187 results sorted by ID

2024/1969 (PDF) Last updated: 2024-12-05
SoK: Security of the Ascon Modes
Charlotte Lefevre, Bart Mennink
Secret-key cryptography

The Ascon authenticated encryption scheme and hash function of Dobraunig et al (Journal of Cryptology 2021) were recently selected as winner of the NIST lightweight cryptography competition. The mode underlying Ascon authenticated encryption (Ascon-AE) resembles ideas of SpongeWrap, but not quite, and various works have investigated the generic security of Ascon-AE, all covering different attack scenarios and with different bounds. This work systemizes knowledge on the mode security of...

2024/1876 (PDF) Last updated: 2024-11-17
Unbounded Leakage-Resilient Encryption and Signatures
Alper Çakan, Vipul Goyal
Foundations

Given the devastating security compromises caused by side-channel attacks on existing classical systems, can we store our private data encoded as a quantum state so that they can be kept private in the face of arbitrary side-channel attacks? The unclonable nature of quantum information allows us to build various quantum protection schemes for cryptographic information such as secret keys. Examples of quantum protection notions include copy-protection, secure leasing, and finally,...

2024/1864 (PDF) Last updated: 2024-11-29
Tweakable ForkCipher from Ideal Block Cipher
Sougata Mandal
Secret-key cryptography

In ASIACRYPT 2019, Andreeva et al. introduced a new symmetric key primitive called the $\textit{forkcipher}$, designed for lightweight applications handling short messages. A forkcipher is a keyed function with a public tweak, featuring fixed-length input and fixed-length (expanding) output. They also proposed a specific forkcipher, ForkSkinny, based on the tweakable block cipher SKINNY, and its security was evaluated through cryptanalysis. Since then, several efficient AEAD and MAC schemes...

2024/1813 (PDF) Last updated: 2024-11-23
Revisiting Leakage-Resilient MACs and Succinctly-Committing AEAD: More Applications of Pseudo-Random Injections
Mustafa Khairallah
Secret-key cryptography

Pseudo-Random Injections (PRIs) have been used in several applications in symmetric-key cryptography, such as in the idealization of Authenticated Encryption with Associated Data (AEAD) schemes, building robust AEAD, and, recently, in converting a committing AEAD scheme into a succinctly committing AEAD scheme. In Crypto 2024, Bellare and Hoang showed that if an AEAD scheme is already committing, it can be transformed into a succinctly committing scheme by encrypting part of the plaintext...

2024/1458 (PDF) Last updated: 2024-09-18
Providing Integrity for Authenticated Encryption in the Presence of Joint Faults and Leakage
Francesco Berti, Itamar Levi
Secret-key cryptography

Passive (leakage exploitation) and active (fault injection) physical attacks pose a significant threat to cryptographic schemes. Although leakage-resistant cryptography is well studied, there is little work on mode-level security in the presence of joint faults and leakage exploiting adversaries. In this paper, we focus on integrity for authenticated encryption (AE). First, we point out that there is an inherent attack in the fault-resilience model presented at ToSC 2023. This shows how...

2024/1432 (PDF) Last updated: 2024-09-13
On Multi-user Security of Lattice-based Signature under Adaptive Corruptions and Key Leakages
Masayuki Fukumitsu, Shingo Hasegawa
Public-key cryptography

We consider the multi-user security under the adaptive corruptions and key leakages ($\rm{MU^{c\&l}}$ security) for lattice-based signatures. Although there exists an $\rm{MU^{c\&l}}$ secure signature based on a number-theoretic assumption, or a leakage-resilient lattice-based signature in the single-user setting, $\rm{MU^{c\&l}}$ secure lattice-based signature is not known. We examine the existing lattice-based signature schemes from the viewpoint of $\rm{MU^{c\&l}}$ security, and find...

2024/1356 (PDF) Last updated: 2024-08-29
Leakage-Resilience of Circuit Garbling
Ruiyang Li, Yiteng Sun, Chun Guo, Francois-Xavier Standaert, Weijia Wang, Xiao Wang
Secret-key cryptography

Due to the ubiquitous requirements and performance leap in the past decade, it has become feasible to execute garbling and secure computations in settings sensitive to side-channel attacks, including smartphones, IoTs and dedicated hardwares, and the possibilities have been demonstrated by recent works. To maintain security in the presence of a moderate amount of leaked information about internal secrets, we investigate $\textit{leakage-resilient garbling}$. We augment the classical privacy,...

2024/1309 (PDF) Last updated: 2024-08-21
R-STELLAR: A Resilient Synthesizable Signature Attenuation SCA Protection on AES-256 with built-in Attack-on-Countermeasure Detection
Archisman Ghosh, Dong-Hyun Seo, Debayan Das, Santosh Ghosh, Shreyas Sen
Applications

Side-channel attacks (SCAs) remain a significant threat to the security of cryptographic systems in modern embedded devices. Even mathematically secure cryptographic algorithms, when implemented in hardware, inadvertently leak information through physical side-channel signatures such as power consumption, electromagnetic (EM) radiation, light emissions, and acoustic emanations. Exploiting these side channels significantly reduces the attacker’s search space. In recent years, physical...

2024/1019 (PDF) Last updated: 2024-06-24
Exploiting Clock-Slew Dependent Variability in CMOS Digital Circuits Towards Power and EM SCA Resilience
Archisman Ghosh, Md. Abdur Rahman, Debayan Das, Santosh Ghosh, Shreyas Sen
Applications

Mathematically secured cryptographic implementations leak critical information in terms of power, EM emanations, etc. Several circuit-level countermeasures are proposed to hinder side channel leakage at the source. Circuit-level countermeasures (e.g., IVR, STELLAR, WDDL, etc) are often preferred as they are generic and have low overhead. They either dither the voltage randomly or attenuate the meaningful signature at $V_{DD}$ port. Although any digital implementation has two generic ports,...

2024/1009 (PDF) Last updated: 2024-08-26
Improved Reductions from Noisy to Bounded and Probing Leakages via Hockey-Stick Divergences
Maciej Obremski, João Ribeiro, Lawrence Roy, François-Xavier Standaert, Daniele Venturi
Attacks and cryptanalysis

There exists a mismatch between the theory and practice of cryptography in the presence of leakage. On the theoretical front, the bounded leakage model, where the adversary learns bounded-length but noiseless information about secret components, and the random probing model, where the adversary learns some internal values of a leaking implementation with some probability, are convenient abstractions to analyze the security of numerous designs. On the practical front, side-channel attacks...

2024/751 (PDF) Last updated: 2024-05-16
Simultaneous Haar Indistinguishability with Applications to Unclonable Cryptography
Prabhanjan Ananth, Fatih Kaleoglu, Henry Yuen
Foundations

Unclonable cryptography is concerned with leveraging the no-cloning principle to build cryptographic primitives that are otherwise impossible to achieve classically. Understanding the feasibility of unclonable encryption, one of the key unclonable primitives, satisfying indistinguishability security in the plain model has been a major open question in the area. So far, the existing constructions of unclonable encryption are either in the quantum random oracle model or are based on new...

2024/339 (PDF) Last updated: 2024-03-04
From Random Probing to Noisy Leakages Without Field-Size Dependence
Gianluca Brian, Stefan Dziembowski, Sebastian Faust
Foundations

Side channel attacks are devastating attacks targeting cryptographic implementations. To protect against these attacks, various countermeasures have been proposed -- in particular, the so-called masking scheme. Masking schemes work by hiding sensitive information via secret sharing all intermediate values that occur during the evaluation of a cryptographic implementation. Over the last decade, there has been broad interest in designing and formally analyzing such schemes. The random probing...

