Leakage-Resilient Signatures with Graceful Degradation
Authors
Abstract
We investigate new models and constructions which allow leakage-resilient signatures secure against existential forgeries, where the signature is much shorter than the leakage bound. Current models of leakage-resilient signatures against existential forgeries demand that the adversary cannot produce a new valid message/signature pair (m, σ) even after receiving some λ bits of leakage on the signing key. If |σ| ≤ λ, then the adversary can just choose to leak a valid signature σ, and hence signatures must be larger than the allowed leakage, which is impractical as the goal often is to have large signing keys to allow a lot of leakage. We propose a new notion of leakage-resilient signatures against existential forgeries where we demand that the adversary cannot produce n = ⌊λ/|σ|⌋ + 1 distinct valid message/signature pairs (m1, σ1), . . . , (mn, σn) after receiving λ bits of leakage. If λ = 0, this is the usual notion of existential unforgeability. If 1 < λ < |σ|, this is essentially the usual notion of existential unforgeability in the presence of leakage. In addition, for λ ≥ |σ| our new notion still guarantees the best possible, namely that the adversary cannot produce more forgeries than he could have leaked, hence graceful degradation. Besides the game-based notion hinted above, we also consider a variant which is more simulation-based, in that it asks that from the leakage a simulator can “extract” a set of n − 1 messages (to be thought of as the messages corresponding to the leaked signatures), and no adversary can produce forgeries not in this small set. The game-based notion is easier to prove for a concrete instantiation of a signature scheme. The simulation-based notion is easier to use when leakage-resilient signatures are used as components in larger protocols. We prove that the two notions are equivalent and present a generic construction of signature schemes meeting our new notion and a concrete instantiation under fairly standard assumptions.
We further give an application to leakage-resilient identification.

∗ Partially supported by European Research Council Starting Grant 279447. Partially supported by DFF Starting Grant 10-081612. Partially supported by the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, and also from the CFEM research center (supported by the Danish Strategic Research Council).
Similar resources
Fully leakage-resilient signatures revisited: Graceful degradation, noisy leakage, and construction in the bounded-retrieval model
We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience), including the random coin tosses of the signing algorithm. The main feature of our constructions is that they offer a graceful degradation of security in situations w...
Mind Your Coins: Fully Leakage-Resilient Signatures with Graceful Degradation
We construct new leakage-resilient signature schemes. Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience). The main feature of our constructions is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible. Th...
Leakage-Resilient Signatures
The strongest standard security notion for digital signature schemes is unforgeability under chosen message attacks. In practice, however, this notion can be insufficient due to “side-channel attacks” which exploit leakage of information about the secret internal state. In this work we put forward the notion of “leakage-resilient signatures,” which strengthens the standard security notion by gi...
Encryption Schemes with Post-Challenge Auxiliary Inputs
In this paper, we tackle the open problem of proposing a leakage-resilience encryption model that can capture leakage from both the secret key owner and the encryptor, in the auxiliary input model. Existing models usually do not allow adversaries to query more leakage information after seeing the challenge ciphertext of the security games. On one hand, side-channel attacks on the random factor ...
What Information Is Leaked under Concurrent Composition?
A long series of works have established far reaching impossibility results for concurrently secure computation. On the other hand, some positive results have also been obtained according to various weaker notions of security (such as by using a super-polynomial time simulator). This suggests that somehow, “not all is lost in the concurrent setting.” In this work, we ask what and exactly how much...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2014, Issue
Pages -
Publication date 2014