Posted on 19-Dec-2015

TRANSCRIPT

Page 1: Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland

Leakage-Resilient Signatures

Sebastian Faust, KU Leuven

Joint work with Eike Kiltz (CWI), Krzysztof Pietrzak (CWI) and Guy Rothblum (Princeton)

TCC 2010, Zurich, Switzerland

Page 2:

Security against leakage

Bounded total leakage (introduced in the context of cold boot attacks [AGV09]):
• Leakage function is PPT
• Leakage bounded in total
• Leakage can depend on the complete state
• Results: NS09, ADW09, KV09, …

Continuous leakage (models many side-channel attacks):
• Leakage function is PPT
• Leakage bounded per observation
• Only computation leaks
• Stream cipher: DP08, P09
• This work: Signatures

Page 3:

Digital Signatures

Three algorithms:
• KeyGen(k) → (pk, sk)
• Sign, using sk
• Verify, using pk

Page 4:

Standard Security Definition

(pk, sk) is generated and the adversary receives pk; repeated q times, the adversary asks for a signature under sk on a message of its choice.

(q-times, є)-secure: probability є that the adversary outputs a forgery.

Valid forgery: verification succeeds and the message has never been queried before.

How to extend this definition to the leakage setting?

Page 5:

Leakage Setting

(pk, sk) is generated and the adversary receives pk; in round i = 1, …, q the adversary additionally chooses a leakage function f_i and learns f_i(sk, r_i), where r_i is the randomness of round i.

Security against leakage: arbitrary leakage functions? No! A leakage function can output the complete key.

Solution: bound the amount of leakage.

Page 6:

Bounded Total Leakage

(q, є, λ_T)-secure against total leakage: the adversary receives pk, chooses f_1, …, f_q and learns f_1(sk), …, f_q(sk); probability є that the adversary outputs a forgery.

Total leakage λ_T = ∑ |f_i(sk)| < |sk|

Page 7:

Instantiations

Every signature scheme is secure against bounded total leakage:
Sig (q, є)-secure ⇒ Sig (q, 2^λ · є, λ)-secure against total leakage

Drawback: exponential security loss in λ

Can we do without this loss? Yes!
e.g. [AlwenDodisWichs09], [KatzVai09]: Okamoto-Schnorr signatures are secure even if a constant fraction of the key is leaked.
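The standard guessing argument behind the 2^λ loss, written out here as an added derivation (it is not on the slides): a reduction B against plain (q, є)-security runs the leakage adversary A and answers every leakage query with uniformly random bits.

$$
\begin{aligned}
&\text{Let } A \text{ forge with probability } \varepsilon' \text{ in the game with total leakage } \lambda_T \le \lambda. \\
&B \text{ answers each query } f_i \text{ with a uniform string } g_i \in \{0,1\}^{|f_i(sk)|} \text{ instead of } f_i(sk). \\
&\Pr[\text{all guesses correct}] = \prod_i 2^{-|f_i(sk)|} = 2^{-\lambda_T} \ \ge\ 2^{-\lambda}, \\
&\text{and conditioned on this event } A\text{'s view is exactly the real leakage game, so} \\
&\varepsilon \ \ge\ \Pr[B \text{ forges}] \ \ge\ \Pr[A \text{ forges} \wedge \text{all guesses correct}] \ \ge\ 2^{-\lambda}\,\varepsilon'
\quad\Longrightarrow\quad \varepsilon' \le 2^{\lambda}\varepsilon .
\end{aligned}
$$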

Page 8:

Continuous leakage

Bounded total leakage is insufficient in practice.

Continuous leakage: bounded amount per observation (total leakage >> |sk|)

Problem: the leakage function can output the key

Idea: use key evolution

Signature scheme has to be stateful

Page 9:

Stateful Digital Signatures

• KeyGen(k) → (pk, sk_0)
• Sign, using sk_{i-1}, and outputs the next state sk_i
• Verify, using pk

All signatures can be verified with the same pk.

Page 10:

Second Assumption

Axiom of [MR04]: “Only computation leaks”

Divide the state in two parts: S+ (active) and S- (passive). Leakage is f(S+).

In other words: leakage is independent of untouched memory.

Page 11:

Security against continuous leakage

(q, є, λ)-secure against continuous leakage: the adversary receives pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+), i.e. f_1(sk_0^+), f_2(sk_1^+), …; probability є that the adversary outputs a forgery.

Round 1: sk_0 = (sk_0^+, sk_0^-); f_1 is applied to the active part sk_0^+ only.

Bound in round: λ bits < |sk|

f_i can simulate all intermediate results of the computation and leak about them.

Page 12:

Security against continuous leakage

(q, є, λ)-secure against continuous leakage: the adversary receives pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+), i.e. f_1(sk_0^+), f_2(sk_1^+), …; probability є that the adversary outputs a forgery.

Round 1: sk_0 = (sk_0^+, sk_0^-), leakage f_1(sk_0^+); bound in round: λ bits < |sk|
Update (upd): sk_0 → sk_1 = (sk_1^+, sk_1^-)
Round 2: leakage f_2(sk_1^+), λ bits
Update (upd), and so on.

Total leakage >> |sk|

Page 13:

Leakage-resilient signatures

Main theorem:
Sig (3, є, λ)-secure against total leakage (λ bits of total leakage)
⇒ Sig’ (q, qє, λ/3)-secure against continuous leakage (λ/3 bits per invocation)

Basic idea: use a tree based scheme [NaorYung], [Lam], [Merkle]

Page 14:

Tree based signatures SIG’

[Figure: binary tree with root R; a node w has the children w0 and w1.]

Public key of Sig’ is assigned to the root: (pk, sk_0) ← KeyGen(rand)

For now: assume existence of physical randomness, i.e. a device that outputs randomness (it can be eliminated with a leakage resilient stream cipher!).

Page 15:

Tree based signatures SIG’

[Figure: the same tree, root R, node w with children w0 and w1.]

Public key of Sig’ is assigned to the root: (pk, sk_0) ← KeyGen(rand)

Visit nodes in depth-first traversal. At each node that is visited:
• generate new keys
• sign the new pk with the parent key
• sign a message

Page 16:

Tree based signatures SIG’

Sign the i-th message m:

[Figure: the tree with (pk, sk_0) at the root R and (pk_w, sk_w) at node w.]

Current state in round i: the keys at node w, (pk_w, sk_w), and at the root, (pk, sk_0).

Page 17:

Tree based signatures SIG’

Sign the i-th message m (the root R holds (pk_R, sk_R); node w holds (pk_w, sk_w); the node visited in round i is its child w1):
1. Generate keys for the current node: (pk_w1, sk_w1) ← KeyGen(rand)
2. Sign the new public key pk_w1 with the secret key sk_w of the parent node: Sign(sk_w, pk_w1)
3. Sign m with the new secret key sk_w1: Sign(sk_w1, m)

Page 18:

Tree based signatures SIG’

Sign the i-th message m with Sig’ (the root R holds (pk_R, sk_R); node w holds (pk_w, sk_w); the node visited in round i is its child w1):
1. Generate keys for the current node: (pk_w1, sk_w1) ← KeyGen(rand)
2. Sign the new public key pk_w1 with the secret key sk_w of the parent node: Sign(sk_w, pk_w1)
3. Sign m with the new secret key sk_w1: Sign(sk_w1, m)
4. Return the signature chain to the root and the signature on the message

Page 19:

Tree based signatures SIG’

Verify the i-th signature with Sig’:
• Verify the signature chain from the i-th node to the root
• Verify the signature of m
Accept the signature if verification was ok!

Page 20:

Security Proof

Theorem: Sig (3, є, λ)-secure against total leakage (λ bits of total leakage) ⇒ Sig’ (q, qє, λ/3)-secure against continuous leakage (λ/3 bits per invocation)

Page 21:

Security Proof

Proof by reduction: an adversary against Sig’ (λ/3 bits per observation) is turned into an adversary against Sig (λ bits total) by simulating the tree structure; a forgery for Sig’ is turned into a forgery for Sig.

Page 22:

Security Proof

[Figure: the tree, root R, node w with children w0 and w1.]

1. Guess the target node w; use the target public key there.

Page 23:

Security Proof

2. Generate keys for all other nodes (online)

Page 24:

Security Proof

3. Simulate the environment: for the nodes whose keys you generated yourself, compute the leakage f( ) yourself.

Page 25:

Security Proof

3. Simulate the environment: for the target node w, use the target Sig oracle (for signatures and for the leakage f( )).

Page 26:

Security Proof

But: the target oracle can only be asked for λ bits of leakage?

Observation: each secret key sk_w is touched at most 3 times:
• twice to certify the children
• once to sign a message: Sign(sk_w, m)

Only computation leaks, so sk leaks 3 times. Since we allow only λ/3 bits of leakage per invocation this will be sufficient!
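The tree-based Sig’ of pages 14–19 together with the use-count observation of page 26, as an added Go example that is not the authors’ code: Ed25519 from the Go standard library stands in for the base scheme Sig, crypto/rand plays the assumed physical randomness, and the MaxUses counter is our own audit of how often any single sk is touched (at most 3: two child certificates and one message).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
)
type node struct {
	pub, priv, cert []byte // base-Sig key pair; cert = Sign(sk_parent, pub), nil at the root
	next, uses      int    // children visited so far; how often priv has been touched
}
// TreeSigner is the stateful Sig' with Ed25519 as the base Sig (our choice); its state
// is the key path from the root to the current node of a depth-first traversal.
type TreeSigner struct {
	depth, MaxUses int // MaxUses audits the most-touched sk (the proof needs <= 3)
	path           []*node
}
func NewTreeSigner(depth int) (*TreeSigner, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the assumed physical randomness
	return &TreeSigner{depth: depth, path: []*node{{pub: pub, priv: priv}}}, pub
}
// Sign runs steps 1-4 of the talk at the next node: fresh keys, certify them with the
// parent's sk, sign m, return [pk_1, cert_1, ..., pk_w, cert_w, sig_m]; nil if used up.
func (t *TreeSigner) Sign(m []byte) [][]byte {
	for len(t.path) > 0 && (t.path[len(t.path)-1].next == 2 || len(t.path) > t.depth) {
		t.path = t.path[:len(t.path)-1] // subtree exhausted: its sk is erased
	}
	if len(t.path) == 0 {
		return nil
	}
	parent := t.path[len(t.path)-1]
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t.path = append(t.path, &node{pub: pub, priv: priv, cert: ed25519.Sign(parent.priv, pub), uses: 1})
	parent.next, parent.uses = parent.next+1, parent.uses+1
	if parent.uses > t.MaxUses { // at most two child certificates plus one message
		t.MaxUses = parent.uses
	}
	var chain [][]byte
	for _, n := range t.path[1:] {
		chain = append(chain, n.pub, n.cert)
	}
	return append(chain, ed25519.Sign(priv, m))
}
// Verify checks the certificate chain from the root down, then the signature on m.
func Verify(root ed25519.PublicKey, m []byte, chain [][]byte) bool {
	for ; len(chain) > 1; chain = chain[2:] {
		if len(chain[0]) != ed25519.PublicKeySize || !ed25519.Verify(root, chain[0], chain[1]) {
			return false
		}
		root = chain[0]
	}
	return len(chain) == 1 && ed25519.Verify(root, m, chain[0])
}
```

Sign erases the keys of exhausted subtrees, so the stored state and the signature length stay logarithmic in the number of signatures, as the summary on page 28 claims.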

Page 27:

Security Proof

The simulation is perfect. If A’ outputs a forgery for Sig’ with probability є, the reduction outputs a forgery for Sig with probability є/q, because the forgery of A’ can only be used if it was for node w.

Page 28:

Summary

First leakage-resilient public-key primitive
• Generic transformation from any signature scheme
• Leakage: constant fraction of the secret key, if instantiated with Okamoto
• Efficiency: all parameters are logarithmic in q or constant

Eliminate physical randomness: use a leakage-resilient stream cipher [DP08, P09]
• Generic for any leakage resilient signature scheme: lose security exponentially in the leakage
• For our signature scheme instantiated with Okamoto: variant that has no loss in security!

Page 29:

Thank you!

Page 30:

Eliminate physical randomness

Generic from any leakage resilient stream cipher.

Problem: the output D of the stream cipher has n − λ HILL pseudo-entropy, but the reduction needs uniform randomness!

Some intuition:
D (real experiment: HILL entropy n − λ) is є-close to D’ (min-entropy n − λ), and D’ = U | E, where U is uniform and the event E is true with probability 2^{-λ}.

Back in the “old” world
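Why a distribution with min-entropy n − λ is the uniform distribution conditioned on an event of probability 2^{-λ}, as an added derivation in the slide’s notation (not from the talk):

$$
\begin{aligned}
&\text{Let } D' \text{ on } \{0,1\}^n \text{ have min-entropy } n-\lambda, \text{ i.e. } \Pr[D'=x] \le 2^{-(n-\lambda)} \text{ for all } x. \\
&\text{Sample } U \leftarrow \{0,1\}^n \text{ uniformly and let the event } E \text{ occur, given } U=x, \text{ with probability} \\
&\qquad p(x) := \Pr[D'=x]\cdot 2^{\,n-\lambda} \in [0,1]. \\
&\text{Then } \Pr[E] = \sum_x 2^{-n}\,p(x) = 2^{-n}\cdot 2^{\,n-\lambda}\sum_x \Pr[D'=x] = 2^{-\lambda}, \\
&\text{and } \Pr[U=x \mid E] = \frac{2^{-n}\,p(x)}{2^{-\lambda}} = \Pr[D'=x], \text{ so } U \mid E \text{ is exactly } D'.
\end{aligned}
$$

The reduction can therefore run in the uniform world and succeeds whenever E holds, which costs a factor 2^{λ} on top of the є from the HILL-to-min-entropy step; this is the exponential loss in the leakage that the summary mentions for the generic variant.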

Page 31:

Single Observation

Sign with sk; the adversary chooses f and learns f(sk).

Page 32:

Bounded Leakage

1. Bounded total leakage: total leakage < |sk|
2. Bounded leakage per observation: total leakage >> |sk|

Page 33:

Security against continuous leakage

How to prevent the pre-computation attack?

Idea 1: use physical randomness for key evolution

Idea 2: axiom of [MR04]: “Only computation leaks”. Divide the state in two parts, S+ (active) and S- (passive); leakage is f(S+).

Page 34:

Security against continuous leakage

Is key evolution sufficient? No, if key evolution is deterministic and f_i is PPT.

Why? Pre-computation attack [DP08]! The leakage function f_i applied to sk_{i-1} can precompute the future state and leak the i-th bit of sk_t.

Page 35:

Leakage Resilience

Continuous leakage:
• Any PPT function f
• Leakage bounded per observation (the total can be very large)
• Only computation leaks (later more)

Earlier results in this model:
• DP08, P09: Stream ciphers
• In this work: Digital signatures

Page 36:

Security against continuous leakage

(q, є, λ)-secure against continuous leakage: the adversary receives pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+), i.e. f_1(sk_0^+), f_2(sk_1^+), …; probability є that the adversary outputs a forgery.

Round 1: sk_0 = (sk_0^+, sk_0^-), leakage f_1(sk_0^+); bound in round: λ bits < |sk|
Update (upd): sk_0 → sk_1 = (sk_1^+, sk_1^-)

Update may leak!

Page 37:

Beautiful Theory…

Security is studied in the black box model: inputs/outputs are known, but no information on the internal state.

Page 38:

The Ugly Reality

Side channels: electromagnetic, acoustic, probing, cache, optical, power.

Page 39:

Motivation

Many black-box secure cryptosystems get broken by physical attacks.

Goal: a digital signature scheme provably secure against side-channel attacks!

May not imply a secure implementation!