Efficient Public-Key Cryptography in the Presence of Key Leakage

  • Yevgeniy Dodis
  • Kristiyan Haralambiev
  • Adriana López-Alt
  • Daniel Wichs
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6477)


We study the design of cryptographic primitives resistant to a large class of side-channel attacks, called “memory attacks”, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. Although the study of such primitives was initiated only recently by Akavia et al. [2], subsequent work already produced many such “leakage-resilient” primitives [48,4,42], including signature, encryption, identification (ID) and authenticated key agreement (AKA) schemes. Unfortunately, every existing scheme, — for any of the four fundamental primitives above, — fails to satisfy at least one of the following desirable properties:

  • Efficiency. While the construction may be generic, it should have some efficient instantiations, based on standard cryptographic assumptions, and without relying on random oracles.

  • Strong Security. The construction should satisfy the strongest possible definition of security (even in the presence of leakage). For example, encryption schemes should be secure against chosen ciphertext attack (CCA), while signatures should be existentially unforgeable.

  • Leakage Flexibility. It should be possible to set the scheme parameters so that the leakage bound ℓ can come arbitrarily close to the secret-key size.

In this work we design the first signature, encryption, ID and AKA schemes which overcome these limitations, and satisfy all the properties above. Moreover, all our constructions are generic, in several cases elegantly simplifying and generalizing the prior constructions (which did not have any efficient instantiations). We also introduce several tools of independent interest, such as the abstraction (and constructions) of true-simulation extractable NIZK arguments, and a new deniable DH-based AKA protocol based on any CCA-secure encryption.


