Leakage-resilient public-key cryptography in the bounded-retrieval model

Joël Alwen, Yevgeniy Dodis, Daniel Wichs

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study the design of cryptographic primitives resilient to key-leakage attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. We construct a variety of leakage-resilient public-key systems, including the first known identification schemes (ID), signature schemes and authenticated key agreement protocols (AKA). Our main result is an efficient three-round AKA in the Random-Oracle Model, which is resilient to key-leakage attacks that can occur prior to and after a protocol execution. Our AKA protocol can be used as an interactive encryption scheme with qualitatively stronger privacy guarantees than non-interactive encryption schemes (constructed in prior and concurrent works), which are inherently insecure if the adversary can perform leakage attacks after seeing a ciphertext. Moreover, our schemes can be flexibly extended to the Bounded-Retrieval Model, allowing us to tolerate a very large absolute amount of adversarial leakage ℓ (potentially many gigabytes of information) only by increasing the size of the secret key, without any other loss of efficiency in communication or computation. Concretely, given any leakage parameter ℓ, security parameter λ, and any desired fraction 0 < δ ≤ 1, our schemes have the following properties:

  • Secret key size is ℓ(1 + δ) + O(λ).
  • Public key size is O(λ), and independent of ℓ.
  • Communication complexity is O(λ/δ), and independent of ℓ.
  • Computation reads O(λ/δ²) locations of the secret key, independent of ℓ.

Lastly, we show that our schemes allow for repeated "invisible updates" of the secret key, allowing us to tolerate up to ℓ bits of leakage in between any two updates, and an unlimited amount of leakage overall. These updates require that the parties can securely store a short "master update key" (e.g. on a separate secure device protected against leakage), which is only used for updates and not during protocol execution. The updates are invisible in the sense that a party can update its secret key at any point in time, without modifying the public key or notifying the other users.
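The abstract's remark that non-interactive encryption is inherently insecure once the adversary may leak after seeing a ciphertext is a generic argument, independent of any particular scheme: the leakage function is chosen adaptively, so it can simply be the decryption of the challenge. The following example is added here and is not code from the paper or its authors. It models a leakage oracle that charges each query's declared output length against a budget of ℓ bits, and runs the attack against a toy ElGamal instance over a constructed small prime group (the parameters P, Q, G, the bit-encoding of messages and all function names are assumptions for illustration; the group is far too small to be secure). With ℓ = 1 and the query issued after the challenge ciphertext is known, the plaintext bit is recovered exactly; the same single bit leaked before the challenge tells the adversary nothing about a message that has not yet been chosen, which is the regime the paper's non-interactive comparison points address.

```python
import secrets

# Toy ElGamal over the order-Q subgroup of Z_P^*. Constructed parameters for
# illustration only (assumption, not from the paper): P = 2Q + 1 with P and Q
# prime, and G = 4 = 2^2 is a quadratic residue, hence has order exactly Q.
P, Q, G = 1019, 509, 4


def keygen(rng=secrets.randbelow):
    """Return (sk, pk) with sk = x in [1, Q-1] and pk = G^x mod P."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)


def encrypt(pk, m, rng=secrets.randbelow):
    """Encrypt a single bit m, encoded as the group element G^m."""
    if m not in (0, 1):
        raise ValueError("toy scheme encrypts one bit")
    r = 1 + rng(Q - 1)
    return pow(G, r, P), (pow(G, m, P) * pow(pk, r, P)) % P


def decrypt(sk, ct):
    """Recover the bit: c2 / c1^sk equals G^m, so 1 means m = 0 and G means m = 1."""
    c1, c2 = ct
    shared = pow(c1, sk, P)
    msg = (c2 * pow(shared, P - 2, P)) % P  # Fermat inverse, P is prime
    return 0 if msg == 1 else 1


class LeakageOracle:
    """Bounded-leakage model: adaptive queries f(sk) whose declared output
    lengths must sum to at most ell bits over the oracle's lifetime."""

    def __init__(self, sk, ell):
        self._sk = sk
        self.remaining = ell

    def can_afford(self, nbits):
        return nbits <= self.remaining

    def leak(self, f, nbits):
        if not self.can_afford(nbits):
            raise PermissionError("leakage budget of ell bits exhausted")
        out = f(self._sk)
        if not 0 <= out < (1 << nbits):
            raise ValueError("leakage output exceeds its declared length")
        self.remaining -= nbits
        return out


def post_challenge_attack(oracle, challenge):
    """Generic attack on any non-interactive PKE: after the challenge ciphertext
    is fixed, one bit of leakage f(sk) = Dec(sk, challenge) is the plaintext."""
    return oracle.leak(lambda sk: decrypt(sk, challenge), 1)


def demo(m):
    """Encrypt m, give the adversary a 1-bit post-challenge leakage budget,
    and return (recovered_bit, remaining_budget)."""
    sk, pk = keygen()
    challenge = encrypt(pk, m)
    oracle = LeakageOracle(sk, ell=1)
    recovered = post_challenge_attack(oracle, challenge)
    return recovered, oracle.remaining


if __name__ == "__main__":
    for bit in (0, 1):
        print(f"plaintext bit {bit} -> recovered {demo(bit)[0]} with 1 bit of leakage")
```

The oracle is deliberately the only place the secret key lives, and it enforces the budget by declared length rather than by trusting the leakage function, mirroring how the ℓ-bit bound is defined in the model. The attack's cost is exactly one bit regardless of key size, which is why enlarging the key, as the Bounded-Retrieval Model does, cannot rescue a non-interactive scheme against post-ciphertext leakage, whereas the paper's interactive AKA-based encryption is designed for precisely that setting.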

Original language: English (US)
Title of host publication: Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings
Pages: 36-54
Number of pages: 19
Volume: 5677 LNCS
DOIs: 10.1007/978-3-642-03356-8_3
State: Published - 2009
Event: 29th Annual International Cryptology Conference, CRYPTO 2009 - Santa Barbara, CA, United States
Duration: Aug 16 2009 - Aug 20 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5677 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 29th Annual International Cryptology Conference, CRYPTO 2009
Country: United States
City: Santa Barbara, CA
Period: 8/16/09 - 8/20/09

Fingerprint

Public key cryptography
Leakage
Cryptography
Retrieval
Update
Communication
Key Agreement Protocol
Public key
Attack
Model
Encryption
Identification Scheme
Communication Complexity
Random Oracle Model
Signature Scheme
Privacy
Concurrent

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Alwen, J., Dodis, Y., & Wichs, D. (2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings (Vol. 5677 LNCS, pp. 36-54). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5677 LNCS). https://doi.org/10.1007/978-3-642-03356-8_3

@inproceedings{a975c499505b4568aeb5ce9bc20ee254,
title = "Leakage-resilient public-key cryptography in the bounded-retrieval model",
author = "Jo{\"e}l Alwen and Yevgeniy Dodis and Daniel Wichs",
year = "2009",
doi = "10.1007/978-3-642-03356-8_3",
language = "English (US)",
isbn = "3642033555",
volume = "5677 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "36--54",
booktitle = "Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings",

}

TY - GEN

T1 - Leakage-resilient public-key cryptography in the bounded-retrieval model

AU - Alwen, Joël

AU - Dodis, Yevgeniy

AU - Wichs, Daniel

PY - 2009

Y1 - 2009

UR - http://www.scopus.com/inward/record.url?scp=70350340328&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70350340328&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-03356-8_3

DO - 10.1007/978-3-642-03356-8_3

M3 - Conference contribution

SN - 3642033555

SN - 9783642033551

VL - 5677 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 36

EP - 54

BT - Advances in Cryptology - CRYPTO 2009 - 29th Annual International Cryptology Conference, Proceedings

ER -