DOI: 10.1145/1866307.1866324
Research article

Practical leakage-resilient pseudorandom generators

Published: 04 October 2010

ABSTRACT

Cryptographic systems and protocols are the core of many Internet security procedures (such as SSL, SSH, IPSEC, DNSSEC, secure mail, etc.). At the heart of all cryptographic functions is a good source of randomness and, for efficiency, the pseudorandom generator (PRG) primitive. PRGs can also be used in the design of stream ciphers for secure communications. The Internet is nowadays composed of many types of devices with very different hardware and software characteristics. Hence, one of the concerns in such open environments is information "leakage" and its exploitation via so-called "side-channel attacks".

A very extensive and current research direction is designing basic cryptographic operations that are resistant to such attacks. Recent works on leakage-resilient PRGs and stream ciphers made significant progress in providing tools for the analysis of side-channel attacks in the standard cryptographic setting. But in the absence of a completely sound model for the leakages, the only constructions that can be proven secure require tweaks that do not correspond to physical intuition. For example, constructions using an alternating structure, in which a key of bit-size $2n$ can only guarantee a security of at most $2^n$, have been designed for this purpose.

In this paper, we provide two methodological contributions that allow these tweaks to be removed, or their impact reduced to negligible performance overheads. First, we show that the leakage-resilience of a natural (i.e. conforming to engineering experience) stateful PRG can be proven under a random-oracle-based assumption. We then discuss the relevance of this assumption and argue that it nicely captures the reality of actual side-channel attacks. Second, we provide the first construction of a PRG without alternating structure that exploits the keying material to its full length and that can be proven leakage-resilient in the standard model. For this purpose, we only need to assume a non-adaptive leakage function and a small public memory. We also argue that such an assumption is not only realistic, but necessary for any leakage-resilient primitive that grants adversaries a (stateless) reinitialization capability. Together with weaker requirements for practical implementations, these contributions further reduce the gap between the theory and practice of physically observable cryptography.
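To make the abstract's objects concrete, the following is an added illustrative example, not the paper's construction and not code from the authors: a generic key-evolving stateful PRG in which every round reads a public, non-secret seed p_i from a small public memory, emits one output block x_i, and overwrites the secret state k_i with k_{i+1}. HMAC-SHA256 is an assumed stand-in for the PRF or block cipher a real design would use, the public seeds are constructed sample values, and the forward-secrecy check models an adversary who learns the entire secret state at one point in time. Because p_i is fixed before the round executes, any leakage of round i is a function of inputs the adversary could not choose after seeing earlier leakage, which is the non-adaptive setting the abstract refers to.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, label: bytes, public_seed: bytes) -> bytes:
    """HMAC-SHA256 as an assumed stand-in for the PRF / block cipher call."""
    return hmac.new(key, label + public_seed, hashlib.sha256).digest()


def fresh_key() -> bytes:
    """Initial secret state k_0 (32 random bytes)."""
    return secrets.token_bytes(32)


class StatefulPRG:
    """Illustrative key-evolving stateful PRG (hypothetical, not the paper's).

    Round i: x_i = PRF(k_i, "out" || p_i), k_{i+1} = PRF(k_i, "key" || p_i),
    where p_i comes from a small public memory known to everyone.
    """

    def __init__(self, key: bytes, public_memory: list):
        self.key = key                       # current secret state k_i
        self.public_memory = public_memory   # constructed public seeds p_i
        self.round = 0

    def next_block(self) -> bytes:
        p = self.public_memory[self.round % len(self.public_memory)]
        out = prf(self.key, b"out", p)       # output block x_i
        self.key = prf(self.key, b"key", p)  # k_{i+1}; k_i is no longer held
        self.round += 1
        return out

    def snapshot(self) -> tuple:
        """Everything an adversary learns by reading the full secret state."""
        return self.key, self.round


def run_stream(key: bytes, public_memory: list, n: int) -> list:
    """Generate n output blocks from k_0 and the public memory."""
    prg = StatefulPRG(key, public_memory)
    return [prg.next_block() for _ in range(n)]


def forward_secrecy_check(key: bytes, public_memory: list,
                          compromise_after: int, total: int) -> dict:
    """Model a full state compromise after `compromise_after` rounds.

    The leaked state plus the public memory reproduces all *future* blocks;
    the *past* blocks were derived from keys that were overwritten, so
    recovering them would require inverting the PRF.  The check reports
    whether the future stream is reproduced and whether the state actually
    evolved away from k_0 (the property that makes the past unrecoverable).
    """
    honest = StatefulPRG(key, public_memory)
    stream = [honest.next_block() for _ in range(total)]

    victim = StatefulPRG(key, public_memory)
    for _ in range(compromise_after):
        victim.next_block()
    leaked_key, leaked_round = victim.snapshot()

    # adversary re-runs the generator from the leaked state only
    replay = StatefulPRG(leaked_key, public_memory)
    replay.round = leaked_round
    future = [replay.next_block() for _ in range(total - compromise_after)]

    return {
        "future_reproduced": future == stream[compromise_after:],
        "state_evolved": leaked_key != key,
    }


if __name__ == "__main__":
    k0 = fresh_key()
    pm = [secrets.token_bytes(16) for _ in range(4)]  # constructed public memory
    print("first block:", run_stream(k0, pm, 1)[0].hex())
    print(forward_secrecy_check(k0, pm, compromise_after=3, total=8))
```

Two design points the example makes visible: the public seeds are part of the design's correctness (two devices sharing k_0 must also share the public memory to stay in sync), and the only secret that persists between rounds is the current key, so the window an implementation must protect against side-channel observation is one PRF call per round rather than a long-lived master key reused across the whole stream.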


Published in

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010, 782 pages
ISBN: 9781450302456
DOI: 10.1145/1866307

Copyright © 2010 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '10 paper acceptance rate: 55 of 325 submissions, 17%. Overall acceptance rate: 1,261 of 6,999 submissions, 18%.
