Public-Key Cryptosystems Resilient to Key Leakage.

SIAM Journal on Computing (Impact Factor: 0.76). 01/2009; 2009(4):105. DOI: 10.1007/978-3-642-03356-8_2
Source: DBLP

ABSTRACT: Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the "cold boot attacks" of Halderman et al. (USENIX Security '08), Akavia, Goldwasser and Vaikuntanathan (TCC '09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev's lattice-based scheme (STOC '05) is resilient to any leakage of L/polylog(L) bits, where L is the length of the secret key. In this paper we revisit the above-mentioned framework and our main results are as follows:

  • We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying hash proof system. Existing constructions of hash proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker d-Linear variants), the quadratic residuosity assumption, and Paillier's composite residuosity assumption.
  • We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its d-Linear variants), and show that the resulting scheme is resilient to any leakage of L(1 − o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO '08), constructed to be a "circular-secure" encryption scheme, fits our generic approach and is also resilient to any leakage of L(1 − o(1)) bits.
  • We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 − o(1)) bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.

  • ABSTRACT: Leakage-resilient public key encryption (PKE) schemes are designed to resist "memory attacks", i.e., the adversary recovers the cryptographic key in the memory adaptively, but subject to the constraint that the total amount of leaked information about the key is bounded by some parameter λ. Among all the IND-CCA2 leakage-resilient PKE proposals, the leakage-resilient version of the Cramer-Shoup cryptosystem (CS-PKE), referred to as the KL-CS-PKE scheme proposed by Naor and Segev in Crypto09, is the most practical one. But the key leakage parameter λ and plaintext length m of KL-CS-PKE are subject to λ + m ≤ log q − ω(log κ), where κ is the security parameter and q is the prime order of the group on which the scheme is based. Such a dependence between λ and m is undesirable. For example, when λ (resp., m) approaches log q, m (resp., λ) approaches 0. In this paper, we design a new variant of CS-PKE that is resilient to key leakage chosen ciphertext attacks. Our proposal is λ ≤ log q − ω(log κ) leakage-resilient, and the leakage parameter λ is independent of the plaintext space, which has the constant size q (exactly the same as that in CS-PKE). The performance of our proposal is almost as efficient as the original CS-PKE. As far as we know, this is the first leakage-resilient CS-type cryptosystem whose plaintext length is independent of the key leakage parameter, and it is also the most efficient IND-CCA2 PKE scheme resilient to up to log q − ω(log κ) leakage.
  • ABSTRACT: When an adversary can measure the physical memory storing the decryption key, decryption functionality often comes in handy. Halevi and Lin (TCC'11) studied after-the-fact (or post-challenge) leakage in public-key encryption (PKE), in which an adversary can make leakage queries from a split state after seeing the challenge ciphertext, but left security against chosen-ciphertext attacks (CCA) as future work. In this paper, we follow their work and formulate the definition of entropic leakage-resilient CCA-secure PKE, which we show can be realized by the Naor-Yung "double encryption" paradigm (STOC'90). We then leverage it to get a CCA-secure key-encapsulation mechanism in the presence of post-challenge leakage, in the same model of bounded memory leakage from a split state. Finally, we prove that the hybrid encryption framework is still applicable by presenting a construction of CCA-secure PKE in the presence of post-challenge leakage. As additional results, we extend these concepts to the identity-based setting, where many identity-based secret keys can be leaked after the adversary has received the challenge, and give a construction of identity-based encryption in the presence of post-challenge leakage in the split-state model, which can be instantiated by the identity-based hash proof systems of Alwen et al. (Eurocrypt'10) and Chow et al. (CCS'10).
    Theoretical Computer Science 01/2015; 572. DOI:10.1016/j.tcs.2015.01.010 · 0.52 Impact Factor
  • ABSTRACT: In order to tolerate possible leakage of secret keys, a leakage-resilient cryptosystem models a class of attractive leakage output by allowing an adversary to provide any computable leakage function and to learn partial keys or other possible internal states from the output of that function. In this work, we present an adaptively secure broadcast encryption scheme resilient to continual key leakage in the standard model. Our scheme provides tolerance of continual leakage, in which any user can generate multiple private keys by periodically updating the key. We use the dual system encryption mechanism to implement the leakage resilience and adaptive security, and intrinsically set an algorithm to refresh a key and produce an identically distributed new key. We also give an evaluation of the leakage bound and leakage fraction, and the simulations show that our scheme can tolerate about a 71% leakage fraction with 3.34 × 10^−52 failure probability at the standard 80-bit security level when we adjust the leakage factor to allow the private key to be 100 Kb.
    Frontiers of Computer Science (print) 06/2014; 8(3):456-468. DOI:10.1007/s11704-014-3271-y · 0.41 Impact Factor
