# Signature Schemes Secure Against Hard-to-Invert Leakage

## Abstract

*Side-channel attacks* allow the adversary to gain partial knowledge of the secret key when cryptographic protocols are implemented in real-world hardware. The goal of leakage resilient cryptography is to design cryptosystems that withstand such attacks. In the auxiliary input model, an adversary is allowed to see a *computationally hard-to-invert function* of the secret key. The auxiliary input model weakens the bounded leakage assumption commonly made in leakage resilient cryptography as the hard-to-invert function may information-theoretically reveal the entire secret key. In this work, we propose the *first* constructions of digital signature schemes that are secure in the auxiliary input model. Our main contribution is a digital signature scheme that is secure against *chosen message attacks* when given any *exponentially hard-to-invert function* of the secret key. As a second contribution, we construct a signature scheme that achieves security for *random messages* assuming that the adversary is given a *polynomial-time hard-to-invert* function (where both the challenge as well as the signatures seen prior to that are computed on random messages). Here, polynomial hardness is required even when given the entire public key. We further show that such signature schemes readily give us auxiliary input secure identification schemes.

## Notes

### Acknowledgments

The authors thank Yevgeniy Dodis for discussions at an early stage of this project.