2024/332 (PDF) Last updated: 2024-05-16
Leakage-Tolerant Circuits
Yuval Ishai, Yifan Song
Foundations

A leakage-resilient circuit for $f:\{0,1\}^n\to\{0,1\}^m$ is a randomized Boolean circuit $C$ mapping a randomized encoding of an input $x$ to an encoding of $y=f(x)$, such that applying any leakage function $L\in \cal L$ to the wires of $C$ reveals essentially nothing about $x$. A leakage-tolerant circuit achieves the stronger guarantee that even when $x$ and $y$ are not protected by any encoding, the output of $L$ can be simulated by applying some $L'\in \cal L$ to $x$ and $y$ alone....

2024/294 (PDF) Last updated: 2024-02-21
Multiplex: TBC-based Authenticated Encryption with Sponge-Like Rate
Thomas Peters, Yaobin Shen, François-Xavier Standaert
Secret-key cryptography

Authenticated Encryption (AE) modes of operation based on Tweakable Block Ciphers (TBC) usually measure efficiency in the number of calls to the underlying primitive per message block. On the one hand, many existing solutions reach a primitive-rate of 1, meaning that each n-bit block of message asymptotically needs a single call to the TBC with output length n. On the other hand, while these modes look optimal in a blackbox setting, they become less attractive when leakage comes into play,...

2024/218 (PDF) Last updated: 2024-02-16
Lightweight Leakage-Resilient PRNG from TBCs using Superposition
Mustafa Khairallah, Srinivasan Yadhunathan, Shivam Bhasin
Secret-key cryptography

In this paper, we propose a leakage-resilient pseudo-random number generator (PRNG) design that leverages the rekeying techniques of the PSV-Enc encryption scheme and the superposition property of the Superposition-Tweak-Key (STK) framework. The random seed of the PRNG is divided into two parts; one part is used as an ephemeral key that changes every two calls to a tweakable block cipher (TBC), and the other part is used as a static long-term key. Using the superposition property, we show...

2024/190 (PDF) Last updated: 2024-02-08
Constructing Committing and Leakage-Resilient Authenticated Encryption
Patrick Struck, Maximiliane Weishäupl
Secret-key cryptography

The main goal of this work is to construct authenticated encryption (AE) that is both committing and leakage-resilient. As a first approach for this we consider generic composition as a well-known method for constructing AE schemes. While the leakage resilience of generic composition schemes has already been analyzed by Barwell et al. (AC'17), for committing security this is not the case. We fill this gap by providing a separate analysis of the generic composition paradigms with respect to...

2023/1965 (PDF) Last updated: 2023-12-28
More Efficient Public-Key Cryptography with Leakage and Tamper Resilience
Shuai Han, Shengli Liu, Dawu Gu
Public-key cryptography

In this paper, we study the design of efficient signature and public-key encryption (PKE) schemes in the presence of both leakage and tampering attacks. Firstly, we formalize the strong leakage and tamper-resilient (sLTR) security model for signature, which provides strong existential unforgeability, and deals with bounded leakage and restricted tampering attacks, as a counterpart to the sLTR security introduced by Sun et al. (ACNS 2019) for PKE. Then, we present direct constructions...

2023/1520 (PDF) Last updated: 2024-04-09
Kirby: A Robust Permutation-Based PRF Construction
Charlotte Lefevre, Yanis Belkheyar, Joan Daemen
Secret-key cryptography

We present a construction, called Kirby, for building a variable-input-length pseudorandom function (VIL-PRF) from a $b$-bit permutation. For this construction we prove a tight bound of $b/2$ bits of security on the PRF distinguishing advantage in the random permutation model and in the multi-user setting. Similar to full-state keyed sponge/duplex, it supports full-state absorbing and additionally supports full-state squeezing, while the sponge/duplex can squeeze at most $b-c$ bits per...

2023/1401 (PDF) Last updated: 2024-11-05
On the Multi-User Security of LWE-based NIKE
Roman Langrehr
Public-key cryptography

Non-interactive key exchange (NIKE) schemes like the Diffie-Hellman key exchange are a widespread building block in several cryptographic protocols. Since the Diffie-Hellman key exchange is not post-quantum secure, it is important to investigate post-quantum alternatives. We analyze the security of the LWE-based NIKE by Ding et al. (ePrint 2012) and Peikert (PQCrypt 2014) in a multi-user setting where the same public key is used to generate shared keys with multiple other users. The...

2023/1373 (PDF) Last updated: 2024-10-10
Reframing and Extending the Random Probing Expandibility to Make Probing-Secure Compilers Tolerate a Constant Noise
Giuseppe Manzoni
Foundations

In the context of circuits leaking the internal state due to hardware side-channels, the $p$-random probing model has an adversary who can see the value of each wire with probability $p$. In this model, for a fixed $p$, it is possible to reach an arbitrary security by 'expanding' a stateless circuit via iterated compilation, reaching a security of $2^{-\kappa}$ with a polynomial size in $\kappa$. An artifact of the existing proofs of the expansion is that the worst security is assumed for...

2023/1220 (PDF) Last updated: 2024-10-15
Quasilinear Masking to Protect ML-KEM Against Both SCA and FIA
Pierre-Augustin Berthet, Yoan Rougeolle, Cédric Tavernier, Jean-Luc Danger, Laurent Sauvage

The recent technological advances in Post-Quantum Cryptography (PQC) raise the questions of robust implementations of new asymmetric cryptography primitives in today's technology. This is the case for the lattice-based Module Lattice-Key Encapsulation Mechanism (ML-KEM) algorithm which is proposed by the National Institute of Standards and Technology (NIST) as the first standard for Key Encapsulation Mechanism (KEM), taking inspiration from CRYSTALS-Kyber. We must ensure that the ML-KEM...

2023/1213 (PDF) Last updated: 2023-12-05
Fallen Sanctuary: A Higher-Order and Leakage-Resilient Rekeying Scheme
Rei Ueno, Naofumi Homma, Akiko Inoue, Kazuhiko Minematsu
Secret-key cryptography

This paper presents a provably secure, higher-order, and leakage-resilient (LR) rekeying scheme named LR Rekeying with Random oracle Repetition (LR4), along with a quantitative security evaluation methodology. Many existing LR primitives are based on a concept of leveled implementation, which still essentially require a leak-free sanctuary (i.e., differential power analysis (DPA)-resistant component(s)) for some parts. In addition, although several LR pseudorandom functions (PRFs) based on...

2023/1143 (PDF) Last updated: 2023-07-24
Combined Fault and Leakage Resilience: Composability, Constructions and Compiler
Sebastian Berndt, Thomas Eisenbarth, Sebastian Faust, Marc Gourjon, Maximilian Orlt, Okan Seker

Real-world cryptographic implementations nowadays are not only attacked via classical cryptanalysis but also via implementation attacks, including passive attacks (observing side-channel information about the inner computation) and active attacks (inserting faults into the computation). While countermeasures exist for each type of attack, countermeasures against combined attacks have only been considered recently. Masking is a standard technique for protecting against passive side-channel...

2023/1017 (PDF) Last updated: 2023-09-15
Stronger Lower Bounds for Leakage-Resilient Secret Sharing
Charlotte Hoffmann, Mark Simkin
Foundations

Threshold secret sharing allows a dealer to split a secret $s$ into $n$ shares, such that any $t$ shares allow for reconstructing $s$, but no $t-1$ shares reveal any information about $s$. Leakage-resilient secret sharing requires that the secret remains hidden, even when an adversary additionally obtains a limited amount of leakage from every share. Benhamouda et al. (CRYPTO'18) proved that Shamir's secret sharing scheme is one bit leakage-resilient for reconstruction threshold...

