1IntroductionThecontributionofthispaperistwo-fold.First,wedeneanewcla - PDF document

1IntroductionThecontributionofthispaperistwo-fold.First,wedeneanewclassofstrongside-channelattacksthatwecall“memoryat-tacks”,generalizingthe“cold-bootattack”recentlyintroducedbyHaldermanetal.[22].Weshowthatthepublic-keyencryptionschemeproposedbyRegev[39],andtheidentity-basedencryptionschemeproposedbyGentry,Peikert,andVaikuntanathan[16]canprovablywithstandthesesidechannelattacksunderessentiallythesameintractabilityassumptionsastheoriginalsystems4.Second,westudyhowmanybitsaresimultaneouslyhardcoreforthecandidatetrapdoorone-wayfunctionproposedby[16].Thisfunctionfamilyhasbeenprovenone-wayun-dertheassumptionthatthelearningwitherrorproblem(LWE)forcertainparametersettingsisintractable,oralternativelytheassumptionthatapproximatingthelengthoftheshortestvectorinanintegerlatticetowithinapolynomialfactorishardforquan-tumalgorithms[39].Werstshowthatforthesetofparametersconsideredby[16],thefunctionfamilyhasO(N logN)simultaneouslyhardcorebits(whereNisthelengthoftheinputtothefunction).Next,weintroduceanewparameterregimeforwhichweprovethatthefunctionfamilyisstilltrapdoorone-wayandhasuptoN�o(N)si-multaneouslyhardcorebits5,undertheassumptionthatapproximatingthelengthoftheshortestvectorinanintegerlatticetowithinaquasi-polynomialfactorintheworst-caseishardforquantumalgorithmsrunninginquasi-polynomialtime.Thetechniquesusedtosolvebothproblemsarecloselyrelated.Weelaborateonthetworesultsbelow.1.1SecurityagainstMemoryAttacksTheabsoluteprivacyofthesecret-keysassociatedwithcryptographicalgorithmshasbeenthecorner-stoneofmoderncryptography.Still,inpractice,keysdogetcompro-misedattimesforavarietyofreasons.Aparticularlydisturbinglossofsecrecyisasaresultofside-channelattacks.Theseattacksexploitthefactthateverycryptographicalgorithmisultimatelyimplementedonaphysicaldeviceandsuchimplementationstypicallyenable`observations'whichcanbemadeandmeasured,suchastheamountofpowerconsumptionorthetimetakenbyaparticularimplementationofacryptographicalgorithm.Theseside-channelob-servationsleadtoinformationleakageaboutsecret-keyswhichcan(andhave)leadtocompletebreaksofsystemswhichhavebeenprovedmathematicallysecure,withoutviolatinganyoftheunderlyingmathematicalprinciplesorassumptions(see,forexam-ple,[28,29,12,1,2]).Traditionally,suchattackshavebeenfollowedbyad-hoc`xes'whichmakeparticularimplementationsinvulnerabletoparticularattacks,onlytopo-tentiallybebrokenanewbynewexamplesofside-channelattacks. 4Technically,theassumptionsarethesameexceptthattheyarerequiredtoholdforproblemsofasmallersize,ordimension.SeeInformalTheorems1and2fortheexactstatements.5Thestatementholdsforaparticularo(N)function.SeeInformalTheorem3. chosenindependentlyofthesystemparametersandinparticular,PK.Thisdenitioncapturestheattackspeciedin[22]wherethebitsmeasuredwereonlyafunctionofthehardwareorthestoragemediumused.Inprinciple,inthiscase,onecoulddesignthedecryptionalgorithmtoprotectagainsttheparticularhwhichwasxeda-priori.However,thiswouldrequirethedesignofnewsoftware(i.e,thedecryptionalgorithm)foreverypossiblepieceofhardware(e.g,asmart-cardimplementingthedecryptionalgorithm)whichishighlyimpractical.Moreover,itseemsthatsuchasolutionwillinvolvearticiallyexpandingthesecret-key,whichonemaywishtoavoid.Weavoidtheaforementioneddisadvantagesbyshowinganencryptionschemethatprotectsagainstallleakagefunctionsh(withoutputoflengthatmost(N)).Thesecond,stronger,attackistheadaptive-memoryattacks.Inthiscase,akey-pair(PK;SK)isrstchosenbyrunningthekeygenerationalgorithmwithsecurityparametern,andthentheadversaryoninputPKchoosesfunctionshiadaptively(de-pendingonthePKandtheoutputsofhj(SK),forji)andtheadversaryreceiveshi(SK).Thetotalnumberofbitsoutputbyhi(SK)foralli,isboundedby(N).Sincewedealwithpublic-keyencryption(PKE)andidentity-basedencryption(IBE)schemesinthispaper,wetailorourdenitionstothecaseofencryption.How-ever,weremarkthatsimilardenitionscanbemadeforothercryptographictaskssuchasdigitalsignatures,identicationprotocols,commitmentschemesetc.Wedeferthesetothefullversionofthepaper.NewResultsonPKESecurity.Therearetwonaturaldirectionstotakeindesigingschemeswhicharesecureagainstmemoryattacks.Therstistolookforredundantrepresentationsofsecret-keyswhichwillenablebattlingmemoryattacks.Theworksof[26,25,10]canbeconstruedinthislight.Naturally,thisentailsexpansionofthestoragerequiredforsecretkeysanddata.Thesecondapproachwouldbetoexaminenaturalandexistingcryptosystems,andseehowvulnerabletheyaretomemoryattacks.Wetakethesecondapproachhere.FollowingRegev[39],wedenethelearningwitherrorproblem(LWE)indimen-sionn,tobethetaskoflearningavectors2Znq(whereqisaprime),givenmpairsoftheform(ai;hai;si+ximodq)whereai2Znqarechosenuniformlyandinde-pendentlyandthexiarechosenfromsome“errordistribution” (Throughout,weonemaythinkofxi'sasbeingsmallinmagnitude.Seesection2forprecisedenitionofthiserrordistribution.).WedenotetheaboveparameterizationbyLWEn;m;q;.ThehardnessoftheLWEproblemischieyparametrizedbythedimensionn:wesaythatLWEn;m;q;ist-hardifnoprobabilisticalgorithmrunningintimetcansolveit.Weprovethefollowingtwomaintheorems.InformalTheorem1Lettheparametersm;qandbepolynomialinthesecurityparametern.Thereexistpublickeyencryptionschemeswithsecret-keylengthN=nlogq=O(nlogn)thatare:1.semanticallysecureagainstanon-adaptive(N�k)-memoryattack,assumingthepoly(n)-hardnessofLWEO(k=logn);m;q;,foranyk�0.Theencryptionschemecorrespondstoaslightvariantofthepublickeyencryptionschemeof[39]. (Arbitrary)Polynomialnumberofmeasurements.Wenditextremelyinterestingtoconstructencryptionschemessecureagainstrepeatedmemoryattacks,wherethecom-binednumberofbitsleakedcanbelargerthanthesizeofthesecret-key(althoughanysinglemeasurementleaksonlyasmallnumberofbits).Ofcourse,ifthesecret-keyisunchanged,thisisimpossible.Itseemsthattoachievethisgoal,someoff-line(random-ized)refreshingofthesecretkeymustbedoneperiodically.Wedonotdealwiththesefurtherissuesinthispaper.Leakingthecontentoftheentiresecretmemory.Thesecret-memorymayincludemorethanthesecret-keys.Forexample,resultsofintermediatecomputationsproduceddur-ingtheexecutionofthedecryptionalgorithmmaycompromisethesecurityoftheschemeevenmorethanacarefullystoredsecret-key.Giventhis,whynotallowthedef-initionofmemoryattackstomeasuretheentirecontentofthesecret-memory?Wehavetwoanswerstothisissue.First,inthecaseoftheadaptivedenition,whenthedecryp-tionalgorithmisdeterministic(asisthecasefortheschemeinquestionandallschemesinusetoday),thereisnolossofgeneralityinrestrictingtheadversarytomeasuretheleakagefromjustthesecret-key.Thisisthecasebecausethedecryptionalgorithmisitselfonlyafunctionofthesecretandpublickeysaswellastheciphertextthatitre-ceives,andthiscanbecapturedbyaleakagefunctionhthattheadversarychoosestoapply.Inthenon-adaptivecase,thedenitiondoesnotnecessarilygeneralizethisway;however,theconstructionswegivearesecureunderastrongerdenitionwhichallowsleakagefromtheentiresecret-memory.Roughly,thereasonisthatthedecryptionalgo-rithminquestioncanbeimplementedusingasmallamountofextramemory,andthustheintermediatecomputationsareaninsignicantfractionofmemoryatanytime.1.2SimultaneousHard-CoreBitsThenotionofhard-corebitsforone-wayfunctionswasintroducedveryearlyinthedevelopementofthetheoryofcryptography[42,21,8].Indeed,theexistenceofhard-corebitsforparticularproposalsofone-wayfunctions(see,forexample[8,4,23,27])andlaterforanyone-wayfunction[17],hasbeencentraltotheconstructionsofse-curepublic-key(andprivate-key)encryptionschemes,andstrongpseudo-randombitgenerators,thecornerstonesofmoderncryptography.Themainquestionswhichremainopeninthisareaconcernthegeneralizednotionof“simultaneoushard-corebitsecurity”looselydenedasfollows.Letfbeaone-wayfunctionandhaneasytocomputefunction.Wesaythathisasimultaneouslyhard-corefunctionforfifgivenf(x),h(x)iscomputationallyindistinguishablefromrandom.Inparticular,wesaythatablockofbitsofxaresimultaneouslyhard-coreforf(x)ifgivenf(x),theycannotbedistinguishedfromarandomstringofthesamelength(thiscorrespondstoafunctionhthatoutputsasubsetofitsinputbits).Thequestionofhowmanybitsofxcanbeprovedsimultaneouslyhard-corehasbeenstudiedforgeneralone-wayfunctionsaswellasforparticularcandidatesin[41,4,31,24,18,17],buttheresultsobtainedarefarfromsatisfactory.Forageneralone-wayfunction(modiedinasimilarmannerasintheirhard-coreresult),[17]showedtheexistenceofanhthatoutputsO(logN)bits(whereweletNdenotethelengthoftheinputtotheone-wayfunctionthroughout)whichisasimultaneoushard-corefunction 2.Letm=O(n),q=npolylog(n)and=4p n=q.ThereexistsaninjectivetrapdoorfunctionFn;m;q;withinputlengthNforwhicha1�1=polylog(N)fractionofin-putbitsaresimultaneouslyhardcore,assumingthehardnessofLWEn=polylog(n);m;q;.Ourproofissimpleandgeneral:oneoftheconsequencesoftheproofisthatarelatedone-wayfunctionbasedonthewell-studiedlearningparitywithnoiseproblem(LPN)[7]alsohasN�o(N)simultaneoushardcorebits.Wedefertheproofofthisresulttothefullversionduetolackofspace.IdeaoftheProof.Inthecaseofsecurityagainstnon-adaptivememoryattacks,thestatementweshowed(seeSection1.1)isthatgivenAandh(s),As+xlooksrandom.ThestatementofhardcorebitsisthatgivenAandAs+x,h(s)(wherehistheparticularfunctionthatoutputsasubsetofbitsofs)looksrandom.Thoughthestatementslookdifferent,themainideaintheproofofsecurityagainstnon-adaptivememoryattacks,namelydimensionreduction,carriesoverandcanbeusedtoprovethesimultaneoushardcorebitsresultalso.Fordetails,seeSection4.1.3OtherRelatedWorkBrentWaters,inapersonalcommunication,hassuggestedapossibleconnectionbe-tweentherecentlyproposednotionofdeterministicencryption[9,6],andsimultaneoushardcorebits.Inparticular,hisobservationisthatdeterministicencryptionschemes(whichare,informallyspeaking,trapdoorfunctionsthatareuninvertibleevenifthein-putcomesfromamin-entropysource)satisfyingthedenitionof[9]implytrapdoorfunctionswithmanysimultaneoushardcorebits.Togetherwiththeconstructionofde-terministicencryptionschemesfromlossytrapdoorfunctions[36](basedonDDHandLWE),thisgivesustrapdoorfunctionsbasedonDDHandLWEwithmanysimulta-neoushardcorebits.However,itseemsthatusingthisapproachappliedtotheLWEinstantiation,itispossibletogetonlyo(N)hardcorebits(whereNisthetotalnum-berofinputbits);roughlyspeaking,thebottleneckisthe“quality”oflossytrapdoorfunctionsbasedonLWE.Incontrast,inthiswork,weachieveN�o(N)hardcorebits.Recently,Peikert[34]hasshownaclassicalreductionfromavariantoftheworst-caseshortestvectorproblem(withappropriateapproximationfactors)totheaverage-caseLWEproblem.This,inturn,meansthatourresultscanbebasedontheclassicalworst-casehardnessofthisvariantshortest-vectorproblemaswell.Arecentobservationof[38]surprisinglyshowsthatanypublic-keyencryptionschemeissecureagainstanadaptive(N)-memoryattack,under(sub-)exponentialhardnessassumptionsonthesecurityofthepublic-keyencryptionscheme.Slightlymoreprecisely,theobservationisthatanysemanticallysecurepublic-keyencryptionschemethatcannotbebrokenintimeroughly2(N)issecureagainstanadaptive(N)-memoryattack.Incontrast,theschemesinthispapermakeonlypolynomialhardnessassumptions.(SeeSection3.1formoredetails).2PreliminariesandDenitionsWewillletboldcapitalssuchasAdenotematrices,andboldsmallletterssuchasadenotevectors.x
ydenotestheinnerproductofxandy.IfAisanmnmatrixand TheLWEproblemwasintroducedbyRegev[39],wherehedemonstratedacon-nectionbetweentheLWEproblemforcertainmoduliqanderrordistributions,andworst-caselatticeproblems.Inessence,heshowedthatLWEisashardassolvingsev-eralstandardworst-caselatticeproblemsusingaquantumalgorithm.Westateaversionofhisresulthere.Informally,gapSVPc(n)referstothe(worst-case)promiseproblemofdistinguishingbetweenlatticesthathaveavectoroflengthatmost1fromonesthathavenovectorshorterthanc(n)(byscaling,thisisequivalenttodistinguishingbetweenlatticeswithavectoroflengthatmostkfromoneswithnovectorshorterthank
c(n)).Proposition1([39]).Letq=q(n)beaprimeand=(n)2[0;1]besuchthatq�2p n.AssumethatwehaveaccesstoanoraclethatsolvesLWEn;m;q;.Then,thereisapolynomial(innandm)timequantumalgorithmtosolvegapSVP200n=foranyn-dimensionallattice.WewilluseProposition1asaguidelineforwhichparametersarehardforLWE.Inparticular,the(reasonable)assumptionthatgapSVPnpolylog(n)ishardtosolveinquasi-polynomial(quantum)timeimpliesthatLWEn;m;q;(aswellasLWE-Distn;m;q;)whereq=npolylog(n)and=2p n=qishardtosolveinpolynomialtime.Regev[39]alsoshowedthatanalgorithmthatsolvesthedecisionversionLWE-DistwithmsamplesimpliesanalgorithmthatsolvesthesearchversionLWEintimepoly(n;q).Proposition2.Thereisapolynomial(innandq)timereductionfromthesearchver-sionLWEn;m;q;tothedecisionversionLWE-Distn;m
poly(n;q);q;,andviceversa(forsomepolynomialpoly).Sampling .Thefollowingpropositiongivesawaytosamplefromthedistribution usingfewrandombits.Thisisdonebyasimplerejectionsamplingroutine(see,forexample,[16]).Proposition3.ThereisaPPTalgorithmthatoutputsavectorxwhosedistributionisstatisticallycloseto m(namely,mindependentsamplesfrom )usingO(m
log(q)
log2n)uniformlyrandombits.2.2DeningMemoryAttacksInthissection,wedenethesemanticsecurityofpublic-keyencryptionschemesagainstmemoryattacks.Thedenitionsinthissectioncanbeextendedtoothercryptographicprimitivesaswell;theseextensionsaredeferredtothefullversion.Weproceedtode-nesemanticsecurityagainsttwoavorsofmemoryattacks,(thestronger)adaptivememoryattacksand(theweaker)non-adaptivememoryattacks.SemanticSecurityAgainstAdaptiveMemoryAttacks.Inanadaptivememoryattackagainstapublic-keyencryptionscheme,theadversary,uponseeingthepublic-keyPK,chooses(efcientlycomputable)functionshiadaptively(dependingonPKandtheoutputsofhj(SK)forji)andreceiveshi(SK).Thisiscalledtheprobingphase.Thedenitionisparametrizedbyafunction(
