Results 1 
5 of
5
A leakageresilient mode of operation
 In EUROCRYPT
, 2009
"... Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attack ..."
Abstract

Cited by 77 (5 self)
 Add to MetaCart
(Show Context)
Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attacks, that is they remain secure even if a bounded amount of information about the secret key is leaked to the adversary. As an application of this result we propose a simple mode of operation which – when instantiated with any wPRF – gives a leakageresilient streamcipher. Such a cipher is secure against any sidechannel attack, as long as the amount of information leaked per round is bounded, but overall can be arbitrary large. This construction is simpler than the only previous one (DziembowskiPietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straight forward manner. 1
Appendonly signatures
 in International Colloquium on Automata, Languages and Programming
, 2005
"... Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we pu ..."
Abstract

Cited by 53 (10 self)
 Add to MetaCart
(Show Context)
Abstract. The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “sidechannel attacks ” which exploit leakage of information about the secret internal state. In this work we put forward the notion of “leakageresilient signatures, ” which strengthens the standard security notion by giving the adversary the additional power to learn a bounded amount of arbitrary information about the secret state that was accessed during every signature generation. This notion naturally implies security against all sidechannel attacks as long as the amount of information leaked on each invocation is bounded and “only computation leaks information.” The main result of this paper is a construction which gives a (treebased, stateful) leakageresilient signature scheme based on any 3time signature scheme. The amount of information that our scheme can safely leak per signature generation is 1/3 of the information the underlying 3time signature scheme can leak in total. Signature schemes that remain secure even if a bounded total amount of information is leaked were recently constructed, hence instantiating our construction with these schemes gives the first constructions of provably secure leakageresilient signature schemes. The above construction assumes that the signing algorithm can sample truly random bits, and thus an implementation would need some special hardware (randomness gates). Simply generating this randomness using a leakageresilient streamcipher will in general not work. Our second contribution is a sound general principle to replace uniform random bits in any leakageresilient construction with pseudorandom ones: run two leakageresilient streamciphers (with independent keys) in parallel and then apply a twosource extractor to their outputs. 1
Leakage Resilient ElGamal Encryption
"... Abstract. Blinding is a popular and wellknown countermeasure to protect publickey cryptosystems against sidechannel attacks. The high level idea is to randomize an exponentiation in order to prevent multiple measurements of the same operation on different data, as such measurements might allow th ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Blinding is a popular and wellknown countermeasure to protect publickey cryptosystems against sidechannel attacks. The high level idea is to randomize an exponentiation in order to prevent multiple measurements of the same operation on different data, as such measurements might allow the adversary to learn the secret exponent. Several variants of blinding have been proposed in the literature, using additive or multiplicative secretsharing to blind either the base or the exponent. These countermeasures usually aim at preventing particular sidechannel attacks (mostly power analysis) and come without any formal security guarantee. In this work we investigate to which extend blinding can provide provable security against a general class of sidechannel attacks. Surprisingly, it turns out that in the context of publickey encryption some blinding techniques are more suited than others. In particular, we consider a multiplicatively blinded version of ElGamal publickey encryption where – we prove that the scheme, instantiated over bilinear groups of prime order p (where p−1 is not smooth) is leakage resilient in the genericgroup model. Here we consider the model of chosenciphertext security in the presence of continuous leakage, i.e., the scheme remains chosenciphertext secure even if with every decryption query the adversary can learn a bounded amount (roughly log(p)/2 bits) of arbitrary, adversarially chosen information about the computation. – we conjecture that the scheme, instantiated over arbitrary groups of prime order p (where p − 1 is not smooth) is leakage resilient. Previous to this work no encryption scheme secure against continuous leakage was known. Constructing a scheme that can be proven secure in the standard model remains an interesting open problem. 1
On (Destructive) Impacts of Mathematical Realizations over the Security of Leakage Resilient ElGamal Encryption
"... Abstract. Leakage resilient cryptography aims to address the issue of inadvertent and unexpected information leakages from physical cryptographic implementations. At Asiacrypt 2010, E.Kiltz et al. [1] presented a multiplicatively blinded version of ElGamal publickey encryption scheme, which is prov ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. Leakage resilient cryptography aims to address the issue of inadvertent and unexpected information leakages from physical cryptographic implementations. At Asiacrypt 2010, E.Kiltz et al. [1] presented a multiplicatively blinded version of ElGamal publickey encryption scheme, which is proved to be leakage resilient in the generic group model against roughly 0.50 *log(p) bits of arbitrary, adversarially chosen information leakage about the computation, when the scheme is instantiated over bilinear groups of prime order p (denoted BEG ∗). Nonetheless, for the same scheme instantiated over arbitrary groups of prime order p (denoted EG ∗), no leakage resilience bound is given, and was only conjectured to be leakage resilient. In this paper, we show that, when some of the leakage happens within the computation of pseudo random number generator (PRNG) used by EG ∗ , the leakage tolerance of EG ∗ is far worse than expected. We used three instances of internationally
On the Impacts of Mathematical Realization over Practical Security of Leakage Resilient Cryptographic Schemes
"... Abstract. In real world, in order to transform an abstract and generic cryptographic scheme into actual physical implementation, one usually undergoes two processes: mathematical realization at algorithmic level and physical realization at implementation level. In the former process, the abstract an ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. In real world, in order to transform an abstract and generic cryptographic scheme into actual physical implementation, one usually undergoes two processes: mathematical realization at algorithmic level and physical realization at implementation level. In the former process, the abstract and generic cryptographic scheme is transformed into an exact and specific mathematical scheme, while in the latter process the output of mathematical realization is being transformed into a physical cryptographic module runs as a piece of software, or hardware, or combination of both. In blackbox model (i.e. leakagefree setting), a cryptographic scheme can be mathematically realized without affecting its theoretical security as long as the mathematical components meet the required cryptographic properties. However, up to now, no previous work formally show that whether one can mathematically realize a leakage resilient cryptographic scheme in existent ways without affecting its practical security.