2023/1007 (PDF) Last updated: 2023-06-28
On Provable White-Box Security in the Strong Incompressibility Model
Estuardo Alpirez Bock, Chris Brzuska, Russell W. F. Lai
Foundations

Incompressibility is a popular security notion for white-box cryptography and captures that a large encryption program cannot be compressed without losing functionality. Fouque, Karpman, Kirchner and Minaud (FKKM) defined strong incompressibility, where a compressed program should not even help to distinguish encryptions of two messages of equal length. Equivalently, the notion can be phrased as indistinguishability under chosen-plaintext attacks and key-leakage (LK-IND-CPA), where the...

2023/920 (PDF) Last updated: 2024-07-01
Beware Your Standard Cells! On Their Role in Static Power Side-Channel Attacks
Jitendra Bhandari, Likhitha Mankali, Mohammed Nabeel, Ozgur Sinanoglu, Ramesh Karri, Johann Knechtel
Applications

Static or leakage power, which is especially prominent in advanced technology nodes, enables so-called static power side-channel attacks (S-PSCA). While countermeasures exist, they often incur considerable overheads. Besides, hardware Trojans represent another threat. Although the interplay between static power, down-scaling of technology nodes, and the vulnerability to S-PSCA is already established, an important detail was not covered yet: the role of the components at the heart of this...

2023/805 (PDF) Last updated: 2023-06-01
New Bounds on the Local Leakage Resilience of Shamir's Secret Sharing Scheme
Ohad Klein, Ilan Komargodski
Foundations

We study the local leakage resilience of Shamir's secret sharing scheme. In Shamir's scheme, a random polynomial $f$ of degree $t$ is sampled over a field of size $p>n$, conditioned on $f(0)=s$ for a secret $s$. Any $t$ shares $(i, f(i))$ can be used to fully recover $f$ and thereby $f(0)$. But, any $t-1$ evaluations of $f$ at non-zero coordinates are completely independent of $f(0)$. Recent works ask whether the secret remains hidden even if say only 1 bit of information is leaked from each...

2023/705 (PDF) Last updated: 2023-05-26
Deniable Cryptosystems: Simpler Constructions and Achieving Leakage Resilience
Zhiyuan An, Haibo Tian, Chao Chen, Fangguo Zhang
Public-key cryptography

Deniable encryption (Canetti et al. CRYPTO ’97) is an intriguing primitive, which provides security guarantee against coercion by allowing a sender to convincingly open the ciphertext into a fake message. Despite the notable result by Sahai and Waters STOC ’14 and other efforts in functionality extension, all the deniable public key encryption (DPKE) schemes suffer from intolerable overhead due to the heavy building blocks, e.g., translucent sets or indistinguishability obfuscation. Besides,...

2023/410 (PDF) Last updated: 2023-10-24
Unbounded Leakage-Resilience and Intrusion-Detection in a Quantum World
Alper Cakan, Vipul Goyal, Chen-Da Liu-Zhang, João Ribeiro
Foundations

Can an adversary hack into our computer and steal sensitive data such as cryptographic keys? This question is almost as old as the Internet and significant effort has been spent on designing mechanisms to prevent and detect hacking attacks. Once quantum computers arrive, will the situation remain the same or can we hope to live in a better world? We first consider ubiquitous side-channel attacks, which aim to leak side information on secret system components, studied in the...

2023/153 (PDF) Last updated: 2023-02-09
Almost Tight Multi-User Security under Adaptive Corruptions & Leakages in the Standard Model
Shuai Han, Shengli Liu, Dawu Gu
Public-key cryptography

In this paper, we consider tight multi-user security under adaptive corruptions, where the adversary can adaptively corrupt some users and obtain their secret keys. We propose generic constructions for a bunch of primitives, and the instantiations from the matrix decision Diffie-Hellman (MDDH) assumptions yield the following schemes: (1) the first digital signature (SIG) scheme achieving almost tight strong EUF-CMA security in the multi-user setting with adaptive corruptions in the...

2023/050 (PDF) Last updated: 2023-07-17
Exploiting Intermediate Value Leakage in Dilithium: A Template-Based Approach
Alexandre Berzati, Andersson Calle Viera, Maya Chartouny, Steven Madec, Damien Vergnaud, David Vigilant
Attacks and cryptanalysis

This paper presents a new profiling side-channel attack on CRYSTALS-Dilithium, the new NIST primary standard for quantum-safe digital signatures. An open source implementation of CRYSTALS-Dilithium is already available, with constant-time property as a consideration for side-channel resilience. However, this implementation does not protect against attacks that exploit intermediate data leakage. We show how to exploit a new leakage on a vector generated during the signing process, for which...

2022/1524 (PDF) Last updated: 2022-11-07
Shielding Probabilistically Checkable Proofs: Zero-Knowledge PCPs from Leakage Resilience
Mor Weiss
Foundations

Probabilistically Checkable Proofs (PCPs) allow a randomized verifier, with oracle access to a purported proof, to probabilistically verify an input statement of the form "$x\in\mathcal{L}$" by querying only few proof bits. Zero-Knowledge PCPs (ZK-PCPs) enhance standard PCPs to additionally guarantee that the view of any (possibly malicious) verifier querying a bounded number of proof bits can be efficiently simulated up to a small statistical distance. The first ZK-PCP construction of...

2022/1340 (PDF) Last updated: 2023-05-23
Understanding the Duplex and Its Security
Bart Mennink
Secret-key cryptography

At SAC 2011, Bertoni et al. introduced the keyed duplex construction as a tool to build permutation based authenticated encryption schemes. The construction was generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). Daemen et al. (ASIACRYPT 2017) generalized it further to cover much more use cases, and proved security of this general construction, and Dobraunig and Mennink (ASIACRYPT 2019) derived a leakage resilience security bound for this construction. Due to its...

2022/1292 (PDF) Last updated: 2022-09-28
Bet-or-Pass: Adversarially Robust Bloom Filters
Moni Naor, Noa Oved
Foundations

A Bloom filter is a data structure that maintains a succinct and probabilistic representation of a set $S\subseteq U$ of elements from a universe $U$. It supports approximate membership queries. The price of the succinctness is allowing some error, namely false positives: for any $x\notin S$, it might answer 'Yes' but with a small (non-negligible) probability. When dealing with such data structures in adversarial settings, we need to define the correctness guarantee and formalize the...

2022/1231 (PDF) Last updated: 2022-09-16
Continuously Non-Malleable Codes against Bounded-Depth Tampering
Gianluca Brian, Sebastian Faust, Elena Micheli, Daniele Venturi
Foundations

Non-malleable codes (Dziembowski, Pietrzak and Wichs, ICS 2010 & JACM 2018) allow protecting arbitrary cryptographic primitives against related-key attacks (RKAs). Even when using codes that are guaranteed to be non-malleable against a single tampering attempt, one obtains RKA security against poly-many tampering attacks at the price of assuming perfect memory erasures. In contrast, continuously non-malleable codes (Faust, Mukherjee, Nielsen and Venturi, TCC 2014) do not suffer from this...

2022/1055 (PDF) Last updated: 2022-11-26
Exploring Integrity of AEADs with Faults: Definitions and Constructions
Sayandeep Saha, Mustafa Khairallah, Thomas Peyrin
Secret-key cryptography

Implementation-based attacks are major concerns for modern cryptography. For symmetric-key cryptography, a significant amount of exploration has taken place in this regard for primitives such as block ciphers. Concerning symmetric-key operating modes, such as Authenticated Encryption with Associated Data (AEAD), the state-of-the-art mainly addresses the passive Side-Channel Attacks (SCA) in the form of leakage resilient cryptography. So far, only a handful of work address Fault Attacks (FA)...

