On Provable Security of wPRF-Based Leakage-Resilient Stream Ciphers

Maciej Skórski

doi:10.1007/978-3-319-26059-4_22

ProvSec 2015: Provable Security pp 391-411 | Cite as

On Provable Security of wPRF-Based Leakage-Resilient Stream Ciphers

Authors
Authors and affiliations

Maciej SkórskiEmail author

Conference paper

First Online: 28 November 2015

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9451)

Abstract

Weak pseudorandom functions (wPRFs) found an important application as main building blocks for leakage-resilient ciphers (EUROCRYPT’09 and later works). Several security bounds, based on different techniques and different assumptions, were given to those stream ciphers. The aim of this paper is twofold. First, we present a clear comparison of quantitatively different security bounds in the literature, obtained by means of time-to-success ratio analysis. Second, we revisit the current proof techniques and answer the natural question of how far we are from meaningful and provable security guarantees, when instantiating weak PRFs with standard primitives (block ciphers or hash functions). In particular, we attempt to fix some flaws in the recent analysis of the EUROCRYPT’09 stream cipher (TCC’14), applying new proof techniques to the problem of simulating auxiliary inputs. For one bit of leakage, for the first time, we achieve meaningful security of 60 bits when the cipher is build on the AES.

Keywords

Leakage-resilient cryptography Stream ciphers Simulating side information Convex approximation

This is a preview of subscription content, to check access.

Supplementary material

Open image in new window

A Proof of Theorem 1

We notice that we are looking for the biggest value $k'$ such that for every $(s',\epsilon ')$ satysfying $s'\geqslant 1,\ \epsilon '\geqslant 0,\ 2^{k'}\geqslant s'/\epsilon '$ there exist some values $(s,\epsilon )$ such that $s\geqslant 1$, $\epsilon \geqslant 0$, $s'\leqslant p(s,\epsilon )$, $\epsilon '\geqslant q(s,\epsilon )$ and $2^{k}\geqslant s/\epsilon $. For given values $(s',\epsilon ')$ we can choose $(s,\epsilon )$ so that the ratio $s'/\epsilon '$ is possibly maximal, provided that the constraint $s/\epsilon \leqslant 2^k$ is satisfied. Next, we chose the worst $(s',\epsilon ')$ to obtain the worst-case guarantees as in Definition 4. Thuss, we maximize over the choice of profiles $(s,\epsilon )$ for P, and then minimize over profiles $(s',\epsilon ')$ for $P'$.

B Proof of Theorem 2

Proof

Consider the program in Theorem 1. In our setting we have

$$\begin{aligned} \begin{array}{l} p(s,\epsilon ) = s\cdot c\epsilon ^{C} - b\epsilon ^{-B} \\ q(s,\epsilon ) = a\epsilon ^A \end{array} \end{aligned}$$

The constraint $s' \geqslant 1$ is equivalent to

$$\begin{aligned} s \geqslant c^{-1}(1+b\epsilon ^{-B})\epsilon ^{-C} \end{aligned}$$

(6)

Thus, the all constraints on s can be written as

$$\begin{aligned} c^{-1}(1+b\epsilon ^{-B})\epsilon ^{-C} \leqslant s,\quad s \leqslant 2^{k}\epsilon ,\quad s'\leqslant p(s,\epsilon ). \end{aligned}$$

By definition $p(\cdot )$ is increasing in s. Therefore we can assume that

$$\begin{aligned} s\epsilon ^{-1} = 2^{k}. \end{aligned}$$

(7)

The constraint $\epsilon '\geqslant 0$ reduces to $\epsilon \geqslant 0$. Thus, the all constraints with $\epsilon $ are

$$\begin{aligned} 0 \leqslant \epsilon ,\quad s \leqslant 2^{k}\epsilon ,\quad q(s,\epsilon ) \leqslant \epsilon ' \end{aligned}$$

Since $q(\cdot )$ is increasing, we can assume that $\epsilon ' = q(s,\epsilon )$, or in other words that

$$\begin{aligned} \epsilon ' = a\epsilon ^A. \end{aligned}$$

(8)

