Fully Leakage-Resilient Signatures
 Elette Boyle,
 Gil Segev,
 Daniel Wichs
Abstract
A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks.
One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key.
In this paper we construct the first fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1−o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.
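The security experiment the abstract describes, as an added example in Python that is not part of the paper and does not implement any of its constructions. The signing scheme inside is a constructed stand-in (a randomized HMAC tag under a key held as two XOR shares, so the verifier also holds the key); it exists only to give the experiment a signing key, per-signature randomness and a refresh operation. The experiment's Leak oracle applies the adversary's function to the entire secret state, including the randomness of earlier signing queries (the "fully" part), counts the answer in bits against a budget λ, and in the continual model resets that budget on each key refresh while the combined key stays fixed. The names `ToySigner`, `FullLeakageExperiment`, `truncate_bits` and `bounded_leakage_budget` are the example's own.

```python
import hashlib
import hmac
import os
from typing import Callable, List

KEY_BYTES = 32
L_BITS = KEY_BYTES * 8   # L: length of the signing key in bits
RAND_BYTES = 16          # per-signature randomness of the stand-in scheme


def bounded_leakage_budget(l_bits: int, slack_bits: int) -> int:
    """lambda = L - slack, i.e. (1 - o(1))L once slack is small relative to L."""
    if not 0 < slack_bits < l_bits:
        raise ValueError("slack must be positive and smaller than L")
    return l_bits - slack_bits


def truncate_bits(data: bytes, nbits: int) -> bytes:
    """Keep only the first nbits of data (zero-padded): leakage is metered in bits."""
    nbytes = (nbits + 7) // 8
    out = bytearray(data[:nbytes].ljust(nbytes, b"\0"))
    spare = nbytes * 8 - nbits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


class ToySigner:
    """Constructed stand-in for a signature scheme (really a MAC, since the
    verifier holds the key).  Not the paper's construction."""

    def __init__(self) -> None:
        self.share_a = os.urandom(KEY_BYTES)   # signing key = share_a XOR share_b
        self.share_b = os.urandom(KEY_BYTES)

    def _key(self) -> bytes:
        return bytes(x ^ y for x, y in zip(self.share_a, self.share_b))

    def sign(self, msg: bytes, rand: bytes) -> bytes:
        return rand + hmac.new(self._key(), rand + msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        rand, tag = sig[:RAND_BYTES], sig[RAND_BYTES:]
        expected = hmac.new(self._key(), rand + msg, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    def refresh(self) -> None:
        # XOR both shares with one delta: the stored secret changes entirely,
        # the combined key (the fixed verification key of the continual model) does not.
        delta = os.urandom(KEY_BYTES)
        self.share_a = bytes(x ^ d for x, d in zip(self.share_a, delta))
        self.share_b = bytes(x ^ d for x, d in zip(self.share_b, delta))


class LeakageBudgetExceeded(Exception):
    pass


class FullLeakageExperiment:
    """Sign/Leak oracles of the fully leakage-resilient unforgeability game.
    Leak(f, k) applies f to the whole secret state, including every random
    string used by earlier signing queries, and returns at most k bits.
    Bounded model: lam bits over the lifetime; continual model: lam bits
    between two successive refreshes."""

    def __init__(self, scheme: ToySigner, lam_bits: int, continual: bool = False) -> None:
        self.scheme = scheme
        self.lam = lam_bits
        self.continual = continual
        self.used_bits = 0
        self.randomness: List[bytes] = []   # intermediate values used so far
        self.signed: List[bytes] = []

    def secret_state(self) -> bytes:
        return self.scheme.share_a + self.scheme.share_b + b"".join(self.randomness)

    def sign(self, msg: bytes) -> bytes:
        rand = os.urandom(RAND_BYTES)
        self.randomness.append(rand)        # leakable from now on
        self.signed.append(msg)
        return self.scheme.sign(msg, rand)

    def leak(self, f: Callable[[bytes], bytes], out_bits: int) -> bytes:
        if out_bits < 0 or self.used_bits + out_bits > self.lam:
            raise LeakageBudgetExceeded(
                f"{self.used_bits} + {out_bits} bits exceeds the budget of {self.lam}")
        self.used_bits += out_bits
        return truncate_bits(f(self.secret_state()), out_bits)

    def refresh(self) -> None:
        if not self.continual:
            raise RuntimeError("key refresh exists only in the continual-leakage model")
        self.scheme.refresh()
        self.used_bits = 0                  # the budget is per refresh period

    def forgery_wins(self, msg: bytes, sig: bytes) -> bool:
        """The adversary wins only with a valid signature on an unqueried message."""
        return msg not in self.signed and self.scheme.verify(msg, sig)


if __name__ == "__main__":
    lam = bounded_leakage_budget(L_BITS, slack_bits=8)   # 248 of 256 bits
    game = FullLeakageExperiment(ToySigner(), lam)
    sig = game.sign(b"message 1")
    # Leakage that reads the randomness of the signing query just made:
    # exactly the dependence the "fully" model allows.
    nonce = game.leak(lambda st: st[2 * KEY_BYTES:2 * KEY_BYTES + RAND_BYTES], 8 * RAND_BYTES)
    print("leaked nonce equals signature nonce:", nonce == sig[:RAND_BYTES])
    print("budget used:", game.used_bits, "of", lam)
```

The budget check happens before the leakage function runs, so a query that would overshoot λ is refused outright rather than answered and charged; in the continual variant, signatures produced before a refresh still verify afterwards, which is the fixed-verification-key property the abstract refers to.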
Within this Article
 Introduction
 Preliminaries
 Modeling Leakage-Resilient Signature Schemes
 $\mathcal{R}$-Lossy Public-Key Encryption
 A Signature Scheme in the Bounded-Leakage Model
 An Efficient Instantiation Based on the Linear Assumption
 A Signature Scheme in the Continual-Leakage Model
 Concluding Remarks and Open Problems
 References
 References
 A. Akavia, S. Goldwasser, V. Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks, in Proceedings of the 6th Theory of Cryptography Conference (2009), pp. 474–495
 J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Walfish, D. Wichs, Public-key encryption in the bounded-retrieval model, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 113–134
 J. Alwen, Y. Dodis, D. Wichs, Leakage-resilient public-key cryptography in the bounded-retrieval model, in Advances in Cryptology—CRYPTO’09 (2009), pp. 36–54
 G. Ateniese, J. Camenisch, B. de Medeiros, Untraceable RFID tags via insubvertible encryption, in Proceedings of the 12th ACM Conference on Computer and Communications Security (2005), pp. 92–101
 B. Barak, O. Goldreich, Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)
 M. Bellare, S. Goldwasser, New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs, in Advances in Cryptology—CRYPTO’89 (1989), pp. 194–211
 M. Bellare, D. Hofheinz, S. Yilek, Possibility and impossibility results for encryption and commitment secure under selective opening, in Advances in Cryptology—EUROCRYPT’09 (2009), pp. 1–35
 E. Biham, A. Shamir, Differential fault analysis of secret key cryptosystems, in Advances in Cryptology—CRYPTO’97 (1997), pp. 513–525
 D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology—CRYPTO’04 (2004), pp. 443–459
 D. Boneh, X. Boyen, H. Shacham, Short group signatures, in Advances in Cryptology—CRYPTO’04 (2004), pp. 41–55
 D. Boneh, R.A. DeMillo, R.J. Lipton, On the importance of checking cryptographic protocols for faults, in Advances in Cryptology—EUROCRYPT’97 (1997), pp. 37–51
 D. Boneh, E.J. Goh, K. Nissim, Evaluating 2-DNF formulas on ciphertexts, in Proceedings of the 2nd Theory of Cryptography Conference (2005), pp. 325–341
 Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back), in Advances in Cryptology—CRYPTO’10 (2010), pp. 1–20
 Z. Brakerski, Y. Tauman Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086, 2010
 Z. Brakerski, Y. Tauman Kalai, J. Katz, V. Vaikuntanathan, Cryptography resilient to continual memory leakage, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 501–510
 D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 523–552
 Y. Dodis, S. Goldwasser, Y. Tauman Kalai, C. Peikert, V. Vaikuntanathan, Public-key encryption schemes with auxiliary inputs, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 361–381
 Y. Dodis, K. Haralambiev, A. Lopez-Alt, D. Wichs, Cryptography against continuous memory attacks, in Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (2010), pp. 511–520
 Y. Dodis, K. Haralambiev, A. Lopez-Alt, D. Wichs, Efficient public-key cryptography in the presence of key leakage, in Advances in Cryptology—ASIACRYPT’10 (2010), pp. 613–631
 Y. Dodis, A.B. Lewko, B. Waters, D. Wichs, Storing secrets on continually leaky devices, in Proceedings of the 52nd Annual IEEE Symposium on Foundations of Computer Science (2011), pp. 688–697
 Y. Dodis, R. Ostrovsky, L. Reyzin, A. Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
 Y. Dodis, Y. Tauman Kalai, S. Lovett, On cryptography with auxiliary input, in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (2009), pp. 621–630
 S. Dziembowski, K. Pietrzak, Leakage-resilient cryptography, in Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science (2008), pp. 293–302
 S. Faust, E. Kiltz, K. Pietrzak, G.N. Rothblum, Leakage-resilient signatures, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 343–360
 S. Faust, T. Rabin, L. Reyzin, E. Tromer, V. Vaikuntanathan, Protecting circuits from leakage: the computationally-bounded and noisy cases, in Advances in Cryptology—EUROCRYPT’10 (2010), pp. 135–156
 A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in Advances in Cryptology—CRYPTO’86 (1986), pp. 186–194
 D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions, in Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography (2010), pp. 279–295
 S. Garg, A. Jain, A. Sahai, Leakage-resilient zero knowledge, in Advances in Cryptology—CRYPTO’11 (2011), pp. 297–315
 S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
 S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
 S. Goldwasser, G. Rothblum, How to play mental solitaire under continuous side-channels: a completeness theorem using secure hardware, in Advances in Cryptology—CRYPTO’10 (2010), pp. 59–79
 S. Goldwasser, Y. Tauman Kalai, C. Peikert, V. Vaikuntanathan, Robustness of the learning with errors assumption, in Proceedings of the 1st Symposium on Innovations in Computer Science (2010), pp. 230–240
 J. Groth, R. Ostrovsky, A. Sahai, Perfect non-interactive zero knowledge for NP, in Advances in Cryptology—EUROCRYPT’06 (2006), pp. 339–358
 J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in Advances in Cryptology—EUROCRYPT’08 (2008), pp. 415–432
 J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, J. Appelbaum, E.W. Felten, Lest we remember: cold boot attacks on encryption keys, in Proceedings of the 17th USENIX Security Symposium (2008), pp. 45–60
 B. Hemenway, B. Libert, R. Ostrovsky, D. Vergnaud, Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security, in Advances in Cryptology—ASIACRYPT’11 (2011), pp. 70–88
 N. Heninger, H. Shacham, Reconstructing RSA private keys from random key bits, in Advances in Cryptology—CRYPTO’09 (2009), pp. 1–17
 S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in Advances in Cryptology—CRYPTO’09 (2009), pp. 654–670
 C.Y. Hsiao, L. Reyzin, Finding collisions on a public road, or do secure hash functions need secret coins, in Advances in Cryptology—CRYPTO’04 (2004), pp. 92–105
 Y. Ishai, A. Sahai, D. Wagner, Private circuits: securing hardware against probing attacks, in Advances in Cryptology—CRYPTO’03 (2003), pp. 463–481
 A. Joux, K. Nguyen, Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003)
 A. Juma, Y. Vahlis, On protecting cryptographic keys against side-channel attacks, in Advances in Cryptology—CRYPTO’10 (2010), pp. 41–58
 J. Katz, V. Vaikuntanathan, Signature schemes with bounded leakage resilience, in Advances in Cryptology—ASIACRYPT’09 (2009), pp. 703–720
 J. Kilian, A note on efficient zero-knowledge proofs and arguments (extended abstract), in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1992), pp. 723–732
 E. Kiltz, Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie–Hellman, in Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography (2007), pp. 282–297
 P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in Advances in Cryptology—CRYPTO’96 (1996), pp. 104–113
 P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in Advances in Cryptology—CRYPTO’99 (1999), pp. 388–397
 G. Kol, M. Naor, Cryptography and game theory: designing protocols for exchanging information, in Proceedings of the 5th Theory of Cryptography Conference (2008), pp. 320–339
 H. Krawczyk, T. Rabin, Chameleon signatures, in Proceedings of the Network and Distributed System Security Symposium (NDSS) (2000)
 A.B. Lewko, M. Lewko, B. Waters, How to leak on key updates, in Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (2011), pp. 725–734
 V. Lyubashevsky, A. Palacio, G. Segev, Public-key cryptographic primitives provably as secure as subset sum, in Proceedings of the 7th Theory of Cryptography Conference (2010), pp. 382–400
 T. Malkin, I. Teranishi, Y. Vahlis, M. Yung, Signatures resilient to continual leakage on memory and computation, in Proceedings of the 8th Theory of Cryptography Conference (2011), pp. 89–106
 S. Micali, Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
 S. Micali, L. Reyzin, Physically observable cryptography, in Proceedings of the 1st Theory of Cryptography Conference (2004), pp. 278–296
 M. Naor, G. Segev, Public-key cryptosystems resilient to key leakage, in Advances in Cryptology—CRYPTO’09 (2009), pp. 18–35
 M. Naor, M. Yung, Universal one-way hash functions and their cryptographic applications, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (1989), pp. 33–43
 C. Peikert, V. Vaikuntanathan, B. Waters, A framework for efficient and composable oblivious transfer, in Advances in Cryptology—CRYPTO’08 (2008), pp. 554–571
 C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)
 K. Pietrzak, A leakage-resilient mode of operation, in Advances in Cryptology—EUROCRYPT’09 (2009), pp. 462–482
 J. Rompel, One-way functions are necessary and sufficient for secure signatures, in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (1990), pp. 387–394
 H. Shacham, A Cramer–Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007)
 V. Shoup, Lower bounds for discrete logarithms and related problems, in Advances in Cryptology—EUROCRYPT’97 (1997), pp. 256–266
 Y. Tauman Kalai, B. Kanukurthi, A. Sahai, Cryptography with tamperable and leaky memory, in Advances in Cryptology—CRYPTO’11 (2011), pp. 373–390
 B. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT’05 (2005), pp. 114–127
 Title
 Fully Leakage-Resilient Signatures
 Journal

Journal of Cryptology
Volume 26, Issue 3, pp. 513–558
 Cover Date
 2013-07-01
 DOI
 10.1007/s00145-012-9136-3
 Print ISSN
 0933-2790
 Online ISSN
 1432-1378
 Publisher
 Springer-Verlag
 Keywords

 Leakage-resilient cryptography
 Signature schemes
 Authors

 Elette Boyle ^{(1)}
 Gil Segev ^{(2)}
 Daniel Wichs ^{(3)}
 Author Affiliations

 1. Department of Mathematics, Massachusetts Institute of Technology, Cambridge, MA, 02139, USA
 2. Microsoft Research, Mountain View, CA, 94043, USA
 3. Department of Computer Science, New York University, New York, NY, 10012, USA