2022/649 (PDF) Last updated: 2022-05-25
IBE with Incompressible Master Secret and Small Identity Secrets
Nico Döttling, Sanjam Garg, Sruthi Sekar, Mingyuan Wang
Public-key cryptography

Side-stepping the protection provided by cryptography, exfiltration attacks are becoming a considerable real-world threat. With the goal of mitigating the exfiltration of cryptographic keys, big-key cryptosystems have been developed over the past few years. These systems come with very large secret keys which are thus hard to exfiltrate. Typically, in such systems, the setup time must be large as it generates the large secret key. However, subsequently, the encryption and decryption...

2022/593 Last updated: 2022-05-25
On the Security Proof of CKO+21 Secret Sharing Scheme
Yupu Hu, Shanshan Zhang, Baocang Wang, Siyue Dong
Cryptographic protocols

On CRYPTO2021, Nishanth Chandran, Bhavana Kanukurthi, Sai Lakshmi Bhavana Obattu, and Sruthi Sekar presented a novel secret sharing scheme, called CKO+21 scheme. This scheme makes use of Shamir secret sharing schemes and randomness extractors as its basic components, to generate a multi-layer encapsulation structure. The authors claimed that CKO+21 scheme satisfied “leakage resilience”, that is, the privacy still held under both “not enough revealing” and “appropriate leakage”. More...

2022/497 (PDF) Last updated: 2022-04-28
Protecting Distributed Primitives against Leakage: Equivocal Secret Sharing and More
Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Mor Weiss
Applications

Leakage-resilient cryptography aims to protect cryptographic primitives from so-called "side channel attacks" that exploit their physical implementation to learn their input or secret state. Starting from the works of Ishai, Sahai and Wagner (CRYPTO'03) and Micali and Reyzin (TCC'04), most works on leakage-resilient cryptography either focus on protecting general computations, such as circuits or multiparty computation protocols, or on specific non-interactive primitives such as storage,...

2022/461 (PDF) Last updated: 2022-05-16
Information Leakage in Code-based Masking: A Systematic Evaluation by Higher-Order Attacks
Wei Cheng, Sylvain Guilley, Jean-Luc Danger
Implementation

Code-based masking is a recent line of research on masking schemes aiming at provably counteracting side-channel attacks. It generalizes and unifies many masking schemes within a coding-theoretic formalization. In code-based masking schemes, the tuning parameters are the underlying linear codes, whose choice significantly affects the side-channel resilience. In this paper, we investigate the exploitability of the information leakage in code-based masking and present attack-based evaluation...

2022/023 (PDF) Last updated: 2022-01-08
Transitional Leakage in Theory and Practice - Unveiling Security Flaws in Masked Circuits
Nicolai Müller, David Knichel, Pascal Sasdrich, Amir Moradi
Applications

Accelerated by the increased interconnection of highly accessible devices, the demand for effective and efficient protection of hardware designs against SCA is ever rising, causing its topical relevance to remain immense in both, academia and industry. Among a wide range of proposed countermeasures against SCA, masking is a highly promising candidate due to its sound foundations and well-understood security requirements. In addition, formal adversary models have been introduced, aiming to...

2021/1340 (PDF) Last updated: 2022-11-29
TEDT2 - Highly Secure Leakage-resilient TBC-based Authenticated Encryption
Eik List
Secret-key cryptography

Leakage-resilient authenticated encryption (AE) schemes received considerable attention during the previous decade. Two core security models of bounded and unbounded leakage have evolved, where the latter has been motivated in a very detailed and practice-oriented manner. In that setting, designers often build schemes based on (tweakable) block ciphers due to the small state size, such as the recent two-pass AE scheme TEDT from TCHES 1/2020. TEDT is interesting due to its high security...

2021/1250 (PDF) Last updated: 2021-09-20
Efficient Leakage-Resilient MACs without Idealized Assumptions
Francesco Berti, Chun Guo, Thomas Peters, François-Xavier Standaert
Secret-key cryptography

The security proofs of leakage-resilient MACs based on symmetric building blocks currently rely on idealized assumptions that hardly translate into interpretable guidelines for the cryptographic engineers implementing these schemes. In this paper, we first present a leakage-resilient MAC that is both efficient and secure under standard and easily interpretable black box and physical assumptions. It only requires a collision resistant hash function and a single call per message...

2021/1128 (PDF) Last updated: 2021-09-06
Continuously Non-Malleable Secret Sharing: Joint Tampering, Plain Model and Capacity
Gianluca Brian, Antonio Faonio, Daniele Venturi
Foundations

We study non-malleable secret sharing against joint leakage and joint tampering attacks. Our main result is the first threshold secret sharing scheme in the plain model achieving resilience to noisy-leakage and continuous tampering. The above holds under (necessary) minimal computational assumptions (i.e., the existence of one-to-one one-way functions), and in a model where the adversary commits to a fixed partition of all the shares into non-overlapping subsets of at most $t-1$ shares...

2021/802 (PDF) Last updated: 2022-09-19
On Secret Sharing, Randomness, and Random-less Reductions for Secret Sharing
Divesh Aggarwal, Eldon Chung, Maciej Obremski, João Ribeiro
Foundations

Secret-sharing is one of the most basic and oldest primitives in cryptography, introduced by Shamir and Blakely in the 70s. It allows to strike a meaningful balance between availability and confidentiality of secret information. It has a host of applications most notably in threshold cryptography and multi-party computation. All known constructions of secret sharing (with the exception of those with a pathological choice of parameters) require access to uniform randomness. In practice, it...

2021/717 (PDF) Last updated: 2023-05-30
Ablation Analysis for Multi-device Deep Learning-based Physical Side-channel Analysis
Lichao Wu, Yoo-Seung Won, Dirmanto Jap, Guilherme Perin, Shivam Bhasin, Stjepan Picek
Implementation

Deep learning-based side-channel analysis is an effective way of performing profiling attacks on power and electromagnetic leakages, even against targets protected with countermeasures. While many research papers have reported successful results, they typically focus on profiling and attacking a single device, assuming that leakages are similar between devices of the same type. However, this assumption is not always realistic due to variations in hardware and measurement setups, creating...

2021/614 (PDF) Last updated: 2021-05-17
Unprovability of Leakage-Resilient Cryptography Beyond the Information-Theoretic Limit
Rafael Pass
Foundations

In recent years, leakage-resilient cryptography---the design of cryptographic protocols resilient to bounded leakage of honest players' secrets---has received significant attention. A major limitation of known provably-secure constructions (based on polynomial hardness assumptions) is that they require the secrets to have sufficient actual (i.e., information-theoretic), as opposed to computational, min-entropy even after the leakage. In this work, we present barriers to provably-secure...

2021/606 (PDF) Last updated: 2022-07-15
ZK-PCPs from Leakage-Resilient Secret Sharing
Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Mor Weiss
Foundations

Zero-Knowledge PCPs (ZK-PCPs; Kilian, Petrank, and Tardos, STOC '97) are PCPs with the additional zero-knowledge guarantee that the view of any (possibly malicious) verifier making a bounded number of queries to the proof can be efficiently simulated up to a small statistical distance. Similarly, ZK-PCPs of Proximity (ZK-PCPPs; Ishai and Weiss, TCC '14) are PCPPs in which the view of an adversarial verifier can be efficiently simulated with few queries to the input. Previous ZK-PCP...

