Leakage-Resilient Signatures. TCC 2010, Zurich, Switzerland. Sebastian Faust (KU Leuven). Joint work with Eike Kiltz (CWI), Krzysztof Pietrzak (CWI) and Guy Rothblum (Princeton).
Security against leakage: two models.
• Bounded total leakage: introduced in the context of cold boot attacks [AGV09]; the leakage function is PPT; the leakage is bounded in total; the leakage can depend on the complete state. Results: NS09, ADW09, KV09, …
• Continuous leakage: models many side-channel attacks; the leakage function is PPT; the leakage is bounded per observation; only computation leaks. Stream cipher: DP08, P09. This work: signatures.
Digital Signatures • Three algorithms: KeyGen (on input the security parameter k) outputs a key pair (pk, sk); Sign uses sk to sign a message; Verify uses pk to check a signature.
Standard Security Definition. (q-times, ε)-secure: the adversary is given pk, may ask for signatures on q messages of its choice (computed with sk), and outputs a forgery with probability at most ε. Valid forgery: verification succeeds and the message has never been queried before. How do we extend this definition to the leakage setting?
Leakage Setting. Security against leakage: with the i-th signing query the adversary also chooses a leakage function f_i and learns f_i(sk, r_i), where r_i is the randomness used in the i-th signing operation. Arbitrary leakage functions? No! A leakage function could output the complete key. Solution: bound the amount of leakage.
Bounded Total Leakage. (q, ε, λ_T)-secure against total leakage: as in the standard game, the adversary gets pk and q signatures, and additionally learns f_1(sk), …, f_q(sk) for leakage functions of its choice; it outputs a forgery with probability at most ε. • Total leakage λ_T = Σ_i |f_i(sk)| • Required: λ_T < |sk|
Instantiations. Every signature scheme is secure against bounded total leakage: • if Sig is (q, ε)-secure, then Sig is (q, 2^λ·ε, λ)-secure against total leakage (the reduction simply guesses the λ leaked bits). Drawback: exponential security loss in λ. Can we do without this loss? Yes! E.g. [AlwenDodisWichs09], [KatzVai09]: Okamoto-Schnorr signatures are secure even if a constant fraction of the key is leaked.
Continuous leakage. Bounded total leakage is insufficient in practice. Continuous leakage: a bounded amount of leakage per observation, so that the total leakage can be >> |sk|. Problem: over enough observations the leakage functions can output the whole key. Idea: use key evolution, i.e. update the secret key after every signature. Consequence: the signature scheme has to be stateful.
Stateful Digital Signatures. KeyGen (on input k) outputs (pk, sk_0); Sign takes the current key sk_{i-1}, outputs a signature and the updated key sk_i; Verify uses pk. • All signatures can be verified with the same pk.
Second Assumption. Axiom of [MR04]: "Only computation leaks." In other words, leakage is independent of untouched memory. Divide the state into two parts: the active part S+ that is touched by the current computation and the passive part S−; the leakage function sees only the active part, f(S+).
Security against continuous leakage. (q, ε, λ)-secure against continuous leakage: the adversary gets pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+), the leakage on the active part of the state (the leakage function may depend on all intermediate results of the computation, which can be simulated from the active part); then the state is updated, sk_{i-1} = (sk_{i-1}^−, sk_{i-1}^+) → upd → sk_i = (sk_i^−, sk_i^+), and the next round starts. Bound per round: λ bits < |sk|. Over q rounds the total leakage can be >> |sk|. The adversary outputs a forgery with probability at most ε.
Leakage-resilient signatures. Main theorem: if Sig is (3, ε, λ)-secure against total leakage (3 signatures, λ bits of total leakage), then Sig' is (q, q·ε, λ/3)-secure against continuous leakage (λ/3 bits per invocation). Basic idea: use a tree-based scheme [NaorYung], [Lam], [Merkle].
Tree based signatures SIG'. (pk_R, sk_R) ← KeyGen(rand): the public key of Sig' is the public key assigned to the root R of a binary tree. For now, assume the existence of physical randomness, i.e. a device that outputs fresh randomness; this assumption can be eliminated with a leakage-resilient stream cipher (see the end of the talk).
Tree based signatures SIG'. Visit the nodes in a depth-first traversal. At each node that is visited: • generate new keys • sign the new pk with the parent's key • sign one message.
Tree based signatures SIG'. Sign the i-th message m with Sig'. Current state in round i: the key pairs (pk_w, sk_w) of the nodes on the path from the root to the current node w, together with their certification chain. 1. Generate keys for the node visited next, say w1: (pk_w1, sk_w1) ← KeyGen(rand). 2. Sign the new public key pk_w1 with the secret key sk_w of the parent node w: Sign(sk_w, pk_w1). 3. Sign m with the new secret key: Sign(sk_w1, m). 4. Return the certification chain from w1 to the root together with the signature on m.
Tree based signatures SIG'. Verify the i-th signature with Sig': • verify the signature chain from the i-th node up to the root • verify the signature on m under the public key of the i-th node. Accept the signature if all verifications succeed.
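An added, runnable example of the Sig → Sig' transform described on the slides above (my code, not the paper's): Schnorr signatures over a toy 48-bit safe-prime group play the role of the underlying Sig; a TreeSigner walks a binary tree of depth d in depth-first (preorder) order, generates and certifies a node's key pair on its first visit, signs the message with that node's key, and returns the certification chain; tree_verify checks the chain back to the root. The tiny group, the SHA-256 Fiat-Shamir challenge, the "cert|"/"msg|" domain tags and the uses counter (which lets you check that no secret key is touched more than 3 times) are my additions and are not part of the scheme as presented.

```python
# Added example, not code from the paper: the tree-based transform Sig -> Sig',
# with Schnorr over a toy 48-bit safe-prime group as the underlying Sig.
import hashlib
import secrets
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n: int) -> bool:
    # Deterministic Miller-Rabin with the first 12 prime bases (exact for n < 3.3e24).
    if any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int = 48):
    # First safe prime p = 2q + 1 with q >= 2^(bits-1): a fixed, reproducible toy group.
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()
G = 4  # a quadratic residue mod P, hence a generator of the order-Q subgroup

def H(R: int, msg: bytes) -> int:
    # Fiat-Shamir challenge c = H(R, msg) mod Q, length-prefixed to avoid ambiguity.
    h = hashlib.sha256(R.to_bytes(8, "big") + len(msg).to_bytes(4, "big") + msg)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk                      # (pk, sk)

def sign(sk: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    c = H(R, msg)
    return c, (k + c * sk) % Q                    # signature (c, s)

def verify(pk: int, msg: bytes, sig) -> bool:
    c, s = sig
    R = pow(G, s, P) * pow(pk, Q - c, P) % P      # g^s * pk^(-c) == g^k
    return c == H(R, msg)

class TreeSigner:
    # Stateful Sig': tree nodes are used in depth-first (preorder) order. The node visited
    # for the i-th message signs it and later certifies its two children: at most 3 uses per sk.
    def __init__(self, depth: int):
        self.depth = depth
        pk, sk = keygen()
        self.pk = pk                      # public key of Sig' = public key of the root
        self.path = {"": (pk, sk, None)}  # label -> (pk, sk, cert by parent) for the current root path
        self.current = ""                 # label of the node that signs the next message
        self.uses = {"": 0}               # how often each sk was touched (leakage accounting)

    def _use(self, label: str, msg: bytes):
        self.uses[label] += 1
        return sign(self.path[label][1], msg)

    def sign(self, msg: bytes):
        w = self.current
        if w is None:
            raise RuntimeError("all 2^(depth+1)-1 nodes have been used")
        if w not in self.path:                          # steps 1-2: fresh keys, certified by parent
            pk_w, sk_w = keygen()
            cert = self._use(w[:-1], b"cert|" + pk_w.to_bytes(8, "big"))
            self.path[w] = (pk_w, sk_w, cert)
            self.uses[w] = 0
        sig_m = self._use(w, b"msg|" + msg)             # step 3: sign the message with sk_w
        chain = [(self.path[w[:i]][0], self.path[w[:i]][2]) for i in range(1, len(w) + 1)]
        self._advance()
        return chain, sig_m                             # step 4: (pk, cert) chain root..w + signature

    def _advance(self):
        w = self.current
        if len(w) < self.depth:
            nxt = w + "0"                               # descend to the left child
        else:
            w = w.rstrip("1")                           # climb out of finished subtrees ...
            nxt = w[:-1] + "1" if w else None           # ... then move to the right sibling
        self.current = nxt
        self.path = {v: k for v, k in self.path.items() if nxt is not None and nxt.startswith(v)}

def tree_verify(pk_root: int, msg: bytes, signature) -> bool:
    chain, sig_m = signature
    pk = pk_root
    for pk_v, cert_v in chain:                          # verify the chain from the root down
        if not verify(pk, b"cert|" + pk_v.to_bytes(8, "big"), cert_v):
            return False
        pk = pk_v
    return verify(pk, b"msg|" + msg, sig_m)
```

With depth d the tree has 2^{d+1} − 1 nodes and therefore signs that many messages before sign raises; afterwards the uses counter reads 3 for the root and every internal node (one message, two certifications) and 1 for every leaf, which is exactly the accounting the security proof relies on. Keys of nodes whose subtree is finished are dropped from the state, so only the current root path is ever stored.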
Security Proof. Theorem: if Sig is (3, ε, λ)-secure against total leakage (λ bits of total leakage), then Sig' is (q, q·ε, λ/3)-secure against continuous leakage (λ/3 bits per invocation).
Security Proof. Proof by reduction: given an adversary A' against Sig' (λ/3 bits of leakage per observation), build an adversary A against Sig (λ bits of leakage in total). A simulates the tree structure for A' and turns a forgery of A' into a forgery against Sig.
Security Proof. 1. Guess the target node w and use the target public key (the challenge public key of Sig) at w. 2. Generate the keys for all other nodes yourself (online, as the traversal reaches them). 3. Simulate the environment of A': for every node other than w, compute the signatures and the leakage f() yourself, since you know the secret key; for the target node w, answer signing and leakage queries using the target oracle of Sig.
Security Proof. The target oracle allows only λ bits of total leakage; is that enough? Observation: since only computation leaks, sk_w leaks only when it is used, and each secret key (pk_w, sk_w) is touched at most 3 times: • twice, to certify the two children • once, to sign a message, Sign(sk_w, m). Since we allow only λ/3 bits of leakage per invocation, λ bits of total leakage on sk_w suffice.
Security Proof ‘ perfect simulation outputs forgery with probє outputs forgery for Sig with probє/q forgery of A’ can only be used if it was for node w
Summary. First leakage-resilient public-key primitive. • Generic transformation from any signature scheme. • Leakage: a constant fraction of the secret key, if instantiated with Okamoto. • Efficiency: all parameters are logarithmic in q or constant. Eliminating physical randomness: use a leakage-resilient stream cipher [DP08, P09]. • Generic for any leakage-resilient signature scheme, but loses security exponentially in the leakage. • For our signature scheme instantiated with Okamoto: a variant that has no loss in security!
Eliminate physical randomness. Generic from any leakage-resilient stream cipher. Problem: the output D of the stream cipher has only n−λ bits of HILL pseudoentropy, but the reduction needs uniform randomness! Some intuition: D is ε-close to a distribution D' with min-entropy n−λ, and D' can be written as the uniform distribution U conditioned on an event E, D' = U|E, where E holds with probability 2^{-λ}. Conditioned on E, the real experiment runs with uniform randomness: we are back in the "old" world (at the cost of the 2^λ factor from conditioning on E).
Single Observation: the adversary observes one execution of Sign with secret key sk and learns f(sk) for a leakage function f of its choice.
Bounded Leakage. • Bounded total leakage: total leakage < |sk|. • Bounded leakage per observation: total leakage >> |sk|.
Security against continuous leakage. How to prevent the pre-computation attack? Idea 1: use physical randomness for the key evolution. Idea 2: the axiom of [MR04], "Only computation leaks": divide the state into an active part S+ and a passive part S−; the leakage is f(S+) only.
Security against continuous leakage. Is key evolution sufficient? No, not if the key evolution is deterministic and the f_i are PPT. Why? Pre-computation attack [DP08]: the leakage function f_i applied to sk_{i-1} can itself run the deterministic update, precompute the future state sk_t and leak the i-th bit of sk_t; after |sk_t| rounds the adversary knows sk_t completely, although each observation leaked only one bit.
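The attack as a runnable simulation (added here; not code from the paper or [DP08]): keys are 64-bit values, the deterministic update is a hash, and the adversary's leakage function for round i precomputes sk_t and outputs bit i of it, so after 64 rounds of one bit each the full sk_t is known. The randomized update is my illustration of Idea 1 (physical randomness in the key evolution); against it the same leakage functions predict sk_t no better than chance, because no f_i can see the randomness of future updates.

```python
# Added example, not from the paper: the pre-computation attack [DP08] on deterministic
# key evolution, and fresh randomness in the update as the countermeasure (Idea 1).
import hashlib
import secrets

KEY_BITS = 64  # toy key size; one bit of leakage per round then suffices after 64 rounds

def h64(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest()[:8], "big")

def evolve_deterministic(sk: int) -> int:
    # sk_{i+1} = H(sk_i): whoever holds sk_i can compute every future key
    return h64(sk.to_bytes(8, "big"))

def evolve_randomized(sk: int, r: bytes) -> int:
    # sk_{i+1} = H(sk_i, r_i) with fresh physical randomness r_i per update
    return h64(sk.to_bytes(8, "big"), r)

def leakage_fn(sk_i: int, i: int, t: int) -> int:
    """f_i: a 1-bit PPT leakage function on the key used in round i. It assumes the
    evolution is deterministic, precomputes sk_t and outputs bit i of it."""
    sk = sk_i
    for _ in range(t - i):
        sk = evolve_deterministic(sk)
    return (sk >> i) & 1

def run_rounds(sk0: int, t: int, randomized: bool):
    """Simulate t signing rounds, each leaking one adversary-chosen bit.
    Returns (the adversary's reconstruction of sk_t, the real sk_t)."""
    sk, guess = sk0, 0
    for i in range(t):
        guess |= leakage_fn(sk, i, t) << i      # one bit per observation ...
        sk = (evolve_randomized(sk, secrets.token_bytes(16)) if randomized
              else evolve_deterministic(sk))
    return guess, sk                             # ... but after t = |sk| rounds the whole key

def attack_succeeds(randomized: bool) -> bool:
    guess, real = run_rounds(secrets.randbits(KEY_BITS), KEY_BITS, randomized)
    return guess == real
```

attack_succeeds(False) is always True: total leakage equals |sk| although every single observation was bounded to one bit, which is why "bounded per observation" alone gives no security. attack_succeeds(True) is False except with probability 2^{-64}.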
Leakage Resilience. Continuous leakage: • any PPT leakage function f • leakage bounded per observation, but the total can be very large • only computation leaks (more on this later) • earlier results in this model: DP08, P09 (stream ciphers) • in this work: digital signatures
Security against continuous leakage, continued: the key update upd from sk_{i-1} = (sk_{i-1}^−, sk_{i-1}^+) to sk_i = (sk_i^−, sk_i^+) is itself a computation, so the update may leak as well! The bound of λ bits < |sk| per round applies to the leakage of signing and updating together.
Beautiful Theory… Security is studied in the black-box model: inputs and outputs are known to the adversary, but it gets no information about the internal state.
The Ugly Reality: side-channel attacks such as probing, optical, power, electromagnetic, acoustic and cache attacks.
Motivation. Many black-box secure cryptosystems get broken by physical attacks: black-box security does not imply a secure implementation! Goal: a digital signature scheme that is provably secure against side-channel attacks.