Theory of Cryptography

Volume 5444 of the series Lecture Notes in Computer Science pp 474-495

Simultaneous Hardcore Bits and Cryptography against Memory Attacks

  • Adi AkaviaAffiliated withIAS and DIMACS
  • , Shafi GoldwasserAffiliated withMIT and Weizmann Insitute
  • , Vinod VaikuntanathanAffiliated withMIT and IBM Research


This paper considers two questions in cryptography.

Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES.

We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret-key, or more generally, can compute an arbitrary function of the secret-key of bounded output length. This is done without increasing the size of the secret-key, and without introducing any complication of the natural encryption and decryption routines.

Simultaneous Hardcore Bits. We say that a block of bits of x are simultaneously hard-core for a one-way function f(x), if given f(x) they cannot be distinguished from a random string of the same length. Although any candidate one-way function can be shown to hide one hardcore bit and even a logarithmic number of simultaneously hardcore bits, there are few examples of one-way or trapdoor functions for which a linear number of the input bits have been proved simultaneously hardcore; the ones that are known relate the simultaneous security to the difficulty of factoring integers.

We show that for a lattice-based (injective) trapdoor function which is a variant of function proposed earlier by Gentry, Peikert and Vaikuntanathan, an N − o(N) number of input bits are simultaneously hardcore, where N is the total length of the input.

These two results rely on similar proof techniques.