2021/402 (PDF) Last updated: 2021-03-27
Leakage Resilient Value Comparison With Application to Message Authentication
Christoph Dobraunig, Bart Mennink

Side-channel attacks are a threat to secrets stored on a device, especially if an adversary has physical access to the device. As an effect of this, countermeasures against such attacks for cryptographic algorithms are a well-researched topic. In this work, we deviate from the study of cryptographic algorithms and instead focus on the side-channel protection of a much more basic operation, the comparison of a known attacker-controlled value with a secret one. Comparisons sensitive to...

2021/186 (PDF) Last updated: 2021-03-02
Leakage-resilience of the Shamir Secret-sharing Scheme against Physical-bit Leakages
Hemanta K. Maji, Hai H. Nguyen, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang
Foundations

Efficient Reed-Solomon code reconstruction algorithms, for example, by Guruswami and Wootters (STOC--2016), translate into local leakage attacks on Shamir secret-sharing schemes over characteristic-2 fields. However, Benhamouda, Degwekar, Ishai, and Rabin (CRYPTO--2018) showed that the Shamir secret sharing scheme over prime-fields is leakage resilient to one-bit local leakage if the reconstruction threshold is roughly 0.87 times the total number of parties. In several application scenarios,...

2020/1517 (PDF) Last updated: 2021-06-28
Constructing Locally Leakage-resilient Linear Secret-sharing Schemes
Hemanta Maji, Anat Paskin-Cherniavsky, Tom Suad, Mingyuan Wang
Foundations

Innovative side-channel attacks have repeatedly falsified the assumption that cryptographic implementations are opaque black-boxes. Therefore, it is essential to ensure cryptographic constructions' security even when information leaks via unforeseen avenues. One such fundamental cryptographic primitive is the secret-sharing schemes, which underlies nearly all threshold cryptography. Our understanding of the leakage-resilience of secret-sharing schemes is still in its preliminary stage. This...

2020/1455 (PDF) Last updated: 2020-11-19
An Analytic Attack Against ARX Addition Exploiting Standard Side-Channel Leakage
Yan Yan, Elisabeth Oswald, Srinivas Vivek
Implementation

In the last few years a new design paradigm, the so-called ARX (modular addition, rotation, exclusive-or) ciphers, has gained popularity in part because of their non-linear operation's seemingly 'inherent resilience' against Differential Power Analysis (DPA) Attacks: the non-linear modular addition is not only known to be a poor target for DPA attacks, but also the computational complexity of DPA-style attacks grows exponentially with the operand size and thus DPA-style attacks quickly...

2020/1353 (PDF) Last updated: 2020-11-27
Adaptive-secure identity-based inner-product functional encryption and its leakage-resilience
Linru Zhang, Xiangning Wang, Yuechen Chen, Siu-Ming Yiu
Public-key cryptography

There are lots of applications of inner-product functional encryption (IPFE). In this paper, we consider two important extensions of it. One is to enhance IPFE with access control such that only users with a pre-defined identity are allowed to compute the inner product, referred to as identity-based inner-product functional encryption (IBIPFE). We formalize the definition of IBIPFE, and propose the first adaptive-secure IBIPFE scheme from Decisional Bilinear Diffie-Hellman (DBDH) assumption. In...

2020/1083 (PDF) Last updated: 2020-10-02
A Fast and Compact RISC-V Accelerator for Ascon and Friends
Stefan Steinegger, Robert Primas
Implementation

Ascon-p is the core building block of Ascon, the winner in the lightweight category of the CAESAR competition. With ISAP, another Ascon-p-based AEAD scheme is currently competing in the 2nd round of the NIST lightweight cryptography standardization project. In contrast to Ascon, ISAP focuses on providing hardening/protection against a large class of implementation attacks, such as DPA, DFA, SFA, and SIFA, entirely on mode-level. Consequently, Ascon-p can be used to realize a wide range of...

2020/1024 (PDF) Last updated: 2022-03-28
Factoring and Pairings are not Necessary for iO: Circular-Secure LWE Suffices
Zvika Brakerski, Nico Döttling, Sanjam Garg, Giulio Malavolta
Foundations

We construct indistinguishability obfuscation (iO) solely under circular-security properties of encryption schemes based on the Learning with Errors (LWE) problem. Circular-security assumptions were used before to construct (non-leveled) fully-homomorphic encryption (FHE), but our assumption is stronger and requires circular randomness-leakage-resilience. In contrast with prior works, this assumption can be conjectured to be post-quantum secure; yielding the first provably secure iO...

2020/960 (PDF) Last updated: 2020-08-11
Retrofitting Leakage Resilient Authenticated Encryption to Microcontrollers
Florian Unterstein, Marc Schink, Thomas Schamberger, Lars Tebelmann, Manuel Ilg, Johann Heyszl
Cryptographic protocols

The security of Internet of Things (IoT) devices relies on fundamental concepts such as cryptographically protected firmware updates. In this context attackers usually have physical access to a device and therefore side-channel attacks have to be considered. This makes the protection of required cryptographic keys and implementations challenging, especially for commercial off-the-shelf (COTS) microcontrollers that typically have no hardware countermeasures. In this work, we demonstrate how...

2020/771 (PDF) Last updated: 2020-06-24
Leakage-Resilient Key Exchange and Two-Seed Extractors
Xin Li, Fermi Ma, Willy Quach, Daniel Wichs
Foundations

Can Alice and Bob agree on a uniformly random secret key without having any truly secret randomness to begin with? Here we consider a setting where Eve can get partial leakage on the internal state of both Alice and Bob individually before the protocol starts. They then run a protocol using their states without any additional randomness and need to agree on a shared key that looks uniform to Eve, even after observing the leakage and the protocol transcript. We focus on non-interactive (one...

2020/736 (PDF) Last updated: 2024-01-18
Forward Security under Leakage Resilience, Revisited
Suvradip Chakraborty, Harish Karthikeyan, Adam O'Neill, C. Pandu Rangan
Public-key cryptography

As both notions employ the same key-evolution paradigm, Bellare et al. (CANS 2017) study combining forward security with leakage resilience. The idea is for forward security to serve as a hedge in case at some point the full key gets exposed from the leakage. In particular, Bellare et al. combine forward security with *continual* leakage resilience, dubbed FS+CL. Our first result improves on Bellare et al.'s FS+CL secure PKE scheme by building one from any...

2020/603 (PDF) Last updated: 2021-09-07
Masking in Fine-Grained Leakage Models: Construction, Implementation and Verification
Gilles Barthe, Marc Gourjon, Benjamin Gregoire, Maximilian Orlt, Clara Paglialonga, Lars Porth

We propose a new approach for building efficient, provably secure, and practically hardened implementations of masked algorithms. Our approach is based on a Domain Specific Language in which users can write efficient assembly implementations and fine-grained leakage models. The latter are then used as a basis for formal verification, allowing for the first time formal guarantees for a broad range of device-specific leakage effects not addressed by prior work. The practical benefits of our...

2020/473 (PDF) Last updated: 2020-04-28
Bounded Collusion Protocols, Cylinder-Intersection Extractors and Leakage-Resilient Secret Sharing
Ashutosh Kumar, Raghu Meka, David Zuckerman
Foundations

In this work we study bounded collusion protocols (BCPs) recently introduced in the context of secret sharing by Kumar, Meka, and Sahai (FOCS 2019). These are multi-party communication protocols on $n$ parties where in each round a subset of $p$-parties (the collusion bound) collude together and write a function of their inputs on a public blackboard. BCPs interpolate elegantly between the well-studied number-in-hand (NIH) model ($p=1$) and the number-on-forehead (NOF) model ($p=n-1$)....

