1 / 22

Leakage-resilient Signatures

Leakage-resilient Signatures. Vinod Vaikuntanathan. (IBM). Jonathan Katz. (IBM & Univ. of Maryland). L. Leakage-resilient Crypto. Crypto Device. S ecret- M emory. S ecret- K ey. L(SM). L(SK). =SK+…. L: any polynomial-size circuit. [ MR’03 ,DP’08,P’09,AGV’09,…]. What leaks?

tavita
Download Presentation

Leakage-resilient Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Leakage-resilient Signatures Vinod Vaikuntanathan (IBM) Jonathan Katz (IBM & Univ. of Maryland)

  2. L Leakage-resilient Crypto Crypto Device Secret-Memory Secret-Key L(SM) L(SK) =SK+… L: any polynomial-size circuit [MR’03,DP’08,P’09,AGV’09,…] What leaks? How much? L: smaller class of circuits [Riv’97,B’99,CDH+’00,ISW’03,FRT’09,RV’09]

  3. Models of Leakage What leaks? Memory Leakage [HSH+’08, AGV’09] “All secret memory leaks” Computational Leakage[MR’03] “Only computation leaks information” How much? Bounded Continual Total leakage < α(|secret|) Leakage in any time-period < α(|secret|)

  4. Models of Leakage Memory Leakage [HSH+’08, AGV’09] [AGV’09, NS’09, ADW’09] This Work Computational Leakage[MR’03] [MR’03, DP’08, P’09,FKPR’09] Bounded Continual

  5. Leakage-Resilient Signatures GMR-security against boundedα(.)-memory attacks For every PPT Adv, if |L(SK)| ≤ α(|SK|), Pr[Adv wins] is negligible. PK L Adv L(SK) m Sign(m) (m*,σ*)

  6. Leakage-Resilient Signatures [ADW’09] Bounded (1/2-ε)n memory leakage, in random oracle model [FKPR’09] Continual α(n) comp. leakage, assuming 2α(n)-hardness Memory Leakage [ADW’09] Comp. Leakage [FKPR’09] Continual Bounded

  7. Our Results Setting: bounded, memory leakage A New Scheme • GMR-secure • (1-ε) fraction leakage,∀ε>0 • Assumption: Semantically secure enc. + NIZK An Old Scheme (+ tweaks) • one-time signature (generally, t-time) • ≈ 1/4 fraction leakage • Assumption: One-way functions (and more…)

  8. Theorem [FKPR’09] Bounded α(n) leakage ⇒ Continual α(n)/3 comp. leakage (3-time sig) (fully-secure sig) Memory Leakage This Work Computational Leakage Bounded Continual Our Results This Work + [FKPR’09]

  9. Leakage-resilient One-way Functions Definition: Hard to invert f given L(x), for any L s.t. |L(x)| ≤ α(n). Lemma: Any UOWHF is a leakage-resilient OWF. “Proof”: (for CRHFs) • h:{0,1}n→ {0,1}n/2 is a CRHF • L:{0,1}n→ {0,1}n/2-1 is any leakage function • x has min-entropy n/2 given h(x) • x has min-entropy ≥ 1 given h(x) and L(x) • Given h(x) and L(x), an inverter returns x'≠x w.p ≥ 1/2

  10. Fully-secure Signature UOWHF+ Public-key Encryption+ Simulation-sound NIZK [BFM,Sahai] Assumptions: x є{0,1}n SK: PK: (h, h(x), PKenc, CRSnizk) C = Enc(PKenc,(x,m)) Π = Proof in SS-NIZK that “∃x s.t PK contains h(x) and C is the enc. of (x,m)” Sign(m): Output (C, Π).

  11. Proof of Security Three Ideas: • Signature contains no (computational) info. on SK - NIZK proof Π is simulatable - Enc(x,m) ≈c Enc(0,m) PK=(h,h(x),…) L(x) Adv m σ=(Enc(x,m),Π) σ=(Enc(0,m),Π) (m*,σ*)

  12. Proof of Security Three Ideas: • Signature contains no (computational) info. on SK • Forgery ⇒ extract a secret-key. - simulation-soundness PK=(h,h(x),…) L(x) Adv σ* contains Enc(x*,m*) where h(x*)=h(x) (m*,σ*)

  13. Proof of Security Three Ideas: • Signature contains no (computational) info. on SK • Forgery ⇒ extract a secret-key. - simulation-soundness PK=(h,h(x),…) L(x) Adv x* s.t. h(x*)=h(x)

  14. Proof of Security Three Ideas: • Signature contains no (computational) info. on SK • Forgery ⇒ extract a secret-key. • UOWHF = Leakage-resilient OWF. Contradiction. PK=(h,h(x),…) L(x) Adv x* s.t. h(x*)=h(x)

  15. A Recipe? Given signature scheme s.t. • H∞[SK given Adv’s view] is non-zero Leakage-resilient Signature • Forgery ⇒ extract a secret-key • Finding two SK’s for a PK is an “attack”

  16. Assumption:OWF f xn,0 y2,0 yn,0 x1,0 … y1,0 … x2,0 SK: PK: x2,1 … y2,1 … x1,1 xn,1 y1,1 yn,1 (xi,j unif. random) (where yi,j = f(xi,j)) One-time Signature (based on Lamport’78) Sign(m1…mn) = (x1,0 x2,1 … xn,0) =01…0 Q: Is Lamport leakage-resilient?

  17. One-time Signature (based on Lamport’78) Assumption:OWF f x1,0 xn,0 y2,0 yn,0 … y1,0 … x2,0 SK: PK: x1,1 x2,1 … y2,1 … xn,1 y1,1 yn,1 Leakage Sign(01…0) + ! Sign(11…0)

  18. Assumption:OWF f xn,0 y2,0 yn,0 x1,0 … y1,0 … x2,0 SK: PK: x2,1 … y2,1 … x1,1 xn,1 y1,1 yn,1 One-time Signature (based on Lamport’78) Sign(ECC(m)) Sign'(m) =

  19. Assumption:OWF f xn,0 y2,0 yn,0 x1,0 … y1,0 … x2,0 SK: PK: x2,1 … y2,1 … x1,1 xn,1 y1,1 yn,1 One-time Signature (based on Lamport’78) Sign(ECC(m)) Sign'(m) = Still insecure: Consider f(x) that ignores 99% of x; outputs OWF(1% of x). Solution:Let f be a leakage-resilient OWF (=UOWHF)

  20. Assumption:UOWHF h (=OWF [NY,R]) xn,0 y2,0 yn,0 x1,0 … y1,0 … x2,0 SK: PK: x2,1 … y2,1 … x1,1 xn,1 y1,1 yn,1 One-time Signature (based on Lamport’78) Sign(ECC(m)) Sign'(m) =

  21. An Open Question This Work: Bounded, memory leakage +FKPR’09: Continual, computational leakage Best of both worlds? ? Memory Leakage This Work Computational Leakage This Work + [FKPR’09] Bounded Continual

  22. Thanks!

More Related