Journal of Cryptology

, Volume 30, Issue 1, pp 152–190 | Cite as

Bounded Tamper Resilience: How to Go Beyond the Algebraic Barrier

  • Ivan Damgård
  • Sebastian Faust
  • Pratyay Mukherjee
  • Daniele VenturiEmail author


Related key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a-priori unbounded number of certain algebraic induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. (1) We show that standard ID and signature schemes constructed from a large class of \(\Sigma \)-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can allow also independent tampering with the public parameters. (2) We show a bounded tamper and leakage resilient CCA-secure public key cryptosystem based on the DDH assumption. We first define a weaker CCA-like security notion that we can instantiate based on DDH, and then we give a general compiler that yields CCA security with tamper and leakage resilience. This requires a public tamper-proof common reference string. (3) Finally, we explain how to boost bounded tampering and leakage resilience [as in (1) and (2) above] to continuous tampering and leakage resilience, in the so-called floppy model where each user has a personal hardware token (containing leak- and tamper-free information) which can be used to refresh the secret key. We believe that bounded tampering is a meaningful and interesting alternative to avoid known impossibility results and can provide important insights into the security of existing standard cryptographic schemes.


Related key security Bounded tamper resilience Public key encryption Identification schemes 



This work was done while the last author was a postdoc at the Computer Science Department of Aarhus University, supported by the Danish Council for Independent Research (under the DFF Starting Grant 10-081612). Ivan Damgård acknowledges support from the Danish National Research Foundation, the National Science Foundation of China (under the Grant 61061130540), and also from the CFEM research center. Sebastian Faust was partially funded by the above grants. Pratyay Mukherjee’s work at Aarhus University was supported by a European Research Commission Starting Grant (no. 279447) and the above grants. Part of this work was done while this author was at the University of Warsaw and was supported by the WELCOME/2010-4/2 Grant founded within the framework of the EU Innovative Economy Operational Programme.


