45 research outputs found
Leakage-Resilient Cryptography
We construct a stream-cipher SC whose \emph{implementation} is secure even if arbitrary (adversely chosen) information on the internal state of SC is leaked during computation. This captures \emph{all} possible side-channel attacks on SC where the amount of information leaked in a given period is bounded, but overall cankbe arbitrary large, in particular much larger than the internalkstate of SC. The only other assumption we make on the \emph{implementation} of SC is that only data that is accessedkduring computation leaks information. The construction can be based on any pseudorandom generator, and the only computational assumption we make is that this PRG is secure against non-uniform adversaries in the classical sense (i.e. when there are no side-channels).
The stream-cipher SC generates its output in chunks , and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively chose a function before is computed, she then gets where is the internal state of \SC that is accessed during the computation of . One notion of security we prove for \SC is that is indistinguishable from random when given , and also the complete internal state of SC after has been computed (i.e. our cipher is forward-secure).
The construction is based on alternating extraction (previously used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage \leak that we can tolerate in each step depends on the strength of the underlying PRG, it is at least logarithmic, but can be as large as a constant fraction of the internal state of SC if the PRG is exponentially hard
LIPIcs
De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over n-bit strings which has constant statistical distance to uniform (e.g., the output of a pseudorandom generator mapping n-1 to n bit strings), can be distinguished from the uniform distribution with advantage epsilon by a circuit of size O( 2^n epsilon^2). We generalize this result, showing that a distribution which has less than k bits of min-entropy, can be distinguished from any distribution with k bits of delta-smooth min-entropy with advantage epsilon by a circuit of size O(2^k epsilon^2/delta^2). As a special case, this implies that any distribution with support at most 2^k (e.g., the output of a pseudoentropy generator mapping k to n bit strings) can be distinguished from any given distribution with min-entropy k+1 with advantage epsilon by a circuit of size O(2^k epsilon^2). Our result thus shows that pseudoentropy distributions face basically the same non-uniform attacks as pseudorandom distributions
Simulating Auxiliary Inputs, Revisited
For any pair of correlated random variables we can think of as a
randomized function of . Provided that is short, one can make this
function computationally efficient by allowing it to be only approximately
correct. In folklore this problem is known as \emph{simulating auxiliary
inputs}. This idea of simulating auxiliary information turns out to be a
powerful tool in computer science, finding applications in complexity theory,
cryptography, pseudorandomness and zero-knowledge. In this paper we revisit
this problem, achieving the following results:
\begin{enumerate}[(a)] We discuss and compare efficiency of known results,
finding the flaw in the best known bound claimed in the TCC'14 paper "How to
Fake Auxiliary Inputs". We present a novel boosting algorithm for constructing
the simulator. Our technique essentially fixes the flaw. This boosting proof is
of independent interest, as it shows how to handle "negative mass" issues when
constructing probability measures in descent algorithms. Our bounds are much
better than bounds known so far. To make the simulator
-indistinguishable we need the complexity in time/circuit size, which is better by a
factor compared to previous bounds. In particular, with our
technique we (finally) get meaningful provable security for the EUROCRYPT'09
leakage-resilient stream cipher instantiated with a standard 256-bit block
cipher, like .Comment: Some typos present in the previous version have been correcte
Leakage-Resilient Cryptography
We construct a stream-cipher SC whose \emph{implementation} is secure even if arbitrary (adversely chosen) information on the internal state of SC is leaked during computation. This captures \emph{all} possible side-channel attacks on SC where the amount of information leaked in a given period is bounded, but overall cankbe arbitrary large, in particular much larger than the internalkstate of SC. The only other assumption we make on the \emph{implementation} of SC is that only data that is accessedkduring computation leaks information. The construction can be based on any pseudorandom generator, and the only computational assumption we make is that this PRG is secure against non-uniform adversaries in the classical sense (i.e. when there are no side-channels).
The stream-cipher SC generates its output in chunks , and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively chose a function before is computed, she then gets where is the internal state of \SC that is accessed during the computation of . One notion of security we prove for \SC is that is indistinguishable from random when given , and also the complete internal state of SC after has been computed (i.e. our cipher is forward-secure).
