Signature Schemes with Bounded Leakage Resilience

Abstract

A leakage-resilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (and possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show:

  • A full-fledged signature scheme tolerating leakage of \(n - n^{\epsilon}\) bits of information about the secret key (for any constant \(\epsilon > 0\)), based on general assumptions.

  • A one-time signature scheme, based on the minimal assumption of one-way functions, tolerating leakage of \((\frac{1}{4}-\epsilon) \cdot n\) bits of information about the signer’s entire state.

  • A more efficient one-time signature scheme, that can be based on several specific assumptions, tolerating leakage of \((\frac{1}{2}-\epsilon) \cdot n\) bits of information about the signer’s entire state.

The latter two constructions extend to give leakage-resilient t-time signature schemes. All the above constructions are in the standard model.