Given Eqs. (7) and (8) the maximum part of the optimization is eliminated. Our task reduces to minimizing the following expression

$$\begin{aligned} \frac{s'}{\epsilon '}&= s\cdot \frac{c}{a}\epsilon ^{C-A} - \frac{b}{a}\epsilon ^{-B-A} = \epsilon ^{-A}\left( \frac{c}{a}\cdot 2^k\epsilon ^{C+1} - \frac{b}{a}\epsilon ^{-B}\right) . \end{aligned}$$

over $(s',\epsilon ')$ or equivalenty over $s,\epsilon $ (given the equalities (7) and (8)), provided that Eq. (6) is satisfied. Thus we obtain the following problem

$$\begin{aligned} \begin{array}{rl} \underset{\epsilon }{\mathrm {minimize}} &{} \quad a^{-1}\epsilon ^{-A}\left( 2^k c\cdot \epsilon ^{C+1} - b\epsilon ^{-B}\right) \\ \text {s.t.} &{} \quad 2^k c\cdot \epsilon ^{C+1} - b\epsilon ^{-B} \geqslant 1. \end{array} \end{aligned}$$

(9)

Now everything depends on the behavior of the objective function

$$\begin{aligned} f(u) = \frac{2^k c}{a}\cdot u^{C+1-A} - \frac{b}{a} \cdot u^{-B-A} \end{aligned}$$

However the condition (4) implies that f(u) is increasing. Thus, it attains its minimum on the boundary point, which is given by

$$\begin{aligned} 2^k c\cdot \epsilon ^{C+1} - b\epsilon ^{-B} =1 . \end{aligned}$$

(10)

The objective function evaluated at this point gives us

$$\begin{aligned} f(\epsilon ) = a^{-1}\epsilon ^{-A} \end{aligned}$$

(11)

Note that from Eq. (10) it follows that

$$\begin{aligned} 2^kc\cdot \epsilon ^{B+C+1} = b+\epsilon ^{B} \end{aligned}$$

If $b\geqslant 1$ we obtain $\epsilon ^{B+C+1} \approx 2^{-k} b c^{-1}$ (up to a multiplicative factor of at most 2). If $b=0$ then $\epsilon ^{C+1} \approx 2^{-k}c^{-1}$.

C Proof of Theorem 4

We give a proof for real-valued circuits of size s. This class can be simulated by probabilistic boolean distinguishers of size $\approx s$.

Proof

We first show how to build a simulator $h=h^{\textsc {D}}$ for one circuit $\textsc {D}$.

Claim 1

(A perfect simulator for any fixed real-valued distinguisher). For any [0, 1]-valued $\textsc {D}$ of size s there exists a function $h_{\textsc {D}}:\mathcal {X}\rightarrow \{0,1\}^\lambda $ of complexity $O\left( s\cdot 2^{\lambda } \right) $ such that $ {{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) = {{\mathrm{\mathbb {E}}}}\textsc {D}(X,h(X))$.

Proof

(of Claim 1 ). Let ${h}^{+}_{\textsc {D}}$ and ${h}^{-}_{\textsc {D}}$ be functions such that

$$\begin{aligned} \textsc {D}( x, {h}^{-}_{\textsc {D}}(x)) = \min _{z} \textsc {D}(x,z), \quad \textsc {D}(x, {h}^{+}_{\textsc {D}}(x)) = \max _{z} \textsc {D}(x,z) \end{aligned}$$

Both functions can be computed by enumerating over all $z\in \{0,1\}^{\lambda }$, using $2\cdot 2^{\lambda }$ calls to $\textsc {D}$. For any X, Z we have

$$\begin{aligned} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\leftarrow X} \textsc {D}(x, h^{-}_{\textsc {D}}(x)) \leqslant {{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) \leqslant \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\leftarrow X} \textsc {D}(x, h^{+}_{\textsc {D}}(x) ) \end{aligned}$$

Therefore there exists a number $\gamma _{\textsc {D}} \in [0,1]$ such that

$$\begin{aligned} {{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) = \gamma _{\textsc {D}} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\leftarrow X} \textsc {D}(x, h^{-}_{\textsc {D}}(x)) + (1-\gamma _{\textsc {D}})\mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\leftarrow X} \textsc {D}(x,h^{+}_{\textsc {D}}(x)). \end{aligned}$$

We define $h(x)=h_{\textsc {D}}(x)$ as follows: sample $r\in [0,1]$; if $r\leqslant \gamma $ then we output $h^{-}_{\textsc {D}}(x)$ else we output $h^{+}_{\textsc {D}}(x)$.