2020/280 (PDF) Last updated: 2020-07-17
Leakage-Resilient Authenticated Encryption from Leakage-Resilient Pseudorandom Functions
Juliane Krämer, Patrick Struck
Secret-key cryptography

In this work we study the leakage resilience of authenticated encryption schemes. We show that, if one settles for non-adaptive leakage, leakage-resilient authenticated encryption schemes can be built solely from leakage-resilient pseudorandom functions. Degabriele et al. (ASIACRYPT 2019) introduce the FGHF' construction which allows to build leakage-resilient authenticated encryption schemes from functions which, under leakage, retain both pseudorandomness and unpredictability. We revisit...

2020/200 (PDF) Last updated: 2022-10-03
Leakage and Tamper Resilient Permutation-Based Cryptography
Christoph Dobraunig, Bart Mennink, Robert Primas
Secret-key cryptography

Implementation attacks such as power analysis and fault attacks have shown that, if potential attackers have physical access to a cryptographic device, achieving practical security requires more considerations apart from just cryptanalytic security. In recent years, and with the advent of micro-architectural or hardware-oriented attacks, it became more and more clear that similar attack vectors can also be exploited on larger computing platforms and without the requirement of physical...

2019/1424 (PDF) Last updated: 2019-12-10
Efficient Side-Channel Secure Message Authentication with Better Bounds
Chun Guo, François-Xavier Standaert, Weijia Wang, Yu Yu
Secret-key cryptography

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm $T=MAC_K(H(M))$. When the domain of the MAC function $MAC_K$ is $\{0,1\}^{128}$, e.g., when instantiated with the AES, forgery is possible within time $2^{64}$...

2019/1034 (PDF) Last updated: 2020-03-11
Sponges Resist Leakage: The Case of Authenticated Encryption
Jean Paul Degabriele, Christian Janson, Patrick Struck
Secret-key cryptography

In this work we advance the study of leakage-resilient Authenticated Encryption with Associated Data (AEAD) and lay the theoretical groundwork for building such schemes from sponges. Building on the work of Barwell et al. (ASIACRYPT 2017), we reduce the problem of constructing leakage-resilient AEAD schemes to that of building fixed-input-length function families that retain pseudorandomness and unpredictability in the presence of leakage. Notably, neither property is implied by the other in...

2019/653 (PDF) Last updated: 2023-04-18
On the Local Leakage Resilience of Linear Secret Sharing Schemes
Fabrice Benhamouda, Akshay Degwekar, Yuval Ishai, Tal Rabin
Foundations

We consider the following basic question: to what extent are standard secret sharing schemes and protocols for secure multiparty computation that build on them resilient to leakage? We focus on a simple local leakage model, where the adversary can apply an arbitrary function of a bounded output length to the secret state of each party, but cannot otherwise learn joint information about the states. We show that additive secret sharing schemes and high-threshold instances of Shamir’s secret...

2019/602 (PDF) Last updated: 2019-09-24
Continuously Non-Malleable Secret Sharing for General Access Structures
Gianluca Brian, Antonio Faonio, Daniele Venturi
Foundations

We study leakage-resilient continuously non-malleable secret sharing, as recently introduced by Faonio and Venturi (CRYPTO 2019). In this setting, an attacker can continuously tamper and leak from a target secret sharing of some message, with the goal of producing a modified set of shares that reconstructs to a message related to the originally shared value. Our contributions are two fold. -- In the plain model, assuming one-to-one one-way functions, we show how to obtain...

2019/573 (PDF) Last updated: 2019-11-21
Security of the Suffix Keyed Sponge
Christoph Dobraunig, Bart Mennink
Secret-key cryptography

We formalize and analyze the general suffix keyed sponge construction, a pseudorandom function built on top of a cryptographic permutation. The construction hashes its data using the (keyless) sponge construction, transforms part of the state using the secret key, and generates the tag from the output of a final permutation call. In its simplest form, if the key and tag size are at most the rate of the sponge, one can see the suffix keyed sponge as a simple sponge function evaluation whose...

2019/512 (PDF) Last updated: 2019-05-23
Tight Leakage-Resilient CCA-Security from Quasi-Adaptive Hash Proof System
Shuai Han, Shengli Liu, Lin Lyu, Dawu Gu
Public-key cryptography

We propose the concept of quasi-adaptive hash proof system (QAHPS), where the projection key is allowed to depend on the specific language for which hash values are computed. We formalize leakage-resilient(LR)-ardency for QAHPS by defining two statistical properties, including LR-<L_0,L_1>-universal and LR-<L_0,L_1>-key-switching. We provide a generic approach to tightly leakage-resilient CCA (LR-CCA) secure public-key encryption (PKE) from LR-ardent QAHPS. Our approach is reminiscent of...

2019/451 (PDF) Last updated: 2019-05-08
Reducing the Cost of Authenticity with Leakages: a CIML2-Secure AE Scheme with One Call to a Strongly Protected Tweakable Block Cipher
Francesco Berti, Olivier Pereira, François-Xavier Standaert
Secret-key cryptography

This paper presents CONCRETE (Commit-Encrypt-Send-the-Key) a new Authenticated Encryption mode that offers CIML2 security, that is, ciphertext integrity in the presence of nonce misuse and side-channel leakages in both encryption and decryption. CONCRETE improves on a recent line of works aiming at leveled implementations, which mix a strongly protected and energy demanding implementation of a single component, and other weakly protected and much cheaper components. Here, these components...

2019/450 (PDF) Last updated: 2019-05-08
HMAKE: Legacy-Compliant Multi-factor Authenticated Key Exchange from Historical Data
Chenglu Jin, Zheng Yang, Sridhar Adepu, Jianying Zhou
Cryptographic protocols

In this paper, we introduce two lightweight historical data based multi-factor authenticated key exchange (HMAKE) protocols in the random oracle model. Our HMAKE protocols use a symmetric secret key, as their first authentication factor, together with their second authentication factor, historical data exchanged between the two parties in the past, and the third authentication factor, a set of secret tags associated with the historical data, to establish a secure communication channel...

2019/379 (PDF) Last updated: 2019-04-16
Non-Malleable Codes for Decision Trees
Marshall Ball, Siyao Guo, Daniel Wichs
Foundations

We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by decision trees of depth $d = n^{1/4-o(1)}$. In particular, each bit of the tampered codeword is set arbitrarily after adaptively reading up to $d$ arbitrary locations within the original codeword. Prior to this work, no efficient unconditional non-malleable codes were known for decision trees beyond depth $O(\log^2 n)$. Our result also yields efficient, unconditional...

2019/302 (PDF) Last updated: 2019-03-20
A Survey of Leakage-Resilient Cryptography
Yael Tauman Kalai, Leonid Reyzin
Foundations

In the past 15 years, cryptography has made considerable progress in expanding the adversarial attack model to cover side-channel attacks, and has built schemes to provably defend against some of them. This survey covers the main models and results in this so-called "leakage-resilient" cryptography.

2019/291 (PDF) Last updated: 2021-06-04
CCA Security and Trapdoor Functions via Key-Dependent-Message Security
Fuyuki Kitagawa, Takahiro Matsuda, Keisuke Tanaka
Public-key cryptography

We study the relationship among public-key encryption (PKE) satisfying indistinguishability against chosen plaintext attacks (IND-CPA security), that against chosen ciphertext attacks (IND-CCA security), and trapdoor functions (TDF). Specifically, we aim at finding a unified approach and some additional requirement to realize IND-CCA secure PKE and TDF based on IND-CPA secure PKE, and show the following two main results. As the first main result, we show how to achieve IND-CCA security via...

