We consider constructing a kleptographic channel between a malicious device and an adversary who will observe an unpredictable subset of messages created by a device with a kleptographic setup. Nevertheless, the adversary must learn a secret key leaked (say, a signing key, a private decryption key, a seed to a random number generator, etc.). We consider the most restrictive scenario, in which the kleptographic message should be prepared in a fixed time, so that rejection sampling is not applicable. We propose not to leak the secret key itself but random erasure codes for this key. This approach enables leakage of an n-bit key with \(n+\delta \) kleptographic messages each encoding a single kleptographic bit, where \(\delta \) is at most 2 for 256-bit keys. This compares very well with the previous solutions, where the expected number of messages is \(n\cdot H_n\) , where \(H_n\) is the nth harmonic number. Our approach also outperforms leaking an error-correcting code of the secret instead of the secret itself. Moreover, a smaller number of messages will suffice if the adversary switches to a brute-force attack in the last phase. Thereby, we provide arguments for the necessity of strict precautions when using black box solutions for cryptographic operations.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Kleptographic Fountain - Leakage via a Binary Erasure Channel

  • Jan Wolski,
  • Mirosław Kutyłowski

摘要

We consider constructing a kleptographic channel between a malicious device and an adversary who will observe an unpredictable subset of messages created by a device with a kleptographic setup. Nevertheless, the adversary must learn a secret key leaked (say, a signing key, a private decryption key, a seed to a random number generator, etc.). We consider the most restrictive scenario, in which the kleptographic message should be prepared in a fixed time, so that rejection sampling is not applicable. We propose not to leak the secret key itself but random erasure codes for this key. This approach enables leakage of an n-bit key with \(n+\delta \) kleptographic messages each encoding a single kleptographic bit, where \(\delta \) is at most 2 for 256-bit keys. This compares very well with the previous solutions, where the expected number of messages is \(n\cdot H_n\) , where \(H_n\) is the nth harmonic number. Our approach also outperforms leaking an error-correcting code of the secret instead of the secret itself. Moreover, a smaller number of messages will suffice if the adversary switches to a brute-force attack in the last phase. Thereby, we provide arguments for the necessity of strict precautions when using black box solutions for cryptographic operations.