Parallel Repetition for Leakage Resilience Amplification Revisited

  • Abhishek Jain
  • Krzysztof Pietrzak
Conference paper

DOI: 10.1007/978-3-642-19571-6_5

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6597)
Cite this paper as:
Jain A., Pietrzak K. (2011) Parallel Repetition for Leakage Resilience Amplification Revisited. In: Ishai Y. (eds) Theory of Cryptography. TCC 2011. Lecture Notes in Computer Science, vol 6597. Springer, Berlin, Heidelberg


If a cryptographic primitive remains secure even if ℓ bits about the secret key are leaked to the adversary, one would expect that at least one of n independent instantiations of the scheme remains secure given n·ℓ bits of leakage. This intuition has been proven true for schemes satisfying some special information-theoretic properties by Alwen et al. [Eurocrypt’10]. On the negative side, Lewko and Waters [FOCS’10] construct a CPA-secure public-key encryption scheme for which this intuition fails.

The counterexample of Lewko and Waters leaves open the interesting possibility that for any scheme there exists a constant c > 0 such that n-fold repetition remains secure against c·n·ℓ bits of leakage. Furthermore, their counterexample requires the n copies of the encryption scheme to share a common reference parameter, leaving open the possibility that the intuition is true for all schemes without common setup.

In this work we give a stronger counterexample ruling out these possibilities. We construct a signature scheme such that:

  1. a single instantiation remains secure given ℓ = log(k) bits of leakage where k is a security parameter.

  2. any polynomial number of independent instantiations can be broken (in the strongest sense of key-recovery) given ℓ′ = poly(k) bits of leakage. Note that ℓ′ does not depend on the number of instances.


The computational assumption underlying our counterexample is that non-interactive computationally sound proofs exist. Moreover, under a stronger (non-standard) assumption about such proofs, our counterexample does not require a common reference parameter.

The underlying idea of our counterexample is rather generic and can be applied to other primitives like encryption schemes.


Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Abhishek Jain (UCLA, USA)
  • Krzysztof Pietrzak (CWI, Amsterdam, Netherlands)
