Leakage-Resilient Cryptography in the Standard Model

We construct a stream-cipher S whose implementation is secure even if arbitrary (adversarially chosen) information on the internal state of S is leaked during computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrarily large, in particular much larger than the internal state of S. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The construction can be based on any pseudorandom generator, and the only computational assumption we make is that this PRG is secure against non-uniform adversaries in the classical sense (i.e. when there are no side-channels). The stream-cipher S generates its output in chunks K_1, K_2, ..., and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively choose a function f_l : {0,1}* → {0,1}^λ before K_l is computed; she then gets f_l(τ_l), where τ_l is the internal state of S that is accessed during the computation of K_l. One notion of security we prove for S is that K_l is indistinguishable from random when given K_1, ..., K_{l−1}, f_1(τ_1), ..., f_{l−1}(τ_{l−1}) and also the complete internal state of S after K_l has been computed (i.e. our cipher is forward-secure). The construction is based on alternating extraction (previously used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage λ that we can tolerate in each step depends on the strength of the underlying PRG: it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard.

Preliminary Version – May 28, 2008 – 21:11
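The leakage game described in the abstract, as an added example that is not code from the paper: a toy stream cipher in the "alternating extraction" pattern, where each round reads only one of two secret key shares plus a public seed, so the share that seeds the next round is never part of the accessed state τ_l. HMAC-SHA256 stands in for the PRG and SHA-256 for the extractor (both are assumptions made here for a runnable sketch, not the paper's instantiation), the state layout and rotation rule are this example's own simplification, and `leakage_game` truncates the adversary's f_l(τ_l) to λ bits to model bounded leakage per step. The structural checks at the end exercise the two properties the abstract relies on, namely that only accessed data can leak and that the state handed over after K_l no longer contains the share consumed to compute it; they are not a proof of indistinguishability.

```python
# Toy model of the leakage game from the abstract, built around a stream cipher
# in the "alternating extraction" pattern: each round touches only one of two
# secret key shares, so the share that seeds the next round never appears in tau_l.
import hashlib
import hmac
from typing import Callable, List, Tuple

BLOCK = 32  # bytes per key share, seed and output chunk (constructed parameter)
LeakFn = Callable[[bytes], bytes]


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG stand-in. Assumption: HMAC-SHA256 in counter mode
    plays the role of the PRG; the abstract only requires a PRG secure against
    non-uniform adversaries without side channels."""
    left = hmac.new(seed, b"\x00", hashlib.sha256).digest()
    right = hmac.new(seed, b"\x01", hashlib.sha256).digest()
    return left, right


def extract(share: bytes, pub: bytes) -> bytes:
    """Extractor stand-in: hash of a secret share with a public seed.
    Assumption: a hash replaces the randomness extractor of the construction."""
    return hashlib.sha256(share + pub).digest()


class AlternatingStreamCipher:
    """State (share_cur, share_next, pub). Round l reads share_cur and pub,
    derives a fresh share and the chunk K_l, then rotates: share_next becomes
    share_cur, the fresh share becomes share_next, and K_l doubles as the next
    public seed. share_next is never read in round l, which is what makes the
    'only accessed data leaks' assumption useful."""

    def __init__(self, share_a: bytes, share_b: bytes, pub: bytes):
        self.share_cur, self.share_next, self.pub = share_a, share_b, pub

    def step(self) -> Tuple[bytes, bytes]:
        """Return (K_l, tau_l): the output chunk and exactly the state that was
        accessed to compute it, i.e. the input the adversary's f_l is applied to."""
        tau = self.share_cur + self.pub
        fresh_share, chunk = prg(extract(self.share_cur, self.pub))
        # Rotate shares: the share just consumed is erased from the state.
        self.share_cur, self.share_next, self.pub = self.share_next, fresh_share, chunk
        return chunk, tau

    def state(self) -> bytes:
        """Complete internal state, what the forward-security game hands over."""
        return self.share_cur + self.share_next + self.pub


def leakage_game(cipher: AlternatingStreamCipher, leak_fns: List[LeakFn],
                 lam: int) -> List[Tuple[bytes, str]]:
    """Run one round per adversary-chosen f_l. The adversary learns K_l and
    f_l(tau_l) truncated to lam bits, modelling bounded leakage per step."""
    transcript = []
    for f in leak_fns:
        chunk, tau = cipher.step()
        leak_bits = "".join(f"{b:08b}" for b in f(tau))[:lam]
        transcript.append((chunk, leak_bits))
    return transcript


def keystream(share_a: bytes, share_b: bytes, pub: bytes, rounds: int) -> List[bytes]:
    """Output chunks K_1..K_rounds for a given initial state (deterministic)."""
    c = AlternatingStreamCipher(share_a, share_b, pub)
    return [c.step()[0] for _ in range(rounds)]


def next_share_never_accessed(rounds: int) -> bool:
    """Structural check on constructed initial keys: for every round l, the share
    consumed in round l+1 does not occur in tau_l, and the share consumed in
    round l is absent from the state handed over after K_l is computed."""
    c = AlternatingStreamCipher(bytes(range(32)), bytes(range(32, 64)), bytes(32))
    for _ in range(rounds):
        used = c.share_cur
        _, tau = c.step()
        if c.share_cur in tau:   # share for round l+1 was touched in round l
            return False
        if used in c.state():    # consumed share survives in the state
            return False
    return True


if __name__ == "__main__":
    cipher = AlternatingStreamCipher(bytes(range(32)), bytes(range(32, 64)), bytes(32))
    # The adversary asks for the whole accessed state, but only lam bits get through.
    for k, leak in leakage_game(cipher, [lambda t: t] * 3, lam=16):
        print(k.hex()[:16], leak)
```

The point of the rotation in `step` is that τ_l = share_cur || pub never includes share_next, so whatever f_l computes from τ_l carries no information about the share used in round l+1 beyond what the public seed already reveals; a real instantiation would replace the hash stand-ins with the PRG and extractor the construction requires.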

[1] Amit Sahai et al. On Perfect and Adaptive Security in Exposure-Resilient Cryptography. EUROCRYPT, 2001.

[2] Yuval Ishai et al. Private Circuits II: Keeping Secrets in Tamperable Circuits. EUROCRYPT, 2006.

[3] Giovanni Di Crescenzo et al. Perfectly Secure Password Protocols in the Bounded Retrieval Model. TCC, 2006.

[4] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[5] Siva Sai Yerubandi et al. Differential Power Analysis. 2002.

[6] David Zuckerman et al. Deterministic Extractors for Bit-Fixing Sources and Exposure-Resilient Cryptography. 2003.

[7] Ueli Maurer et al. A Provably-Secure Strongly-Randomized Cipher. EUROCRYPT, 1991.

[8] David Cash et al. Intrusion-Resilient Key Exchange in the Bounded Retrieval Model. TCC, 2007.

[9] Silvio Micali et al. Physically Observable Cryptography (Extended Abstract). TCC, 2004.

[10] Salil P. Vadhan et al. Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model. Journal of Cryptology, 2003.

[11] Moti Yung et al. A Block Cipher based PRNG Secure Against Side-Channel Key Recovery. IACR Cryptology ePrint Archive, 2007.

[12] Stefan Dziembowski et al. Intrusion-Resilience Via the Bounded-Storage Model. TCC, 2006.

[13] Stefan Dziembowski et al. On Forward-Secure Storage. CRYPTO, 2006.

[14] Jean-Jacques Quisquater et al. ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards. E-smart, 2001.

[15] Yuval Ishai et al. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO, 2003.

[16] Richard J. Lipton et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). EUROCRYPT, 1997.

[17] Ueli Maurer et al. On Generating the Initial Key in the Bounded-Storage Model. EUROCRYPT, 2004.

[18] Bruce Schneier et al. Side Channel Cryptanalysis of Product Ciphers. Journal of Computer Security, 1998.

[19] Stefan Dziembowski et al. Intrusion-Resilient Secret Sharing. 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07), 2007.

[20] Francis Olivier et al. Electromagnetic Analysis: Concrete Results. CHES, 2001.

[21] Avi Wigderson et al. Computational Analogues of Entropy. RANDOM-APPROX, 2003.

[22] Eyal Kushilevitz et al. Exposure-Resilient Functions and All-or-Nothing Transforms. EUROCRYPT, 2000.

[23] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 1999.

[24] J. Neumann. Zur Theorie der Gesellschaftsspiele. 1928.

[25] Eli Biham et al. Differential Fault Analysis of Secret Key Cryptosystems. CRYPTO, 1997.

[26] Markus G. Kuhn et al. Tamper resistance: a cautionary note. 1996.