International Association
for Cryptologic Research

Side channel attacks -- attacks that exploit implementation-dependent information of a cryptosystem -- have been shown to be highly detrimental, and the cryptographic community has recently

focused on developing techniques for securing implementations against such attacks. An important model called \\emph{Only Computation Leaks} (OCL) [Micali and Reyzin, TCC \'04] and its stronger variants were proposed to model a broad class of leakage attacks (a type of

side-channel attack). These models allow for unbounded, arbitrary leakage as long as (1) information in each leakage observation is bounded, and (2) different parts of the computation leak independently. Various results and techniques have been developed for these models and we continue this line of research in the current work.

We address the problem of compiling any circuit into a circuit secure against OCL attacks. In order to leverage the OCL assumption, the resulting circuit will be split into components, where at any point in time only a single component is active. Optimally, we would like to output a circuit that has only one component, and no part of the computation needs to be leak-free. However, this task is impossible due to the result of Barak et al. [JACM \'12].The current state-of-the-art constructions achieve either two components with additional leak-free hardware, or many components without leak-free hardware.

In this work, we show how to achieve the best of both worlds: We construct two-component OCL schemes without relying on leak-free components. Our approach is general and modular -- we develop generic techniques to remove the hardware component from hardware-based constructions, when the functionality provided by the hardware satisfies some properties. Our techniques use universal deniable encryption (recently constructed by Sahai and Water [STOC \'14] using indistinguishable obfuscation) and non-committing encryption in a novel way. Then, we observe that the functionalities of the hardware used in previous two-component constructions of Juma and Vahlis [Crypto \'10], and Dziembowski and Faust [TCC \'12] satisfy the required properties.

The techniques developed in this paper have deep connections with adaptively secure and leakage tolerant multi-party computation (MPC).

Our constructions immediately yield adaptively secure and leakage tolerant MPC protocols for any no-input randomized functionality in the semi-honest model. The result holds in the CRS model, without pre-processing. Our results also have implications to two-party leakage tolerant computation for arbitrary functionalities, which we obtain by combining our constructions with a recent result of Bitansky, Dachman-Soled, and Lin [Crypto \'14].