Lest we remember: Cold boot attacks on encryption keys
In USENIX Security Symposium, 2008
Cited by 105 (3 self)
For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit
Leakage-resilient cryptography
In 49th FOCS, 2008
Cited by 81 (7 self)
We construct a stream-cipher SC whose implementation is secure even if a bounded amount of arbitrary (adaptively, adversarially chosen) information about the internal state of SC is leaked during computation of each output block. This captures all possible side-channel attacks on SC where (1) the amount of information leaked in a given period is bounded, but overall can be arbitrarily large and (2) “only computation leaks information”. The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS’07). We move this concept to the computational setting by proving a lemma that states that the output of any pseudorandom generator (PRG) has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage λ that we can tolerate in each step depends on the strength of the underlying PRG: it is at least logarithmic, but can be as large as a constant fraction of the internal state of SC if the PRG is exponentially hard.
Extracting randomness from samplable distributions
In Proceedings of the 41st Annual IEEE Symposium on Foundations of Computer Science, 2000
Cited by 55 (8 self)
The standard notion of a randomness extractor is a procedure which converts any weak source of randomness into an almost uniform distribution. The conversion necessarily uses a small amount of pure randomness, which can be eliminated by complete enumeration in some, but not all, applications. Here, we consider the problem of deterministically converting a weak source of randomness into an almost uniform distribution. Previously, deterministic extraction procedures were known only for sources satisfying strong independence requirements. In this paper, we look at sources which are samplable, i.e. can be generated by an efficient sampling algorithm. We seek an efficient deterministic procedure that, given a sample from any samplable distribution of sufficiently large min-entropy, gives an almost uniformly distributed output. We explore the conditions under which such deterministic extractors exist. We observe that no deterministic extractor exists if the sampler is allowed to use more computational resources than the extractor. On the other hand, if the extractor is allowed (polynomially) more resources than the sampler, we show that deterministic extraction becomes possible. This is true unconditionally in the non-uniform setting (i.e., when the extractor can be computed by a small circuit), and (necessarily) relies on complexity assumptions in the uniform setting. One of our uniform constructions is as follows: assuming that there are problems in [garbled] that are not solvable by subexponential-size circuits with [garbled] gates, there is an efficient extractor that transforms any samplable distribution of length n and min-entropy [garbled] into an output distribution of length [garbled], where [garbled] is any sufficiently small constant. The running time of the extractor is polynomial in n and the circuit complexity of the sampler. These extractors are based on a connection be
Deterministic Extractors for Bit-Fixing Sources and Exposure-Resilient Cryptography
In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, 2003
Cited by 55 (3 self)
We give an efficient deterministic algorithm that extracts Ω(n^{2γ}) almost-random bits from sources where n^{1/2+γ} of the n bits are uniformly random and the rest are fixed in advance. This improves upon previous constructions, which required that at least n/2 of the bits be random in order to extract many bits. Our construction also has applications in exposure-resilient cryptography, giving explicit adaptive exposure-resilient functions and, in turn, adaptive all-or-nothing transforms. For sources where instead of bits the values are chosen from [d], for d>2, we give an algorithm that extracts a constant fraction of the randomness. We also give bounds on extracting randomness for sources where the fixed bits can depend on the random bits.
Traitor Tracing with Constant Transmission Rate
2002
Cited by 28 (3 self)
An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users’ keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of “copyrighted function” which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based “copyrighted function.” Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant
Public-key encryption schemes with auxiliary inputs
In TCC, 2010
Cited by 13 (4 self)
We construct public-key cryptosystems that remain secure even when the adversary is given any computationally uninvertible function of the secret key as auxiliary input (even one that may reveal the secret key information-theoretically). Our schemes are based on the decisional Diffie-Hellman (DDH) and the Learning with Errors (LWE) problems. As an independent technical contribution, we extend the Goldreich-Levin theorem to provide a hardcore (pseudorandom) value over large fields.
