Fully Leakage-Resilient Signatures

Article. Received: 10 April 2012. First Online: 31 October 2012. DOI: 10.1007/s00145-012-9136-3

Cite this article as: Boyle, E., Segev, G. & Wichs, D. J Cryptol (2013) 26: 513. doi:10.1007/s00145-012-9136-3

Abstract

A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks.

One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key.

In this paper we construct the first fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1−o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.

Key words: Leakage-resilient cryptography; Signature schemes

Communicated by Jonathan Katz

Solicited from Eurocrypt 2011. A preliminary version of this work appeared in Advances in Cryptology—EUROCRYPT’11, pp. 89–108, 2011.

Research of E. Boyle was supported by the US National Defense Science and Engineering Graduate Fellowship. This work was partially completed while visiting the Weizmann Institute of Science.

This work was partially completed while G. Segev was a Ph.D. student at the Weizmann Institute of Science, and supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.

This work of D. Wichs was partially completed while visiting the Weizmann Institute of Science.

References

[1] A. Akavia, S. Goldwasser, V. Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks, in Proceedings of the 6th Theory of Cryptography Conference (2009), pp. 474–495
[2] J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Walfish, D. Wichs, Public-key encryption in the bounded-retrieval model, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 113–134
[3] J. Alwen, Y. Dodis, D. Wichs, Leakage-resilient public-key cryptography in the bounded-retrieval model, in Advances in Cryptology—CRYPTO’09 (2009), pp. 36–54
[4] G. Ateniese, J. Camenisch, B. de Medeiros, Untraceable RFID tags via insubvertible encryption, in Proceedings of the 12th ACM Conference on Computer and Communications Security (2005), pp. 92–101
[5] B. Barak, O. Goldreich, Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)
[6] M. Bellare, S. Goldwasser, New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs, in Advances in Cryptology—CRYPTO’89 (1989), pp. 194–211
[7] M. Bellare, D. Hofheinz, S. Yilek, Possibility and impossibility results for encryption and commitment secure under selective opening, in Advances in Cryptology—EUROCRYPT’09 (2009), pp. 1–35
[8] E. Biham, A. Shamir, Differential fault analysis of secret key cryptosystems, in Advances in Cryptology—CRYPTO’97 (1997), pp. 513–525
[9] D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology—CRYPTO’04 (2004), pp. 443–459
[10] D. Boneh, X. Boyen, H. Shacham, Short group signatures, in Advances in Cryptology—CRYPTO’04 (2004), pp. 41–55
[11] D. Boneh, R.A. DeMillo, R.J. Lipton, On the importance of checking cryptographic protocols for faults, in Advances in Cryptology—EUROCRYPT’97 (1997), pp. 37–51
[12] D. Boneh, E.-J. Goh, K. Nissim, Evaluating 2-DNF formulas on ciphertexts, in Proceedings of the 2nd Theory of Cryptography Conference (2005), pp. 325–341
[13] Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back), in Advances in Cryptology—CRYPTO’10 (2010), pp. 1–20
[14] Z. Brakerski, Y. Tauman Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010)
[15] Z. Brakerski, Y. Tauman Kalai, J. Katz, V. Vaikuntanathan, Cryptography resilient to continual memory leakage, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 501–510
[16] D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 523–552
[17] Y. Dodis, S. Goldwasser, Y. Tauman Kalai, C. Peikert, V. Vaikuntanathan, Public-key encryption schemes with auxiliary inputs, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 361–381
[18] Y. Dodis, K. Haralambiev, A. Lopez-Alt, D. Wichs, Cryptography against continuous memory attacks, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 511–520
[19] Y. Dodis, K. Haralambiev, A. Lopez-Alt, D. Wichs, Efficient public-key cryptography in the presence of key leakage, in Advances in Cryptology—ASIACRYPT’10 (2010), pp. 613–631
[20] Y. Dodis, A.B. Lewko, B. Waters, D. Wichs, Storing secrets on continually leaky devices, in Proceedings of the 52nd Annual IEEE Symposium on Foundations of Computer Science (2011), pp. 688–697
[21] Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
[22] Y. Dodis, Y. Tauman Kalai, S. Lovett, On cryptography with auxiliary input, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (2009), pp. 621–630
[23] S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science (2008), pp. 293–302
[24] S. Faust, E. Kiltz, K. Pietrzak, G.N. Rothblum, Leakage-resilient signatures, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 343–360
[25] S. Faust, T. Rabin, L. Reyzin, E. Tromer, V. Vaikuntanathan, Protecting circuits from leakage: the computationally-bounded and noisy cases, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 135–156
[26] A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Advances in Cryptology—CRYPTO’86 (1986), pp. 186–194
[27] D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions, in Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography (2010), pp. 279–295
