**Protecting Circuits from Computationally Bounded and Noisy Leakage **

*Sebastian Faust and Tal Rabin and Leonid Reyzin and Eran Tromer and Vinod Vaikuntanathan*

**Abstract: **Physical computational devices leak side-channel information that may, and often does, reveal secret internal states. We present a general transformation that compiles any circuit into a circuit with the same functionality but resilience against well-defined classes of leakage. Our construction requires a small, stateless and computation-independent leak-proof component that draws random elements from a fixed distribution. In essence, we reduce the problem of shielding arbitrarily complex circuits to the problem of shielding a single, simple component.

Our approach is based on modeling the adversary as a powerful observer that inspects the device via a limited measurement apparatus. We allow the apparatus to access all the bits of the computation (except those inside the leak-proof component), and the amount of leaked information to grow unbounded over time. However, we assume that the apparatus is limited in the amount of output bits per iteration and the ability to decode certain linear encodings. While our results apply in general to such leakage classes, in particular, we obtain security against:

- Constant-depth circuits leakage, where the leakage function is computed by an AC^0 circuit (composed of NOT gates and unbounded fan-in AND and OR gates).

- Noisy leakage, where the leakage function reveals all the bits of the internal state of the circuit, perturbed by independent binomial noise. Namely, for some number p \in (0,1/2], each bit of the computation is flipped with probability p, and remains unchanged with probability 1-p.

**Category / Keywords: **foundations / side channel, leakage resilience, models

**Publication Info: **Preliminary version appears in Eurocrypt 2010

**Date: **received 31 Jul 2009, last revised 16 Nov 2012

**Contact author: **reyzin at cs bu edu

**Available format(s): **PDF | BibTeX Citation

**Note: **The previous version was from before the computationally bounded and noisy cases were merged. This version has substantial revisions since Eurocrypt 2010.

**Version: **20121117:031350 (All versions of this report)

**Short URL: **ia.cr/2009/379

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]