The construction is based on alternating extraction (previously used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage \leak that we can tolerate in each step depends on the strength of the underlying PRG, it is at least logarithmic, but can be as large as a constant fraction of the internal state of SC if the PRG is exponentially hard
On the Complexity of Breaking Pseudoentropy
Pseudoentropy has found a lot of important applications to cryptography and complexity theory.
In this paper we focus on the foundational problem that has not been investigated so far, namely
by how much pseudoentropy (the amount seen by computationally bounded attackers) differs from its information-theoretic counterpart (seen by unbounded observers), given certain limits on attacker\u27s computational power?
We provide the following answer for HILL pseudoentropy, which exhibits a \emph{threshold behavior}
around the size exponential in the entropy amount:
\begin{itemize}
\item If the attacker size () and advantage () satisfy where is the claimed amount of pseudoentropy, then the pseudoentropy boils down to the information-theoretic smooth entropy
\item If then pseudoentropy could be arbitrarily bigger than the information-theoretic smooth entropy
\end{itemize}
Besides answering the posted question, we show an elegant application of our result to the complexity theory, namely
that it implies the classical result on the existence of functions hard to approximate (due to Pippenger).
In our approach we utilize non-constructive techniques: the duality of linear programming and the probabilistic method
Leakage-Resilient Cryptography in the Standard Model
We construct a stream-cipher \SC whose \emph{implementation} is
secure even if arbitrary (adversely chosen) information on the
internal state of \SC is leaked during computation. This captures
\emph{all} possible side-channel attacks on \SC where the amount
of information leaked in a given period is bounded, but overall can
be arbitrary large, in particular much larger than the internal
state of \SC. The only other assumption we make on the
\emph{implementation} of \SC is that only data that is accessed
during computation leaks information.
The construction can be based on any pseudorandom generator, and the
only computational assumption we make is that this PRG is secure
against non-uniform adversaries in the classical
sense (i.e. when there are no side-channels).
The stream-cipher \SC generates its output in chunks
, and arbitrary but bounded information leakage is
modeled by allowing the adversary to adaptively chose a function
f_\ell:\bin^*\rightarrow\bin^\lambda before is computed,
she then gets where is the internal
state of \SC that is accessed during the computation of
.
One notion of security we prove for \SC is that
is indistinguishable from random when given ,
and also the complete
internal state of \SC after has been computed
(i.e. our cipher is forward-secure).
The construction is based on alternating extraction (previously
used in the intrusion-resilient secret-sharing scheme from
FOCS\u2707). We move this concept to the computational setting by
proving a lemma that states that the output of any PRG has high HILL
pseudoentropy (i.e. is indistinguishable from some distribution with
high min-entropy) even if arbitrary information about the seed is
leaked. The amount of leakage \leak that we can tolerate in each
step depends on the strength of the underlying PRG, it is at least
logarithmic, but can be as large as a constant fraction of the
internal state of \SC if the PRG is exponentially hard
Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions
Leakage-resilient cryptography aims at formally proving the security of cryptographic implementations against large classes of side-channel adversaries. One important challenge for such an approach to be relevant is to adequately connect the formal models used in the proofs with the practice of side-channel attacks. It raises the fundamental problem of finding reasonable restrictions of the leakage functions that can be empirically verified by evaluation laboratories. In this paper, we first argue that the previous ``bounded leakage requirements used in leakage-resilient cryptography are hard to fulfill by hardware engineers. We then introduce a new, more realistic and empirically verifiable assumption of simulatable leakage, under which security proofs in the standard model can be obtained. We finally illustrate our claims by analyzing the physical security of an efficient pseudorandom generator (for which security could only be proven under a random oracle based assumption so far). These positive results come at the cost of (algorithm-level) specialization, as our new assumption is specifically defined for block ciphers. Nevertheless, since block ciphers are the main building block of many leakage-resilient
cryptographic primitives, our results also open the way towards more realistic constructions and proofs for other pseudorandom objects