Overcoming the Hole In The Bucket: PublicKey Cryptography Resilient to Continual Memory Leakage.
ABSTRACT In recent years, there has been a major efiort to design cryptographic schemes that remain secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel attacks which, through various physical means, can recover part of the secret key. We explore the possibility of achieving security even with continual leakage, i.e., even if some information is leaked each time the key is used. We show how to securely update a secret key while information is leaked: We construct schemes that remain secure even if an attacker, at each time period, can probe the entire memory (containing a secret key) and \leak" up to a (1 ¡ o(1)) fraction of the secret key. The attacker may also probe the memory during the updates, and leak O(logk) bits, where k is the security parameter (relying on subexponential hardness allows k † bits of leakage during each update

Article: Key continualleakage resilient broadcast cryptosystem from dual system in broadcast networks
[Show abstract] [Hide abstract]
ABSTRACT: In order to tolerate possible leakage of secret keys, leakageresilient cryptosystem models a class of attractive leakage output by allowing an adversary to provide any computable leakage function and learning the partial keys or other possible internal states from the output of function. In this work, we present an adaptively secure broadcast encryption resilient to key continual leakage in the standard model. Our scheme provides the tolerance of continual leakage, in which any user can generate multiple private keys per user by periodically updating the key. We use the dual system encryption mechanism to implement the leakage resilience and adaptive security, and intrinsically set an algorithm to refresh a key and produce a same distributed new key. We also give the evaluation of the leakage bound and leakage fraction, and the simulations show that our scheme can tolerate about 71% leakage fraction with 3.34 × 10−52 failure probability in standard 80bit security level when we adjust the leakage factor to allow the private key to be 100 Kb.Frontiers of Computer Science (print) 06/2014; 8(3):456468. · 0.41 Impact Factor  SourceAvailable from: uwspace.uwaterloo.ca
 The Journal of Supercomputing 12/2014; 70(3):14051432. · 0.84 Impact Factor
Page 1
Cryptography Resilient to Continual Memory Leakage
Zvika Brakerski∗
Yael Tauman Kalai†
Jonathan Katz‡
Vinod Vaikuntanathan§
Abstract
In recent years, there has been a major effort to design cryptographic schemes that remain
secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel
attacks which, through various physical means, can recover part of the secret key. We explore
the possibility of achieving security even with continual leakage, i.e., even if some information
is leaked each time the key is used.
We show how to securely update a secret key while information is leaked: We construct
schemes that remain secure even if an attacker, at each time period, can probe the entire memory
(containing a secret key) and “leak” up to a (1 − o(1)) fraction of the secret key. The attacker
may also probe the memory during the updates, and leak O(logk) bits, where k is the security
parameter (relying on subexponential hardness allows k?bits of leakage during each update
process). All of the above is achieved without restricting the model as is done in previous works
(e.g. by assuming that “only computation leaks information” [MicaliReyzin, TCC04]).
Specifically, under the decisional linear assumption on bilinear groups (which allows for a
leakage rate of (1/2−o(1))) or the symmetric external DiffieHellman assumption (which allows
for a leakage rate of (1 − o(1))), we achieve the above for public key encryption, identitybased
encryption, and signature schemes. Prior to this work, it was not known how to construct
publickey encryption schemes even in the more restricted model of [MR].
The main contributions of this work are (1) showing how to securely update a secret key
while information is leaked (in the more general model) and (2) giving a public key encryption
(and IBE) schemes that are resilient to continual leakage.
∗Weizmann Institute of Science and Microsoft Research, zvika.brakerski@weizmann.ac.il.
†Microsoft Research, yael@microsoft.com.
‡University of Maryland, jkatz@cs.umd.edu.
§IBM Research, vinodv@alum.mit.edu.
