Related key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a-priori unbounded number of certain algebraic induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. (1) We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can allow also independent tampering with the public parameters. (2) We show a bounded tamper and leakage resilient CCA-secure public key cryptosystem based on the DDH assumption. We first define a weaker CCA-like security notion that we can instantiate based on DDH, and then we give a general compiler that yields CCA security with tamper and leakage resilience. This requires a public tamper-proof common reference string. (3) Finally, we explain how to boost bounded tampering and leakage resilience [as in (1) and (2) above] to continuous tampering and leakage resilience, in the so-called floppy model where each user has a personal hardware token (containing leak- and tamper-free information) which can be used to refresh the secret key. We believe that bounded tampering is a meaningful and interesting alternative to avoid known impossibility results and can provide important insights into the security of existing standard cryptographic schemes.

Bounded Tamper Resilience: How to Go Beyond the Algebraic Barrier / Damgård, Ivan; Faust, Sebastian; Mukherjee, Pratyay; Venturi, Daniele. - In: JOURNAL OF CRYPTOLOGY. - ISSN 0933-2790. - STAMPA. - 2017, 30:1(2017), pp. 152-190. [10.1007/s00145-015-9218-0]

Bounded Tamper Resilience: How to Go Beyond the Algebraic Barrier

Venturi, Daniele
2017-01-01

Abstract

Related key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a-priori unbounded number of certain algebraic induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. (1) We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can allow also independent tampering with the public parameters. (2) We show a bounded tamper and leakage resilient CCA-secure public key cryptosystem based on the DDH assumption. We first define a weaker CCA-like security notion that we can instantiate based on DDH, and then we give a general compiler that yields CCA security with tamper and leakage resilience. This requires a public tamper-proof common reference string. (3) Finally, we explain how to boost bounded tampering and leakage resilience [as in (1) and (2) above] to continuous tampering and leakage resilience, in the so-called floppy model where each user has a personal hardware token (containing leak- and tamper-free information) which can be used to refresh the secret key. We believe that bounded tampering is a meaningful and interesting alternative to avoid known impossibility results and can provide important insights into the security of existing standard cryptographic schemes.
2017
1
Damgård, Ivan; Faust, Sebastian; Mukherjee, Pratyay; Venturi, Daniele
Bounded Tamper Resilience: How to Go Beyond the Algebraic Barrier / Damgård, Ivan; Faust, Sebastian; Mukherjee, Pratyay; Venturi, Daniele. - In: JOURNAL OF CRYPTOLOGY. - ISSN 0933-2790. - STAMPA. - 2017, 30:1(2017), pp. 152-190. [10.1007/s00145-015-9218-0]
File in questo prodotto:
File Dimensione Formato  
677(1).pdf

Open Access dal 01/02/2018

Descrizione: Full version
Tipologia: Post-print referato (Refereed author’s manuscript)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 517.4 kB
Formato Adobe PDF
517.4 kB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/155998
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 6
  • ???jsp.display-item.citation.isi??? 5
  • OpenAlex ND
social impact