Annual Cryptology Conference

CRYPTO 2011: Advances in Cryptology – CRYPTO 2011 pp 373-390

Cryptography with Tamperable and Leaky Memory

  • Yael Tauman Kalai
  • Bhavana Kanukurthi
  • Amit Sahai
Conference paper

DOI: 10.1007/978-3-642-22792-9_21

Volume 6841 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Kalai Y.T., Kanukurthi B., Sahai A. (2011) Cryptography with Tamperable and Leaky Memory. In: Rogaway P. (eds) Advances in Cryptology – CRYPTO 2011. CRYPTO 2011. Lecture Notes in Computer Science, vol 6841. Springer, Berlin, Heidelberg


A large and growing body of research has sought to secure cryptographic systems against physical attacks. Motivated by a large variety of real-world physical attacks on memory, an important line of work was initiated by Akavia, Goldwasser, and Vaikuntanathan [1] where security is sought under the assumptions that: (1) all memory is leaky, and (2) leakage can be an arbitrarily chosen (efficient) function of the memory.

However, physical attacks on memory are not limited to leakage through side-channels; they can also include active tampering attacks carried out by a variety of physical means, including heat and EM radiation. Yet protection against the analogous model for tampering – where (1) all memory is tamperable, and (2) the tampering can be an arbitrarily chosen (efficient) function applied to the memory – has remained an elusive target, despite significant effort on tampering-related questions.

In this work, we tackle this question by considering a model where we assume that both of these pairs of statements are true – that all memory is both leaky and (arbitrarily) tamperable. Furthermore, we assume that this leakage and tampering can happen repeatedly and continually (extending the model of [10,7] in the context of leakage). We construct a signature scheme and an encryption scheme that are provably secure against such attacks, assuming that memory can be updated in a randomized fashion between episodes of tampering and leakage. In both schemes we rely on the linear assumption over bilinear groups.

We also separately consider a model where tampering is continual and repeated but leakage is only bounded, and there we obtain positive results assuming only that “self-destruct” is possible, without the need for memory updates.

Our results also improve previous results in the continual leakage regime without tampering [10,7]. Whereas previous schemes secure against continual leakage (of arbitrary bounded functions of the secret key) could tolerate only a 1/2 − ε leakage rate between key updates under the linear assumption over bilinear groups, our schemes can tolerate a 1 − ε leakage rate between key updates under the same assumption.
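The adversary model sketched in the abstract, as an added example that is not from the paper: a Python harness exposing the three moves the model grants the attacker and the honest party (leak an arbitrary function of all of memory with bounded output, overwrite memory with an arbitrary length-preserving tampering function, and a randomized update between episodes), with the per-epoch leakage budget measured as a rate of the memory size. The two-share XOR key representation, the SECRET constant and the function names are assumptions made for illustration only; the paper's actual signature and encryption schemes use bilinear groups and are not reproduced here. The third function shows why the model is demanding: because the leakage function may compute on the whole memory, the XOR stand-in gives up key bytes in a single query.

```python
import secrets
from typing import Callable

# Added example (not from the paper): a harness for the adversary interface of the
# continual leakage-and-tampering model. The key representation is a stand-in
# (two XOR shares), chosen only because it admits a randomized update; it is NOT
# leakage-resilient against arbitrary functions of memory.


class LeakyTamperableMemory:
    """Memory an adversary may leak from and tamper with between randomized
    updates. Leakage per epoch is capped at rate * (bits of memory)."""

    def __init__(self, secret: bytes, rate: float):
        if not 0.0 < rate < 1.0:
            raise ValueError("leakage rate must lie strictly between 0 and 1")
        self.rate = rate
        self.key_len = len(secret)
        s1 = secrets.token_bytes(self.key_len)          # fresh random share
        s2 = bytes(a ^ b for a, b in zip(s1, secret))   # s1 XOR s2 == secret
        self.memory = bytearray(s1 + s2)
        self.leaked_bits = 0   # leakage spent in the current epoch
        self.epochs = 0

    def budget_bits(self) -> int:
        return int(self.rate * 8 * len(self.memory))

    def leak(self, f: Callable[[bytes], int], out_bits: int) -> int:
        """Adversary learns f(memory) truncated to out_bits bits; f is arbitrary."""
        if self.leaked_bits + out_bits > self.budget_bits():
            raise PermissionError("leakage budget for this epoch is exhausted")
        self.leaked_bits += out_bits
        return f(bytes(self.memory)) & ((1 << out_bits) - 1)

    def tamper(self, g: Callable[[bytes], bytes]) -> None:
        """Adversary overwrites memory with g(memory); g is arbitrary but length-preserving."""
        new = g(bytes(self.memory))
        if len(new) != len(self.memory):
            raise ValueError("tampering must preserve memory length")
        self.memory = bytearray(new)

    def update(self) -> None:
        """Honest randomized refresh: re-share the current contents with fresh
        randomness and reset the per-epoch leakage budget."""
        r = secrets.token_bytes(self.key_len)
        s1 = bytes(a ^ b for a, b in zip(self.memory[: self.key_len], r))
        s2 = bytes(a ^ b for a, b in zip(self.memory[self.key_len :], r))
        self.memory = bytearray(s1 + s2)
        self.leaked_bits = 0
        self.epochs += 1

    def reconstruct(self) -> bytes:
        """What the honest signer/decryptor would actually compute with."""
        return bytes(a ^ b for a, b in zip(self.memory[: self.key_len], self.memory[self.key_len :]))


SECRET = bytes(range(16))   # constructed sample key for the demo, not a real key


def budget_resets_on_update(rate: float = 0.9):
    """Returns (epoch budget in bits, whether an over-budget query was refused,
    bits leaked in the fresh epoch after the honest update)."""
    m = LeakyTamperableMemory(SECRET, rate)
    budget = m.budget_bits()
    m.leak(lambda mem: int.from_bytes(mem, "big"), budget)   # spend the whole epoch
    refused = False
    try:
        m.leak(lambda mem: mem[0], 1)
    except PermissionError:
        refused = True
    m.update()
    m.leak(lambda mem: mem[0], 8)   # budget is fresh after the refresh
    return budget, refused, m.leaked_bits


def tampering_changes_effective_key():
    """Tampering one share alters the key the honest party computes with, and the
    refresh preserves whatever is currently stored, tampered or not."""
    m = LeakyTamperableMemory(SECRET, 0.5)
    before = m.reconstruct()
    k = m.key_len
    m.tamper(lambda mem: bytes(b ^ 0x01 for b in mem[:k]) + mem[k:])  # flip one bit per byte of share 1
    after = m.reconstruct()
    m.update()
    return before == SECRET, after == bytes(b ^ 0x01 for b in SECRET), m.reconstruct() == after


def arbitrary_leakage_defeats_xor_sharing():
    """One 8-bit leakage query recovers a secret byte outright: the leakage
    function sees all of memory, so splitting the key into shares is no defence."""
    m = LeakyTamperableMemory(SECRET, 0.1)
    leaked = m.leak(lambda mem: mem[3] ^ mem[3 + m.key_len], 8)
    return leaked == SECRET[3]
```

The harness enforces the accounting the abstract describes (leakage bounded per epoch, reset only by an honest randomized update) but says nothing about security; any real instantiation has to replace the XOR shares with a representation for which the leak and tamper oracles provably reveal nothing useful, which is the paper's contribution.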


Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Yael Tauman Kalai, Microsoft Research, USA
  • Bhavana Kanukurthi, Boston University, USA
  • Amit Sahai, University of California, Los Angeles (UCLA), USA