Leakage-resilient Signatures - PowerPoint PPT Presentation

Slides: 23
Provided by: Vin579

Transcript and Presenter's Notes

Title: Leakage-resilient Signatures


1
Leakage-resilient Signatures
Vinod Vaikuntanathan
(IBM)
Jonathan Katz
(IBM Univ. of Maryland)
2
Leakage-resilient Crypto
Crypto Device
Secret-Memory
Secret-Key
L(SM)
L(SK)
SK
L: any polynomial-size circuit
[MR03, DP08, P09, AGV09, ...]
  • What leaks?
  • How much?

L: smaller class of circuits
[Riv97, B99, CDH00, ISW03, FRT09, RV09]
3
Models of Leakage
What leaks?
Memory Leakage [HSH08, AGV09]
All secret memory leaks
Computational Leakage [MR03]
Only computation leaks information
How much?
Bounded: total leakage < α(|secret|)
Continual: leakage in any time-period < α(|secret|)
4
Models of Leakage
Memory Leakage [HSH08, AGV09]
[AGV09, NS09, ADW09]
This Work
Computational Leakage [MR03]
[MR03, DP08, P09, FKPR09]
Bounded
Continual
5
Leakage-Resilient Signatures
GMR-security against bounded α(·)-memory attacks
For every PPT Adv, if |L(SK)| < α(|SK|), Pr[Adv wins] is negligible.
PK
L
Adv
L(SK)
m
Sign(m)
(m, σ)
6
Leakage-Resilient Signatures
[ADW09]
Bounded (1/2 − ε)n memory leakage, in random oracle model
[FKPR09]
Continual α(n) comp. leakage, assuming 2^{α(n)}-hardness
Memory Leakage
ADW09
Comp. Leakage
FKPR09
Continual
Bounded
7
Our Results
Setting: bounded, memory leakage
A New Scheme
  • GMR-secure
  • (1 − ε) fraction leakage, ∀ε > 0
  • Assumption: semantically secure enc. + NIZK

An Old Scheme (+ tweaks)
  • one-time signature (generally, t-time)
  • 1/4 fraction leakage
  • Assumption: one-way functions

(and more)
8
Our Results
This Work FKPR09
9
Leakage-resilient One-way Functions
Definition
Hard to invert f given L(x), for any L s.t. |L(x)| < α(n).
Lemma
Any UOWHF is a leakage-resilient OWF.
Proof (for CRHFs)
  • h: {0,1}^n → {0,1}^{n/2} is a CRHF
  • L: {0,1}^n → {0,1}^{n/2-1} is any leakage function
  • x has min-entropy n/2 given h(x)
  • x has min-entropy 1 given h(x) and L(x)
  • Given h(x) and L(x), an inverter returns x' ≠ x w.p. 1/2

10
Fully-secure Signature
Assumptions: UOWHF, Public-key Encryption, Simulation-sound NIZK [BFM, Sahai]
SK: x ∈ {0,1}^n
PK: (h, h(x), PK_enc, CRS_nizk)
Sign(m):
C = Enc(PK_enc, (x, m))
π: proof in SS-NIZK that ∃x s.t. PK contains h(x) and C is the enc. of (x, m)
Output (C, π).
11
Proof of Security
Three Ideas
  • Signature contains no (computational) info. on SK

- NIZK proof π is simulatable
- Enc(x, m) ≈_c Enc(0, m)
PK = (h, h(x), ...)
L(x)
Adv
m
σ = (Enc(x, m), π)
σ = (Enc(0, m), π)
(m, σ)
12
Proof of Security
Three Ideas
  • Signature contains no (computational) info. on SK
  • Forgery ⇒ extract a secret-key.

- simulation-soundness
PK = (h, h(x), ...)
L(x)
Adv
σ contains Enc(x', m) where h(x') = h(x)
(m, σ)
13
Proof of Security
Three Ideas
  • Signature contains no (computational) info. on SK
  • Forgery ⇒ extract a secret-key.

- simulation-soundness
PK = (h, h(x), ...)
L(x)
Adv
x' s.t. h(x') = h(x)
14
Proof of Security
Three Ideas
  • Signature contains no (computational) info. on SK
  • Forgery ⇒ extract a secret-key.
  • UOWHF ⇒ Leakage-resilient OWF.

Contradiction.
PK = (h, h(x), ...)
L(x)
Adv
x' s.t. h(x') = h(x)
15
A Recipe?
Given signature scheme s.t.
  • H_∞(SK) given Adv's view is non-zero

Leakage-resilient Signature
  • Forgery ⇒ extract a secret-key
  • Finding two SKs for a PK is an attack

16
One-time Signature
(based on Lamport78)
Sign(m_1 ... m_n) = (x_{1,0}, x_{2,1}, ..., x_{n,0})   [example message: 010]
Q: Is Lamport leakage-resilient?
17
One-time Signature
(based on Lamport78)
Assumption: OWF f
[Figure: SK = (x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, ..., x_{n,0}, x_{n,1}); PK = (y_{1,0}, y_{1,1}, y_{2,0}, y_{2,1}, ..., y_{n,0}, y_{n,1}); labels: Sign(010), Leakage, Sign(110)!]
18
One-time Signature
(based on Lamport78)
Sign(ECC(m))
Sign'(m)
19
One-time Signature
(based on Lamport78)
Sign(ECC(m))
Sign'(m)
Still insecure
Consider f(x) that ignores 99% of x, outputs OWF(1% of x).
Solution: Let f be a leakage-resilient OWF (UOWHF)
20
One-time Signature
(based on Lamport78)
Sign(ECC(m))
Sign'(m)
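The following is an added example, not code from the slides or the authors: a toy Lamport one-time signature run through the slide 17 scenario (Sign(010) is public and one unused preimage leaks), once on the raw message and once as Sign(ECC(m)). SHA-256 as f, a 5-fold repetition code as ECC, and all helper names are assumptions.

```python
import hashlib, secrets

def f(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the one-way function f of the slides.
    return hashlib.sha256(x).digest()

def ecc(bits, r=5):
    # Assumption: an r-fold repetition code stands in for ECC (minimum distance r).
    return [b for b in bits for _ in range(r)]

def keygen(n):
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def sign(sk, bits):
    # Reveal x_{i, b_i} for every position i.
    return [sk[i][b] for i, b in enumerate(bits)]

def verify(pk, bits, sig):
    return len(sig) == len(bits) == len(pk) and all(
        f(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def splice(known_bits, known_sig, target_bits, leaked):
    """Assemble a signature on target_bits from one valid signature plus leaked
    preimages {(i, b): x}; returns None when a needed x_{i,b} is unknown."""
    out = []
    for i, (kb, tb) in enumerate(zip(known_bits, target_bits)):
        if tb == kb:
            out.append(known_sig[i])
        elif (i, tb) in leaked:
            out.append(leaked[(i, tb)])
        else:
            return None
    return out

def demo(encode, m=(0, 1, 0), m2=(1, 1, 0)):
    """Returns (honest signature verifies, second message verifies, preimages needed)."""
    c, c2 = encode(list(m)), encode(list(m2))
    sk, pk = keygen(len(c))
    sig = sign(sk, c)
    leaked = {(0, 1): sk[0][1]}   # constructed leakage: the single preimage x_{1,1}
    other = splice(c, sig, c2, leaked)
    needed = sum(a != b for a, b in zip(c, c2))
    return verify(pk, c, sig), other is not None and verify(pk, c2, other), needed

if __name__ == "__main__":
    print("plain Lamport:", demo(lambda b: b))   # (True, True, 1)
    print("Sign(ECC(m)): ", demo(ecc))           # (True, False, 5)
```

The example models leakage of whole preimages only; the slide 19 concern, partial leakage about every x, is what the leakage-resilient OWF addresses and is not modeled here.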
21
An Open Question
This Work
Bounded, memory leakage
FKPR09
Continual, computational leakage
Best of both worlds?
?
Memory Leakage
This Work
Computational Leakage
This Work FKPR09
Bounded
Continual
22
Thanks!