Now we apply the min-max theorem in a standard way, changing quantifiers.

Claim 2

(One simulator for all distinguishers). There exists a distribution $\overline{{h}}$ on functions h of complexity $O\left( s\cdot 2^\lambda \right) $ such that $\left| {{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) - {{\mathrm{\mathbb {E}}}}_{h\leftarrow \bar{h}}\textsc {D}(X,h(X))\right| \leqslant \epsilon $ for all $\textsc {D}$ of size $s\epsilon ^2$.

Proof

By a standard application of the min-max theorem combined with the Chernoff Bound (see [BSW03] for this technique) we get that there is a distribution $\overline{h}$ such that for all $\textsc {D}$ of size $s\epsilon ^2$ we have ${{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) - {{\mathrm{\mathbb {E}}}}_{h\leftarrow \bar{h}}\textsc {D}(X,h(X)) \leqslant \epsilon $. Since this holds for $\textsc {D}$ and $\textsc {D}^c$ for any $\textsc {D}$ of size s, the result follows.

In the last step we approximate this possibly inefficient simulator.

Claim 3

(One efficient simulator for all distinguishers). There exists a simulator $\mathsf {h}$ of complexity $O\left( s\cdot 2^{2\lambda }\epsilon ^{-2} \right) $ such that $|{{\mathrm{\mathbb {E}}}}\textsc {D}(X,Z) - {{\mathrm{\mathbb {E}}}}\textsc {D}(X,h(X))| \leqslant 2\epsilon $ for all $\textsc {D}$ of size $s\epsilon ^2$.

Proof

(Proof of Claim 3 ). Let $h_0$ be the inefficient simulator guaranteed by Claim 2. We know that $h_0$ for every pair (x, z) satisfies

$$\begin{aligned} \mathbf {P}_{X,h_0(X)}(x,z) = \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{h\leftarrow \bar{h}}\mathbf {P}_{X,h(X)}(x,z) \end{aligned}$$

(12)

Fix a number t and sample $h_j \leftarrow \bar{h}$ for $j=1,\ldots ,t$. For a fixed choice of $h_1,\ldots ,h_t$ we define the randomized function $\tilde{\mathsf {h}}(x)$ as follows: $\mathbf {P}_{\tilde{\mathsf {h}}(x)}(z) = t^{-1}\sum _{j=1}^{t}\mathbf {P}_{\mathsf {h}_j(x)}(z)$ (it simply takes $i\leftarrow \{1,\ldots ,t\}$ and outputs $h_i$). Below we assume that x is sampled according to X. Let us compute

$$\begin{aligned} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{\{h_j\}_{j=1}^{t}}\mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x}\left\| \mathbf {P}_{\mathsf {\tilde{h}}(x)}(\cdot )- \mathbf {P}_{\bar{h}(x)}(\cdot )\right\| _2^2&= t^{-2} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x}\mathop {{{\mathrm{\mathbb {E}}}}}\limits _{\{h_i\}_{i=1}^{t}}\left\| \sum _{j=1}^{t}\left( \mathbf {P}_{h_j(x)}(\cdot )- \mathbf {P}_{\bar{h}(x)}(\cdot )\right) \right\| ^{2}_2 \nonumber \\ =&\,\, t^{-2} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x }\left[ \sum _{j=1}^{t} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{h_j}\left\| \mathbf {P}_{h_j(x)}(\cdot )- \mathbf {P}_{\bar{h}(x)}(\cdot )\right\| ^{2}_2\right] \nonumber \\ =&\,\, t^{-1} \left( \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{h\leftarrow \bar{h}} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x }\left\| \mathbf {P}_{h(x)}(\cdot ) \right\| ^2_2 - \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x}\left\| \mathbf {P}_{\bar{h}(x)}(\cdot ) \right\| ^2_2\right) . \end{aligned}$$