Encryption Scheme Signature Scheme Random Oracle Decryption Oracle Choose Ciphertext Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    In: Proceedings of 44th Symposium on Foundations of Computer Science (FOCS 2003), IEEE Computer Society, Los Alamitos (2003)Google Scholar
  2. 2.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert [28], pp. 113–134 (2010)Google Scholar
  4. 4.
    Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi [35], pp. 36–54 (2009)Google Scholar
  5. 5.
    Alwen, J., Dodis, Y., Wichs, D.: Survey: Leakage resilience and the bounded retrieval model. In: Kurosawa, K. (ed.) Information Theoretic Security. LNCS, vol. 5973, pp. 1–18. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  6. 6.
    Ballard, L., Green, M., de Medeiros, B., Monrose, F.: Correlation-resistant storage via keyword-searchable encryption. Cryptology ePrint Archive, Report 2005/417 (2005)Google Scholar
  7. 7.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)Google Scholar
  8. 8.
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC, pp. 103–112. ACM, New York (1988)Google Scholar
  9. 9.
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)Google Scholar
  10. 10.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults (extended abstract). In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  11. 11.
    Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux [39], pp. 351–368 (2009)Google Scholar
  12. 12.
    Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., Sahai, A.: Exposure-resilient functions and all-or-nothing transforms. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 453–469. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. 13.
    Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: STOC, pp. 494–503 (2002)Google Scholar
  14. 14.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  15. 15.
    Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Crescenzo, G.D., Lipton, R.J., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi [36], pp. 225–244 (2006)Google Scholar
  17. 17.
    Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio [47], pp. 361–381 (2010)Google Scholar
  18. 18.
    Dodis, Y., Haralambiev, K., Lopez-Alt, A., Wichs, D.: Efficient public-key cryptography in the presence of key leakage. Cryptology ePrint Archive, Report 2010/154 (2010)Google Scholar
  19. 19.
    Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: Mitzenmacher, M. (ed.) STOC, pp. 621–630. ACM, New York (2009)Google Scholar
  20. 20.
    Dodis, Y., Sahai, A., Smith, A.: On perfect and adaptive security in exposure-resilient cryptography. In: Pfitzmann [52], pp. 301–324 (2001)Google Scholar
  21. 21.
    Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi and Rabin [36], pp. 207–224 (2006)Google Scholar
  22. 22.
    Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302. IEEE Computer Society, Los Alamitos (2008)Google Scholar
  23. 23.
    Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.N.: Leakage-resilient signatures. In: Micciancio [47], pp. 343–360 (2010)Google Scholar
  24. 24.
    Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from leakage: the computationally-bounded and noisy cases. In: Gilbert [28], pp. 135–156 (2010)Google Scholar
  25. 25.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  26. 26.
    Galbraith, S.D., Rotger, V.: Easy decision-diffie-hellman groups. LMS Journal of Computation and Mathematics 7 (2004)Google Scholar
  27. 27.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  28. 28.
    Gilbert, H. (ed.): EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010)zbMATHGoogle Scholar
  29. 29.
    Goldwasser, S., Kalai, Y., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: Innovations in Computer Science, ICS (2010)Google Scholar
  30. 30.
    Goldwasser, S., Kalai, Y.T.: On the (in)security of the fiat-shamir paradigm. In: FOCS [1], p. 102 (2003)Google Scholar
  31. 31.
    Groth, J.: Simulation-sound nizk proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  32. 32.
    Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  34. 34.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. ACM Commun. 52(5), 91–98 (2009)CrossRefGoogle Scholar
  35. 35.
    Halevi, S. (ed.): CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  36. 36.
    Halevi, S., Rabin, T. (eds.): TCC 2006. LNCS, vol. 3876. Springer, Heidelberg (2006)zbMATHGoogle Scholar
  37. 37.
    Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  38. 38.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  39. 39.
    Joux, A. (ed.): EUROCRYPT 2009. LNCS, vol. 5479. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  40. 40.
    Juma, A., Vahlis, Y.: Protecting cryptographic keys against continual leakage. In: Rabin, T. (ed.) Advances in Cryptology – CRYPTO 2010. LNCS, vol. 6223, pp. 41–58. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  41. 41.
    Kamp, J., Zuckerman, D.: Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. In: FOCS [1], pp. 92–101 (2003)Google Scholar
  42. 42.
    Katz, J., Vaikuntanathan, V.: Signature schemes with bounded leakage resilience. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 703–720. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  43. 43.
    Kocher, P.C.: Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  44. 44.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  45. 45.
    Lindell, Y.: A simpler construction of cca2-secure public-keyencryption under general assumptions. J. Cryptology 19(3), 359–377 (2006)zbMATHCrossRefMathSciNetGoogle Scholar
  46. 46.
    Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  47. 47.
    Micciancio, D. (ed.): TCC 2010. LNCS, vol. 5978. Springer, Heidelberg (2010)zbMATHGoogle Scholar
  48. 48.
    Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi [35], pp. 18–35 (2009)Google Scholar
  49. 49.
    Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437. ACM, New York (1990)Google Scholar
  50. 50.
    Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: FOCS, pp. 563–572. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  51. 51.
    Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: Gabow, H.N., Fagin, R. (eds.) STOC, pp. 533–542. ACM, New York (2005)Google Scholar
  52. 52.
    Pfitzmann, B. (ed.): EUROCRYPT 2001. LNCS, vol. 2045. Springer, Heidelberg (2001)zbMATHGoogle Scholar
  53. 53.
    Pietrzak, K.: A leakage-resilient mode of operation. In: Joux [39], pp. 462–482 (2009)Google Scholar
  54. 54.
    Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (ema): Measures and counter-measures for smart cards. In: Attali, I., Jensen, T.P. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  55. 55.
    Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  56. 56.
    Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS, pp. 543–553 (1999)Google Scholar
  57. 57.
    Santis, A.D., Crescenzo, G.D., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  58. 58.
    Santis, A.D., Persiano, G.: Zero-knowledge proofs of knowledge without interaction (extended abstract). In: FOCS, pp. 427–436. IEEE, Los Alamitos (1992)Google Scholar
  59. 59.
    Scott, M.: Authenticated id-based key exchange and remote log-in with simple token and pin number. Cryptology ePrint Archive, Report 2002/164 (2002)Google Scholar
  60. 60.
    Shacham, H.: A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007)Google Scholar
  61. 61.
    Verheul, E.R.: Evidence that xtr is more secure than supersingular elliptic curve cryptosystems. J. Cryptology 17(4), 277–296 (2004)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Yevgeniy Dodis
    • 1
  • Kristiyan Haralambiev
    • 1
  • Adriana López-Alt
    • 1
  • Daniel Wichs
    • 1
  1. 1.New York UniversityUSA

Personalised recommendations