Fully Leakage-Resilient Codes

Fully Leakage-Resilient Codes

Antonio Faonio1and Jesper Buus Nielsen1

Aarhus University?

Abstract. Leakage resilient codes (LRCs) are probabilistic encoding schemes that guarantee message hiding even under some bounded leakage on the codeword. We introduce the notion offullyleakage resilient codes (FLRCs), where the adversary can leakλ0bits from the encoding process, namely, the message and the

ran-domness involved during the encoding process. In addition the adversary can as usual leak from the codeword. We give a simulation-based definition requiring that the adversary’s leakage from the encoding process and the codeword can be simulated given justλ0 bits of leakage from the message. Forλ0 = 0our new

simulation-based notion is equivalent to the usual game-simulation-based definition. A FLRC would be interesting in its own right and would be useful in building other leakage-resilient primitives in a composable manner. Unfortunately, we give a fairly general impossibility result for FLRCs in the popular split-state model, where the codeword is broken into independent parts and where the leakage occurs independently on the parts. We show that if the leakage is allowed to be any poly-time function of the secret and if collision-resistant hash functions exist, then there is no FLRC for the split-state model. The result holds when the message length is at least linear in the security parameter. We can extend the impossibility result to FLRCs with constant-length messages under assumptions related to differing-input obfuscation. These results show that it is highly unlikely that we can build FLRCs for the split-state model when the leakage can be any poly-time function of the secret state. We then give two feasibility results for weaker models. First, we show that forNC0-bounded leakage from the randomness and arbitrary poly-time leakage from the parts of the codeword the inner-product construction proposed by Daví et al.(SCN’10) and successively improved by Dziembowski and Faust (ASIACRYPT’11) is a FLRC for the split-state model. Second, we provide a compiler from any LRC to a FLRC in thecommon reference string modelwhere the leakage on the encoding comes from a fixed leakage family of small cardinality. In particular, this compiler applies to the split-state model but also to other models.

Keywords. leakage-resilient cryptography, impossibility, fully-leakage resilience, simulation-based def-inition, feasibility results

1 Introduction

Leakage-resilient codes (LRCs) (also known as leakage-resilient storages) allow to store safely a secret information in a physical memory that may leak some side-channel information. Since their introduction (see Davìet al.[DDV10]) they have found many applications either by their own or as building blocks for other leakage and tamper resilient primitives. To mention some, Dziembowski and Faust [DF11] proposed an efficient and continuous resilient identification scheme and a continuous leakage-resilient CCA2 cryptosystem, while Andrychowiczet al.[AMP15] proposed a practical leakage-resilient LPN-based version of the Lapin protocol (see Heyseet al.[HKL+12]) both relying on LRCs based on the inner-product extractor. LRC found many applications also in the context of non-malleable codes (see Dziembowskiet al.[DPW10]), which, roughly speaking, can be seen as their tamper-resilience counter-part. Faustet al.[FMVW14] showed a non-malleable code based on LRC, Aggarwalet al.[ADKO15] proposed a construction of leakage and tamper resilient code and Faustet al.[FMNV14] showed con-tinuous non-malleable codes based on LRC [FMNV14] (see also Jafargholi and Wichs [JW15]).

The security requirement of LRC states that given two messages, arbitrarily but bounded length leakage on the encoding of them is indistinguishable. Ideally, a good LRC should be resilient to a leakage that can be much longer than the size of the message protected, however, to get such strong guarantee some restriction on the class of leakage allowed must be set. Intuitively, any scheme where the adversary can compute the decoding function as leakage cannot be secure. A way to fix this problem is to consider

?

randomly chosen LRCs. As showed in [DDV10], and successively improved in [FMVW14,JW15], for any fixed set of leakage functions, there exists a family of efficiently computable codes such that with high probability a code from this family is leakage resilient. From a cryptographic prospective, the results known in this direction can be interpreted as being in the “common reference string” model, where the leakage class is set and, then, the LRC is sampled.

Another way, more relevant for our paper, is to consider the split-state model [DP08,HL11] where the message is encoded in two (or more) codewords and the leakage happens adaptively but independently from each codewords, thus the decoding function cannot automatically be part of the allowed leakage, which opens the possibility of constructing a LRC.

It is easy to see that the encoding algorithm must be randomized, otherwise two fixed messages can be easily distinguished. However, the security of LRC does not give any guarantee when there is leakage from the randomness used in the encoding process. In other words, while the encoded message can be stored in a leaky device the encoding must be executed in a completely leak-free environment. A stronger flavour of security where we allow leakage from the encoding process is usually calledfully leakage resilience.

1.1 Our Contributions

We generalize the notion of LRC to the setting of fully leakage resilience. Roughly speaking, a fully leakage-resilient code (FLRC) hides information about the secret message even when the adversary leaked information during the encoding process. Our contributions can be summarized as follow:

1. We provide a simulation-based definition of fully leakage-resilient codes. The definition postulates that for any adversary leakingλ0bit from the encoding process andλ1bits from the codewords there

exists a simulator which provide a view that is indistinguishable. Our definition is, in some sense, the minimal one suitable for the fully leakage resilience setting. As a sanity check, we show that our new notion is implied by the indistinguishability-based definition of [DDV10] forλ0= 0.

2. We show that there does not exist an efficient coding scheme in the split-state model that is a fully leakage resilient code if the leakage function is allowed to be any poly-time function. Our result holds for coding schemes where the messages length are at least linear in the security parameter and under the sole assumption that collision-resistant hash functions exist. We can generalize the impossibility result to the case of constant-length messages under the much stronger assumption that differing-input obfuscation exists (see [ABG+13,BCP14]).

3. We provide two feasibility results for weaker models. We show that, if the leakage from the random-ness is computable by bounded-depth constant fan-in circuits (i.e. NC0-computable leakage), the inner-product extractor LRC of [DDV10] is fully leakage resilient. We show a compiler from any LRC to a fully leakage resilient code in the common reference string model for any fixed leakage-from-the-encoding family of small cardinality.

Simulation-based Security. Consider the naive fully leakage-resilient extension of the indistinguish-ability-based security definition of LRC. Roughly speaking, the adversary plays against a challenger and it can leakλ0 >0bits from a random stringω←${0,1}∗, successively the adversary sends to the challenger two messagesm0, m1, the challenger chooses a random bit band encodes the messagemb

using the randomnessω. After this, the adversary gets access to leakage from the codewords. We show an easy attack on this definition. The attacker can compute, via leakage function on the randomness, the encoding of bothm0 andm1 and find a coordinate in which the two codewords differ, successively, by

leaking from the codeword only one bit, it can check whetherm0orm1 has been encoded.

the challenge generation, as shown for many other cryptographic primitive, gives to the adversary too much power.

Following theleakage-tolerant paradigm introduced by Bitanskyet al.[BCH12], we instead con-sider a simulation-based notion of security. The definition postulates that for any adversary leakingλ0

bits from the encoding process andλ1 bits from the codewords there exists a simulator which provide

a view that is indistinguishable. Namely, the adversary chooses one input message and forwards it to the challenger of the security game. After that the adversary can, sequentially, leak from the encoding process and from the codeword. The job of the simulator is to produce an indistinguishable view of the leakage oracles to the adversary, given only leakage oracle access to the message. It is not hard to see that, without any help, the task would be impossible. Since an adversary could in particular leak bits of the input message, if the input message is randomly chosen the simulator trivially cannot provide an indistinguishable view. The simulator can leak up toλ0(1 +γ)bits from the message for a “slack

param-eter”γ >0. The idea is that some information about the encoded message can unavoidably leak from the encoding process, however the amount of information about the message, even after have seen the leakage on the codeword, does not exceed to much the bound on the leakage on the encoding process. The slack parameter is often considered as a reasonable weakening of the model in the context of fully leakage resilience (see for example [GJS11,FNV14,HL11,NVZ14]), we include it in our model to make the impossibility results stronger. For the feasibility results we will instead ignore it.

The impossibility results. We give an impossibility result for FLRCs in the split-state model. Recall that, in the split state model, the codeword is divided in two parts which are stored in two independent leaky devices. Each leakage query can be any poly-time function of the data stored in one of the parts.

Here we give the intuition behind the attacker. For simplicity let us set the slack parameterγequal to 0. In our attack we leak from the encoding process a hash of each of the two parts of the codeword. The leakage function takes the message and the randomness, runs the encoding algorithm to compute the two partsLandR(the left part and the right part) and leaks two hash valueshl=h(L)andhr =h(R).

Then we use a succinct argument of knowledge systems to also leak an argument of knowledge of pre-imagesLandRofhlandhrfor which it holds that(L, R)decodes tom. Letλ0be the length of the two

hashes and the succinct argument. After this the message can be encoded. The adversary uses its access to leak fromLto leak, in sequence, several succinct arguments of knowledge ofLsuch thathl=h(L).