),andrequiresthatthetotalnumberofbitsoutputbyhi(SK)foralliisboundedby(N)(whereNisthelengthofthesecret-key). (PK;SK) GEN(1n)(m0;m1;state) A1(PK;h(SK))s.t.jm0j=jm1jy ENCPK(mb)whereb2f0;1gisarandombitb0 A2(y;state)TheadversaryAwinstheexperimentifb0=b.RemarksabouttheDenitionsASimplerDenitionthatisEquivalenttotheadaptivedenition.Weobservethatwith-outlossofgenerality,wecanrestrictourattentiontoanadversarythatoutputsasinglefunctionh(whoseoutputlengthisboundedby(N))andgets(PK;h(PK;SK))(where(PK;SK) GEN(1n))asaresult.Informally,theequivalenceholdsbecausetheadversarycanencodeallthefunctionshi(thatdependonPKaswellashj(SK)forji)intoasinglepolynomial-sizecircuiththattakesPKaswellasSKasinputs.WewillusethisformulationofDenition2laterinthepaper.TheDependenceoftheLeakageFunctionontheChallengeCiphertext.Intheadaptivedenition,theadversaryisnotallowedtoobtainh(SK)afterheseesthechallengeciphertext.Thisrestrictionisnecessary:ifweallowtheadversarytochoosehdepend-ingonthechallengeciphertext,hecanusethisabilitytodecryptit(bylettinghbethedecryptioncircuitandencodingtheciphertextintoh),andthusthedenitionwouldbeunachievable.AsimilarissuearisesinthedenitionofCCA2-securityofencryptionschemes,wheretheadversaryshouldbeprohibitedfromqueryingthedecryptionoracleonthechallengeciphertext.Unfortunately,whereasthesolutiontothisissueintheCCA2-secureencryptioncaseisstraightforward(namely,explicitydisallowqueryingthede-cryptionoracleonthechallengeciphertext),itseemsfarlessclearinourcase.TheAdaptiveDenitionandBoundedCCA1-security.Itiseasytoseethatabit-encryptionschemesecureagainstanadaptive(N)-memoryattackisalsosecureagainstaCCA1attackwhereadversarycanmakeatmost(N)decryptionqueries(alsocalledan(N)-boundedCCA1attack).3Public-keyEncryptionSecureAgainstMemoryAttacksInthissection,weconstructapublic-keyencryptionschemethatissecureagainstmem-oryattacks.InSection3.1,weshowthattheRegevencryptionscheme[39]issecureagainstadaptive-memoryattacks,for(N)=O(N logN),undertheassumptionthatLWEO(n);m;q;ispoly(n)-hard(wherenisthesecurityparameterandN=3nlogqisthelengthofthesecret-key).Theparametersq;mandarejustasinRegev'sencryp-tionscheme,describedbelow.InSection3.2,weshowthataslightvariantofRegev'sencryptionschemeisse-cureagainstnon-adaptive(N�k)-memoryattacks,assumingthepoly(n)-hardnessofLWEO(k=logn);m;q;.Ontheonehand,thisallowstheadversarytoobtainmoreinfor-mationaboutthesecret-keybutontheotherhand,achievesamuchweaker(namely,non-adaptive)denitionofsecurity. Wewillinfactshowastrongerstatement,namelythat(A;As+x;rA;rAs;h(A;s;x);rx)c(A;As+x;u;u0;h(A;s;x);rx)(2)Thedifferencebetween(1)and(2)isthatinthelatter,thedistributionsalsocontaintheadditionalinformationr
x.Clearly,thisisstrongerthan(1).Weshow(2)infoursteps.Step1.WeshowthatrAcanbereplacedwithauniformlyrandomvectorinZnqwhilemaintainingstatisticalindistinguishability,evengivenA;As+x,theleakageh(A;s;x)andr
x.Moreprecisely,(A;As+x;rA;rAs;h(A;s;x);r
x)s(A;As+x;u;u
s;h(A;s;x);r
x)(3)whereu2Znqisuniformlyrandom.Informally,3istruebecauseoftheleftoverhashlemma.(Avariantof)leftoverhashlemmastatesthatif(a)rischosenfromadistributionoverZnqwithmin-entropyk2nlogq+!(logn),(b)AisauniformlyrandommatrixinZmnq,and(c)thedistributionsofrandAarestatisticallyindependent,then(A;rA)s(A;u)whereuisauniformlyrandomvectorinZnq.Givenr
