Key-Evolution Schemes Resilient to Space-Bounded Leakage

Much recent work in cryptography attempts to build secure schemes in the presence of side-channel leakage. In this setting, the adversary may obtain some additional information (beyond the control of the scheme designer) about the internal secret state of a cryptographic scheme. Here, we consider key-evolution schemes that allow a user to evolve a secret-key K1 via a deterministic function f , to get updated keys K2 = f(K1),K3 = f(K2), . . .. Such a scheme is leakage-resilient if an adversary that can leak on the first i steps of the evolution process does not get any useful information about any future keys. For such schemes, one must assume some restriction on the complexity of the leakage to prevent pre-computation attacks, where the leakage on a key Ki simply pre-computes a future key Ki+t and leaks even a single bit on it. We notice that much of the prior work on this problem, and the restrictions made therein, can be divided into two types. Theoretical work offers rigor and provable security, but at the cost of having to make strong restrictions on the type of leakage and designing complicated schemes to make standard reduction-based proof techniques go through. On the other hand, practical work focuses on simple and efficient schemes, often at the cost of only achieving an intuitive notion of security without formal well-specified guarantees. In this paper, we complement the two tracks via a middle-of-the-road approach. On one hand, we rely on the random-oracle model, acknowledging the usefulness of this methodology in practice despite its theoretical shortcomings. On the other hand, we show that even in the random-oracle model, designing secure leakage-resilient schemes with clear and meaningful guarantees requires great care and is susceptible to pitfalls. For example, just assuming that leakage “cannot evaluate the random oracle” can be misleading. Instead, we define a new model in which we assume that the “leakage” can be any arbitrary space bounded computation that can make random oracle calls itself. We connect the space-complexity of a computation in the random-oracle modeling to the pebbling complexity on graphs. Using this connection, we derive meaningful guarantees for relatively simple key-evolution constructions.