Page 1

Cryptography Resilient to Continual Memory Leakage

Zvika Brakerski∗

Yael Tauman Kalai†

Jonathan Katz‡

Vinod Vaikuntanathan§

Abstract

In recent years, there has been a major effort to design cryptographic schemes that remain

secure even if part of the secret key is leaked. This is due to a recent proliferation of side channel

attacks which, through various physical means, can recover part of the secret key. We explore

the possibility of achieving security even with continual leakage, i.e., even if some information

is leaked each time the key is used.

We show how to securely update a secret key while information is leaked: We construct

schemes that remain secure even if an attacker, at each time period, can probe the entire memory

(containing a secret key) and “leak” up to a (1 − o(1)) fraction of the secret key. The attacker

may also probe the memory during the updates, and leak O(logk) bits, where k is the security

parameter (relying on subexponential hardness allows k?bits of leakage during each update

process). All of the above is achieved without restricting the model as is done in previous works

(e.g. by assuming that “only computation leaks information” [Micali-Reyzin, TCC04]).

Specifically, under the decisional linear assumption on bilinear groups (which allows for a

leakage rate of (1/2−o(1))) or the symmetric external Diffie-Hellman assumption (which allows

for a leakage rate of (1 − o(1))), we achieve the above for public key encryption, identity-based

encryption, and signature schemes. Prior to this work, it was not known how to construct

public-key encryption schemes even in the more restricted model of [MR].

The main contributions of this work are (1) showing how to securely update a secret key

while information is leaked (in the more general model) and (2) giving a public key encryption

(and IBE) schemes that are resilient to continual leakage.

∗Weizmann Institute of Science and Microsoft Research, zvika.brakerski@weizmann.ac.il.

†Microsoft Research, yael@microsoft.com.

‡University of Maryland, jkatz@cs.umd.edu.

§IBM Research, vinodv@alum.mit.edu.

Page 2

1 Introduction

Modern cryptography, starting from the foundational work in the late 70s, has been a huge success,

leading to the definition and construction of various cryptographic primitives such as digital sig-

natures, public-key encryption, identity-based encryption, and so forth. The working assumption

in most of modern cryptography is that secret keys are generated using perfectly random bits,

and once they are generated, they are perfectly secret. However, it has been observed that this

assumption does not hold in practice, where attackers use different types of side-channel attacks

to leak information about the secret key. These attacks exploit the physical characteristics of the

execution of a cryptographic device, such as timing, power consumption, electro-magnetic radi-

ation, and so forth (see [Koc96, KJJ99, OST06, HSH+08] and the references therein). What’s

worse, many constructions that were proven to be secure under traditional cryptographic security

definitions are known to be completely insecure under many such attacks (see, e.g., [Koc96] for

how to break the RSA algorithm under timing attacks, and [HSH+08] for how to break RSA as

well as the Advanced Encryption Standard (AES) under cold-boot attacks). The focus of this work

is constructing cryptographic protocols that are provably secure in the presence of side-channel

attacks.

Recently, starting with the work of Ishai, Sahai and Wagner [ISW03] and Micali and Reyzin [MR04],

there has been a major effort by the cryptographic community to construct such protocols. The

influential work of Micali and Reyzin proposed to construct cryptographic protocols under the

assumption that

“any computation, and only computation, leaks information”.

Indeed, the vast variety of side-channel attacks lead to a myriad of different ways in which infor-

mation can leak every time the cryptographic device performs some computation. Thus, it seems

prudent to allow any computation to leak information – we will refer to this as the continual leakage

model. Furthermore, even though different side-channel attacks leak vastly different types of infor-

mation, the amount of information thus leaked is always assumed to be “bounded”. In short, to

account for the different side-channel attacks, we will allow the attacker to obtain any polynomial-

time computable function of the current internal state of the device in every time-period, as long as

the information thus obtained is “bounded”. Of course, it is easy to observe that achieving security

in this model requires that the secret key (or, its representation) be refreshed periodically.

The second clause of the Micali-Reyzin proposal turns out to be problematic. Roughly speaking,

the “only computation leaks information” assumption means that the parts of memory that are not

“touched” during a certain time-period do not leak during that time-period. Is it really true that

(temporarily) inactive memory does not leak information? Some recently proposed attacks such

as the cold-boot attack [HSH+08] leak information from the memory even when no computation

is taking place.In addition, various memory architectures leak information when there is no

explicit computation going on; for example, a dynamic random-access memory (DRAM) needs to

be automatically refreshed every once in a while (just to maintain the state of the memory), hard-

disks might leak information because of the electro-magnetic polarizations, and so on. This raises

the question:

Can we protect against continual leakage of information from all parts of the memory?

In other words, we would like to remove the “only computation leaks” assumption, and allow all

parts of memory – including the secret key, the random bits generated by the system, and the

intermediate bits of computation – to leak during all time-periods. This powerful model of leakage,

1

Page 3

which we refer to as the continual memory leakage model, is the focus of our work. Our main goal

will be to construct a variety of cryptographic schemes – public-key and identity-based encryption

schemes, and digital signature schemes – that are secure in the continual memory leakage model.

Before going any further, let us review two important lines of work that are vitally related to this

discussion.

Previous Work.

in the Micali-Reyzin model, that is, assuming that only computation leaks information. There

have been a few such constructions, including the work of Dziembowski and Pietrzak who con-

structed stream ciphers [DP08, Pie09], and the work of Faust et al. who constructed digital sig-

nature schemes [FKPR10]. In addition, the recent works of Faust et al. [FRR+10], Juma and

Vahlis [JV10], and Goldwasser and Rothblum [GR10] shows how to do general leakage-resilient

cryptography assuming access to secure (perfectly leakage-proof) hardware. We elaborate on these

results in Section 1.2, but here, we emphasize that there are several very basic cryptographic tasks,

such as public-key encryption schemes, for which we do not know of any construction that is secure

against continual leakage even assuming that “only computation leaks”.

A complementary line of work – initiated by Akavia, Goldwasser and Vaikuntanathan [AGV09]

– deals with the so-called bounded memory-leakage model. Here, the attacker chooses an arbitrary,

efficiently computable function f (possibly as a function of the public parameters of the system),

and receives the result of f applied to the secret key sk. Clearly, to have some secrecy left, we must

restrict the attacker to choose a function f that does not fully reveal the secret. This (apparently

necessary) condition has been modeled in several ways, leading to more and more general definitions,

by [AGV09], Naor and Segev [NS09] and Dodis, Kalai and Lovett [DKL09]. The important point

to note is that the information leakage here is one-shot – that is, the total amount of information

that the attacker obtains is fixed, regardless of the amount of computation that is going on within

the device. Many cryptographic schemes were proven secure in these bounded leakage models,

including weak pseudorandom functions, signature schemes, and public-key and identity-based

encryption schemes [DKL09, NS09, ADW09, KV09]. We elaborate on these in Section 1.2.

The first line of work constructs cryptographic schemes that are proven secure

The Best of Both Worlds – the Continual Memory Leakage Model.

propose the continual memory leakage model that combines the best features of both the continual

leakage model of [MR04, DP08, Pie09, FKPR10, JV10, GR10], and the bounded memory leakage

model of [AGV09, NS09, KV09, ADW09]. In particular, in the continual memory leakage model,

the leakage of information is unrestricted in time (thus, information leaks continuously over time)

and unrestricted in space (thus, every bit of the cryptographic device is liable to leak, regardless of

whether it is being used in computation or not). Let us pin down a little more precisely what we

mean by this.

For concreteness, let us illustrate the continual memory leakage model in the context of digital

signature schemes. We view the signing device as consisting of two types of memory:

In this work, we

1. Public memory that stores the public verification key, the public randomness used by the

system, and the inputs and outputs of the computation.

2. Secret memory that stores the secret key, the secret randomness used by the system, and the

intermediate steps in the (signature) computations.

The attacker can see the contents of the public memory in its entirety, while (as we will see) he is

allowed to obtain a limited amount of information about the secret memory.

2

Page 4

More specifically, we partition time to discrete time periods, where during each time period,

the signature device may sign many messages. During each time period (and during each signature

computation), we allow the attacker to choose an arbitrary (efficiently computable) leakage function,

and obtain as a result the leakage function applied to the internal state (namely, the secret key and

the internal randomness and the bits of the intermediate computation) of the device. Following

[AGV09], the only restriction we place on the leakage functions is that their total output length

during each time-period is at most a pre-specified fraction of the number of bits of the internal

state.1

At the end of each time-period, we “update” or “refresh” the secret key. Secret-key update is

a randomized procedure that takes as input a secret key sk corresponding to a public key pk, and

outputs a uniformly random secret key sk?for the same public key. As we argued above, tolerating

continual leakage necessitates such an update of the secret key. We emphasize that information

leakage could happen during the update of the secret key as well, and such leakage potentially

depends on the randomness used for the update procedure (among other things).

We refer the reader to Section 3 for a full-fledged and formal description of the model.

1.1 Our Results

We construct public-key and identity-based encryption schemes, as well as a signature scheme

secure in the continual memory leakage model, under the decisional linear assumption over bilinear

groups. More specifically, for any (arbitrarily small) constant ? > 0, we prove that our schemes

are resilient to continual memory leakage, where at each time period, any bounded (poly-time

computable) function of the secret-key sk can be leaked, as long as the leakage-rate is at most

1

4− ?; i.e., the size of the leakage is (1

during each secret-key update process, as long as this leakage contains only O(logk) bits, where

k is the security parameter. Furthermore, if we are willing to rely on subexponential hardness of

the linear assumption over bilinear groups, then we can tolerate up to O(k?) bits of leakage from

each update process. We note that while tolerating a logarithmic number of bits of leakage in

non-continual, one-shot memory attack model is quite easy (since this leakage can be guessed), this

is not the case in the continual leakage model (since in this model, guesses need to be made over

and over again).

We emphasize that when leakage occurs during a computation (such as during the update

procedure), a bounded function of all the memory content can leak; this includes the secret key,

but also all the randomness used by the procedure. It is the latter that makes it difficult to tolerate

leakage during a computation.

4− ?) · |sk|. Moreover, our schemes are resilient to leakage

Our Main Results: Public-key and Identity-based Encryption Schemes.

stone of all our results is the construction of a public-key encryption scheme secure against continual

memory leakage with the leakage parameters as described above. We then show the following.

The corner-

• We show how to modify the construction to create an identity-based encryption scheme secure

against continual memory leakage of the secret keys of individual users (see Section 2.3 and

Section 7; also, see below for more details).

• Given an encryption scheme that is resilient to continual memory leakage, we show how to

(relatively easily) construct a signature scheme that is resilient to continual memory leakage;

1We can in fact extend our results to the more general “leftover entropy” leakage model of Naor and Segev [NS09]

which requires only that the secret key has non-trivial min-entropy conditioned on the leakage.

3

Page 5

this follows the paradigm of Katz and Vaikuntanathan [KV09] (see Section 2.4 and Sec-

tion 8.1). The resulting scheme tolerates leakage from the memory, the key-generation and

update procedures, but not during the signing process. We then show how to modify this

scheme to tolerate leakage from the signing process as well, under additional computational

assumptions; see below for details.

We view the encryption (and IBE) schemes as the main results of this paper, and the signature

scheme as secondary, for several reasons: First, as mentioned above, it is relatively easy to construct

the signature scheme given our encryption scheme (at least without tolerating leakage from the

signing algorithm). Second, and more importantly, prior to this work, it was known how to construct

signature schemes that are secure in a continual leakage model assuming that only computation leaks

information [FKPR10]; however, it was not known how to construct encryption schemes that are

secure in a continual leakage model, even with the Micali-Reyzin assumption.

Finally, we would like to note that our public key encryption scheme gives rise to a symmetric

encryption scheme resilient against continual memory leakage (where the secret key contains both

the secret and public keys), where two parties can interact over an insecure channel, while indi-

vidually and independently updating their secret keys. In other words, at any point of time, the

two communicating parties might have completely different secret keys, and still they will be able

to communicate meaningfully. What’s more, this requires no interaction whatsoever! We defer an

elaborate treatment of this connection, and more, to the full version.

Remarks on the Identity-based Encryption Result.

encryption scheme, we can only tolerate leakage from the signing keys of the users, but cannot

tolerate leakage from the master secret key. On the one hand, one could argue that since the

master secret key is a much more appealing target (as it is related to the security of all the users),

it may attract more attention from attackers and thus deserves more protection. On the other

hand, the trusted authority has much more resources than the individual users, and can afford to

implement iron-clad counter-measures at the implementation level to prevent key leakage. That

said, we view the problem of finding identity-based encryption schemes that are resilient to the

leakage of the master secret-key as a very interesting open question.

We note that in our identity based

Remarks on the Signature Scheme.

the signing process (which is typically a randomized process) is highly non-trivial (this situation

should be contrasted with encryption schemes, where the decryption operation is deterministic,

and leakage from the decryption process can be interpreted as memory leakage). Indeed, our first

signature scheme (that we described above) cannot tolerate any leakage from the signing process.

However, we construct another signature scheme that can tolerate leakage from the signing

process relying on two additional assumptions. The first is that short non-interactive arguments

exist. We note that known constructions of such arguments, were proven to be secure only in the

random oracle model [Kil92, Mic00, BG08]. The second assumption is that there exists a family

of collision resistant hash functions that map strings in {0,1}∗to strings in {0,1}α(k), for some

α(k) ∈ N. Given these constructs, the scheme can then tolerate a leakage-rate of (1

(from both memory, and more significantly, also from the signing algorithm). Thus the smaller

the number α(k) is, the better the leakage-rate we get, but the stronger the assumption becomes.

We note that (as in the original signature scheme) this scheme can also tolerate leakage during

each update process, as long as this leakage contains only O(logk) bits (or k?bits if we rely on a

subexponential hardness assumption).

In the case of signature schemes, tolerating leakage from

4− ?) ·

1

α(k)

4

Page 6

Improving the Leakage Rate.

leakage-rate that we can tolerate is not optimal. For example, we can only tolerate a leakage-rate

of1

means that we should update our secret key more often.

Moreover, we mention that for signature schemes, we have an additional construction that

tolerates leakage-rate of 1 − ? between update procedures. unfortunately, this scheme relies on the

very strong and non-standard assumption, posed by Valiant [Val08], which assumes the existence

of a non-interactive CS proof-of-knowledge. Also, this scheme cannot tolerate any leakage from the

update procedure or the signature procedure. Since we view this result as inferior to the others

(due to the strong assumption it relies on and due to the fact that the update and signing processes

cannot tolerate any leakage), we omit the details of this construction from this version.

Finally, we note that the fact that our schemes can only tolerate logk bits of leakage from the

update procedure (or k?bits if we rely on subexponential hardness), is a drawback which we cannot

overcome. We leave the problem of improving this leakage parameter as an important open problem.

We note that the main drawback of our schemes is that the

4−? between each update procedure. We don’t view this as a serious drawback, since it simply

Finally, we mention that one of the technical tools we develop to achieve these results is a

new linear algebraic theorem (which is unconditional, and requires no computational assumptions),

stating that “random subspaces are leakage-resilient”. See Section 2.1 and Section 5 for details.

1.2 Related Work

It should not come as a surprise that the theory of cryptography community has been cognizant

of the issue of inadvertent information-leakage for quite a while. A number of early results address

this issue, although most of them do not explicitly mention side-channel attacks as a motivating

factor. Most notably, the line of work on exposure-resilient cryptography, initiated by Rivest and

Boyko [Riv97, Boy99], and continued in a number of other works [CDH+00, ISW03, IPSW06],

considers simple leakage functions that reveal a subset of the bits of the secret key or the inter-

nal memory of the cryptographic device. This line of research culminated in the works of Ishai,

Prabhakaran, Sahai and Wagner [ISW03, IPSW06] who show how to “compile” any cryptographic

algorithm into one that tolerates such types of leakage. In contrast to these works, that considers

leakage functions that act locally, the focus of later works has been to consider powerful leakage

functions that can perform some global computation on the secret key. In addition, several works

on “cryptography with imperfect randomness” [DOPS04] can also be construed as dealing with

information leakage.

The modern approach to dealing with leakage starts with the ground-breaking conceptual work

of Micali and Reyzin [MR04] who propose to construct and study formal models that capture

general types of leakage. This study has led to two distinct strands of work, which we describe

below.

The “Computational Leakage” Model.

and Reyzin proposed to study side-channel attacks under the assumption that only computation

leaks information. In other words, information leakage occurs whenever computation takes place

on the secrets; furthermore, the parts of memory that are not involved in computation, during

a certain time-period, are not subject to leakage during that time-period. A number of works

design cryptographic schemes that are resilient to leakage under this assumption. In particular,

the beautiful work of Dziembowski and Pietrzak [DP08, Pie09] constructs stream ciphers secure

in this model. Subsequently, Faust et al. [FKPR10] show a construction of signature schemes in

As described earlier in this section, the work of Micali

5

Page 7

this model as well. Notably, there have been no constructs of public-key encryption schemes that

tolerate continual leakage (even under the Micali-Reyzin axiom).

More recently, Juma and Vahlis [JV10] and Goldwasser and Rothblum [GR10] show how to

“compile” any cryptographic algorithm into one that is secure against continual leakage. These

works rely on the Micali-Reyzin axiom and make use of a (very simple) perfectly leakage-proof

hardware device (this device simply samples from a fixed distribution). In particular, these results

can be used to come up with leakage-resilient variants of popular cryptographic algorithms such as

RSA and AES. In contrast, the focal point of our work is to do away with the Micali-Reyzin axiom,

and avoid any type of secure hardware assumption; however, we construct specific cryptographic

primitives in this work, as opposed to [JV10, GR10] whose (more ambitious) goal is general leakage-

resilient computation.

The “Bounded Memory Leakage” Model.

leakage model that allows the adversary to obtain a function f of his choice applied the secret

key sk, as long as the output f(sk) “does not reveal the entire secret key”. This latter condition

has been formalized in many different ways, starting from the work of Akavia, Goldwasser and

Vaikuntanathan [AGV09] who restrict the leakage function f to have output length ?(|sk|) ? |sk|.2

A number of generalizations have been proposed, including the “leftover entropy model” of Naor

and Segev who consider the class of all functions f, for which sk has non-trivial min-entropy

conditioned on f(sk). An even more general model (and arguably, the most general model along

these lines) was given by Dodis, Kalai and Lovett [DKL09], who considered the class of all functions

f which are computationally hard to invert. The work on bounded retrieval model, initiated by

[CLW06], and explored in [ADW09, ADN+10] is also closely related to this line of research.

Quite significantly, in all these works (unlike this paper), the attacker can only obtain an a-priori

bounded amount of leakage from the secret key, regardless of the amount of computation taking

place in the system

The second line of work considers the bounded

Other Models and Results.

models that capture specific classes of side-channel attacks. The work of Faust et al. [FRR+10]

show how to compile any cryptographic algorithm into one that resists continual leakage, where

the leakage functions are computable by constant-depth AC0circuits. Their result assumes the use

of a simple leakage-proof hardware device as well. Standaert et al. [PSP+08] construct pseudoran-

dom generators that are secure against specific, naturally occuring, classes of leakage such as the

Hamming weight leakage.

