Public-key cryptosystems resilient to key leakage

Research output: Contribution to journalArticlepeer-review


Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the "cold boot attacks" of Halderman et al. [Proceedings of the 17th USENIX Security Symposium, San Jose, CA, 2008, pp. 45-60], Akavia, Goldwasser, and Vaikuntanathan [Proceedings of the 6th IACR Theory of Cryptography Conference, San Francisco, CA, 2009, pp. 474-495] formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, they showed that Regev's lattice-based scheme [Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, 2005, pp. 84-93] is resilient to any leakage of L/polylog(L) bits, where L is the length of the secret key. In this paper we revisit the above-mentioned framework and our main results are as follows. (A) We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying hash proof system. Existing constructions of hash proof systems imply that our construction can be based on a variety of numbertheoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker d-linear variants), the quadratic residuosity assumption, and Paillier's composite residuosity assumption. (B) We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its d-linear variants) and show that the resulting scheme is resilient to any leakage of L(1 - o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. [Advances in Cryptology-CRYPTO'08, Santa Barbara, CA, 2008, pp. 108-125], constructed to be a "circularsecure" encryption scheme, fits our generic approach and is also resilient to any leakage of L(1-o(1)) bits. (C) We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of L(1 - o(1)) bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.

Original languageEnglish
Pages (from-to)772-814
Number of pages43
JournalSIAM Journal on Computing
Issue number4
StatePublished - 2012


  • Leakage-resilient cryptography
  • Public-key encryption

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • General Mathematics


Dive into the research topics of 'Public-key cryptosystems resilient to key leakage'. Together they form a unique fingerprint.

Cite this