Similarly the adversary uses its access to leak fromRto leak, in sequence, several succinct arguments of knowledge ofRsuch thathr =h(R). By settingλ1λ0we can within the leakage boundλ1onLand

Rleak17λ0succinct arguments of knowledge ofLandR. If the code is secure there exists a simulator

which can simulate the leakage ofhlandhrand all the arguments given at mostλ0bits of leakage onm.

Since the arguments are accepting in the real world and the simulator is assumed to be good it follows that the simulated arguments are accepting too with probability close to1. Since the simulator has access to onlyλ0bits of leakage onmit follows that for one of the17λ0simulated arguments produced by the

simulator it uses the leakage oracle onmwith probability at most1₄. This means that with probability 3₄ the simulator is not even using the leakage oracle to simulate this argument, so if we remove the access to leakage frommthe argument will still be acceptable with probability close to 3₄. Hence if the argument systems has knowledge error just 1₂ we can extractLfrom this argument with probability close to 1₄. Similarly we can extract from one of the arguments of knowledge ofR the valueR with probability close to 1₄. By collision resistance and soundness of the first argument leaked from the encoding process it follows that(L, R) decodes tom. This means that we can extract from the simulator the message

mwith probability negligibly close to ₁₆1 while using onlyλ0 bits of leakage onm. Ifmis uniformly

random and justλ0 + 6bits long, this is a contradiction, as there is 6bits on min-entropy onm after

leakingλ0bits onmand hencemcannot be guessed with probability better than2−6.

an impossibility result for certain flavors of leakage-resilient zero-knowledge proof systems. The way we apply this type of argument here is novel. It is in particular a new idea to use many arguments of knowledge in sequence to sufficient restrict the simulators ability to leak from its leakage oracle in one of the proofs.

The proposed attack needs to leak at least a collision resistant hash function of the codeword. On the other hand, the definition of FLR makes sense only when the leakage parameterλ0is strictly smaller than

the size of the message, therefore the length of the message needs to be super-logarithmic in the security parameter. Thus the technique cannot be used directly to give an impossibility result for constant-length message FLRC. We can overcome this problem relying on the concept of Predictable ZAP (PZAP) recently proposed by Faonioet al.[FNV15]. A PZAP is an extremely succinct 2-message argument of knowledge where the prover can first see the challenge from the verifier and then decide the instance. This allows the attacker to implement the first check by just leaking a constant-length argument that the hashes of the two parts of the codeword are well formed (without actually leaking the hash values) and then, successively, leak the hash values from the codeword and check the validity of the argument. PZAP are shown to imply extractable witness encryption (see Boyleet al.[BCP14]) and therefore the “implausibility” result of Garget al.[GGHW14] applies. We interpret our second impossibility result as an evidence that constant-length FLRC are hard to construct as such a code would not only make diO implausible, but it would prove diOimpossibleunder the only assumption that collision-resistant hash functions exists.

The feasibility results. The ability to leak collision resistant hash functions of the randomness is nec-essary for the impossibility result. The natural question that follows is: If we restrict the leakage class so that no collision resistance hash function can be computed as leakage on the randomness, can we find a coding scheme that is fully leakage resilient? We answer this question affirmatively. We consider the classNC0 of constant-depth constant fan-in circuits and we show that the LRC based on the inner-product extractor (and more general LRCs where there is anNC0function that maps the randomness to the codeword) are fully leakage resilient. The intuition is thatNC0 leakage is not powerful enough to break all the “independence” between the two parts of the codeword. Technically, we are able to cast every leakage query on the randomness into two slightly bigger and independent leakage queries on the two parts of the codeword. Notice that collision resistant hash functions cannot be computed by NC0

circuits. This is necessary. In fact, proving a similar result for a bigger complexity class automatically implies a lower bound on the complexity of computing either a collision resistant hash function or an argument of knowledge. Intuitively, this provides a strong evidence that is hard to construct FLRC even for bounded classes of leakage.

Another important property that we exploit in the impossibility result is that, given access to the leakage oracle on the randomness, we can compute the codeword. A second path to avoid the impossi-bility results is to consider weaker models of security where this is not permitted. We point out that the schemes proposed by [DDV10,FMVW14,JW15] in the common reference string model can be easily proved to be fully leakage resilient. Inspired by the above results we provide a compiler that maps any LRC to FLRC for any fixed leakage-from-the-encoding familyF of small cardinality. Notice that the bound is on the cardinality of the leakage class and not on its complexity (in principle, the leakage class could contain collision resistance hash functions).

Technically, we use a result of Trevisan and Vadhan [TV00] which proves that for any fixed leakage classFat-wise independent hash function (the parametertdepends on the cardinality ofF) is a deter-ministic extractor with high probability. The proof mostly follows the template given in [FMVW14].

1.2 Related Work

Cryptographic schemes are designed under the assumption that the adversary cannot learn any informa-tion about the secret key. However, side-channel attacks (see [Koc96,KJJ99,QS01]) have showed that this assumption does not always hold. These attacks have motivated the design of leakage-resilient cryp-tosystems which remain secure even against adversaries that may obtain partial information about the secret state. Starting from the groundbreaking result of Micali and Reyzin [MR04], successively either gradually stronger or different models have been consider (see for example [ADW09,DP08,FRR+10,NS09]). Fully leakage resilient schemes are known for signatures [BSW13,FNV14,MTVY11], zero-knowledge proof system [AGP14,GJS11,Pan14] and multi-party computation protocols [BDL14,BGK14]. Simi-lar concepts of leakage resilient codes have been considered, Liu and Lysyanskaya [LL12] and suc-cessively Aggarwal et al. [ADKO15] constructed leakage and tamper resilient codes while Dodis et al.[DLWW11] constructed continual leakage resilient storage. Simulation-based definitions in the

con-text of leakage-resilient cryptography were also adopted in the case of zero-knowledge proof (see [AGP14,GJS11,Pan14]), public-key encryption (see [HL11]) and signature schemes (see [NVZ14]). As mentioned already, our

proof technique for the impossibility result is inspired by the works of Nielsenet al.[NVZ13] and Ostro-vskyet al.[OPV15], however, part of the analysis diverges, and instead resembles an information theo-retic argument already known in leakage-resilient cryptography (see for example [ADW09,FNV14,KV09]).

In [FMNV15] the authors present a RAM model of computation where a CPU is connected to some constant number of memories, paralleling the split-state model that we use here. The memories and buses are assumed to be leaky, but the CPU is assumed to be leakage free. Besides leakage, the paper also shows how to handle tampering, like moving around codewords in the memories. They show how to use a leakage-resilient and tamper-resilient code to securely compute on this platform. In each step the CPU will read from the disks a number of codewords, decode these, do a computation on the plaintext, re-encode the results and write the codewords back in the memories. One should wonder if it is possible to get a similar result for the more realistic model where there is a little leakage from the CPU? It is clear that if the CPU can leak, then it can also leak from the plaintexts it is working on. This can be handled by having the computation that is done on the plaintexts being leakage resilient in itself. The challenging part is then to show that the leakage from the CPU during re-encoding of the results to be stored in the memories can be simulated given just a little leakage on the results themeselves. This would in particular require that the code is fully leakage-resilient in the sense we define in this paper. Our negative results therefore do not bode well for this proof strategy. On the other hand, our positive results open up the possibility of tolerating some simple leakage from the CPU or getting a result for weaker models, like the random oracle model. Note, however, that the code would have to be tamper-resilient in addition to being fully leakage resilient, so there still seem to be significant obstacles towards proving such a result.

1.3 Roadmap

2 Preliminaries

2.1 Notation and Probability Preliminaries

We letNdenote the naturals andRdenote the reals. Fora, b∈R, we let[a, b] ={x∈R : a≤x≤b}; for a ∈ Nwe let [a] = {1,2, . . . , a}. Ifx is a string, we denote its length by|x|; if X is a set,|X | represents the number of elements inX. Whenxis chosen randomly inX, we writex←$X. WhenAis an algorithm, we writey← A(x)to denote a run ofAon inputxand outputy; ifAis randomized, then

yis a random variable andA(x;r)denotes a run ofAon inputxand randomnessr. An algorithmAis probabilistic polynomial-time(ppt) ifAis allowed to use random choices and for any inputx∈ {0,1}∗

and randomnessr∈ {0,1}∗_{the computation ofA(x;r)terminates in at mostpoly(|x|)steps.}

Let κ be a security parameter. A function negl is called negligible inκ (or simply negligible) if it vanishes faster than the inverse of any polynomial in κ. For a relation R ⊆ {0,1}∗ × {0,1}∗, the language associated withRisLR={x:∃ws.t.(x, w)∈ R}.

For two ensemblesX ={Xκ}κ∈N,Y ={Yκ}κ∈N, we writeX

c

≈Y, meaning that every

probabilis-tic polynomial-time distinguisherDhas(κ)advantage in distinguishingX andY, i.e., 1₂|Pr[D(X_κ) = 1]−Pr[D(Y_κ) = 1]| ≤(κ)for all sufficiently large values ofκ.

We simply write X ≈ Yc when there exists a negligible functionsuch that X ≈c Y. Similarly,

we writeX ≈Y(statistical indistinguishability), meaning that every unbounded distinguisher has(κ)

advantage in distinguishingX andY.