Therefore for some choice of $h_1,\ldots ,h_t$ we have

$$\begin{aligned} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x}\left\| \mathbf {P}_{\tilde{\mathsf {h}}(x)}(\cdot )- \mathbf {P}_{\bar{h}(x)}(\cdot )\right\| _2^2 \leqslant \frac{1}{t} \end{aligned}$$

(13)

Note that the simple probabilistic proof of Eq. (13) resembles the proof of Maurey-Jones-Barron Theorem (see Lemma 1 in [Bar93]) on approximating convex hulls in Hilbert spaces. Using the triangle inequality, the fact that $|\textsc {D}(\cdot ,\cdot ) | \leqslant 1$ and inequality between the first and the second norm

$$\begin{aligned} \left| {{\mathrm{\mathbb {E}}}}\textsc {D}(X,\tilde{\mathsf {h}}(X))-{{\mathrm{\mathbb {E}}}}\textsc {D}(X,\bar{h}(X))\right|&\leqslant \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x }\left| {{\mathrm{\mathbb {E}}}}\textsc {D}(x,\tilde{\mathsf {h}}(x))-{{\mathrm{\mathbb {E}}}}\textsc {D}(x,\bar{h}(x)) \right| \nonumber \\&\leqslant \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x}\left\| \mathbf {P}_{\tilde{\mathsf {h}}(x)}(\cdot )-\mathbf {P}_{\bar{h}(x)} (\cdot ) \right\| _1 \nonumber \\&\leqslant 2^{\lambda /2}\cdot \left( \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x }\left\| \mathbf {P}_{\tilde{\mathsf {h}}(x)}(\cdot )-\mathbf {P}_{\bar{h}(x)}(\cdot ) \right\| _2\right) ^{\frac{1}{2}} \end{aligned}$$

(14)

Combining Eqs. (13) and (14) we get for some choices of $h_1,\ldots ,h_{t}$

$$\begin{aligned} \left| {{\mathrm{\mathbb {E}}}}\textsc {D}(X,\tilde{\mathsf {h}}(X))-{{\mathrm{\mathbb {E}}}}\textsc {D}(X,\bar{h}(X))\right| \leqslant \left( 2^{\lambda }t^{-1}\right) ^{\frac{1}{2}} \end{aligned}$$

(15)

Setting $t = 2^{\lambda }\epsilon ^{-2}$ we finish the proof.

The result follows now directly from Claim 3.

D Proof of Theorem 5

Below we prove our Theorem 5. The claimed security of the EUROCRYPT’09 stream cipher follows by Remark 3. For technical convenience, we will prove that for every $g:\mathcal {X}\times \mathcal {Z}\rightarrow [0,1]$ satisfying $\sum _{z}g(x,z)=1$ for every x, and for every distinguisher class $\mathcal {D}$ there exists h satisfying the same restrictions as g, being of complexity $O(\epsilon ^{-2})$ with respect to $\mathcal {D}$, and such that

$$\begin{aligned} \left| \sum _{z} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\sim X} \left[ \textsc {D}(x,z)\cdot ( g(x,z)-h(x,z) ) \right] \right| \leqslant \epsilon \end{aligned}$$

(16)

for every $\textsc {D}\in \mathcal {D}$. To this end, it suffices to prove

$$\begin{aligned} \sum _{z} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\sim X} \left[ \textsc {D}(x,z)\cdot ( g(x,z)-h(x,z) ) \right] \leqslant \epsilon \end{aligned}$$

(17)

for every $\textsc {D}\in \mathcal {D}\cup -\mathcal {D}$ (where the class $-\mathcal {D}$ contains all the functions from $\mathcal {D}$ taken with the negative sign). Given this, the result follows by taking g to be a randomized function such that $\Pr [g(x)=z] = \Pr [X=x|Z=z]$. The sketch of the construction is shown in Algorithm 1

