Page 1

Cryptography Resilient to Continual Memory Leakage

Zvika Brakerski∗

Yael Tauman Kalai†

Jonathan Katz‡

Vinod Vaikuntanathan§

Abstract

In recent years, there has been a major effort to design cryptographic schemes that remain

secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel

attacks which, through various physical means, can recover part of the secret key. We explore

the possibility of achieving security even with continual leakage, i.e., even if some information

is leaked each time the key is used.

We show how to securely update a secret key while information is leaked: We construct

schemes that remain secure even if an attacker, at each time period, can probe the entire memory

(containing a secret key) and “leak” up to a (1 − o(1)) fraction of the secret key. The attacker

may also probe the memory during the updates, and leak O(logk) bits, where k is the security

parameter (relying on subexponential hardness allows k?bits of leakage during each update

process). All of the above is achieved without restricting the model as is done in previous works

(e.g. by assuming that “only computation leaks information” [Micali-Reyzin, TCC04]).

Specifically, under the decisional linear assumption on bilinear groups (which allows for a

leakage rate of (1/2−o(1))) or the symmetric external Diffie-Hellman assumption (which allows

for a leakage rate of (1 − o(1))), we achieve the above for public key encryption, identity-based

encryption, and signature schemes. Prior to this work, it was not known how to construct

public-key encryption schemes even in the more restricted model of [MR].

The main contributions of this work are (1) showing how to securely update a secret key

while information is leaked (in the more general model) and (2) giving a public key encryption

(and IBE) schemes that are resilient to continual leakage.

∗Weizmann Institute of Science and Microsoft Research, zvika.brakerski@weizmann.ac.il.

†Microsoft Research, yael@microsoft.com.

‡University of Maryland, jkatz@cs.umd.edu.

§IBM Research, vinodv@alum.mit.edu.

Page 2

1 Introduction

Modern cryptography, starting from the foundational work in the late 70s, has been a huge success,

leading to the definition and construction of various cryptographic primitives such as digital sig-

natures, public-key encryption, identity-based encryption, and so forth. The working assumption

in most of modern cryptography is that secret keys are generated using perfectly random bits,

and once they are generated, they are perfectly secret. However, it has been observed that this

assumption does not hold in practice, where attackers use different types of side-channel attacks

to leak information about the secret key. These attacks exploit the physical characteristics of the

execution of a cryptographic device, such as timing, power consumption, electro-magnetic radi-

ation, and so forth (see [Koc96, KJJ99, OST06, HSH+08] and the references therein). What’s

worse, many constructions that were proven to be secure under traditional cryptographic security

definitions are known to be completely insecure under many such attacks (see, e.g., [Koc96] for

how to break the RSA algorithm under timing attacks, and [HSH+08] for how to break RSA as

well as the Advanced Encryption Standard (AES) under cold-boot attacks). The focus of this work

is constructing cryptographic protocols that are provably secure in the presence of side-channel

attacks.

Recently, starting with the work of Ishai, Sahai and Wagner [ISW03] and Micali and Reyzin [MR04],

there has been a major effort by the cryptographic community to construct such protocols. The

influential work of Micali and Reyzin proposed to construct cryptographic protocols under the

assumption that

“any computation, and only computation, leaks information”.

Indeed, the vast variety of side-channel attacks lead to a myriad of different ways in which infor-

mation can leak every time the cryptographic device performs some computation. Thus, it seems

prudent to allow any computation to leak information – we will refer to this as the continual leakage

model. Furthermore, even though different side-channel attacks leak vastly different types of infor-

mation, the amount of information thus leaked is always assumed to be “bounded”. In short, to

account for the different side-channel attacks, we will allow the attacker to obtain any polynomial-

time computable function of the current internal state of the device in every time-period, as long as

the information thus obtained is “bounded”. Of course, it is easy to observe that achieving security

in this model requires that the secret key (or, its representation) be refreshed periodically.

The second clause of the Micali-Reyzin proposal turns out to be problematic. Roughly speaking,

the “only computation leaks information” assumption means that the parts of memory that are not

“touched” during a certain time-period do not leak during that time-period. Is it really true that

(temporarily) inactive memory does not leak information? Some recently proposed attacks such

as the cold-boot attack [HSH+08] leak information from the memory even when no computation

is taking place.In addition, various memory architectures leak information when there is no

explicit computation going on; for example, a dynamic random-access memory (DRAM) needs to

be automatically refreshed every once in a while (just to maintain the state of the memory), hard-

disks might leak information because of the electro-magnetic polarizations, and so on. This raises

the question:

Can we protect against continual leakage of information from all parts of the memory?