Given two ensemblesX andY such thatX ≈Y the following holds: 1

2 X

z

Pr[X_κ =z]−Pr[Y_κ =z]

6(κ).

We recall the notion of (average) conditional min-entropy. We adopt the definition given in [ADW09], where the authors generalize the notion of conditional min-entropy tointeractivepredictors that partic-ipate in some randomized experimentE. The conditional min-entropy of random variableXgiven any randomized experimentEis defined as follows:

e

H∞(X|E) = max

B −log Pr[B()

E_=X]

,

where the maximum is taken over all predictors without any requirement on efficiency. Note that w.l.o.g. the predictor Bis deterministic, in fact, we can de-randomize Bby hardwiring the random coins that maximize its outcome. Sometimes we writeHe∞(X|Y)for a random variableY, in this case we mean the average conditional min-entropy ofX given the random experiment that givesY as input to the predictor.

Given a stringX∈ {0,1}∗_{and a valueλ∈}

Nlet the oracleOXλ (·)bethe leakage oraclethat accepts

as input functionsf1, f2, . . . defined as circuits and outputsf1(X), f2(X), . . . under the restriction that P

i|fi(X)|6λ.

We recall here a lemma of Alwenet al.[ADW09] that we make use of.

Lemma 1. For any random variableXand for any experimentEwith oracle access toOX

λ (·), consider

the experimentE0which is the same asEexcept that the predictor does not have oracle access toOX λ (·).

ThenHe∞(X|E)>He∞(X|E0)−λ.

We recall a lemma from Bellare and Rompel [BR94].

Lemma 2. Lett>4be an even integer. SupposeX1, . . . , Xnaret-wise independent random variables

taking values in[0,1]. LetX := P

iXi and defineµ := E[X]to be the expectation of the sum. Then,

for anyA >0,Pr[|X−µ|_>A]68tµ+t_A22

t/2

2.2 Cryptographic Primitives

Arguments of Knowledge. Our results are based on the existence of round-efficient interactive argu-ment systems. We follow some of the notation of Wee [Wee05]. The knowledge soundness definition is taken from [OPV15]. A public-coin argument system(P(w), V)(x)with round complexityρ(κ)is fully described by the tuple ofpptalgorithms(Prove,Judge)where:

- V on inputxsamples uniformly random stringsy1, . . . , yρ(κ)←${0,1}κ,Pon inputsx, wsamples

uniformly random stringrP ←${0,1}κ.

- For anyi∈[ρ(κ)],V sends the messageyiandPreplies with the messagexi :=Prove(x, w, y1, . . . , yi;rP).

- The verifierV executesj:=Judge x, y1, . . . , yρ(κ), x1, . . . , xρ(κ)

and accepts ifj= 1.

Definition 1 (Argument of knowledge).An interactive protocol(P, V)is an argument of knowledge for a languageLif there is a relationRsuch thatL = LR := {x|∃w : (x, w) ∈ R}, and functions

ν, s:N→[0,1]such that1−ν(κ)> s(κ) + 1/poly(κ)and the following conditions hold.

- (Efficiency): The length of all the exchanged messages is polynomially bounded, and bothP andV

are computable in probabilistic polynomial time;

- (Completeness): If(x, w)∈ R, thenV accepts in(P(w), V)(x)with probability at least1−ν(|x|). - (Knowledge Soundness): For everypptprover strategyP∗, there exists an expected polynomial-time algorithmK(called the knowledge extractor) such that for everyx, z, r ∈ {0,1}∗ if we denote by

p∗(x, z, r)the probability thatV accepts in(P(z;r), V)(x), thenp∗(x, z, r)> s(|x|)implies that

Pr[K(P∗, x, z, r)∈ R(x)]>p∗(x, z, r)−s(|x|).

The value ν(·) is called the completeness errorand the value s(·) is called theknowledge error. We say (P, V) has perfect completeness if ν = 0. The communication complexity of the argument sys-tem is the total length of all messages exchanged during an execution; the round complexity is the total number of exchanged messages. We writeAoKν,s(ρ(κ), λ(κ))to denote interactive argument on

knowledge systems with completeness errorν, knowledge errors, round-complexityρ(κ)and commu-nication complexity λ(κ). Sometimes we also writeλ(κ) = λP(κ) +λV(κ) to differentiate between

the communication complexity of the prover and of the verifier. We say (P, V)is succinctif λ(κ) is poly-logarithmic in the length of the witness and the statement being proven.

Instantiations. Kilian [Kil92] constructs a 4-round public-coin succinct argument of knowledge for

NPbased on a probabilistically checkable proof (PCP) system forNPand a collision-resistant function ensemble. Gentry and Wichs [GW11] prove that non-interactive succinct arguments, so called SNARGs, cannot exist given a black-box reduction to any falsifiable assumption. In fact, the only constructions of SNARGs we know of are either based on the random oracle model of Bellare and Rogaway [BR93] (as shows Micali [Mic00] by applying the Fiat-Shamir transform [FS86] to Kilian’s protocol) or under so-called “knowledge of exponent” assumptions [BCCT12] or under so-called “extractable collision-resistant hash functions” [BCC+14].

We remark that for our results interactive arguments are sufficient; in particular our theorems can be based on the assumption that collision-resistant function ensembles exist.

- V samples(c, tp)←$Chall(1κ)and sendsctoP.

(Notice that the generated tuple is independent of the instance.) - P samplesa←$Resp(1κ, x, w, c)and sendsatoV.

- V computesb:=Predict(tp, x)and accepts ifa=b, else rejects.

Roughly speaking, the adaptive knowledge-soundness of a Predictable ZAP postulates that the malicious prover can selects instances adaptively as function of the challengec. The knowledge property states that for any adversary succeeding in the experiment with some non-trivial probability, there exists a knowledge extractor that outputs valid witnesses for the instances produced by the malicious prover with roughly the same probability. We give the security definition in Appendix B.

Collision Resistant Hash Functions. Let(GenCRH,EvalCRH)be a tuple ofpptalgorithms such that upon input1κ _{the algorithmGenoutputs an evaluation keyhand upon inputshand a stringx ∈ {0,1}}∗ _the deterministic algorithmEvalCRHoutputs a stringy ∈ {0,1}`CRH(κ)_{. We shorten the notation by writing}

h(x)forEvalCRH(h, x).

Definition 2. A tuple(EvalCRH,GenCRH)is a collision-resistant hash function (family) with output length

`CRH(κ)if for any non-uniform polynomial time collision-finder adversaryBcollthere exists a negligible

functionneglsuch that the following holds:

Pr h←$GenCRH₍₁κ₎

h(x0) =h(x1)∧x0 =6 x1|(x0, x1) :=Bcoll(h)

<negl(κ).

For simplicity we consider the model of non-uniform polynomial time adversaries. Note, however, that our results hold also if we consider the modelpptadversaries.

3 Definition

In this section we give the definition of Fully Leakage Resilient Codes. The definition given is special-ized for the 2-split-state model, we adopt this definition instead of a more general one for simplicity. The results given in Section 4 can be adapted to hold for the more generalk-split model (see Remark 1). LRCs of [DDV10,FMNV14,JW15] in the common reference string model can be proved fully-leakage resilience (see Section 5). Therefore the syntax given allows the scheme to depends on a common refer-ence string to include the scheme of [LL12].

An(α, β)-split-coding scheme is a tupleΣ = (Gen,Enc,Dec)ofpptalgorithms with the following syntax:

- Genon input1κoutputs a common reference stringcrs.

- Encon inputscrsand a messagem∈ M_κ outputs a tuple(L, R)∈ C_κ× C_κ;

- Dec is a deterministic algorithm that on inputscrs and a codeword (L, R) ∈ Cκ × Cκ decodes to

m0 ∈ M_κ.

HereMκ ={0,1}α(κ),Cκ ={0,1}β(κ)and the randomness space ofEncisRk={0,1}p(κ)for a fixed

polynomialp.

A split-coding scheme is correct if for anyκand anym∈ M_κwe havePrcrs,re[Dec(crs,Enc(crs, m;re)) =

m] = 1. In what follows, whenever it is clear from the context, we will omit the security parameterκso we will writeα, βinstead ofα(κ), β(κ), etc.

Given an(α, β)-split-coding schemeΣ, for anyA= (A0,A1)and any functionλ0, λ1letRealλA0,Σ,λ1(κ)

be the following experiment:

Sampling Phase. The experiment runs the adversary A₀ on input crs←$Gen(1κ) and randomness

rA←${0,1}p(κ) for a polynomial p that bounds the running time of A₀. The adversary outputs a messagem ∈ M_κ and a state valuest. The experiment samplesω←$R_κand instantiates a leakage oracleOω_λkm

Encoding Phase. The experiment runs the adversaryA₁on inputstandcrs. Moreover, the experiment sets an indexi:= 0.

