Storing Secrets on Continually Leaky Devices

Y. Dodis, Allison Bishop, Brent Waters, D. Wichs
{"title":"Storing Secrets on Continually Leaky Devices","authors":"Y. Dodis, Allison Bishop, Brent Waters, D. Wichs","doi":"10.1109/FOCS.2011.35","DOIUrl":null,"url":null,"abstract":"We consider the question of how to store a value secretly on devices that continually leak information about their internal state to an external attacker. If the secret value is stored on a single device from which it is efficiently retrievable, and the attacker can leak even a single predicate of the internal state of that device, then she may learn some information about the secret value itself. Therefore, we consider a setting where the secret value is shared between multiple devices (or multiple components of a single device), each of which continually leaks arbitrary adaptively chosen predicates its individual state. Since leakage is continual, each device must also continually update its state so that an attacker cannot just leak it entirely one bit at a time. In our model, the devices update their state individually and asynchronously, without any communication between them. The update process is necessarily randomized, and its randomness can leak as well. As our main result, we construct a sharing scheme for two devices, where a constant fraction of the internal state of each device can leak in between and during updates. Our scheme has the structure of a public-key encryption, where one share is a secret key and the other is a ciphertext. As a contribution of independent interest, we also get public-key encryption in the continual leakage model, introduced by Brakerski et al. and Dodis et al. (FOCS '10). This scheme tolerates continual leakage on the secret key and the updates, and simplifies the recent construction of Lewko, Lewko and Waters (STOC '11). For our main result, we show how to update the ciphertexts of the encryption scheme so that the message remains hidden even if an attacker interleaves leakage on secret key and ciphertext shares. The security of our scheme is based on the linear assumption in prime-order bilinear groups. We also provide an extension to general access structures realizable by linear secret sharing schemes across many devices. The main advantage of this extension is that the state of some devices can be compromised entirely, while that of the all remaining devices is susceptible to continual leakage. Lastly, we show impossibility of information theoretic sharing schemes in our model, where continually leaky devices update their state individually.","PeriodicalId":326048,"journal":{"name":"2011 IEEE 52nd Annual Symposium on Foundations of Computer Science","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"74","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE 52nd Annual Symposium on Foundations of Computer Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/FOCS.2011.35","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 74

Abstract

We consider the question of how to store a value secretly on devices that continually leak information about their internal state to an external attacker. If the secret value is stored on a single device from which it is efficiently retrievable, and the attacker can leak even a single predicate of the internal state of that device, then she may learn some information about the secret value itself. Therefore, we consider a setting where the secret value is shared between multiple devices (or multiple components of a single device), each of which continually leaks arbitrary adaptively chosen predicates its individual state. Since leakage is continual, each device must also continually update its state so that an attacker cannot just leak it entirely one bit at a time. In our model, the devices update their state individually and asynchronously, without any communication between them. The update process is necessarily randomized, and its randomness can leak as well. As our main result, we construct a sharing scheme for two devices, where a constant fraction of the internal state of each device can leak in between and during updates. Our scheme has the structure of a public-key encryption, where one share is a secret key and the other is a ciphertext. As a contribution of independent interest, we also get public-key encryption in the continual leakage model, introduced by Brakerski et al. and Dodis et al. (FOCS '10). This scheme tolerates continual leakage on the secret key and the updates, and simplifies the recent construction of Lewko, Lewko and Waters (STOC '11). For our main result, we show how to update the ciphertexts of the encryption scheme so that the message remains hidden even if an attacker interleaves leakage on secret key and ciphertext shares. The security of our scheme is based on the linear assumption in prime-order bilinear groups. We also provide an extension to general access structures realizable by linear secret sharing schemes across many devices. The main advantage of this extension is that the state of some devices can be compromised entirely, while that of the all remaining devices is susceptible to continual leakage. Lastly, we show impossibility of information theoretic sharing schemes in our model, where continually leaky devices update their state individually.
在不断泄漏的设备上存储秘密
我们考虑如何在设备上秘密存储值的问题,这些设备会不断地向外部攻击者泄露有关其内部状态的信息。如果秘密值存储在可以有效检索的单个设备上,并且攻击者甚至可以泄漏该设备内部状态的单个谓词,那么他可能会了解有关秘密值本身的一些信息。因此,我们考虑在多个设备(或单个设备的多个组件)之间共享秘密值的设置,其中每个设备不断泄漏任意自适应选择的谓词其各自的状态。由于泄漏是连续的,每个设备也必须不断地更新它的状态,这样攻击者就不能一次完全泄漏一个比特。在我们的模型中,设备单独异步地更新它们的状态,它们之间没有任何通信。更新过程必然是随机的,其随机性也可能泄漏。作为我们的主要结果,我们为两个设备构建了一个共享方案,其中每个设备的内部状态的恒定部分可以在更新之间和更新期间泄漏。我们的方案具有公钥加密的结构,其中一个共享是密钥,另一个共享是密文。作为独立兴趣的贡献,我们还在Brakerski等人和Dodis等人(FOCS '10)引入的连续泄漏模型中获得了公钥加密。该方案允许密钥和更新的持续泄漏,并简化了最近的Lewko, Lewko和Waters (STOC '11)的构建。对于我们的主要结果,我们展示了如何更新加密方案的密文,以便即使攻击者在秘密密钥和密文共享上穿插泄漏,消息也保持隐藏。该方案的安全性是基于对素阶双线性群的线性假设。我们还提供了一种扩展,以实现跨许多设备的线性秘密共享方案的一般访问结构。这种扩展的主要优点是,一些设备的状态可以完全受损,而所有剩余设备的状态都容易受到持续泄漏的影响。最后,我们证明了在我们的模型中信息理论共享方案的不可能性,其中连续泄漏设备单独更新其状态。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信