Efficient Public Key Cryptosystem Resilient to Key Leakage Chosen Ciphertext Attacks

Leakage-resilient public key encryption (PKE) schemes are designed to resist "memory attacks", i.e., the adversary recovers the cryptographic key in the memory adaptively, but subject to constraint that the total amount of leaked information about the key is bounded by some parameter λ. Among all the IND-CCA2 leakage-resilient PKE proposals, the leakage-resilient version of the Cramer-Shoup cryptosystem (CS-PKE), referred to as the KL-CS-PKE scheme proposed by Naor and Segev in Crypto09, is the most practical one. But, the key leakage parameter λ and plaintext length m of KL-CS-PKE are subject to λ+m≤logq−ω(logκ), where κ is security parameter and q is the prime order of the group on which the scheme is based. Such a dependence between λ and m is undesirable. For example, when λ (resp., m) approaches to logq, m (resp., λ) approaches to 0. In this paper, we designed a new variant of CS-PKE that is resilient to key leakage chosen ciphertext attacks. Our proposal is λ≤logq−ω(logκ) leakage-resilient, and the leakage parameter λ is independent of the plaintext space that has the constant size q (exactly the same as that in CS-PKE). The performance of our proposal is almost as efficient as the original CS-PKE. As far as we know, this is the first leakage-resilient CS-type cryptosystem whose plaintext length is independent of the key leakage parameter, and is also the most efficient IND-CCA2 PKE scheme resilient to up to logq−ω(logκ) leakage.

[1]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[2]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[3]  Moti Yung,et al.  A block cipher based pseudo random number generator secure against side-channel key recovery , 2008, ASIACCS '08.

[4]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[5]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[6]  Vinod Vaikuntanathan,et al.  Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[7]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[8]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[9]  Krzysztof Pietrzak,et al.  A Leakage-Resilient Mode of Operation , 2009, EUROCRYPT.

[10]  Markus Kasper,et al.  The World is Not Enough: Another Look on Second-Order DPA , 2010, IACR Cryptol. ePrint Arch..

[11]  Ivan Damgård,et al.  A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System , 2001, Public Key Cryptography.

[12]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[13]  Yael Tauman Kalai,et al.  One-Time Programs , 2008, CRYPTO.

[14]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[15]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[16]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[17]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[18]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[19]  Walter Fumy,et al.  Advances in Cryptology — EUROCRYPT ’97 , 2001, Lecture Notes in Computer Science.

[20]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[21]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[22]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[23]  Graham A. Jullien,et al.  Complexity and Fast Algorithms for Multiexponentiations , 2000, IEEE Trans. Computers.

[24]  Oded Goldreich,et al.  Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity , 1988, SIAM J. Comput..

[25]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[26]  Moti Yung,et al.  A New Randomness Extraction Paradigm for Hybrid Encryption , 2009, EUROCRYPT.

[27]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[28]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[29]  Daniel M. Gordon,et al.  A Survey of Fast Exponentiation Methods , 1998, J. Algorithms.

[30]  Moni Naor,et al.  Public-Key Cryptosystems Resilient to Key Leakage , 2009, SIAM J. Comput..

[31]  Larry Carter,et al.  Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..

[32]  Victor Shoup,et al.  A computational introduction to number theory and algebra , 2005 .

[33]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[34]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[35]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.