Fiat-Shamir is a mainstream construction paradigm of lattice-based signature schemes.While its theoretical sec-urity is well-studied,its implementation security in the presence of leakage is a relatively under-explored topic.Specifically,even some side-channel attacks on lattice-based Fiat-Shamir signature(FS-Sig)schemes have been proposed since 2016,little work on the leakage resilience of these schemes appears.Worse still,the proof idea of the leakage resilience of FS-Sig schemes based on traditional number-theoretic assumptions does not apply to most lattice-based FS-Sig schemes.For this,we propose a framework to construct fully leakage resilient lattice-based FS-Sig schemes in the bounded memory leakage(BML)model.The framework consists of two parts.The first part shows how to construct leakage resilient FS-Sig schemes in BML model from leakage resilient versions of non-lossy or lossy identification schemes,which can be instantiated based on lattice assumptions.The second part shows how to construct fully leakage resilient FS-Sig schemes based on leakage resilient ones together with a new property called state reconstruction.We show almost all lattice-based FS-Sig schemes have this property.As a concrete application of our fundamental framework,we apply it to existing lattice-based FS-Sig schemes and provide analysis results of their security in the leakage setting.

Yuejun LIU;Yongbin ZHOU;Rui ZHANG;Yang TAO

State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China;School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China

计算机科学前沿

[1]Yuejun LIU;Yongbin ZHOU;Rui ZHANG;Yang TAO-.(Full)Leakage resilience of Fiat-Shamir signatures over lattices)[J].计算机科学前沿,2022(05):172-182

urity,instantiated

Full,Leakage,resilience,Fiat,Shamir,signatures,over,lattices,mainstream,paradigm,schemes,While,its,theoretical,well,studied,implementation,security,presence,leakage,relatively,under,explored,topic,Specifically,even,some,side,channel,attacks,FS,Sig,have,been,proposed,since,little,these,appears,Worse,still,proof,idea,traditional,number,assumptions,does,not,apply,For,this,framework,fully,resilient,bounded,memory,BML,model,consists,two,parts,first,shows,from,versions,lossy,identification,which,can,second,ones,together,new,property,called,state,reconstruction,We,almost,concrete,application,our,fundamental,existing,provide,analysis,results,their,setting

0.418839