Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol."— Presentation transcript:

1 The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol

2 2 Provable Security A proof of security provides a strong argument in favour of a scheme’s security. Most of the major types of cryptosystem have a generally accepted security model. Let us consider the security model for a signature scheme...

3 3 Provable Security: Signatures public key Signature Oracle m σ (m*,σ*) The forger wins if σ* is a valid signature for the message m* and the signature oracle did not return σ* when asked to sign message m*. F

4 4 Provable Security Black box model. Many practical implementations give out more information than just the signature. These “side-channels” include: – Timing information. – Power consumption information. – Electro-magnetic radiation information. – Error message information.

5 5 Physically Observable Security Micali-Reyzin model [TCC 2004]. Passive attackers only. Based on a series of informal axioms: – Only computation leaks information – Different computers leak different information. – Information leakage depends on measurement. – Information leakage is local. – Leaked information is efficiently computable.

6 6 Physically Observable Security public key Signature Oracle m σ (m*,σ *)

7 7 Physically Observable Security public key Signature Oracle m σ (m*,σ *) Leakage function leakage

8 8 Physically Observable Security Note that physically observable security is a physical assumption. I.e. it is only possible to consider whether a machine is secure and not a primitive. Micali-Reyzin approached POS from a “micro” perspective and concentrated on showing how secure components can be combined. We take a “macro” perspective.

9 9 Physically Observable Security public key Signature Oracle m σ (m*,σ *) Leakage function leakage

10 10 Security of Signature Schemes mσ leakage

11 11 Security of Signature Schemes mσ... sk 1 sk 2 sk 3 sk n

12 12 Security of Signature Schemes mσ... sk 1 sk 2 sk 3 sk n Simulator

13 13 Security of Signature Schemes If, for each “box”, there exists a polynomial- time algorithm that can simulate the leakage from the box in such a way that no polynomial- time attacker can distinguish it from the real leakage even when the attacker has access to the secret keys for all the other boxes......then the signature scheme is secure against physical attacks if and only if it is secure against black-box attacks.

14 14 Security of Signature Schemes If you can isolate each component of a signature scheme and effectively simulate all of the side-channel information it produces......then you don’t have to worry about (passive) side-channel attacks against the scheme. Note that “distinguishing” one set of side- channel information from another set of side- channel information is a physical problem.

15 15 Open problems A physically observable security model that models all passive attackers. A physically observable security model that models active attackers. Signature schemes with branching and looping, and/or with dependent secret keys. Other types of primitive? Encryption?

16 16 Conclusions We present a theoretical result that suggests that if a signature schemes is – secure in the black-box model, – and the leakage of the individual components of the scheme do not depend on any secret information then the signature scheme is physically secure.

Download ppt "The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.

LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Cryptography in Subgroups of Z n * Jens Groth UCLA.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Similar presentations

Ads by Google