International Association
for Cryptologic Research

We investigate new models and constructions which allow

leakage-resilient signatures secure against existential forgeries,

where the signature is much shorter than the leakage bound.

Current models of leakage-resilient signatures against existential

forgeries demand that the adversary cannot produce a new valid

message/signature pair $(m, \\sigma)$ even after receiving some

$\\lambda$ bits of leakage on the signing key. If $\\vert \\sigma \\vert

\\le \\lambda$, then the adversary can just choose to leak a valid

signature $\\sigma$, and hence signatures must be larger than the

allowed leakage, which is impractical as the goal often is to have

large signing keys to allow a lot of leakage.

We propose a new notion of leakage-resilient signatures against

existential forgeries where we demand that the adversary cannot

produce $n = \\lfloor \\lambda / \\vert \\sigma \\vert \\rfloor + 1$

distinct valid message/signature pairs

$(m_1, \\sigma_1), \\ldots, (m_n, \\sigma_n)$ after receiving

$\\lambda$ bits of leakage. If $\\lambda =

0$, this is the usual notion of existential unforgeability. If $1