A Leakage-Resilient Mode of Operation

Krzysztof Pietrzak
CWI Amsterdam, The Netherlands

Abstract. A weak pseudorandom function (wPRF) is a cryptographic primitive similar to – but weaker than – a pseudorandom function: for wPRFs one only requires that the output is pseudorandom when queried on random inputs. We show that, unlike “normal” PRFs, wPRFs are seed-incompressible, in the sense that the output of a wPRF remains pseudorandom even if a bounded amount of information about the key is leaked. As an application of this result we construct a simple mode of operation which – when instantiated with any wPRF – gives a leakage-resilient stream-cipher. The implementation of such a cipher is secure against every side-channel attack, as long as the amount of information leaked per round is bounded; the total amount leaked over all rounds can be arbitrarily large. The construction is simpler than the previous one (Dziembowski-Pietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straightforward manner.

1 Introduction

Traditionally, cryptographic algorithms are designed to withstand adversaries that can attack the cryptosystem in a black-box fashion. This means that all the adversary can do is query the system at hand according to the security definition. In many settings this is not a realistic assumption, as real-world adversaries attack concrete implementations of cryptosystems, which possibly leak information that cannot be efficiently computed from black-box access alone. Attacks exploiting such leakage are called side-channel attacks. In the last two decades we have seen many cryptanalytic attacks exploiting side-channels such as running time [31], electromagnetic radiation [39, 19], power consumption [33] and fault detection [4, 3]. A recent example [18] is the side-channel attack against KeeLoq (which refers to the “KeeLoq block-cipher” and some particular mode in which this cipher is used), which is widely used, e.g., in anti-theft mechanisms for cars.

Although the KeeLoq block-cipher seems not to be very secure to start with [9, 27], the devastating side-channel attack of [18] exploits a weakness in the mode in which the cipher is used, rather than a weakness in the cipher itself, and it would still be applicable even if the KeeLoq block-cipher were replaced with a strong block-cipher, say AES ([18], talk by Christof Paar). It is thus an intriguing question whether there exist modes of operation which are provably secure against a wide class of side-channel attacks when instantiated with any block-cipher. In this paper we answer this question affirmatively, by proposing a mode of operation (cf. Figure 1) which turns any weak PRF into a stream-cipher which is provably secure against all side-channel attacks, assuming only that the amount

A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479, pp. 462–482, 2009. © International Association for Cryptologic Research 2009