On (Destructive) Impacts of Mathematical Realizations over the Security of Leakage Resilient ElGamal Encryption

Leakage resilient cryptography aims to address inadvertent and unexpected information leakage from physical cryptographic implementations. At Asiacrypt 2010, E. Kiltz et al. [1] presented a multiplicatively blinded version of the ElGamal public-key encryption scheme, which is proved leakage resilient in the generic group model against roughly 0.50*log(p) bits of arbitrary, adversarially chosen information leakage about the computation, when the scheme is instantiated over bilinear groups of prime order p (denoted BEG∗). For the same scheme instantiated over arbitrary groups of prime order p (denoted EG∗), however, no leakage resilience bound is given; it was only conjectured to be leakage resilient. In this paper, we show that, when some of the leakage happens within the computation of the pseudorandom number generator (PRNG) used by EG∗, the leakage tolerance of EG∗ is far worse than expected. We use three instances of internationally standardized PRNGs to analyze the leakage resilience of different mathematical realizations of EG∗: the ANSI X9.17 PRNG, the ANSI X9.31 PRNG using AES-128, and the FIPS 186 PRNG for DSA per-message secrets. For the ANSI X9.17 PRNG and the ANSI X9.31 PRNG using AES-128 (resp. the DSA PRNG), when the size of p is 1024 bits (resp. 1120 bits), one can successfully recover the long-term secret key x after learning only 0.2988*log(p) and 0.2832*log(p) (resp. 0.2929*log(p)) bits of leakage of the computation, respectively. This shows that the mathematical realization of EG∗ can have a significant impact on its leakage resilience. In addition, by presenting non-generic attacks, this paper also gives upper bounds on the amount of leakage that these mathematical realizations of EG∗ can tolerate; these upper bounds are the best known so far.
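As an added example that is not part of the paper, the following toy Python model of the multiplicatively blinded scheme illustrates what the PRNG is for: the secret key x is held as two shares whose product is x, the shares are re-randomized from a PRNG output before every decryption, and the full exponent x is never materialized. The group parameters (p = 2039, q = 1019, g = 4) and the mapping from a PRNG output to a blinding factor are constructed assumptions, not the paper's parameters.

```python
"""Toy model of multiplicatively blinded ElGamal (EG*): the key x is stored as
sigma0 * sigma1 = x (mod q) and the shares are refreshed with PRNG output r
before each decryption.  Constructed example, not the paper's code."""
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 4 is a quadratic residue,
# so its order divides q, and since 4 != 1 it generates the order-q subgroup.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4

def keygen(rng=secrets.randbelow):
    """Return (public key g^x, shares) with sigma0 * sigma1 = x (mod q)."""
    x = 1 + rng(Q - 1)                       # x in [1, q-1]
    sigma0 = 1 + rng(Q - 1)                  # random first share
    sigma1 = x * pow(sigma0, -1, Q) % Q      # second share fixed by the product
    return pow(G, x, P), (sigma0, sigma1)

def encrypt(pk, m, rng=secrets.randbelow):
    """Plain ElGamal encryption; m must be an element of the order-q subgroup."""
    k = 1 + rng(Q - 1)
    return pow(G, k, P), m * pow(pk, k, P) % P

def refresh(shares, prng_output):
    """Multiplicative blinding: sigma0 <- sigma0 * r, sigma1 <- sigma1 * r^-1.
    The product (the key) is unchanged; each individual share is re-randomized."""
    sigma0, sigma1 = shares
    r = 1 + prng_output % (Q - 1)            # constructed map into Z_q^*
    return sigma0 * r % Q, sigma1 * pow(r, -1, Q) % Q

def decrypt_blinded(shares, ct, prng_output):
    """EG* decryption: refresh the shares, then exponentiate share by share
    so that the whole exponent x never appears in the computation."""
    shares = refresh(shares, prng_output)
    c1, c2 = ct
    sigma0, sigma1 = shares
    t = pow(c1, sigma0, P)                   # c1^sigma0
    s = pow(t, sigma1, P)                    # (c1^sigma0)^sigma1 = c1^x
    return c2 * pow(s, -1, P) % P, shares

def shares_product(shares):
    """The invariant the blinding preserves: sigma0 * sigma1 = x (mod q)."""
    return shares[0] * shares[1] % Q
```

Because the refreshed shares are unpredictable only to the extent that r is, leakage that occurs while the PRNG computes r undermines the blinding even though the scheme itself is unchanged, which is the situation the abstract analyzes.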

[1] David Cash et al., Intrusion-Resilient Key Exchange in the Bounded Retrieval Model, TCC, 2007.

[2] Silvio Micali et al., Physically Observable Cryptography (Extended Abstract), TCC, 2004.

[3] Elena Trichina et al., Implementation of Elliptic Curve Cryptography with Built-In Counter Measures against Side Channel Attacks, CHES, 2002.

[4] Krzysztof Pietrzak et al., A Leakage-Resilient Mode of Operation, EUROCRYPT, 2009.

[5] Dan Boneh et al., An Attack on RSA Given a Small Fraction of the Private Key Bits, ASIACRYPT, 1998.

[6] Eike Kiltz et al., Leakage Resilient ElGamal Encryption, ASIACRYPT, 2010.

[7] Moni Naor et al., Public-Key Cryptosystems Resilient to Key Leakage, SIAM J. Comput., 2009.

[8] Markus G. Kuhn et al., Tamper Resistance: A Cautionary Note, 1996.

[9] Allison Bishop et al., How to Leak on Key Updates, STOC '11, 2011.

[10] Francis Olivier et al., Electromagnetic Analysis: Concrete Results, CHES, 2001.

[11] François-Xavier Standaert, How Leaky Is an Extractor?, LATINCRYPT, 2010.

[12] Yael Tauman Kalai et al., Overcoming the Hole in the Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage, 51st Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2010.

[13] Jean-Pierre Seifert et al., Information Leakage Attacks against Smart Card Implementations of the Elliptic Curve Digital Signature Algorithm, E-smart, 2001.

[14] Stefan Dziembowski et al., Intrusion-Resilient Secret Sharing, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2007.

[15] Ariel J. Feldman et al., Lest We Remember: Cold-Boot Attacks on Encryption Keys, CACM, 2008.

[16] Moni Naor et al., Public-Key Encryption in the Bounded-Retrieval Model, EUROCRYPT, 2010.

[17] Yevgeniy Dodis et al., Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model, CRYPTO, 2009.

[18] Moti Yung et al., Leakage Resilient Cryptography in Practice, in Towards Hardware-Intrinsic Security, 2010.

[19] Stefan Dziembowski et al., Leakage-Resilient Cryptography, 49th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2008.

[20] Vinod Vaikuntanathan et al., Simultaneous Hardcore Bits and Cryptography against Memory Attacks, TCC, 2009.

[21] Alfred Menezes et al., Handbook of Applied Cryptography, 2018.

[22] Richard J. Lipton et al., On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract), EUROCRYPT, 1997.

[23] Stefan Dziembowski et al., On Forward-Secure Storage (Extended Abstract), 2006.

[24] Michael J. Wiener et al., Cryptanalysis of Short RSA Secret Exponents (Abstract), EUROCRYPT, 1990.

[25] Siva Sai Yerubandi et al., Differential Power Analysis, 2002.

[26] Bruce Schneier et al., Cryptanalytic Attacks on Pseudorandom Number Generators, FSE, 1998.

[27] Christophe Clavier et al., Universal Exponentiation Algorithm, CHES, 2001.

[28] Moti Yung et al., A Block Cipher Based Pseudo Random Number Generator Secure against Side-Channel Key Recovery, ASIACCS '08, 2008.

[29] Stefan Dziembowski et al., Intrusion-Resilience via the Bounded-Storage Model, TCC, 2006.

[30] Igor E. Shparlinski et al., Hidden Number Problem with Hidden Multipliers, Timed-Release Crypto, and Noisy Exponentiation, Math. Comput., 2003.

[31] Paul C. Kocher et al., Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, CRYPTO, 1996.