Page 2
1Introduction
Modern cryptography, starting from the foundational work in the late 70s, has been a huge success,
leading to the definition and construction of various cryptographic primitives such as digital sig
natures, publickey encryption, identitybased encryption, and so forth. The working assumption
in most of modern cryptography is that secret keys are generated using perfectly random bits,
and once they are generated, they are perfectly secret. However, it has been observed that this
assumption does not hold in practice, where attackers use different types of sidechannel attacks
to leak information about the secret key. These attacks exploit the physical characteristics of the
execution of a cryptographic device, such as timing, power consumption, electromagnetic radi
ation, and so forth (see [Koc96, KJJ99, OST06, HSH+08] and the references therein). What’s
worse, many constructions that were proven to be secure under traditional cryptographic security
definitions are known to be completely insecure under many such attacks (see, e.g., [Koc96] for
how to break the RSA algorithm under timing attacks, and [HSH+08] for how to break RSA as
well as the Advanced Encryption Standard (AES) under coldboot attacks). The focus of this work
is constructing cryptographic protocols that are provably secure in the presence of sidechannel
attacks.
Recently, starting with the work of Ishai, Sahai and Wagner [ISW03] and Micali and Reyzin [MR04],
there has been a major effort by the cryptographic community to construct such protocols. The
influential work of Micali and Reyzin proposed to construct cryptographic protocols under the
assumption that
“any computation, and only computation, leaks information”.
Indeed, the vast variety of sidechannel attacks lead to a myriad of different ways in which infor
mation can leak every time the cryptographic device performs some computation. Thus, it seems
prudent to allow any computation to leak information – we will refer to this as the continual leakage
model. Furthermore, even though different sidechannel attacks leak vastly different types of infor
mation, the amount of information thus leaked is always assumed to be “bounded”. In short, to
account for the different sidechannel attacks, we will allow the attacker to obtain any polynomial
time computable function of the current internal state of the device in every timeperiod, as long as
the information thus obtained is “bounded”. Of course, it is easy to observe that achieving security
in this model requires that the secret key (or, its representation) be refreshed periodically.
The second clause of the MicaliReyzin proposal turns out to be problematic. Roughly speaking,
the “only computation leaks information” assumption means that the parts of memory that are not
“touched” during a certain timeperiod do not leak during that timeperiod. Is it really true that
(temporarily) inactive memory does not leak information? Some recently proposed attacks such
as the coldboot attack [HSH+08] leak information from the memory even when no computation
is taking place.In addition, various memory architectures leak information when there is no
explicit computation going on; for example, a dynamic randomaccess memory (DRAM) needs to
be automatically refreshed every once in a while (just to maintain the state of the memory), hard
disks might leak information because of the electromagnetic polarizations, and so on. This raises
the question:
Can we protect against continual leakage of information from all parts of the memory?
In other words, we would like to remove the “only computation leaks” assumption, and allow all
parts of memory – including the secret key, the random bits generated by the system, and the
intermediate bits of computation – to leak during all timeperiods. This powerful model of leakage,
1
Page 3
which we refer to as the continual memory leakage model, is the focus of our work. Our main goal
will be to construct a variety of cryptographic schemes – publickey and identitybased encryption
schemes, and digital signature schemes – that are secure in the continual memory leakage model.
Before going any further, let us review two important lines of work that are vitally related to this
discussion.
Previous Work.
in the MicaliReyzin model, that is, assuming that only computation leaks information. There
have been a few such constructions, including the work of Dziembowski and Pietrzak who con
structed stream ciphers [DP08, Pie09], and the work of Faust et al. who constructed digital sig
nature schemes [FKPR10]. In addition, the recent works of Faust et al. [FRR+10], Juma and
Vahlis [JV10], and Goldwasser and Rothblum [GR10] shows how to do general leakageresilient
cryptography assuming access to secure (perfectly leakageproof) hardware. We elaborate on these
results in Section 1.2, but here, we emphasize that there are several very basic cryptographic tasks,
such as publickey encryption schemes, for which we do not know of any construction that is secure
against continual leakage even assuming that “only computation leaks”.