Intrusion-resilient key exchange in the bounded retrieval model
In TCC 2007: 4th Theory of Cryptography Conference, volume 4392 of Lecture
Cited by 10 (1 self)
We construct an intrusion-resilient symmetric-key authenticated key exchange (AKE) protocol in the bounded retrieval model. The model employs a long shared private key to cope with an active adversary who can repeatedly compromise the user’s machine and perform any efficient computation on the entire shared key. However, we assume that the attacker is communication bounded and unable to retrieve too much information during each successive break-in. In contrast, the users read only a small portion of the shared key, making the model quite realistic in situations where storage is much cheaper than bandwidth. The problem was first studied by Dziembowski [Dzi06a], who constructed a secure AKE protocol using random oracles. We present a general paradigm for constructing intrusion-resilient AKE protocols in this model, and show how to instantiate it without random oracles. The main ingredients of our construction are UC-secure password authenticated key exchange and tools from the bounded storage model.
Robustness of the learning with errors assumption
In ICS, 2010
Cited by 8 (4 self)
Starting with the work of Ishai-Sahai-Wagner and Micali-Reyzin, a new goal has been set within the theory of cryptography community, to design cryptographic primitives that are secure against large classes of side-channel attacks. Recently, many works have focused on designing various cryptographic primitives that are robust (retain security) even when the secret key is “leaky”, under various intractability assumptions. In this work we propose to take a step back and ask a more basic question: which of our cryptographic assumptions (rather than cryptographic schemes) are robust in the presence of leakage of their underlying secrets? Our main result is that the hardness of the learning with errors (LWE) problem implies its hardness with leaky secrets. More generally, we show that the standard LWE assumption implies that LWE is secure even if the secret is taken from an arbitrary distribution with sufficient entropy, and even in the presence of hard-to-invert auxiliary inputs. We exhibit various applications of this result. 1. Under the standard LWE assumption, we construct a symmetric-key encryption scheme that is robust to secret key leakage, and more generally maintains security even if the secret key is taken from an arbitrary distribution with sufficient entropy (and even in the presence of hard-to-invert auxiliary inputs).
Bounded CCA2-secure encryption
In Advances in Cryptology - ASIACRYPT ’07, 2007
Cited by 7 (1 self)
Whereas encryption schemes withstanding passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model — bounded CCA2-security — wherein security needs only hold against adversaries that make an a priori bounded number of queries to the decryption oracle. Regarding this notion we show (without any further assumptions): – For any polynomial q, a simple black-box construction of q-bounded IND-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. When instantiated with the Decisional Diffie-Hellman (DDH) assumption, this construction additionally yields encryption schemes with very short ciphertexts. – For any polynomial q, a (non-black-box) construction of q-bounded NM-CCA2-secure encryption schemes, from any IND-CPA-secure encryption scheme. Bounded-CCA2 non-malleability is the strongest notion of security yet known to be achievable assuming only the existence of IND-CPA-secure encryption schemes. Finally, we show that non-malleability and indistinguishability are not equivalent under bounded-CCA2 attacks (in contrast to general CCA2 attacks).
Survey: Leakage resilience and the bounded retrieval model
In ICITS, 2009
Cited by 7 (1 self)
This survey paper studies recent advances in the field of Leakage-Resilient Cryptography. This booming area is concerned with the design of cryptographic primitives resistant to arbitrary side-channel attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. We start by surveying recent results in the so-called Relative Leakage Model, where all the parameters of the system are allowed to depend on ℓ, and the goal is to make ℓ large relative to the length of the secret key. We conclude by showing how to extend the relative leakage results to the Bounded Retrieval Model (aka “Absolute Leakage Model”), where only the secret key length is allowed to be slightly larger than ℓ, but all other system parameters (e.g., public-key, communication, etc.) are independent of the absolute value of ℓ. Throughout the presentation we will emphasize the information-theoretic techniques used in leakage-resilient cryptography.