In this chapter, we proposed a leakage-resilient Boneh–Boyen signature scheme in the continual split-state leakage model that tolerates leakage of approximately half the bits of (a share of) the secret key at every invocation. We proved the security of our construction in the generic bilinear group model. To generate a signature, the number of exponentiations needed in the pairing base group is four (cf. Section 3.4). Hence we require only one extra exponentiation compared to the original Boneh–Boyen signature scheme. We also observed that the Boneh–Boyen signature scheme is existentially unforgeable in the GBG model, whereas it is only known to be selectively unforgeable in the standard model.
It seems that our results readily extend to the min-entropy leakage model of Chapter 2. Also it appears straightforward to extend our results to the full Boneh–Boyen identity-based encryption scheme. We also expect it to be fully secure (against adaptive identity attacks) in the GBG model, while it is only known to be secure against selective identity attacks in the standard model. An interesting direction would be to obtain efficient leakage-resilient signature schemes that tolerate continual leakage in the full memory leakage model where the entire secret state is input to the leakage functions. With the current techniques we expect that such schemes, if they exist, can possibly be proven secure only in an idealized model of computation, such as the generic group model or the random oracle model.
Chapter 4
Split-State Pairing-based Schnorr Signature Scheme
In this chapter, we propose a pairing analogue of the classical Schnorr signature scheme. We next transform it to include split signing key updates, similar to what was done in the earlier chapters. We give a leakage-resilience bound in the generic bilinear group model against continual split-state leakage attacks for the new scheme. Our scheme tolerates leakage of almost half of the bits of the secret key at every new signature invocation. The secret key's storage space is constant and the key is uniquely determined by the public key, properties also enjoyed by the schemes in the previous chapters.
Contents
4.1 Introduction
4.2 Basic Pairing-based Schnorr Signature Scheme
4.3 A Leakage-Resilient Pairing-based Schnorr Signature Scheme
4.4 Conclusion and Future Directions
4.1 Introduction
We aim at building a signature scheme secure against continual leakage in the split-state model that builds on the Schnorr signature scheme [Sch91]. Apart from being of possible interest to the cryptographic engineering community due to its efficiency, it exhibits certain properties of theoretical interest as well. Notice that several works [Kat09, ADW09, FKPR10] have already built leakage-resilient signature schemes based on Schnorr. All of these works confirm the finding by Wichs [Wic13], who seems to indicate that it might be impossible to achieve continual leakage-resilience for cryptosystems whose secret key is uniquely determined by its public key, unless we weaken the security model. All the above-mentioned schemes are built by gluing together several copies of the basic Schnorr signature scheme (a technique that was first used by Okamoto [Oka92]), and thus, given the public key, there are exponentially many possible secret keys. The works [Kat09, ADW09] only allow a bounded leakage during the lifetime of the protocol, although in their model every part of the memory is susceptible to leak (as opposed to the split-state model); the work [FKPR10] uses the split-state model and allows roughly 1/36 leakage ratio at every signing step, but the number of signature queries is bounded in advance. Our goal is to provide a Schnorr-like signature scheme where the secret key material to be stored is constant at any time, since in the aforementioned works the secret keys' storage is proportional to the leakage ratio allowed. In particular, we propose a scheme where the secret key is uniquely determined by its public key, the secret key consists of only two group elements at any given time, and the scheme is unforgeable even if the number of adversarial signature queries is not known in advance.
From the results of Section 2.1, we see that there are attacks (in the continual split-state leakage model) for the split-secret key variant of the original Schnorr scheme instantiated over any cryptographic group $G$ where the discrete logarithm problem is assumed to be hard. This is why we state our theorems with respect to a transposition of the modified Schnorr signature scheme to pairing groups, where the secret key is no longer $x \in \mathbb{Z}_p$ but $X = g^x \in G$, where $G$ is the base pairing group with $e : G \times G \to G_T$. This allows us to use the generic bilinear group (GBG) model, which will ease our analysis. We proceed by first showing that our transposition of the Schnorr signature scheme to pairing groups is existentially unforgeable [GMR88] in the GBG model. This is achieved by showing that the security reduction in the generic group model [Sho97] for elliptic-curve based Schnorr signatures recently given by Neven, Smart and Warinschi [NSW09] can be translated to the GBG model and allows us to deal with data leakage. Secondly, we modify the pairing-based Schnorr scheme by multiplicatively sharing $X = X_1 \cdot X_2$, where $X_1, X_2 \in G$, and by breaking the signing scheme into two phases, each one using the corresponding share $X_1$ or $X_2$. Again, at each new signature invocation a fresh sharing $(X_1', X_2')$ of $X$ is computed. Our main theorem (Theorem 4.2) states that allowing $\lambda$ bits of leakage at each phase of every round overall decreases the security of the scheme by a factor of at most $2^{2\lambda}$ in our leakage model, which is the same as the one used in Chapter 3. Also, our Schnorr-like scheme has efficiency comparable to that of our scheme from Chapter 3.
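The multiplicative sharing and per-invocation re-sharing described above can be made concrete with a short added example (not code from the thesis, and not its signing algorithm). It assumes a toy order-1019 subgroup of $\mathbb{Z}_{2039}^*$ in place of a pairing group, a refresh that multiplies the shares by $R$ and $R^{-1}$, a constructed leakage function returning a $\lambda$-bit window of one share, and hypothetical function names throughout.

```python
# Added illustration: multiplicative split-state sharing X = X1 * X2 with
# refresh, and what lam-bit-per-round leakage sees with and without it.
# Toy constructed parameters, no pairing; all names are hypothetical.
import secrets

P, Q, G = 2039, 1019, 4      # P = 2Q + 1; G generates the order-Q subgroup
BITS = P.bit_length()        # 11 bits of storage per share

def rand_elem():
    """Uniform element of the order-Q subgroup."""
    return pow(G, secrets.randbelow(Q), P)

def share(X):
    """Split X into (X1, X2) with X1 uniform and X1 * X2 = X."""
    X1 = rand_elem()
    return X1, X * pow(X1, -1, P) % P

def refresh(X1, X2):
    """Fresh sharing (X1', X2') of the same X. Phase 1 touches only X1 and
    phase 2 only X2; the mask R is the only value passed between them."""
    R = rand_elem()
    return X1 * R % P, X2 * pow(R, -1, P) % P

def leak(value, rnd, lam):
    """Constructed leakage function: a lam-bit window of one share,
    advancing with the round number."""
    shift = rnd * lam
    return shift, (value >> shift) & ((1 << lam) - 1)

def leaked_view(lam, refreshing):
    """Leak lam bits of share 1 per round for ceil(BITS / lam) rounds.
    Returns (value assembled from the leaks, final X1, X, final X1 * X2)."""
    X = rand_elem()
    X1, X2 = share(X)
    assembled = 0
    for rnd in range(-(-BITS // lam)):
        shift, bits = leak(X1, rnd, lam)
        assembled |= bits << shift
        if refreshing:
            X1, X2 = refresh(X1, X2)   # next round leaks from a new share
    return assembled, X1, X, X1 * X2 % P

if __name__ == "__main__":
    for mode in (False, True):
        assembled, X1, X, prod = leaked_view(lam=4, refreshing=mode)
        print(f"refresh={mode}: leaks assemble to {assembled}, "
              f"current X1={X1}, X1*X2==X: {prod == X}")
```

Without refresh the windows tile a single fixed share, so the assembled value always equals $X_1$; with refresh each window comes from a different uniformly random share while the product $X_1 \cdot X_2$ stays equal to $X$.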
In Section 4.2, we introduce a bilinear variant of the Schnorr signature scheme and prove its security (without leakage) in the GBG model. In Section 4.3, we split the secret state of the bilinear Schnorr scheme and prove its leakage resilience under continual split-state leakage in the GBG model.