Results 1  10
of
51
Appendonly signatures
 in International Colloquium on Automata, Languages and Programming
, 2005
"... Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we pu ..."
Abstract

Cited by 35 (10 self)
 Add to MetaCart
Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we put forward the notion of “leakageresilient signatures, ” which strengthens the standard security notion by giving the adversary the additional power to learn a bounded amount of arbitrary information about the secret state that was accessed during every signature generation. This notion naturally implies security against all sidechannel attacks as long as the amount of information leaked on each invocation is bounded and “only computation leaks information.” The main result of this paper is a construction which gives a (treebased, stateful) leakageresilient signature scheme based on any 3time signature scheme. The amount of information that our scheme can safely leak per signature generation is 1/3 of the information the underlying 3time signature scheme can leak in total. Signature schemes that remain secure even if a bounded total amount of information is leaked were recently constructed, hence instantiating our construction with these schemes gives the first constructions of provably secure leakageresilient signature schemes. The above construction assumes that the signing algorithm can sample truly random bits, and thus an implementation would need some special hardware (randomness gates). Simply generating this randomness using a leakageresilient streamcipher will in general not work. Our second contribution is a sound general principle to replace uniform random bits in any leakageresilient construction with pseudorandom ones: run two leakageresilient streamciphers (with independent keys) in parallel and then apply a twosource extractor to their outputs. 1
Signature schemes with bounded leakage resilience
 In ASIACRYPT
, 2009
"... A leakageresilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (or possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show a signature scheme tolerating (optimal) leakage of up to n − nǫ ..."
Abstract

Cited by 25 (1 self)
 Add to MetaCart
A leakageresilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (or possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show a signature scheme tolerating (optimal) leakage of up to n − nǫ bits of information about the secret key, and a more efficient onetime signature scheme that tolerates leakage of ( 1 4 −ǫ) ·n bits of information about the signer’s entire state. The latter construction extends to give a leakageresilient ttime signature scheme. All these constructions are in the standard model under general assumptions. 1
More constructions of lossy and correlationsecure trapdoor functions. Cryptology ePrint Archive, Report 2009/590
, 2009
"... We propose new and improved instantiations of lossy trapdoor functions (Peikert and Waters, STOC ’08), and correlationsecure trapdoor functions (Rosen and Segev, TCC ’09). Our constructions widen the set of numbertheoretic assumptions upon which these primitives can be based, and are summarized as ..."
Abstract

