Advances in Cryptology - CRYPTO 2009 pp 36-54
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model
- Cite this paper as:
- Alwen J., Dodis Y., Wichs D. (2009) Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model. In: Halevi S. (eds) Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science, vol 5677. Springer, Berlin, Heidelberg
We study the design of cryptographic primitives resilient to key-leakage attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. We construct a variety of leakage-resilient public-key systems including the first known identification schemes (ID), signature schemes and authenticated key agreement protocols (AKA). Our main result is an efficient three-round AKA in the Random-Oracle Model, which is resilient to key-leakage attacks that can occur prior-to and after a protocol execution. Our AKA protocol can be used as an interactive encryption scheme with qualitatively stronger privacy guarantees than non-interactive encryption schemes (constructed in prior and concurrent works), which are inherently insecure if the adversary can perform leakage attacks after seing a ciphertext.
Secret key size is ℓ(1 + δ) + O(λ).
Public key size is O(λ), and independent of ℓ.
Communication complexity is O(λ/δ), and independent of ℓ.
Computation reads O(λ/δ2) locations of the secret key, independent of ℓ.
Lastly, we show that our schemes allow for repeated “invisible updates” of the secret key, allowing us to tolerate up to ℓ bits of leakage in between any two updates, and an unlimited amount of leakage overall. These updates require that the parties can securely store a short “master update key” (e.g. on a separate secure device protected against leakage), which is only used for updates and not during protocol execution. The updates are invisible in the sense that a party can update its secret key at any point in time, without modifying the public key or notifying the other users.