Article

Overcoming the Hole In The Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage.

Foundations of Computer Science, 1975., 16th Annual Symposium on 01/2010; 2010:278. DOI: 10.1109/FOCS.2010.55
Source: DBLP

ABSTRACT In recent years, there has been a major efiort to design cryptographic schemes that remain secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel attacks which, through various physical means, can recover part of the secret key. We explore the possibility of achieving security even with continual leakage, i.e., even if some information is leaked each time the key is used. We show how to securely update a secret key while information is leaked: We construct schemes that remain secure even if an attacker, at each time period, can probe the entire memory (containing a secret key) and \leak" up to a (1 ¡ o(1)) fraction of the secret key. The attacker may also probe the memory during the updates, and leak O(logk) bits, where k is the security parameter (relying on subexponential hardness allows k † bits of leakage during each update

0 Bookmarks
 · 
90 Views
  • Source
    Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday; 01/2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The laws of quantum mechanics allow unconditionally secure key distribution protocols. Nevertheless, security proofs of traditional quantum key distribution (QKD) protocols rely on a crucial assumption, the trustworthiness of the quantum devices used in the protocol. In device-independent QKD, even this last assumption is relaxed: the devices used in the protocol may have been adversarially prepared, and there is no a priori guarantee that they perform according to specification. Proving security in this setting had been a central open problem in quantum cryptography. We give the first device-independent proof of security of a protocol for quantum key distribution that guarantees the extraction of a linear amount of key even when the devices are subject to a constant rate of noise. Our only assumptions are that the laboratories in which each party holds his or her own device are spatially isolated, and that both devices, as well as the eavesdropper, are bound by the laws of quantum mechanics. All previous proofs of security relied either on the use of many independent pairs of devices, or on the absence of noise.
    Computing Research Repository - CORR. 10/2012;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks. One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1–o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS ’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS ’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.
    05/2011: pages 89-108;

Full-text

View
0 Downloads
Available from