Linear variants), the quadratic residuosity assumption, and Paillier's composite residuosity assumption. † We construct a new hash proof system based on the decisional Di-e-Hellman assumption (and its d-Linear variants), and show that the resulting scheme is resilient to any leakage of L(1¡o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO '08), constructed to be a \circular-secure" encryption scheme, flts our generic approach and is also resilient to any leakage of L(1 ¡ o(1)) bits. † We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 ¡ o(1)) bits. On the practical side, we prove that variants of the Cramer- Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L=4 bits, and CCA2-secure with any leakage of L=6 bits.

  • [Show abstract] [Hide abstract]
    ABSTRACT: A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.
    IET Information Security 01/2014; 9(1). DOI:10.1049/iet-ifs.2013.0173 · 0.63 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: When an adversary can measure the physical memory storing the decryption key, decryption functionality often comes in handy. Halevi and Lin (TCC'11) studied after-the-fact (pr post-challenge) leakage in public-key encryption (PKE), in which an adversary can make leakage queries from a split state after seeing the challenge ciphertext, but left security against chosen-ciphertext attacks (CCA) as a future work. In this paper, we follow their work and formulate the definition of entropic leakage-resilient CCA-secure PKE, which we show can be realized by the Naor-Yung “double encryption” paradigm (STOC'90). We then leverage it to get a CCA-secure key-encapsulation mechanism in the presence of post-challenge leakage, in the same model of bounded memory leakage from a split state. Finally, we prove that the hybrid encryption framework is still applicable by presenting a construction of CCA-secure PKE in the presence of post-challenge leakage. As additional results, we extend these concepts to the identity-based setting, where many identity-based secret-keys can be leaked after the adversary got the challenge, and give a construction of identity-based encryption in the presence of post-challenge leakage in the split-state model, which can be instantiated by the identity-based hash proof systems of Alwen et al. (Eurocrypt'10) and Chow et al. (CCS'10).
    Theoretical Computer Science 01/2015; 572. DOI:10.1016/j.tcs.2015.01.010 · 0.52 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: In order to tolerate possible leakage of secret keys, leakage-resilient cryptosystem models a class of attractive leakage output by allowing an adversary to provide any computable leakage function and learning the partial keys or other possible internal states from the output of function. In this work, we present an adaptively secure broadcast encryption resilient to key continual leakage in the standard model. Our scheme provides the tolerance of continual leakage, in which any user can generate multiple private keys per user by periodically updating the key. We use the dual system encryption mechanism to implement the leakage resilience and adaptive security, and intrinsically set an algorithm to refresh a key and produce a same distributed new key. We also give the evaluation of the leakage bound and leakage fraction, and the simulations show that our scheme can tolerate about 71% leakage fraction with 3.34 × 10−52 failure probability in standard 80-bit security level when we adjust the leakage factor to allow the private key to be 100 Kb.
    Frontiers of Computer Science (print) 06/2014; 8(3):456-468. DOI:10.1007/s11704-014-3271-y · 0.41 Impact Factor

Preview (2 Sources)

Available from