In addition to these works, there have been a small number of

Contemporaneous Work of Dodis et al. [DHLAW10].

work of Dodis et al., which constructs efficient signature schemes, identification schemes and au-

thenticated key agreement that are secure in the continual leakage model (and similarly to us, do

not rely on the only computation leaks information assumption). Their signature scheme is secure

with leakage-rate1

assumption. Unlike this work, they do not address the issue of leakage from the update process

and, furthermore, they do not construct public-key or IBE encryption schemes that are secure in

the continual leakage model.

We finally mention the concurrent

2−? in each time period, under the SXDH assumption, or1

3−? under the linear

2In this work, we follow the [AGV09] approach, and restrict the leakage function to have bounded output length

during every time period.

6

Page 8

2 Overview of Our Results

In this section, we provide an extended overview of our results, constructions, proofs and techniques.

Our notational conventions are mostly standard. The notation gX, where X is a matrix and g is

a group element (typically a generator), denotes a matrix where (gX)i,j= g(X)i,j. We rely on (the

matrix form of) the linear assumption in bilinear groups stating that the ensembles gX, gYare

computationally indistinguishable if X,Y have the same dimensions and if X is a random rank-d

matrix (d ≥ 2) and Y is a random rank-(d+t) matrix (t ≥ 0). This assumption is widely assumed

to hold even in groups with bilinear maps. We refer the reader to Section 4 for more details on

conventions and assumptions.

We start by describing our linear-algebraic tool in Section 2.1 and then move on to describe our

public-key encryption scheme in Section 2.2, our identity based encryption scheme in Section 2.3,

and finally our signature scheme in Section 2.4.

2.1 Random Subspaces are Leakage Resilient

We first provide an algebraic tool that is crucial to our leakage resilient constructions.

specifically, we give two algebraic theorems that essentially say that random subspaces are resilient

to continual leakage. These are information theoretic theorems (i.e., they do not rely on any

cryptographic assumption). We believe that these theorems are interesting on their own, and may

find further applications.

Consider a random subspace X of dimension at least 2 of a given linear space. For concreteness,

think of X as a random subspace of Zm

represented as a rank-? matrix in Zm×?

q

, whose columns form a basis of the subspace. A leakage on

X is given in the following form: an arbitrary leakage function f (that must not depend on X) is

applied to a random vector v in the subspace X. We show a bound linking the size of the range of

the leakage function f (i.e. the amount of information it reveals on v), to the statistical distance

between the pair (X,f(v)) and the pair (X,f(u)), where u is a random vector in Zm

we show that if the leakage f(v) reveals “bounded” information about v, then the pairs (X,f(v))

and (X,f(u)) are statistically close. In the latter pair, the leakage function reveals nothing about

the subspace X, and therefore we conclude that applying a “bounded” leakage function (such as a

length-restricted leakage function) to a random vector in the subspace X is leakage resilient in the

sense it does not reveal information about X.

We also consider the case where the leakage function is applied to two random vectors in X. In

other words, the leakage function is applied to a random dimension-2 subspace, Y, of X (using a

matrix notation, Y = X·T, where T is a random rank-2 matrix in Z?×2

assume that the subspace X is of dimension ? ≥ 4.

More generally, the dimension of X needs to be at least twice the dimension of the subspace

leaked. Namely, if the leakage function is applied to a random subspace of X of dimension d then

we would need X to be of dimension ? ≥ 2d. This requirement stems from the fact that random

dimension-d subspaces of X are (almost) pairwise independent assuming X is of dimension ? ≥ 2d.

We formally state the two theorems below. The first theorem considers the case where the

leakage function is applied to one random vector in X (or a random one-dimensional subspace of

X), and the second theorem considers the case where the leakage function is applied to a random

two-dimensional subspace of X. In what follows, we denote by dist the statistical distance, and

denote by Rk2(Z?×2

q

) the set of all rank-2 matrices in Z?×2

More

q of dimension ? ≥ 2. For notational convenience, X is

q. In particular,

q

). In this case, we need to

q

.

Theorem 2.1. Let m,? ∈ N, m ≥ ? ≥ 2 and let q be a prime. Let X

$← Zm×?

q

, let r

$← Z?

qand let

7

Page 9

u

$← Zm

q. Let f : Zm

q→ W be some function. Then,

dist?(X,f(X · r)), (X,f(u))?≤ ?,

|W| ≤ q?−1· ?2.

Theorem 2.2. Let m,? ∈ N, m ≥ ? ≥ 4 and let q be a prime. Let X

and let Y

q

. Let f : Zm×2

q

→ W be some function. Then,

dist?(X,f(X · T)), (X,f(Y))?≤ ?,

as long as

as long as

$← Zm×?

q

, let T

$← Rk2(Z?×2

q

)

$← Zm×2

|W| ≤ q?−3· ?2.

We note that our original proofs resulted in parameters that are slightly worse than those

given in Theorems 2.1 and 2.2. The proofs which achieve the improved parameters (as stated in

Theorems 2.1 and 2.2) were pointed to us independently by Gil Segev, Yevgeniy Dodis and Daniel

Wichs, and follow the proof of the “generalized crooked leftover hash lemma” [DS05, BFO08].

In what follows we give an outline of our original analysis. The outline is for Theorem 2.1,

however the outline for Theorem 2.2 is essentially the same.

Proof outline. We note that the (marginal) distributions f(X · r) and f(u) are identical. We call

this component w, and concentrate on the conditional distribution of X conditioned on w. In the

case where w = f(u), the conditional distribution of X is of course uniform. We will prove that

this is also the case when w = f(X · r) (up to ? statistical distance), and the theorem will follow.

The proof uses the fact that for almost all fixed values of r1,r2, it holds that X · r1, X · r2are

independent. Consider the distribution of X conditioned on f(X · r) = w. The probability of a

specific X is proportional to the number of vectors r for which f(X · r) = w. Since this can be

written as a sum of (almost) pairwise independent random variables, it follows that the number of

such r’s is well concentrated around its mean value. Therefore, the said conditional distribution of

X is close to uniform.

For more details, see Section 5.

2.2A Continual-Leakage Secure Encryption Scheme

We next present our public-key encryption schemes L and L∗that are secure against continual

leakage attacks. These schemes are parameterized by a polynomially bounded integer ? that allows

for a tradeoff between the sizes of keys and ciphertexts, and the maximal tolerable leakage rate.

The scheme L is secure under the decisional linear assumption in bilinear groups, as long as at

most 1/2 − o(1) fraction of the memory leaks between any two consecutive secret-key updates.

The security of L∗relies on the less standard SXDH assumption (described below), however it can

tolerate leakage of almost the entire secret key (in particular, a 1 − o(1) fraction thereof) between

consecutive key-updates. See below for a more detailed explanation on parameters. The scheme

L∗is somewhat simpler than L and one can think of it as a “toy example” for L. However, since

it is based on a less standard assumption, we will focus our attention mostly on L. We stress that

the analyses of L and L∗are very similar and differ almost only in the use of the correct linear

algebraic tool (Theorem 2.2 is used for L and Theorem 2.1 is used for L∗).

8

Page 10

As we described above, the amount of tolerable leakage is measured by the ratio between the

total number of bits being leaked at each time period and the total amount of “secret memory” being

used at that time period. We distinguish between the leakage rates in 3 phases of the algorithm, and

thus characterize the scheme’s leakage resiliency using 3 parameters: (1) the leakage rate during

the key generation, denoted by ρG, which is the total amount of leakage during the key generation

divided by the total amount of secret randomness required for this procedure; (2) the leakage rate

during key updates, denoted by ρU, which is the total amount of leakage during a key-update

procedure, divided by the size of the secret-key (which is a “secret input” to the procedure) and

the size of the secret randomness used; and (3) the memory leakage rate between updates, denoted

by ρM, which is the leakage during “normal operation” of the scheme, this is the total number of

bits leaked between consecutive updates divided by the size of the secret-key (which is the only

secret information during this phase).

We show that our schemes are resilient to leakage of constant rate from the memory and very

small leakage (of sub-constant rate) from the key-update procedure. The same amount of leakage

can also be tolerated in the key-generation procedure. Recalling our notation, this corresponds to

a case where ρM= Ω(1), ρG= ρU= o(1).

The leakage parameters for L[?].

be as high as

2?

rate of 1/4 − γ, while the keys and ciphertexts only contain a constant number of group elements.

Taking ? to be asymptotically increasing, on the other hand, makes the keys and ciphertexts sizes

asymptotically increase but makes the tolerable leakage rate 1/2−o(1) (as mentioned above, based

on the SXDH assumption, a rate of 1 − o(1) can be achieved).

The value of ρUfor general ? is ω

?logp

, where k is the security parameter and p is the order

of the group relative to which we work. We cannot provide an explicit expression for ρU, but rather

we show that for all c > 0, the scheme is resilient in the case where ρU=c·logk

O(logk) bits of leakage during each update procedure. In fact, our argument can be generalized

in a straightforward manner to imply resiliency of ρU= Ω

bits of leakage during each update procedure) if one is willing to assume that the linear assumption

is hard for adversaries that run in time (roughly) T(k). Similar techniques show that the same

amount of leakage (i.e., any O(logk) bits under a standard assumption or Ω(logT(k)) bits under

a strengthened one) can be tolerated from the key-generation procedure, implying ρG= ω

in this case as well.

To put these results in context, we recall that tolerating a leakage of a logarithmic number of

bits in non-continual memory attacks, while not completely trivial, is fairly simple: the leakage

value can be guessed and then the adversary has to be simulated in order to make sure that the

value guessed is indeed correct (since a success in the security game for encryption is not verifiable).

It is important to notice that this is no longer the case in a model with memory leakage and key

updates. Here, even a one time leakage of logarithmic size is not necessarily trivial: the reduction

cannot simulate the adversary by itself to check the validity of the leakage value guessed. Therefore,

even just logarithmic leakage from the key-generation, for example, is non-trivial. The situation

becomes even worse when considering leakage from the key-update procedure, since the reduction

now needs to make guesses over and over again, and will almost for sure guess wrong at some

point. Therefore we view the ability to withstand even such minimal amounts of leakage as an

accomplishment.

In the scheme L[?], the value of ρM for a general ? can

, for all γ > 0. For example, taking ? = 12 guarantees resiliency to leakage

?−6−γ

?

logk

?

?logp. This translates to

?logT(k)

?logp

?

(corresponding to Ω(logT(k))

?

logk

?logp

?

9

Page 11

The Scheme L[?].

to use the fact that under the linear assumption, random rank-2 matrices in the exponent are

indistinguishable from random rank-3 matrices.

We start by setting the public-key to gA, where A is a random 2×? matrix in Z2×?

p is the order of the group element g. The ciphertexts are of the form gvT, where v ∈ Z?

the public-key and the ciphertext together form a (3×?) matrix in the exponent. Our scheme has

the property that this (3 × ?) matrix is random rank-2 for encryptions of 0, and random rank-3

for encryptions of 1, and thus we can use the indistinguishability argument to achieve (semantic)

security. To get this property, our encryption algorithm operates as follows: To encrypt 0 set gvT

to be a linear combination of the rows of gA; to encrypt 1 set gvTto be a random vector. One can

see that the resulting distributions are statistically close to the prescribed ones. Thus, security is

achieved.

The next question, of course, is figuring out how to decrypt such ciphertexts. We notice that

any non-zero vector y in the kernel of A can be used to decrypt: simply compute gvT·yand see if

the result equals to g0. This will always be the case for encryptions of 0 and will only happen with

negligible probability for encryptions of 1. This suggests that such y can be used as a secret-key.

However, it is not clear how such a secret-key can be safely updated.

In order to allow for updates, we use a secret key of the form gY, where Y has two column

vectors, Y = [y1?y2] ∈ Z?×2

the vectors are given in the exponent means that we cannot compute the product gvT·yias suggested

before. We thus work over groups with bilinear maps, which enable computing e(g,g)vT·Yinstead.

The key update operation is done by “rotating” the matrix Y: sample a random 2 × 2 full

rank matrix R ∈ Z2×2

the exponent, the update operation is indistinguishable from sampling a fresh random secret-key,

which turns out to be a useful property.

The scheme L[?] is formally presented in Figure 1.

Let us overview the main ideas behind the structure of our scheme. We want

p

, and where

p. Namely,

p

, and y1,y2∈ Z?

pare random vectors in the kernel of A. The fact that

p

, and set the new secret key to gY·R. Intuitively, since everything is done in

Encryption scheme L[?]

Parameters. The scheme is parameterized by groups G,GTof prime order p, such that there exists

a bilinear map e : G × G → GT. Let g be a generator of G (and so e(g,g) is a generator for GT).

An additional parameter ? ≥ 7 is polynomial in the security parameter. Setting different values for

? will enables a tradeoff between efficiency and the rate of tolerable leakage.

Key-generation. The key-generation algorithm samples A

Z?×2

p

) (note that this is easy to sample since A is known). It sets pk = gAand sk = gY.

$← Z2×?

p

and Y

$← ker2(A) (i.e. Y ∈

Key-update. To update the secret key sk = gY∈ G?×2, sample R

sk?= gY·R.

$← Rk2(Z2×2

p

) and then set

Encryption. Given a public-key pk = gA∈ G2×?, encrypting the bit 0 is done by sampling r

and setting the output ciphertext to c = grT·A. Encrypting the bit 1 is done by setting the ciphertext

to c = guTwhere u

$← Z2

p

$← Z?

p.

Decryption. Given a ciphertext c = gvTand a secret-key sk = gY, the decryption process computes

e(g,g)vT·Y. If the result is equal to e(g,g)0, then output 0 and otherwise output 1.

Figure 1: Encryption scheme in the CML model.

Theorem 2.3. Under the linear assumption, for every ? ≥ 7, the encryption scheme L[?] (described

10

Page 12

in Figure 1) has the following security guarantee: For all constants γ,c > 0, L[?] is secure in the

continual leakage model with leakage rate

?c · logk

We refer the reader to Section 6 for details. The proof overview of Theorem 2.3 can be found

in Section 6.2, and the formal proof can be found in Section 6.3.

(ρG,ρU,ρM) =

4? · logp,

c · logk

(2? + 4) · logp,

? − 6 − γ

2?

?

.

The Scheme L∗[?]: a simpler scheme with better guarantees under the SXDH assump-

tion.

It was recently pointed out to us by Daniel Wichs that a simpler variant of our scheme,

which we initially used for explanatory purposes, can in fact be proven secure under the symmetric

external Diffie-Hellman (SXDH) assumption in bilinear groups. Moreover, the simplified scheme

enjoys better leakage resilience – it achieves security against a leakage rate of 1−o(1) from memory

between secret-key updates (the amount of sustainable leakage during the key generation and key

updates remains the same as in our original scheme).

Let G1,G2,GT be groups of equal prime order p such that there exists a bilinear map e :

G1×G2→ GT. The SXDH assumption says that the decisional Diffie-Hellman (DDH) assumption

holds in both G1and G2. Translating into matrix notation, as we use in our original scheme, the

SXDH assumption says that it is hard to distinguish random rank-1 matrices from random rank-2

matrices (of the same dimensions) in the exponent, in both the groups G1and G2.

Since the SXDH assumption is not as widely used as the linear assumption, and to avoid

repeating essentially the same proof twice, we present our SXDH based scheme L∗[?] in Figure 2

and state its properties below, without proof.

Encryption scheme L∗[?]

Parameters. The scheme is parameterized by groups G1,G2,GT of prime order p, such that there

exists a bilinear map e : G1× G2 → GT. Let g1,g2 be generators of G1,G2 respectively (and

so e(g1,g2) is a generator for GT). An additional parameter ? ≥ 3 is polynomial in the security

parameter. Setting different values for ? will enables a tradeoff between efficiency and the rate of

tolerable leakage.

Key-generation. The key-generation algorithm samples a

(note that this is easy to sample since a is known). It sets pk = ga

$← Z?

pand y

1and sk = gy

$← ker(a) (i.e. y ∈ Z?

2.

p)

Key-update. To update the secret key sk = gy

2∈ G?

1, encrypting the bit 0 is done by sampling a number

1. Encrypting the bit 1 is done by setting the

2, sample r

$← Zpand set sk?= gry

2.

Encryption. Given a public-key pk = ga

r

ciphertext to c = guT

1

1∈ G?

$← Zpand setting the output ciphertext to c = gra

where u

$← Z?

p.

Decryption. Given a ciphertext c = gvT

e(g1,g2)vT·y. If the result is equal to e(g1,g2)0, then output 0 and otherwise output 1.

Figure 2: Encryption scheme in the CML model, based on the SXDH assumption.

1

and a secret-key sk = gy

2, the decryption process computes

Theorem 2.4. Under the SXDH assumption, for every ? ≥ 3, the encryption scheme L∗[?] (de-

scribed in Figure 2) has the following security guarantee: For all constants γ,c > 0, L∗[?] is secure

in the continual leakage model with leakage rate

?c · logk

(ρG,ρU,ρM) =

2? · logp,

c · logk

(? + 2) · logp,

? − 2 − γ

?

?

.

11

Page 13

The proof of this theorem is almost identical to that of Theorem 2.3 above (see Section 6 for

more details and proof of the latter), except for the usage of Theorem 2.1 instead of Theorem 2.2

inside the proof.

2.3A Continual-Leakage Secure IBE Scheme

We present an identity based encryption (IBE) scheme that is secure against continual leakage. This

scheme can be seen as a combination of our encryption scheme described above and the d-linear

IBE scheme of Brakerski and Kalai [BK10].

We recall that in the context of IBE there are two types of “entities” holding secrets: a trusted

authority holding a master secret-key that enables producing specific secret-keys per user; and

individual users, each holding their own secret-key. In this work, we only allow leakage from the

memory of the individual users. For a more detailed discussion on identity based encryption schemes

and the associated security notions under continual leakage, we refer the reader to Section 7.

In our construction, we consider an IBE scheme where the set of identities is {0,1}m. The

public parameters of the scheme is a set of 2m+1 matrices of dimension 2×2 in the exponent (gA0,

{gAi,b}i∈[m],b∈{0,1}). Identity id ∈ {0,1}mis associated with the matrix Aid= [A0?Aid1?···?Aidm].

Specifically, we use gAidin order to encrypt messages for id. To decrypt, the user corresponding to id

uses the secret-key skid:=g[y1?y2], where y1,y2

with a pair of keys corresponding to L[?], defined by its identity and the public parameters (recall

that L[?] is our public-key encryption scheme defined in Section 2.2). We notice that the trusted

authority only needs to know msk = A0in order to produce secret-keys for all users. The encryption

and decryption algorithms are similar to the ones in L[?].