2019/225 (PDF) Last updated: 2019-08-28
Leakage Resilience of the Duplex Construction
Christoph Dobraunig, Bart Mennink
Secret-key cryptography

Side-channel attacks, especially differential power analysis (DPA), pose a serious threat to cryptographic implementations deployed in a malicious environment. One way to counter side-channel attacks is to design cryptographic schemes to withstand them, an area that is covered amongst others by leakage resilient cryptography. So far, however, leakage resilient cryptography has predominantly focused on block cipher based designs, and insights in permutation based leakage resilient...

2019/193 (PDF) Last updated: 2019-08-14
Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction
Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
Secret-key cryptography

The ongoing NIST lightweight standardization process explicitly puts forward a requirement of side-channel security, which has renewed the interest for Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, we investigate the leakage-resilience of a generic duplex-based stream cipher, and prove the classical bound, i.e., $\approx2^{c/2}$, under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass...

2019/181 (PDF) Last updated: 2019-12-13
Lower Bounds for Leakage-Resilient Secret Sharing
Jesper Buus Nielsen, Mark Simkin
Foundations

Threshold secret sharing allows a dealer to split a secret into $n$ shares such that any authorized subset of cardinality at least $t$ of those shares efficiently reveals the secret, while at the same time any unauthorized subset of cardinality less than $t$ contains no information about the secret. Leakage-resilience additionally requires that the secret remains hidden even if one is given a bounded amount of additional leakage from every share. In this work, we study leakage-resilient...

2019/137 (PDF) Last updated: 2019-02-13
TEDT, a Leakage-Resilient AEAD mode for High (Physical) Security Applications
Francesco Berti, Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
Secret-key cryptography

We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers asymptotically optimal security in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It offers KDM security in the multi-user setting, that is, its security is maintained even if key-dependent...

2019/105 (PDF) Last updated: 2019-02-13
Non-Malleable Secret Sharing in the Computational Setting: Adaptive Tampering, Noisy-Leakage Resilience, and Improved Rate
Antonio Faonio, Daniele Venturi
Foundations

We revisit the concept of *non-malleable* secret sharing (Goyal and Kumar, STOC 2018) in the computational setting. In particular, under the assumption of one-to-one one-way functions, we exhibit a *computationally* private, *threshold* secret sharing scheme satisfying all of the following properties. -) Continuous non-malleability: No computationally-bounded adversary tampering independently with all the shares can produce mauled shares that reconstruct to a value related to the original...

2019/045 (PDF) Last updated: 2019-01-31
Leakage-resilient Identity-based Encryption in Bounded Retrieval Model with Nearly Optimal Leakage-Ratio
Ryo Nishimaki, Takashi Yamakawa

We propose new constructions of leakage-resilient public-key encryption (PKE) and identity-based encryption (IBE) schemes in the bounded retrieval model (BRM). In the BRM, adversaries are allowed to obtain at most $\ell$-bit leakage from a secret key and we can increase $\ell$ only by increasing the size of secret keys without losing efficiency in any other performance measure. We call $\ell/|\textsf{sk}|$ leakage-ratio where $|\textsf{sk}|$ denotes a bit-length of a secret key. Several...

2019/002 (PDF) Last updated: 2019-01-09
Leakage-Resilient Group Signature: Definitions and Constructions
Jianye Huang, Qiong Huang
Public-key cryptography

A group signature scheme provides group members a way to sign messages without revealing their identities. Anonymity and traceability are two essential properties in a group signature system. However, these two security properties hold based on the assumption that all the signing keys are perfectly secret and leakage-free. On the other hand, on account of the physical imperfection of cryptosystems in practice, malicious attackers can learn a fraction of secret state (including secret keys and...

2018/1154 (PDF) Last updated: 2019-08-19
Leakage Resilient Secret Sharing and Applications
Akshayaram Srinivasan, Prashant Nalini Vasudevan
Foundations

A secret sharing scheme allows a dealer to share a secret among a set of $n$ parties such that any authorized subset of the parties can recover the secret, while any unauthorized subset of the parties learns no information about the secret. A local leakage-resilient secret sharing scheme (introduced in independent works by (Goyal and Kumar, STOC 18) and (Benhamouda, Degwekar, Ishai and Rabin, Crypto 18)) additionally requires the secrecy to hold against every unauthorized set of parties even...

2018/1138 (PDF) Last updated: 2018-12-14
Leakage-Resilient Secret Sharing
Ashutosh Kumar, Raghu Meka, Amit Sahai
Foundations

In this work, we consider the natural goal of designing secret sharing schemes that ensure security against a powerful adaptive adversary who may learn some "leaked" information about all the shares. We say that a secret sharing scheme is $p$-party leakage-resilient, if the secret remains statistically hidden even after an adversary learns a bounded amount of leakage, where each bit of leakage can depend jointly on the shares of an adaptively chosen subset of $p$ parties. A lot of works...

2018/1068 (PDF) Last updated: 2018-11-09
Partial Key Exposure in Ring-LWE-Based Cryptosystems: Attacks and Resilience
Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, Aria Shahverdi
Public-key cryptography

We initiate the study of partial key exposure in ring-LWE-based cryptosystems. Specifically, we - Introduce the search and decision Leaky-RLWE assumptions (Leaky-SRLWE, Leaky-DRLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of coordinates of the NTT transform of the RLWE secret and/or error. - Present and implement an efficient key exposure attack that, given certain $1/4$-fraction of the coordinates of the NTT transform of the RLWE secret, along...

2018/1044 (PDF) Last updated: 2018-11-02
Strongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions
Masahito Ishizaka, Kanta Matsuura
Public-key cryptography

A signature scheme is said to be weakly unforgeable, if it is hard to forge a signature on a message not signed before. A signature scheme is said to be strongly unforgeable, if it is hard to forge a signature on any message. In some applications, the weak unforgeability is not enough and the strong unforgeability is required, e.g., the Canetti, Halevi and Katz transformation. Leakage-resilience is a property which guarantees that even if secret information such as the secret-key is...

2018/781 (PDF) Last updated: 2018-09-03
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation
Yu Chen, Yuyu Wang, Hong-sheng Zhou
Public-key cryptography

In this work, we develop a framework for building leakage-resilient cryptosystems in the bounded leakage model from puncturable primitives and indistinguishability obfuscation ($i\mathcal{O}$). The major insight of our work is that various types of puncturable pseudorandom functions (PRFs) can achieve leakage resilience on an obfuscated street. First, we build leakage-resilient weak PRFs from weak puncturable PRFs and $i\mathcal{O}$, which readily imply leakage-resilient secret-key...

2018/672 (PDF) Last updated: 2018-07-13
Cold Boot Attacks on Ring and Module LWE Keys Under the NTT
Martin R. Albrecht, Amit Deo, Kenneth G. Paterson
Public-key cryptography

In this work, we consider the ring- and module- variants of the LWE problem and investigate cold boot attacks on cryptographic schemes based on these problems, wherein an attacker is faced with the problem of recovering a scheme's secret key from a noisy version of that key. The leakage resilience of cryptography based on the learning with errors (LWE) problem has been studied before, but there are only limited results considering the parameters observed in cold boot attack scenarios. There...

2018/542 (PDF) Last updated: 2018-06-04
Continuously Non-Malleable Codes in the Split-State Model from Minimal Assumptions
Rafail Ostrovsky, Giuseppe Persiano, Daniele Venturi, Ivan Visconti

At ICS 2010, Dziembowski, Pietrzak and Wichs introduced the notion of *non-malleable codes*, a weaker form of error-correcting codes guaranteeing that the decoding of a tampered codeword either corresponds to the original message or to an unrelated value. The last few years established non-malleable codes as one of the recently invented cryptographic primitives with the highest impact and potential, with very challenging open problems and applications. In this work, we focus on so-called...