x(whichhaslengthlogq=O(logn)),theresidualmin-entropyofrisatleastm�logq2nlogq+!(logn).Moreover,thedistributionofrgivenr
xdependsonlyonx,andisstatisticallyindependentofA.Thus,leftoverhashlemmaappliesandrAcanbereplacedwitharandomvectoru.Step2.Thisisthecrucialstepintheproof.Here,wereplacethe(uniformlyrandom)matrixAwithamatrixA0drawnfromanotherdistributionD.Informally,the(ef-cientlysampleable)distributionDsatisestwoproperties:(1)arandommatrixdrawnfromDiscomputationallyindistinguishablefromauniformlyrandommatrix,assum-ingthepoly(n)-hardnessofLWEO(n);m;q;,and(2)givenA0 Dandy=A0s+x,themin-entropyofsisatleastn.TheexistenceofsuchadistributionfollowsfromLemma1below.Theintuitionbehindthisstepisthefollowing:Clearly,As+xiscomputationallyindistinguishablefromA0s+x.Moreover,givenA0s+x,shashigh(information-theoretic)min-entropy.Thus,insomeinformalsense,shashigh“computationalen-tropy”givenAs+x.Thisistheintuitionforthenextstep.Summingup,theclaiminthisstepisthat(A;As+x;u;u
s;h(A;s;x);r
x)c(A0;A0s+x;u;u
s;h(A0;s;x);r
x)(4)whereA0 D.ThisfollowsdirectlyfromLemma1below.Step3.ByLemma1,shasmin-entropyatleastnN 9logNgivenA0s+x.SincetheoutputlengthofhisatmostN 10logNandthelengthofr
xislogq=O(logn),sstillhasresidualmin-entropy!(logn)givenA0;A0s+x,h(A0;s;x)andr
x.Notealsothatthevectoruontheleft-handsidedistributionisindependentof(A;As+x;h(A;s;x);r
x).Thisallowsustoapplyleftoverhashlemmaagain(withuasthe“seed”andsasthemin-entropysource).Thus,(A0;A0s+x;u;u
s;h(A0;s;x);r
x)s(A0;A0s+x;u;u0;h(A0;s;x);r
x)(5)whereu0 Zqisuniformlyrandomandindependentofalltheothercomponentsinthedistribution. Wesketchaproofofthistheorembelow.TheproofofsemanticsecurityofRegev'sencryptionisbasedonthefactthatthepublic-key(A;As+x)iscomputationallyin-distinguishablefromuniform.Inordertoshowsecurityagainstnon-adaptivememoryattacks,itissufcienttoshowthatthiscomputationalindistinguishabilityholdsevengivenh(s),wherehisanarbitrary(polynomial-timecomputable)functionwhoseout-putlengthisatmost(N).Theproofofthisessentiallyfollowsfromtheleftoverhashlemma.Firstofall,observethatshasmin-entropyatleastN�(N),givenh(s)(thisisbecausetheoutputlengthofhisatmost(N)).Furthermore,thedistributionofsgivenh(s)isindependentofA(sincehdependsonlyonsandischosenindependentofA).Byourchoiceofparameters,N�(N)3klogq.Thus,leftoverhashlemmaimpliesthatCsisavectortwhosedistributionisstatisticallyclosetouniform(evengivenCandh(s)).Thus,As+x=BCs+x=Bt+xisdistributedexactlyliketheoutputofanLWEdistributionwithdimensionk(sincet2Zkq).Thisiscomputationallyindistinguishablefromrandom,assumingLWEk;m;q;=LWEo(n);m;q;(sincek=o(n)byourchoice).4SimultaneousHardcoreBitsInthissection,weshowthatvariantsofthetrapdoorone-wayfunctionproposedbyGentryetal[16](theGPVtrapdoorfunction)hasmanysimultaneoushardcorebits.Fortheparametersof[16],weshowthata1/polylog(N)fractionoftheinputbitsaresimultaneouslyhardcore,assumingthepoly(n)-hardnessofLWEO(n);m;q;(here,mandqarepolynomialinnandisinverse-polynomialinn,theGPVparameterregime).Moresignicantly,weshowadifferent(andnon-standard)choiceofparametersforwhichthefunctionhasN�N=polylog(N)hardcorebits.Thechoiceofparame-tersism=O(n),amodulusq=npolylog(n)and=4p