- Upon query(rand, f) from the adversary where f is the description of a function with domain

Rκ× Mκ, the experiment setsi:=i+ 1, computeslkiω :=O ωkm

λ0 (f)and returns the value to the adversary.

- Eventually, the adversary notifies the experiment by sending the messageencode.

The message is encoded, namely the experiment defines(L, R) :=Enc(crs, m;ω)and instantiates the oraclesOL

λ1,O

R

λ1. Moreover, the experiment sets two indexesl:= 0andr:= 0.

- Upon query(L, f)from the adversary wheref is the description of a function with domainCκ, the

experiment setsl:=l+ 1, computeslkl_L:=OL

λ1(f)and returns the value to the adversary. - Upon query(R, f)from the adversary wheref is the description of a function with domainC_κ, the

experiment setsr :=r+ 1, computeslkr_R:=OR

λ1(f)and returns the value to the adversary.

By overloading the notation, we letRealλ0,λ1

A,Σ be also the tuple of random variables that describes the

view ofAin the experiment:

Realλ0,λ1 A,Σ :=



  

rA,crs,

lkω:= (lk1_ω,lk2_ω, . . . ,lki_ω),

lkL:= (lk1_L,lk2_L, . . . ,lkl_L),

lkR:= (lk1R,lk2R, . . . ,lkrR) 

  

,

Given an adversaryA = (A0,A1), a simulatorS and a slack parameterγ(κ) such that0 6 γ(κ) < α(κ)

λ0(κ)−1letIdeal

λ0,λ1

A,S,γ(κ)be the following experiment:

Sampling Phase. The experiment runs the adversary A0 on input crs←$Gen(1κ) and randomness

rA←${0,1}p(κ) for a polynomial p that bounds the running time of A₀. The adversary outputs a messagem∈ Mκand a state valuest. The experiment instantiates an oracleOm_λ0·(1+γ).

Encoding Phase. The experiment runs the adversaryA1 on input standcrs, and the simulator S on

inputcrs.

- Upon query(X, f)from the adversary whereX ∈ {rand,L,R}the experiment forwards the query to the simulatorSwhich returns an answer to the adversary.

- Upon query(msg, f)from the simulator the experiment computeslkm :=Om

λ0·(1+γ)(f)and returns an answer to the simulator.

As we did withRealλ0,λ1

A,Σ we denote withIdeal λ0,λ1

A,S,γalso the tuple of random variables that describe the

view ofAin the experiment. To mark the distinction between the real experiment and ideal experiment we upper script the “simulated” components of the ideal experiment with a tilde, namely:

Idealλ0,λ1

A,S,γ = rA,crs,lke_ω,lke_L,lke_R

Given a class of leakage functionsΛwe say that an adversary isΛ-bounded if it submits only queries

(rand, f)where the functionf ∈Λ.

Definition 3 (Simulation-basedΛ-fully leakage resilient code).An(α, β)-split-coding scheme is said to be(Λ, λ0, λ1, )-FLR-sim-secure with slack parameter06γ < α/λ0−1if for anypptadversaryA

that isΛ-bounded there exists apptsimulatorS:

n

Realλ0,λ1 A,Σ (κ)

o

κ∈N

c

≈nIdealλ0,λ1 A,S,γ(κ)

o

κ∈N .

Definition 4 (Simulation-based fully leakage resilient code).An (α, β)-split-coding scheme is said to be(λ0, λ1, )-FLR-sim-secure with slack parameterγ if it is(P/poly, λ0, λ1, )-FLR-sim-secure with

slack parameterγ. We simply say that a split-coding scheme is(λ0, λ1)-FLR-sim-secure if there exists a

negligible functionnegland a constantγ < α/λ0−1such that the scheme is(λ0, λ1,negl)

-FLR-sim-secure with slack parameterγ.

In Appendix A we recall the game-based definition of [DDV10] and we prove formally that it implies FLR-sim-security forλ0 = 0.

4 Impossibility Results

In this section we show the main result of this paper. Throughout the section we let the class of leakage functions beΛ = P/poly. We prove that(α, β)-split-coding schemes that are(λ0, λ1)-FLR-sim-secure

don’t exist for many interesting parameters ofα, β, λ0andλ1. We start with the caseα(κ) =Ω(κ), the

impossibility results holds under the only assumption that collision resistant hash function exists. For the caseα(κ) = O(1), the impossibility results holds under the stronger assumption that adaptive-secure PAoK exists.

Theorem 1. If public-coinAoK1/2,negl(κ)(O(1), `AoK(κ))forNPand collision-resistant hash functions with output length`CRH(κ)exist then for anyλ0 > `AoK(κ) + 2·`CRH(κ)for anyγ >0and for any

(α, β)-split-coding schemeΣwithα(κ)>λ0(κ)·(1 +γ) +`CRH(κ) + 7and ifλ1(κ)>17λ0(κ)·(1 +

γ)·`AoK(κ)thenΣis not(λ0, λ1)-FLR-sim-secure.

Proof. We first set some necessary notation. Given a random variablex we use the notationx¯ to refer to a possible assignment of the random variable. Let (GenCRH,EvalCRH) be a collision resistant hash function with output length`CRH(κ).

Leakage-aided Prover. LetΠ = (Prove,Judge)be inAoK1/2,negl(κ)(O(1), `AoK(κ))and a public-coin argument system for NP. For concreteness let ρ be the round complexity of the Π. We say that an attacker leaks an argument of knowledge for x ∈ LR fromX ∈ {rand,L,R} if the attacker proceeds with the following sequence of instructions and leakage-oracle queries:

– Letrp be a random string long enough to specify all random choices done by the prover ofΠ. For

j ∈[ρ]do the following:

1. Sample a random stringyj←${0,1}κ; 2. Send the query X,Prove(x,·, y1, . . . , yj;rp)

and letzj be the answer to such query.

– Letπ := y1, . . . , yρ, z1, . . . , zρbe the leaked transcript, compute the valuej := Judge x, π

, if

j = 1we say that the leaked argument of knowledge is accepting.

Consider the adversaryA0 = (A0₀,A0₁)that does the following: 1. Pick a collision resistant hash functionh←GenCRH₍₁κ_);

2. Pickm←$M_κand send it to the challenger; 3. Computeh(m).

This ends the code ofA0

0, formally,A00(1κ)outputsmthat is forwarded to the experiment which

instan-tiates a leakage oracleOm

λ0·(1+γ), alsoA 0

0(1κ)outputs the statest:= (h, h(m)). Here starts the code of A0

1(h, h(m)):

4. Leak Hashed Values.Define the following function:

f0(ωkm) := (h(L), h(R)whereL, R=Enc(crs, m;ω)) ;

5. Leak Argument of Knowledge of Consistency.Consider the following relation:

Rst :=  



(xcrs, xl, xr, xm),(wl, wr) :

h(wl) =xl

h(wr) =xr

h(Dec(ccrs, wl, wr)) =xm  



Leak an argument of knowledge for(crs, hl, hr, h(m))∈ LRst fromrand. Notice that a witness for

the instance can be defined as function of(ωkm). If the leaked argument is not accepting then abort. Letπ0be the leaked transcript.

6. Send the messageencode.

7. Leak Arguments of Knowledge of the Left part.Consider the following relation:

Rhash :=(y, x) :h(x) =y

Letτ := 17λ0·(1 +γ), for alli∈[τ]leak an argument of knowledge forhl ∈ LRhash fromL. If the

leaked argument is not accepting then abort. LetπL_i be the leaked transcript.

8. Leak Arguments of Knowledge of the Right part.For alli∈[τ]leak an argument of knowledge for hr ∈ LRhash from R. If the leaked argument is not accepting then abort. Let π_iRbe the leaked

transcript.

Consider the following randomized experimentE:

– Pick uniformly randomm←$M_κandh←$GenCRH(1κ)and setst= (h, h(m))and forward to the predictor the statest.

– Instantiate an oracleOm

λ0·(1+γ)and give the predictor access to it. Lemma 3. He∞(m |E)>α−`CRH−λ0·(1 +γ).

Proof. Consider the experimentE0which is the same asEexcept that the predictor’s input ish(instead of(h, h(m))). We apply Lemma 1:

e

H∞(m |E)>_He_∞ m |E0

−`CRH.

Consider the experimentE00which is the same asE0except that the predictor’s oracle access toOm λ0·(1+γ) is removed. We apply Lemma 1:

e

H∞ m |E0

>_He_∞ m |E00

−λ0·(1 +γ).

In the last experimentE00 the predictor has no information aboutmand moreoverh is independently chosen with respect tom, therefore:

e

H∞ m |E00= log|M|=α.

u t

Lemma 4. IfΣis(λ0, λ1)-FLR-sim-secure then_He_∞(m|E)66.

