Simultaneous Hardcore Bits and Cryptography Against Freezing Attacks

This paper considers two questions in cryptography. 1. Simultaneous Hardcore Bits. Let f be a one-way function. We say that a block of bits of x are simultaneously hard-core for f(x) if given f(x), they cannot be distinguished from a random string of the same length. Although there are many examples of (candidate) one-way functions with one hardcore bit (or even O(log n) simultaneously hardcore bits), there are very few examples of oneway functions (and even fewer examples of trapdoor one-way functions) for which a linear number of the input bits are simultaneously hardcore. We show that for the lattice-based (injective) trapdoor function recently proposed by Gentry, Peikert and Vaikuntanathan (STOC 2008), which is in turn based on the one-way function of Regev (STOC 2005), an n− o(n) number of input bits are simultaneously hardcore (where n is the total number of input bits). 2. Cryptography Against Memory-Freezing Attacks. The absolute privacy of the secret keys associated with cryptographic algorithms has been the corner-stone of modern cryptography. Still, it has been clear that in practice keys do get compromised at times, by various means. In a particularly devastating side-channel attack, termed the “freezing attack” which was proposed recently, a significant fraction of the bits of the secret key can be measured if the secret key is ever stored in the part of memory which can be accessed (even after power has been turned off for a short amount of time). Such an attack has been shown to completely compromise the security of various cryptosystems, including the RSA cryptosystem and variants. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against freezing attacks where the adversary can measure a large fraction of the bits of the secretkey. This is done without increasing the size of the secret key, or by introducing any complication of the natural encryption and decryption routines. Although seemingly completely different, these two problems turn out to be very similar: in particular, our results demonstrate that the proof techniques that can be used to solve both these problems are intimately related. ∗Institute of Advanced Study, Princeton, NJ and DIMACS, Rutgers. EMAIL: [email protected] †MIT and Weizmann Institute. Supported in part by NSF grants CCF-0514167, CCF-0635297, NSF-0729011 and the Israel Science Foundation 700/08. EMAIL: [email protected] ‡MIT and IBM Research. Supported in part by NSF grants CCF-0635297 and Israel Science Foundation 700/08. EMAIL: [email protected]