Leakage-Resilient Cryptography

We construct a stream-cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state ofS is leaked during computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrary large. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The stream-cipher S generates its output in chunks K1, K2, . . . and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively chose a function fl : {0,1}* rarr {0, 1}lambda before Kl is computed, she then gets fl(taul) where taul is the internal state ofS that is accessed during the computation of Kg. One notion of security we prove for S is that Kg is indistinguishable from random when given K1,..., K1-1,f1(tau1 ),..., fl-1(taul-1) and also the complete internal state of S after Kg has been computed (i.e. S is forward-secure). The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILLpseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage lambda that we can tolerate in each step depends on the strength of the underlying PRG, it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard.

[1]  Moti Yung,et al.  A Block Cipher based PRNG Secure Against Side-Channel Key Recovery , 2007, IACR Cryptol. ePrint Arch..

[2]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[3]  Stefan Dziembowski,et al.  Intrusion-Resilience Via the Bounded-Storage Model , 2006, TCC.

[4]  David Cash,et al.  Intrusion-Resilient Key Exchange in the Bounded Retrieval Model , 2007, TCC.

[5]  Yael Tauman Kalai,et al.  One-Time Programs , 2008, CRYPTO.

[6]  Bruce Schneier,et al.  Side Channel Cryptanalysis of Product Ciphers , 1998, J. Comput. Secur..

[7]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[8]  Yevgeniy Dodis,et al.  Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model , 2009, CRYPTO.

[9]  Stefan Dziembowski,et al.  On Forward-Secure Storage , 2006, CRYPTO.

[10]  R. Ostrovsky,et al.  Smooth Histograms for Sliding Windows , 2007, FOCS 2007.

[11]  Ueli Maurer,et al.  On Generating the Initial Key in the Bounded-Storage Model , 2004, EUROCRYPT.

[12]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[13]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[14]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[15]  Giovanni Di Crescenzo,et al.  Perfectly Secure Password Protocols in the Bounded Retrieval Model , 2006, TCC.

[16]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[17]  Luca Trevisan,et al.  Guest column: additive combinatorics and theoretical computer science , 2009, SIGA.

[18]  Ueli Maurer,et al.  A universal statistical test for random bit generators , 1990, Journal of Cryptology.

[19]  W. T. Gowers,et al.  Decompositions, approximate structure, transference, and the Hahn–Banach theorem , 2008, 0811.3103.

[20]  Moti Yung,et al.  A block cipher based pseudo random number generator secure against side-channel key recovery , 2008, ASIACCS '08.

[21]  Amit Sahai,et al.  On Perfect and Adaptive Security in Exposure-Resilient Cryptography , 2001, EUROCRYPT.

[22]  Jean-Jacques Quisquater,et al.  ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards , 2001, E-smart.

[23]  Ran Canetti,et al.  How to Protect Yourself without Perfect Shredding , 2008, ICALP.

[24]  Avi Wigderson,et al.  Computational Analogues of Entropy , 2003, RANDOM-APPROX.

[25]  Ueli Maurer,et al.  A Provably-Secure Strongly-Randomized Cipher , 1991, EUROCRYPT.

[26]  Stefan Dziembowski,et al.  Intrusion-Resilient Secret Sharing , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[27]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[28]  David Zuckerman,et al.  DETERMINISTIC EXTRACTORS FOR BIT-FIXING SOURCES AND EXPOSURE-RESILIENT CRYPTOGRAPHY , 2003 .

[29]  Madhur Tulsiani,et al.  Dense Subsets of Pseudorandom Sets , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[30]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[31]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography in the Standard Model , 2008, IACR Cryptol. ePrint Arch..

[32]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[33]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[34]  J. Neumann Zur Theorie der Gesellschaftsspiele , 1928 .

[35]  Salil P. Vadhan,et al.  Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model , 2003, Journal of Cryptology.

[36]  Yuval Ishai,et al.  Private Circuits II: Keeping Secrets in Tamperable Circuits , 2006, EUROCRYPT.

[37]  T. Tao,et al.  The primes contain arbitrarily long arithmetic progressions , 2004, math/0404188.

[38]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.