A complementary line of work – initiated by Akavia, Goldwasser and Vaikuntanathan [AGV09]
– deals with the socalled bounded memoryleakage model. Here, the attacker chooses an arbitrary,
efficiently computable function f (possibly as a function of the public parameters of the system),
and receives the result of f applied to the secret key sk. Clearly, to have some secrecy left, we must
restrict the attacker to choose a function f that does not fully reveal the secret. This (apparently
necessary) condition has been modeled in several ways, leading to more and more general definitions,
by [AGV09], Naor and Segev [NS09] and Dodis, Kalai and Lovett [DKL09]. The important point
to note is that the information leakage here is oneshot – that is, the total amount of information
that the attacker obtains is fixed, regardless of the amount of computation that is going on within
the device. Many cryptographic schemes were proven secure in these bounded leakage models,
including weak pseudorandom functions, signature schemes, and publickey and identitybased
encryption schemes [DKL09, NS09, ADW09, KV09]. We elaborate on these in Section 1.2.
The first line of work constructs cryptographic schemes that are proven secure
The Best of Both Worlds – the Continual Memory Leakage Model.
propose the continual memory leakage model that combines the best features of both the continual
leakage model of [MR04, DP08, Pie09, FKPR10, JV10, GR10], and the bounded memory leakage
model of [AGV09, NS09, KV09, ADW09]. In particular, in the continual memory leakage model,
the leakage of information is unrestricted in time (thus, information leaks continuously over time)
and unrestricted in space (thus, every bit of the cryptographic device is liable to leak, regardless of
whether it is being used in computation or not). Let us pin down a little more precisely what we
mean by this.
For concreteness, let us illustrate the continual memory leakage model in the context of digital
signature schemes. We view the signing device as consisting of two types of memory:
In this work, we
1. Public memory that stores the public verification key, the public randomness used by the
system, and the inputs and outputs of the computation.
2. Secret memory that stores the secret key, the secret randomness used by the system, and the
intermediate steps in the (signature) computations.
The attacker can see the contents of the public memory in its entirety, while (as we will see) he is
allowed to obtain a limited amount of information about the secret memory.
2
Page 4
More specifically, we partition time to discrete time periods, where during each time period,
the signature device may sign many messages. During each time period (and during each signature
computation), we allow the attacker to choose an arbitrary (efficiently computable) leakage function,
and obtain as a result the leakage function applied to the internal state (namely, the secret key and
the internal randomness and the bits of the intermediate computation) of the device. Following
[AGV09], the only restriction we place on the leakage functions is that their total output length
during each timeperiod is at most a prespecified fraction of the number of bits of the internal
state.1
At the end of each timeperiod, we “update” or “refresh” the secret key. Secretkey update is
a randomized procedure that takes as input a secret key sk corresponding to a public key pk, and
outputs a uniformly random secret key sk?for the same public key. As we argued above, tolerating
continual leakage necessitates such an update of the secret key. We emphasize that information
leakage could happen during the update of the secret key as well, and such leakage potentially
depends on the randomness used for the update procedure (among other things).
We refer the reader to Section 3 for a fullfledged and formal description of the model.
1.1Our Results
We construct publickey and identitybased encryption schemes, as well as a signature scheme
secure in the continual memory leakage model, under the decisional linear assumption over bilinear
groups. More specifically, for any (arbitrarily small) constant ? > 0, we prove that our schemes
are resilient to continual memory leakage, where at each time period, any bounded (polytime
computable) function of the secretkey sk can be leaked, as long as the leakagerate is at most
1
4− ?; i.e., the size of the leakage is (1
during each secretkey update process, as long as this leakage contains only O(logk) bits, where
k is the security parameter. Furthermore, if we are willing to rely on subexponential hardness of
the linear assumption over bilinear groups, then we can tolerate up to O(k?) bits of leakage from
each update process. We note that while tolerating a logarithmic number of bits of leakage in
noncontinual, oneshot memory attack model is quite easy (since this leakage can be guessed), this
is not the case in the continual leakage model (since in this model, guesses need to be made over
and over again).
We emphasize that when leakage occurs during a computation (such as during the update
procedure), a bounded function of all the memory content can leak; this includes the secret key,
but also all the randomness used by the procedure. It is the latter that makes it difficult to tolerate
leakage during a computation.