The proof of security is by reduction to the security of L[?] for ? = 2m + 2. Specifically we

prove that our scheme is selectively secure with continual leakage (then, standard techniques can

be used to achieve other, stronger, notions of security). In selective security we assume that the

attacker decided on the identity it wants to attack before seeing the public-parameters. Let id∗be

that identity. This enables generating the public parameters such that all matrices Ai,1−id∗

all matrices that do not “play” in Aid∗) are explicitly known, and a public key for L[2m + 2] is

“embedded” in the public parameters as the matrix gAid∗. This enables the adversary to know

everything about all other identities (since it is sufficient to explicitly know one sub-matrix of

Aidin order to generate a corresponding secret-key) while knowing nothing about id∗. Thus, an

adversary that breaks the security of id∗, even with continual leakage, actually breaks the security

of L[2m + 2].

For full details on our construction, see Section 7.

$← ker(Aid). In other words, each user is associated

i(i.e.

2.4A Continual-Leakage Secure Signature Scheme

We show how to use any encryption scheme secure with continual leakage (such as the encryption

scheme L[?] presented in Section 2.2) to construct a signature scheme that is secure with continual

leakage. When discussing continual leakage in signature schemes, we must also take into account

the signing operation. This operation involves the secret-key and additional secret randomness and

may potentially leak extra information. Therefore, we are concerned with an additional parameter

of leakage resiliency, namely the leakage rate during the signing process, which we denote by ρS.

This is defined as the total amount of information leaked during signing, divided by the total size of

the secret-key and secret-randomness used by the signing procedure. For a more detailed discussion

and for the full constructions, see Section 8.

Our first construction is essentially applying the paradigm of Katz and Vaikuntanathan [KV09]

12

Page 14

to our encryption scheme, to obtain a signature scheme that preserves the leakage guarantees of the

underlying encryption scheme, but does not allow any leakage during the signing process (ρS= 0).

The signing key now contains a secret-key sk for the encryption scheme, and the verification key

contains the public-key pk, as well as an additional public-key pk?for a (not necessarily leakage-

resilient) public-key encryption scheme, and a common random string crs for a non-interactive

simulation-sound zero-knowledge (NIZK) proof system. A signature for a message m contains an

encryption of sk using pk?and a NIZK proof that the contents of the ciphertext are indeed a valid

secret-key for the leakage resilient encryption scheme. The dependence on the message m comes

from properly defining the language for the simulation-sound NIZK proof, as is done in [KV09].

We show that we can use a successful forger for this scheme to break the security of the leakage

resilient encryption scheme. In the security reduction, we simulate all NIZK proofs and sample

pk?together with a respective secret-key sk?. We can then provide valid looking signatures for

a successful forger without it being able to tell the difference. Then we can take its successful

forged signature, which must contain an encryption of a valid secret-key for the leakage resilient

encryption scheme, decrypt it using sk?, and obtain a valid sk that enables breaking the security

of the leakage resilient encryption scheme. For more details on this construction, see Section 8.1.

Our second construction does tolerate leakage from the signing algorithm. In this case, the

signatures cannot be simulated. However, we construct the scheme such that each signature (in-

formation theoretically) reveals very little information about the secret key, and therefore can be

obtained as leakage queries. To this end, we rely on the existence of short non-interactive arguments

(see Definition 4.3). We note that all known constructions of the latter, were proven to be secure

only in the random oracle model [Kil92, Mic00, BG08]. For more details on this construction, see

Section 8.2.

3 A Model for Continual Memory Leakage

In this section, we discuss several ways to model cryptography with continual memory leakage.

We begin by explaining the basic principles that underlie the choice of our model, and based on

these principles, derive formal models for secure encryption and digital signatures in the context of

continual memory leakage. While the discussion below is rather general and could apply to many

cryptographic primitives, we use digital signatures as the running example.

Suppose that we have some cryptographic application (e.g., a signature scheme) that performs

computation on some secret information, and runs in an environment where an adversary may be

able to extract some information about the internal secret state by “probing” the memory (e.g.,

the locations where the signing key is stored). This can be done either when the system is idle or

during the computation itself (e.g., during the execution of the signing algorithm). If the adversary’s

probing is not limited in any way, then it can “copy” the entire internal state of the device, thus

breaking any reasonable security requirement (e.g., if the adversary attains the signing key, it can

then trivially sign any message). This leads to an understanding that some restrictions need to be

imposed on the probing process.

A first such model, suggested by Micali and Reyzin [MR04], introduced the “axiom” that only

computation leaks information. This axiom asserts that an area in memory that is not accessed at

a certain time period, cannot be probed during that time period. This enables “shielding” parts

of the secret-state from leaking at certain time periods by not letting the adversary access them at

that time. In particular, if at every time-slot, some (different) part of the secret is shielded, then

this shielded part is uncorrelated with the leakage that occurred during this time-slot, and therefore

can be used to “refresh” the remainder of the secret. Making this assumption, therefore, suggests

13

Page 15

a methodology for coping with leakage even when it is continual. However, while this axiom may

be justifiable in certain situations, there are known attacks that do not adhere to it. Specifically,

these include “memory attacks”, such as the cold-boot attack [HSH+08], where the content of the

memory is “dumped”, almost entirely, and probed by the attacker.

One approach to address the issue of “memory attacks” mentioned above, is to allow the secret

state of the scheme (e.g., the signing-key) to be leaked in an arbitrary (efficient) way, so long as the

amount of information revealed to the attacker is bounded. Hence, we do not assume that parts of

the state are untouched during certain periods of time, only that the adversary learns a bounded

amount of information – which seems necessary as otherwise the entire secret state can be leaked.

However, since we allow the leakage to be continual (letting the adversary learn additional

bounded amount of information at any time period), then the secret-key must be periodically re-

freshed,3since otherwise it will eventually be completely leaked. Moreover, we must allow deletions,

since otherwise the adversary can choose to (gradually) leak the initial secret-state from which ev-

erything can be derived. In such case, refreshing the state is useless because the adversary will leak

from the original state and not the refreshed one. For example, in the case of digital signatures,

the adversary will choose to leak bits from the initial signing key at every time slot, and eventually

will gain the ability to sign messages of its choosing. Since the public verification key does not

change, the initial key must still be “valid” for signing, even if it has so far been refreshed. It

seems that the only way to prevent such an attack, without changing the leakage model (i.e., while

still allowing the adversary to select an arbitrary efficient leakage function at every time slot), is to

allow information to be safely deleted.

We therefore, consider the model of continual memory leakage with deletions (and refer to it

as the CML model). A computation in this model can be thought of as a Turing machine that

has a special “secret tape”, with content s. All other tapes of the machine are readable by the

adversary at all times. The deletion operation is implicit in the model as cells in the tape of a

Turing machine can be deleted/rewritten. At any time period, the adversary can obtain some

“bounded” information f(s) about the secret state s.

There are several ways to define “bounded” in this context:4The first, is using the definition of

Akavia, Goldwasser, and Vaikuntanathan [AGV09], which says that f(s) is “bounded” if|f(s)|

for some predefined bound ρ < 1. The second, is the slightly more general definition due to Naor

and Segev [NS09], which says that f(s) is “bounded” if s high min-entropy, conditioned on f(s).

The third, is the most general one due to Dodis et al. [DKL09], which says that f(s) is “bounded”

if f is hard-to-invert with probability 2−t, for some parameter t = t(k).

In our definitions below (both in Section 3.1, and in Section 3.2), we use the [AGV09] definition

for “bounded” functions, though all of our results hold also with the slightly stronger definition

of [NS09]; we choose to present the definitions using the former only for the sake of simplicity. We

note in Section 8.2, we even make use of the fact our encryption scheme from Section 6 is secure

even if we use the slightly stronger definition of [NS09] for “bounded” functions. Finally, we note

that we do not know how to prove our results using the [DKL09] definition for “bounded” functions,

and leave this as an important open problem.

|s|

≤ ρ

3.1 Public-Key Encryption in the CML Model

An encryption scheme in the CML model contains the following ppt algorithms.

• Key-generation. Takes as input 1k(where k is the security parameter) and produces a secret-

3This should be done without modifying the public key.

4In what follows, think of the secret key as being truly random.

14

Page 16

key sk and a public-key pk. We denote this by (sk,pk) ← Gen(1k).

• Encryption. Takes as input a public-key pk and a message m and outputs a ciphertext c. We

denote this by c ← Encpk(m).

• Decryption. Takes as input the secret-key sk and a ciphertext c and outputs a message m?.

We denote this by m?← Decsk,pk(c).

• Key-update. Takes as input a secret-key sk and outputs a “refreshed” secret-key sk?such

that

??sk???= |sk|.5We denote this by sk?← Updatepk(sk).

schemes. The key-update algorithm is an addition that allows for continual leakage resilience.

The correctness requirement is that for all m and a polynomially bounded t ∈ N, setting

(sk0,pk) ← Gen(1k), ski← Updatepk(ski−1) for i ∈ [t], c ← Encpk(m), m?← Decskt,pk(c), it holds

that m = m?with all but negligible probability (where the probability is over all randomness in

the experiment).

We next define semantic security in the CML model. Formally, leakage in this model is as-

sociated with three leakage parameters (ρG,ρU,ρM), where ρG bounds the leakage rate from the

key-generation process, ρUbounds the leakage rate from the update process, and ρMis a “global”

(relative) memory leakage bound that is enforced between key updates. Taking ρG = ρU = 0

corresponds to allowing leakage only from the memory and not from the key-generation or update

processes.

The first three algorithms are identical to the standard definition of public-key encryption

Definition 3.1. An encryption scheme (Gen,Enc,Dec,Update) is semantically secure in the CML

model with leakage rate (ρG,ρU,ρM), if any ppt adversary succeeds in the following game with

probability 1/2 + negl(k).

1. Initialize. The adversary specifies a key-generation leakage circuit f with |f(r,p)| ≤ ρG·|r| for

all r,p. The challenger chooses “secret randomness” r and “public randomness” p, generates

(sk0,pk) ← Gen(1k;r,p), sends (pk,p,f(r,p)) to the adversary, and sets i := 0 and L0:=

|f(r,p)|.

2. Leakage and updates. The forger makes queries of the following type:

• Update queries (update,f), where f is a circuit with |f(sk,r,p)| ≤ ρU· (|sk| + |r|) for

all sk,r,p. The challenger chooses “secret randomness” r and “public randomness” p,

and computes ski+1 := Updatepk(ski;r,p). If Li+ |f(ski,r,p)| ≤ ρM· |ski| then the

challenger returns (p,f(ski,r,p)) to the adversary, sets i := i + 1, and sets Li+1 :=

|f(ski,r,p)|. Otherwise, the challenger aborts.

• Leakage queries (leak,f), where f is a circuit. If Li+ |f(ski)| ≤ ρM· |ski| then the

challenger returns f(ski) to the adversary and sets Li:= Li+ |f(ski)|. Otherwise, the

challenger aborts.

3. Challenge. The adversary sends two messages m0,m1to the challenger. The challenger flips

a coin b

$← {0,1} and computes c ← Encpk(mb). It sends c to the adversary.

4. Finish. The adversary outputs a “guess” b?∈ {0,1}.

The adversary succeeds if b?= b.

5This requirement is in order to prevent the secret-key from “blowing up”.

15

Page 17

3.2Digital Signatures in the CML Model

A digital signature scheme in the CML model comprises the following ppt algorithms:

• The key-generation algorithm Gen takes as input the security parameter 1k, and outputs a

pair of signing/verification keys sk,vk; we denote this by (sk,pk) ← Gen(1k).

• The signing algorithm Sign takes as input a signing key sk, a verification key vk, and a message

m in some message space M, and outputs a signature σ. We denote this by σ ← Signsk,vk(m).

• The deterministic verification algorithm Ver takes as input the verification key vk, a message

m ∈ M and a signature σ and outputs a bit b denoting acceptance or rejection. We denote

this by b := Vervk(m,σ).

• The key-update algorithm Update takes as input a signing key sk and a verification key vk, and

outputs a “refreshed” signing key sk?with??sk???= |sk|. We denote this by sk?← Updatevk(sk).

Gen(1k) and then computing ski← Updatevk(ski−1) for i ∈ [t], we have Vervk(m,Signskt,vk(m)) = 1

except with negligible probability. (where the probability is over all randomness in the experiment).

Next we define security in the CML model. We consider the standard notion of existential

unforgeability under adaptive chosen message attack, but in the presence of leakage. Allowable

leakage is specified by four parameters ρG,ρS,ρU that specify, respectively, the (relative) leakage

allowed from the key-generation, signing, and update processes, as well as a “global” (relative)

memory leakage bound ρMthat is enforced between key updates.

The correctness requirement is that for all m ∈ M and any polynomial t, setting (sk0,vk) ←

Definition 3.2. Signature scheme (Gen,Sign,Ver,Update) is existentially unforgeable under adap-

tive chosen message attack in the CML model, with leakage rate (ρG,ρU,ρS,ρM), if any ppt forger

succeeds in the following game with only negligible probability.

1. Initialize. The forger specifies a circuit f with |f(r,p)| ≤ ρG· |r| for all r,p. The chal-

lenger chooses “secret randomness” r and “public randomness” p, generates (sk0,vk) ←

Gen(1k;r,p), sends (vk,p,f(r,p)) to the forger, and sets i := 0 and L0:= |f(r,p)|.

2. Signatures, leakage, and updates. The forger makes queries of the following types:

• Update queries (update,f), where f is a circuit with |f(sk,r,p)| ≤ ρU· (|sk| + |r|) for

all sk,r,p. The challenger chooses “secret randomness” r and “public randomness” p,

and computes ski+1:= Updatevk(ski;r,p). If Li+|f(ski,r,p)| ≤ ρM·|ski| then the chal-

lenger returns (p,f(ski,r,p)) to the forger, sets i := i+1, and sets Li+1:= |f(ski,r,p)|.

Otherwise, the challenger aborts.

• Signing queries (sign,m,f), where f is a circuit with |f(sk,r,p)| ≤ ρS· (|sk| + |r|) for

all sk,r,p. The challenger chooses “secret randomness” r and “public randomness” p,

and computes σ := Signski,vk(m;r,p). If Li+|f(ski,r,p)| ≤ ρM·|ski| then the challenger

returns (σ,p,f(ski,r,p)) to the forger and sets Li:= Li+ |f(ski,r,p)|. Otherwise, the

challenger aborts.

• Leakage queries (leak,f), where f is a circuit. If Li+ |f(ski)| ≤ ρM· |ski| then the

challenger returns f(ski) to the forger and sets Li := Li+ |f(ski)|. Otherwise, the

challenger aborts.

3. Finish. Assuming the challenger did not abort, the forger outputs (m∗,σ∗).

The forger succeeds if it never made the query (sign,m∗), and Vervk(m∗,σ∗) = 1 .

16

Page 18

4 Preliminaries

We use the following notational conventions. Bold uppercase denotes matrices (X ∈ Zn×k

bold lowercase denotes vectors (x ∈ Zn

by xT. For a scalar (usually a group element) g and a matrix X ∈ Zk×n(or a vector, as a special

case), we let gXdenote a k × n matrix such that (gX)i,j= g(X)i,j.

Let X be a probability distribution over a domain S, we write x

sampled from the distribution X. The uniform distribution over a set S is denoted U(S). We use

x

random variable (or corresponding distribution) obtained by sampling x

The min-entropy of a (discrete) random variable X is H∞(X) = minx∈S{−logPr[X = x]}.

We write negl(k) to denote an arbitrary negligible function, i.e. one that vanishes faster than

the inverse of any polynomial.

The statistical distance between two distributions X,Y (or random variables with those dis-

tributions) over a common domain S is defined as dist(X,Y )

Two ensembles X = {Xk}k, Y = {Yk}kare ? = ?(k)-close if the statistical distance between them

is at most ?(k), this is also denoted by X

tributed). They are called statistically indistinguishable if ?(k) = negl(k). An ensemble X = {Xk}k

over domains S = {Sk}kis ? = ?(k)-uniform in S if it is ?-close to the uniform ensemble over S (we

sometimes omit S when it is clear from the context). X = {Xk}k, Y = {Yk}kare computationally

indistinguishable if every poly(k)-time adversary A has negligible distinguishing advantage:

|Pr[A(Xk) = 1] − Pr[A(Yk) = 1]| = negl(k) .

q

) and

q). All vectors are column vectors, row vectors are denoted

$← X to indicate that x is

$← S as abbreviation for x

$← U(S). For any function f with domain S we let f(X) denote the

$← X and outputting f(x).

.= maxA⊆S|Pr[X ∈ A] − Pr[Y ∈ A]|.

?≡ Y (where X ≡ Y means that X,Y are identically dis-

4.1Linear Algebra

We make extensive use of linear algebra over finite fields of the form Zqfor a prime q. Some of our

results apply to any finite field.

For a linear subspace of column vectors S ⊆ Zn

whose every column is an element in S. If S ⊆ Zn

symmetrically.

The dimension of a linear subspace S ⊆ Zn

vectors in S. The basis of a linear subspace S ⊆ Zn

matrix B ∈ Zn×d

of B. We sometimes consider linear subspaces of row vectors, in such case, the basis will be a

matrix B ∈ Zd×n

The rank of a matrix is the maximal number of linearly independent rows (or columns) in the

matrix. The set of (n×k)-matrices having rank-d is denoted by Rkd(Zn×k

M ⊆ Zn×k

row span and of the column span (see below) of a matrix are equal to its rank.

We use the term span of a matrix to indicate its row span, i.e. for A ∈ Zn×k

Span(A) = {zT· A : z ∈ Zn

span, this corresponds to defining ker(A) = {x ∈ Zk

We will also use the following simple fact (see e.g. [BK10]), we provide the proof for complete-

ness.

q, we let Sk⊆ Zn×k

qis a row subspace then Sk⊆ Zk×n

q

denote the set of matrices

q

is defined

qis the maximal number of linearly independent

qwith dimension d ≤ n is represented by a

q

whose columns are the basis vectors, i.e. S is the span (see below) of the columns

q

whose rows are the basis vectors.

p

). Given a set of matrices

p

, we use Rkd(M) to denote the set of all rank-d matrices in M. The dimension of the

q

, we denote

q}. The kernel of a matrix is the linear space that is orthogonal to its

q: A · x = 0}.

Lemma 4.1. Consider a finite field F of order q. For any n,m ∈ N such that m ≥ n, the distance

between the distributions U(Fn×m) and U(Rkn(Fn×m)) is at most 1/(qm−n· (q − 1)).

17

Page 19

Proof. Consider sampling the matrix row by row. The probability that row i is a linear combination

of previous rows is at most q−m· qi−1. Applying the union bound gives the result.

4.2Hardness Assumptions in Bilinear Groups

Consider multiplicative groups G1, G2, GT, all of prime order p, and let g1,g2be generators for

G1,G2respectively. A bilinear map e : G1× G2→ GT has the following properties. Bilinearity:

for all x ∈ G1,y ∈ G2, a,b ∈ Z it holds that e(xa,yb) = e(x,y)ab; Non-degeneracy: e(g1,g2) ?= 1.

The symmetric external Diffie-Hellman (SXDH) assumption.

{Gi,k}k∈N be a family of groups, where each group Gi,k is of order p, and where p is a k-bit

prime. Fix (arbitrary) generators gi= gi,kfor Gi,k(we omit the subscript k to avoid cluttering of

notation).