[28] S. Garg, A. Jain, A. Sahai, Leakage-resilient zero knowledge, in Advances in Cryptology—CRYPTO’11 (2011), pp. 297–315
[29] S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
[30] S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
[31] S. Goldwasser, G. Rothblum, How to play mental solitaire under continuous side-channels: a completeness theorem using secure hardware, in Advances in Cryptology—CRYPTO’10 (2010), pp. 59–79
[32] S. Goldwasser, Y. Tauman Kalai, C. Peikert, V. Vaikuntanathan, Robustness of the learning with errors assumption, in Proceedings of the 1st Symposium on Innovations in Computer Science (2010), pp. 230–240
[33] J. Groth, R. Ostrovsky, A. Sahai, Perfect non-interactive zero knowledge for NP, in Advances in Cryptology—EUROCRYPT’06 (2006), pp. 339–358
[34] J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in Advances in Cryptology—EUROCRYPT’08 (2008), pp. 415–432
[35] J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, J. Appelbaum, E.W. Felten, Lest we remember: cold boot attacks on encryption keys, in Proceedings of the 17th USENIX Security Symposium (2008), pp. 45–60
[36] B. Hemenway, B. Libert, R. Ostrovsky, D. Vergnaud, Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security, in Advances in Cryptology—ASIACRYPT’11 (2011), pp. 70–88
[37] N. Heninger, H. Shacham, Reconstructing RSA private keys from random key bits, in Advances in Cryptology—CRYPTO’09 (2009), pp. 1–17
[38] S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in Advances in Cryptology—CRYPTO’09 (2009), pp. 654–670
[39] C.-Y. Hsiao, L. Reyzin, Finding collisions on a public road, or do secure hash functions need secret coins?, in Advances in Cryptology—CRYPTO’04 (2004), pp. 92–105
[40] Y. Ishai, A. Sahai, D. Wagner, Private circuits: securing hardware against probing attacks, in Advances in Cryptology—CRYPTO’03 (2003), pp. 463–481
[41] A. Joux, K. Nguyen, Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003)
[42] A. Juma, Y. Vahlis, On protecting cryptographic keys against side-channel attacks, in Advances in Cryptology—CRYPTO’10 (2010), pp. 41–58
[43] J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience, in Advances in Cryptology—ASIACRYPT’09 (2009), pp. 703–720
[44] J. Kilian, A note on efficient zero-knowledge proofs and arguments (extended abstract), in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1992), pp. 723–732
[45] E. Kiltz, Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie–Hellman, in Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography (2007), pp. 282–297
[46] P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in Advances in Cryptology—CRYPTO’96 (1996), pp. 104–113
[47] P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in Advances in Cryptology—CRYPTO’99 (1999), pp. 388–397
[48] G. Kol, M. Naor, Cryptography and game theory: designing protocols for exchanging information, in Proceedings of the 5th Theory of Cryptography Conference (2008), pp. 320–339
[49] H. Krawczyk, T. Rabin, Chameleon signatures, in Proceedings of the Network and Distributed System Security Symposium (NDSS) (2000)
[50] A.B. Lewko, M. Lewko, B. Waters, How to leak on key updates, in Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (2011), pp. 725–734
[51] V. Lyubashevsky, A. Palacio, G. Segev, Public-key cryptographic primitives provably as secure as subset sum, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 382–400
[52] T. Malkin, I. Teranishi, Y. Vahlis, M. Yung, Signatures resilient to continual leakage on memory and computation, in Proceedings of the 8th Theory of Cryptography Conference (2011), pp. 89–106
[53] S. Micali, Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
[54] S. Micali, L. Reyzin, Physically observable cryptography, in Proceedings of the 1st Theory of Cryptography Conference (2004), pp. 278–296
[55] M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage, in Advances in Cryptology—CRYPTO’09 (2009), pp. 18–35
[56] M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (1989), pp. 33–43
[57] C. Peikert, V. Vaikuntanathan, B. Waters, A framework for efficient and composable oblivious transfer, in Advances in Cryptology—CRYPTO’08 (2008), pp. 554–571
[58] C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)
[59] K. Pietrzak, A leakage-resilient mode of operation, in Advances in Cryptology—EUROCRYPT’09 (2009), pp. 462–482
[60] J. Rompel, One-way functions are necessary and sufficient for secure signatures, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1990), pp. 387–394
[61] H. Shacham, A Cramer–Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007)
[62] V. Shoup, Lower bounds for discrete logarithms and related problems, in Advances in Cryptology—EUROCRYPT’97 (1997), pp. 256–266
[63] Y. Tauman Kalai, B. Kanukurthi, A. Sahai, Cryptography with tamperable and leaky memory, in Advances in Cryptology—CRYPTO’11 (2011), pp. 373–390
[64] B. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT’05 (2005), pp. 114–127

© International Association for Cryptologic Research 2012

Authors and Affiliations

1. Department of Mathematics, Massachusetts Institute of Technology, Cambridge, USA
2. Microsoft Research, Mountain View, USA
3. Department of Computer Science, New York University, New York, USA