Proof. Assume thatΣis an(λ0, λ1, )-FLR-sim-secure split-coding scheme for a negligible function

and a slack parameterγ. SinceA0 ispptthere exists apptsimulatorS0such that:

{Realλ0,λ1 A0_,Σ(κ)}κ

c

≈_(κ){Idealλ0,λ1

A0_,S0_,γ(κ)}κ. (1)

For the sake of the proof we first build a predictor which tries to guessm. We then use this predictor to prove the lemma. LetKbe the extractor given by the knowledge soundness property of the argument of knowledge for the relationRhash_{. Consider the following predictorBthat takes as input(h, h(m))} and has oracle access toOm

1. Pick two random tapesra, rsfor the adversaryA01 and the simulatorS0and run both of them (with

the respective randomnessra, rs) forwarding all the queries fromA01toS0and fromS0toOmλ0·(1+γ). (The adversaryA0

1starts by leaking the valueshl, hr and an argument of knowledge for(hl, hr) ∈ LRst. Eventually the adversary sends the messageencode.)

2.L. Extract(hl, L0) ∈ Rhash using the knowledge extractorK.For anyi∈ [τ], letst¯Li be the actual

internal state ofS0 during the above run ofS0andA0₁just before thei-th iteration of step 7 ofA0₁. LetP_leak be a prover ofΠ forRhash _{that upon input the instanceh}

l, randomnessrp and auxiliary

inputst¯L_i does the following: – Run an new instanceS0

i ofS0with the internal state set tost¯ L i .

– Upon messageyjwithj∈[ρ]from the verifier, send toSi0the message(L,Prove(hl,·, y1, . . . , yj), rp).

– Upon message(msg, f0)from the simulatorS0

i reply⊥toSi0.

Notice thatP_leakmakes no leakage oracle queries.

i) If the value L0 is unset, run the knowledge extractor K on the prover PSi0

leak on input hl and auxiliary inputstL_i and proper randomness1. The knowledge extractorKoutputs a valueL0 or aborts. Ifhl =h(L0)then setL0otherwise we say that thei-th extraction aborts.

ii) Keep on runningA00₁andS0as in the simulated experiment until reaching the next iteration. If all the extractions abort, the predictor aborts.

2.R. Extract(hr, R0)∈ Rhashusing the knowledge extractorK.The procedure is the same as step 2.L

of the predictor, for notational completeness let us denote withstR_i the internal state ofS0just before thei-th iteration of step 8.

3. The predictor outputsm0:=Dec(L0, R0)as its own guess.

We compute the probability thatBpredictsmcorrectly. We set up some useful notation:

– LetExtL(resp.ExtR) be the event thatKsuccessfully extracts a valueL0(resp.R0). – LetCohStbe the event{h(Dec(L0, R0)) =h(m)}.

– LetCollbe the event{h(Dec(L0, R0)) =h(m)∧Dec(L0, R0)6=m}..

Recall thatm0 :=Dec(L0, R0)is the guess ofB. We can easily derive that:

Pr

m0=m = Pr

ExtL∧ExtR∧CohSt∧ ¬Coll

(2)

In fact,ExtLandExtRimply thatL0andR0are well defined and the event(CohSt∧ ¬Coll)implies that

Dec(L0, R0) =m.

Claim 1 Pr[ExtL]> 1₄ −negl(κ).

Proof. Consider the execution of step 7 between the adversary and the simulator. Letst¯ = ¯stL₁, . . . ,st¯L_τ ∈ {0,1}∗_{be a fixed observed value of the states ofS}0_{in the different rounds, i.e.,st¯}L

i is the observed state

ofS0just before thei-th iteration in step 7.

We define a probabilityFreeL( ¯stLi)of the simulator not asking a leakage query in roundi, i.e., the

probability that the simulator queries its leakage oracle if run with fresh randomness starting in round

i. We can assume without loss of generality that the randomness rs of the simulator is part of st¯Li .

Therefore the probability is taken over just the randomnessraof the adversary,m,hand the challenges

used in the proof in roundi. Notice that even though it might be fixed inst¯ = ¯stL₁, . . . ,st¯L_τ whether or not the simulator leaked in roundi(this information might be contained in the final statest¯L_τ), the probabilityFreeL( ¯stLi )might not be0or1, as it is the probability that the simulator leaked in roundiif

we would rerun roundiwith fresh randomness of the adversary consistent withst¯L_i .

1

The randomness forPSi0

Now letst¯ = ¯stL₁, . . . ,st¯_τL ∈ {0,1}∗ _{be a fixed observed value of the states ofS}0 _{in the different} rounds. LetGood( ¯st)be a function which is1if

∃i∈[τ] :FreeL( ¯stL_i )> 3

4

and which is0otherwise.2After having definedGood( ¯st)relative to a fixed observed sequence of states, we now apply it to the random variablestdescribing the states ofS0_{in a random run. When applied to} this random variable, we writeGood.

We can use the law of total probability to condition the extraction event to the event{Good= 1}:

Pr[ExtL]>Pr[ExtL|Good= 1]·Pr[Good= 1]. (3)

We will now focus on boundingPr[ExtL|Good= 1]·Pr[Good= 1]. We first boundPr[Good= 1]and

then boundPr[ExtL|Good= 1]. We first prove that

Pr[Good= 1] = 1−negl(κ).

Too see this notice that the simulator by the rules of the experiment never queries its leakage oracle in more thanλ0·(1 +γ)rounds: it is not allowed to leak more thanλ0·(1 +γ)bits and each leakage query

counts as at least one bit. Therefore there are at leastτ−λ0·(1+γ)rounds in which the simulator did not

query its oracle. IfGood= 0, then in each of these rounds the probability of leaking, before the round was executed, was at least 1₄ and hence the probability of not leaking was at most3₄. Setλ0 :=λ·(1 +γ), we can use a union bound to bound the probability of observing this event

Pr[Good= 0]≤

τ τ−λ0

3 4

τ−λ0

≤

τ λ0

2log2(3/4)(τ−λ0)_{. (4)}

We now use that τ = 17λ0 ·(1 + γ) = 17λ0 and that it holds for any constant c ∈ (0,1) that limn→∞ _cnn= 2H2(c)·n, whereH2 is the binary entropy function. We get that

Pr[Good= 0]≤2H2(1/17)17λ0₂log2(3/4)16λ0 _{= (2}H2(1/17)17+log2(3/4)16₎λ0 _<2−λ0 _.

We now boundPr[ExtL|Good= 1]. LetExtL(i)be the event thatKsuccessfully extracts the value

L0 at thei-th iteration of the step 7 of the adversaryA0. LetAccept_L(i)be the event thatPleakon input

hland auxiliary inputstLi gives an accepting proof. It follows from knowledge soundness ofΠthat

PrExtL(i)|Good= 1>PrAccept_L(i)|Good= 1]−1₂ .

LetLeakL(i)be the event that the simulator queries its leakage oracle in roundi. It holds for alli

that

PrAccept_L(i)|Good= 1]≥1−PrLeakL(i)|Good= 1−negl(κ).

To see this assume that P_leak upon message(msg, f0) from S0

i would send to the simulatorf0(ωkm)

instead of ⊥. In that case it gives an acceptable proof with probability 1−negl(κ) as the adversary leaks an acceptable proof in the real world and the simulator simulates the real world up to negligible difference. Furthermore, sending⊥ when the simulator queries its oracle can only make a difference when it actually sends a query, which happens with probabilityPr[LeakL(i)]

Combining the above inequalities we get that

PrExtL(i)|Good= 1>1−PrLeakL(i)Good= 1]−negl(κ)−1₂ . 2

WhenGood= 1there exists some roundi∗such that

FreeL( ¯stL_i∗)>

3 4 ,

which implies that

Pr

ExtL(i∗)|Good= 1

> 3

4−negl(κ)− 1 2 .

ClearlyExtL(i∗)impliesExtL, so we conclude thatPr

ExtL|Good= 1

> 1₄ −negl(κ). Claim 2 Pr[ExtR|ExtL]> 1₄ −negl(κ).

The proof proceeds similar to the proof of the last claim, therefore it is omitted. The reason why the conditionExtL does not matter is that the proof exploits only the knowledge soundness of the proof

system. Whether the extraction of the of the left part succeeded or not does not remove the knowledge soundness of the proofs for the right part, as they are doneafterthe proofs for the left part.

Claim 3 Pr[CohSt|ExtL∧ExtR]> 12−negl(κ).

Proof. We reduce to the collision resistance property ofhand the knowledge soundness of the argument systemΠ. Suppose that

Pr[h(Dec(L0, R0))6=h(m)|ExtL∧ExtR]>1/poly(κ)

Consider the following collision finder adversaryB_coll(h):

1. Sample uniformly randomm←$Mand randomh←$GenCRH(1κ);

2. Run an instance of the predictorBOmλ₀·(1+γ)_{(h, h(m)). The predictor needs oracle access toO}m

λ0·(1+γ) which can be simulated byBcoll(h).

3. LetL0, R0 be as defined by the execution of the predictorBand letra, rsbe the same randomness

picked byBin its step 1. Simulate an execution ofA0₁(h, h(m);ra)andS0(1κ;rs)and break them

just before the adversary leaks an argument of knowledge for Rst_{. Letst}0 _{be the internal state of}

S0(1κ;rs).

