Joël Alwen scite author profile

We study the design of cryptographic primitives resilient to key-leakage attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter . We construct a variety of leakage-resilient public-key systems including the first known identification schemes (ID), signature schemes and authenticated key agreement protocols (AKA). Our main result is an efficient three-round leakage-resilient AKA in the Random-Oracle model. This protocol ensures that session keys are private and authentic even if (1) the adversary leaks a large fraction of the long-term secret keys of both users prior to the protocol execution and (2) the adversary completely learns the long-term secret keys after the protocol execution. In particular, our AKA protocol provides qualitatively stronger privacy guarantees than leakage-resilient public-encryption schemes (constructed in prior and concurrent works), since such schemes necessarily become insecure if the adversary can perform leakage attacks after seing a ciphertext.Moreover, our schemes can be flexibly extended to the Bounded-Retrieval Model, allowing us to tolerate very large absolute amount of adversarial leakage (potentially many gigabytes of information), only by increasing the size of the secret key and without any other loss of efficiency in communication or computation. Concretely, given any leakage parameter , security parameter λ, and any desired fraction 0 < δ ≤ 1, our schemes have the following properties:Secret key size is (1 + δ) + O(λ). In particular, the attacker can learn an approximately (1 − δ) fraction of the secret key.Public key size is O(λ), and independent of . Communication complexity is O(λ/δ), and independent of . All computation reads at most O(λ/δ2 ) locations of the secret key, independently of .Lastly, we show that our schemes allow for repeated "invisible updates" of the secret key, allowing us to tolerate up to bits of leakage in between any two updates, and an unlimited amount of leakage overall. These updates require that the parties can securely store a short "master update key" (e.g. on a separate secure device protected against leakage), which is only used for updates and not during protocol execution. The updates are invisible in the sense that a party can update its secret key at any point in time, without modifying the public key or notifying the other users.

show abstract

Generating Shorter Bases for Hard Random Lattices

Alwen

2010

View full text Add to dashboard Cite

Abstract. We revisit the problem of generating a "hard" random lattice together with a basis of relatively short vectors. This problem has gained in importance lately due to new cryptographic schemes that use such a procedure for generating public/secret key pairs. In these applications, a shorter basis directly corresponds to milder underlying complexity assumptions and smaller key sizes.The contributions of this work are twofold. First, using the Hermite normal form as an organizing principle, we simplify and generalize an approach due to Ajtai (ICALP 1999). Second, we improve the construction and its analysis in several ways, most notably by tightening the length of the output basis essentially to the optimum value.

show abstract

Public-Key Encryption in the Bounded-Retrieval Model

et al. 2010

View full text Add to dashboard Cite

Abstract.We construct the first public-key encryption scheme in the Bounded-Retrieval Model (BRM), providing security against various forms of adversarial "key leakage" attacks. In this model, the adversary is allowed to learn arbitrary information about the decryption key, subject only to the constraint that the overall amount of "leakage" is bounded by at most bits. The goal of the BRM is to design cryptographic schemes that can flexibly tolerate arbitrarily leakage bounds (few bits or many Gigabytes), by only increasing the size of secret key proportionally, but keeping all the other parameters -including the size of the public key, ciphertext, encryption/decryption time, and the number of secret-key bits accessed during decryption -small and independent of . As our main technical tool, we introduce the concept of an IdentityBased Hash Proof System (IB-HPS), which generalizes the notion of hash proof systems of Cramer and Shoup [CS02] to the identity-based setting. We give three different constructions of this primitive based on: (1) bilinear groups, (2) lattices, and (3) quadratic residuosity. As a result of independent interest, we show that an IB-HPS almost immediately yields an Identity-Based Encryption (IBE) scheme which is secure against (small) partial leakage of the target identity's decryption key. As our main result, we use IB-HPS to construct public-key encryption (and IBE) schemes in the Bounded-Retrieval Model.

show abstract

SpaceMint: A Cryptocurrency Based on Proofs of Space

et al. 2018

View full text Add to dashboard Cite

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

Alwen¹,

Coretti

Dodis

2019

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Joël Alwen

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model

Generating Shorter Bases for Hard Random Lattices

Public-Key Encryption in the Bounded-Retrieval Model

SpaceMint: A Cryptocurrency Based on Proofs of Space

The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol

Contact Info

Product

Resources

About