160 likes | 175 Views
Explore the physically observable security of signature schemes, focusing on provable security, black box model, Micali-Reyzin model, and leakage function. Understand how components can be combined for overall security against physical attacks.
E N D
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol
Provable Security • A proof of security provides a strong argument in favour of a scheme’s security. • Most of the major types of cryptosystem have a generally accepted security model. • Let us consider the security model for a signature scheme...
Provable Security: Signatures public key m (m*,σ*) Signature Oracle σ F The forger wins if σ* is a valid signature for the message m* and the signature oracle did not return σ* when asked to sign message m*.
Provable Security • Black box model. • Many practical implementations give out more information than just the signature. • These “side-channels” include: • Timing information. • Power consumption information. • Electro-magnetic radiation information. • Error message information.
Physically Observable Security • Micali-Reyzin model [TCC 2004]. • Passive attackers only. • Based on a series of informal axioms: • Only computation leaks information • Different computers leak different information. • Information leakage depends on measurement. • Information leakage is local. • Leaked information is efficiently computable.
Physically Observable Security public key m (m*,σ*) Signature Oracle σ
Physically Observable Security public key m (m*,σ*) Signature Oracle σ Leakage function leakage
Physically Observable Security • Note that physically observable security is a physical assumption. I.e. it is only possible to consider whether a machine is secure and not a primitive. • Micali-Reyzin approached POS from a “micro” perspective and concentrated on showing how secure components can be combined. • We take a “macro” perspective.
Physically Observable Security public key m (m*,σ*) Signature Oracle σ Leakage function leakage
Security of Signature Schemes m σ leakage
Security of Signature Schemes m σ sk1 sk2 sk3 ... skn ...
Security of Signature Schemes m σ sk1 sk2 sk3 ... skn Simulator ...
Security of Signature Schemes • If, for each “box”, there exists a polynomial-time algorithm that can simulate the leakage from the box in such a way that no polynomial-time attacker can distinguish it from the real leakage even when the attacker has access to the secret keys for all the other boxes... • ...then the signature scheme is secure against physical attacks if and only if it is secure against black-box attacks.
Security of Signature Schemes • If you can isolate each component of a signature scheme and effectively simulate all of the side-channel information it produces... • ...then you don’t have to worry about (passive) side-channel attacks against the scheme. • Note that “distinguishing” one set of side-channel information from another set of side-channel information is a physical problem.
Open problems • A physically observable security model that models all passive attackers. • A physically observable security model that models active attackers. • Signature schemes with branching and looping, and/or with dependent secret keys. • Other types of primitive? Encryption?
Conclusions • We present a theoretical result that suggests that if a signature schemes is • secure in the black-box model, • and the leakage of the individual components of the scheme do not depend on any secret information then the signature scheme is physically secure.