International Association for Cryptologic Research


CryptoDB

Hovav Shacham

Publications

Year  Venue      Title

2022  TCHES      The Silent Zero Store Side Channel and Its Implications for Crypto Implementations
      Authors: Yingchen Wang, Hovav Shacham
      Abstract: Cryptographic software aiming to be constant-time must avoid overwriting a memory location with a value that, depending on a secret, is either all-zero or not all-zero. The reason is silent zero store suppression, a microarchitectural optimization that allows evicted all-zero cachelines that are dirty but unchanged to be dropped instead of written back. As discovered by Travis Downs, recent Intel processors implement silent zero store suppression for some evictions from the L2 cache. We describe an adaptive chosen-ciphertext attack strategy against SIKE (a popular post-quantum key-encapsulation primitive) in which a correct key-bit guess triggers thousands of suppressed silent zero stores. We show that our attack strategy renders both the Cloudflare CIRCL implementation of SIKE (written in Go) and the Microsoft PQCrypto-SIKE implementation (written in C) vulnerable to a remote timing attack when running on an Intel Ice Lake CPU, despite having been written to be side-channel resistant. Our attack recovers the complete 378-bit SIKE-751 secret key from a CIRCL server in 39 hours and from a PQCrypto-SIKE server in 72 hours.

2013  JOFC       Compact Proofs of Retrievability
      Authors: Hovav Shacham, Brent Waters
      Abstract: In a proof-of-retrievability system, a data storage center must prove to a verifier that he is actually storing all of a client's data. The central challenge is to build systems that are both efficient and provably secure—that is, it should be possible to extract the client's data from any prover that passes a verification check. In this paper, we give the first proof-of-retrievability schemes with full proofs of security against arbitrary adversaries in the strongest model, that of Juels and Kaliski. Our first scheme, built from BLS signatures and secure in the random oracle model, features a proof-of-retrievability protocol in which the client's query and server's response are both extremely short. This scheme allows public verifiability: anyone can act as a verifier, not just the file owner. Our second scheme, which builds on pseudorandom functions (PRFs) and is secure in the standard model, allows only private verification. It features a proof-of-retrievability protocol with an even shorter server's response than our first scheme, but the client's query is long. Both schemes rely on homomorphic properties to aggregate a proof into one small authenticator value.

2011  EUROCRYPT
2010  ASIACRYPT
2010  CHES
2009  ASIACRYPT
2009  CRYPTO
2009  CRYPTO
2008  ASIACRYPT
2007  PKC
2006  EUROCRYPT
2004  CRYPTO
2004  EUROCRYPT
2004  JOFC
2003  EUROCRYPT
2001  ASIACRYPT

Program Committees

Crypto 2018 (Program chair)
Crypto 2017 (Program chair)
Eurocrypt 2014
Crypto 2013
Eurocrypt 2011
PKC 2010
PKC 2009
Crypto 2008
Eurocrypt 2008
PKC 2007
Crypto 2006
Asiacrypt 2006
Asiacrypt 2005