1 / 16

The Physically Observable Security of Signature Schemes

The Physically Observable Security of Signature Schemes. Alexander W. Dent Joint work with John Malone-Lee University of Bristol. Provable Security. A proof of security provides a strong argument in favour of a scheme’s security.

dbrenton
Télécharger la présentation

The Physically Observable Security of Signature Schemes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol

  2. Provable Security • A proof of security provides a strong argument in favour of a scheme’s security. • Most of the major types of cryptosystem have a generally accepted security model. • Let us consider the security model for a signature scheme...

  3. Provable Security: Signatures public key m (m*,σ*) Signature Oracle σ F The forger wins if σ* is a valid signature for the message m* and the signature oracle did not return σ* when asked to sign message m*.

  4. Provable Security • Black box model. • Many practical implementations give out more information than just the signature. • These “side-channels” include: • Timing information. • Power consumption information. • Electro-magnetic radiation information. • Error message information.

  5. Physically Observable Security • Micali-Reyzin model [TCC 2004]. • Passive attackers only. • Based on a series of informal axioms: • Only computation leaks information • Different computers leak different information. • Information leakage depends on measurement. • Information leakage is local. • Leaked information is efficiently computable.

  6. Physically Observable Security public key m (m*,σ*) Signature Oracle σ

  7. Physically Observable Security public key m (m*,σ*) Signature Oracle σ Leakage function leakage

  8. Physically Observable Security • Note that physically observable security is a physical assumption. I.e. it is only possible to consider whether a machine is secure and not a primitive. • Micali-Reyzin approached POS from a “micro” perspective and concentrated on showing how secure components can be combined. • We take a “macro” perspective.

  9. Physically Observable Security public key m (m*,σ*) Signature Oracle σ Leakage function leakage

  10. Security of Signature Schemes m σ leakage

  11. Security of Signature Schemes m σ sk1 sk2 sk3 ... skn ...

  12. Security of Signature Schemes m σ sk1 sk2 sk3 ... skn Simulator ...

  13. Security of Signature Schemes • If, for each “box”, there exists a polynomial-time algorithm that can simulate the leakage from the box in such a way that no polynomial-time attacker can distinguish it from the real leakage even when the attacker has access to the secret keys for all the other boxes... • ...then the signature scheme is secure against physical attacks if and only if it is secure against black-box attacks.

  14. Security of Signature Schemes • If you can isolate each component of a signature scheme and effectively simulate all of the side-channel information it produces... • ...then you don’t have to worry about (passive) side-channel attacks against the scheme. • Note that “distinguishing” one set of side-channel information from another set of side-channel information is a physical problem.

  15. Open problems • A physically observable security model that models all passive attackers. • A physically observable security model that models active attackers. • Signature schemes with branching and looping, and/or with dependent secret keys. • Other types of primitive? Encryption?

  16. Conclusions • We present a theoretical result that suggests that if a signature schemes is • secure in the black-box model, • and the leakage of the individual components of the scheme do not depend on any secret information then the signature scheme is physically secure.

More Related