Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases

  • Sebastian Faust
  • Tal Rabin
  • Leonid Reyzin
  • Eran Tromer
  • Vinod Vaikuntanathan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6110)


Physical computational devices leak side-channel information that may, and often does, reveal secret internal states. We present a general transformation that compiles any circuit into a new, functionally equivalent circuit which is resilient against well-defined classes of leakage. Our construction requires a small, stateless and computation-independent leak-proof component that draws random elements from a fixed distribution. In essence, we reduce the problem of shielding arbitrarily complex circuits to the problem of shielding a single, simple component.

Our approach is based on modeling the adversary as a powerful observer that inspects the device via a limited measurement apparatus. We allow the apparatus to access all the bits of the computation (except those inside the leak-proof component) and the amount of leaked information to grow unbounded over time. However, we assume that the apparatus is limited either in its computational ability (namely, it lacks the ability to decode certain linear encodings and outputs a limited number of bits per iteration) or in its precision (each observed bit is flipped with some probability). While our results apply to such leakage classes in general, in particular we obtain security against:

  • Constant-depth circuit leakage, where the measurement apparatus can be implemented by an AC^0 circuit (namely, a constant-depth circuit composed of NOT gates and unbounded fan-in AND and OR gates), or an ACC^0[p] circuit (the same as AC^0, except that it may also use MOD p gates), which outputs a limited number of bits.

  • Noisy leakage, where the measurement apparatus reveals all the bits of the state of the circuit, perturbed by independent binomial noise. Namely, each bit of the computation is perturbed with probability p, and remains unchanged with probability 1 − p.
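A worked illustration of the noisy-leakage model above (added here; it is not code from the paper). It assumes, for illustration, that the linear encoding is parity (XOR) sharing of one secret bit into n shares, that the observer sees all n shares once, and that each share is flipped independently with probability p; it computes the exact success probability of the best guess of the secret from that noisy view, (1 + (1-2p)^n)/2, and checks it by simulation.

```python
import random
from math import comb

# Added illustration, not the paper's code. Assumed for illustration only: the
# "linear encoding" is parity (XOR) sharing of one bit into n shares, the
# observer sees every share once, and each share flips independently with prob p.

def parity(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc

def encode(bit, n, rng):
    """Parity encoding: n-1 uniform random shares; the last fixes the XOR to `bit`."""
    shares = [rng.randrange(2) for _ in range(n - 1)]
    shares.append(bit ^ parity(shares))
    return shares

def noisy_view(shares, p, rng):
    """Noisy leakage: each share is flipped independently with probability p."""
    return [s ^ (1 if rng.random() < p else 0) for s in shares]

def guess_success_probability(n, p):
    """Exact success probability of the best guess of the secret bit.
    Given the secret, the shares are uniform with the right parity, so a noisy
    view y = x XOR e reveals nothing beyond parity(e) = parity(y) XOR secret.
    For p < 1/2 the best guess is parity(y); it is right iff an even number of
    shares flipped: sum_{k even} C(n,k) p^k (1-p)^(n-k) = (1 + (1-2p)^n) / 2.
    """
    direct = sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(0, n + 1, 2))
    closed = (1 + (1 - 2 * p) ** n) / 2
    assert abs(direct - closed) < 1e-12  # the two forms must agree
    return closed

def simulate_success_rate(n, p, trials, seed=1):
    """Monte Carlo check: guess parity(noisy view) and count correct guesses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        view = noisy_view(encode(bit, n, rng), p, rng)
        hits += int(parity(view) == bit)
    return hits / trials

def encoding_roundtrips(n, trials, seed=2):
    """Sanity check: without noise, the parity of the shares is the secret bit."""
    rng = random.Random(seed)
    return all(parity(encode(b, n, rng)) == b for b in [0, 1] * trials)
```

The observer's advantage over a coin flip is (1-2p)^n / 2, which vanishes exponentially in the encoding length; the paper's compiler additionally has to protect the computation on encoded values, which this toy does not model.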





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Sebastian Faust (K.U. Leuven ESAT-COSIC/IBBT)
  • Tal Rabin (IBM Research)
  • Leonid Reyzin (Boston University)
  • Eran Tromer (MIT)
  • Vinod Vaikuntanathan (IBM Research)