In other words, we would like to remove the “only computation leaks” assumption, and allow all

parts of memory – including the secret key, the random bits generated by the system, and the

intermediate bits of computation – to leak during all time-periods. This powerful model of leakage,

1

Page 3

which we refer to as the continual memory leakage model, is the focus of our work. Our main goal

will be to construct a variety of cryptographic schemes – public-key and identity-based encryption

schemes, and digital signature schemes – that are secure in the continual memory leakage model.

Before going any further, let us review two important lines of work that are vitally related to this

discussion.

Previous Work.

in the Micali-Reyzin model, that is, assuming that only computation leaks information. There

have been a few such constructions, including the work of Dziembowski and Pietrzak who con-

structed stream ciphers [DP08, Pie09], and the work of Faust et al. who constructed digital sig-

nature schemes [FKPR10]. In addition, the recent works of Faust et al. [FRR+10], Juma and

Vahlis [JV10], and Goldwasser and Rothblum [GR10] shows how to do general leakage-resilient

cryptography assuming access to secure (perfectly leakage-proof) hardware. We elaborate on these

results in Section 1.2, but here, we emphasize that there are several very basic cryptographic tasks,

such as public-key encryption schemes, for which we do not know of any construction that is secure

against continual leakage even assuming that “only computation leaks”.

A complementary line of work – initiated by Akavia, Goldwasser and Vaikuntanathan [AGV09]

– deals with the so-called bounded memory-leakage model. Here, the attacker chooses an arbitrary,

efficiently computable function f (possibly as a function of the public parameters of the system),

and receives the result of f applied to the secret key sk. Clearly, to have some secrecy left, we must

restrict the attacker to choose a function f that does not fully reveal the secret. This (apparently

necessary) condition has been modeled in several ways, leading to more and more general definitions,

by [AGV09], Naor and Segev [NS09] and Dodis, Kalai and Lovett [DKL09]. The important point

to note is that the information leakage here is one-shot – that is, the total amount of information

that the attacker obtains is fixed, regardless of the amount of computation that is going on within

the device. Many cryptographic schemes were proven secure in these bounded leakage models,

including weak pseudorandom functions, signature schemes, and public-key and identity-based

encryption schemes [DKL09, NS09, ADW09, KV09]. We elaborate on these in Section 1.2.

The first line of work constructs cryptographic schemes that are proven secure

The Best of Both Worlds – the Continual Memory Leakage Model.

propose the continual memory leakage model that combines the best features of both the continual

leakage model of [MR04, DP08, Pie09, FKPR10, JV10, GR10], and the bounded memory leakage

model of [AGV09, NS09, KV09, ADW09]. In particular, in the continual memory leakage model,

the leakage of information is unrestricted in time (thus, information leaks continuously over time)

and unrestricted in space (thus, every bit of the cryptographic device is liable to leak, regardless of

whether it is being used in computation or not). Let us pin down a little more precisely what we

mean by this.

For concreteness, let us illustrate the continual memory leakage model in the context of digital

signature schemes. We view the signing device as consisting of two types of memory:

In this work, we

1. Public memory that stores the public verification key, the public randomness used by the

system, and the inputs and outputs of the computation.

2. Secret memory that stores the secret key, the secret randomness used by the system, and the

intermediate steps in the (signature) computations.

The attacker can see the contents of the public memory in its entirety, while (as we will see) he is

allowed to obtain a limited amount of information about the secret memory.

2

Page 4

More specifically, we partition time to discrete time periods, where during each time period,

the signature device may sign many messages. During each time period (and during each signature

computation), we allow the attacker to choose an arbitrary (efficiently computable) leakage function,

and obtain as a result the leakage function applied to the internal state (namely, the secret key and

the internal randomness and the bits of the intermediate computation) of the device. Following

[AGV09], the only restriction we place on the leakage functions is that their total output length

during each time-period is at most a pre-specified fraction of the number of bits of the internal

state.1

At the end of each time-period, we “update” or “refresh” the secret key. Secret-key update is

a randomized procedure that takes as input a secret key sk corresponding to a public key pk, and

outputs a uniformly random secret key sk?for the same public key. As we argued above, tolerating

continual leakage necessitates such an update of the secret key. We emphasize that information

leakage could happen during the update of the secret key as well, and such leakage potentially

depends on the randomness used for the update procedure (among other things).

We refer the reader to Section 3 for a full-fledged and formal description of the model.