LetP0

leakbe a prover forΠfor the relationRstthat upon input the instance(crs, h(L0), h(R0), h(m)) and auxiliary inputz:= (st0, m)does the following:

– Run anS0_{with the internal state set tost}0_{. Sample a random stringr}

plong enough to specify all

random choices done by the prover ofΠ.

– Upon messageyjwithj∈[ρ]from the verifier, send toS0the message(rand,Prove((crs, h(L0), h(R0), h(m)),Enc(crs,·;·), y1, . . . , yj;rp)).

(The next-message function of the prover ofΠthat uses as input the witnessEnc(crs, m;ω)and the internal randomness set torp.)

– Upon message(msg, f0)from the simulatorS0reply forwardingf0(m).

4. Run the knowledge extractorKston the proverP_leak0 on input(crs, h(L0), h(R0), h(m))and auxiliary inputz. LetL00, R00be the witness output by the extractor.

5. IfL06=L00output(L0, L00)else(R0, R00).

It is easy to check thatBcollsimulates perfectly the randomized experimentE. Therefore:

Pr[h(Dec(L0, R0))6=h(m)]> (5)

>Pr[h(Dec(L0, R0))6=h(m)|Ext_L∧ExtR] Pr[ExtL∧ExtR]>

>1/poly(κ)·(₁₆1 −negl(κ))

Combining the latter and the statement of the event in Eq. (5), we haveh(Dec(L0, R0))6=h(m) =

h(Dec(L00, R00))which implies that eitherL00 =6 L0 orR00 6=R0. Lastly, notice thatB_coll is an expected polynomial time algorithm. However we can make it polynomial time by aborting if the number of step exceeds some fixed polynomial. By setting the polynomial big enough the probability ofB_collfinding a collision is still noticeable.

Claim 4 Pr

Coll|CohSt∧ExtL∧ExtR

6negl(κ).

Recall thatCollis the event thath(m) =h(m0)butm6=m0. It can be easily verified that under collision resistance ofhthe claim holds, therefore the proof is omitted.

Summarizing, we have:

Pr[m0=m] = PrExtL∧ExtR∧CohSt∧ ¬Coll

> >(₁₆1 −negl(κ))·(1₂ −negl(κ))·(1−negl(κ))> ₆₄1.

which implies the statement of the lemma.

We conclude the proof of the theorem noticing that, ifΣis(λ0, λ1)-FLR-sim-secure split-coding scheme

by the parameter given in the statement of the theorem we have that Lemma 3 and Lemma 4 are in

contraction. ut

Remark 1. The result can be generalized for a weaker version of the split-state model where the code-word is split in many parts. The probability that the predictor in Lemma 4 guesses the message m

degrades exponentially in the number of splits (the adversary needs to leak one hash for each split and then executes step 7 for any split). Therefore, the impossibility holds when the number of splits is

o((α−λ0(1 +γ))/`CRH). We present the theorem, as stated here, for sake of simplicity.

4.1 The case of constant-size message

Theorem 2. If public-coinAoK1/2,negl(κ)(O(1), `AoK(κ))forNP, Predictable ZAP forNPwith answer length1and collision-resistant hash functions with output length`CRH(κ)exist then for anyλ0 >1for

anyγ >0and for any(α, β)-split-coding schemeΣwithα(κ)>7 +γ and ifλ1(κ)>17λ0(κ)·(1 +

γ))·`AoK(κ) + 2`CRH(κ)it holds thatΣis not(λ0, λ1)-FLR-sim-secure.

In what follows we give a sketch of the proof of Theorem 2 stressing mainly on the main differences with the proof of Theorem 1. The formal proof is given in Appendix B.

Proof (Sketch.).Consider the adversaryA0 = (A0₀,A0₁)which is the same as that of Theorem 1 but steps 4, 5 and 6 are substituted by the following:

4. Leak Predictable ZAP of Consistency.LetΠ = (Chall,Resp,Predict)be a PZAP for the relation

Ras defined below:

 



(crs, hl, hr, m),(L, R) :

h(L) =hl

h(R) =hr Dec(crs, L, R) =m

 



.

Sample(c, tp)←$Chall(1κ)and define the functions:

fL(ωkm) := (h(L)whereL, R=Enc(crs, m;ω)) ;

fR(ωkm) := (h(R)whereL, R=Enc(crs, m;ω)) ;

f0(ωkm) :=Resp(1κ, (crs, fL(ωkm), fR(ωkm), m), Enc(crs, m;ω), c).

5. Send the messageencode.

6. Leak Hashed Values and Verify Consistency. Send the queries (L, h),(R, h). Let hl, hr be the

answers to the queries. Check ifPredict(tp, (hl, hr, m)) =lk0, abort if not.

Consider the following randomized experimentE:

– Pick uniformly randomm←$Mandh←$GenCRH(1κ)and forward to the predictor the valueh. – Instantiate an oracleOm

λ0·(1+γ)and give the predictor access to it. Lemma 5. H∞(m|E)>|m| −λ0·(1 +γ).

The only difference from Lemma 3 is that the experimentEdoes not feed the predictor with the value

h(m).

Lemma 6. IfΣis(λ0, λ1)-FLR-sim-secure thenHe∞(m|E)66.

The proof of the lemma follows the same line of Lemma 4. Notice that in the experiment E the predictor does not get input m (which it is trying to predict!), so it cannot fully emulate the adver-sary A0, therefore we consider an adversary A00 which is equivalent to A0 but does not check that

Predict(tp, (crs, hl, hr, m)) =lk0(in the case the condition holds we say thatlk0isvalid). The

predic-tor, similar to Lemma 4, simulates the interactions betweenA00andS0 (the simulator forA0) and then extracts the valuesLandR.

Notice that the description of the leakage functionf0 is independent of the messagemas provided

by the syntax of Predictable ZAP and, conditioned on lk0 is valid, the interactions between A0 and S0 and the interactions between A00 andS0 are indistinguishable. Moreover, the event happens with overwhelming probability.

5 Feasibility Results

In this section we give two feasibility results for weaker models of security.

5.1 The Inner-Product Extractor is aNC0-Fully LR Code

We start by giving a well-known characterization of the classNC0. Lemma 7. Let f ∈ NC0 where f := fn_:{0,1}n_{→ {0,1}}m(n)

n∈_N for a function m. For any n there exists a valuec = O(m), a set{i1, . . . , ic} ⊆ [n]of indexes and a functiong such that for any

x∈ {0,1}n_,

f(x) =g(xi1, xi2, . . . , xic).

The lemma above shows that any function in NC0 with output lengthm such that m(n)/n = ω(1)

cannot be collision resistant, because an adversary can guess an index i /∈ {i1, . . . , ic} and output 0n,(0i−1k1k0n−i)as collision.

LetFbe a finite field and letΦn_F = (Enc,Dec)be as follows:

- Encon inputm∈Fpicks uniformly randomL,R←$_Fnunder the condition thathL,Ri=m. - Decon inputL,RoutputshL,Ri.

Theorem 3 (from [DF11]).The encoding schemeΦn

Fas defined above for|F|=Ω(κ)is a(0,0.3·|F

n_|)

-FLR-SIM-secure forn >20.

Theorem 4. For anyn∈_Nandn >20there exists a positive constantδ∈_Rsuch that, for anyλ0, λ1

such thatδ·λ0+λ1 <0.3· |Fn|the encoding schemeΦn_Fis(NC0, λ0, λ1)-FLR-SIM-secure.

Proof. Given a vectorX ∈Fnletbit(X)i be thei-th bit of a canonical bit-representation ofX. Given A= (A0,A1)we define a new adversaryA0 that works as follows:

0. Instantiate an execution of(m, st)←$A₀(1κ);

1. ExecuteA₁(st)and reply to the leakage oracle queries it makes as follow:

- Upon message(rand, f) fromA₁, let I be the set of indexes such thatf depends on I only. DefineIL:=I ∩[qn]andIR:=I∩[qn+ 1,2qn]. Define the functions:

fL(L) := (bit(L)i fori∈IL);

fR(R) := (bit(R)i fori∈IR).

Send the queries(L, fL)and(R, fR)and letlkLandlkRbe the answers to the queries. Hardwire

such values and evaluate the functionfon inputm. Namely, computelkf :=f(fL(L), fR(R), m)

and send it back toA1(st).

- Upon message(X, f)whereX∈ {L,R}fromA1forward the message.

W.l.o.g. assume that every leakage query to Oω_λkm

0 has output length 1 and that the adversary makes exactlyλ0queries. By Lemma 7 there exists a constantδ∈Nsuch that for thei-th leakage query made byA1toOω_λ0kmthe adversaryA0 leaksδbits fromOL_λ1,OR_λ1. By construction:

{Realλ0,λ1 A,Φn

F

(κ)}κ∈N≡ {Real

0,λ1+δ·λ0 A0_,Φn

F

(κ)}κ∈N.

