Simulatable Leakage: Analysis, Pitfalls, and New Constructions

Longo, Jake; Martin, Daniel P.; Oswald, Elisabeth; Page, Daniel; Stam, Martijin; Tunstall, Michael

doi:10.1007/978-3-662-45611-8_12

Cited by 14 publications

(5 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A series of works [7,8,19,23] have proposed a number of leakage-resilient symmetric encryption schemes, message authentication codes, and authenticated encryption schemes. These constructions assume that a subset of their components (block cipher instances) are leakage-free and that the leakage in the other components is simulatable, an assumption that is somewhat contentious [21,26]. Based on these assumptions, they show that the security of their encryption schemes reduces to the security of a single-block variant of the same scheme.…”

Section: Related Workmentioning

confidence: 99%

Sponges Resist Leakage: The Case of Authenticated Encryption

Degabriele

Janson

Struck

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this work we advance the study of leakage-resilient Authenticated Encryption with Associated Data (AEAD) and lay the theoretical groundwork for building such schemes from sponges. Building on the work of Barwell et al. (ASIACRYPT 2017), we reduce the problem of constructing leakage-resilient AEAD schemes to that of building fixed-input-length function families that retain pseudorandomness and unpredictability in the presence of leakage. Notably, neither property is implied by the other in the leakage-resilient setting. We then show that such a function family can be combined with standard primitives, namely a pseudorandom generator and a collision-resistant hash, to yield a nonce-based AEAD scheme. In addition, our construction is quite efficient in that it requires only two calls to this leakage-resilient function per encryption or decryption call. This construction can be instantiated entirely from the T-sponge to yield a concrete AEAD scheme which we call Slae. We prove this sponge-based instantiation secure in the non-adaptive leakage setting. Slae bears many similarities and is indeed inspired by Isap, which was proposed by Dobraunig et al. at FSE 2017. However, while retaining most of the practical advantages of Isap, Slae additionally benefits from a formal security treatment. A.1 Standard Cryptographic PrimitivesWe make use of the following definition of a pseudorandom generator. Note that our syntax defines a pseudorandom generator with variable output length, where the output length (in bits) is specified as part of the input. In addition, in our security definition we allow the adversary to make multiple queries to the challenge oracle G.Definition 6 (Pseudorandom Generators). Let G : S × N → {0, 1} * be a pseudorandom generator with an associated seed space S, and let the PRG game be as defined in Fig. 16. Then for any adversary A, its corresponding PRG advantage is given by:We define collision-resistant hash functions over a generic domain X . Letting X = {0, 1} * results in the usual syntax but we can also, for instance, model a vector hash function over a triple of strings by setting X = {0, 1} * × {0, 1} * × {0, 1} * . For simplicity we only consider the random transformation model. Definition 7 (Collision-Resistant Hash Functions).Let H : X → {0, 1} w be a hash function constructed from a random transformation ρ, with domain X and output length w . Then for any adversary A with oracle access to ρ, its corresponding advantage is given by:Adv cr H (A) = 2 Pr[(X 0 , X 1 ) ← A ρ : H(X 0 ) = H(X 1 ) ∧ X 0 = X 1 ∧ X 0 , X 1 ∈ X ] .

show abstract

Section: Related Workmentioning

confidence: 99%

Sponges Resist Leakage: The Case of Authenticated Encryption

Degabriele

Janson

Struck

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…However, the construction requires a leak free component and in practice relies on the existence of efficient simulators of the leakage from (e.g.) AES, simulators that Longo et al [33] demonstrate are unlikely to exist.…”

Section: Related Workmentioning

confidence: 99%

Authenticated Encryption in the Face of Protocol and Side Channel Leakage

Barwell

Martin

Oswald

et al. 2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Authenticated encryption schemes in practice have to be robust against adversaries that have access to various types of leakage, for instance decryption leakage on invalid ciphertexts (protocol leakage), or leakage on the underlying primitives (side channel leakage). This work includes several novel contributions: we augment the notion of nonce-base authenticated encryption with the notion of continuous leakage and we prove composition results in the face of protocol and side channel leakage. Moreover, we show how to achieve authenticated encryption that is simultaneously both misuse resistant and leakage resilient, based on a sufficiently leakage resilient PRF, and finally we propose a concrete, pairing-based instantiation of the latter.

show abstract

“…A different, but related, line of research recently proposed leakage models that better cope with the perspective of cryptographic engineering (see, e.g., [70,71,55]).…”

Section: Related Workmentioning

confidence: 99%

Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model

Faonio

Nielsen

Venturi

2017

Theoretical Computer Science

View full text Add to dashboard Cite

We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience), including the random coin tosses of the signing algorithm. The main feature of our constructions is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible. This property was recently put forward by Nielsen, Venturi, and Zottarel (PKC 2014) to deal with settings in which the secret key is much larger than the size of a signature. One remarkable such case is the so-called Bounded-Retrieval Model (BRM), where one intentionally inflates the size of the secret key while keeping constant the signature size and the computational complexity of the scheme. Our main constructions have leakage rate 1 − o(1), and are proven secure in the standard model. We additionally give a construction in the BRM, relying on a random oracle. All of our schemes are described in terms of generic building blocks, but also admit efficient instantiations under fairly standard number-theoretic assumptions. Finally, we explain how to extend some of our schemes to the setting of noisy leakage, where the only restriction on the leakage functions is that the output does not decrease the min-entropy of the secret key by too much.

show abstract

Simulatable Leakage: Analysis, Pitfalls, and New Constructions

Cited by 14 publications

References 16 publications

Sponges Resist Leakage: The Case of Authenticated Encryption

Sponges Resist Leakage: The Case of Authenticated Encryption

Authenticated Encryption in the Face of Protocol and Side Channel Leakage

Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model

Contact Info

Product

Resources

About