  1. 1.
    D. Aggarwal, Y. Dodis, T. Kazana, M. Obremski, Non-malleable reductions and applications, in STOC (2015)Google Scholar
  2. 2.
    D. Aggarwal, Y. Dodis, S. Lovett, Non-malleable codes from additive combinatorics, in STOC, (2014), pp. 774–783Google Scholar
  3. 3.
    D. Aggarwal, S. Dziembowski, T. Kazana, M. Obremski, Leakage-resilient non-malleable codes, in TCC, (2015), pp. 398–426Google Scholar
  4. 4.
    S. Agrawal, D. Gupta, H.K. Maji, O. Pandey, M. Prabhakaran, Explicit non-malleable codes against bit-wise tampering and permutations, in CRYPTO, (2015), pp 538–557.Google Scholar
  5. 5.
    S. Agrawal, D. Gupta, H.K. Maji, O. Pandey, M. Prabhakaran, A rate-optimizing compiler for non-malleable codes against bit-wise tampering and permutations, in TCC, (2015), pp. 375–397Google Scholar
  6. 6.
    S. Agrawal, Y. Dodis, V. Vaikuntanathan, D. Wichs, On continual leakage of discrete log representations, in ASIACRYPT, (2013), pp. 401–420Google Scholar
  7. 7.
    J. Alwen, Y. Dodis, D. Wichs, Leakage-resilient public-key cryptography in the bounded-retrieval model, in CRYPTO, (2009), pp. 36–54Google Scholar
  8. 8.
    R. Anderson, M. Kuhn, Tamper resistance: a cautionary note, in WOEC’96: Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce, (USENIX Association, Berkeley, 1996), p. 1Google Scholar
  9. 9.
    B. Applebaum, D. Harnik, Y. Ishai, Semantic security under related-key attacks and applications, in ICS, (2011), pp. 45–60Google Scholar
  10. 10.
    M. Bellare, D. Cash, Pseudorandom functions and permutations provably secure against related-key attacks, in CRYPTO, (2010), pp. 666–684Google Scholar
  11. 11.
    M. Bellare, D. Cash, R. Miller, Cryptography secure against related-key attacks and tampering. In ASIACRYPT, (2011), pp. 486–503Google Scholar
  12. 12.
    M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in EUROCRYPT, (2003), pp. 491–506Google Scholar
  13. 13.
    M. Bellare, K.G. Paterson, S. Thomson. RKA security beyond the linear barrier: IBE, encryption and signatures, in ASIACRYPT, (2012), pp. 331–348Google Scholar
  14. 14.
    R. Bhattacharyya, A. Roy, Secure message authentication against related key attack, in FSE (2013)Google Scholar
  15. 15.
    D. Boneh, R.A. DeMillo, R.J. Lipton, On the importance of eliminating errors in cryptographic computations. J. Cryptol., 14(2):101–119 (2001)Google Scholar
  16. 16.
    D. Boneh, S. Halevi, M. Hamburg, R. Ostrovsky, Circular-secure encryption from decision diffie-hellman, in CRYPTO, (2008), pp. 108–125Google Scholar
  17. 17.
    J. Camenisch, N. Chandran, V. Shoup, A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks, in EUROCRYPT, (2009), pp. 351–368Google Scholar
  18. 18.
    E. Chattopadhyay, D. Zuckerman. Non-malleable codes against constant split-state tampering, in FOCS, (2014), pp. 306–315Google Scholar
  19. 19.
    M. Cheraghchi, V. Guruswami, Capacity of non-malleable codes, in Innovations in Theoretical Computer Science, ITCS, (2014), pp. 155–168Google Scholar
  20. 20.
    M. Cheraghchi, V. Guruswami, Non-malleable coding against bit-wise and split-state tampering, in TCC, (2014), pp. 440–464Google Scholar
  21. 21.
    S.G. Choi, A. Kiayias, T. Malkin, BiTR: Built-in tamper resilience, in ASIACRYPT, (2011), pp. 740–758Google Scholar
  22. 22.
    S. Coretti, Y. Dodis, B. Tackmann, D. Venturi, Non-malleable encryption: simpler, shorter, stronger. IACR Cryptol. ePrint Archive, 772 (2015)Google Scholar
  23. 23.
    S. Coretti, U. Maurer, B. Tackmann, D. Venturi, From single-bit to multi-bit public-key encryption via non-malleable codes, in TCC, (2015), pp. 532–560Google Scholar
  24. 24.
    R. Cramer, Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, University of Amsterdam, (1996)Google Scholar
  25. 25.
    G. Di Crescenzo, R.J. Lipton, S. Walfish, Perfectly secure password protocols in the bounded retrieval model, in TCC, (2006), pp. 225–244Google Scholar
  26. 26.
    D. Dachman-Soled, Y.T. Kalai, Securing circuits against constant-rate tampering, in CRYPTO, (2012), pp. 533–551Google Scholar
  27. 27.
    D. Dachman-Soled, Y.T. Kalai, Securing circuits and protocols against 1/poly(k) tampering rate, in TCC, (2014), pp. 540–565Google Scholar
  28. 28.
    D. Dachman-Soled, F.-H. Liu, E. Shi, H.-S. Zhou, Locally decodable and updatable non-malleable codes and their applications, in TCC, (2015), pp. 427–450Google Scholar
  29. 29.
    I. Damgård, S. Faust, P. Mukherjee, D. Venturi, Bounded tamper resilience: How to go beyond the algebraic barrier, in ASIACRYPT, (2013), pp. 140–160Google Scholar
  30. 30.
    I. Damgård, S. Faust, P. Mukherjee, D. Venturi, The chaining lemma and its application, in ICITS, (2015), pp. 181–196Google Scholar
  31. 31.
    Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs, Cryptography against continuous memory attacks, in FOCS, (2010), pp. 511–520Google Scholar
