Continuous Non-malleable Codes
TCC 2014
Cited by 16 (7 self)
Non-malleable codes are a natural relaxation of error correcting/detecting codes that have useful applications in the context of tamper resilient cryptography. Informally, a code is non-malleable if an adversary trying to tamper with an encoding of a given message can only leave it unchanged or modify it to the encoding of a completely unrelated value. This paper introduces an extension of the standard non-malleability security notion – so-called continuous non-malleability – where we allow the adversary to tamper continuously with an encoding. This is in contrast to the standard notion of non-malleable codes where the adversary is only allowed to tamper a single time with an encoding. We show how to construct continuous non-malleable codes in the common split-state model where an encoding consists of two parts and the tampering can be arbitrary but has to be independent with both parts. Our main contributions are outlined below: 1. We propose a new uniqueness requirement of split-state codes which states that it is computationally hard to find two codewords C = (X0, X1) and C' = (X0, X1') such that both codewords are valid, but X0 is the same in both C and C'. A simple attack shows that uniqueness is necessary to achieve continuous non-malleability in the split-state model. Moreover,
On the Connection between Leakage Tolerance and Adaptive Security
Cited by 4 (3 self)
We revisit the context of leakage-tolerant interactive protocols as defined by Bitansky, Canetti and Halevi (TCC 2012). Our contributions can be summarized as follows: 1. For the purpose of secure message transmission, any encryption protocol with message space M and secret key space SK tolerating poly-logarithmic leakage on the secret state of the receiver must satisfy |SK| ≥ (1 − ε)|M|, for every 0 < ε ≤ 1, and if |SK| = |M|, then the scheme must use a fresh key pair to encrypt each message. 2. More generally, we show that any n-party protocol tolerates leakage of ≈ poly(log κ) bits from one party at the end of the protocol execution, if and only if the protocol has passive adaptive security against an adaptive corruption of one party at the end of the protocol execution. This shows that as soon as a little leakage is tolerated, one needs full adaptive security. 3. In case more than one party can be corrupted, we get that leakage tolerance is equivalent to a weaker form of adaptivity, which we call semi-adaptivity. Roughly, a protocol has semi-adaptive security if there exists a simulator which can simulate the internal state of corrupted parties; however, such a state is not required to be indistinguishable from a real state, only that it would have led to the simulated communication. All our results can be based on the sole assumption that collision-resistant function ensembles exist.
Obfuscation for Evasive Functions
2013
Cited by 3 (2 self)
An evasive circuit family is a collection of circuits C such that for every input x, a random circuit from C outputs 0 on x with overwhelming probability. We provide a combination of definitional, constructive, and impossibility results regarding obfuscation for evasive functions: 1. The (average-case variants of the) notions of virtual black box obfuscation (Barak et al., CRYPTO '01) and virtual gray box obfuscation (Bitansky and Canetti, CRYPTO '10) coincide for evasive function families. We also define the notion of input-hiding obfuscation for evasive function families, stipulating that for a random C ∈ C it is hard to find, given O(C), a value outside the preimage of 0. Interestingly, this natural definition, also motivated by applications, is likely not implied by the seemingly stronger notion of average-case virtual black-box obfuscation. 2. If there exist average-case virtual gray box obfuscators for all evasive function families, then there exist (quantitatively weaker) average-case virtual gray box obfuscators for all function families. 3. There does not exist a worst-case virtual black box obfuscator even for evasive circuits, nor is there an average-case virtual gray box obfuscator for evasive Turing machine families.
On Continuous After-the-Fact Leakage-Resilient Key Exchange
Cited by 3 (3 self)
Side-channel attacks are a severe type of attack against implementations of cryptographic primitives. Leakage-resilient cryptography is a new theoretical approach to formally address the problem of side-channel attacks. Recently, the Continuous After-the-Fact Leakage (CAFL) security model has been introduced for two-party authenticated key exchange (AKE) protocols. In the CAFL model, an adversary can adaptively request arbitrary leakage of long-term secrets even after the test session is activated. It supports continuous leakage even when the adversary learns certain ephemeral secrets or session keys. The amount of leakage is limited per query, but there is no bound on the total leakage. A generic leakage-resilient key exchange protocol π has also been introduced that is formally proved to be secure in the CAFL model. In this paper, we comment on the CAFL model, and show that it does not capture its claimed security. Furthermore, we present an attack and counterproofs for the security of protocol π which invalidate the formal security proofs of protocol π in the CAFL model.
