Fiat-Shamir is a mainstream construction paradigm of lattice-based signature schemes.While its theoretical security is well-studied,its implementation security in the presence of leakage is a relatively under-explored...Fiat-Shamir is a mainstream construction paradigm of lattice-based signature schemes.While its theoretical security is well-studied,its implementation security in the presence of leakage is a relatively under-explored topic.Specifically,even some side-channel attacks on lattice-based Fiat-Shamir signature(FS-Sig)schemes have been proposed since 2016,little work on the leakage resilience of these schemes appears.Worse still,the proof idea of the leakage resilience of FS-Sig schemes based on traditional number-theoretic assumptions does not apply to most lattice-based FS-Sig schemes.For this,we propose a framework to construct fully leakage resilient lattice-based FS-Sig schemes in the bounded memory leakage(BML)model.The framework consists of two parts.The first part shows how to construct leakage resilient FS-Sig schemes in BML model from leakage resilient versions of nonlossy or lossy identification schemes,which can be instantiated based on lattice assumptions.The second part shows how to construct fully leakage resilient FS-Sig schemes based on leakage resilient ones together with a new property called state reconstruction.We show almost all lattice-based FS-Sig schemes have this property.As a concrete application of our fundamental framework,we apply it to existing lattice-based FS-Sig schemes and provide analysis results of their security in the leakage setting.展开更多
基金This work was supported in part by National Natural Science Foundation of China(Grant Nos.61632020,U1936209,62002353)Beijing Natural Science Foundation(4192067).
文摘Fiat-Shamir is a mainstream construction paradigm of lattice-based signature schemes.While its theoretical security is well-studied,its implementation security in the presence of leakage is a relatively under-explored topic.Specifically,even some side-channel attacks on lattice-based Fiat-Shamir signature(FS-Sig)schemes have been proposed since 2016,little work on the leakage resilience of these schemes appears.Worse still,the proof idea of the leakage resilience of FS-Sig schemes based on traditional number-theoretic assumptions does not apply to most lattice-based FS-Sig schemes.For this,we propose a framework to construct fully leakage resilient lattice-based FS-Sig schemes in the bounded memory leakage(BML)model.The framework consists of two parts.The first part shows how to construct leakage resilient FS-Sig schemes in BML model from leakage resilient versions of nonlossy or lossy identification schemes,which can be instantiated based on lattice assumptions.The second part shows how to construct fully leakage resilient FS-Sig schemes based on leakage resilient ones together with a new property called state reconstruction.We show almost all lattice-based FS-Sig schemes have this property.As a concrete application of our fundamental framework,we apply it to existing lattice-based FS-Sig schemes and provide analysis results of their security in the leakage setting.