n=q.Thisresultassumesthepoly(n)-hardnessofLWEn=polylog(n);m;q;fortheseparametersm;qand.Thepa-rametersarenon-standardintworespects:rst,themodulusissuperpolynomial,andthenoiserateisverysmall(i.e,inversesuper-polynomial)whichmakesthehardnessassumptionstronger.Secondly,thenumberofsamplesmislinearinn(asopposedtoroughlynlognin[16]):thisaffectsthetrapdoorpropertiesofthefunction(formorede-tails,seeSection4.2).Also,notethatthehardnessassumptionherereferstoareduceddimension(namely,n=polylog(n)).Weremarkthatforanysufcientlylargeo(N)function,wecanshowthattheGPVfunctionisatrapdoorfunctionwithN�o(N)hardcorebitsfordifferentchoicesofparameters.Wedeferthedetailstothefullversion.4.1HardcoreBitsfortheGPVTrapdoorFunctionInthissection,weshowsimultaneoushardcorebitsfortheGPVtrapdoorfunction.First,weshowageneralresultabouthardcorebitsthatappliestoawideclassofpa-rametersettings:then,weshowhowtoapplyittogetO(N=polylog(N))hardcorebitsfortheGPVparameters,andinSection4.2,N�N=polylog(N)hardcorebitsforournewsettingofparameters.Thecollectionof(injective)trapdoorfunctionsFn;m;q;isdenedasfollows.Letm=m(n)bepolynomialinn.EachfunctionfA:Znqf0;1gr!Zmqisindexed O(mlog(q)log2n),byProposition3.Thus,thetotalinputlengthisnlogq+r=nlogq+O(mlog(q)log2n)=nlogq(1+ ).ByLemma2,assumingthehardnessofthedecisionproblemLWE-Distk;m;q;(or,byProposition2,assumingthepoly(n;q)-hardnessofthesearchproblemLWEk;m;q;),thenumberofsimultaneouslyhardcorebitsisatleast(n�k)logq.Thefractionofhardcorebits,then,is(n�k)logq nlogq(1+ )=1 1+ (1�k n).FortheGPVparameters =polylog(N),andwithk=O(n),thenumberofhardcorebitsisO(N=polylog(N))assumingthehardnessofLWEO(n);m;q;.ut4.2ANewSettingofParametersfortheGPVFunctionInthissection,weshowachoiceoftheparametersfortheGPVfunctionforwhichthefunctionremainstrapdoorone-wayandan1�o(1)fractionoftheinputbitsaresimultaneouslyhardcore.AlthoughthenumberofhardcorebitsremainsthesameasintheGPVparametrization(asafunctionofnandq),namely(n�k)logqbitsassumingthehardnessofLWEk;m;q;,thelengthoftheinputrelativetothisnumberwillbemuchsmaller.Overall,thismeansthatthefractionofinputbitsthataresimultaneouslyhardcoreislarger.Wechoosetheparameterssothatr(thenumberofrandombitsneededtosampletheerror-vectorx)isasubconstantfractionofnlogq.Thiscouldbedoneinone(orboth)ofthefollowingways.(a)Reducemrelativeton:notethatmcannotbetoosmallrelativeton,otherwisethefunctionceasestobeinjective.(b)ReducethestandarddeviationoftheGaussiannoiserelativetothemodulusq:as=qgetssmallerandsmaller,itbecomeseasiertoinvertthefunctionandconsequently,theone-waynessofthefunctionhastobebasedonprogressivelystrongerassumptions.Indeed,wewillemployboththesemethods(a)and(b)toachieveourgoal.Inaddition,wehavetoshowthatforourchoiceofparameters,itispossibletosamplearandomfunctioninFn;m;q;(thatis,thetrapdoorsamplingproperty)andthatgiventhetrapdoor,itispossibletoinvertthefunction(thatis,thetrapdoorinversionproperty).SeetheproofofTheorem4belowformoredetails.Ourchoiceofparametersism(n)=6n,q(n)=nlog3nand=4p n=q.Theorem4.Letm(n)=6n,q(n)=nlog3nand=4p n=q.Then,thefamilyoffunctionsFn;m;q;isafamilyoftrapdoorinjectiveone-wayfunctionswithan1�1=polylog(N)fractionofhardcorebits,assumingthenpolylog(n)-hardnessofthesearchproblemLWEn=polylog(n);m;q;.UsingRegev'sworst-casetoaverage-caseconnectionforLWE,theone-waynessofthisfunctionfamilycanalsobebasedontheworst-casenpolylog(n)-hardnessofgapSVPnpolylog(n).Proof.