1.1 Our Results

We construct public-key and identity-based encryption schemes, as well as a signature scheme

secure in the continual memory leakage model, under the decisional linear assumption over bilinear

groups. More specifically, for any (arbitrarily small) constant ? > 0, we prove that our schemes

are resilient to continual memory leakage, where at each time period, any bounded (poly-time

computable) function of the secret-key sk can be leaked, as long as the leakage-rate is at most

1

4− ?; i.e., the size of the leakage is (1

during each secret-key update process, as long as this leakage contains only O(logk) bits, where

k is the security parameter. Furthermore, if we are willing to rely on subexponential hardness of

the linear assumption over bilinear groups, then we can tolerate up to O(k?) bits of leakage from

each update process. We note that while tolerating a logarithmic number of bits of leakage in

non-continual, one-shot memory attack model is quite easy (since this leakage can be guessed), this

is not the case in the continual leakage model (since in this model, guesses need to be made over

and over again).

We emphasize that when leakage occurs during a computation (such as during the update

procedure), a bounded function of all the memory content can leak; this includes the secret key,

but also all the randomness used by the procedure. It is the latter that makes it difficult to tolerate

leakage during a computation.

4− ?) · |sk|. Moreover, our schemes are resilient to leakage

Our Main Results: Public-key and Identity-based Encryption Schemes.

stone of all our results is the construction of a public-key encryption scheme secure against continual

memory leakage with the leakage parameters as described above. We then show the following.

The corner-

• We show how to modify the construction to create an identity-based encryption scheme secure

against continual memory leakage of the secret keys of individual users (see Section 2.3 and

Section 7; also, see below for more details).

• Given an encryption scheme that is resilient to continual memory leakage, we show how to

(relatively easily) construct a signature scheme that is resilient to continual memory leakage;

1We can in fact extend our results to the more general “leftover entropy” leakage model of Naor and Segev [NS09]

which requires only that the secret key has non-trivial min-entropy conditioned on the leakage.

3

Page 5

this follows the paradigm of Katz and Vaikuntanathan [KV09] (see Section 2.4 and Sec-

tion 8.1). The resulting scheme tolerates leakage from the memory, the key-generation and

update procedures, but not during the signing process. We then show how to modify this

scheme to tolerate leakage from the signing process as well, under additional computational

assumptions; see below for details.

We view the encryption (and IBE) schemes as the main results of this paper, and the signature

scheme as secondary, for several reasons: First, as mentioned above, it is relatively easy to construct

the signature scheme given our encryption scheme (at least without tolerating leakage from the

signing algorithm). Second, and more importantly, prior to this work, it was known how to construct

signature schemes that are secure in a continual leakage model assuming that only computation leaks

information [FKPR10]; however, it was not known how to construct encryption schemes that are

secure in a continual leakage model, even with the Micali-Reyzin assumption.

Finally, we would like to note that our public key encryption scheme gives rise to a symmetric

encryption scheme resilient against continual memory leakage (where the secret key contains both

the secret and public keys), where two parties can interact over an insecure channel, while indi-

vidually and independently updating their secret keys. In other words, at any point of time, the

two communicating parties might have completely different secret keys, and still they will be able

to communicate meaningfully. What’s more, this requires no interaction whatsoever! We defer an

elaborate treatment of this connection, and more, to the full version.

Remarks on the Identity-based Encryption Result.

encryption scheme, we can only tolerate leakage from the signing keys of the users, but cannot

tolerate leakage from the master secret key. On the one hand, one could argue that since the

master secret key is a much more appealing target (as it is related to the security of all the users),

it may attract more attention from attackers and thus deserves more protection. On the other

hand, the trusted authority has much more resources than the individual users, and can afford to

implement iron-clad counter-measures at the implementation level to prevent key leakage. That

said, we view the problem of finding identity-based encryption schemes that are resilient to the

leakage of the master secret-key as a very interesting open question.

We note that in our identity based

Remarks on the Signature Scheme.

the signing process (which is typically a randomized process) is highly non-trivial (this situation

should be contrasted with encryption schemes, where the decryption operation is deterministic,

and leakage from the decryption process can be interpreted as memory leakage). Indeed, our first

signature scheme (that we described above) cannot tolerate any leakage from the signing process.

However, we construct another signature scheme that can tolerate leakage from the signing

process relying on two additional assumptions. The first is that short non-interactive arguments

exist. We note that known constructions of such arguments, were proven to be secure only in the

random oracle model [Kil92, Mic00, BG08]. The second assumption is that there exists a family

of collision resistant hash functions that map strings in {0,1}∗to strings in {0,1}α(k), for some

α(k) ∈ N. Given these constructs, the scheme can then tolerate a leakage-rate of (1

(from both memory, and more significantly, also from the signing algorithm). Thus the smaller

the number α(k) is, the better the leakage-rate we get, but the stronger the assumption becomes.

We note that (as in the original signature scheme) this scheme can also tolerate leakage during

each update process, as long as this leakage contains only O(logk) bits (or k?bits if we rely on a

subexponential hardness assumption).

In the case of signature schemes, tolerating leakage from

4− ?) ·

1

α(k)

4