Paper 2024/332

Leakage-Tolerant Circuits

Yuval Ishai, Technion – Israel Institute of Technology
Yifan Song, Institute for Theoretical Computer Science, Institute for Interdisciplinary Information Sciences, Tsinghua University, Shanghai Qi Zhi Institute
Abstract

A leakage-resilient circuit for $f:\{0,1\}^n\to\{0,1\}^m$ is a randomized Boolean circuit $C$ mapping a randomized encoding of an input $x$ to an encoding of $y=f(x)$, such that applying any leakage function $L\in \cal L$ to the wires of $C$ reveals essentially nothing about $x$. A leakage-tolerant circuit achieves the stronger guarantee that even when $x$ and $y$ are not protected by any encoding, the output of $L$ can be simulated by applying some $L'\in \cal L$ to $x$ and $y$ alone. Thus, $C$ is as secure as an ideal hardware implementation of $f$ with respect to leakage from $\cal L$. Leakage-resilient circuits were constructed for low-complexity classes $\cal L$, including (length-$t$ output) $\mathcal{AC}0$ functions, parities, and functions with bounded communication complexity. In contrast, leakage-tolerant circuits were only known for the simple case of probing leakage, where $L$ outputs the values of $t$ wires in $C$. We initiate a systematic study of leakage-tolerant circuits for natural classes $\cal L$ of global leakage functions, obtaining the following main results. Leakage-tolerant circuits for depth-1 leakage. Every circuit $C_f$ for $f$ can be efficiently compiled into an $\cal L$-tolerant circuit $C$ for $f$, where $\cal L$ includes all leakage functions $L$ that output either $t$ parities or $t$ disjunctions (alternatively, conjunctions) of any number of wires or their negations. In the case of parities, our simulator runs in $2^{O(t)}$ time. We provide partial evidence that this may be inherent. Application to stateful leakage-resilient circuits. Using a general transformation from leakage-tolerant circuits, we obtain the first construction of stateful $t$-leakage-resilient circuits that tolerate a continuous parity leakage, and the first such construction for disjunction/conjunction leakage in which the circuit size grows sub-quadratically with $t$. Interestingly, here we can obtain $\mathtt{poly}(t)$-time simulation even in the case of parities.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in EUROCRYPT 2024
Keywords
Leakage ToleranceLeakage Resilience
Contact author(s)
yuvali @ cs technion ac il
yfsong @ mail tsinghua edu cn
History
2024-02-27: approved
2024-02-26: received
See all versions
Short URL
https://ia.cr/2024/332
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/332,
      author = {Yuval Ishai and Yifan Song},
      title = {Leakage-Tolerant Circuits},
      howpublished = {Cryptology ePrint Archive, Paper 2024/332},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/332}},
      url = {https://eprint.iacr.org/2024/332}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.