Limits of a conjecture on a leakage-resilient cryptosystem

Recently it was conjectured that an ElGamal-based public-key encryption scheme with stateful decryption resists lunch-time chosen ciphertext and leakage attacks in the only computation leaks information model. We give a non-trivial upper bound on the amount of leakage tolerated by this conjecture. More precisely, we prove that the conjecture does not hold if more than a (3/8 + o(1)) fraction of the bits are leaked at every decryption step, by showing a lunch-time attack that recovers the full secret key. The attack uses a new variant of the Hidden Number Problem, which we call the Hidden Shares - Hidden Number Problem, and which is of independent interest.

Highlights:

- We introduce the Hidden Shares Number Problem, a variant of the Hidden Number Problem.
- We give a leakage-resilience bound for the ElGamal cryptosystem with stateful decryption.
- We have implemented our attack and give some details about our implementation.
