Leakage-Resilient Signatures
Sebastian Faust (KU Leuven)
Joint work with Eike Kiltz (CWI), Krzysztof Pietrzak (CWI) and Guy Rothblum (Princeton)
TCC 2010, Zurich, Switzerland


2 Bounded total leakage vs. continuous leakage
Bounded total leakage:
- Introduced in the context of cold boot attacks [AGV09]
- Leakage function is PPT
- Leakage bounded in total
- Leakage can depend on the complete state
- Results: NS09, ADW09, KV09, ...
Continuous leakage:
- Models many side-channel attacks
- Leakage function is PPT
- Leakage bounded per observation
- Only computation leaks
- Stream cipher: DP08, P09
- This work: signatures

3 Digital Signatures
Three algorithms:
- KeyGen(1^k) -> (pk, sk)
- Sign(sk, ·): signs with the secret key sk
- Verify(pk, ·): checks with the public key pk

4 Standard Security Definition
- The challenger generates (pk, sk); the adversary receives pk
- Repeat q times: the adversary asks for a signature on a message of its choice
- (q-times, є)-secure: probability є that the adversary outputs a forgery
- Valid forgery: verification succeeds and the message has never been queried before
How to extend this definition to the leakage setting?

5 Leakage Setting
- The challenger generates (pk, sk); the adversary receives pk
- In round i (i = 1, ..., q) the adversary chooses a leakage function f_i and learns f_i(sk, r_i), where r_i is the signing randomness of that round
Security against leakage:
- Arbitrary leakage functions? No! A leakage function can output the complete key
- Solution: bound the amount of leakage

6 Bounded Total Leakage
- The adversary receives pk; in round i it chooses f_i and learns f_i(sk)
- (q, є, λ_T)-secure against total leakage: probability є that the adversary outputs a forgery
- Total leakage λ_T = Σ_i |f_i(sk)| < |sk|

7 Instantiations
- Every signature scheme is secure against bounded total leakage:
  Sig (q, є)-secure  =>  Sig (q, 2^λ·є, λ)-secure against total leakage
- Drawback: exponential security loss in λ
- Can we do without this loss? Yes! e.g. [AlwenDodisWichs09], [KatzVai09]: Okamoto-Schnorr signatures are secure even if a constant fraction of the key is leaked

8 Continuous leakage
- Bounded total leakage is insufficient in practice
- Continuous leakage: bounded amount per observation (=> total leakage >> |sk|)
- Problem: the leakage function can output the key
- Idea: use key evolution
- The signature scheme has to be stateful

9 Stateful Digital Signatures
- KeyGen(1^k) -> (pk, sk_0)
- Sign(sk_{i-1}, ·) -> signature and updated state sk_i
- Verify(pk, ·)
All signatures can be verified with the same pk

10 Second Assumption
Axiom of [MR04]: "Only computation leaks"
- Divide the state in two parts: S+ (active) and S- (passive)
- Leakage is f(S+)
- In other words: leakage is independent of untouched memory

11 Security against continuous leakage
- The adversary receives pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+), the leakage on the active part of the current state
- (q, є, λ)-secure against continuous leakage: probability є that the adversary outputs a forgery
- Bound in each round: λ bits < |sk|
- The state sk_0 is split into an active part sk_0^+ and a passive part sk_0^-
- Can simulate all intermediate results & leak about them

12 Security against continuous leakage (with key update)
- As before: in round i the adversary chooses f_i and learns f_i(sk_{i-1}^+), with λ bits < |sk| per round
- After round 1 the state is updated (upd) from (sk_0^+, sk_0^-) to (sk_1^+, sk_1^-); round 2 leaks λ bits about sk_1^+, and so on
- Total leakage over all rounds >> |sk|

13 Leakage-resilient signatures
Main theorem:
  Sig (3, є, λ)-secure against total leakage (λ bits of total leakage)
  =>  Sig' (q, q·є, λ/3)-secure against continuous leakage (λ/3 bits per invocation)
Basic idea: use a tree-based scheme [NaorYung], [Lam], [Merkle]

14 Tree-based signatures SIG'
- Binary tree with root R; a node w has children w0 and w1
- The public key of Sig' is assigned to the root: (pk, sk_0) <- KeyGen(rand)
- For now: assume the existence of physical randomness, i.e. a device that outputs randomness; this can be eliminated with a leakage-resilient stream cipher!

15 Tree-based signatures SIG'
- The public key of Sig' is assigned to the root: (pk, sk_0) <- KeyGen(rand)
- Visit the nodes in depth-first traversal
- At each node that is visited: generate new keys; sign the new pk with the parent's key; sign a message

16 Tree-based signatures SIG': sign the i-th message m
- Current state in round i: the key pair (pk_w, sk_w) of the current node w (the root R holds (pk, sk_0))

17 Tree-based signatures SIG': sign the i-th message m
Current node w with (pk_w, sk_w); root R with (pk_R, sk_R)
1. Generate keys for the current node: (pk_w1, sk_w1) <- KeyGen(rand)
2. Sign the new public key pk_w1 with the secret key sk_w of the parent node: Sign(sk_w, pk_w1)
3. Sign m with the new secret key sk_w1: Sign(sk_w1, m)

18 Tree-based signatures SIG': sign the i-th message m with Sig'
1. Generate keys for the current node: (pk_w1, sk_w1) <- KeyGen(rand)
2. Sign the new public key pk_w1 with the secret key sk_w of the parent node: Sign(sk_w, pk_w1)
3. Sign m with the new secret key sk_w1: Sign(sk_w1, m)
4. Return the signature chain to the root and the signature on the message

19 Tree-based signatures SIG': verify the i-th signature with Sig'
- Verify the signature chain from the i-th node to the root
- Verify the signature of m
- Accept the signature if verification was ok!
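The following Python program is an added worked example of the signing and verification procedure of slides 14 to 19; it is not code from the talk or the paper. It builds Sig' as a pre-order (depth-first) traversal of a binary tree in which every visited node generates a fresh key pair, has its public key certified by the parent, and signs one message; a Sig' signature is the certification chain to the root plus the message signature, and verification walks that chain. The underlying scheme Sig is a constructed 3-time scheme made of three Lamport one-time keys per node (chosen only because it needs nothing beyond the standard library; the talk instantiates Sig with Okamoto-Schnorr). The names TreeSigner, ThreeTimeKey, tree_verify and demo are assumptions of this example, and physical randomness is modelled by os.urandom. Leakage itself is not simulated; the uses counter only records how often each node key is touched, which lets one check the bound of at most three signatures per key that the security proof later relies on.

```python
import hashlib
import os
from collections import Counter

# Added example, not the talk's code: Sig' as a pre-order tree traversal over a
# constructed 3-time Sig (three Lamport one-time keys per node). All names here
# are assumptions of this example; physical randomness is modelled by os.urandom.

N = 256  # Lamport signs the 256-bit SHA-256 digest of a message

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return [(H(a), H(b)) for a, b in sk], sk

def ots_sign(sk, msg: bytes):
    d = H(msg)  # reveal one preimage per digest bit
    return [sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(N)]

def ots_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == N and all(H(sig[i]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(N))

def pk_bytes(pk3) -> bytes:  # deterministic encoding of a 3-time pk, so a parent can sign it
    return b"".join(h for pk in pk3 for pair in pk for h in pair)

class ThreeTimeKey:  # Sig instance of one tree node: the j-th signature uses the j-th Lamport key
    def __init__(self):
        self.pk, self.sk = map(list, zip(*[ots_keygen() for _ in range(3)]))
        self.used = 0

    def sign(self, msg: bytes):
        if self.used >= 3:
            raise RuntimeError("3-time key exhausted; the traversal must never do this")
        j, self.used = self.used, self.used + 1
        return (j, ots_sign(self.sk[j], msg))

def three_time_verify(pk3, msg: bytes, sig) -> bool:
    return 0 <= sig[0] < 3 and ots_verify(pk3[sig[0]], msg, sig[1])

class TreeSigner:
    """Sig': every visited node signs one message and certifies at most two
    children, so each node key is used at most three times (the proof's bound)."""

    def __init__(self, depth: int):
        self.depth = depth
        root = ThreeTimeKey()
        self.pk = root.pk                 # public key of Sig' is the root's pk
        # stack entries: [label, key, chain of (child pk, cert) from the root, children visited]
        self.stack = [["", root, [], 0]]
        self.root_pending = True          # the root signs the first message itself
        self.uses = Counter()             # node label -> signatures made with that key

    def _advance(self):  # move to the next node in pre-order; generate and certify its key
        while self.stack:
            label, key, chain, visited = self.stack[-1]
            if len(label) < self.depth and visited < 2:
                self.stack[-1][3] += 1
                child = ThreeTimeKey()                     # 1. generate keys
                cert = key.sign(pk_bytes(child.pk))        # 2. parent certifies the new pk
                self.uses[label] += 1
                self.stack.append([label + str(visited), child, chain + [(child.pk, cert)], 0])
                return
            self.stack.pop()                               # subtree finished, go up
        raise RuntimeError("tree exhausted: 2^(depth+1)-1 messages already signed")

    def sign(self, msg: bytes):
        if self.root_pending:
            self.root_pending = False
        else:
            self._advance()
        label, key, chain, _ = self.stack[-1]
        sig = key.sign(msg)                                # 3. sign m with the node key
        self.uses[label] += 1
        return (chain, sig)                                # 4. chain to root + signature

def tree_verify(root_pk, msg: bytes, signature) -> bool:
    chain, sig = signature
    pk = root_pk
    for child_pk, cert in chain:                           # walk the chain root -> node
        if not three_time_verify(pk, pk_bytes(child_pk), cert):
            return False
        pk = child_pk
    return three_time_verify(pk, msg, sig)

def demo(depth: int = 2):  # sign all 2^(depth+1)-1 messages a tree of this depth supports
    signer = TreeSigner(depth)
    msgs = [f"constructed message {i}".encode() for i in range(2 ** (depth + 1) - 1)]
    sigs = [signer.sign(m) for m in msgs]
    all_valid = all(tree_verify(signer.pk, m, s) for m, s in zip(msgs, sigs))
    other = tree_verify(signer.pk, b"some other message", sigs[-1])  # must be False
    return all_valid, other, max(signer.uses.values()), len(sigs[-1][0])

if __name__ == "__main__":
    print(demo())  # (True, False, 3, 2)
```

Running demo() signs the seven messages a depth-2 tree supports and reports that all of them verify, that the last signature does not verify for a different message, that no node key was used more than three times (root and inner nodes: one message plus two certificates), and that the last chain has length two. An eighth Sign call raises, which is the stateful scheme refusing to reuse a key rather than silently exceeding the 3-time bound.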

20 Security Proof
Theorem:
  Sig (3, є, λ)-secure against total leakage (λ bits of total leakage)
  =>  Sig' (q, q·є, λ/3)-secure against continuous leakage (λ/3 bits per invocation)

21 Security Proof
Proof by reduction: an adversary A' against Sig' (λ/3 bits of leakage per observation) is turned into an adversary against Sig (λ bits of leakage in total). The reduction simulates the tree structure and turns a forgery for Sig' into a forgery for Sig.

22 Security Proof
1. Guess the target node w; use the target public key (of the Sig challenge) at that node

23 Security Proof
2. Generate keys for all other nodes (online)

24 Security Proof
3. Simulate the environment: for a leakage function f on a node whose key the reduction generated itself, compute the leakage f(·) yourself

25 Security Proof
3. Simulate the environment: for a leakage function f on the target node w, use the Sig target oracle

26 Security Proof
But: only λ bits of leakage in total can be asked from the Sig oracle?
Observation: each secret key sk_w is touched at most 3 times:
- twice to certify the children w0 and w1
- once to sign a message: Sign(sk_w, m)
Only computation leaks => sk_w leaks 3 times
Since we allow only λ/3 bits of leakage per invocation, this will be sufficient!

27 Security Proof
- Perfect simulation
- A' outputs a forgery with probability є
- The forgery of A' can only be used if it was for node w
- The reduction outputs a forgery for Sig with probability є/q
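As an added worked account of the reduction in slides 20 to 27 (not part of the slides), here are the two quantities the argument rests on, written in the talk's notation with A' the adversary against Sig' and w the guessed node:

```latex
\begin{aligned}
&\text{Leakage the reduction must answer through the Sig oracle, all of it about } sk_w: \\
&\qquad \underbrace{\lambda/3}_{\text{certify } w0}
      + \underbrace{\lambda/3}_{\text{certify } w1}
      + \underbrace{\lambda/3}_{\text{sign } m}
      \;=\; \lambda \quad\text{(exactly the total-leakage budget of Sig, over at most 3 signing queries)} \\[6pt]
&\Pr[\text{reduction forges against Sig}]
   \;\ge\; \Pr[\mathcal{A}' \text{ forges against Sig}'] \cdot \Pr[\text{the fresh signature in the forgery is under } sk_w] \\
&\qquad =\; \epsilon \cdot \frac{1}{q},
\quad\text{since the simulation is perfect, so the view of } \mathcal{A}' \text{ is independent of the guess } w.
\end{aligned}
```

A forgery for Sig' contains at least one signature the signer never produced, either a certificate in the chain or the signature on m, and that signature is under the key of one of the at most q visited nodes, which is why the guess succeeds with probability 1/q. Read contrapositively, with є now denoting the bound for Sig: if no 3-query adversary with λ bits of total leakage forges against Sig with probability above є, then no q-query adversary with λ/3 bits per observation forges against Sig' with probability above q·є, which is the (3, є, λ) => (q, q·є, λ/3) statement of slides 13 and 20.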

28 Summary
- First leakage-resilient public-key primitive
- Generic transformation from any signature scheme
- Leakage: a constant fraction of the secret key, if instantiated with Okamoto
- Efficiency: all parameters are logarithmic in q or constant
- Eliminate physical randomness: use a leakage-resilient stream cipher [DP08, P09]
  - Generic for any leakage-resilient signature scheme: loses security exponentially in the leakage
  - For our signature scheme instantiated with Okamoto: a variant that has no loss in security!

29 Thank you!

30 Eliminate physical randomness
- Generic from any leakage-resilient stream cipher
- Problem: the output D of the stream cipher has n-λ HILL pseudoentropy, but the reduction needs uniform randomness!
Some intuition:
- Real experiment: the signer uses randomness D
- HILL: D is є-close to some D' with min-entropy n-λ
- D' can be viewed as U|E, the uniform distribution conditioned on an event E that is true with probability 2^(-λ)
- Conditioned on E we are back in the "old" world with uniform randomness

31 Single Observation
Sign with sk; the adversary chooses f and learns f(sk)

32 Bounded Leakage
1. Bounded total leakage: total leakage < |sk|
2. Bounded leakage per observation: total leakage >> |sk|

33 Security against continuous leakage
How to prevent the pre-computation attack?
- Idea 1: use physical randomness for key evolution
- Idea 2: axiom of [MR04], "Only computation leaks": divide the state in two parts, S+ (active) and S- (passive); leakage is f(S+)

34 Security against continuous leakage
Is key evolution sufficient? No, if key evolution is deterministic and f_i is PPT
Why? Pre-computation attack [DP08]! In round i, Sign uses sk_{i-1} and leaks f_i(sk_{i-1}); a PPT f_i can precompute the later state sk_t from sk_{i-1} and leak the i-th bit of sk_t, so a few bits per round add up to the whole key sk_t

35 Leakage Resilience
Continuous leakage:
- Any PPT function f
- Leakage bounded per observation => total leakage can be very large
- Only computation leaks (more on this later)
Earlier results in this model: DP08, P09: stream ciphers
In this work: digital signatures

36 Security against continuous leakage
- The adversary receives pk; in round i it chooses f_i and learns f_i(sk_{i-1}^+)
- (q, є, λ)-secure against continuous leakage: probability є that the adversary outputs a forgery
- Bound in each round: λ bits < |sk|
- The state (sk_0^+, sk_0^-) is updated (upd) to (sk_1^+, sk_1^-), and so on
- Update may leak!

37 Beautiful Theory...
Security is studied in the black-box model: inputs/outputs are known, but there is no information on the internal state

38 The Ugly Reality
Physical side channels: electromagnetic, acoustic, probing, cache, optical, power

39 Motivation
- Many black-box secure cryptosystems get broken by physical attacks
- Goal: a digital signature scheme provably secure against side-channel attacks!
- Caveat: provable security in the model may not imply a secure implementation!