  32. 32.
    Y. Dodis, K. Haralambiev, A. López-Alt, D. Wichs, Efficient public-key cryptography in the presence of key leakage, in ASIACRYPT, (2010), pp. 613–631Google Scholar
  33. 33.
    Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)Google Scholar
  34. 34.
    S. Dziembowski, Intrusion-resilience via the bounded-storage model, in TCC, (2006), pp. 207–224Google Scholar
  35. 35.
    S. Dziembowski, T. Kazana, M. Obremski, Non-malleable codes from two-source extractors, in CRYPTO, (2013), pp. 239–257Google Scholar
  36. 36.
    S. Dziembowski, T. Kazana, D. Wichs, One-time computable self-erasing functions, in TCC, (2011), pp. 125–143Google Scholar
  37. 37.
    S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes, in ICS, (2010), pp. 434–452Google Scholar
  38. 38.
    S. Faust, M. Kohlweiss, G.A. Marson, D. Venturi, On the non-malleability of the fiat-shamir transform, in INDOCRYPT, (2012), pp. 60–79Google Scholar
  39. 39.
    S. Faust, P. Mukherjee, J.B. Nielsen, D. Venturi, Continuous non-malleable codes, in TCC (2014)Google Scholar
  40. 40.
    S. Faust, P. Mukherjee, J.B. Nielsen, D. Venturi, A tamper and leakage resilient von Neumann architecture, in PKC, (2015), pp. 579–603Google Scholar
  41. 41.
    S. Faust, P. Mukherjee, D. Venturi, D. Wichs, Efficient non-malleable codes and key-derivation for poly-size tampering circuits, in EUROCRYPT, (2014), pp. 111–128Google Scholar
  42. 42.
    S. Faust, K. Pietrzak, D. Venturi, Tamper-proof circuits: How to trade leakage for tamper-resilience. In ICALP (1), (2011), pp. 391–402Google Scholar
  43. 43.
    A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO, (1986), pp. 186–194Google Scholar
  44. 44.
    M. Fischlin, R. Fischlin, The representation problem based on factoring, in CT-RSA, (2002), pp. 96–113Google Scholar
  45. 45.
    D. Genkin, Y. Ishai, M. Prabhakaran, A. Sahai, E. Tromer, Circuits resilient to additive attacks with applications to secure computation, in STOC, (2014), pp. 495–504Google Scholar
  46. 46.
    R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, T. Rabin, Algorithmic tamper-proof (ATP) security: theoretical foundations for security against hardware tampering, in TCC, (2004), pp. 258–277Google Scholar
  47. 47.
    V. Goyal, A. O’Neill, V. Rao, Correlated-input secure hash functions, in TCC, (2011), pp. 182–200Google Scholar
  48. 48.
    J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures, in ASIACRYPT, (2006), pp. 444–459Google Scholar
  49. 49.
    L.C. Guillou, J.-J. Quisquater, A “paradoxical” identity-based signature scheme resulting from zero-knowledge, in CRYPTO, (1988), pp. 216–231Google Scholar
  50. 50.
    Y. Ishai, M. Prabhakaran, A. Sahai, D. Wagner, Private circuits II: keeping secrets in tamperable circuits, in EUROCRYPT, (2006), pp. 308–327Google Scholar
  51. 51.
    Z. Jafargholi, D. Wichs, Tamper detection and continuous non-malleable codes, in TCC, (2015), pp. 451–480,Google Scholar
  52. 52.
    Y.T. Kalai, B. Kanukurthi, A. Sahai, Cryptography with tamperable and leaky memory, in CRYPTO, (2011), pp. 373–390Google Scholar
  53. 53.
    J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience, In ASIACRYPT, (2009), pp. 703–720Google Scholar
  54. 54.
    A. Kiayias, Y. Tselekounis, Tamper resilient circuits: the adversary at the gates, in ASIACRYPT, (2013), pp. 161–180Google Scholar
  55. 55.
    F.-H. Liu, A. Lysyanskaya, Tamper and leakage resilience in the split-state model, in CRYPTO, (2012), pp. 517–532Google Scholar
  56. 56.
    S. Lucks, Ciphers secure against related-key attacks, in FSE, (2004), pp. 359–370Google Scholar
  57. 57.
    M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage, in CRYPTO, (2009), pp. 18–35Google Scholar
  58. 58.
    T. Okamoto, Provably secure and practical identification schemes and corresponding signature schemes, in CRYPTO, (1992), pp. 31–53Google Scholar
  59. 59.
    K. Pietrzak, Subspace LWE, in TCC, (2012), pp. 548–563Google Scholar
  60. 60.
    S. Pohlig, M. Hellman, An improved algorithm for computing logarithms over and its cryptographic significance. IEEE Trans. Inform. Theory, 24(1), 106–110 (1978)Google Scholar
  61. 61.
    B. Qin, S. Liu, T.H. Yuen, R.H. Deng, K. Chen, Continuous non-malleable key derivation and its application to related-key security, in PKC, (2015), pp. 557–578Google Scholar
  62. 62.
    H. Wee, Public key encryption against related key attacks, in PKC, (2012), pp. 262–279Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Ivan Damgård
    • 1
  • Sebastian Faust
    • 2
  • Pratyay Mukherjee
    • 1
  • Daniele Venturi
    • 3
    Email author
  1. 1.Department of Computer ScienceAarhus UniversityAarhusDenmark
  2. 2.Horst Görtz InstituteRuhr-University BochumBochumGermany
  3. 3.Department of Computer ScienceSapienza University of RomeRomeItaly

Personalised recommendations