Wednesday, August 17, 2011

Crypto, day 2

The second session today was on leakage and side channels and it combined theoretical and practical aspects of this subject, the former of which I will concentrate on here.

The first talk was on leakage-resilient zero knowledge. A zero-knowledge proof allows a prover to convince a verifier of the validity of a statement without revealing anything else. This is formalised by requiring that there exist a simulator which can simulate the prover without knowing the witness for the statement. The witness is some information that makes it easy to check the validity of the statement, but which the prover does not want to reveal.

The question asked here is what happens if the prover leaks information about this witness, which could occur in an actual execution due to side-channel attacks. The authors formalise leakage-resilient (LR) zero-knowledge (ZK) by requiring that the leakage in the real world is bounded by the leakage in the ideal (simulated) world.
The results are LR non-interactive (NI) ZK proofs (which follow from adaptive NIZKs) and, more importantly, LR ZK proofs (which do not require a trusted setup), where the situation is trickier: when the adversary queries for leakage, the simulator must consistently explain its previous behaviour (as for adaptive security), but here even future messages must be consistent.

The last talk of the session was on cryptography with tamperable and leaky memory. The motivation is that leakage of secret information can be bad, but an adversary actually tampering with it could be even worse. Previous work on this topic had some restrictions, such as requiring non-tamperable memory, or limiting the functions the adversary could apply to modify secret information. This work only assumes a non-tamperable common reference string, which the authors argue could be hardwired anyway, and a true source of randomness.

The first result is a generic transformation, using fully homomorphic encryption and NIZKs, from any scheme (which has a secret key that is uniformly random) that is resilient against bounded leakage into a scheme that is in addition resilient to continual tampering. The second result consists of encryption and signature schemes that are resilient to continual leakage and tampering, based on assumptions in bilinear groups.
