# Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks

@inproceedings{Dodis2010LeakageResilientPF, title={Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks}, author={Yevgeniy Dodis and Krzysztof Pietrzak}, booktitle={CRYPTO}, year={2010} }

A cryptographic primitive is leakage-resilient if it remains secure even if an adversary can learn a bounded amount of arbitrary information about the computation with every invocation. As a consequence, the physical implementation of a leakage-resilient primitive is secure against every side-channel as long as the amount of information leaked per invocation is bounded.
In this paper we prove positive and negative results about the feasibility of constructing leakage-resilient pseudorandom…

## 93 Citations

### Practical Leakage-Resilient Symmetric Cryptography

- Computer Science, Mathematics
- CHES
- 2012

It is shown that indeed for simpler constructions leakage-resilience can be obtained when the authors aim for relaxed security notions where the leakage-functions and/or the inputs to the primitive are chosen non-adaptively.

### Leakage Resilient One-Way Functions: The Auxiliary-Input Setting

- Mathematics, Computer Science
- TCC
- 2016

This work considers the problem of constructing leakage resilient one-way functions that are secure with respect to arbitrary computationally hiding leakage, a.k.a. auxiliary input, and shows that when the leakage is chosen ahead of time, there are leakage resilient one-way functions based on a variety of assumptions.

### Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2013

This paper argues that the previous “bounded leakage” requirements used in leakage-resilient cryptography are hard to fulfill by hardware engineers, and introduces a new, more realistic and empirically verifiable assumption of simulatable leakage, under which security proofs in the standard model can be obtained.

### Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs

- Computer Science, Mathematics
- CHES
- 2012

It is put forward that the AES is not perfectly suited for integration in a leakage-resilient design, and more sophisticated tools based on lattice reduction turn out to be powerful in the physical cryptanalysis of these primitives.

### Multiparty computation secure against continual memory leakage

- Mathematics, Computer Science
- STOC '12
- 2012

We construct a multiparty computation (MPC) protocol that is secure even if a malicious adversary, in addition to corrupting 1-ε fraction of all parties for an arbitrarily small constant ε >0, can…

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

- Computer Science, Mathematics
- CCS
- 2015

This paper proposes and analyzes new constructions of leakage-resilient MAC and encryption schemes, which allow fixing security and efficiency drawbacks of previous proposals in this direction.

### Masking against Side-Channel Attacks: A Formal Security Proof

- Computer Science, Mathematics
- EUROCRYPT
- 2013

It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.

### Unknown-Input Attacks in the Parallel Setting: Improving the Security of the CHES 2012 Leakage-Resilient PRF

- Computer Science, Mathematics
- ASIACRYPT
- 2016

It turns out that such noise renders the problem of side-channel key recovery intractable under very little and easily satisfiable assumptions, which means that the construction stays secure even in a noise-free setting and independent of the number of traces and the used power model.

### Leakage-Resilient Symmetric Encryption via Re-keying

- Computer Science, Mathematics
- CHES
- 2013

Here, it is proved that using a leakage-resilient re-keying scheme on top of a secure encryption scheme in the standard model leads to a leakage-resilient encryption scheme.

### Practical Leakage-Resilient Pseudorandom Objects with Minimum Public Randomness

- Mathematics, Computer Science
- CT-RSA
- 2013

This paper shows that tweaked designs with minimum randomness requirements can be proven leakage-resilient in minicrypt, and improves the practical relevance of two important leakage-resilient pseudorandom objects.

## References

Showing 1-10 of 49 references.

### Leakage-Resilient Cryptography

- Computer Science, Mathematics
- 2008 49th Annual IEEE Symposium on Foundations of Computer Science
- 2008

A stream-cipher S is constructed whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked during computation, and a lemma is proved that the output of any PRG has high HILL pseudoentropy even if arbitrary information about the seed is leaked.

### A Leakage-Resilient Mode of Operation

- Computer Science, Mathematics
- EUROCRYPT
- 2009

It is shown that unlike "normal" PRFs, wPRFs are seed-incompressible, in the sense that the output of a wPRF is pseudorandom even if a bounded amount of information about the key is leaked.

### Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model

- Computer Science, Mathematics
- CRYPTO
- 2009

This work builds an efficient three-round AKA in the Random-Oracle Model, which is resilient to key-leakage attacks that can occur prior-to and after a protocol execution, and allows for repeated "invisible updates" of the secret key, allowing for an unlimited amount of leakage overall.

### Cryptography Resilient to Continual Memory Leakage

- Computer Science, Mathematics
- 2010

The main contributions of this work are showing how to securely update a secret key while information is leaked (in the more general model) and giving public key encryption schemes that are resilient to continual leakage.

### Leakage-Resilient Signatures

- Computer Science, Mathematics
- TCC
- 2010

The notion of “leakage-resilient signatures” is put forward, which strengthens the standard security notion by giving the adversary the additional power to learn a bounded amount of arbitrary information about the secret state that was accessed during every signature generation.

### Cryptography against Continuous Memory Attacks

- Computer Science, Mathematics
- 2010 IEEE 51st Annual Symposium on Foundations of Computer Science
- 2010

This work constructs a variety of practical CLR schemes, including CLR one-way relations, CLR signatures, CLR identification schemes, and CLR authenticated key agreement protocols, and shows how to instantiate them efficiently using a well established assumption on bilinear groups, called the K-Linear assumption.

### Merkle-Damgård Revisited: How to Construct a Hash Function

- Computer Science, Mathematics
- CRYPTO
- 2005

It is shown that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy a new security notion for hash functions, stronger than collision-resistance.

### Signature Schemes with Bounded Leakage Resilience

- Computer Science, Mathematics
- ASIACRYPT
- 2009

This work shows a full-fledged signature scheme tolerating leakage of n *** n *** bits of information about the secret key (for any constant *** > 0), based on general assumptions.

### Intrusion-Resilient Secret Sharing

- Computer Science, Mathematics
- 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07)
- 2007

There is an obvious connection between IRSS schemes and the fact that there exist functions with an exponential gap in their communication complexity for k and k-1 rounds, and the scheme implies such a separation which is in several aspects stronger than the previously known ones.

### Circular and Leakage Resilient Public-Key Encryption Under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back)

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2010

The main results of this work are new public-key encryption schemes that, under the quadratic residuosity (QR) assumption (or Paillier's decisional composite residuosity (DCR) assumption), achieve…