Cited by 24 (8 self)
 Add to MetaCart
We propose new and improved instantiations of lossy trapdoor functions (Peikert and Waters, STOC ’08), and correlationsecure trapdoor functions (Rosen and Segev, TCC ’09). Our constructions widen the set of numbertheoretic assumptions upon which these primitives can be based, and are summarized as follows: • Lossy trapdoor functions based on the quadratic residuosity assumption. Our construction relies on modular squaring, and whereas previous such constructions were based on seemingly stronger assumptions, we present the first construction that is based solely on the quadratic residuosity assumption. We also present a generalization to higher order power residues. • Lossy trapdoor functions based on the composite residuosity assumption. Our construction guarantees essentially any required amount of lossiness, where at the same time the functions are more efficient than the matrixbased approach of Peikert and Waters. • Lossy trapdoor functions based on the dLinear assumption. Our construction both simplifies the DDHbased construction of Peikert and Waters, and admits a generalization to the whole family of dLinear assumptions without any loss of efficiency. • Correlationsecure trapdoor functions related to the hardness of syndrome decoding. Keywords: Publickey encryption, lossy trapdoor functions, correlationsecure trapdoor functions. An extended abstract of this work appears in Public Key Cryptography — PKC 2010, Springer LNCS 6056
Semantic security under relatedkey attacks and applications
 Cited on page 4.) 16 M. Bellare. New proofs for NMAC and HMAC: Security without collisionresistance. In C. Dwork, editor, CRYPTO 2006, volume 4117 of LNCS
, 2011
"... In a relatedkey attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general de ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
In a relatedkey attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKAsecure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural “keyhomomorphism” property. We instantiate this approach under numbertheoretic or latticebased assumptions such as the Decisional DiffieHellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKAsecure pseudorandom generators. This approach can yield either deterministic, onetime use schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKAsecure pseurodandom generator
Reconstructing rsa private keys from random key bits
 In CRYPTO
, 2009
"... We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algori ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments. 1
Publickey encryption schemes with auxiliary inputs
 In TCC. 2010. [Fei02] U. Feige. Relations
"... Abstract. We construct publickey cryptosystems that remain secure even when the adversary is given any computationally uninvertible function of the secret key as auxiliary input (even one that may reveal the secret key informationtheoretically). Our schemes are based on the decisional DiffieHellma ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
Abstract. We construct publickey cryptosystems that remain secure even when the adversary is given any computationally uninvertible function of the secret key as auxiliary input (even one that may reveal the secret key informationtheoretically). Our schemes are based on the decisional DiffieHellman (DDH) and the Learning with Errors (LWE) problems. As an independent technical contribution, we extend the GoldreichLevin theorem to provide a hardcore (pseudorandom) value over large fields. 1
Achieving leakage resilience through dual system encryption
 In TCC
, 2011
"... In this work, we show that strong leakage resilience for cryptosystems with advanced functionalities can be obtained quite naturally within the methodology of dual system encryption, recently introduced by Waters. We demonstrate this concretely by providing fully secure IBE, HIBE, and ABE systems wh ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
In this work, we show that strong leakage resilience for cryptosystems with advanced functionalities can be obtained quite naturally within the methodology of dual system encryption, recently introduced by Waters. We demonstrate this concretely by providing fully secure IBE, HIBE, and ABE systems which are resilient to bounded leakage from each of many secret keys per user, as well as many master keys. This can be realized as resilience against continual leakage if we assume keys are periodically updated and no (or logarithmic) leakage is allowed during the update process. Our systems are obtained by applying a simple modification to previous dual system encryption constructions: essentially this provides a generic tool for making dual system encryption schemes leakageresilient. 1
Securing computation against continuous leakage
 In CRYPTO
, 2010
"... Abstract. We present a general method to compile any cryptographic algorithm into one which resists side channel attacks of the only computation leaks information variety for an unbounded number of executions. Our method uses as a building block a semantically secure subsidiary bit encryption scheme ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
Abstract. We present a general method to compile any cryptographic algorithm into one which resists side channel attacks of the only computation leaks information variety for an unbounded number of executions. Our method uses as a building block a semantically secure subsidiary bit encryption scheme with the following additional operations: key refreshing, oblivious generation of cipher texts, leakage resilience regeneration, and blinded homomorphic evaluation of one single complete gate (e.g. NAND). Furthermore, the security properties of the subsidiary encryption scheme should withstand bounded leakage incurred while performing each of the above operations. We show how to implement such a subsidiary encryption scheme under the DDH intractability assumption and the existence of a simple secure hardware component. The hardware component is independent of the encryption scheme secret key. The subsidiary encryption scheme resists leakage attacks where the leakage is computable in polynomial time and of length bounded by a constant fraction of the security parameter. 1
Better security for deterministic publickey encryption: The auxiliaryinput setting
 CRYPTO 2011, volume 6841 of LNCS
, 2011
"... Deterministic publickey encryption, introduced by Bellare, Boldyreva, and O’Neill (CRYPTO ’07), provides an alternative to randomized publickey encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
Deterministic publickey encryption, introduced by Bellare, Boldyreva, and O’Neill (CRYPTO ’07), provides an alternative to randomized publickey encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful notion of security when the plaintext is distributed over a small set. Bellare et al. addressed this difficulty by requiring semantic security to hold only when the plaintext has high minentropy from the adversary’s point of view. In many applications, however, an adversary may obtain auxiliary information that is related to the plaintext. Specifically, when deterministic encryption is used as a building block of a larger system, it is rather likely that plaintexts do not have high minentropy from the adversary’s point of view. In such cases, the framework of Bellare et al. might fall short from providing robust security guarantees. We formalize a framework for studying the security of deterministic publickey encryption schemes with respect to auxiliary inputs. Given the trivial requirement that the plaintext should not be efficiently recoverable from the auxiliary input, we focus on hardtoinvert auxiliary inputs.
Fully LeakageResilient Signatures
, 2010
"... A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosenmessage attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throu ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosenmessage attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of sidechannel attacks. One of the main challenges in constructing fully leakageresilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the randomoracle model. Moreover, even in the randomoracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct the first fully leakageresilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1 − o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific numbertheoretic