Leakage-resilient Signatures
Vinod Vaikuntanathan (IBM)
Jonathan Katz (IBM & Univ. of Maryland)
Leakage-resilient Crypto
A crypto device holds secret memory SM (= SK + …) containing the secret key SK; the adversary learns L(SM), or L(SK), for a leakage function L.
• L: any polynomial-size circuit [MR’03, DP’08, P’09, AGV’09, …]
• L: a smaller class of circuits [Riv’97, B’99, CDH+’00, ISW’03, FRT’09, RV’09]
Two questions: What leaks? How much?
Models of Leakage
What leaks?
• Memory Leakage [HSH+’08, AGV’09]: “All secret memory leaks”
• Computational Leakage [MR’03]: “Only computation leaks information”
How much?
• Bounded: total leakage < α(|secret|)
• Continual: leakage in any time-period < α(|secret|)
Models of Leakage (prior work, by cell)
                                   Bounded                        Continual
Memory Leakage [HSH+’08, AGV’09]   [AGV’09, NS’09, ADW’09], This Work
Computational Leakage [MR’03]                                     [MR’03, DP’08, P’09, FKPR’09]
Leakage-Resilient Signatures
GMR-security against bounded α(.)-memory attacks:
For every PPT Adv, if |L(SK)| ≤ α(|SK|), then Pr[Adv wins] is negligible.
The game: Adv receives PK; chooses L and receives L(SK); queries messages m and receives Sign(m); finally outputs a forgery (m*, σ*) on a message it never queried.
Leakage-Resilient Signatures: prior work
• [ADW’09]: bounded (1/2-ε)n memory leakage, in the random oracle model
• [FKPR’09]: continual α(n) computational leakage, assuming 2^α(n)-hardness
In the grid: [ADW’09] sits in the bounded / memory-leakage cell, [FKPR’09] in the continual / computational-leakage cell.
Our Results
Setting: bounded memory leakage
A New Scheme
• GMR-secure
• (1-ε) fraction leakage, for all ε > 0
• Assumption: semantically secure encryption + NIZK
An Old Scheme (+ tweaks)
• one-time signature (generally, t-time)
• ≈ 1/4 fraction leakage
• Assumption: one-way functions (and more…)
Our Results (continued)
Theorem [FKPR’09]: a 3-time signature secure under bounded α(n) leakage ⇒ a fully-secure signature under continual α(n)/3 computational leakage.
So This Work (bounded memory leakage) + [FKPR’09] also fills the continual / computational-leakage cell.
Leakage-resilient One-way Functions
Definition: f is a leakage-resilient OWF if it is hard to invert f given L(x), for any L s.t. |L(x)| ≤ α(n).
Lemma: Any UOWHF is a leakage-resilient OWF.
“Proof” (for CRHFs):
• h: {0,1}^n → {0,1}^{n/2} is a CRHF
• L: {0,1}^n → {0,1}^{n/2-1} is any leakage function
• x has min-entropy n/2 given h(x)
• x has min-entropy ≥ 1 given h(x) and L(x)
• Given h(x) and L(x), an inverter returns x' ≠ x w.p. ≥ 1/2, i.e. a collision for h
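The entropy accounting behind the two min-entropy bullets, as a worked derivation added here rather than taken from the slide. It assumes the standard chain rule for average min-entropy, $\tilde H_\infty(X \mid Y) \ge H_\infty(X) - \ell$ whenever $Y$ takes at most $2^\ell$ values, which the slide leaves implicit:

$$
\tilde H_\infty\big(X \mid h(X)\big) \;\ge\; n - \frac{n}{2} \;=\; \frac{n}{2},
\qquad
\tilde H_\infty\big(X \mid h(X), L(X)\big) \;\ge\; \frac{n}{2} - \Big(\frac{n}{2} - 1\Big) \;=\; 1 .
$$

By definition of average min-entropy, $\mathbb{E}_{v}\big[\max_{x} \Pr[X = x \mid \text{view} = v]\big] \le 2^{-1}$, so any inverter that sees only the view $(h(x), L(x))$ outputs the original $x$ with probability at most $1/2$. Whenever it instead outputs some $x' \ne x$ with $h(x') = h(x)$, that pair is a collision, so an inverter succeeding with noticeable probability yields a collision with probability at least $1/2$ of that, contradicting collision resistance.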
Fully-secure Signature
Assumptions: UOWHF + public-key encryption + simulation-sound NIZK [BFM, Sahai]
SK: x ∈ {0,1}^n
PK: (h, h(x), PK_enc, CRS_nizk)
Sign(m):
• C = Enc(PK_enc, (x, m))
• Π = proof in the SS-NIZK that “∃x s.t. PK contains h(x) and C is the encryption of (x, m)”
• Output (C, Π)
Proof of Security
Three ideas:
• Signature contains no (computational) information on SK
  - the NIZK proof Π is simulatable
  - Enc(x, m) ≈_c Enc(0, m)
  In the game Adv sees PK = (h, h(x), …), L(x), and for each query m the signature σ = (Enc(x, m), Π); this is indistinguishable from the hybrid where σ = (Enc(0, m), Π) with simulated Π, and Adv still outputs (m*, σ*).
• Forgery ⇒ extract a secret key
  - by simulation-soundness, σ* contains Enc(x*, m*) where h(x*) = h(x)
  - decrypting yields x* s.t. h(x*) = h(x), obtained from PK and L(x) alone
• UOWHF = leakage-resilient OWF, so recovering such an x* from h(x) and L(x) is a contradiction.
A Recipe?
Given a signature scheme s.t.
• H∞[SK given Adv’s view] is non-zero
• Forgery ⇒ extract a secret key
• Finding two SK’s for a PK is an “attack” on the underlying assumption
then it is a leakage-resilient signature.
One-time Signature (based on Lamport’78)
Assumption: OWF f
SK: x_{1,0}, x_{2,0}, …, x_{n,0} and x_{1,1}, x_{2,1}, …, x_{n,1} (each x_{i,j} uniformly random)
PK: y_{1,0}, …, y_{n,0} and y_{1,1}, …, y_{n,1} (where y_{i,j} = f(x_{i,j}))
Sign(m_1 … m_n) = (x_{1,m_1}, x_{2,m_2}, …, x_{n,m_n}); e.g. Sign(01…0) = (x_{1,0}, x_{2,1}, …, x_{n,0})
Q: Is Lamport leakage-resilient?
Not as is: leakage of a single secret (x_{1,1}) + Sign(01…0) ⇒ Sign(11…0).
Fix 1: Sign'(m) = Sign(ECC(m)), so two signed codewords differ in many positions.
Still insecure: consider f(x) that ignores 99% of x and outputs OWF(1% of x); leaking only the 1% of each x_{i,j} that f reads already gives valid preimages for every y_{i,j}.
Solution: let f be a leakage-resilient OWF (= UOWHF).
Final scheme: Assumption: UOWHF h (equivalent to OWF [NY, R]); SK and PK as above with y_{i,j} = h(x_{i,j}); Sign'(m) = Sign(ECC(m)).
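The slides argue that the code distance of ECC(.) is what sets the leakage threshold of the tweaked Lamport scheme. The following is an added example, not the authors' code: it implements Lamport signing over an encoded message and a knowledge check that, given the one legitimate signature plus a set of leaked secrets, reports whether a second codeword is fully covered. It goes slightly beyond the slide by making the distance-versus-leakage relation checkable for any code and any leak set. Assumptions: SHA-256 stands in for the abstract f / UOWHF h, and a 3-fold repetition code (minimum distance 3) stands in for the generic ECC(.).

```python
"""Lamport one-time signatures over an ECC-encoded message (added example;
SHA-256 and the repetition code are stand-ins for the slides' f/h and ECC)."""
import hashlib
import secrets

SEC = 32  # bytes per secret x_{i,j}


def f(x: bytes) -> bytes:
    """Stand-in for the one-way function / UOWHF of the slides."""
    return hashlib.sha256(x).digest()


def encode(bits, reps=3):
    """Repetition code ECC(m): each message bit repeated `reps` times.
    Two distinct messages encode to codewords at Hamming distance >= reps."""
    return [b for b in bits for _ in range(reps)]


def keygen(n, rng=secrets.token_bytes):
    """SK: 2n uniformly random secrets x_{i,j}; PK: y_{i,j} = f(x_{i,j})."""
    sk = [[rng(SEC), rng(SEC)] for _ in range(n)]
    pk = [[f(sk[i][0]), f(sk[i][1])] for i in range(n)]
    return sk, pk


def sign(sk, code):
    """Sign an n-bit codeword by revealing x_{i, code[i]} for each position i."""
    if len(code) != len(sk):
        raise ValueError("codeword length must equal key length")
    return [sk[i][code[i]] for i in range(len(code))]


def verify(pk, code, sig):
    """Accept iff every revealed secret hashes to the public value selected by code[i]."""
    if not (len(sig) == len(pk) == len(code)):
        return False
    return all(f(sig[i]) == pk[i][code[i]] for i in range(len(code)))


def sign_ecc(sk, msg_bits, reps=3):
    """Sign'(m) = Sign(ECC(m))."""
    return sign(sk, encode(msg_bits, reps))


def verify_ecc(pk, msg_bits, sig, reps=3):
    return verify(pk, encode(msg_bits, reps), sig)


def secrets_needed(signed_code, target_code):
    """Secrets (i, j) a second signature on target_code would need beyond the one
    legitimate signature on signed_code: exactly the positions where they differ."""
    return {(i, target_code[i])
            for i in range(len(signed_code)) if signed_code[i] != target_code[i]}


def covered(signed_code, target_code, leaked):
    """Knowledge check: is every secret needed for target_code already available from
    the legitimate signature plus the leaked set of (i, j) secrets? This is the
    slide's observation 'leakage + Sign(01..0) => Sign(11..0)' made explicit."""
    return secrets_needed(signed_code, target_code) <= set(leaked)


def demo():
    """Same one-secret leak, with and without the code (constructed 3-bit messages)."""
    m_signed, m_target = [0, 1, 0], [1, 1, 0]
    leak = {(0, 1)}  # the single secret x_{1,1} of the slide, 0-indexed
    plain = covered(m_signed, m_target, leak)                    # True: distance 1
    coded = covered(encode(m_signed), encode(m_target), leak)    # False: distance 3
    return plain, coded


if __name__ == "__main__":
    sk, pk = keygen(9)  # n = 3 message bits * 3 repetitions
    sig = sign_ecc(sk, [0, 1, 0])
    print("verify:", verify_ecc(pk, [0, 1, 0], sig))
    print("plain covered, coded covered:", demo())
```

The check is pure bookkeeping over which (i, j) slots are known; it says nothing about f itself, which is the point of the slide's second objection: a bad f can make a small leak reveal all 2n preimages at once, so the code distance only helps once f is a leakage-resilient OWF (UOWHF).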
An Open Question
This Work: bounded, memory leakage
+ [FKPR’09]: continual, computational leakage
Best of both worlds? The continual / memory-leakage cell of the grid remains open (?).