2018/484 (PDF) Last updated: 2019-07-11
Authenticated Encryption with Nonce Misuse and Physical Leakages: Definitions, Separation Results, and Leveled Constructions
Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
Secret-key cryptography

We propose definitions and constructions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel leakages. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakages of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of...

2018/055 (PDF) Last updated: 2018-01-16
High-Resolution EM Attacks Against Leakage-Resilient PRFs Explained - And An Improved Construction
Florian Unterstein, Johann Heyszl, Fabrizio De Santis, Robert Specht, Georg Sigl

Achieving side-channel resistance through Leakage Resilience (LR) is highly relevant for embedded devices where requirements of other countermeasures such as high quality random numbers are hard to guarantee. The main challenge of LR lies in the initialization of a secret pseudorandom state from a long-term key and public input. Leakage-Resilient Pseudo-Random Functions (LR-PRFs) aim at solving this by bounding side-channel leakage to non-exploitable levels through frequent re-keying....

2017/1127 (PDF) Last updated: 2018-11-02
On the Leakage Resilience of Ring-LWE Based Public Key Encryption
Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, Aria Shahverdi
Public-key cryptography

We consider the leakage resilience of the Ring-LWE analogue of the Dual-Regev encryption scheme (R-Dual-Regev for short), originally presented by Lyubashevsky et al. (Eurocrypt '13). Specifically, we would like to determine whether the R-Dual-Regev encryption scheme remains IND-CPA secure, even in the case where an attacker leaks information about the secret key. We consider the setting where $R$ is the ring of integers of the $m$-th cyclotomic number field, for $m$ which is a power-of-two,...

2017/1047 (PDF) Last updated: 2017-10-31
Consolidating Inner Product Masking
Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, François-Xavier Standaert

Masking schemes are a prominent countermeasure to defeat power analysis attacks. One of their core ingredients is the encoding function. Due to its simplicity and comparably low complexity overheads, many masking schemes are based on a Boolean encoding. Yet, several recent works have proposed masking schemes that are based on alternative encoding functions. One such example is the inner product masking scheme that has been brought towards practice by recent research. In this work, we improve...

2017/967 (PDF) Last updated: 2017-10-03
Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions
Zvika Brakerski, Alex Lombardi, Gil Segev, Vinod Vaikuntanathan
Public-key cryptography

In anonymous identity-based encryption (IBE), ciphertexts not only hide their corresponding messages, but also their target identity. We construct an anonymous IBE scheme based on the Computational Diffie-Hellman (CDH) assumption in general groups (and thus, as a special case, based on the hardness of factoring Blum integers). Our approach extends and refines the recent tree-based approach of Cho et al. (CRYPTO '17) and Döttling and Garg (CRYPTO '17). Whereas the tools underlying their...

2017/926 (PDF) Last updated: 2017-12-04
How to Construct a Leakage-Resilient (Stateless) Trusted Party
Daniel Genkin, Yuval Ishai, Mor Weiss

Trusted parties and devices are commonly used in the real world to securely perform computations on secret inputs. However, their security can often be compromised by side-channel attacks in which the adversary obtains partial leakage on intermediate computation values. This gives rise to the following natural question: To what extent can one protect the trusted party against leakage? Our goal is to design a hardware device $T$ that allows $m\ge 1$ parties to securely evaluate a function...

2017/441 (PDF) Last updated: 2017-10-10
New Approach to Practical Leakage-Resilient Public-Key Cryptography
Suvradip Chakraborty, Janaka Alawatugoda, C. Pandu Rangan

We present a new approach to construct several leakage-resilient cryptographic primitives, including leakage-resilient public-key encryption (PKE) schemes, authenticated key exchange (AKE) protocols and low-latency key exchange (LLKE) protocols. To this end, we introduce a new primitive called leakage-resilient non-interactive key exchange (LR-NIKE) protocol. We introduce a generic security model for LR-NIKE protocols, which can be instantiated in both the bounded and continuous-memory...

2017/418 (PDF) Last updated: 2017-06-26
Strong Authenticated Key Exchange with Auxiliary Inputs
Rongmao Chen, Yi Mu, Guomin Yang, Willy Susilo, Fuchun Guo

Leakage attacks, including various kinds of side-channel attacks, allow an attacker to learn partial information about the internal secrets such as the secret key and the randomness of a cryptographic system. Designing a strong, meaningful, yet achievable security notion to capture practical leakage attacks is one of the primary goals of leakage-resilient cryptography. In this work, we revisit the modelling and design of authenticated key exchange (AKE) protocols with leakage resilience. We...

2017/303 (PDF) Last updated: 2017-05-18
Locally Decodable and Updatable Non-Malleable Codes in the Bounded Retrieval Model
Dana Dachman-Soled, Mukul Kulkarni, Aria Shahverdi

In a recent result, Dachman-Soled et al. (TCC '15) proposed a new notion called locally decodable and updatable non-malleable codes, which, informally, provides the security guarantees of a non-malleable code while also allowing for efficient random access. They also considered locally decodable and updatable non-malleable codes that are leakage-resilient, allowing for adversaries who continually leak information in addition to tampering. The bounded retrieval model (BRM) (cf. [Alwen et al.,...

2017/272 (PDF) Last updated: 2017-12-12
Dissecting Leakage Resilient PRFs with Multivariate Localized EM Attacks - A Practical Security Evaluation on FPGA
Florian Unterstein, Johann Heyszl, Fabrizio De Santis, Robert Specht

In leakage-resilient symmetric cryptography, two important concepts have been proposed in order to decrease the success rate of differential side-channel attacks. The first one is to limit the attacker’s data complexity by restricting the number of observable inputs; the second one is to create correlated algorithmic noise by using parallel S-boxes with equal inputs. The latter hinders the typical divide and conquer approach of differential side-channel attacks and makes key recovery much...

2017/068 (PDF) Last updated: 2017-09-13
Authenticated Encryption in the Face of Protocol and Side Channel Leakage
Guy Barwell, Daniel P. Martin, Elisabeth Oswald, Martijn Stam
Secret-key cryptography

Authenticated encryption schemes in practice have to be robust against adversaries that have access to various types of leakage, for instance decryption leakage on invalid ciphertexts (protocol leakage), or leakage on the underlying primitives (side channel leakage). This work includes several novel contributions: we augment the notion of nonce-based authenticated encryption with the notion of continuous leakage and we prove composition results in the face of protocol and side channel...

2016/1192 (PDF) Last updated: 2017-01-01
Non-Malleable Codes with Split-State Refresh
Antonio Faonio, Jesper Buus Nielsen
Foundations

Non-Malleable Codes for the split state model allow to encode a message into two parts such that arbitrary independent tampering on the parts either destroys completely the content or maintains the message untouched. If the code is also leakage resilient it allows limited independent leakage from the two parts. We propose a model where the two parts can be refreshed independently. We give an abstract framework for building codes for this model, instantiate the construction under the...

2016/1121 (PDF) Last updated: 2016-12-01
Insecurity of RCB: Leakage-Resilient Authenticated Encryption
Farzaneh Abed, Francesco Berti, Stefan Lucks

Leakage-resilient cryptography is about security in the presence of leakage from side-channels. In this paper, we present several issues of the RCB block cipher mode. Agrawal et al. [2] recently proposed RCB as a leakage-resilient authenticated encryption (AE) scheme. Our main result is that RCB fails to provide authenticity, even in the absence of leakage.
