Public-Key Cryptosystems Resilient to Key Leakage

Moni Naor∗

Gil Segev†

Abstract

Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the “cold boot attacks”, Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of L/polylog(L) bits, where L is the length of the secret key.

In this paper we revisit the above-mentioned framework and our main results are as follows:

• We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing constructions of such proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker d-Linear variants), the quadratic residuosity assumption, and Paillier’s composite residuosity assumption.

• We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its d-Linear variants), and show that the resulting scheme is resilient to any leakage of L(1−o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO ’08), constructed to be a “circular-secure” encryption scheme, is resilient to any leakage of L(1−o(1)) bits. These two proposed schemes complement each other in terms of efficiency.

• We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 − o(1)) bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.

∗Incumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il. Research supported in part by a grant from the Israel Science Foundation.

†Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: gil.segev@weizmann.ac.il. Research supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities, and by a grant from the Israel Science Foundation.

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1 Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Paper Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Preliminaries, Assumptions, and Tools . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1 Computational Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Randomness Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Hash Proof Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Defining Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1 Chosen-Plaintext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Chosen-Ciphertext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Weak Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 A Generic Construction from Hash Proof Systems . . . . . . . . . . . . . . . . . . . 11
4.1 The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2 Example: A DDH-Based Instantiation . . . . . . . . . . . . . . . . . . . . . . . . 13

5 Improved Resilience Based on DDH and d-Linear . . . . . . . . . . . . . . . . . . . 14
5.1 Proposal 1: A New Hash Proof System . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2 Proposal 2: The BHHO Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.3 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

6 Protecting Against Chosen-Ciphertext Key-Leakage Attacks . . . . . . . . . . . . . 17
6.1 A Generic Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2 An Efficient CCA1-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6.3 An Efficient CCA2-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 25

7 Protecting Against Weak Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . 30

8 Protecting Against Generalized Forms of Key-Leakage Attacks . . . . . . . . . . . . 32
8.1 Noisy Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
8.2 Leakage of Intermediate Values from the Key-Generation Process . . . . . . . . . 32
8.3 Keys Generated using Weak Random Sources . . . . . . . . . . . . . . . . . . . . 33
8.4 Leakage of Intermediate Values from the Decryption Process . . . . . . . . . . . 34

A The Matrix d-Linear Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37


1 Introduction

Proving the security of a cryptographic scheme consists of two main ingredients: (1) an adversarial model that specifies the adversarial access to the system and the adversary’s computational capabilities, and (2) a notion of security that specifies what it means to “break” the security of the scheme. Whereas notions of security have significantly evolved over the years (following the seminal work of Goldwasser and Micali [18]), the vast majority of cryptographic schemes are analyzed in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit unintended leakage of information which is inherent to almost all physical implementations. Over the years side-channel attacks exposed crucial vulnerabilities of systems that are considered secure in standard adversarial models (see, for example, [3, 5, 30, 31]).

Countermeasures for protecting against side-channel attacks are taken on two complementary levels: the hardware level and the software level. Preventing unintended leakage on the hardware level is typically rather inefficient and expensive, and is even impossible in some cases. It is thus highly desirable to protect, as much as possible, against side-channel attacks on the software level by modeling such attacks using abstract notions of computation.

Physically observable cryptography. In their pioneering work, Micali and Reyzin [35] put forward a powerful and comprehensive framework for modeling security against side-channel attacks. Their framework captures any such attack in which leakage of information occurs as a result of computation. The framework relies on the basic assumption that computation and only computation leaks information, that is, there is no leakage of information in the absence of computation. This assumption has led to the construction of various cryptographic primitives that are robust to “computational” leakage (see, for example, [16, 19, 35, 37, 38]).

Memory-leakage attacks. Recently, Halderman et al. [21] presented a suite of attacks that violate the basic assumption underlying the framework of Micali and Reyzin. Halderman et al. showed that, contrary to popular assumptions, a computer’s memory is not erased when it loses power. They demonstrated that ordinary DRAMs typically lose their contents gradually over a period of seconds, and that residual data can be recovered using simple, non-destructive techniques that require only momentary physical access to the machine. Halderman et al. presented attacks that exploit DRAM remanence effects to recover cryptographic keys held in memory. Specifically, their “cold boot” attacks showed that a significant fraction of the bits of a cryptographic key can be recovered if the key is ever stored in memory. Halderman et al. managed to completely compromise the security of several popular disk encryption systems (including BitLocker, TrueCrypt, and FileVault), and to reconstruct DES, AES, and RSA keys (see also the improved RSA key reconstruction by Heninger and Shacham [23]).

Inspired by the cold boot attacks, Akavia, Goldwasser and Vaikuntanathan [2] formalized a general framework for modeling “memory attacks” in which adversarially chosen functions of the secret key are leaked in an adaptive fashion, with the only restriction that the total amount of leakage is bounded. Akavia et al. showed that the lattice-based public-key encryption scheme of Regev [39] is resilient to such key leakage (to an extent that depends on the amount of leakage) by slightly strengthening the computational assumption that is required by the original scheme.

1.1 Our Contributions

In this work we revisit the framework of key-leakage attacks introduced by Akavia et al. in the setting of public-key encryption. We present a generic construction of a public-key encryption scheme that is resilient to key leakage, and show that the construction can be based on a variety of number-theoretic assumptions (see below). Moreover, we demonstrate that our approach leads to encryption schemes that are both resilient to significantly large amounts of leakage, and that are very efficient and can be used in practice (see, in particular, the instantiation in Section 4.2 that is based on the decisional Diffie-Hellman assumption). In addition, we extend the framework of key-leakage attacks to the setting of chosen-ciphertext attacks. We present both a generic transformation from chosen-plaintext security to chosen-ciphertext security in the context of key-leakage attacks, and efficient schemes that are based on specific number-theoretic assumptions.

In what follows we present a more elaborate exposition of our results, but first, we briefly describe the framework of Akavia et al. and their results. Informally, an encryption scheme is resilient to key-leakage attacks if it is semantically secure even when the adversary obtains sensitive leakage information. This is modeled by providing the adversary with access to a leakage oracle: the adversary can submit any function f and receive f(sk), where sk is the secret key (we note that the leakage functions can be chosen depending on the public key, which is known to the adversary). The adversary can query the leakage oracle adaptively, with only one restriction: the sum of the output lengths of all the leakage functions has to be bounded by a predetermined parameter λ (clearly, λ has to be less than the length of the secret key)¹. A formal definition is provided in Section 3. Akavia et al. showed that Regev’s public-key encryption scheme is resilient to any key leakage of L/polylog(L) bits, where L is the length of the secret key. We are now ready to state our results more clearly:

A generic construction. We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system, a very useful primitive introduced by Cramer and Shoup [8]. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing constructions of such proof systems [8, 29, 43] imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman (DDH) assumption and its progressively weaker d-Linear variants, the quadratic residuosity assumption, and Paillier’s composite residuosity assumption. The natural approach for achieving security against partial key leakage is to add redundancy to the private key, so that every (short) function of it will still keep many possibilities for the “real secret”. Hash proof systems yield a convenient method for doing just that.

We then emphasize a specific instantiation with a simple and efficient DDH-based hash proof system. The resulting encryption scheme is resilient to any leakage of L(1/2 − o(1)) bits, where L is the length of the secret key. Although one can instantiate our construction with any hash proof system, we find this specific instantiation rather elegant (we refer the reader to Section 4.2).

The schemes that result from our generic construction in fact satisfy a more general notion of leakage resilience: these schemes are secure even if the leakage functions chosen by the adversary are applied to the random bits used by the key generation algorithm. This clearly generalizes the framework of Akavia et al. and guarantees security even in case intermediate values from the process of generating the secret and public keys are leaked². In addition, we consider several other important generalizations of the framework of Akavia et al. that are satisfied by our schemes. These include a scenario in which the adversary obtains a noisy version of all of the memory as in the attack of Halderman et al. (i.e., the leakage may be as long as the whole memory and not of bounded length), and a scenario in which partial results of the decryption process are leaked (we refer the reader to Section 8 for a more elaborate discussion of our generalizations).

¹Akavia et al. refer to such attacks as adaptive memory attacks. They also define the notion of non-adaptive memory attacks which we discuss later on.

²We note that it is not clear that Regev’s scheme is resilient to leakage of intermediate key-related values, or at least, the proof of security of Akavia et al. does not seem to generalize to this setting. The main reason is that their proof of security involves an indistinguishability argument over the public key, and an adversary that has access to the randomness of the key generation algorithm (via leakage queries) can identify that the public key was not sampled from its specified distribution.
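The leakage-oracle model described in this subsection, and the “redundant secret key” idea behind the hash-proof-system construction, as an added toy demonstration that is not part of the paper and is not its Section 4.2 scheme. It uses a constructed two-generator key pk = g1^x1 · g2^x2 over the order-23 subgroup of Z_47^* (chosen this small so that every secret key can be enumerated), a toy one-bit extractor, and a leakage oracle that enforces the budget λ; the group parameters, the extractor and the leakage function are all assumptions made for the illustration.

```python
import secrets

# Constructed toy parameters: the subgroup of quadratic residues mod 47 has
# prime order 23 and is generated by 2. W is the discrete log of G2 base G1;
# nobody knows it in a real instantiation, it is fixed here only so that the
# example can build an "invalid" pair (u1, u2) outside the DDH language.
P = 47
Q = 23
G1 = 2
W = 5
G2 = pow(G1, W, P)

_RNG = secrets.SystemRandom()


def keygen():
    """pk = h = g1^x1 * g2^x2, sk = (x1, x2): every pk has Q matching secret keys."""
    x1, x2 = _RNG.randrange(Q), _RNG.randrange(Q)
    h = pow(G1, x1, P) * pow(G2, x2, P) % P
    return h, (x1, x2)


def priv_eval(sk, u1, u2):
    """Private evaluation of the hash proof system; defined for any (u1, u2)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def pub_eval(h, r):
    """Public evaluation; only possible when (u1, u2) = (g1^r, g2^r) and r is known."""
    return pow(h, r, P)


def ext(k, s):
    """Toy one-bit seeded extractor (illustration only; use a real strong extractor)."""
    return (s * k % P) & 1


def encrypt(h, m):
    r, s = _RNG.randrange(Q), _RNG.randrange(1, P)
    return pow(G1, r, P), pow(G2, r, P), s, ext(pub_eval(h, r), s) ^ m


def decrypt(sk, ct):
    u1, u2, s, e = ct
    return ext(priv_eval(sk, u1, u2), s) ^ e


def consistent_keys(h, f=None, leaked=None):
    """All secret keys matching pk h, and also matching the leakage f(sk) = leaked if given."""
    keys = [(x1, x2) for x1 in range(Q) for x2 in range(Q)
            if pow(G1, x1, P) * pow(G2, x2, P) % P == h]
    if f is not None:
        keys = [k for k in keys if f(k) == leaked]
    return keys


def distinct_hash_values(keys, u1, u2):
    """How many different encapsulated keys the candidate secret keys can produce."""
    return len({priv_eval(k, u1, u2) for k in keys})


class LeakageOracle:
    """The leakage oracle of the model: answers f(sk) while total output <= lambda bits."""

    def __init__(self, sk, lam):
        self.sk, self.budget = sk, lam

    def query(self, f):
        out = f(self.sk)  # leakage functions return a string of '0'/'1' characters
        if len(out) > self.budget:
            raise ValueError("leakage budget exhausted")
        self.budget -= len(out)
        return out


def demo(lam=2, r=7):
    h, sk = keygen()
    keys = consistent_keys(h)
    valid = (pow(G1, r, P), pow(G2, r, P))                # in the language
    invalid = (pow(G1, r, P), pow(G2, (r + 1) % Q, P))    # r1 != r2: outside it
    # Adaptive adversary: leaks the low `lam` bits of x1 (any function would do).
    low_bits = lambda k: format(k[0] % (1 << lam), f"0{lam}b")
    leaked = LeakageOracle(sk, lam).query(low_bits)
    remaining = consistent_keys(h, low_bits, leaked)
    return {
        "keys_sharing_pk": len(keys),
        "valid_values": distinct_hash_values(keys, *valid),
        "invalid_values": distinct_hash_values(keys, *invalid),
        "keys_after_leak": len(remaining),
        "invalid_values_after_leak": distinct_hash_values(remaining, *invalid),
        "roundtrip": all(decrypt(sk, encrypt(h, m)) == m for m in (0, 1)),
    }
```

Running demo() shows the two facts the construction rests on: all 23 secret keys that share a public key produce the same encapsulated key on a valid pair (g1^r, g2^r), so any of them decrypts correctly, whereas on a pair outside the language they produce 23 distinct values. Leaking λ = 2 bits of the key leaves about 23/2^λ candidates and just as many possible encapsulated keys; that residual entropy is what the extractor then turns into a uniform symmetric key.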

Improved key-leakage resilience. We propose two public-key encryption schemes that are resilient to any key leakage of L(1 − o(1)) bits, where L is the length of the secret key. Our proposals are based on the observation that our generic construction from hash proof systems can in fact be based on hash proof systems with a slightly weaker universality property. When viewing hash proof systems as key-encapsulation mechanisms, relaxing the universality property enables us to achieve essentially the best possible ratio between the length of the secret key and the length of the encapsulated symmetric key. This ratio translates to the relative amount of key leakage to which the encryption schemes are resilient³.

For our first proposal we construct a new hash proof system based on the decisional Diffie-Hellman assumption (and more generally, on any of the d-Linear assumptions) that satisfies this weaker universality property. The resulting encryption scheme is then obtained by instantiating our generic construction with this hash proof system. For our second proposal, we show that the recent “circular-secure” encryption scheme of Boneh et al. [6] fits into our generic approach using a different hash proof system (that satisfies the same weaker universality property). We then compare our two proposals both conceptually and practically, indicating that they complement each other in terms of efficiency.
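As an added illustration of the ratio argument above (this calculation is not taken from the paper; its constants are the standard ones of the leftover hash lemma), suppose the generic construction derives an m-bit symmetric key from the encapsulated key K with a strong extractor at statistical error ε = 2^{-t}, and that for an invalid ciphertext K has k bits of min-entropy given the public key (this is what universality provides; k and t are introduced here only for the calculation). A leakage function f of total output length λ lowers the average min-entropy by at most λ bits, so

$$\tilde H_\infty\big(K \mid pk, f(sk)\big) \;\ge\; k - \lambda ,$$

and the leftover hash lemma then bounds the extractor error by

$$\varepsilon \;\le\; 2^{\frac{m - (k - \lambda)}{2} - 1} \;\le\; 2^{-t} \qquad\text{whenever}\qquad \lambda \;\le\; k - m - 2t .$$

In the DDH-based instantiation the secret key sk = (x_1, x_2) ∈ Z_q^2 has L = 2 log q bits while K ranges over a group of order q, so k = log q = L/2 and

$$\lambda \;\le\; \frac{L}{2} - m - 2t \;=\; L\Big(\frac{1}{2} - o(1)\Big) \qquad\text{for } m + 2t = o(L),$$

which is the L(1/2 − o(1)) figure stated earlier. A hash proof system whose encapsulated key has k = L(1 − o(1)) bits of min-entropy given pk, i.e. one with essentially the best ratio between the two lengths, gives λ ≤ L(1 − o(1)) by the same calculation; that is the target of the two proposals.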

Chosen-ciphertext security. We extend the framework of key leakage to the setting of chosen-ciphertext security. Technically, this is a very natural extension: the adversary is provided with access to both a leakage oracle and a decryption oracle (a formal definition is provided in Section 3). On the theoretical side, we show that the Naor-Yung “double encryption” paradigm [14, 36] can be used as a general transformation from chosen-plaintext security to chosen-ciphertext security in the presence of key leakage. As an immediate corollary of our above-mentioned results, we obtain a scheme that is CCA2-secure with any leakage of L(1 − o(1)) bits, where L is the length of the secret key.

The schemes resulting from the Naor-Yung paradigm are rather inefficient due to the usage of generic non-interactive zero-knowledge proofs. To complement this situation, on the practical side, we prove that variants of the Cramer-Shoup cryptosystem [9] (along the lines of our generic transformation from hash proof systems) are CCA1-secure with any leakage of L(1/4 − o(1)) bits, and CCA2-secure with any leakage of L(1/6 − o(1)) bits. It is left as an open problem to construct a practical CCA-secure scheme that is resilient to any leakage of L(1 − o(1)) bits (where a possible approach is to examine recent refinements of the Cramer-Shoup cryptosystem [1, 29, 32]).

“Weak” key-leakage security. Akavia et al. also considered the following weaker notion of key leakage (which they refer to as “non-adaptive” leakage): a leakage function f with output length λ is chosen by the adversary ahead of time (without any knowledge of the public key), and then the adversary is given (pk, f(sk)). That is, in a “weak” key-leakage attack the leakage function f is chosen independently of pk. Akavia et al. proved that Regev’s encryption scheme is resilient to any weak key leakage of L(1 − o(1)) bits.

³We do not argue that such a relaxation is in fact necessary for achieving the optimal ratio.