LetS0_{be the simulator for the adversaryA}0_{as provided by Theorem 3, thus:}

{Real0,λ1+δ·λ0 A0_,Φn

F

(κ)}κ∈N≈negl(κ) {Ideal0,λ1+δ

·λ0

A0_,S0 (κ)}κ∈N.

LetSbe defined as the machine that runs the adversaryA0interacting with the simulatorS0. Notice that:

{Ideal0,λ1+δ·λ0

A0_,S0 (κ)}κ∈N≡ {Ideal

λ0,λ1

A,S (κ)}κ∈N.

This conclude the proof of the theorem. ut

Remark 2. The proof exploits only marginally the structure ofΦn_F. It is not hard to see that the theorem can be generalized for any coding scheme(Gen,Enc,Dec)where for any messagem∈ Mthe function

Enc(m;·)is invertible inNC0. We present the theorem, as stated here, only for sake of concreteness. Remark 3. The construction is secure under the slightly stronger definition where the adversary does not lose access toO_λωkm

0 after having sent the messageencode.

5.2 A Compiler from LRC to weak FLRC.

Given a(α, β)-split-coding schemeΣ = (Gen,Enc,Dec)with randomness spaceR, letHr,t denote a

family of efficiently computablet-wise independent hash function with domain{0,1}r _{and co-domain} R.

We defineΣ0= (Gen0,Enc0,Dec0 :=Dec)as follow:

– Gen0 on input 1κ executes crs←$Gen(1κ) and samples a function h←$H_r,t. It outputs crs0 =

(h,crs).

Theorem 5. For any encoding schemeΣ and any leakage classF, ifΣis(0, λ1, )-FLR-SIM-secure

thenΣ0is(F, λ0, λ1,3)-FLR-SIM-secure for any06λ0< αwhenever:

r>λ0+λ1+ 2 log(1/) + log(t) + 3,

t>λ0·log|F |+α+λ0+λ1+ 2 log(1/).

Proof. Given an adversaryA0againstΣ0, we define apptadversaryA= (A0,A1)againstΣas follow:

- AdversaryA0:On inputcrs, it picks at randomh←$H_r,t, a random stringω←${0,1}rand a ran-dom stringr←${0,1}p(κ)for a polynomialpthat bounds the running time ofA0and runsA0₀(1κ;r). Upon leakage oracle queryf toOω

λ0 fromA 0

0, it repliesf(ω). Eventually, the adversaryA00 outputs

a a messagem∈ Mand a state valuest,A0outputsmandst0 = (st, h).

- AdversaryA₁:On inputsst0= (st, h)andcrs, it runsA0

1(st,(h,crs))and forwards all the queries

made byA0₁.

W.l.o.g. the adversary A0 makes the sequence(rand, f1),(rand, f2), . . . ,(rand, fλ0) of queries. Let

f := (f1, . . . , fλ0)∈ F

λ0_{, therefore view ofA}0 _{in the real experiment is:}

Realλ0,λ1

A0_,Σ0(κ) = r,(h,crs),f(ω),lkL,lkR

On the other hand, by definition of the adversaryA, the view provided toA0is:

Hyb(κ) = r,f(ω),(h,crs),lkL0,lkR0,

whereL0, R0 =Enc(crs, m;ω0)andω←${0,1}randω0←$R. Claim 5

Realλ0,λ1 A0_,Σ0(κ) _κ∈

N≈2(κ)

Hyb(κ) _κ∈

N.

Before proceeding with the proof of the claim we show how the theorem follows. LetSbe the simulator for the adversaryAas given by the hypothesis of the theorem:

{Real0,λ1

A,Σ(κ)}κ∈N

c

≈_(κ){Ideal0,λ1

A,S(κ)}κ∈N. (6)

Let S0 be defined as the adversary A interacting with the simulator S. Therefore, if we consider

Ideal0,λ1

A,S(κ) = (r, h, ω), crs,lke_L,lke_R

, it holds that:

Idealλ0,λ1

A0_,S0(κ) = r,(h,crs),f(ω),lke_L,lke_R

.

It follows from a simple reduction to Eq. (6) that:

Hyb(κ) _κ∈

N

c

≈_(κ){Idealλ0,λ1

A0_,S0(κ)}κ∈N.

We conclude by applying Claim 5 to equation above. ut

Proof (of the claim).Since we are proving statistical closeness we can de-randomize the adversaryA0

by setting the random string that maximize the distinguishability of the two random variables. Similarly we can de-randomize the common reference string generation algorithm Gen. Therefore, w.l.o.g., we can consider them fixed in the views.

Recall that the adversaryAdefines forA0 a hybrid environment where the leakage on the random-ness is onω←${0,1}rbut the codeword is instantiated using fresh randomnessω0←$R. We prove the stronger statement that the two views are statistical close with high probability over the choice of the

t-wise hash functionh. For convenience, we define two tuples of random variables:

Realh:= f(ω),lkL,lkR(L, R) =Enc crs, m; h(ω)

Hyb_h:= f(ω),lkL0,lkR0

Notice that in both distributions above the functionf are random variable. For any fixed sequence of functionsf = f0, . . . , fλ0, letRealh,f (resp.Hybh,f) be the distributionRealh (resp.Hybh) where the leakage functions are set. We prove that

Pr[Hyb_h≈Realh]>1− ,

where the probability is over the choice ofh←$H_r,t. LetBadbe the event{Hyb_h6≈Real_h}.

Pr[Bad]≤ Pr h←$Hr,t

∃f1, . . . , fλ0 ∈ F, m∈ M:Realh,f 6≈Hybh,f

6 X

f∈Fλ₀ X

m∈M

Pr h←$Hr,t

h X

v Pr

ω[Realh,f =v]−ω,ωPr0[Hybh,f =v]

>2

i

Letλ:=λ0+λ1and letpv := Prω,ω0[Hyb_h,f =v]. Definep˜_v := max{p_v,2−λ}. Note that:

X

v∈{0,1}λ ˜

pv 6 X

v

pv+ X

v

2−λ 62

Define the indicator random variableYω,v¯ for the event{Realh,f =v|ω = ¯ω}, where the randomness is over the choice ofh←$H_r,t.

For any viewv, the random variables{Yω,v¯ }ω¯∈{0,1}r aret-wise independent.

Moreover,E[Pω¯∈{0,1}rYω,v¯ ] = 2rpv. In fact, for any h¯ ∈ H, anyω¯ ∈ {0,1}r and anyv ∈ {0,1}λ it

holds thatPrh[Realh,f =v|ω= ¯ω] = Prω0[Hyb_h,f =v|ω= ¯ω, h= ¯h]. It follows that

Pr h←$Hr,t

h X

v Pr

ω[Realh,f =v]−pv >2

i

6 Pr

h←$Hr,t h

∃v:Pr

ω[Realh,f =v]−pv

> ·p˜_v i

6 X

v∈{0,1}λ Pr h←$Hr,t

h Pr

ω[Realh,f =v]−pv

> ·p˜_v i

6 X

v∈{0,1}λ Pr h←$Hr,t

h

X

¯ ω

Yω,v¯ −2rpv

>2r·p˜_v i

6 X

v∈{0,1}λ 8

t·2rpv+t2 (2r_·p˜

v)2 t/2

(7)

6 X

v∈{0,1}λ 8

2t·2rp˜v (2r_·p˜

v)2 t/2

(8)

6 2λ·8

2t

2r−λ_·2 t/2

(9)

where Eq. (7) follows by Lemma 2 and Eq. (8) and Eq. (9) follow because2r·p˜v >2r−λ >t. Combining

all together we have:

Pr[Bad]6|F |λ0_{· |M| ·2}λ0+λ1 _·8

2t

2r−λ0−λ1 ·2

t/2

.

To make the above negligible we can set:

r>λ0+λ1+ 2 log(1/) + log(t) + 3,

References

ABG+13. Prabhanjan Ananth, Dan Boneh, Sanjam Garg, Amit Sahai, and Mark Zhandry. Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689, 2013.http://ia.cr/2013/689.

ADKO15. Divesh Aggarwal, Stefan Dziembowski, Tomasz Kazana, and Maciej Obremski. Leakage-resilient non-malleable codes. InTCC, Part I, pages 398–426, 2015.

ADW09. J. Alwen, Y. Dodis, and D. Wichs. Leakage-resilient public-key cryptography in the bounded-retrieval model. In CRYPTO, pages 36–54, 2009.

AGP14. Prabhanjan Ananth, Vipul Goyal, and Omkant Pandey. Interactive proofs under continual memory leakage. In CRYPTO, pages 164–182, 2014.

AMP15. Marcin Andrychowicz, Daniel Masny, and Edoardo Persichetti. Leakage-resilient cryptography over large finite fields: Theory and practice. InACNS, 2015.

BCC+14. Nir Bitansky, Ran Canetti, Alessandro Chiesa, Shafi Goldwasser, Huijia Lin, Aviad Rubinstein, and Eran Tromer. The hunting of the snark. Cryptology ePrint Archive, Report 2014/580, 2014.http://ia.cr/2014/580. BCCT12. Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. From extractable collision resistance to succinct

non-interactive arguments of knowledge, and back again. InITCS, pages 326–349, 2012.