The SXDH assumption is that the DDH problem is hard in G1and in G2. Let us explicitly

present a linear algebraic form of this assumption which will allow for a better intuitive under-

standing of our constructions. Let x,x?

dimension n and let α

the assumption that for i = 1,2, the distributions (gx

indistinguishable.

For i = 1,2, let Gi =

$← Zn

pbe uniformly distributed vectors of any (polynomial)

$← Zp be a uniform scalar. Then the SXDH assumption is equivalent to

i,gα·x

i

) and (gx

i,gx?

i) are computationally

The linear assumption.

that was introduced in [NS09] and proven ([NS09, Lemma A.1]) to be implied by the standard form.

Throughout this work, the term “linear assumption” refers to the matrix form described below.

While this assumption can be stated for the general case of groups G1,G2,GT as above, we only

present the simpler case where G1= G2= G. Our results extend to the general case as well.

Let G = {Gk}k∈N be a family of groups as above with a fixed generator g. Consider the

distribution Dr (r ∈ {2,3}) defined by the following sampling process: sample A

and output gA. The linear assumption is that D2and D3are computationally indistinguishable.

In other words, it is hard to distinguish a random 3× 3 rank-2 matrix from a random such rank-3

matrix, if given in the exponent of a group generator.

An immediate corollary of the above definition (see e.g. [NS09, Appendix A]) is that under the

linear assumption, for all polynomially-bounded m,? ≥ 3, r ≥ 2, t ≥ 0, a random (m × ?) rank-r

matrix is computationally indistinguishable from a random such rank-(r + t) matrix, when given

in the exponent.

This assumption was first introduced in [BBS04], we use a matrix form

$← Rkd(Z3×3

p

)

4.3 Simulation Sound NIZK Proofs

We define the notion of simulation-sound NIZK, a notion that was introduces by Sahai [Sah99].

Intuitively, a simulation-sound NIZK proof system is a NIZK proof system with the extra property

that a polynomially bounded cheating prover is incapable of convincing the verifier of a false

statement, even after seeing any (polynomial) number of simulated proofs of her choosing.

Throughout this paper, when we refer to a NIZK proof system we always mean adaptive NIZK,

as defined below.

Definition 4.1. [FLS90, BFM88, BSMP91]: Π = (?,P,V,S = (S1,S2)) is an efficient adaptive

NIZK proof system for a language L ∈ NP with witness relation R if ? is a polynomial, P,V,S1,S2

are all ppt algorithms, and there exists a negligible function µ such that for all n the following

three requirements hold.

18

Page 20

• Completeness: For all x ∈ L of length n, and all w such that R(x,w) = 1, and for all

strings r ∈ {0,1}?(n),

V (x,P(x,w,r),r) = 1.

• Adaptive Soundness: For all adversaries A, if r ∈R {0,1}?(n)is chosen uniformly at

random, then the probability that A(r) will output a pair (x,π) such that x ?∈ L and yet

V (x,π,r) = 1, is at most µ(n).

• Adaptive Zero-Knowledge: For all ppt adversaries A,

??Pr[ExptA(n) = 1] − Pr[ExptS

A(n) = 1]??≤ µ(n),

where the experiment ExptA(n) is defined by:

r ← {0,1}?(n)

Return AP(·,·,r)(r)

and the experiment ExptS

A(n) is defined by:

(r,τ) ← S1(1n)

Return AS?(·,·,r,τ)(r),

where S?(x,w,r,τ) = S2(x,r,τ).

We next define the notion of simulation-sound NIZK.

Definition 4.2 ([Sah99]). Let Π = (?,P,V,S = (S1,S2)) be an efficient adaptive NIZK proof

system for a language L ∈ NP. We say that Π is simulation sound if for all ppt adversaries A we

have that

Pr[ExptA,Π(n) = 1] = negl(n),

where ExptA,Π(n) is the following experiment:

(r,τ) ← S1(1n)

(x,π) ← AS2(·,r,τ)(r)

Let Q be the list of proofs given by S2above

Return 1 iff (π ?∈ Q and x ?∈ L and V (x,π,r) = 1)

As was shown by Sahai [Sah99], every language in NP has a simulation-sound NIZK proof

assuming the existence of enhanced trapdoor permutations.

4.4Short Non-Interactive Arguments

Definition 4.3. A non-interactive argument system for an NP language L is defined by a

polynomial p and a pair of ppt Turing machines (P,V ) satisfying the following properties:

• Completeness. If (x,w) ∈ RLthen for all crs ∈ {0,1}p(k)we have Vcrs(x,Pcrs(x,w)) = 1.

• Computational (adaptive) soundness. For every (non-uniform) polynomial-time P?, the

following is negligible:

?

Pr

crs ← {0,1}p(k);(x,π) ← P?(crs) : Vcrs(x,π) = 1

?

x ?∈ L

?

.

19

Page 21

The argument system has proofs of length ? if for all k, all crs ∈ {0,1}p(k), and all (x,w) ∈ RL

it holds that |Pcrs(x,w)| ≤ ?(k).

The results of [Kil92, Mic00, BG08] imply that for any fixed NP language L, there exists a

non-interactive argument system for L with proofs of length ω(log2k) in the random oracle model

(and, in fact, with the crs being the emptystring). Nevertheless, use of the random oracle here

does not appear to be inherent and one could hope to base the existence of short non-interactive

arguments on cryptographic/complexity-theoretic assumptions

4.5 Lossy Trapdoor Functions

The notion of lossy trapdoor functions (LTDF) was first defined by Peikert and Waters [PW08]. Let

n(k) = poly(k) represent the input length of the function and ?(k) ≤ n(k) represent the lossiness

of the collection. For convenience, we also define the residual leakage r(k) := n(k) − ?(k). For all

these quantities, we often omit the dependence on k.

In this work, we require a family of lossy trapdoor functions with the additional special property

of oblivious sampling. Essentially this means that the description of a random function from

the family (either the lossy or injective) is computationally indistinguishable from the uniform

distribution. It turns out that known constructions indeed have this property.

Definition 4.4 (Lossy trapdoor functions with oblivious sampling). A collection of (n,?)-lossy

trapdoor functions is given by a tuple of ppt algorithms (Sinj,Sloss,G,G−1) having the properties

below.

• Easy to sample an injective function with trapdoor: Sinjtakes as input a security parameter 1k

and outputs a pair (s,t), where s is a function index and t is the associated trapdoor, such

that Gs(·) is an injective function over the domain {0,1}n, with inverse G−1

• Easy to sample a lossy function: Slosstakes as input a security parameter 1kand outputs

(s,⊥), where s is a function index and Gs(·) is a function gs(·) over the domain {0,1}n

whose image has size at most 2r= 2n−?.

t(·).

• Hard to distinguish injective from lossy: The first outputs of Sinjand Slossare computationally

indistinguishable. More formally, let Xkdenote the distribution of s from Sinj, and let Yk

denote the distribution of s from Sloss. Then {Xk}k∈N

We require an additional property:

c≈ {Yk}k∈N.

• Oblivious sampling: The first outputs of Sinjand Slossare computationally indistinguishable

from the uniform distribution.

We remark that the families of lossy trapdoor functions presented in [PW08], that are based on

the DDH and LWE assumptions have this property, under the same assumptions. In addition, the

d-linear based construction of [FGK+09] also has this property.

5 Random Subspaces are Leakage Resilient

In this section, we provide a linear algebraic tool that is crucial to our leakage resilient constructions,

but is rather general and may also be usable elsewhere.

20

Page 22

Informally, we consider a random subspace X of dimension at least 2 of a given linear space. A

leakage on X is given in the following form: an arbitrary leakage function (that must not depend

on X) is applied to a random vector v in X. We show a bound linking the size of the range of

the leakage function (i.e. the amount of information it reveals about v) to the statistical distance

between this experiment and the case where v is sampled uniformly at random in the entire linear

space (independently of X). In the latter case, the leakage function reveals nothing on the subspace

X, and therefore we conclude that applying a length-restricted leakage function to a random vector

in the subspace is leakage resilient, in the sense it does not reveal information about the subspace

that it originated from.

We also consider the case where the leakage function is applied to two random vectors in the

subspace. In this case, it is required that the subspace X is of dimension at least 4. More generally,

if the leakage function is applied to d random vectors in the subspace, we need the random subspace

to be of dimension 2d. This requirement stems from our analysis, which uses the fact that random

dimension-d subspaces of X are (almost) pairwise independent, which indeed holds in the case

where the dimension of X is at least twice that of the sampled subspaces.

We formally state the two theorem below. The first is for the case that the leakage is applied

to one random vector, and the second is for the case that the leakage is applied to two random

vectors.

Theorem 5.1. Let m,? ∈ N, m ≥ ? ≥ 2 and let q be a prime. Let X

u

dist?(X,f(X · r)), (X,f(u))?≤ ?,

as long as

$← Zm×?

q

, let r

$← Z?

qand let

$← Zm

q. Let f : Zm

q→ W be some function. Then,

|W| ≤ q?−1· ?2.

Theorem 5.2. Let m,? ∈ N, m ≥ ? ≥ 4 and let q be a prime. Let X

and let Y

q

. Let f : Zm×2

q

→ W be some function. Then,

dist?(X,f(X · T)), (X,f(Y))?≤ ?,

as long as

$← Zm×?

q

, let T

$← Rk2(Z?×2

q

)

$← Zm×2

|W| ≤ q?−3· ?2.

We note that our original proofs result in parameters that are slightly worse than the ones

given in Theorems 5.1 and 5.2. The proofs which achieve the improved parameters (as stated in

Theorems 5.1 and 5.2) were pointed to us independently by Gil Segev, Daniel Wichs and Yevgeniy

Dodis, and follow the proof of the “generalized crooked leftover hash lemma” [DS05, BFO08]. In

Section 5.1 we give an outline of our original proofs. The formal proofs (using our original analysis,

and thus yielding slightly worse parameters) are given in Section 5.2. A proof with tight parameters

appears in Appendix A.

5.1 Proof Overview

The proofs of Theorems 5.1 and 5.2 are essentially the same (both our original proofs which yield

worse parameters, and the improved ones). For simplicity, in what follows, we focus on Theorem 5.1.

The two distributions considered in this theorem can be described by the following experiment.

First X is uniformly sampled, then a vector v ∈ Zm

q is generated by either sampling a random

21

Page 23

vector r

setting v = u (in the second distribution). Then, the function f is applied to v to obtain w = f(v).

Finally, (X,w) is output.

We need to prove that even though the distributions of (X,v) in the two experiments are very

distinct in terms of statistical distance, it still holds that the distributions of (X,w) are very close.

To prove this, let us fix the value of w ∈ W and consider the conditional distribution of X (since the

marginal distribution of w is the same in both experiments, this will enable us to later average on w

and get the full result). In the second experiment, X is independent of v,w and thus the conditional

distribution of X is uniform. We need to prove, therefore, that the conditional distribution of X

in the first experiment is close to uniform as well. From now on we focus on the first experiment,

i.e. v = X · r.

Conditioned on w, the probability for any (fixed) subspace X is proportional to the probability

that, for a random r, it holds that f(X·r) = w. We show that for almost all X, this probability is

very close to its expected value (which is, of course, the probability that f(v) = w for a random v).

To see this, fix any r1,r2. Note that if r1,r2are linearly independent, then X · r1and X · r1

are independent (where the probabilities are now taken only over X). Moreover, note that if r1,r2

were chosen uniformly at random, then they would indeed be linearly independent with very high

probability. Thus, the probability that f(X · r) = w can be written as a sum (or expectancy) of

almost pairwise independent random variables. Applying Chebyshev’s inequality implies that such

variables are concentrated around their expected value.

We get, therefore, a bound on the distance between the two distributions conditioned on w. As

explained above, averaging over all values w and appropriately selecting the parameters implies the

theorem.

In what follows, we give the formal proofs which yields slightly weaker parameters than these

guaranteed by Theorems 5.1 and 5.2. In the formal treatment we focus on Theorem 5.2 (as opposed

to Theorem 5.1). The reason is that Theorem 5.2 is used to obtain our results based on the linear

assumption, and Theorem 5.1 is used to obtain our results based on the symmetric external Diffie-

Hellman (SXDH) assumption. Since the former assumption appears to be more standard, we give

all the formal proofs needed for these results. The proofs needed for our results based on the SXDH

assumption are essentially the same.

$← Z?

qand setting v = X · r (in the first distribution) or sampling a random u

$← Zm

qand

5.2 Formal Proof

In what follows we give the formal proof of a weaker version of Theorem 5.2, stated below.

Theorem 5.3. Let m,? ∈ N, m ≥ ? ≥ 4 and let q be a prime. Let X

and let Y

q

. Let f : Zm×2

q

→ W be some function. Then it holds that

dist?(X,f(X · T)), (X,f(Y))?≤ ?

as long as

$← Zm×?

q

, let T

$← Rk2(Z?×2

q

)

$← Zm×2

|W| ≤q

?−3

2 · ?3/2

√2

.

Relating the formal proof of this theorem to the overview above, Lemma 5.4 gives the Chebyshev-

based concentration bound discussed above (where the set S in the lemma statement is the set of all

Z ∈ Zm×2

the conditional distribution of X and the uniform distribution. The remainder of the proof, namely

the weighted average on the values of w is provided in the actual body of the proof of the theorem.

q

such that f(Z) = w). Lemma 5.5 uses this concentration bound to bound the distance of

22

Page 24

As discussed in the overview above, we provide two required lemmas first and then derive the

proof of the theorem. The first lemma shows that the “intersection” of a random subspace X with

any set is well concentrated around its expected value.

Lemma 5.4. Let m,? ∈ N, m ≥ ? ≥ 4 and let q be a prime. Consider S ⊆ Zm×2

ρ = PrY$

←Zm×2

dS(X) =

T$

←Rk2(Z?×2

Then for all δ > 0

Pr

X$

←Zm×?

Proof. Let T1,T2∈ Rk2(Z?×2

random variables, when X is a random matrix. This holds since if we define R = [T1?T2], then

X · R is exactly the first 4 columns of X under some basis-change. Since X is uniform, it is also

uniform under any basis change, and specifically the first 4 columns are random and therefore

independent.

We note that by definition

q

and let

q

[Y ∈ S]. Define, for all X ∈ Zm×?

q

,

Pr

q

)

[X · T ∈ S] .

q

???dS(X) − ρ??≥ δ

) such that Rk([T1?T2]) = 4. Then X·T1and X·T2are independent

?

≤

2ρ

δ2· q?−3.

q

dS(X) = Pr

T$

←Rk2(Z?×2

q

)

[X · T ∈ S] = ET$

←Rk2(Z?×2

q

)[?X·T∈S] .

Therefore, it holds that E[dS(X)] = EX,T[?X·T∈S] = ρ. Furthermore, letting F denote the event

that [T1?T2] is full rank (and¯F denote its complement),

V[dS(X)]=

EX[(dS(X) − ρ)2]

=

EX

?

=

ET1,T2

EX

=

ET1,T2[CovX[?X·T1∈S,?X·T2∈S]]

= Pr[¯F] · E(T1,T2)|¯F[CovX[?X·T1∈S,?X·T2∈S]] + Pr[F] · E(T1,T2)|F[CovX[?X·T1∈S,?X·T2∈S]]

??ET1[?X·T1∈S− ρ]?·?ET2[?X·T2∈S− ρ]??

ET1,T2

?

=

EX

???X·T1∈S− ρ???X·T2∈S− ρ???

???X·T1∈S− ρ???X·T2∈S− ρ???

?

???

=0 (since X · T1and X · T2are independent)

=Pr[¯F] · E(T1,T2)|¯F[CovX[?X·T1∈S,?X·T2∈S]]

Pr[¯F] · E(T1,T2)|¯F[VX[?X·T1∈S]]

Pr[¯F] · ET1[VX[?X·T1∈S]]

Pr[¯F] · (ρ − ρ2)

Pr[¯F] · ρ .

To bound Pr[¯F] = PrT1,T2[¯F] = PrT1,T2[Rk([T1?T2]) < 4], fix T1∈ Rk2(Z?×2

$← Rk2(Z?×2

column of T2. Both t1and t2are uniform in Zm

≤

=

=

≤

q

) and consider

qdenote the second

T2

q

). Let t1∈ Z?

qdenote the first column of T2and let t2∈ Z?

q\ {0}. By the union bound,

Pr

T1,T2[¯F] ≤

Pr

t1

$

←Z?q\{0}

[t1 ∈ Span(T1)] + Pr

t2

$

←Z?q\{0}

[t2 ∈ Span(T1,t1)] ≤

q2

q?+q3

q?≤

2q3

q?.

23

Page 25

We can therefore apply Chebyshev’s inequality and conclude that

Pr

X[|dS(X) − ρ| ≥ δ] ≤

2ρ

δ2· q?−3.

The second lemma uses the concentration obtained above to conclude that the conditional

distribution of X, given that f(X · T) = w, is close to uniform.

Lemma 5.5. Let m,? ∈ N, m ≥ ? ≥ 4 and let q be a prime. Consider S ⊆ Zm×2

ρ = PrY$

←Zm×2

the event X · T ∈ S. Then

q

and let

q

[Y ∈ S]. Consider the distributions X

$← Zm×?

q

, T

$← Rk2(Z?×2

q

), conditioned on

dist(X,U(Zm×?

q

)) ≤

?

2

ρ2· q?−3

?1/3

.

Proof. For convenience, let us denote α =??Zm×?

Pr[X = A|X · T ∈ S] =Pr[(X = A) ∧ (X · T ∈ S)]

q

??−1= q−m?. Consider the conditional distribution

α · PrT$

q

ρ

of X, it holds that for all A ∈ Zm×?

q

Pr[X · T ∈ S]

=

←Rk2(Z?×2

)[A · T ∈ S]

=α · dS(A)

ρ

.

Where dSis as defined in Lemma 5.4.

The statistical distance from uniform is therefore

dist(X,U(Zm×?

q

)) =1

2·

?

A∈Zm×?

q

????

α · dS(A)

ρ

− α

????=

1

2ρ· EA$

←Zm×?

q

[|dS(A) − ρ|] .

Using Lemma 5.4, together with Bayes’ theorem, we get that for all δ > 0,

dist(X,U(Zm×?

q

)) ≤

1

2ρ·

?

δ +

2ρ

δ2· q?−3

?

.

Setting δ =

?

2ρ

q?−3

?1/3, the result follows.

We can now prove the theorem by averaging on the values of w.

Proof of Theorem 5.3. For all w ∈ W, denote Sw = {Y : f(Y) = w}, ρw = PrY[Y ∈ Sw].

Using Lemma 5.5, the statistical distance, conditioned on the second element being w, is at

most

ρ2

w·q?−3

?

?

w∈W

assuming

|W| ≤q

?

2

?1/3. Averaging over all values w ∈ W, we get

dist?(X,f(X · T)), (X,f(Y))?≤

?

?1/3

w∈W

ρw·

2

ρ2

w· q?−3

?1/3

=

=

2

q?−3

·

?

ρ1/3

w

≤

?