4− ?) · sk. Moreover, our schemes are resilient to leakage
Our Main Results: Publickey and Identitybased Encryption Schemes.
stone of all our results is the construction of a publickey encryption scheme secure against continual
memory leakage with the leakage parameters as described above. We then show the following.
The corner
• We show how to modify the construction to create an identitybased encryption scheme secure
against continual memory leakage of the secret keys of individual users (see Section 2.3 and
Section 7; also, see below for more details).
• Given an encryption scheme that is resilient to continual memory leakage, we show how to
(relatively easily) construct a signature scheme that is resilient to continual memory leakage;
1We can in fact extend our results to the more general “leftover entropy” leakage model of Naor and Segev [NS09]
which requires only that the secret key has nontrivial minentropy conditioned on the leakage.
3
Page 5
this follows the paradigm of Katz and Vaikuntanathan [KV09] (see Section 2.4 and Sec
tion 8.1). The resulting scheme tolerates leakage from the memory, the keygeneration and
update procedures, but not during the signing process. We then show how to modify this
scheme to tolerate leakage from the signing process as well, under additional computational
assumptions; see below for details.
We view the encryption (and IBE) schemes as the main results of this paper, and the signature
scheme as secondary, for several reasons: First, as mentioned above, it is relatively easy to construct
the signature scheme given our encryption scheme (at least without tolerating leakage from the
signing algorithm). Second, and more importantly, prior to this work, it was known how to construct
signature schemes that are secure in a continual leakage model assuming that only computation leaks
information [FKPR10]; however, it was not known how to construct encryption schemes that are
secure in a continual leakage model, even with the MicaliReyzin assumption.
Finally, we would like to note that our public key encryption scheme gives rise to a symmetric
encryption scheme resilient against continual memory leakage (where the secret key contains both
the secret and public keys), where two parties can interact over an insecure channel, while indi
vidually and independently updating their secret keys. In other words, at any point of time, the
two communicating parties might have completely different secret keys, and still they will be able
to communicate meaningfully. What’s more, this requires no interaction whatsoever! We defer an
elaborate treatment of this connection, and more, to the full version.
Remarks on the Identitybased Encryption Result.
encryption scheme, we can only tolerate leakage from the signing keys of the users, but cannot
tolerate leakage from the master secret key. On the one hand, one could argue that since the
master secret key is a much more appealing target (as it is related to the security of all the users),
it may attract more attention from attackers and thus deserves more protection. On the other
hand, the trusted authority has much more resources than the individual users, and can afford to
implement ironclad countermeasures at the implementation level to prevent key leakage. That
said, we view the problem of finding identitybased encryption schemes that are resilient to the
leakage of the master secretkey as a very interesting open question.
We note that in our identity based
Remarks on the Signature Scheme.
the signing process (which is typically a randomized process) is highly nontrivial (this situation
should be contrasted with encryption schemes, where the decryption operation is deterministic,
and leakage from the decryption process can be interpreted as memory leakage). Indeed, our first
signature scheme (that we described above) cannot tolerate any leakage from the signing process.
However, we construct another signature scheme that can tolerate leakage from the signing
process relying on two additional assumptions. The first is that short noninteractive arguments
exist. We note that known constructions of such arguments, were proven to be secure only in the
random oracle model [Kil92, Mic00, BG08]. The second assumption is that there exists a family
of collision resistant hash functions that map strings in {0,1}∗to strings in {0,1}α(k), for some
α(k) ∈ N. Given these constructs, the scheme can then tolerate a leakagerate of (1
(from both memory, and more significantly, also from the signing algorithm). Thus the smaller
the number α(k) is, the better the leakagerate we get, but the stronger the assumption becomes.
We note that (as in the original signature scheme) this scheme can also tolerate leakage during
each update process, as long as this leakage contains only O(logk) bits (or k?bits if we rely on a
subexponential hardness assumption).
In the case of signature schemes, tolerating leakage from
4− ?) ·
1
α(k)
4