Paper 2013/124
Tamper Resilient Cryptography Without Self-Destruct
Ivan Damgaard, Sebastian Faust, Pratyay Mukherjee, and Daniele Venturi
Abstract
We initiate a general study of schemes resilient to both tampering and leakage attacks. Tampering attacks are powerful cryptanalytic attacks where an adversary can change the secret state and observe the effect of such changes at the output. Our contributions are outlined below:

(1) We propose a general construction showing that any cryptographic primitive where the secret key can be chosen as a uniformly random string can be made secure against bounded tampering and leakage. This holds in a restricted model where the tampering functions must be chosen from a set of bounded size after the public parameters have been sampled. Our result covers pseudorandom functions, and many encryption and signature schemes.

(2) We show that standard ID and signature schemes constructed from a large class of Sigma-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover's state a bounded number of times and/or obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.

(3) We show a bounded tamper and leakage resilient CCA secure public key cryptosystem based on the DDH assumption. We first define a weaker CPA-like security notion that we can instantiate based on DDH, and then we give a general compiler that yields CCA-security with tamper and leakage resilience. This requires a public tamper-proof common reference string.

(4) Finally, we explain how to boost bounded tampering and leakage resilience (as in 2. and 3. above) to continuous tampering and leakage resilience, in the so-called floppy model where each user has a personal floppy (containing leak- and tamper-free information) which can be used to refresh the secret key (note that if the key is not updated, continuous tamper resilience is known to be impossible).

For the case of ID schemes, we also show that if the underlying protocol is secure in the bounded retrieval model, then our compiler remains secure, even if the adversary can tamper with the computation performed by the device. In some earlier work, the implementation of the tamper resilient primitive was assumed to be aware of the possibility of tampering, in that it would switch to a special mode and, e.g., self-destruct if tampering was detected. None of our results require this assumption.
Metadata
Available format(s): withdrawn
Category: Foundations
Publication info: Preprint. MINOR revision.
Keywords: tamper resilience, general compiler, provable security
Contact author(s): sebastian faust @ gmail com
History:
 2013-10-08: withdrawn
 2013-03-05: received
Short URL: https://ia.cr/2013/124
License: CC BY