Locally Decodable and Updatable Non-Malleable Codes and Their Applications
2014
Cited by 3 (0 self)
Non-malleable codes, introduced as a relaxation of error-correcting codes by Dziembowski, Pietrzak and Wichs (ICS '10), provide the security guarantee that the message contained in a tampered codeword is either the same as the original message or is set to an unrelated value. Various applications of non-malleable codes have been discovered, and one of the most significant applications among these is the connection with tamper-resilient cryptography. There is a large body of work considering security against various classes of tampering functions, as well as non-malleable codes with enhanced features such as leakage resilience. In this work, we propose combining the concepts of non-malleability, leakage resilience, and locality in a coding scheme. The contribution of this work is threefold: 1. As a conceptual contribution, we define a new notion of locally decodable and updatable non-malleable code that combines the above properties. 2. We present two simple and efficient constructions achieving our new notion with different levels of security.
Modelling after-the-fact leakage for key exchange
In ASIACCS, 2014
Cited by 2 (1 self)
Security models for two-party authenticated key exchange (AKE) protocols have developed over time to prove the security of AKE protocols even when the adversary learns certain secret values. In this work, we address more granular leakage: partial leakage of long-term secrets of protocol principals, even after the session key is established. We introduce a generic key exchange security model, which can be instantiated allowing bounded or continuous leakage, even when the adversary learns certain ephemeral secrets or session keys. Our model is the strongest known partial-leakage-based security model for key exchange protocols. We propose a generic construction of a two-pass leakage-resilient key exchange protocol that is secure in the proposed model, by introducing a new concept: the leakage-resilient NAXOS trick. We identify a special property for public-key cryptosystems: pair generation indistinguishability, and show how to obtain the leakage-resilient NAXOS trick from a pair generation indistinguishable leakage-resilient
A leakage-resilient pairing-based variant of the Schnorr signature scheme
IMA Int. Conf., volume 8308 of LNCS, 2013
Cited by 1 (1 self)
Leakage-resilient cryptography aims at capturing side-channel attacks within the provable security framework. Currently there exists a plethora of schemes with provably secure guarantees against a variety of side-channel attacks. However, meeting the strongest security levels (resilience against continual leakage attacks) under the weakest assumptions currently leads to costly schemes. Additionally, recent results show the impossibility of achieving the strongest leakage-resilient security levels for cryptosystems whose secret key is uniquely determined by its public key. The above justifies the use of stronger assumptions to achieve simpler, more efficient schemes, since most deployed and practical cryptosystems satisfy the above-mentioned uniqueness of the secret key property. In particular, the Schnorr-based leakage-resilient digital signature schemes proposed up to now are built by gluing together ℓ copies of the basic signature scheme, resulting in a public key that admits exponentially many secret keys. Furthermore, the space needed to store the secret key material is proportional to the leakage tolerated by these schemes. We aim at designing a leakage-resilient variant of the Schnorr signature scheme whose secret key's storage space is constant, independently of the amount of leakage that it can tolerate. We assume that at any given time only the parts of the memory in use leak (split-state/only computation leaks information model); we ease the problem of exhibiting a security reduction by relying on generic groups (generic bilinear group model). We proceed by first proposing a pairing analogue of the Schnorr signature scheme, that we next transform to include split signing key updates. We give a leakage-resilience lower bound in generic bilinear groups against continual leakage attacks for the new scheme.
Leakage-resilient cryptography over large finite fields: Theory and practice
In ACNS, 2015
Cited by 1 (0 self)
Information leakage is a major concern in modern-day IT security. In fact, a malicious user is often able to extract information about private values from the computation performed on the devices. In specific settings, such as RFID, where a low computational complexity is required, it is hard to apply standard techniques to achieve resilience against this kind of attack. In this paper, we present a framework to make cryptographic primitives based on large finite fields robust against information leakage with a bounded computational cost. The approach makes use of the inner product extractor and guarantees security in the presence of leakage in a widely accepted model. Furthermore, we show how to apply the proposed techniques to the authentication protocol Lapin, and we compare it to existing solutions.
Efficient refreshing protocol for leakage-resilient storage based on the inner-product extractor
CoRR
Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China
K. Yoneyama et al. introduced the Leaky Random Oracle Model at ProvSec 2008, which only considers the leakage of the hash list of a hash function used by a cryptosystem due to various attacks caused by implementation or sloppy usage. However, an important fact is that such attacks not only leak the hash list of a hash function, but also leak other secret states of a cryptosystem outside the hash list (e.g. the secret key). In most cases, an adversary may be more interested in revealing these secret states. Therefore, the Leaky Random Oracle Model is very limited because it only considers the leakage of the hash list and does not consider the leakage of other secret states. In this paper, we present a new leakage model based on the Leaky Random Oracle Model. In our new model, both the secret states (secret key) and the hash list can be leaked. Furthermore, the secret key can be leaked continually. Hence, our new model is more universal and stronger than the Leaky Random Oracle Model and some other leakage models. Furthermore, we give a provably secure public key encryption scheme which is IND-CCA secure in our new model.