2

q?−3

?1/3

· |W|2/3=

?√2 · |W|

q

?−3

2

?2/3

≤ ? ,

?−3

2 · ?3/2

√2

.

24

Page 26

6An Encryption Scheme Secure Against Continual Leakage

In this section, we present the first public-key encryption scheme L that is secure against continual

leakage attacks. Our scheme is based on the linear assumption in bilinear groups. It is param-

eterized by a polynomially bounded integer ? ≥ 7 that allows for a tradeoff between the sizes of

keys and ciphertexts and the maximal tolerable leakage rate: the public and secret keys contain 2?

group elements and a ciphertext contains ? group elements.

We show that our scheme is resilient to leakage of constant rate from the memory and leakage of

sub-constant rate from the key-update procedure and from the key generation procedure. Recalling

Definition 3.1, this corresponds to a case where ρM= Ω(1) and ρG= ρU= o(1).

More specifically, the value of ρM for a general ? can be as high as

For example, taking ? = 12 guarantees resiliency to leakage rate of 1/4 − γ, while the keys and

ciphertexts only contain a constant number of group elements. Taking ? to be asymptotically

increasing, on the other hand, makes the keys and ciphertexts sizes asymptotically increase but

makes the tolerable leakage rate 1/2 − o(1).

The value of ρG,ρU for general ? is ω

?logp

order of the group relative to which we work. We cannot provide explicit expressions for ρG,ρU, but

rather we show that for all c > 0, the scheme is resilient in the case where ρG,ρU=c·logk

our argument can be generalized in a straightforward manner to imply resiliency of Ω

one is willing to assume that the linear assumption is hard for adversaries that run in time (roughly)

T(k). We note that while tolerating such leakage in non-continual memory attacks is trivial, this

is not the case in the continual model.

We remind the reader that a simpler scheme with better parameters can be achieved based on

the less standard SXDH assumption, as described in Section 2.2.

Our scheme is described in Section 6.1. We provide a high-level overview of the security proof

in Section 6.2 and then present the formal proof in Section 6.3.

?−6−γ

2?

, for all γ > 0.

?

logk

?

, where k is the security parameter and p is the

?logp. In fact,

?logT(k)

?logp

?

if

6.1 The Scheme L[?]

Let us overview the main ideas behind the structure of our scheme. We want to use the fact that

under the linear assumption, random rank-2 matrices in the exponent are indistinguishable from

random rank-3 matrices.

We therefore set the public-key to gA, where A a random 2 × ? matrix. The ciphertexts are of

the form gvT, where v is a vector of length ?. Namely, the public-key and the ciphertext together

form a (3 × ?) matrix in the exponent. If this matrix is random rank-2 for encryptions of 0 and

random rank-3 for encryptions of 1, then we could use the indistinguishability argument to achieve

(semantic) security. We do this by encrypting 0 by setting gvTto be a linear combination of the

rows of gA; and encrypting 1 by setting gvTto be a random vector. One can see that the resulting

distributions are statistically close to the prescribed ones. Thus, security is achieved.

The next question, of course, is figuring out how to decrypt such ciphertexts. We notice a

non-zero vector y in the kernel of A can be used to distinguish the two cases: we can compute

gvT·yand see if the result equals to g0. This will always be the case for encryptions of 0 and will

only happen with negligible probability for encryptions of 1. This suggests that such y can be used

as a secret-key, but it is not clear how such a secret-key can be safely refreshed.

In order to be able to refresh, we use a secret key of the form gY, where Y = [y1?y2] and y1,y2

are random vectors in the kernel of A. The fact that the vectors are given in the exponent means

that we cannot compute the product gvT·yias suggested before. We thus work over groups with

25

Page 27

bilinear maps, which enable computing e(g,g)vT·Yinstead.

The key refresh operation is done by “rotating” the matrix Y: we sample a 2 × 2 full rank

matrix R, and set the new secret key to gY·R. Intuitively, since everything is done in the exponent,

the update operation is indistinguishable from sampling a fresh random secret-key, which turns out

to be a useful property.

The scheme L[?] is formally presented in Figure 3. Correctness (with all but negligible proba-

bility) follows almost immediately by the explanations above.

Encryption scheme L[?]

Parameters. The scheme is parameterized by groups G,GTof prime order p, such that there exists

a bilinear map e : G × G → GT. Let g be a generator of G (and so e(g,g) is a generator for GT).

An additional parameter ? ≥ 7 is polynomial in the security parameter. Setting different values for

? will enable us a tradeoff between efficiency and the rate of tolerable leakage.

Key-generation. The key-generator runs as follows. It samples A

Y ∈ Z?×2

Key-update. To update the secret key sk = gY∈ G?×2, sample R

sk?= gY·R.

$← Z2×?

p

and Y

$← ker2(A) (i.e.

p

) (note that this is easy to sample since A is known). It sets pk = gAand sk = gY.

$← Rk2(Z2×2

p

) and then set

Encryption. Given a public-key pk = gA∈ G2×?, encrypting the bit 0 is done by sampling r

and setting the output ciphertext to c = grT·A. Encrypting the bit 1 is done by setting the ciphertext

to c = guTwhere u

$← Z2

p

$← Z?

p.

Decryption. Given a ciphertext c = gvTand a secret-key sk = gY, the decryption process computes

e(g,g)vT·Y. If the result is equal to e(g,g)0, then output 0 and otherwise output 1.

Figure 3: Encryption scheme in the CML model, based on the linear assumption.

6.2 Overview of the Security Proof

As explained above, our scheme is resilient to leakage from memory, from the key-update procedure

and from the key generation procedure. We will leave handling with leakage from key-generation

to the end. Thus assume from this point that ρG= 0 until we mention otherwise.

Let us start by considering a possible proof for standard CPA security of L[?] (as already sketched

in Section 6.1 above). The public-key gAcontains a random 2 × ? matrix (in the exponent), and

the challenge ciphertext is either a linear combination of the rows of A or a random vector of

length ?. The joint distribution of the public-key and ciphertext (we can consider this to be a

matrix V ∈ Z3×?

statistically close to either a random rank-2 matrix or a random rank-3 matrix (in the exponent),

respectively. An adversary that distinguishes these distributions, therefore, immediately breaks the

linear assumption.

Trying to make the argument above leakage resilient, we will need to somehow simulate the

leakage from the secret-key. This seems self defeating, as having a secret-key for the scheme should

mean that the CPA adversary becomes useless (as we can use the secret-key and decrypt the

ciphertext ourselves). We show that the above discouraging intuition is not accurate. To this end,

we rely on the fact that our scheme does not have perfect correctness, but rather has a negligible

probability of being incorrect.

Consider, at this point, the case where no update queries are made, i.e. the same secret-key is

p

whose first 2 rows are the matrix A and its last row is the challenge vT) is

26

Page 28

used throughout the attack. At a very high level, what we will do is show how to generate keys

and a challenge ciphertext in such a way that the secret-key, while being appropriately distributed

respective to the public-key, is useless against our challenge ciphertext. Namely, the distributions

(pk,sk) and (pk,c) are proper, but (pk,sk,c) is far from being proper, in the sense that the secret

key sk is useless in decrypting the specific ciphertext c (c will always decrypt to 0 using sk).6

Hence, a CPA adversary that decrypts c correctly can actually be useful in breaking the linear

assumption.

We then show that if the amount of leakage is sufficiently bounded, then an adversary cannot

gain sufficient information about the secret key sk to discriminate the ciphertext c from a random

ciphertext, and thus should indeed decrypt c correctly (with non-negligible probability). We explain

this in detail below and then explain how to extend this to the continual leakage scenario where

key-updates occur (and thus multiple secret-keys are used and are leaked during the attack).

Let us explain how to generate keys and a challenge ciphertext, such that the keys are properly

distributed but are still useless against the challenge ciphertext, so that a successful CPA adversary

can be used to break the linear assumption. Consider an instance of the linear assumption, this is

a matrix (in the exponent) gC, where C ∈ Z3×3

CPA adversary A to construct a ppt algorithm B that distinguishes between the case that C is of

rank 2 and the case that C is of rank 3.

The algorithm B, on input gCdoes the following. It samples ? − 3 random vectors {xi}

(with all but negligible probability, these vectors are linearly independent), and generates a 3 × ?

matrix (in the exponent) gVthat has the following properties: (1) If C is a random rank-2 matrix,

then V is a random rank-2 matrix; (2) If C is a random rank-3 matrix, then V is a random rank-3

matrix; (3) The vectors {xi} are uniformly distributed in the kernel of V.

This can be done using linear algebra, as follows. Let X denote the ? × (? − 3) matrix whose

ithcolumn is xi. Let B be a basis for the linear subspace {wT∈ Z?

efficiently computable given X. Setting gV= gC·B, it holds that V has the same rank as C. By

symmetry, the vectors {xi} are uniformly distributed in ker(V) as required.

The algorithm B feeds the adversary A with the first two rows of gVas the public-key, denoting

it by gA. It generates a secret-key gy1,gy2by choosing at random y1,y2

randomly sampling from the column span of X. Then, it feeds A with the challenge ciphertext gvT,

which is the last row of gV. Notice that our secret-key will always decrypt the challenge ciphertext

gvTto 0, even if vTis independent of the rows of A and hence should be decrypted to 1 (thus, our

secret key is “crippled” w.r.t. the ciphertext gvT). A CPA adversary that succeeds in decrypting c

correctly (in spite of getting leakage from a “crippled” secret-key) will, therefore, break the linear

assumption by determining if V (and hence C) is rank-2 or rank-3.

Next, we explain why the adversary A, which is given leakage from our “crippled” secret key,

should nevertheless decrypt c correctly (with non-negligible probability). That is, we explain why

it cannot distinguish the “crippled” secret key distribution from the genuine one (given that the

leakage is small enough). To this end, we use the algebraic tool that we develop in Section 5, to show

that a small enough leakage statistically hides the subspace X that the secret-key is sampled from,

making it statistically hard to distinguish our secret-key distribution and the legal distribution

where y1,y2

“crippled” secret-key and a genuine one. This completes the proof for the non-continual problem.

We now address the fact that the leakage is continual, namely that there is a sequence of phases

in which leakage occurs, each followed by a refresh operation. At this point, however, we still

p

is either rank-2 or rank-3. We will use a successful

$← Z?

p

p: wT· X = 0}. Note that B is

$← {X · t : t ∈ Z?−3

p

}, i.e.

$← ker(A). Thus, the adversary cannot use the leakage to distinguish between our

6It is here that we use the fact that our scheme does not have perfect completeness.

27

Page 29

assume that the key update procedure does not leak (i.e. ρU= 0). While our “legal” key-update

operation never changes the column span of the secret-key,7we notice that it is computationally

indistinguishable from one that re-samples new vectors y1,y2from the column span of X at every

update operation.8

Indistinguishability holds as one can consider the legal key distribution as

setting sk?= gX?·Twhere X?is random rank-2, distinguishing gXand gX?is hard by the linear

assumption, and this holds even in the presence of the matrix A. (Jumping ahead, it is this

indistinguishability argument that is troublesome when leakage from the key-update procedure is

allowed.) Note that this “improper” update can be simulated, since we explicitly know X. This

enables us to apply the above argument consecutively: at each phase, we will leak from new vectors

in the column span of X, which will be statistically close to leaking from y1,y2

is, in turn, indistinguishable from the “legal” key distribution.

Lastly, we are left with treating leakage from the update process (i.e. ρU> 0). Any amount of

such leakage seems to completely break the indistinguishability argument of the previous paragraph.

Intuitively, the adversary is getting leakage from the input to the update procedure (including the

random tape used), and thus may have some information on what the legal output should be. Then,

once the adversary sees some memory leakage from an improper secret-key, used for the security

reduction, it can compare it to what it knows about the legal secret-key, thus catching any attempt

for a switch of distributions as above. In order to overcome this barrier, we must come up with a

way to simulate the leakage from the update, in such a way that will ease the mind of the adversary

A and make it behave properly in spite of the discrepancy between the distributions.

The key observation is that whether or not A’s mind is at ease is an efficiently checkable event.

We can simulate the remainder of the security game, using the proposed improper secret key and

some candidate leakage value (as if everything from this point and on is done legitimately) and

see if A’s success probability decreases or not. If the number of bits being leaked is small enough,

specifically O(logk), we can efficiently go over all possible values until we find the one that works.

This looks good and well, but what if no leakage value works? In this case, we recall again

that the improper key distribution used in our reduction is indistinguishable from the original one.

Therefore, since in the original distribution there is always a good leakage value — the legal value,9

this should also be the case with the improper one. This holds since the event of not finding

an acceptable leakage value is also efficiently checkable (again, by simulating A). A change in

behavior in this respect yields a distinguisher between the real and improper distributions, which

is impossible under our hardness assumption.

We get, therefore, that a leakage of O(logk) bits from the update procedure can indeed be

tolerated. This can be generalized in a straightforward manner to imply a tolerable leakage of

O(logT(k)) bits, if we assume that the linear assumption is hard for (roughly) T(k)-time adver-

saries.

The last thing to do is handle leakage from the key-generation. At this point, however, it is

clear how this can be done (for O(logk) bits of leakage). We use the same technique we use for

updates: after generating our initial secret-key, we go over all possible values of key-generation

leakage, and find one for which A works well.

7Recall that the update procedure takes sk = gYand outputs sk?= gY·Rfor an invertible R.

8The new key distribution sets sk?= gX·T, for a properly sampled matrix T, regardless of the previous sk.

9In fact, this is only true with noticeable probability over the sampling of the secret key, and therefore we may

need to try a few keys before we find a good one.

$← ker(A), which

28

Page 30

6.3 Proof of Security of Encryption Scheme L[?]

Theorem 6.1. Under the linear assumption, for every ? ≥ 7, the encryption scheme L[?] (described

in Figure 3) has the following security guarantee: For all constants γ,c > 0, L[?] is secure in the

CML model with leakage rate

?c · logk

Proof. Suppose, towards contradiction, that there exist constants c,γ > 0 and a ppt adversary A

such that A succeeds in breaking security in the CML model with leakage rate

?c · logk

That is, A succeeds in the security game with probability1

(polynomial) upper bound on A’s running time. This, specifically, is also an upper bound on the

number of update queries made by A.

We construct a ppt algorithm B that runs in time poly(k,t,1/?,kc) = poly(k) and breaks the

linear assumption with probability1

First, let us explicitly bound the absolute number of bits that can leak at every update operation

(as opposed to the relative bound ρU). The total bit-length of the secret-key and randomness used

in the update process is 2?logp+4logp. Thus the absolute number of bits that can be leaked is at

most ρU·(2?+4)logp = c·logk. This means that the image of the leakage function has cardinality

at most kc= poly(k). Similarly, the total number of bits that can leak during the key generation

process is also bounded by clogk.

The algorithm B takes as input a matrix (in the exponent) gC, where C ∈ Z3×3

the distribution of C is the following: a bit b

C

p

) (i.e., C is a random rank 2 matrix); if b = 1 then C

random rank 3 matrix). B will output a guess b?as to the value of the bit b, such that

Pr[b?= b] ≥1

(ρG,ρU,ρM) =

4? · logp,

c · logk

(2? + 4) · logp,

? − 6 − γ

2?

?

.

(ρG,ρU,ρM) =

4? · logp,

c · logk

(2? + 4) · logp,

? − 6 − γ

2?

?

.

2+ ?, for ? ≥ 1/poly(k). Let t be some

2+?2

32− negl(k).

p

, and where

$← {0,1} is sampled uniformly; if b = 0 then

$← Rk3(Z3×3

$← Rk2(Z3×3

p

) (i.e., C is a

2+?2

32− negl(k) ≥1

2+ 1/poly(k) ,

and thus break the assumption.

We actually assume that C is slightly differently distributed: The first two rows of C always

form a random rank-2 matrix, and the last row is either a random linear combination of the first

two rows, in the case that b = 0, or is a truly random vector, in the case that b = 1. We can assume

this w.l.o.g. since this distribution is statistically indistinguishable from the original one.

The algorithm B, on input gC, makes a guess b?as to the value of the bit b, as follows:

1. Generate a matrix X, and matrices gV,gA, where X ∈ Z?×(?−3)

that

p

, V ∈ Z3×?

p

, A ∈ Z2×?

p

, such

(a) X is uniformly distributed in Rk?−3(Z?×(?−3)

(b) A is a random full-rank matrix such that A · X = 0.

(c) The first two rows of V are identical to A, and the last row, denoted by vT, is distributed

as follows: If C is a rank-2 matrix then vTis a random linear combination of the rows

of A; and if C is a rank-3 matrix then vTis a random vector such that vT· X = 0.

p

).

29

Page 31

This is done by sampling X

matrix whose rows form a basis of the subspace {wT: wT· X = 0}, and letting gAbe the

first two rows of gV.

$← Rk?−3(Z?×(?−3)

p

), letting gV= gC·B, where B ∈ Z3×?

p

is a

2. Let pk = gA, and compute a corresponding secret key by choosing a random full-rank matrix

T0

p

) and setting sk0

is statistically close to that of a “legal” key pair, generated by the original key generation

algorithm.

$← Rk2(Z(?−3)×2

.= gY0:=gX·T0. The distribution of the key pair (pk,sk0)

3. Test the success probability of A on the key pair (sk0,pk) with all possible values of leakage

from the key generation, as follows. Define M

the security game with A, conditioned on (sk0,pk) and on α’s being the answer to the key

generation leakage, for M times. For each κ ∈ [M], let Zκbe an indicator variable for the

event that A succeeded in the κthemulation. Set¯Z0,α:=1

If¯Z0,α≥1

property, then B aborts and returns a random bit b?

4. Feed the adversary A with the public key gA.

5. In what follows we explain how B answers A’s queries. To this end, B maintains a value for the

current secret-key ski, which he uses to answer leakage queries. Jumping ahead, B emulates

update queries differently than the legal Update procedure, which results in the distribution

of the ski’s being different from the distribution of the secret-keys in the original game. As

a result, the emulation of the leakage from the update procedure will require special care to

prevent A from noticing the change.

• The leakage queries of A are answered by computing the leakage function on the current

secret-key ski.Namely, if in time period i the adversary A sends a leakage query

(leak,fi), then B returns the answer fi(ski).

• To answer update queries, B does the following. Consider the distribution DXdefined

by sampling a random full-rank matrix T

remark that sk0was sampled in the same way).

Upon receiving the ithupdate query (update,fi), B updates the secret key as follows.

It samples gYi

the possible leakage values (note that there are only kcpossibilities). For each possible

leakage value α ∈ {0,1}c·logk, it tests if it is a “good” leakage w.r.t. ski= gYi. A good

leakage is one that (almost) preserves the success probability of A in spite of using the

wrong key-distribution. If no such good leakage is found, we try sampling gYi

anew. We will have to show below that with high probability, a good gYiis found after

a sufficiently small number of trials.

In what follows, we show how B estimates the success probability of A, conditioned on

(gYi,α), in order to determine whether α is a good leakage w.r.t. gYi. This is done

similarly to the way B tested the success probability of A (conditioned on the key pair

(sk0,pk)) in Step 3. Recall our definition of M =k·t2

.=

k·t2

?2. For all α ∈ {0,1}clogk, emulate

M

?

i∈[M]Zκ.

