Paper 2017/1052

Early Detection and Analysis of Leakage Abuse Vulnerabilities

Charles V. Wright and David Pouliot

Abstract

In order to be useful in the real world, efficient cryptographic constructions often reveal, or "leak," more information about their plaintext than one might desire. Up until now, the approach for addressing leakage when proposing a new cryptographic construction has focused entirely on qualifying exactly what information is leaked. Unfortunately there has been no way to predict what the real-world impact of that leakage will be. In this paper, we argue in favor of an analytical approach for quantifying the vulnerability of leaky cryptographic constructions against attacks that use leakage to recover the plaintext or other sensitive information. In contrast to the previous empirical and ad-hoc approach for identifying and assessing such vulnerabilities, analytical techniques can be integrated much earlier in the design lifecycle of a new construction, and the results of the analysis apply much more broadly across many different kinds of data. We applied the proposed framework to evaluate the leakage profiles of five recent constructions for deterministic and order-revealing encryption. Our analysis discovered powerful attacks against every construction that we analyzed, and with only one possible exception, the attack allows the adversary to recover virtually any plaintext with only an exponentially small probability of error. We hope that these results, together with the proposed analytical framework, will help spur the development of new efficient constructions with improved leakage profiles that meaningfully limit the power of leakage abuse attacks in the real world.

Metadata
Available format(s): PDF
Category: Applications
Publication info: Preprint. MINOR revision.
Keywords: cryptanalysis, efficiently searchable encryption, encrypted databases
Contact author(s): cvwright @ cs pdx edu
History: 2017-10-31: received
Short URL: https://ia.cr/2017/1052
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2017/1052,
      author = {Charles V. Wright and David Pouliot},
      title = {Early Detection and Analysis of Leakage Abuse Vulnerabilities},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1052},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/1052}},
      url = {https://eprint.iacr.org/2017/1052}
}