Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model

Alwen, Joël; Dodis, Yevgeniy; Wichs, Daniel

doi:10.1007/978-3-642-03356-8_3

Cited by 218 publications

(271 citation statements)

References 36 publications

Supporting

Mentioning

268

Contrasting

Order By: Relevance

“…The name serves as an analogy to the Bounded Storage Model (BSM) of [Mau92], which restricts the amount of data that an adversary can store after observing a huge public random string, rather than the amount of data an adversary can retrieve from a huge secret key. With the exception of [ADW09], all of the work on the BRM is in the symmetric-key setting, where two parties share a huge secret key. The recent work of Alwen et al [ADW09] gave the first public-key results in the BRM, by constructing identification schemes, (variants of) signatures, and authenticated-key-agreement protocols.…”

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

“…With the exception of [ADW09], all of the work on the BRM is in the symmetric-key setting, where two parties share a huge secret key. The recent work of Alwen et al [ADW09] gave the first public-key results in the BRM, by constructing identification schemes, (variants of) signatures, and authenticated-key-agreement protocols. However, these primitives cannot be used to encrypt a message non-interactively, as is done in the current work.…”

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

“…However, these primitives cannot be used to encrypt a message non-interactively, as is done in the current work. Moreover, the authenticated-key agreement protocols of [ADW09] required the use of Random Oracles, while we offer (some) constructions in the standard model. We note that many of the prior schemes in the BRM and BSM employ ideas similar to the "parallel repetition" and "random-subset selection" that we described in the introduction.…”

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

“…This assumption is very reasonable for some attacks, such as the cold-boot attack, where all memory contents decay uniformly over time. [Dzi06,CLW06,ADW09] is a generalization of the relative-leakage model. In this model, the leakage-parameter is an arbitrary and independent parameter of the system, which is based on practical considerations about how much leakage the system needs to tolerate on an absolute scale.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Public-Key Encryption in the Bounded-Retrieval Model

Alwen

Dodis

Naor

et al. 2010

Advances in Cryptology – EUROCRYPT 2010

Self Cite

157

202

View full text Add to dashboard Cite

Abstract.We construct the first public-key encryption scheme in the Bounded-Retrieval Model (BRM), providing security against various forms of adversarial "key leakage" attacks. In this model, the adversary is allowed to learn arbitrary information about the decryption key, subject only to the constraint that the overall amount of "leakage" is bounded by at most bits. The goal of the BRM is to design cryptographic schemes that can flexibly tolerate arbitrarily leakage bounds (few bits or many Gigabytes), by only increasing the size of secret key proportionally, but keeping all the other parameters -including the size of the public key, ciphertext, encryption/decryption time, and the number of secret-key bits accessed during decryption -small and independent of . As our main technical tool, we introduce the concept of an IdentityBased Hash Proof System (IB-HPS), which generalizes the notion of hash proof systems of Cramer and Shoup [CS02] to the identity-based setting. We give three different constructions of this primitive based on: (1) bilinear groups, (2) lattices, and (3) quadratic residuosity. As a result of independent interest, we show that an IB-HPS almost immediately yields an Identity-Based Encryption (IBE) scheme which is secure against (small) partial leakage of the target identity's decryption key. As our main result, we use IB-HPS to construct public-key encryption (and IBE) schemes in the Bounded-Retrieval Model.

show abstract

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

Section: Brm the Bounded-retrieval Model Was (Concurrently) Proposedmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Public-Key Encryption in the Bounded-Retrieval Model

Alwen

Dodis

Naor

et al. 2010

Advances in Cryptology – EUROCRYPT 2010

Self Cite

157

202

View full text Add to dashboard Cite

show abstract

“…Which means that designing algorithms such that their description already provides security against those attacks. Leakage-resilient cryptography is an increasingly active area in recent years and many leakage models have been proposed, such as only computation leaks information (OCLI) [19,21,27, 24], memory leakage [1,17], bounded retrieval [2,3,14], and auxiliary input models [15,21,20,34], etc. In this work, we design leakage-resilient signature schemes based on the following two leakage models:…”

Section: Introductionmentioning

confidence: 99%

Efficient Leakage-Resilient Signature Schemes in the Generic Bilinear Group Model

Tang

Niu

et al. 2014

Information Security Practice and Experience

View full text Add to dashboard Cite

Abstract. We extend the techniques of Kiltz et al. (in ASIACRYPT 2010) and Galindo et al. (in SAC 2012) to construct two efficient leakage-resilient signature schemes. Our schemes based on Boneh-LynnShacham (BLS) short signature and Waters signature schemes, respectively. Both of them are more efficient than Galindo et al.'s scheme, and can tolerate leakage of (1 − o (1))/2 of the secret key at every signature invocation. The security of the proposed schemes are proved in the generic bilinear group model (additionally, in our first scheme which based on the BLS short signature, a random oracle is needed for the proof).

show abstract

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Mohammad

2020

Int J Communication

View full text Add to dashboard Cite

Hao proposed the YAK as a robust key agreement based on public-key authentication, and the author claimed that the YAK protocol withstands all known attacks and therefore is secure against an extremely strong adversary. However, Toorani showed the security flaws in the YAK protocol. This paper shows that the YAK protocol cannot withstand the known key security attack, and its consequences lead us to introduce a new key compromise impersonation attack, where an adversary is allowed to reveal both the shared static secret key between two-party participation and the ephemeral private key of the initiator party in order to mount this attack. In addition, we present a new security model that covers these attacks against an extremely strong adversary. Moreover, we propose an improved YAK protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism in its block design that provides entity authentication and key confirmation. Meanwhile, we show that the proposed protocol is secure in the proposed formal security model under the gap Diffie-Hellman assumption and the random oracle assumption. Moreover, we verify the security of the proposed protocol and YAK protocol by using an automatic verification method such as the Scyther tool, and the verification result shows that the security claims of the proposed protocol are proven, in contrast to those of the YAK protocol, which are not proven. The security and performance comparisons show that the improved YAK protocol outperforms previous related protocols. K E Y W O R D Sauthenticated key agreement, cryptanalysis, eCK, formal security model, key compromise impersonation, known key security, Scyther tool | INTRODUCTIONAs a result of the rapid development in the Internet of Things (IoT)-related applications in daily life, which uses diverse communication devices, securing data has become a more challenging task. Due to a diverse powerful adversary for revealing secret information from a party's participation via the open communication model, many formal security models and automated verification tools have been developed for finding security flaws in proposed new protocols before implementing them in applications. Consequently, secret key distribution and user authentication became the most important security issues in IoT. Nowadays, the security proof and verification process of an Authenticated Key Agreement (AKA) protocol in the formal security model is important for successful IoT applications.Diffie-Hellman (DH) key exchange protocol is a fundamental building block to distribute a shared secret key over an insecure communication model, 1 which is based on the concept of asymmetric cryptography. The shared secret key is used to provide confidentiality, integrity, nonrepudiation, and authenticity for data during transmission over an untrusted communication model. An AKA protocol is based on a public key, wherein the two intended participating parties exchange static and ephemeral ...

show abstract

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model

Cited by 218 publications

References 36 publications

Public-Key Encryption in the Bounded-Retrieval Model

Public-Key Encryption in the Bounded-Retrieval Model

Efficient Leakage-Resilient Signature Schemes in the Generic Bilinear Group Model

Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther

Contact Info

Product

Resources

About