# Leakage Resilience from Program Obfuscation

## Abstract

The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In the bounded leakage model (Akavia et al.—TCC 2009), it is assumed that there is a fixed upper bound *L* on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model (Brakerski et al.—FOCS 2010, Dodis et al.—FOCS 2010), the lifetime of a cryptographic scheme is divided into “time periods” between which the scheme’s secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period. In the continual leakage model, a challenging problem has been to provide security against *leakage on key updates*, that is, leakage that is a function of not only the current secret key but also the randomness used to update it. We propose a modular approach to overcome this problem based on program obfuscation. Namely, we present a compiler that transforms any public key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call *consecutive* continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming *indistinguishability obfuscation* (Barak et al.—CRYPTO 2001, Garg et al.—FOCS 2013). Under stronger forms of obfuscation, the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is derived by making a connection between the problems of leakage on key updates and so-called sender-deniable encryption (Canetti et al.—CRYPTO 1997), which was recently constructed based on indistinguishability obfuscation by Sahai and Waters (STOC 2014).

In the bounded leakage model, we give an approach to constructing leakage-resilient public key encryption from program obfuscation based on the public key encryption scheme of Sahai and Waters (STOC 2014). In particular, we achieve leakage-resilient public key encryption tolerating *L* bits of leakage for any *L* from \({\mathsf {iO}} \) and one-way functions. We build on this to achieve leakage-resilient public key encryption with optimal leakage rate of \(1-o(1)\) based on stronger forms of obfuscation and collision-resistant hash functions. Such a leakage rate is not known to be achievable in a generic way based on public key encryption alone. We then develop additional techniques to construct public key encryption that is (consecutive) continual leakage resilient under appropriate assumptions, which we believe is of independent interest.
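To make the three leakage interfaces in the abstract concrete, here is an added Python model (not from the paper) of the leakage oracle an adversary queries: it enforces the lifetime bound *L* of the bounded model and the per-period bound of the continual model, and optionally hands the leakage function the key-update randomness, which is the leakage-on-key-updates case. The two-share placeholder key, its XOR refresh and all names are assumptions made for illustration.

```python
import os
from typing import Callable, Optional

class LeakageBudgetExceeded(Exception):
    """Raised when a leakage query would exceed the model's bound."""

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class LeakageOracle:
    """Leakage interface of the abstract's models, with budget accounting.
    mode='bounded':   at most `bound` bits may leak over the scheme's whole lifetime.
    mode='continual': at most `bound` bits per time period; update() ends a period.
    leak_on_updates:  in continual mode, queries also see the randomness of the latest
                      key update (the hard case the paper's compiler addresses).
    Placeholder key (assumption): two 16-byte shares whose XOR is the long-term secret,
    re-shared with fresh randomness on update. No security claim is made for it.
    """
    def __init__(self, mode: str, bound: int, leak_on_updates: bool = False):
        assert mode in ("bounded", "continual")
        self.mode, self.bound, self.leak_on_updates = mode, bound, leak_on_updates
        secret, share_a = os.urandom(16), os.urandom(16)
        self.sk = (share_a, _xor(secret, share_a))
        self.update_randomness: Optional[bytes] = None
        self.period, self.leaked_bits = 0, 0
    def remaining(self) -> int:  # bits left in this period (continual) or overall (bounded)
        return self.bound - self.leaked_bits
    def leak(self, f: Callable[[tuple, Optional[bytes]], int], out_bits: int) -> int:
        """Answer query f with an out_bits-bit result, enforcing the budget first."""
        if out_bits > self.remaining():
            raise LeakageBudgetExceeded(f"{out_bits} bits requested, {self.remaining()} left")
        self.leaked_bits += out_bits
        rand = self.update_randomness if self.mode == "continual" and self.leak_on_updates else None
        return f(self.sk, rand) & ((1 << out_bits) - 1)
    def update(self) -> None:
        """Start a new period: re-share the secret, reset the per-period budget."""
        if self.mode != "continual":
            raise ValueError("key updates exist only in the continual leakage model")
        r = os.urandom(16)
        self.sk = (_xor(self.sk[0], r), _xor(self.sk[1], r))  # XOR of shares is unchanged
        self.update_randomness, self.period, self.leaked_bits = r, self.period + 1, 0

def answered_queries(oracle: LeakageOracle, sizes: list) -> int:
    """How many of the requested leakage sizes the oracle answers before refusing."""
    for i, bits in enumerate(sizes):
        if bits > oracle.remaining():
            return i
        oracle.leak(lambda sk, r: sk[0][0], bits)
    return len(sizes)
```

In the bounded model the budget never resets, so two 4-bit queries exhaust a bound of 8; in the continual model an update restores the per-period budget, and only with `leak_on_updates=True` does the query function ever see the update randomness.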

## Keywords

Indistinguishability obfuscation, Leakage resilience, Public key encryption, Digital signatures

## Notes

### Acknowledgements

We thank the anonymous reviewers for their insightful comments, which greatly improved the presentation of this work.

## References

- 1. M. Abe, M. Chase, B. David, M. Kohlweiss, R. Nishimaki, and M. Ohkubo. Constant-size structure-preserving signatures: Generic constructions and simple assumptions. In X. Wang and K. Sako, editors, *ASIACRYPT 2012*, vol. 7658 of *LNCS* (Springer, Berlin, 2012), pp. 4–24.
- 2. A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In O. Reingold, editor, *TCC 2009*, vol. 5444 of *LNCS* (Springer, Berlin, 2009), pp. 474–495.
- 3. P. Ananth, D. Boneh, S. Garg, A. Sahai, and M. Zhandry. Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689, 2013. http://eprint.iacr.org/2013/689.
- 4. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. In J. Kilian, editor, *CRYPTO 2001*, vol. 2139 of *LNCS* (Springer, Berlin, 2001), pp. 1–18.
- 5. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. *J. ACM*, 59(2):6, 2012.
- 6. A. Boldyreva, S. Fehr, and A. O’Neill. On notions of security for deterministic encryption, and efficient constructions without random oracles. In D. Wagner, editor, *CRYPTO 2008*, vol. 5157 of *LNCS* (Springer, Berlin, 2008), pp. 335–359.
- 7. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, editor, *CRYPTO 2004*, vol. 3152 of *LNCS* (Springer, Berlin, 2004), pp. 41–55.
- 8. D. Boneh and B. Waters. Constrained pseudorandom functions and their applications. In K. Sako and P. Sarkar, editors, *ASIACRYPT 2013, Part II*, vol. 8270 of *LNCS* (Springer, Berlin, 2013), pp. 280–300.
- 9. E. Boyle, K.-M. Chung, and R. Pass. On extractability obfuscation. In Y. Lindell, editor, *TCC 2014*, vol. 8349 of *LNCS* (Springer, Berlin, 2014), pp. 52–73.
- 10. E. Boyle, S. Goldwasser, and I. Ivan. Functional signatures and pseudorandom functions. In H. Krawczyk, editor, *PKC 2014*, vol. 8383 of *LNCS* (Springer, Berlin, 2014), pp. 501–519.
- 11. E. Boyle, G. Segev, and D. Wichs. Fully leakage-resilient signatures. In K. G. Paterson, editor, *EUROCRYPT 2011*, vol. 6632 of *LNCS* (Springer, Berlin, 2011), pp. 89–108.
- 12. Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan. Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In *51st FOCS* (IEEE Computer Society Press, 2010), pp. 501–510.
- 13. R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable encryption. In B. S. Kaliski Jr., editor, *CRYPTO ’97*, vol. 1294 of *LNCS* (Springer, Berlin, 1997), pp. 90–104.
- 14. R. Canetti, S. Goldwasser, and O. Poburinnaya. Adaptively secure two-party computation from indistinguishability obfuscation. In Y. Dodis and J. B. Nielsen, editors, *TCC 2015, Part II*, vol. 9015 of *LNCS* (Springer, Berlin, 2015), pp. 557–585.
- 15. R. Canetti, H. Krawczyk, and J. B. Nielsen. Relaxing chosen-ciphertext security. In D. Boneh, editor, *CRYPTO 2003*, vol. 2729 of *LNCS* (Springer, Berlin, 2003), pp. 565–582.
- 16. S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi. Towards sound approaches to counteract power-analysis attacks. In M. J. Wiener, editor, *CRYPTO ’99*, vol. 1666 of *LNCS* (Springer, Berlin, 1999).
- 17. M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Malleable proof systems and applications. In D. Pointcheval and T. Johansson, editors, *EUROCRYPT 2012*, vol. 7237 of *LNCS* (Springer, Berlin, 2012), pp. 281–300.
- 18. D. Dachman-Soled, J. Katz, and V. Rao. Adaptively secure, universally composable, multiparty computation in constant rounds. In Y. Dodis and J. B. Nielsen, editors, *TCC 2015, Part II*, vol. 9015 of *LNCS* (Springer, Berlin, 2015), pp. 586–613.
- 19. D. Dachman-Soled, F.-H. Liu, and H.-S. Zhou. Leakage-resilient circuits revisited: optimal number of computing components without leak-free hardware. In E. Oswald and M. Fischlin, editors, *EUROCRYPT 2015, Part II*, vol. 9057 of *LNCS* (Springer, Berlin, 2015), pp. 131–158.
- 20. A. De Santis, G. Di Crescenzo, R. Ostrovsky, G. Persiano, and A. Sahai. Robust non-interactive zero knowledge. In J. Kilian, editor, *CRYPTO 2001*, vol. 2139 of *LNCS* (Springer, Berlin, 2001), pp. 566–598.
- 21. Y. Dodis, K. Haralambiev, A. López-Alt, and D. Wichs. Cryptography against continuous memory attacks. In *51st FOCS* (IEEE Computer Society Press, 2010), pp. 511–520.
- 22. Y. Dodis, K. Haralambiev, A. López-Alt, and D. Wichs. Efficient public-key cryptography in the presence of key leakage. In M. Abe, editor, *ASIACRYPT 2010*, vol. 6477 of *LNCS* (Springer, Berlin, 2010), pp. 613–631.
- 23. Y. Dodis, Y. T. Kalai, and S. Lovett. On cryptography with auxiliary input. In M. Mitzenmacher, editor, *41st ACM STOC* (ACM Press, 2009), pp. 621–630.
- 24. Y. Dodis, A. B. Lewko, B. Waters, and D. Wichs. Storing secrets on continually leaky devices. In R. Ostrovsky, editor, *52nd FOCS* (IEEE Computer Society Press, 2011), pp. 688–697.
- 25. Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. *SIAM J. Comput.*, 38(1):97–139, 2008.
- 26. Y. Dodis and A. Smith. Correcting errors without leaking partial information. In H. N. Gabow and R. Fagin, editors, *37th ACM STOC* (ACM Press, 2005), pp. 654–663.
- 27. S. Faust, T. Rabin, L. Reyzin, E. Tromer, and V. Vaikuntanathan. Protecting circuits from leakage: the computationally-bounded and noisy cases. In H. Gilbert, editor, *EUROCRYPT 2010*, vol. 6110 of *LNCS* (Springer, Berlin, 2010), pp. 135–156.
- 28. S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. In T. Johansson and P. Q. Nguyen, editors, *EUROCRYPT 2013*, vol. 7881 of *LNCS* (Springer, Berlin, 2013), pp. 1–17.
- 29. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In *54th FOCS* (IEEE Computer Society Press, 2013), pp. 40–49.
- 30. S. Garg, C. Gentry, S. Halevi, and D. Wichs. On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. In J. A. Garay and R. Gennaro, editors, *CRYPTO 2014, Part I*, vol. 8616 of *LNCS* (Springer, Berlin, 2014), pp. 518–535.
- 31. S. Garg and A. Polychroniadou. Two-round adaptively secure MPC from indistinguishability obfuscation. In Y. Dodis and J. B. Nielsen, editors, *TCC 2015, Part II*, vol. 9015 of *LNCS* (Springer, Berlin, 2015), pp. 614–637.
- 32. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. *J. ACM*, 33(4):792–807, Aug. 1986.
- 33. S. Goldwasser and G. N. Rothblum. On best-possible obfuscation. In S. P. Vadhan, editor, *TCC 2007*, vol. 4392 of *LNCS* (Springer, Berlin, 2007), pp. 194–213.
- 34. J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In *USENIX Security Symposium* (2008), pp. 45–60.
- 35. C. Hazay, A. López-Alt, H. Wee, and D. Wichs. Leakage-resilient cryptography from minimal assumptions. In T. Johansson and P. Q. Nguyen, editors, *EUROCRYPT 2013*, vol. 7881 of *LNCS* (Springer, Berlin, 2013), pp. 160–176.
- 36. R. Impagliazzo, L. A. Levin, and M. Luby. Pseudo-random generation from one-way functions (extended abstracts). In *21st ACM STOC* (ACM Press, 1989), pp. 12–24.
- 37. Y. Ishai, O. Pandey, and A. Sahai. Public-coin differing-inputs obfuscation and its applications. In Y. Dodis and J. B. Nielsen, editors, *TCC 2015, Part II*, vol. 9015 of *LNCS* (Springer, Berlin, 2015), pp. 668–697.
- 38. J. Katz and Y. Lindell. *Introduction to Modern Cryptography, Second Edition*. CRC Press, 2014.
- 39. J. Katz and V. Vaikuntanathan. Signature schemes with bounded leakage resilience. In M. Matsui, editor, *ASIACRYPT 2009*, vol. 5912 of *LNCS* (Springer, Berlin, 2009), pp. 703–720.
- 40. M. J. Kearns and U. V. Vazirani. *An Introduction to Computational Learning Theory*. Massachusetts Institute of Technology, 1994.
- 41. A. Kiayias, S. Papadopoulos, N. Triandopoulos, and T. Zacharias. Delegatable pseudorandom functions and applications. In A.-R. Sadeghi, V. D. Gligor, and M. Yung, editors, *ACM CCS 13* (ACM Press, 2013), pp. 669–684.
- 42. C.-J. Lee, C.-J. Lu, S.-C. Tsai, and W.-G. Tzeng. Extracting randomness from multiple independent sources. *IEEE Transactions on Information Theory*, 51(6):2224–2227, 2005.
- 43. A. B. Lewko, M. Lewko, and B. Waters. How to leak on key updates. In L. Fortnow and S. P. Vadhan, editors, *43rd ACM STOC* (ACM Press, 2011), pp. 725–734.
- 44. T. Malkin, I. Teranishi, Y. Vahlis, and M. Yung. Signatures resilient to continual leakage on memory and computation. In Y. Ishai, editor, *TCC 2011*, vol. 6597 of *LNCS* (Springer, Berlin, 2011), pp. 89–106.
- 45. S. Micali and L. Reyzin. Physically observable cryptography (extended abstract). In M. Naor, editor, *TCC 2004*, vol. 2951 of *LNCS* (Springer, Berlin, 2004), pp. 278–296.
- 46. M. Naor and G. Segev. Public-key cryptosystems resilient to key leakage. In S. Halevi, editor, *CRYPTO 2009*, vol. 5677 of *LNCS* (Springer, Berlin, 2009), pp. 18–35.
- 47. A. Sahai and B. Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In D. B. Shmoys, editor, *46th ACM STOC* (ACM Press, 2014), pp. 475–484.
- 48. B. Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In S. Halevi, editor, *CRYPTO 2009*, vol. 5677 of *LNCS* (Springer, Berlin, 2009), pp. 619–636.
- 49. B. Waters. CS 395T Special Topic: Obfuscation in Cryptography. 2014. http://www.cs.utexas.edu/~bwaters/classes/CS395T-Fall-14/outline.html
- 50. B. Waters. How to use indistinguishability obfuscation. In *Visions of Cryptography*, 2014. Talk slides available at http://www.cs.utexas.edu/~bwaters/presentations/files/how-to-use-IO.ppt.
- 51. D. Wichs. Cryptographic resilience to continual information leakage. Ph.D. Thesis, 2011. http://www.ccs.neu.edu/home/wichs/thesis.pdf