TCC 2011: Theory of Cryptography pp 58-69

# Parallel Repetition for Leakage Resilience Amplification Revisited

• Abhishek Jain
• Krzysztof Pietrzak
Conference paper

DOI: 10.1007/978-3-642-19571-6_5

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6597)
Cite this paper as:
Jain A., Pietrzak K. (2011) Parallel Repetition for Leakage Resilience Amplification Revisited. In: Ishai Y. (eds) Theory of Cryptography. TCC 2011. Lecture Notes in Computer Science, vol 6597. Springer, Berlin, Heidelberg

## Abstract

If a cryptographic primitive remains secure even if ℓ bits about the secret key are leaked to the adversary, one would expect that at least one of n independent instantiations of the scheme remains secure given n·ℓ bits of leakage. This intuition has been proven true for schemes satisfying some special information-theoretic properties by Alwen et al. [Eurocrypt’10]. On the negative side, Lewko and Waters [FOCS’10] construct a CPA secure public-key encryption scheme for which this intuition fails.

The counterexample of Lewko and Waters leaves open the interesting possibility that for any scheme there exists a constant c > 0 such that n-fold repetition remains secure against c·n·ℓ bits of leakage. Furthermore, their counterexample requires the n copies of the encryption scheme to share a common reference parameter, leaving open the possibility that the intuition is true for all schemes without common setup.

In this work we give a stronger counterexample ruling out these possibilities. We construct a signature scheme such that:

1. A single instantiation remains secure given ℓ = log(k) bits of leakage, where k is the security parameter.

2. Any polynomial number of independent instantiations can be broken (in the strongest sense, key recovery) given ℓ′ = poly(k) bits of leakage. Note that ℓ′ does not depend on the number of instances.

The computational assumption underlying our counterexample is that non-interactive computationally sound proofs exist. Moreover, under a stronger (non-standard) assumption about such proofs, our counterexample does not require a common reference parameter.

The underlying idea of our counterexample is rather generic and can be applied to other primitives like encryption schemes.