Barriers in cryptography with weak, correlated and leaky sources

There has been much recent progress in constructing cryptosystems that maintain their security without requiring uniform randomness and perfect secrecy. These schemes are motivated by a diverse set of problems such as providing resilience to side-channel leakage, using weak physical sources of randomness as secret keys, and allowing deterministic encryption for high-entropy messages. Nevertheless, despite this progress, some basic and seemingly achievable security properties have eluded our reach. For example, we are unable to prove the security of basic tools for manipulating weak/leaky random sources, such as as pseudo-entropy generators and seed-dependent computational condensers. We also do not know how to prove leakage-resilient security of any cryptosystem with a uniquely determined secret key. In the context of deterministic encryption we do not have a standard-model constructions achieving the strongest notion of security proposed by Bellare, Boldyreva and O'Neill (CRYPTO '07), that would allow us to encrypt arbitrarily correlated messages of sufficiently large individual entropy. We provide broad black-box separation results, showing that the security of such primitives cannot be proven under virtually any standard cryptographic hardness assumption via a reduction that treats the adversary as a black box. We do so by formalizing the intuition that "the only way that a reduction can simulate the correctly distributed view for an attacker is to know all the secrets, in which case it does not learn anything useful from the attack". Such claims are often misleading and clever way of getting around them allow us to achieve a wealth of positive results with imperfect/leaky randomness. However, in this work we show that this intuition can be formalized and that it indeed presents a real barrier for the examples given above.

[1]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[2]  Yevgeniy Dodis,et al.  Survey: Leakage Resilience and the Bounded Retrieval Model , 2009, ICITS.

[3]  C. Moler,et al.  Advances in Cryptology , 2000, Lecture Notes in Computer Science.

[4]  Rafael Pass,et al.  Limits of provable security from standard assumptions , 2011, STOC '11.

[5]  Yuval Ishai,et al.  Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[6]  Vinod Vaikuntanathan,et al.  Signature Schemes with Bounded Leakage Resilience , 2009, ASIACRYPT.

[7]  Daniel Wichs,et al.  Fully Leakage-Resilient Signatures , 2011, Journal of Cryptology.

[8]  Yevgeniy Dodis,et al.  On the Instantiability of Hash-and-Sign RSA Signatures , 2012, TCC.

[9]  Aggelos Kiayias,et al.  BiTR: Built-in Tamper Resilience , 2011, IACR Cryptol. ePrint Arch..

[10]  Marc Fischlin,et al.  Black-Box Reductions and Separations in Cryptography , 2012, AFRICACRYPT.

[11]  Luca Trevisan,et al.  Notions of Reducibility between Cryptographic Primitives , 2004, TCC.

[12]  Hovav Shacham,et al.  Careful with Composition: Limitations of the Indifferentiability Framework , 2011, EUROCRYPT.

[13]  Yael Tauman Kalai,et al.  Overcoming the Hole in the Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage , 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[14]  Zvika Brakerski,et al.  Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting , 2011, Journal of Cryptology.

[15]  Brent Waters,et al.  Lossy trapdoor functions and their applications , 2008, SIAM J. Comput..

[16]  Kenneth G. Paterson Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings , 2011, EUROCRYPT.

[17]  Yuval Ishai,et al.  Private Circuits: Securing Hardware against Probing Attacks , 2003, CRYPTO.

[18]  Yael Tauman Kalai,et al.  Leaky Pseudo-Entropy Functions , 2011, ICS.

[19]  Moni Naor,et al.  Public-Key Cryptosystems Resilient to Key Leakage , 2012, SIAM J. Comput..

[20]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[21]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[22]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[23]  Adam O'Neill,et al.  A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy , 2012, Journal of Cryptology.

[24]  Avi Wigderson,et al.  Computational Analogues of Entropy , 2003, RANDOM-APPROX.

[25]  Adam O'Neill,et al.  Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles , 2008, CRYPTO.

[26]  Yevgeniy Dodis,et al.  On the Generic Insecurity of the Full Domain Hash , 2005, CRYPTO.

[27]  Serge Fehr,et al.  On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles , 2008, CRYPTO.

[28]  Rafail Ostrovsky,et al.  Correlated Product Security From Any One-Way Function and the New Notion of Decisional Correlated Product Security , 2012, IACR Cryptol. ePrint Arch..

[29]  Madhur Tulsiani,et al.  Dense Subsets of Pseudorandom Sets , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[30]  Shai Halevi,et al.  After-the-Fact Leakage in Public-Key Encryption , 2011, IACR Cryptol. ePrint Arch..

[31]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[32]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[33]  Mihir Bellare,et al.  Deterministic and Efficiently Searchable Encryption , 2007, CRYPTO.

[34]  Adam O'Neill,et al.  Correlated-Input Secure Hash Functions , 2011, TCC.

[35]  Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6-8 June 2011 , 2011, STOC.

[36]  Thomas Holenstein,et al.  On the (Im)Possibility of Key Dependent Encryption , 2009, TCC.

[37]  Gil Segev,et al.  Chosen-Ciphertext Security via Correlated Products , 2009, SIAM J. Comput..

[38]  Yevgeniy Dodis,et al.  Cryptography against Continuous Memory Attacks , 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[39]  Sampath Kannan,et al.  The relationship between public key encryption and oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[40]  Moni Naor,et al.  Public-Key Encryption in the Bounded-Retrieval Model , 2010, EUROCRYPT.

[41]  Aggelos Kiayias,et al.  A Little Honesty Goes a Long Way - The Two-Tier Model for Secure Multiparty Computation , 2015, TCC.

[42]  Yevgeniy Dodis,et al.  Randomness Condensers for Efficiently Samplable, Seed-Dependent Sources , 2012, TCC.

[43]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[44]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[45]  Tal Malkin,et al.  On the impossibility of basing trapdoor functions on trapdoor predicates , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[46]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[47]  Ran Raz,et al.  On recycling the randomness of states in space bounded computation , 1999, STOC '99.

[48]  Yael Tauman Kalai,et al.  Robustness of the Learning with Errors Assumption , 2010, ICS.

[49]  Guy N. Rothblum,et al.  How to Compute in the Presence of Leakage , 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science.

[50]  Marc Fischlin,et al.  On the Impossibility of Three-Move Blind Signature Schemes , 2010, EUROCRYPT.

[51]  Yevgeniy Dodis,et al.  Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model , 2009, CRYPTO.

[52]  Zvika Brakerski,et al.  Circular and Leakage Resilient Public-Key Encryption Under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back) , 2010, IACR Cryptol. ePrint Arch..

[53]  J. Davenport Editor , 1960 .

[54]  Ronald Cramer Theory of cryptography : 9th theory of cryptography conference, TCC 2012, Taormina, Sicily, Italy, March 19-21, 2012 : proceedings , 2012 .

[55]  Vinod Vaikuntanathan,et al.  Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[56]  Jean-Sébastien Coron,et al.  Security Proof for Partial-Domain Hash Signature Schemes , 2002, CRYPTO.

[57]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.