2+3?

4−

?

2(t+1)then set η0:=¯Z0,αand continue to the next step. If no α has this

$← {0,1}.

$← Rk2(Z(?−3)×2

p

), and outputting gX·T(we

$← DX.10Then, to compute a corresponding leakage, B goes over all

$← DX

?2.

10We only refer to the distribution DX explicitly in the proof of Claim 6.2 below. Until then, one can just consider

setting gYi:=gX·Tifor Ti

← Rk2(Z(?−3)×2

$

p

).

30

Page 32

(a) For each κ ∈ [M], emulate a (fresh) continuation of A while simulating the rest of

its queries legally.

That is, upon receiving an update query (update,fj) in time period j > i, sam-

ple Rj

p

), set skj:=Update(skj−1;Rj), and leak the prescribed value

fj(skj−1,Rj). Upon receiving a leakage query (leak,fj) in time period j, feed A

with the answer fj(skj). Finally, when A asks for the challenge ciphertext, choose

a random bit β

If A’s output is equal to the bit β, then set Zκ= 1; otherwise set Zκ= 0.

(b) Compute¯Z(i,α,gYi):=1

M

(c) If¯Z(i,α,gYi)≥ ηi−1−

is “bad”.

After a good leakage value α has been found w.r.t. some secret key gYi, B will set

ski:=gYi, answer the update query of A with the leakage value α, and will continue the

simulation of A.

To ensure that a good leakage value is found with high probability, B repeats this trial

several times, as follows. Recall the value of η0set above. Similarly to η0, the value of

ηi(in item (b) below) is an estimation of the success probability of A, conditioned on

its state after the first i updates.

$← Rk2(Z2×2

$← {0,1}, and give A an encryption c ← Enc(gA,β).

?M

κ=1Zκ.

?

2(t+1)then we say that α is “good”. Otherwise we say that it

(a) Sample gYi

(b) Go over all α ∈ {0,1}clogkin some arbitrary order (say lexicographic), and test

whether α is “good” with respect to the secret key gYi. If a “good” α is found then

the response to the ithleakage query is set to α and the new secret key is set to

ski:=gYi. In addition, set ηi:=¯Z(i,α,gYi).

(c) Otherwise, if all the possible α’s are “bad”, then go back to step (a). If more

than J

b?

$← DX

.=tk

?values of gYihave been tried, then abort and output a random guess

$← {0,1}.

6. When A asks for the challenge ciphertext, B sends gvTas the challenge ciphertext.

7. Finally, when A outputs a guess b?, then B outputs the same value b?.

We argue that B guesses the bit b (i.e., b?= b) with probability1

This will follow in a straightforward manner by combining the following 3 claims (the event Λ

will be defined below).

2+?2

32− negl(k).

Claim 6.2. Under the linear assumption,

Pr[B doesn’t abort |Λ] ≥ ?/4 − negl(k) .

Claim 6.3. It holds that

Pr[b?= b|B doesn’t abort ,Λ] ≥1

2+ ?/8 − negl(k) .

Claim 6.4. It holds that

Pr[Λ] = 1 − negl(k) .

We start by defining the event Λ and proving Claim 6.4. For all i ∈ {0} ∪ [t], α ∈ {0,1}clogk,

and for every possible value gYisampled during the running of B, we define P(i,α,gYi), as follows.

31

Page 33

Fix the coin tosses of B until it receives the i’th update query from A. Conditioned on this fixing,

P(i,α,gYi)is the probability of A’s success in an emulated game in which the first i updates are

emulated by B with the ithsecret key set to gYiand leakage value for the ithupdate set to α,

and the remainder of the game is emulated as perscribed (i.e. key updates are performed using

the procedure Update and leakage values are computed by definition). We note that P(i,α,gYi)is

not a well defined value in its own right, but rather a function of the coin tosses of B until (and

including) the ithupdate. The value P0,αis defined to be the success probability of A in a game,

fixing (sk0,pk) and taking α as the value of the key-generation leakage. We also denote by Pithe

value of P(i,α,gYi)for the (α,gYi) that are finally selected by B to be used as leakage value and ski

respectively (P0is defined analogously to be P0,αfor the α that is actually used).

Throughout B’s emulation of the security game with A, it tries to estimate the values of Piby

sampling M continuations of A and checking the success rate. The event Λ indicates that all such

estimations are sufficiently close to the correct value. Formally, the event Λ holds if and only if

both for all α ∈ {0,1}clogk,

?? ¯Z0,α− P0,α

and for every i ∈ {0} ∪ [t], every α ∈ {0,1}clogk, and all the {gYi} chosen by B,

???¯Z(i,α,gYi)− P(i,α,gYi)

Note that as a special case, Λ implies that for all i ∈ {0} ∪ [t] it holds that |ηi− Pi| ≤

Claim 6.4, therefore, is a straightforward application of the Chernoff bound. The formal argu-

ment follows.

??≤

?

8t

??? ≤

?

8t.

?

8t.

Proof of Claim 6.4. By Chernoff,11for all i,α,gYi,

????¯Z(i,α,gYi)− P(i,α,gYi)

at most t · kc· J + kc= poly(k), the claim follows by the union bound.

We move on to proving Claim 6.3.

Pr

??? >

?

8t

?

≤ 2e−?2M/(32t2)= 2e−k/32,

and the same also holds for¯Z0,αand P0,α. Since the total number of such (i,α,gYi) (and¯Z0,α) is

?

Proof of Claim 6.3. Recall that this claim considers a probability space where B does not abort

and the event Λ occurs (i.e. all ηi’s are close to the respective Pi’s). In such case, by definition

ηt≥ ηt−1−

?

2(t + 1)≥ ηt−2−

2?

2(t + 1)≥ ··· ≥ η0−

t?

2(t + 1)≥

?1

2+3?

4−

?

2(t + 1)

?

−

t?

2(t + 1)=12+?

4.

Since Λ holds, it implies that Pt≥ ηt−?

However, we are not done because Ptrefers to the success probability of A given a legal challenge

ciphertext, while B feeds it with gvTwhich is malformed. For example, in the case where b = 1, a

legal challenge ciphertext is uniformly distributed, while the ciphertext gvTalways satisfies vT·Yi=

0, for any secret key of the form gYi= gX·Ti.

It remains to show, therefore, that using such malformed challenge can only change the success

probability of A by a negligible amount. If b = 0 (i.e. the matrix C is of rank 2) then this

11Recall that the (additive) Chernoff bound implies that if X1,X2,...,XM are indicator random variables such

that E(Xi) = µ. Then, Pr[?? ¯ X − µ??> ?] ≤ 2e−2?2M.

8t≥1

2+?

4−?

8t≥1

2+?

8.

32

Page 34

immediately follows: in such case, the distribution of vTis identical to that of a valid challenge

ciphertext. Proving this for b = 1 (where C has rank 3) is highly non-trivial, and is proved using

the algebraic tool developed in Section 5, as follows.

Consider the linear space ker(A). Notice that X and gAare sampled in such a way that the

columns of X are within negligible statistical distance from a set of ?−3 random vectors in ker(A).

We apply Theorem 5.3 inside the linear space ker(A), one can think of the representation of X and

all other elements relative to some basis of ker(A). The amount of total allowed leakage from each

gYiconsists of the leakage α from the update procedure, and of the leakage fi(gYi) from memory.

This amounts to

ρM· |sk| + ρU(|sk| + |r|) = ρM· 2? · logp + c · logk .

An important delicate point is that we also need to consider the “leakage” from the gYithat ended

up not being used, because the very fact that they are not used affected the view of the adversary

(since another value was used instead). One can consider these values as leaking a single bit saying

that they are “not good” (which is clearly less than what leaks from the ones that are actually

used, so we will just use the bound above). Therefore, we need to consider leakage from J · t + 1

values of the form gYi= gX·Ti(recall that sk0also leaks).

Let u

(this is the dimension of ker(A)),ˆ? = ? − 3 (this is the number of random vectors in the subspace

that are contained in X), and with functions hi,12whose range is of cardinality |W| = p2?·ρM· kc,

we get

$← Z?

pand let Zi

$← ker2(A) for all i. Applying Theorem 5.3 with parameters ˆ m = ? − 2

?A,v,h0(gX·T0),h1(gX·T1),...? δ≡

?A,u,h0(gZ0),h1(gZ1),...? δ≡

(1)

(2)

?A,v,h0(gZ0),h1(gZ1),...?≡

?A,u,h0(gX·T0),h1(gX·T1),...?

(3)

(4)

.

The transitions from (1) to (2) and from (3) to (4) follow immediately from Theorem 5.3 (in fact,

these also hold if X is a part of the distribution). The transition from (2) to (3) follows from the

fact that b = 1, and thus the distribution of v, even conditioned on A, is uniform in Z?

The value of δ is derived from Theorem 5.2

?

p.

δ

.= J · t ·

|W|

p?−6+ negl(k) = J · t · 21/3·

?

p2?·ρM· kc

p?−6

+ negl(k) ,

where the additional negl(k) comes from X’s being only statistically close to uniform. Assigning

our value of ρM=?−6−γ

2?

, we get δ = Jt · kc/2· p−γ/2+ negl(k) = negl(k).

This concludes the proof of the claim.

?

Finally, we prove Claim 6.2.

Proof of Claim 6.2. We need to prove that B does not abort with sufficient probability. To see

this, we use the fact that an abort is an efficiently recognizeable event. Our strategy, therefore, is

to replace B with an appropriate B?that produces a computationally indistinguishable distribution

and bounding the abortion probability of B?. The claim on B will then immediately follow.

12Think of hi as containing the total amount of leakage on ski, including memory leakage and update leakage.

Namely, hi(gX·Ti)

.= (αi,fi(gX·Ti)).

33

Page 35

Specifically, we define B?as identical to B with the exception that the probability DX, that is

used in step 5, is replaced by a distribution D?that is defined by the following sampling process:

sample R

p

) and output gY0·R(recall that sk0= gY0). This means that in B?, the up-

dated secret-keys are sampled from the correct distribution, but the leakage value is still computed

using the “trial and error” mechanism. It should be clear (as will be formally proven below) that

if the keys are sampled legally, then a good leakage value has to exist (with sufficient probability).

The indistinguishability of B and B?follows from the indistinguishability of the two distributions

DXand D?. This indistinguishability holds even given V, by the following argument. Let V be

a known matrix. Let B ∈ Z?×(?−3)

basis contains either ? − 2 or ? − 3 vectors), and let T

M ∈ Z(?−3)×(?−3)

implies that distinguishing the two cases given only gMis hard. Note that if M is of rank 2 then

gB·M·Tis distributed according to D?. On the other hand, if M is of rank ? − 3 then gB·M·Tis

distributed according to DX. Indistinguishability follows and thus,

$← Rk2(Z2×2

p

be the first ? − 3 columns of a random basis for ker(V) (such

$← Rk2(Z(?−3)×2

and is either random of rank 2 or random of rank ? − 3. The linear assumption

p

). Let gMbe such that

p

Pr[B doesn’t abort |Λ] ≥ Pr[B?doesn’t abort |Λ] − negl(k) .

We move on to bound Pr[B?doesn’t abort |Λ]. From now on, all events are conditioned on Λ.

We first notice that a standard Markov argument implies that

?

It follows that the test in step 3 passes with at least that probability (up to a negligible distance),

since (sk0,pk) are statistically indistinguishable from the proper distribution and therefore, since

Λ holds, when trying the “correct” key-generation leakage value, the test will pass.

Let us now recursively bound the probability of abortion in step i conditioned on no abortion in

previous steps. No abortion in previous steps implies that ηi−1is well defined and Pi−1≥ ηi−1−?

A Markov argument implies that with probability

“real” leakage value is used. Such skiwill surely pass the test (recall that event Λ guarantees that

all Chernoff estimates are close to their respective values). Trying J =tk

such gYiis sampled with all but negligible probability.

It follows that

Pr[B?doesn’t abort |Λ] ≥?

and the claim follows.

Pr

P0≥1

2+3?

4

?

≥ ?/4.

8t.

?

8tover skiit holds that Pi≥ ηi−1−?

4twhen the

?times guarantees that

4− negl(k) ,

?

This completes the proof of the theorem.

7 A Continual-Leakage Secure Identity-Based Encryption Scheme

In this section we present a definition for identity based encryption in the CML model. We then

show how to extend the scheme presented in Section 6 to obtain an identity based encryption

scheme.

First, in Section 7.1, we discuss what the correct definition of IBE in the CML model needs to be,

leading, in Section 7.2, to the formal security definition to be used in this work. Our construction

is presented at a high level in Section 7.3 and is formally stated in Figure 4. We provide a sketch

for the proof of security in Section 7.4 (we do not give a formal proof as it is a straightforward

combination of our encryption scheme, from Section 6, and the linear-based IBE of [BK10]).

34

Page 36

Interestingly, the simplified scheme L∗(see Section 2.2) does not seem to extend to an IBE

scheme the way our main scheme L does.

7.1Modeling IBE in the CML Model

In identity based encryption, a trusted authority holds a master secret-key (msk) and posts a set

of public parameters (pp). The public parameters enable anyone to encrypt messages, knowing

only the identity (id) of the intended recipient. The trusted authority can use its master secret key

to produce a respective secret-key (skid) for the user whose identity is id. This secret-key enables

decrypting messages intended for user id.

When applying the CML model to this framework, we notice a significant difference from the

cases of encryption or signatures discussed above. While in the aforementioned cases, only one

entity was holding secret information and thus susceptible to leakage (the decryptor and the signer,

respectively), in the IBE case, we have a “hierarchy” of secrets: The trusted authority holds

msk, naturally breaching its security could imply loss of security for all users; the individual users

have their own secret-keys skidwhich can also leak just as in the standard context of public-key

encryption. We stress that leakage from one user’s secret-key should have no effect on the security

of another’s. This is because even in the standard definition of security for IBE (with no leakage),

the attacker can access any secret-key of its choosing, except for that of the user being attacked.

The discussion above suggests that a proper definition of IBE in the CML model should address

the issues of leakage from the msk as well as leakage from the individual secret keys skid. While

we present the general model, our solution can only handle the latter leakage type, namely one

from the individual secret-keys skid. On one hand, one could argue that since the msk is a much

more appealing target (as it is related to the security of all users), it may attract more attention

from attackers and thus deserves more protection. This point of view makes our solution seem

less appealing. On the other hand, a situation where the trusted authority does not leak can be

justified by arguing that in real-life situations, the trusted authority has much more resources than

the specific users, and therefore can afford to take counter-measures at the implementation level

to prevent key leakage. In any case, finding schemes that are resilient to the more general class of

attacks remains an interesting open problem.

Most generally, an IBE scheme in the CML model consists of the algorithms Setup, Extract,

Updatemaster, Enc, Dec, Updateuser, where Setup,Extract,Enc,Dec are identical to those in the stan-

dard definition of IBE, the new algorithms Updatemaster,Updateusercorrespond to the key-update

procedures of the trusted authority and of an individual user, respectively. The input-output func-

tionalities of these procedures are similar to that of the update procedure in the encryption case. In

the interest of keeping the discussion at an abstract level, we refrain from giving formal definitions.

An attack on an IBE scheme in the CML, therefore, is modeled as follows. The trusted authority

uses the Setup procedure to generate (msk,pp). The setup process may leak some information to

the adversary. The attacker can then (adaptively) specify as many values of id for which it wants to

see skid. In addition, it can make additional leakage queries to msk (Updatemasteris used to refresh

msk when required and this update process may also leak). After this query phase, the attacker

decides which identity id∗it wants to attack. The trusted authority uses the Extract procedure to

compute skid∗ (this is, of course, not revealed to the adversary). This process may also leak. At

this point, the adversary can make more queries as above. It of course cannot ask for the secret-key

of id∗but can ask for leakage from it (Updateuseris used to update skid∗ when required, and may

also leak). After this second query phase, the adversary decides on messages m0,m1and receives

the challenge ciphertext cb, which is an encryption of mb, where b is a random bit sampled by the

challenger. A third query phase now commences, but now no leakage queries are allowed, only skid

35

Page 37

queries for id ?= id∗. After this final query phase, the adversary makes its guess b?as to the value

of b.

As explained above, in this work we only present a solution for the case where In the case where

no leakage from msk is allowed. This means no leakage from the Setup and Extract procedures as

well. In such case, the above attack becomes simpler (specifically, the types of queries the adversary

can make significantly reduces). We will in fact consider an even weaker security definition that

corresponds to the CML version of selective identity security (or just selective security for short).

In selective security, the adversary is required to decide on the value of id∗at the beginning of

the experiment (before the public parameters are generated). A trivial reduction shows that a

selective-secure scheme with identity space {0,1}m, where m is polynomially related to the security

parameter (m = k?), can be extended to a fully-secure scheme with identity space {0,1}∗using a

family of collision resistant hash function, with a loss of 2−mfactor in security. It is easy to see that

this transformation carries over to the CML model (at least in the case where there is no leakage

from msk). This transformation is rather standard and we will not describe it here in detail.

We give a formal definition of selective security in the CML model in Section 7.2.

7.2Selective IBE Security in the CML Model — Definition

We formally define the model of attack for selective secure IBE in the CML model. The definition

is in the spirit of the discussion in Section 7.1 above.

Definition 7.1. An IBE scheme (Setup,Extract,Updateuser,Enc,Dec) is selectively secure under

chosen plaintext attack in the CML model, with leakage rate (ρM,ρU), if any ppt adversary succeeds

in the following game with probability negligibly close to1

2.

1. Identity selection. The adversary decides on an identity id∗for which it wants to break the

security of the encryption. It sends id∗to the challenger.

2. Setup. The challenger runs Setup(1k) to generate (msk,pp) and sends pp to the adversary.

3. Secret-key generation. The challenger runs skid∗,0← Extract(msk,pp,id∗). It further sets

i := 0 and L0:= 0.

4. Query 1. The adversary makes queries of the following types:

• Extraction queries (extract,id) where id ?= id∗. The challenger generates skid:= Extract(sk,pp,id)

and sends this value to the adversary.

• Leakage queries (leak,f), where f is a circuit. If Li+??f(skid∗,i)??≤ ρM·??skid∗,i

the challenger aborts.

• Update queries of the form (update,f), where f is a poly-size circuit. The challenger

chooses randomness r for the updating process, and computes f(skid∗,i,r). If |f(skid∗,i,r)| >

ρU· |skid∗,i| or if Li+ |f(skid∗,i,r)| > ρU·

turns f(skid∗,i,r) to the adversary, and it sets skid∗,i+1 ← Updateuser(skid∗,i,pp,r),

Li+1← |f(skid∗,i,r)|, and i ← i + 1.

5. Challenge. The adversary sends two messages m0,m1to the challenger. The challenger flips

a coin b

??then the

challenger returns f(skid∗,i) to the adversary and sets Li:= Li+??f(skid∗,i)??. Otherwise,

??skid∗,i

??then it aborts. Otherwise, it re-

$← {0,1} and computes c ← Enc(pk,mb). It sends c to the adversary.

6. Query 2. The adversary makes additional extraction queries (extract,id) (with id ?= id∗) to

which the challenger answers the same as above.

36

Page 38

7. Finish. The adversary outputs a guess b?∈ {0,1} as to the value of b.

The adversary succeeds if b?= b.

7.3 Our Construction

We adapt our CML secure public-key encryption scheme into a CML secure IBE scheme. From now

on, we focus our attention on the case of selective security where no leakage from msk is allowed,

as described above. Our scheme can be seen as a combination of our basic scheme from Section 6

and the d-linear IBE scheme of [BK10].

Consider the following simplified version of the [BK10] construction. The public parameters

are a set of 2m + 1 random 2 × 2 matrices in the exponent (where ID = {0,1}mis the identity

space): gA0, {gAi,b}i∈[m],b∈{0,1}. The “public key” that corresponds to identity id (i.e. the part of

the public parameters that is required to encrypt for id) is gAidwhere Aid= [A0?Aid1?···?Aidm].

The corresponding secret key skidis a random vector in ker(Aid). Encryption and decryption are

performed very similarly to our scheme L[?]: the ciphertext is a vector in the exponent gvTwhere

an encryption of 0 uses vTthat is uniform in Span(A) and and an encryption of 1 uses a completely

uniform vT. The master secret key is the matrix A0(in explicit representation). It is immediate

that using A0, one can sample uniformly from ker(Aid) for all id.

The proof of security in [BK10] is as follows. Since we consider the case of selective security,

the attacker decides on id∗before the public parameters are generated. This enables generating

the public parameters such that all matrices Ai,1−id∗

are explicitly known, the matrix gAid∗is generated together with the challenge ciphertext gvTsuch

that a successful adversary decides whether the matrix whose first two rows are gAid∗and its third

row is gvTis of rank 2 or 3, thus breaking the linear assumption. Clearly for all id ?= id∗, the

matrices that are explicitly known can be used to sample from ker(Aid) and thus one can answer

the adversary’s queries.

Adapting this idea to achieve key resiliency is straightforward using what we know of L[?]. We

now rather than generating the secret key as a single vector in ker(Aid), generate it as two such

vectors. This will enable Updateuseroperations just as we do in L[?]. Therefore we can reduce the

CML security of the resulting IBE scheme to the CML security of L[?].

We formally define our IBE scheme IBL[m] in Figure 4. Correctness immediately follows. We

discuss its security guarantees below.

i(i.e. all matrices that do not “play” in Aid∗)

7.4Overview of the Security Proof

The following theorem establishes the selective security of our scheme in the CML model (with no

leakage from the master key). Since the proof is just a combination of ideas from Section 6 and

from [BK10], we only sketch it here.

Theorem 7.1. For any polynomially bounded parameter m, the IBE scheme IBL[m] is selective

secure under chosen plaintext attack in the CML model, such that for all γ,c > 0 the scheme is

secure with leakage rate

?c · logk

Proof sketch. We prove by reducing the security of IBL[m] to that of the scheme L[?] presented

in Section 6, with parameter ?

Theorem 6.1 immediately implies the leakage parameters in the theorem statement above.

(ρU,ρM) =

? · logp,m − 2 − γ

2(m + 1)

?

.

.= 2m + 2. Assigning the said value of ? into the parameters of

37

Page 39

Identity-based encryption scheme IBL[m]

• Parameters. The scheme is parameterized by groups G,GTof prime order p such that there

exists a bilinear map e : G×G → GT. Let g be a canonic generator for G (and thus e(g,g) is

a generator for GT).

The identity space of the scheme is ID = {0,1}m, where m ∈ N is polynomially related to the

security parameter. We require an exponential identity space so that it is possible to apply

known methods for obtaining fully secure IBE from a selective-secure one.

Our scheme is a bit-encryption scheme, namely its message space is M = {0,1}.

• Setup. The setup procedure runs as follows. It samples A0

A0is not invertible, the procedure fails).

It then samples gAi,b

of Ai,bis required). The public parameters are set to pp:={gA0,{gAi,b}i,b}.

We denote Aid

$← Z2×2

p

and sets msk ← A−1

0

(if

$← G2×2for all i ∈ [m] and b ∈ {0,1} (note that no explicit generation

.= [A0?Aid1?···?Aidm]

• Extract. To extract a secret key for identity id ∈ {0,1}mwe sample x1,x2

set gX:=[gx1?gx2]. We then define skid

In order to sample x

p

Aidthat does not contain A0and recall that A0is invertible and msk = A−1

distribution of any 2m elements in the vector x is uniform. Therefore we sample r

and set

gx:=

$← ker(Aid) and

.= gX.

, we define Bid

$← ker(Aid) ⊆ Z2m+2

.= [Aid1?···?Aidm] to be the part of

0. The marginal

$← Z2m

p

?

gr

0·Bid·r

g−A−1

?

.

• Update (user). To update a secret-key skid= gX, we sample T

sk?

$← Rk2(Z2×2

p

) and output

id= gX·T.

• Encrypt. To encrypt a message µ ∈ {0,1} for identity id, using the public parameters

pp = {gA0,{gAi,b}i,b}, we compute the ciphertext c

that

vT

Z2m+2

p

.= gvTwhere gvT∈ G2m+2is defined such

if µ = 0

if µ = 1

$←

?

Span(Aid)

.

Clearly, gvTcan be efficiently sampled in both cases.

• Decrypt. To decrypt a ciphertext c = gvTusing secret key skid= gX, we use the bilinear

map to compute e(gvT,gX) = e(g,g)vT·Xand output µ = 0 if the result is equal to e(g,g)0

and µ = 1 otherwise.

Figure 4: IBE scheme in the CML model.

Consider an adversary A for the selective IBE security in the CML model of IBL[m]. Then an

adversary B for the semantic security of L[2m+2], with essentially the same success probability can

be defined as follows. The adversary B will use the challenger of L[2m+2] to simulate a challenger

for IBL[m].

1. B simulates A to receive the value of the target identity id∗.

2. B gets a public key for L[2m + 2] from the challenger. This public key is of the form gAfor

A

p

. B interprets this value as gAid∗. This interpretation defines values for gA0

and {gAi,id∗

$← Z2×(2m+2)

i}i.

38

Page 40

3. B samples matrices Ai,1−id∗

and sends this to A as the set of public parameters for the scheme IBL[m]. Note that the

distribution of pp here is exactly as prescribed.

i

$← Z2×2

p

for all i ∈ [m]. It then sets pp := {gA0, {gAi,b}i,b}

4. The first query phase of A is simulated. For the queries made by A, B answers as follows.

• Extraction queries of the form (extract,id) for id ?= id∗can be answered by B by consid-

ering a location i?∈ [m] for which idi? ?= id∗

to B who can use it to generate skid(assuming that Ai?,idis invertible which is the case

with all but negligible probability).

• Leakage queries of the form (leak,f) and update queries of the form (update,f) are

forwarded to the challenger of L[2m+2] as leakage and update queries. The challenger’s

answer is then forwarded back to A.

We notice that by definition, the distribution of answers that A gets in this simulation

is identical to that produced by a “legal” challenger for IBL[m].

5. B simulates the challenge phase of A to obtain the messages µ0,µ1. It forwards these messages

to the challenger to obtain the challenge ciphertext c, which is forwarded to A.13

6. The second query phase of A is simulated exactly as the first one.

7. When A terminates and returns a guess b?, B terminates as well and returns the same b?.

It is straightforward that the simulation of A’s view is accurate up to a negligible term and also

that if A wins in its experiment then so does B in its. The result thus follows.

i?. This implies that Ai?,idis explicitly known

8Continual Leakage Resilience: From Encrypting to Signing

In this section, we show how to construct a signature scheme that is secure against continual leakage,

using as a building block any encryption scheme secure against continual leakage. Specifically, given

an encryption scheme that is semantically secure in the CML model with leakage rate (ρG,ρU,ρM),

we construct a signature scheme that is existentially unforgeable under adaptive chosen message

attacks in the CML model, with leakage rate (ρG,ρU,ρS,ρM), where the value of ρS, which is the

leakage rate from the signing algorithm, is given below.

In fact, our construction only relies on the ability to verify that a key-pair (sk,pk) is valid, and

our security proof reduces the unforgeability of the signature scheme to actually finding a valid sk

for the encryption scheme. Thus a much weaker primitive (a “leakage resilient one-way function”)

could have been used. In the interest of keeping the presentation simple, we do not explicitly define

this “middle stage” and work directly with an encryption scheme.

Throughout this section, we assume a stronger leakage resilience property on the CML secure

encryption scheme that underlies our construction: We assume that the scheme remains secure even

if the size of the leakage is unbounded, so long as the image of the leakage function has bounded

cardinality. Namely, we allow the leakage to be arbitrarily long, but require that the secret key sk

has “enough” min-entropy left conditioned on the leakage. We stress that our encryption scheme,

presented in Section 6, is indeed secure with respect to this (stronger) security definition.

First, in Section 8.1, we construct such a signature scheme with ρS= 0; i.e., the scheme does

not tolerate any leakage from the signing process. In addition to relying on an encryption scheme

13Since both schemes encrypt bit by bit, one can just assume that µ0 = 0 and µ1 = 1, however we chose to give a

more general description.

39

Page 41

secure against continual leakage, here we also rely on the existence of an unbounded simulation-

sound NIZK proof system (see Definition 4.2). This scheme follows the paradigm of Katz and

Vaikuntanathan [KV09] for constructing leakage-resilient signature schemes in the bounded leakage

model, although we must modify the scheme appropriately so as to tolerate continual leakage.

Then, in Section 8.2, we construct such a signature scheme with ρS= ρM/α(k), where α(k) =

ω(logk), and the smaller α(k) is, the stronger the underlying assumption is. Namely, we rely

on the assumption that there exists a family H = {Hk}k∈Nof collision resistant hash functions

such that for every h ∈ Hk, h : {0,1}∗→ {0,1}α(k). Moreover, we rely on the existence of lossy

trapdoor functions with oblivious representation (see Definition 4.4), and we rely on the existence

of short non-interactive arguments (see Definition 4.3). We note that all known constructions of

the latter, were proven to be secure only in the random oracle model [Kil92, Mic00, BG08]. Finally,

we note that in order to deal with leakage from the signing process we generalize the CML model,

as explained in Section 8.2 (see Definition 8.1).

8.1Continual Leakage Resilience — No Leakage from Signing Process

In this section we construct a signature scheme T1= (Gen,Sign,Ver,Update) that is existentially un-

forgeable under adaptive chosen message attack in the CML model with leakage rate (ρG,ρU,0,ρM).

Our signature scheme relies on the following ingredients:

• A public-key encryption scheme L = (L-Gen,L-Enc,L-Dec,L-Update) that is semantically

secure in the CML model with leakage rate (ρG,ρU,ρM). We assume the encryption scheme

L has the following property:14

polynomial-time predicate T such that T(pk,sk) = 1 iff (pk,sk) ← L-Gen(1k) or sk cor-

rectly decrypts ciphertexts encrypted using pk except with probability µ(k)).

there exists a negligible function µ and a deterministic

• A dense public-key encryption scheme E = (Gen,Enc,Dec) that is semantically secure (with

no leakage guarantees). The “dense” property means that the public key is indistinguishable

from a random string, and so public keys (or at least strings indistinguishable from valid

public keys) can be sampled “obliviously” without knowledge of the corresponding secret key.

Such schemes are known to exist e.g. under the DDH or the LWE assumptions (e.g. [Gam84,

Reg05]). In fact, even our scheme from Section 6 has this property.

• An unbounded simulation-sound NIZK proof system Π = (?,P,V,S1,S2) for the following

language L:

L =?(m,c,pk?,pk) : ∃sk,r s.t. c = Encpk?(sk;r) and T(pk,sk) = 1?.

Namely, (m,c,pk?,pk) ∈ L if and only if c is an encryption (using encryption scheme E and

the public key pk?) of a secret key sk that corresponds to pk (with respect to encryption

scheme L).15

Our signature scheme T1= (Gen,Sign,Ver,Update) is defined in Figure 5.

14In fact, we can use a slightly weaker property that all encryption schemes have, but for the sake of readability,

we make this simplifying assumption.

15One may notice that the m part of the input does not participate in the verification process. Namely, whether

(m,c,pk?,pk) ∈ L, or not, is independent of the value of m. As demonstrated in [KV09], having m as a part of the

input makes the NIZK proof attached to a specific message, and prevents “cut and paste” attacks.

40

Page 42

Signature scheme T1

Key generation. The key-generation algorithm Gen does as follows:

1. Sample a key-pair for the leakage-resilient encryption scheme (pk,sk) ← L-Gen(1k), using

secret/public randomness as specified by L-Gen.

2. Using public randomness, sample (obliviously) a public key pk?for the (ordinary) encryption

scheme E.

3. Using public randomness, sample a string crs

$← {0,1}?(k).

The signing key is sk, and the verification key is vk = (pk,pk?,crs).

Signing. Given inputs m, a secret key sk, and a verification key vk = (pk,pk?,crs), do:

1. Choose a random string r and compute c ← Encpk?(sk;r).

2. Compute a proof π for the statement (m,c,pk?,pk) ∈ L, with respect to the common random

string crs, using (sk,r) as the witness. Namely, compute π ← Pcrs((m,c,pk?,pk),(sk,r)).

Output σ = (c,π) as a signature for m.

Verifying. To verify a signature σ = (c,π) on a message m with respect to the verification key

vk = (pk,pk?,crs), check whether π is a valid proof of the statement (m,c,pk?,pk) ∈ L with respect

to the common random string crs.

Updates.

cret/public randomness as specified by L-Update.

Figure 5: Signature scheme in the CML model.

The update procedure Update is identical to the update procedure of L, using se-

Theorem 8.1. Let L be a semantically secure public-key encryption scheme in the CML model,

with leakage rate (ρG,ρU,ρM); let E be a semantically secure dense public-key encryption scheme;

and let Π be an unbounded simulation-sound NIZK proof system. Then signature scheme T1 =

(Gen,Sign,Ver,Update) described in Figure 5 is existentially unforgeable under adaptive chosen

message attacks in the CML model, with leakage rate (ρG,ρU,0,ρM).

Proof. Let F be a ppt forger attacking T1with the specified leakage rate. We consider a sequence

of experiments, and let Pri[·] denote the probability of an event in Experiment i. We let Succ

denote the event that F succeeds, as in Definition 3.2.

Experiment 0. This is the experiment of Definition 3.2.

Experiment 1. We introduce the following differences with respect to the preceding experiment:

when setting up the public key, we now generate the common random string crs of the simulation-

sound NIZK by computing (crs,τ) ← S1(1k). We also generate the public key pk?by running the

key-generation algorithm (pk?,sk?) ← Gen(1k). Note that when answering leakage queries of F,

the secret randomness is unchanged and crs,pk?are treated as public randomness just as in the

previous experiment. It follows easily that the difference |Pr1[Succ] − Pr0[Succ]| is negligible.

Experiment 2. We modify the preceding experiment by answering signing queries as follows: to

sign m, generate c ← Encpk?(sk) as before but then compute π as π ← S2((m,c,pk?,pk),crs,τ).

The (adaptive) zero-knowledge property of Π implies that |Pr2[Succ]−Pr1[Succ]| is negligible. Note

that we rely here on the fact that there is no leakage from the signing process (i.e., ρS= 0).

Experiment 3. We modify the preceding experiment by answering signing queries as follows:

to sign m, now compute c ← Encpk?(0|sk|) (and then compute π as in Experiment 2). Semantic

41

Page 43

security of encryption scheme E implies that |Pr3[Succ] − Pr2[Succ]| is negligible. Again, we rely

here on the fact that there is no leakage from the signing process.

We now prove that Pr3[Succ] is negligible, by reduction to the semantic security of public-key

encryption scheme L in the CML model. Construct the following ppt adversary A attacking L:

1. Generate (pk?,sk?) ← Gen(1k) and (crs,τ) ← S1(1k).

2. Run F as a subroutine. Given f as output by F, define fL(·,·)

the leakage function fL. (Note that fL(r,p) ≤ ρG· |r| iff f(r,p,pk?,crs) ≤ ρG· |r|.) Obtain in

return a public key pk, public randomness p, and leakage fL(r,p). Give to F the verification

key (pk,pk?,crs), public randomness p,pk?,crs, and leakage fL(r,p) = f(r,p,pk?,crs).

3. Continue running F, responding to its signing queries as specified in Experiment 3. (Recall

that we do not allow leakage during signing queries.)

.= f(·,·,pk?,crs) and output

4. When F makes a leakage query (leak,f), adversary A forwards this query to its own leakage

oracle and then forwards the response to F. Note that the size of the secret key in T1 is

identical to the size of the secret key in L, so the relative leakage bound ρMis respected.

5. When F makes an update query (update,f), adversary A forwards this query to own update

oracle and then forwards the response to F.

6. Assuming the challenger has not aborted, F outputs a pair (m,σ) with σ = (c,π). If F

succeeds, then A uses the secret key sk?to decrypt the ciphertext c and obtain sk := Decsk?(c).

If (pk,sk) is not a valid key-pair, then A aborts. Otherwise, A outputs two distinct messages

m0,m1and receives a challenge ciphertext cb← L-Encpk(mb). It then uses the secret key sk

to decrypt cband thus guess b.

Note that A provides a perfect simulation of Experiment 3 for F. Therefore, F succeeds in

outputting a valid forgery with probability exactly Pr3[Succ]. Simulation soundness of Π, together

with the fact that σ = (c,π) is a valid signature, implies that (pk,sk) is a valid key-pair with all

but negligible probability. Thus,

Pr[A succeeds]

≥

≥

Pr[A succeeds |F succeeds in Experiment 3] · Pr[F succeeds in Experiment 3]

(1 − negl(k)) · Pr[F succeeds in Experiment 3] ,

and so Pr3[Succ] must be negligible, as desired.

8.2Continual Leakage Resilience — With Leakage from the Signing Process

The construction in the previous section is not necessarily resilient to leakage that occurs during

the signing process. In particular, if part of the randomness used to encrypt sk (during the course

of computing a signature) is leaked, then there is no longer any guarantee that sk remains secret.

Similarly, if part of the randomness used to compute the NIZK proof is leaked then there is no

longer any guarantee that the witness (which includes sk) remains hidden.

Here we show how to modify the signature scheme so as to obtain security against continual

leakage, even if it occurs during the signing process. Interestingly, we solve this by making our

scheme leak more: In our new scheme, the signatures themselves leak information about the signing-

key. Thus the scheme does not even conform with the standard definition of security (without

leakage). In the CML model, however, this caveat is tolerable, since we have a method for refreshing

42

Page 44

the key. We have to require, however, that the signing-key is periodically refreshed, even regardless

of any adversarial action, resulting in a variant of CML security. In addition, we need to rely on

stronger assumptions. We discuss these in turn.

In our modified model of continual leakage resilience, we add an additional ?-bit leakage that

occurs each time a signature is generated; this leakage is in addition to any leakage explicitly

specified by the adversary. As explained above, this additional leakage represents information

included in the signature itself (that is needed in order to verify). To ensure meaningful security, as

usual, we need to ensure that the total leakage is some bounded fraction of the secret-key length.

As a consequence, the signer must now run the update operation every time it issues a certain

number of signatures, even if it is willing to assume that no additional leakage occurred. A formal

definition, for the case of general ?, follows.

Definition 8.1. Signature scheme (Gen,Sign,Ver,Update) is existentially unforgeable under adap-

tive chosen message attack in the CML model, with leakage rate (ρG,ρU,ρS,ρM) and signature

leakage ? = ?(k), if any ppt forger succeeds in the following game with only negligible probability.

1. Initialize. The forger specifies a circuit f with |f(r,p)| ≤ ρG· |r| for all r,p. The chal-

lenger chooses “secret randomness” r and “public randomness” p, generates (sk0,vk) ←

Gen(1k;r,p), sends (vk,p,f(r,p)) to the forger, and sets i := 0 and L0:= |f(r,p)|.

2. Signatures, leakage, and updates. The forger makes queries of the following types:

• Signing queries (sign,m,f), where f is a circuit with |f(sk,r,p)| ≤ ρS· (|sk| + |r|) for

all sk,r,p. The challenger chooses “secret randomness” r and “public randomness” p,

and computes σ ← Signski,vk(m;r,p). If Li+ |f(ski,r,p)| + ? ≤ ρM· |ski| then the

challenger returns (σ,p,f(ski,r,p)) to the forger and sets Li:= Li+ |f(ski,r,p)| + ?.

Otherwise, the challenger aborts.

• Update queries (update,f), where f is a circuit with |f(sk,r,p)| ≤ ρU· (|sk| + |r|) for

all sk,r,p. The challenger chooses “secret randomness” r and “public randomness” p,

and computes ski+1:= Updatevk(ski;r,p). If Li+|f(ski,r,p)| ≤ ρM·|ski| then the chal-

lenger returns (p,f(ski,r,p)) to the forger, sets i := i+1, and sets Li+1:= |f(ski,r,p)|.

Otherwise, the challenger aborts.

• Leakage queries (leak,f), where f is a circuit. If Li+ |f(ski)| ≤ ρM· |ski| then the

challenger returns f(ski) to the forger and sets Li := Li+ |f(ski)|. Otherwise, the

challenger aborts.

3. Finish. Assuming the challenger did not abort, the forger outputs (m∗,σ∗).

The forger succeeds if it never made the query (sign,m∗), and Vervk(m∗,σ∗) = 1 .

Note that Definition 8.1 generalizes Definition 3.2, and the two coincide for ? = 0.

Our construction, presented in Figure 6, can be viewed as modifying the scheme from the

previous section in two ways:

• Recall that in our previous construction, each signature contained an encryption of sk — the

secret-key of the underlying leakage-resilient encryption scheme. Now, rather than using a

public-key encryption scheme to encrypt sk, we “encrypt” it using a family of lossy trapdoor

functions (Sinj,Sloss,G,G−1), in a particular way (see Figure 6).

43

Page 45

• Instead of using a (simulation-sound) NIZK proof system, we use a (non-interactive) argument

system with short proofs; i.e., proofs that are significantly shorter than the witness size.

Intuitively, even though we cannot say much about what information might be leaked by a

proof of some statement, we can bound the leakage by the length of the proof. (For our

purposes, we can obtain proofs of size ω(log2k).) Proofs are with respect to the following

NP language: L?=??{yi}k

yi= Gsi(ri)

i=1,{si}k

i=1,pk??for which there exist sk,{ri} such that:

i=1ri= skT(pk,sk) = 1.

??k

?

The scheme we describe achieves only a weaker notion of security, termeda-priori unforgeability

against chosen-message attacks (a-cma) in [BK10], where the adversary is given a random “chal-

lenge” message m in advance, can request signatures on any messages other than m, and then

succeeds only if it outputs a forgery on m. We then apply a recent transformation from [BK10] to

obtain a scheme satisfying Definition 8.1.

Signature scheme T2

Key Generation. The key-generation algorithm Gen does as follows:

1. The message space of the scheme is {0,1}nwhere n ∈ N is related to the security parameter

k by some function n = α(k) to be determined later.

2. Sample a pair of keys for the leakage-resilient encryption scheme (pk,sk) ← L-Gen(1k), using

secret/public randomness as specified by L-Gen.

3. For i ∈ [n] and b ∈ {0,1}, sample (obliviously, using public randomness) a key si,bfor a lossy

trapdoor function.

4. Using public randomness, choose a string crs for a non-interactive argument system.

The signing key is sk, and the verification key is vk = (pk,{si,b},crs).

Signing. Given inputs m, a secret key sk, and a verification key (pk,{si,b},crs), do:

1. Using secret randomness, choose n random strings r1,...,rnsuch that?n

2. Compute yi:= Gsi,mi(ri) for all i.

3. Using public randomness, compute a non-interactive argument π for the statement

({yi}n

Output σ = ({yi}n

Verifying. To verify a signature σ = ({yi},π) on a message m, with respect to the verification key

(pk,{si,b},crs), check whether π is a valid proof of the statement ({yi}n

respect to crs.

i=1ri= sk.

i=1,{si,mi}n

i=1,pk) ∈ L?, using sk,{ri}n

i=1,π) as a signature for m.

i=1as the witness.

i=1,{si,mi}n

i=1,pk) ∈ L?with

Updating. The update procedure Update is identical to the update procedure of the underlying

leakage-resilient encryption scheme L, using public/secret randomness as directed by L-Update.

Figure 6: Signature scheme in the CML model.

Theorem 8.2. Let L be a semantically secure public-key encryption scheme in the CML model,

with leakage rate (ρG,ρU,ρM); let (Sinj,Sloss,G,G−1) be a family of LTDF with oblivious sampling

(see Definition 4.4) with lossy parameter ?/2; and let Π be a non-interactive argument system with

proofs of length ?/2. Then signature scheme T2described in Figure 6 is a priori unforgeable under

chosen-message attacks in the CML model, with leakage rate (ρG,ρU,ρS,ρM), where ρS= ρM, and

signature leakage ?.

44

Page 46

Proof. Let F be a ppt forger attacking T2, and let Pr[Succ] denote the success probability of F

with respect to the notion of a priori unforgeability (and the stated leakage parameters).

We first modify the experiment in the following way: Let m = m1···mn be the random

(challenge) message given to the adversary. Instead of generating all seeds {si,b} obliviously, we

now generate the seeds {si,mi}n

properties of the LTDF immediately imply that this has only a negligible effect on the success

probability of F. Let Pr?[Succ] denote the success probability of F in this modified experiment.

We show that Pr?[Succ] is negligible, by reduction to the semantic security of L in the CML

model. Construct the following ppt adversary A attacking L:

1. Choose a random message m ← {0,1}nand give it to F.

2. For all i, compute (si,mi,ti) ← Sinj(1n) and (si, ¯ mi,⊥) ← Sloss(1n). Also choose a random crs

for the non-interactive argument system.

i=1using Sinj, and generate the remaining seeds using Sloss. The

3. Run F as a subroutine. Given f as output by F, define fL(·,·)

the leakage function fL. (Note that fL(r,p) ≤ ρG· |r| iff f(r,p,pk?,crs) ≤ ρG· |r|.) Obtain in

return a public key pk, public randomness p, and leakage fL(r,p). Give to A the verification

key (pk,{si,b},crs), public randomness (p,{si,b},crs), and leakage fL(r,p) = f(r,p,{si,b},crs).

4. When F makes a signing query for a message m?with leakage function f, adversary A answers

it as follows.

.= f(·,·,{si,b},crs) and output

(a) Find an index i such that m?

(b) For all j ?= i, choose random rjand compute yj:= Gsj,m?

(c) Choose randomness r for the non-interactive argument system.

(d) Make a leakage query (leak,g) where the circuit g has the values {rj}j?=ihard-wired into

it, and on input sk it computes the following:

• Set ri:= sk ⊕?

L?with respect to crs, using witness (sk,{ri}n

• Compute f(sk,{ri}n

Finally, the circuit g on input sk outputs (yi,π,f(sk,{ri}n

(e) Give to F the signature ({yi}n

The total leakage of A’s query (in an information-theoretic sense) is |f(sk,{ri},r)| + ?/2 +

?/2 = |f(sk,{ri},r)|+? bits, where ?/2 bits are due to the leakage16from yiand ?/2 bits are

due to π.

i?= mi.

j(rj).

j?=irjand compute yi

.= Gsi,m?

i(ri).

• Compute a non-interactive argument π for the statement ({yi}n

i=1,{si,m?

i}n

i=1,pk) ∈

i=1) and randomness r.

i=1,r).

i=1,r)).

i=1,π), public randomness r, and leakage f(sk,{ri}n

i=1,r).

5. When F makes a leakage query (leak,f), adversary A forwards this query to its own leakage

oracle and then forwards the response to F. Since the size of the secret key in T2is identical

to the size of the secret key in L, the global bound on the relative leakage is respected.

6. When F makes an update query (update,f), adversary A forwards this query to own update

oracle and then forwards the response to F.

16Although |yi| > ?/2, the value yi only leaks ?/2 bits (with all but negligible probability) in an information-

theoretic sense.

45

Page 47

7. Assuming the challenger has not aborted, F outputs a signature σ = ({yi},π). If F succeeds

(and so, in particular, the proof π is valid), then A uses the trapdoors {ti} to compute

{ri := G−1

aborts. Otherwise, A outputs two distinct messages m0,m1and receives a challenge ciphertext

cb← L-Encpk(mb). It then uses the secret key sk to decrypt cband thus guess b.

Note that A provides a perfect simulation of the modified experiment for F. Therefore, F

succeeds in outputting a valid forgery with probability exactly Pr?[Succ]. Computational soundness

of Π, together with the fact that σ = ({yi},π) is a valid signature, implies that (pk,sk) is a valid

key-pair with overwhelming probability. The theorem follows easily.

si,mi(yi)} and finally sk =

?n

i=1ri. If (pk,sk) is not a valid key-pair, then A

We now relate security in the model of a priori unforgeability to security against the standard

notion of existential unforgeability.

Theorem 8.3. Assume that there exists a signature scheme T2 (for messages of length at least

n = α(k)) that is a priori unforgeable under adaptive chosen-message attacks in the CML model,

with leakage rate (ρG,ρU,ρS,ρM) and signature leakage ?, and assume the existence of collision-

resistant hash functions mapping strings of length k to strings of length α(k). Then there exists

a signature scheme T?

leakage rate (ρG,ρU,

2that is existentially unforgeable under adaptive chosen-message attacks with

ρS

α(k),ρM) and signature leakage ? · α(k).

Note that α(k) can be made as small as ω(logk), at the price of relying on an exponential

hardness assumption.

This theorem follows from a very recent work of [BK10], which shows how to convert any signature

scheme that is a priori unforgeable under adaptive chosen message attacks, into one which is exis-

tentially unforgeable under adaptive chosen message attacks.17Looking into their transformation,

it is easy to see that their transformation also works for signature schemes in the CML model, with

the following parameters.

Corollary 8.4 ([BK10]). There exists a generic transformation for converting any signature scheme T2

that is a priori unforgeable under adaptive chosen message attacks in the CML model with leak-

age rate (ρG,ρU,ρS,ρM) and signature leakage ?, into a new signature scheme T?

tentially unforgeable under adaptive chosen message attacks in the CML model with leakage rate

(ρG,ρU,

{0,1}α(k).

Very loosely speaking, the new signing algorithm signs all the prefixes of the message to be

signed (actually, it signs a universal hash function applied to each prefix, where the universal hash

function is added to the verification key). This intuitively explains the loss in the leakage rate from

the signing algorithm and the loss in the signature leakage. The key generation of T?

identical to that of T2, except that T?

key, but the private randomness used by the key generation of T?

the secret keys in both schemes are identical). Moreover, the update algorithm of T?

that of T2. This explains why the rest of the parameters ρG,ρU,ρMare left unchanged.

Proof of Theorem 8.3. First, using the collision resistant hash family H, one can assume without

loss of generality that the message space of T2is contained in {0,1}α(k), by first hashing the message

17Actually, the transformation of [BK10] converts any signature scheme that is a priori unforgeable under static

message attacks into one which is existentially unforgeable under adaptive chosen message attacks. But we will only

apply it to schemes which are a priori unforgeable under adaptive chosen message attacks.

2that is exis-

ρS

α(k),ρM) and signature leakage ? · α(k), assuming the message space of T2is contained in

2is almost

2has the additional universal hash function in its verification

2is identical to that of T2(and

2is identical to

46

Page 48

and then signing it. Then, Corollary 8.4 immediately implies that there exists a signature scheme

T?

leakage rate (ρG,ρU,

2that is existentially unforgeable under adaptive chosen message attacks in the CML model with

ρS

α(k),ρM) and signature leakage ? · α(k), as desired.

Finally, we combine Theorem 8.2 and Theorem 8.3, to obtain the main result of this subsection.

Theorem 8.5. Assume the existence of: (1) a semantically secure public-key encryption scheme

in the CML model, with leakage rate (ρG,ρU,ρM); (2) a family of LTDF with oblivious sampling

with lossy parameter ?/2; (3) a non-interactive argument system with proofs of length ?/2; (4) a

collision-resistant hash functions mapping strings of length k to strings of length α(k). Then there

exists a signature scheme that is existentially unforgeable under adaptive chosen message attacks in

the CML model, with leakage rate (ρG,ρU,ρS,ρM), where ρS=

ρM

α(k), and signature leakage ? · α(k).

47

Page 49

References

[ADN+10]Joel Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, and Daniel Wichs.

Public-key encryption in the bounded-retrieval model. To Appear in Eurocrypt 2010,

2010.

[ADW09] Jo¨ el Alwen, Yevgeniy Dodis, and Daniel Wichs. Leakage-resilient public-key cryptog-

raphy in the bounded-retrieval model. In Halevi [Hal09], pages 36–54.

[AGV09] Adi Akavia, Shafi Goldwasser, and Vinod Vaikuntanathan. Simultaneous hardcore

bits and cryptography against memory attacks. In Omer Reingold, editor, TCC,

volume 5444 of Lecture Notes in Computer Science, pages 474–495. Springer, 2009.

[BBS04]Dan Boneh, Xavier Boyen, and Hovav Shacham.

Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer

Science, pages 41–55. Springer, 2004.

Short group signatures.In

[BFM88]

Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and

its applications (extended abstract). In STOC, pages 103–112. ACM, 1988.

[BFO08]

Alexandra Boldyreva, Serge Fehr, and Adam O’Neill. On notions of security for

deterministic encryption, and efficient constructions without random oracles. In David

Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages

335–359. Springer, 2008.

[BG08] Boaz Barak and Oded Goldreich. Universal arguments and their applications. SIAM

J. Comput., 38(5):1661–1694, 2008.

[BK10]

Zvika Brakerski and Yael Tauman Kalai. A framework for efficient signatures, ring

signatures and identity based encryption in the standard model. Cryptology ePrint

Archive, Report 2010/086, 2010. http://eprint.iacr.org/.

[Boy99] Victor Boyko. On the security properties of oaep as an all-or-nothing transform. In

CRYPTO, pages 503–518, 1999.

[BSMP91]

Manuel Blum, Alfredo De Santis, Silvio Micali, and Giuseppe Persiano. Noninteractive

zero-knowledge. SIAM J. Comput., 20(6):1084–1118, 1991.

[CDH+00]

Ran Canetti, Yevgeniy Dodis, Shai Halevi, Eyal Kushilevitz, and Amit Sahai.

Exposure-resilient functions and all-or-nothing transforms. In EUROCRYPT, pages

453–469, 2000.

[CLW06] Giovanni Di Crescenzo, Richard J. Lipton, and Shabsi Walfish. Perfectly secure pass-

word protocols in the bounded retrieval model. In TCC, pages 225–244, 2006.

[DHLAW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt, and Daniel Wichs. Cryp-

tography against continuous memory attacks. Manuscript, 2010.

[DKL09]Yevgeniy Dodis, Yael Tauman Kalai, and Shachar Lovett. On cryptography with

auxiliary input. In Michael Mitzenmacher, editor, STOC, pages 621–630. ACM, 2009.

[DOPS04]Yevgeniy Dodis, Shien Jin Ong, Manoj Prabhakaran, and Amit Sahai.

(im)possibility of cryptography with imperfect randomness. In FOCS, pages 196–

205, 2004.

On the

48

Page 50

[DP08]Stefan Dziembowski and Krzysztof Pietrzak.

FOCS, pages 293–302. IEEE Computer Society, 2008.

Leakage-resilient cryptography.In

[DS05]Yevgeniy Dodis and Adam Smith. Correcting errors without leaking partial informa-

tion. In Gabow and Fagin [GF05], pages 654–663.

[FGK+09]David Mandell Freeman, Oded Goldreich, Eike Kiltz, Alon Rosen, and Gil Segev.

More constructions of lossy and correlation-secure trapdoor functions. Cryptology

ePrint Archive, Report 2009/590, 2009. http://eprint.iacr.org/.

[FKPR10]

Sebastian Faust, Eike Kiltz, Krzysztof Pietrzak, and Guy N. Rothblum. Leakage-

resilient signatures. In TCC, pages 343–360, 2010.

[FLS90]Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge

proofs based on a single random string (extended abstract). In FOCS, volume I, pages

308–317. IEEE, 1990.

[FRR+10]Sebastian Faust, Tal Rabin, Leonid Reyzin, Eran Tromer, and Vinod Vaikuntanathan.

Protecting against leakage: the computationally bounded and noisy cases. To Appear

in Eurocrypt 2010, 2010.

[Gam84]Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete

logarithms. In CRYPTO, pages 10–18, 1984.

[GF05]

Harold N. Gabow and Ronald Fagin, editors. Proceedings of the 37th Annual ACM

Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005. ACM,

2005.

[GR10]Shafi Goldwasser and Guy Rothblum. How to play mental solitaire under continuous

side-channels: A completeness theorem using secure hardware. Manuscript, 2010.

[Hal09]Shai Halevi, editor. Advances in Cryptology - CRYPTO 2009, 29th Annual Interna-

tional Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Pro-

ceedings, volume 5677 of Lecture Notes in Computer Science. Springer, 2009.

[HSH+08]J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William

Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W.

Felten. Lest we remember: Cold boot attacks on encryption keys. In USENIX Security

Symposium, pages 45–60, 2008.

[IPSW06] Yuval Ishai, Manoj Prabhakaran, Amit Sahai, and David Wagner. Private circuits ii:

Keeping secrets in tamperable circuits. In EUROCRYPT, pages 308–327, 2006.

[ISW03] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware

against probing attacks. In CRYPTO, pages 463–481, 2003.

[JV10]Ali Juma and Yevgeniy Vahlis. Leakage-resilient key proxies. Manuscript, 2010.

[Kil92]Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended ab-

stract). In STOC, pages 723–732. ACM, 1992.

[KJJ99] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In

CRYPTO, pages 388–397, 1999.

49