Overcoming the Hole In The Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage.

Foundations of Computer Science, 1975., 16th Annual Symposium on 01/2010; 2010:278. DOI: 10.1109/FOCS.2010.55
Source: DBLP

ABSTRACT In recent years, there has been a major efiort to design cryptographic schemes that remain secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel attacks which, through various physical means, can recover part of the secret key. We explore the possibility of achieving security even with continual leakage, i.e., even if some information is leaked each time the key is used. We show how to securely update a secret key while information is leaked: We construct schemes that remain secure even if an attacker, at each time period, can probe the entire memory (containing a secret key) and \leak" up to a (1 ¡ o(1)) fraction of the secret key. The attacker may also probe the memory during the updates, and leak O(logk) bits, where k is the security parameter (relying on subexponential hardness allows k † bits of leakage during each update

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Side-channel attacks have often proven to have a devastating effect on the security of cryptographic schemes. In this paper, we address the problem of storing cryptographic keys and computing on them in a manner that preserves security even when the adversary is able to obtain information leakage during the computation on the key. Using any fully homomorphic encryption with re-randomizable ciphertexts, we show how to encapsulate a key and repeatedly evaluate arbitrary functions on it so that no adversary can gain any useful information from a large class of side-channel attacks. We work in the model of Micali and Reyzin, assuming that only the active part of memory during computation leaks information. Our construction makes use of a single “leak-free” hardware token that samples from a distribution that does not depend on the protected key or the function that is evaluated on it. Our construction is the first general compiler to achieve resilience against polytime leakage functions without performing any leak-free computation on the protected key. Furthermore, the amount of computation our construction must perform does not grow with the amount of leakage the adversary is able to obtain; instead, it suffices to make a stronger assumption about the security of the fully homomorphic encryption.
    08/2010: pages 41-58;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The laws of quantum mechanics allow unconditionally secure key distribution protocols. Nevertheless, security proofs of traditional quantum key distribution (QKD) protocols rely on a crucial assumption, the trustworthiness of the quantum devices used in the protocol. In device-independent QKD, even this last assumption is relaxed: the devices used in the protocol may have been adversarially prepared, and there is no a priori guarantee that they perform according to specification. Proving security in this setting had been a central open problem in quantum cryptography. We give the first device-independent proof of security of a protocol for quantum key distribution that guarantees the extraction of a linear amount of key even when the devices are subject to a constant rate of noise. Our only assumptions are that the laboratories in which each party holds his or her own device are spatially isolated, and that both devices, as well as the eavesdropper, are bound by the laws of quantum mechanics. All previous proofs of security relied either on the use of many independent pairs of devices, or on the absence of noise.
    Computing Research Repository - CORR. 10/2012;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks. One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1–o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS ’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS ’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.
    05/2011: pages 89-108;


Available from