Proof

Consider ${h}^{t}$. Denote for shortness $\overline{\textsc {D}}^{t}(x,z)=\textsc {D}^{t}(x,z)-{{\mathrm{\mathbb {E}}}}_{z'\leftarrow U_{\mathcal {Z}}}\textsc {D}(x,z')$ and $\tilde{h}^{t+1}(x,z) \overset{def}{=} h^{t}(x,z)+\gamma \cdot \overline{\textsc {D}}^{t+1}(x,z)$. According to Algorithm 1, we have

$$\begin{aligned} {h}^{t+1}(x,z) = {h}^{t}(x,z) + \gamma \cdot \overline{\textsc {D}}^{t+1}(x,z) + \theta ^{t+1}(x,z) \end{aligned}$$

(18)

with the correction term $\theta ^{t+1}(x,z)$ computed as (see Line 13 in Algorithm 1)

$$\begin{aligned} \begin{array}{rl} \theta ^{t,0}(x,z) &{} = 0 \\ \theta ^{t+1}(x,z) &{} = \left\{ \begin{array}{rl} -\min \left( h^{t}(x,z) + \gamma \cdot \overline{\textsc {D}}^{t+1}(x,z),0\right) , &{} \text { if } z= z_{\text {min}}^{t}(x)\\ {\min \left( h^{t}(x,z_{\text {min}}^{t}(x))+\gamma \cdot \overline{\textsc {D}}^{t+1}(x,z_{\text {min}}^{t}(x)),0\right) } &{} \text { if }z \not = z_{\text {min}}^{t}(x) \end{array} \right. \quad t=0,1,\ldots \end{array} \end{aligned}$$

(19)

where $z_{\text {min}}^{t}(x)$ is one of the points z minimizing $ h^{t}(x,z)+\overline{\textsc {D}}^{t+1}(x,z) $. For the sake of concreteness we can choose it to have the smallest Hamming weight

$$\begin{aligned} z_{\text {min}}^{t}(x) \in \mathrm {argmin}_{z}\left\{ h^{t}(x,z)+\gamma \cdot \overline{\textsc {D}}^{t+1}(x,z) \right\} \end{aligned}$$

(20)

In particular

$$\begin{aligned} h^{t}(x,z_{\text {min}}^{t}(x)))+\gamma \overline{\textsc {D}}^{t+1}(x,z_{\text {min}}^{t}(x)) < 0 \Longleftrightarrow \exists z: \ h^{t}(x,z)+\gamma \overline{\textsc {D}}^{t+1}(x,z)<0 \end{aligned}$$

(21)

Notation. For notational convenience we indenify the functions $\overline{\textsc {D}}^{t}(x,z)$, $\theta ^{t}(x,z)$, $\tilde{h}^{t}(x,z)$ and $h^{t}(x,z)$ with matrices where x are columns and z are rows.

Claim 4

(Complextity of Algorithm 1). T executions of the “while loop” can be realized with time $O\left( T \cdot \mathrm {size}(\mathcal {D})\right) $ and memory O(1)⁴.

Claim 5

(Energy function). Define the auxiliary function

$$\begin{aligned} \varDelta ^{t} = \sum _{i=0}^{t-1} \mathop {{{\mathrm{\mathbb {E}}}}}\limits _{x\sim X} \left[ \overline{\textsc {D}}^{i+1}_x\cdot \left( g_x-h^{i}_x\right) \right] . \end{aligned}$$

(22)

Then we have $ \varDelta ^{t} = E_1 + E_2 $ where

$$\begin{aligned} \begin{array}{l} E_1 =\frac{1}{\gamma }{{\mathrm{\mathbb {E}}}}_{x\sim X}\left[ \left( h^{t}_x-h^{0}_x\right) \cdot g_x + \frac{1}{2}\sum \nolimits _{i=0}^{t-1}\left( h^{i+1}_x - h^{i}_x\right) ^2-\frac{1}{2}\left( \left( h^{t}_x\right) ^2-\left( h^{0}_x\right) ^2 \right) \right] \\ E_2 = \frac{1}{\gamma }{{\mathrm{\mathbb {E}}}}_{x\sim X}\left[ -\sum \nolimits _{i=0}^{t-1} \theta ^{i+1}_x\cdot \left( g_x-h^{i+1}_x\right) - \sum \nolimits _{i=0}^{t-1} \theta ^{i+1}_x\cdot \left( h^{i+1}_x-h^{i}_x\right) \right] \end{array} \end{aligned}$$

(23)

The proof is based on simple algebraic manipulations and is ommited.