(Sketch.)Letusrstcomputethefractionofhardcorebits.ByTheorem3ap-pliedtoourparameters,wegeta1�1 lognfractionofhardcorebitsassumingthehardnessofLWE-DistO(n=logn);m;q;.ByPropositions2and1,thistranslatestotheassumptionsclaimedinthetheorem.Wenowoutlinetheproofthatforthischoiceofparameters,Fn;m;q;isaninjec-tivetrapdoorone-wayfunction.Injectivity12followsfromthefactthatforallbutan 12Infact,whatweproveisaslightlyweakerstatement.Moreprecisely,weshowthatforallbutanexponentiallysmallfractionofA,therearenotwopairs(s;x)and(s0;x0)suchthat 5OpenQuestionsInthispaper,wedesignpublic-keyandidentity-basedencryptionschemesthatarese-cureagainstmemoryattacks.Therstquestionthatarisesfromourworkiswhetheritispossibleto(deneand)constructothercryptographicprimitivessuchassignatureschemes,identicationschemesandevenprotocoltasksthataresecureagainstmem-oryattacks.Thesecondquestioniswhetheritispossibletoprotectagainstmemoryattacksthatmeasureanarbitrarypolynomialnumberofbits.Clearly,thisrequiressomeformof(randomized)refreshingofthesecret-key,anditwouldbeinterestingtocon-structsuchamechanism.Finally,itwouldbeinterestingtoimprovetheparametersofourconstruction,aswellasthecomplexityassumptions,andalsotodesignencryptionschemesagainstmemoryattacksunderothercryptographicassumptions.Acknowledgments.WethankYaelKalai,ChrisPeikert,OmerReingold,BrentWatersandtheTCCprogramcommitteefortheirexcellentcomments.ThethirdauthorwouldliketoacknowledgedelightfuldiscussionswithRafaelPassaboutthesimultaneoushardcorebitsproblemintheinitialstagesofthiswork.References1.DakshiAgrawal,BruceArchambeault,JosyulaR.Rao,andPankajRohatgi.Theemside-channel(s).InCHES,pages29–45,2002.2.DakshiAgrawal,JosyulaR.Rao,andPankajRohatgi.Multi-channelattacks.InCHES,pages2–16,2003.3.Mikl´osAjtai.Generatinghardinstancesoftheshortbasisproblem.InICALP,pages1–9,1999.4.WernerAlexi,BennyChor,OdedGoldreich,andClaus-PeterSchnorr.Rsaandrabinfunc-tions:Certainpartsareashardasthewhole.SIAMJ.Comput.,17(2):194–209,1988.5.JoelAlwenandChrisPeikert.Generatingshorterbasesforhardrandomlattices.Manuscript,2008.6.MihirBellare,MarcFischlin,AdamO'Neill,andThomasRistenpart.Deterministicencryp-tion:Denitionalequivalencesandconstructionswithoutrandomoracles.InCRYPTO,pages360–378,2008.7.AvrimBlum,MerrickL.Furst,MichaelJ.Kearns,andRichardJ.Lipton.Cryptographicprimitivesbasedonhardlearningproblems.InCRYPTO,pages278–291,1993.8.ManuelBlumandSilvioMicali.Howtogeneratecryptographicallystrongsequencesofpseudo-randombits.SIAMJ.Comput.,13(4):850–864,1984.9.AlexandraBoldyreva,SergeFehr,andAdamO'Neill.Onnotionsofsecurityfordetermin-isticencryption,andefcientconstructionswithoutrandomoracles.InCRYPTO,pages335–359,2008.10.RanCanetti,DrorEiger,ShaGoldwasser,andDah-YohLim.Howtoprotectyourselfwithoutperfectshredding.InICALP(2),pages511–523,2008.11.DarioCatalano,RosarioGennaro,andNickHowgrave-Graham.Paillier'strapdoorfunctionhidesuptoO(n)bits.J.Cryptology,15(4):251–269,2002.12.SureshChari,JosyulaR.Rao,andPankajRohatgi.Templateattacks.InCHES,pages13–28,2002.13.DonCoppersmith.Smallsolutionstopolynomialequations,andlowexponentrsavulnera-bilities.J.Cryptology,10(4):233–260,1997.14.YevgeniyDodis,LeonidReyzin,andAdamSmith.Fuzzyextractors:Howtogeneratestrongkeysfrombiometricsandothernoisydata.InEUROCRYPT,pages523–540,2004.15.StefanDziembowskiandKrysztofPietrzak.Leakage-resilientstreamciphers.InToAppearintheIEEEFoundationsofComputerScience,2008.