
1 Leakage-resilient Signatures
Vinod Vaikuntanathan (IBM) Jonathan Katz (IBM & Univ. of Maryland)

2 Leakage-resilient Crypto
What leaks? How much?
L: any polynomial-size circuit [MR’03, DP’08, P’09, AGV’09, …]
L: smaller class of circuits [Riv’97, B’99, CDH+’00, ISW’03, FRT’09, RV’09]
[Diagram labels: Crypto Device, Secret-Memory, Secret-Key, L(SK), L(SM), =SK+…]

3 Models of Leakage
What leaks?
  Memory Leakage [HSH+’08, AGV’09]: “All secret memory leaks”
  Computational Leakage [MR’03]: “Only computation leaks information”
How much?
  Bounded: Total leakage < α(|secret|)
  Continual: Leakage in any time-period < α(|secret|)

4 Models of Leakage
Memory Leakage [HSH+’08, AGV’09], Bounded: [AGV’09, NS’09, ADW’09], This Work
Computational Leakage [MR’03], Continual: [MR’03, DP’08, P’09, FKPR’09]

5 Leakage-Resilient Signatures
GMR-security against bounded α(.)-memory attacks:
For every PPT Adv, if |L(SK)| ≤ α(|SK|), Pr[Adv wins] is negligible.
[Diagram labels: Adv is given PK; L → L(SK); m → Sign(m); Adv outputs (m*,σ*)]

6 Leakage-Resilient Signatures
[ADW’09]: Bounded (1/2-ε)n memory leakage, in random oracle model
[FKPR’09]: Continual α(n) comp. leakage, assuming 2^{α(n)}-hardness
Memory Leakage, Bounded: [ADW’09]
Comp. Leakage, Continual: [FKPR’09]

7 Our Results
Setting: bounded, memory leakage
A New Scheme:
  GMR-secure
  (1-ε) fraction leakage, ∀ε>0
  Assumption: Semantically secure enc. + NIZK
An Old Scheme (+ tweaks):
  one-time signature (generally, t-time)
  ≈ 1/4 fraction leakage
  Assumption: One-way functions (and more…)
More generally, I would like to come up with a Recipe

8 Our Results
Theorem [FKPR’09]: Bounded α(n) leakage (3-time sig) ⇒ Continual α(n)/3 comp. leakage (fully-secure sig)
Memory Leakage, Bounded: This Work
  ↓ Theorem of FKPR
Computational Leakage, Continual: This Work + [FKPR’09]

9 Leakage-resilient One-way Functions
Definition: Hard to invert f given L(x), for any L s.t. |L(x)| ≤ α(n).
Lemma: Any UOWHF is a leakage-resilient OWF.
“Proof” (for CRHFs):
  h: {0,1}^n → {0,1}^{n/2} is a CRHF
  L: {0,1}^n → {0,1}^{n/2-1} is any leakage function
  x has min-entropy n/2 given h(x)
  x has min-entropy ≥ 1 given h(x) and L(x)
  Given h(x) and L(x), an inverter returns x'≠x w.p. ≥ 1/2

10 Fully-secure Signature
Assumptions: UOWHF + Public-key Encryption + Simulation-sound NIZK [BFM,Sahai]
SK: x ∈ {0,1}^n
PK: (h, h(x), PK_enc, CRS_nizk)
Sign(m):
  C = Enc(PK_enc,(x,m))
  Π = Proof in SS-NIZK that “∃x s.t. PK contains h(x) and C is the enc. of (x,m)”
  Output (C, Π).

11 Proof of Security
Three Ideas:
Signature contains no (computational) info. on SK
  - NIZK proof Π is simulatable
  - Enc(x,m) ≈_c Enc(0,m)
[Diagram labels: Adv is given PK=(h,h(x),…) and L(x); on query m, σ=(Enc(x,m),Π) is replaced by σ=(Enc(0,m),Π); Adv outputs (m*,σ*)]

12 Proof of Security
Three Ideas:
Signature contains no (computational) info. on SK
Forgery ⇒ extract a secret-key.
  - simulation-soundness
[Diagram labels: Adv is given PK=(h,h(x),…) and L(x); Adv outputs (m*,σ*); σ* contains Enc(x*,m*) where h(x*)=h(x)]

13 Proof of Security
Three Ideas:
Signature contains no (computational) info. on SK
Forgery ⇒ extract a secret-key.
  - simulation-soundness
[Diagram labels: Adv is given PK=(h,h(x),…) and L(x); extracted: x* s.t. h(x*)=h(x)]

14 Proof of Security
Three Ideas:
Signature contains no (computational) info. on SK
Forgery ⇒ extract a secret-key.
UOWHF = Leakage-resilient OWF. Contradiction.
[Diagram labels: Adv is given PK=(h,h(x),…) and L(x); extracted: x* s.t. h(x*)=h(x)]

15 A Recipe?
Given signature scheme s.t.
  H∞[SK given Adv’s view] is non-zero
  Forgery ⇒ extract a secret-key
  Finding two SK’s for a PK is an “attack”
⇒ Leakage-resilient Signature

16 One-time Signature (based on Lamport’78)
Assumption: OWF f
SK: x_{1,0} x_{2,0} … x_{n,0}
    x_{1,1} x_{2,1} … x_{n,1}   (x_{i,j} unif. random)
PK: y_{1,0} y_{2,0} … y_{n,0}
    y_{1,1} y_{2,1} … y_{n,1}   (where y_{i,j} = f(x_{i,j}))
Sign(m_1…m_n) = (x_{1,0} x_{2,1} … x_{n,0}) for m_1…m_n = 01…0
Q: Is Lamport leakage-resilient?

17 One-time Signature (based on Lamport’78)
Assumption: OWF f
SK: x_{1,0} x_{2,0} … x_{n,0}
    x_{1,1} x_{2,1} … x_{n,1}
PK: y_{1,0} y_{2,0} … y_{n,0}
    y_{1,1} y_{2,1} … y_{n,1}
Leakage + Sign(01…0) → Sign(11…0) !

18 One-time Signature (based on Lamport’78)
Assumption: OWF f
SK: x_{1,0} x_{2,0} … x_{n,0}
    x_{1,1} x_{2,1} … x_{n,1}
PK: y_{1,0} y_{2,0} … y_{n,0}
    y_{1,1} y_{2,1} … y_{n,1}
Sign'(m) = Sign(ECC(m))

19 One-time Signature (based on Lamport’78)
Assumption: OWF f
SK: x_{1,0} x_{2,0} … x_{n,0}
    x_{1,1} x_{2,1} … x_{n,1}
PK: y_{1,0} y_{2,0} … y_{n,0}
    y_{1,1} y_{2,1} … y_{n,1}
Sign'(m) = Sign(ECC(m))
Still insecure: Consider f(x) that ignores 99% of x; outputs OWF(1% of x).
Solution: Let f be a leakage-resilient OWF (=UOWHF)

20 One-time Signature (based on Lamport’78)
Assumption: UOWHF h (=OWF [NY,R])
SK: x_{1,0} x_{2,0} … x_{n,0}
    x_{1,1} x_{2,1} … x_{n,1}
PK: y_{1,0} y_{2,0} … y_{n,0}
    y_{1,1} y_{2,1} … y_{n,1}
Sign'(m) = Sign(ECC(m))
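Added example (not from the slides): slides 16-18 in code, measuring how many secret values beyond an issued signature a second message needs under Sign and under Sign'(m) = Sign(ECC(m)). Assumptions: SHA-256 stands in for f, an r-fold repetition code stands in for the ECC, and the helper names and toy sizes are constructed for the illustration.

```python
import hashlib
import secrets

def f(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slides' function f.
    return hashlib.sha256(x).digest()

def keygen(n: int):
    # sk[j][i] is x_{i+1,j}; pk[j][i] = f(sk[j][i]) is y_{i+1,j}.
    sk = [[secrets.token_bytes(32) for _ in range(n)] for _ in (0, 1)]
    pk = [[f(x) for x in row] for row in sk]
    return sk, pk

def sign(sk, bits):
    # Reveal one preimage per message bit.
    return [sk[b][i] for i, b in enumerate(bits)]

def verify(pk, bits, sig) -> bool:
    return len(sig) == len(bits) and all(
        f(s) == pk[b][i] for i, (b, s) in enumerate(zip(bits, sig)))

def ecc(bits, r: int):
    # Assumption: an r-fold repetition code (minimum distance r) as the ECC.
    return [b for b in bits for _ in range(r)]

def unrevealed(signed, target):
    # Positions where `target` needs a key value the signature on `signed` never revealed.
    return [i for i, (a, b) in enumerate(zip(signed, target)) if a != b]

def splice(sig, leaked):
    # An issued signature combined with leaked key values {position: x}, as on slide 17.
    return [leaked.get(i, s) for i, s in enumerate(sig)]

def compare(n: int = 16, r: int = 8):
    m = [0, 1] + [0] * (n - 2)     # 01…0 (constructed sample message)
    m2 = [1, 1] + [0] * (n - 2)    # 11…0
    results = []
    for encode in (lambda b: b, lambda b: ecc(b, r)):   # Sign, then Sign'
        c, c2 = encode(m), encode(m2)
        sk, pk = keygen(len(c))
        gap = unrevealed(c, c2)
        leaked = {gap[0]: sk[c2[gap[0]]][gap[0]]}       # leakage of a single x_{i,j}
        results.append((len(gap), verify(pk, c2, splice(sign(sk, c), leaked))))
    return results

if __name__ == "__main__":
    print(compare())   # (unrevealed values needed, second message verifies?) per scheme
```

The code distance only raises the number of key values that must leak; slide 19's requirement that f itself be leakage-resilient is a separate condition that this sketch does not model.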

21 An Open Question
This Work: Bounded, memory leakage
+FKPR’09: Continual, computational leakage
Best of both worlds?
Memory Leakage, Bounded: This Work
Computational Leakage, Continual: This Work + [FKPR’09]

22 Thanks!

