New Cryptographic Protocols With Side-Channel Attack Security
Author
Abstract
Acknowledgments

This thesis is based on joint work with Professor Mihir Bellare and David Cash. I'd like to express gratitude for the time that we explored ideas together; you were wonderful to work with! A very special thank you to my Advisor, Professor Shafi Goldwasser, for such caring mentorship – it has been such a pleasure to work and to learn under you for my time at MIT. Finally, I'd like to thank my family and my friends for their awesome, incredible support.

1 Introduction

Historical notions of cryptographic security have assumed that adversaries have only black-box access to cryptographic primitives; in these security games, adversaries can observe the input and output behavior of the protocol, but gain no information from the physical implementation. However, this model fails to account for the fact that adversaries do gain additional information from physical implementations: such implementations leak data, such as the time or power it takes to compute with a secret key, and are also susceptible to physical tampering attacks, such as modification of the secret key with microprobes. Attacks that take advantage of this non-black-box nature of protocols are collectively known as side channel attacks. Side channel attacks actually exist in practice; many practical side channel attacks have been well documented for almost two decades.

To model the adversarial powers that allow side channel attacks, theoretical cryptographers have developed the enhanced security models of leakage and tampering. Leakage accounts for information passive adversaries may gain about the contents of secret memory in addition to the input/output behavior of the system. Tampering accounts for adversarial modification of an executing protocol, including changes to the bits in secret memory, the introduction of errors to the computation, and even physical changes to the circuit executing the protocol.

Theoretical works have studied leakage extensively over the last several years, especially in the context of signatures and encryption. In contrast, very few theoretical results address tampering attacks; efficient cryptographic primitives with robust security against tampering are still lacking. Though several constructions of higher-level primitives exist, these constructions only protect against highly algebraic and scheme-specific tampering attacks [GOR11, AHI11, Luc04, BC10, GL10], or else require heavy and inefficient machinery, such as NIZK proofs [KKS11]. The most commonly used theoretical framework in tampering is the Related-Key Attack (RKA) model, which allows adversarial modification of the secret key. In a related key attack, the adversary is allowed to …
Similar references
Authentication Using Side-Channel Information
Authentication based on cryptographic protocols is a key technology for recent security systems. However, the so-called relay attack where a malicious attacker tries to assume the role of the prover, is known to be a serious threat even for the cryptographically-secure authentication systems. This paper proposes a new authentication method that utilizes the side channel that already exists in m...
Fault Attack, Countermeasures on Pairing Based Cryptography
Bilinear pairing is a new and increasingly popular way of constructing cryptographic protocols. This has resulted in the development of Identity Based Encryption (IBE) that is ideally used in identity aware devices. The security of such devices using pairing algorithms against side-channel and fault attack has not been studied extensively. This paper examines the security of existing countermea...
Fault Attack and Countermeasures on Pairing Based Cryptography
Bilinear pairing is a new and increasingly popular way of constructing cryptographic protocols. This has resulted in the development of Identity Based Encryption (IBE) that is ideally used in identity aware devices. The security of such devices using pairing algorithms against side-channel and fault attack has not been studied extensively. This paper examines the security of existing countermea...
A Salient Missing Link in RFID Security Protocols
In side channel analysis, an attacker utilizes some legitimate function queries in order to collect the corresponding responses of a cryptographic system while it is functioning in a normal mode. If those responses reveal some unwanted information about the secrecy or privacy, this leakage is called side channel information and these responses are called side channels. In this respect, careless...
A Novel Substitution Box Design for Hummingbird-2 against Side Channel Attack
Side-channel attacks are among the easiest and most powerful attacks against cryptographic implementations, and their targets range over protocols, modules, primitives and whole systems. As a result of such attacks, a serious threat to the security of cryptographic modules was encountered. In effect, the realization of a cryptographic algorithm has to take some countermeasure to resist this ty...
Template attacks exploiting static power and application to CMOS lightweight crypto-hardware
Side-channel attacks are a serious threat to security-critical software. OpenSSL is a prime security attack target due to the library's ubiquitous real-world applications; therefore, the history of cache-timing attacks against OpenSSL is varied and rich. The presentation includes a brief history of cache-timing attacks in OpenSSL. To mitigate remote timing and cache-timing attacks, many ubiquit...
Publication date: 2012