Download presentation
Presentation is loading. Please wait.
1
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol
2
2 Provable Security A proof of security provides a strong argument in favour of a scheme’s security. Most of the major types of cryptosystem have a generally accepted security model. Let us consider the security model for a signature scheme...
3
3 Provable Security: Signatures public key Signature Oracle m σ (m*,σ*) The forger wins if σ* is a valid signature for the message m* and the signature oracle did not return σ* when asked to sign message m*. F
4
4 Provable Security Black box model. Many practical implementations give out more information than just the signature. These “side-channels” include: – Timing information. – Power consumption information. – Electro-magnetic radiation information. – Error message information.
5
5 Physically Observable Security Micali-Reyzin model [TCC 2004]. Passive attackers only. Based on a series of informal axioms: – Only computation leaks information – Different computers leak different information. – Information leakage depends on measurement. – Information leakage is local. – Leaked information is efficiently computable.
6
6 Physically Observable Security public key Signature Oracle m σ (m*,σ *)
7
7 Physically Observable Security public key Signature Oracle m σ (m*,σ *) Leakage function leakage
8
8 Physically Observable Security Note that physically observable security is a physical assumption. I.e. it is only possible to consider whether a machine is secure and not a primitive. Micali-Reyzin approached POS from a “micro” perspective and concentrated on showing how secure components can be combined. We take a “macro” perspective.
9
9 Physically Observable Security public key Signature Oracle m σ (m*,σ *) Leakage function leakage
10
10 Security of Signature Schemes mσ leakage
11
11 Security of Signature Schemes mσ... sk 1 sk 2 sk 3 sk n
12
12 Security of Signature Schemes mσ... sk 1 sk 2 sk 3 sk n Simulator
13
13 Security of Signature Schemes If, for each “box”, there exists a polynomial- time algorithm that can simulate the leakage from the box in such a way that no polynomial- time attacker can distinguish it from the real leakage even when the attacker has access to the secret keys for all the other boxes......then the signature scheme is secure against physical attacks if and only if it is secure against black-box attacks.
14
14 Security of Signature Schemes If you can isolate each component of a signature scheme and effectively simulate all of the side-channel information it produces......then you don’t have to worry about (passive) side-channel attacks against the scheme. Note that “distinguishing” one set of side- channel information from another set of side- channel information is a physical problem.
15
15 Open problems A physically observable security model that models all passive attackers. A physically observable security model that models active attackers. Signature schemes with branching and looping, and/or with dependent secret keys. Other types of primitive? Encryption?
16
16 Conclusions We present a theoretical result that suggests that if a signature schemes is – secure in the black-box model, – and the leakage of the individual components of the scheme do not depend on any secret information then the signature scheme is physically secure.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.