Remark 4

(Technical issues and intuitions). From Eq. (23) it is clear that we need two important properties

(a)

Boundness of correction terms, that is $|\theta ^{i}(x.z)| = O(\gamma )$.
(b)

Acute angle between the correction and error vectors, that is $\theta ^{i}_x\cdot (g_x-h^{i}_x) \geqslant 0$.

Indeed, with these assumptions we can prove that

$$\begin{aligned} E_1 + E_2 = O \left( t \gamma + \gamma ^{-1}\right) . \end{aligned}$$

Since in the other hand we have $t\epsilon \leqslant \varDelta ^{t} $, setting $\gamma = \epsilon $ we get that the algorithm terminates after $T = O(\epsilon ^{-2})$ steps. We stress that it outputs a probability measure, because in the final round the (only) negative mass is corrected. We also note that condition (b) means that mass cuts should go in the right direction, as it is much simpler to prove that Algorithm 1 terminates when there are no correction terms $\theta ^{t}$; thus we don’t want to go in a wrong direction and ruin the energy gain. Property (a) is trivial, concrete bounds on (b) are given in Claim 6.

Claim 6

(The angle formed by the correction and the difference vector is acute). For every x, t we have $\textsf {Angle}\left( \theta ^{t+1}_x,g_x-{h}^{t+1}_x\right) \in \left[ -\frac{\pi }{2},\frac{\pi }{2}\right] $.

Proof

(of Claim 6 ). If $\theta ^{t+1}(x,z) = 0$ then there is nothing to prove. Suppose that $\theta ^{t+1}(x,z) < 0$. Let $z_0=z_{\text {min}}^{t}(x)$ (see Eq. (20)) and $z_1=1-z_0$. According to Eq. (19) we have $\theta ^{t+1}(x,z_0) = -\tilde{h}^{t+1}(x,z_0)$ and $\theta ^{t+1}(x,z_1) = \tilde{h}^{t+1}(x,z_0)$. Therefore

$$\begin{aligned} \theta ^{t+1}_x\cdot \left( g_x-\tilde{h}^{t+1}_x\right)&= -\tilde{h}^{t+1}(x,z_0)\left( g(x,z_0)-\tilde{h}^{t+1}(x,z_0)\right) \nonumber \\&\quad +\tilde{h}^{t+1}(x,z_0)\left( g(x,z_1)-\tilde{h}^{t+1}(x,z_1)\right) \nonumber \\&= -2\tilde{h}^{t+1}(x,z_0)\left( g(x,z_0)-\tilde{h}^{t+1}(x,z_0)\right) . \end{aligned}$$

(24)

and

$$\begin{aligned} -\theta ^{t+1}_x\cdot \theta ^{t+1}_x = -2 \tilde{h}^{t+1}(x,z_0)\cdot \tilde{h}^{t+1}(x,z_0). \end{aligned}$$

(25)

Adding Eqs. (24) and (25) by sides we obtain

$$\begin{aligned} \theta ^{t+1}_x\cdot \left( g_x-h^{t+1}_x\right)&= \theta ^{t+1}_x\cdot \left( g_x-\tilde{h}^{t+1}_x\right) -\theta ^{t+1}_x\cdot \theta ^{t+1}_x = -2\tilde{h}^{t+1}(x,z_0)\cdot g(x,z_0) \end{aligned}$$

which is non-negative because $\tilde{h}^{t+1}(x,z_0)<0$ and $g(x,z_0) \geqslant 0$. This proves Claim 6.

Proof

The result follows now by combining the claims, as discussed. The problem with extending the algorithm to many bits is the complexity of the correction term. Having two points we have only one way to rearrange the mass.

