Deterministic public-key encryption, introduced by Bellare, Boldyreva, and O’Neill (CRYPTO 2007), is an important database encryption technique which allows quick, logarithmic-time, search over encrypted data items. The technique is most effective in scenarios where frequent search queries are performed over a huge database of highly sensitive, yet unpredictable, data items such as credit card ...

We provide a framework for constructing leakage-resilient identification (ID) protocols in the bounded retrieval model (BRM) from proofs of storage (PoS) that hide partial information about the file. More precisely, we describe a generic transformation from any zero-knowledge PoS to a leakage-resilient ID protocol in the BRM. We then describe a ZK-PoS based on RSA which, under our transformatio...

A scheme is said leakage resilient if it remains secure even when an adversary is able to learn partial information about some secret values used throughout the lifetime of the system. This recent area appeared because of the need to develop schemes that resist to sidechannel attacks, such as power-consumption, fault or time analyses. Today, there exist a few encryption schemes that implement t...

Leakage attacks, including various kinds of side-channel attacks, allow an attacker to learn partial information about the internal secrets such as the secret key and the randomness of a cryptographic system. Designing a strong, meaningful, yet achievable security notion to capture practical leakage attacks is one of the primary goals of leakage-resilient cryptography. In this work, we revisit ...

In this paper we demonstrate the existence of a number of weaknesses in a leakage-resilient authenticated key transport (RSA-AKE) protocol due to Shin, Kobara and Imai.

Last time we proved the Leftover Hash Lemma, which states that if X is a random variable with universe U and H∞(X) ≥ k, ε > 0, and H is a universal hash family of size 2 with output length l = k − 2 log(1/ε), then Ext(x, h) = h(x) is a (k, ε/2) extractor with seed length d and output length m. In other words, Ext(x, h) extracts l bits from x that are ε-close to uniform, with ε = 12 √ 2−l. For a...

Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in real...

Attack techniques based on code reuse continue to enable real-world exploits bypassing all current mitigations. Code randomization defenses greatly improve resilience against code reuse. Unfortunately, sophisticated modern attacks such as JITROP can circumvent randomization by discovering the actual code layout on the target and relocating the attack payload on the fly. Hence, effective code ra...

Side-channel attacks are one of the most dangerous threats against secure devices. By exploiting physical properties of the circuits running cryptographic protocols, that is, by analyzing the power consumption, running time, or electomagnetic radiations of circuits computing on secret data, sidechannel attacks circumvent traditional security proofs and show to be extremely effective in breaking...

Typically, secure channels are constructed from an authenticated key exchange (AKE) protocol,which authenticates the communicating parties based on long-term public keys and establishes secretsession keys. In this paper we address the partial leakage of long-term secret keys of key exchangeprotocol participants due to various side-channel attacks. Security models for two-party authe...