BCH12. Nir Bitansky, Ran Canetti, and Shai Halevi. Leakage-tolerant interactive protocols. InTCC, pages 266–284, 2012. BCP14. Elette Boyle, Kai-Min Chung, and Rafael Pass. On extractability obfuscation. InTCC, pages 52–73, 2014. BDL14. Nir Bitansky, Dana Dachman-Soled, and Huijia Lin. Leakage-tolerant computation with input-independent

pre-processing. InCRYPTO, pages 146–163, 2014.

BGK14. Elette Boyle, Shafi Goldwasser, and Yael Tauman Kalai. Leakage-resilient coin tossing. Distributed Computing, 27(3):147–164, 2014.

BR93. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. InACM Conference on Computer and Communications Security, pages 62–73, 1993.

BR94. Mihir Bellare and John Rompel. Randomness-efficient oblivious sampling. InFOCS, pages 276–287, 1994. BSW13. Elette Boyle, Gil Segev, and Daniel Wichs. Fully leakage-resilient signatures. J. Cryptology, 26(3):513–558,

2013.

DDV10. Francesco Davì, Stefan Dziembowski, and Daniele Venturi. Leakage-resilient storage. InSCN, pages 121–137, 2010.

DF11. Stefan Dziembowski and Sebastian Faust. Leakage-resilient cryptography from the inner-product extractor. In ASIACRYPT, pages 702–721, 2011.

DLWW11. Yevgeniy Dodis, Allison B. Lewko, Brent Waters, and Daniel Wichs. Storing secrets on continually leaky devices. InFOCS, pages 688–697, 2011.

DP08. Stefan Dziembowski and Krzysztof Pietrzak. Leakage-resilient cryptography. InFOCS, pages 293–302, 2008. DPW10. Stefan Dziembowski, Krzysztof Pietrzak, and Daniel Wichs. Non-malleable codes. InICS, pages 434–452, 2010. FMNV14. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, and Daniele Venturi. Continuous non-malleable codes.

InTCC, pages 465–488, 2014.

FMNV15. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, and Daniele Venturi. A tamper and leakage resilient von neumann architecture. InPKC, pages 579–603, 2015.

FMVW14. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, and Daniel Wichs. Efficient non-malleable codes and key-derivation for poly-size tampering circuits. InEUROCRYPT, pages 111–128, 2014.

FNV14. Antonio Faonio, Jesper Buus Nielsen, and Daniele Venturi. Mind your coins: Fully leakage-resilient signatures with graceful degradation. IACR Cryptology ePrint Archive, 2014:913, 2014.

FNV15. Antonio Faonio, Jesper Buus Nielsen, and Daniele Venturi. Predictable arguments of knowledge. 2015. http:

//ia.cr/2015/740.

FRR+10. Sebastian Faust, Tal Rabin, Leonid Reyzin, Eran Tromer, and Vinod Vaikuntanathan. Protecting circuits from leakage: the computationally-bounded and noisy cases. InEUROCRYPT, pages 135–156, 2010.

FS86. Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. InCRYPTO, pages 186–194, 1986.

GGHW14. Sanjam Garg, Craig Gentry, Shai Halevi, and Daniel Wichs. On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. InCRYPTO, pages 518–535, 2014.

GJS11. Sanjam Garg, Abhishek Jain, and Amit Sahai. Leakage-resilient zero knowledge. InCRYPTO, pages 297–315, 2011.

GW11. Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. InSTOC, pages 99–108, 2011.

HKL+_{12. Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, and Krzysztof Pietrzak. Lapin: An efficient}

authen-tication protocol based on ring-lpn. InFSE, pages 346–365, 2012.

HL11. Shai Halevi and Huijia Lin. After-the-fact leakage in public-key encryption. InTCC, pages 107–124, 2011. JW15. Zahra Jafargholi and Daniel Wichs. Tamper detection and continuous non-malleable codes. InTCC, Part I, pages

Kil92. Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract). InSTOC, pages 723– 732, 1992.

KJJ99. Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. InCRYPTO, pages 388–397, 1999. Koc96. Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. InCRYPTO,

pages 104–113, 1996.

KV09. Jonathan Katz and Vinod Vaikuntanathan. Signature schemes with bounded leakage resilience. InASIACRYPT, pages 703–720, 2009.

LL12. Feng-Hao Liu and Anna Lysyanskaya. Tamper and leakage resilience in the split-state model. InCRYPTO, pages 517–532, 2012.

Mic00. Silvio Micali. Computationally sound proofs.SIAM J. Comput., 30(4):1253–1298, 2000.

MR04. Silvio Micali and Leonid Reyzin. Physically observable cryptography (extended abstract). InTCC, pages 278– 296, 2004.

MTVY11. Tal Malkin, Isamu Teranishi, Yevgeniy Vahlis, and Moti Yung. Signatures resilient to continual leakage on memory and computation. InTCC, pages 89–106, 2011.

NS09. Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. IACR Cryptology ePrint Archive, 2009:105, 2009.

NVZ13. Jesper Buus Nielsen, Daniele Venturi, and Angela Zottarel. On the connection between leakage tolerance and adaptive security. InPKC, pages 497–515, 2013.

NVZ14. Jesper Buus Nielsen, Daniele Venturi, and Angela Zottarel. Leakage-resilient signatures with graceful degradation. InPublic Key Cryptography, pages 362–379, 2014.

OPV15. Rafail Ostrovsky, Giuseppe Persiano, and Ivan Visconti. Impossibility of black-box simulation against leakage attacks. InCRYPTO, pages 130–149, 2015.

Pan14. Omkant Pandey. Achieving constant round leakage-resilient zero-knowledge. InTCC, pages 146–166, 2014. QS01. Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (EMA): Measures and counter-measures

for smart cards. InE-smart, pages 200–210, 2001.

TV00. Luca Trevisan and Salil P. Vadhan. Extracting randomness from samplable distributions. InFOCS, pages 32–42, 2000.

Appendix

A Relation with the definition of [DDV10] forλ0 = 0.

We recall the indistinghuishability-based definition:

Definition 5 (Leakage-Resilient Storage [DDV10]).For any adversary A = (A0,A1) and any

en-coding schemeΣ= (Enc,Dec), consider the following experimentExpLRind

A,Σ(κ, λ1)betweenAand a

challenger:

1. Upon input 1κ the adversaryA₀ outputs a pair of messages m0, m1 ∈ Mtogether with a state

informationst;

2. The challenger selects a random bitband sets(L, R)←$Enc(m₀); 3. Upon inputstand oracle access toOL

λ1 andO R

λ1 the adversaryA1 outputs a bitb 0_.

4. Ifb=b0 then the output of the experiment is1, else0.

Given λ(κ) ∈ N, a (α, β)-split-coding scheme Σ is said to be (λ1, )-LR-ind-secure if for any

un-bounded adversaryA:

Pr[ExpLRind

A,Σ(κ, λ1)]≤ 1₂ +(κ)

We prove that the notion above is stronger than the FLR-sim-secure notion when the leakage parameter

λ0= 0.

Theorem 6. LetΣbe a split-coding scheme. IfΣis(λ1, )-LR-ind-secure then it is(0, λ1, )

-FLR-sim-secure.

Proof. Suppose that exists adversaryA= (A₀,A₁)such that for any simulatorS:

Real0,λ1

A,Σ(κ) κ∈N6

c ≈

Ideal0,λ1

A,S(κ) κ∈N (10)

Specifically, consider the simulatorS0that does the following: – Upon input1κencodes(L, R)←$Enc(0α).

– Upon message(X, f)fromAwhereX∈ {L,R}it replies withf(L)ifX=Lotherwisef(R). By Eq. (10) there exists apptdistinguisherDsuch that:

|Pr[D(Ideal0,λ1

A,S0(κ)) = 1 ]−Pr[D(Real0,λ_A,Σ1(κ)) = 1 ]

> (κ)

Consider the following adversaryA0 = (A0₀,A0₁)for the experimentExpLRind_A0_,Σ(κ, λ1):

– Upon input1κ the adversary A0₀ runsA0(1κ)which returnsm and a state informationst,A00 sets

m0:=m, m1 := 0αand outputs(m0, m1)andst.

– Upon inputstthe adversaryA0₁runsA1(st)until eventually it terminates. Letvbe the view defined

byA. The adversaryA0₁runs the distinguisherD(v)and outputs whatDreturns. We show that the adversaryA0_{break the LR-ind-security ofΣ:}

Pr[ExpLRind

A0_,Σ(κ, λ₁) = 1]

=1₂Pr[D(v) = 0|b= 0] + 1₂Pr[D(v) = 1|b= 1] =1₂(1−Pr[D(Real0,λ1

A,Σ) = 1 ] + Pr[D(Ideal 0,λ1

A,S0) = 1 ])

>12+

Pr[D(Ideal0,λ_A,S10) = 1 ]−Pr[D(Real0,λ_A,Σ1) = 1 ]

> 1₂+(κ)