References

ADW09.
Alwen, J., Dodis, Y., Wichs, D.: Survey: leakageresilience and the bounded retrieval model (2009)Google Scholar
Bar93.
Barron, A.R.: Universal approximation bounds for superpositions of a sigmoidal function. IEEE Trans. Inf. Theory 39, 930–945 (1993)MathSciNetCrossRefMATHGoogle Scholar
BBKN12.
Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. In: Proceedings of the IEEE (2012)Google Scholar
BL13.
Buldas, A., Laanoja, R.: Security proofs for hash tree time-stamping using hash functions with small output size. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 235–250. Springer, Heidelberg (2013) CrossRefGoogle Scholar
BR96.
Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996) CrossRefGoogle Scholar
BSW03.
Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: Arora, S., Jansen, K., Rolim, J.D.P., Sahai, A. (eds.) RANDOM 2003 and APPROX 2003. LNCS, vol. 2764, pp. 200–215. Springer, Heidelberg (2003) Google Scholar
CDH+00.
Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., Sahai, A.: Exposure-resilient functions and all-or-nothing transforms. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 453. Springer, Heidelberg (2000) CrossRefGoogle Scholar
DGK+10.
Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010) CrossRefGoogle Scholar
DKL09.
Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: STOC (2009)Google Scholar
DP08.
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS (2008)Google Scholar
DP10.
Dodis, Y., Pietrzak, K.: Leakage-resilient pseudorandom functions and side-channel attacks on feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 21–40. Springer, Heidelberg (2010) CrossRefGoogle Scholar
DSS01.
Dodis, Y., Sahai, A., Smith, A.: On perfect and adaptive security in exposure-resilient cryptography. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 301–324. Springer, Heidelberg (2001) CrossRefGoogle Scholar
DTT09.
De, A., Trevisan, L., Tulsiani, M.: Non-uniform attacks against one-way functions and prgs. In: ECCC, vol. 16, p. 113 (2009)Google Scholar
DY13.
Dodis, Y., Yu, Y.: Overcoming weak expectations. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 1–22. Springer, Heidelberg (2013) CrossRefGoogle Scholar
FPS12.
Faust, S., Pietrzak, K., Schipper, J.: Practical leakage-resilient symmetric cryptography. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 213–232. Springer, Heidelberg (2012) CrossRefGoogle Scholar
HSH+08.
Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Cal, J.A., Feldman, A.J., Felten, E.W.: Least we remember: cold boot attacks on encryption keys. USENIX (2008)Google Scholar
ISW03.
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003) CrossRefGoogle Scholar
JP14.
Jetchev, D., Pietrzak, K.: How to fake auxiliary input. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 566–590. Springer, Heidelberg (2014) CrossRefGoogle Scholar
KJJ99.
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
Koc96.
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996) Google Scholar
LM94.
Luby, M.G., Michael, L.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton (1994) MATHGoogle Scholar
Mol10.
Mol, P.: Leakage-resilient cryptography: a survey of recent advances 2010. http://cseweb.ucsd.edu/~pmol/Documents/RE.pdf
MR04.
Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004) CrossRefGoogle Scholar
MS11.
Medwed, M., Standaert, F.-X.: Extractors against side-channel attacks: weak or strong? In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 256–272. Springer, Heidelberg (2011) CrossRefGoogle Scholar
MSJ12.
Medwed, M., Standaert, F.-X., Joux, A.: Towards super-exponential side-channel security with efficient leakage-resilient PRFs. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 193–212. Springer, Heidelberg (2012) CrossRefGoogle Scholar
Pie09.
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009) CrossRefGoogle Scholar
Pie15.
Pietrzak, K.: Private communication (2015)Google Scholar
Sta10.
Standaert, F.-X.: How leaky is an extractor? In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 294–304. Springer, Heidelberg (2010) CrossRefGoogle Scholar
VZ13.
Vadhan, S., Zheng, C.J.: A uniform min-max theorem with applications in cryptography. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 93–110. Springer, Heidelberg (2013) CrossRefGoogle Scholar
YS13.
Yu, Y., Standaert, F.-X.: Practical leakage-resilient pseudorandom objects with minimum public randomness. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 223–238. Springer, Heidelberg (2013) CrossRefGoogle Scholar
YSPY10.
Yu, Y., Standaert, F.-X., Pereira, O., Yung, M.: Practical leakage-resilient pseudorandom generators. In: CCS (2010)Google Scholar

Copyright information

Authors and Affiliations

Maciej Skórski
- 1
Email author

1.Cryptology and Data Security GroupUniversity of WarsawWarsawPoland

On Provable Security of wPRF-Based Leakage-Resilient Stream Ciphers

Abstract

Keywords

Supplementary material

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper