Public-Key Cryptosystems Resilient to Key Leakage

SIAM Journal on Computing (Impact Factor: 0.74). 08/2009; 2009(4):105. DOI: 10.1007/978-3-642-03356-8_2
Source: DBLP


Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the “cold boot attacks”, Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of L / polylog(L) bits, where L is the length of the secret key.
In this paper we revisit the above-mentioned framework and our main results are as follows:
We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing constructions of such proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker d-Linear variants), the quadratic residuosity assumption, and Paillier’s composite residuosity assumption.
We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its d-Linear variants), and show that the resulting scheme is resilient to any leakage of L(1 − o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO ’08), constructed to be a “circular-secure” encryption scheme, is resilient to any leakage of L(1 − o(1)) bits. These two proposed schemes complement each other in terms of efficiency.
We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 − o(1)) bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.
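As an added illustration (not the authors' code, and not from this page), here is a toy version of the hash-proof-system encryption template the abstract's generic construction builds on, using the Cramer-Shoup-style DDH proof system in a tiny group. The parameters `P`, `Q`, the generators, the SHA-256 stand-in for the randomness extractor and all function names are my assumptions; `smoothness_demo` shows why part of the secret key may leak without harm: the public key fixes only one linear relation on a two-element key, so a second key consistent with everything visible still evaluates differently on invalid ciphertexts.

```python
import hashlib
import secrets

P, Q = 1019, 509   # constructed toy parameters: P = 2Q + 1, both prime (far too small to be secure)
GENS = [4, 9]      # 2^2 and 3^2 mod P: two generators of the order-Q subgroup of Z_P^*
W = next(w for w in range(1, Q) if pow(GENS[0], w, P) == GENS[1])  # g2 = g1^W (brute force, toy size)

def priv_eval(sk, c):
    # Lambda_sk(c) = c1^x1 * c2^x2: the secret key evaluates the proof system on ANY c
    out = 1
    for ci, x in zip(c, sk):
        out = out * pow(ci, x, P) % P
    return out

def keygen():
    sk = [secrets.randbelow(Q) for _ in GENS]   # sk in Z_Q^2: about 2*log2(Q) bits
    return sk, priv_eval(sk, GENS)              # pk = g1^x1 * g2^x2 fixes only ONE relation on sk

def pub_eval(pk, r):
    return pow(pk, r, P)   # equals Lambda_sk(c) on a VALID c = (g1^r, g2^r), using only pk and r

def extract(seed, value):
    # stand-in (assumption) for the randomness extractor applied to Lambda_sk(c) before masking
    return hashlib.sha256(seed + value.to_bytes(2, "big")).digest()

def encrypt(pk, msg32):
    r = secrets.randbelow(Q)
    c = [pow(g, r, P) for g in GENS]            # valid ciphertext element with witness r
    seed = secrets.token_bytes(16)
    pad = extract(seed, pub_eval(pk, r))
    return c, seed, bytes(a ^ b for a, b in zip(msg32, pad))

def decrypt(sk, ctxt):
    c, seed, body = ctxt
    pad = extract(seed, priv_eval(sk, c))
    return bytes(a ^ b for a, b in zip(body, pad))

def twin_key(sk):
    # a different secret key with the same public key: shift along the kernel of the pk relation
    return [(sk[0] + W) % Q, (sk[1] - 1) % Q]

def smoothness_demo(sk, r=7, r_bad=11):
    # pk cannot tell sk from its twin and both agree on a valid c, but on an INVALID c = (g1^r, g2^r')
    # they differ, so Lambda_sk(c*) keeps entropy given pk even if nearly log2(Q) more bits of sk leak.
    sk2, pk = twin_key(sk), priv_eval(sk, GENS)
    valid = [pow(g, r, P) for g in GENS]
    invalid = [pow(GENS[0], r, P), pow(GENS[1], r_bad, P)]
    return (pk == priv_eval(sk2, GENS),
            priv_eval(sk, valid) == priv_eval(sk2, valid) == pub_eval(pk, r),
            priv_eval(sk, invalid) != priv_eval(sk2, invalid))
```

This two-generator toy leaves roughly half the key's bits unconstrained by the public key; the abstract's L(1 − o(1)) bound comes from the paper's new proof system, not from this instance.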

  • Source
    • "The leakage rate of Naor and Segev (2009) is flexible, ranging over [0, 1). The open problem of leakage resilient chosen ciphertext attacks (CCA) secure PKE was also solved by Naor and Segev (2009), which relies on the HPSs with leakage rate 1/6. Later, some new variants (Li et al., 2012; Liu et al., 2013) of the Cramer and Shoup system (Cramer and Shoup, 2002) by using HPSs are shown to be leakage resilient CCA secure with leakage rate 1/4. "
    ABSTRACT: The goal of this paper is to design an ID-based encryption (IBE) scheme that can flexibly tolerate leakage bounds, by only increasing the size of secret key proportionally, and the security level can be achieved to be against chosen-ciphertext attacks (CCA). As our main technical tool for CCA security, we introduce an initiation of all-but-one lossy filter, which is a simple version of all-but-many lossy filter to the leakage resilient settings. As our main result, we use the all-but-one lossy filter to construct an IBE scheme that is secure against leakage resilient chosen-ciphertext attacks (CCA), and the leakage rate is 1/2 − o(1). Reference to this paper should be made as follows: Wang, Z. (xxxx) 'Leakage resilient CCA secure IBE with all-but-one lossy filter', Int.
    Full-text · Article · Oct 2015 · International Journal of Ad Hoc and Ubiquitous Computing
  • Source
    • "Many cryptographic schemes have been proposed in the leakage-resilient cryptography setting based on different leakage models, for example, leakage-resilient stream ciphers [29], leakage-resilient zero knowledge [30], leakage-resilient PKE [31] [32], leakage-resilient IBE [33] [34], and leakage-resilient signatures [35] [36] [37] [38] [39] [40]. "
    ABSTRACT: A mobile agent can sign a message in a remote server on behalf of a customer without exposing its secret key; it can be used not only to search for special products or services, but also to make a contract with a remote server. Hence a mobile agent system can be used for electronic commerce as an important key technology. In order to realize such a system, Lee et al. showed that a secure mobile agent can be constructed using proxy signatures. Intuitively, a proxy signature permits an entity (delegator) to delegate its signing right to another entity (proxy) to sign some specified messages on behalf of the delegator. However, the proxy signatures are often used in scenarios where the signing is done in an insecure environment, for example, the remote server of a mobile agent system. In such a setting, an adversary could launch side-channel attacks to exploit some leakage information about the proxy key or even other secret states. The proxy signatures which are secure in the traditional security models obviously cannot provide such security. Based on this consideration, in this paper, we design a leakage-resilient proxy signature scheme for the secure mobile agent systems.
    Full-text · Article · Jan 2015 · Mobile Information Systems
  • Source
    • "As noted previously, standard privacy amplification (e.g., postprocessing using a randomness extractor) does not work in this setting, because the adversary also knows the seed for the extractor. However, there are other ways of solving this problem, for instance by assuming the availability of a random oracle, or by using something similar to leakage-resilient encryption [31] [32] (but with a different notion of leakage, where the "leakage function" is restricted to use only LOCC operations, but is allowed access to side-information). "
    ABSTRACT: One-time memories (OTM’s) are simple, tamper-resistant cryptographic devices, which can be used to implement sophisticated functionalities such as one-time programs. Can one construct OTM’s whose security follows from some physical principle? This is not possible in a fully-classical world, or in a fully-quantum world, but there is evidence that OTM’s can be built using “isolated qubits” — qubits that cannot be entangled, but can be accessed using adaptive sequences of single-qubit measurements. Here we present new constructions for OTM’s using isolated qubits, which improve on previous work in several respects: they achieve a stronger “single-shot” security guarantee, which is stated in terms of the (smoothed) min-entropy; they are proven secure against adversaries who can perform arbitrary local operations and classical communication (LOCC); and they are efficiently implementable. These results use Wiesner’s idea of conjugate coding, combined with error-correcting codes that approach the capacity of the q-ary symmetric channel, and a high-order entropic uncertainty relation, which was originally developed for cryptography in the bounded quantum storage model.
    Preview · Article · Jan 2014