
Carmit Hazay gets paper accepted at PODC

Carmit Hazay has had her paper accepted at the 31st Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing (PODC) in Madeira, Portugal. PODC is a conference that focuses on research in the theory, design, specification and implementation of distributed systems.

2012.04.26 | Jan Frederiksen

The paper, Distributed Public Key Schemes Secure against Continual Leakage, has been accepted in the category for regular papers.


Distributed Public Key Schemes Secure against Continual Leakage


In this work we study public key encryption schemes in the distributed continual memory leakage model. The secret key will be distributed (i.e., shared) among two computing devices communicating over public channels, and the decryption will be computed by a simple 2-party protocol between the devices. Similarly, the secret key shares will be refreshed by a 2-party protocol in discrete time intervals throughout the lifetime of the system. The leakage adversary can choose pairs, one per device, of arbitrary polynomial time length shrinking (or entropy shrinking) functions, and receive the value of the respective function on the internal state of the respective device (namely, on its secret share, internal randomness and results of intermediate computations). The advantage that this offers (to the leakage problem) is that the leakage functions chosen by the adversary are limited now to only apply to the shares of the secret state rather than the entire secret state at once. The choice of the leakage functions is adaptive depending on public communication and on leakage in previous time intervals. We present leakage resilient public key encryption (PKE) and identity based encryption (IBE) schemes that are secure against continual memory leakage in this model, under the Bilinear Decisional Diffie-Hellman and 2-Linear assumptions.

Our schemes have the following properties.

1. The number of leakage bits tolerated by our PKE and IBE schemes is (1 - o(1))|sk1| from the secret state of the first device and |sk2| from the secret state of the second device, and ((1/2 - o(1))|sk1|, |sk2|) during refreshing of the secret key (where |sk1|, |sk2| represent the lengths of the secret shares of the devices).

2. Our IBE scheme tolerates repetitive leakage from both the master secret key and the identity based secret keys.

3. Our PKE scheme is CCA2-secure against continual memory leakage.

4. Our PKE scheme also implies a secure storage system on leaky devices, where a value s is secretly stored on devices that continually leak information about their internal state to an external attacker.

This is a joint work with Adi Akavia and Shafi Goldwasser.
