Digital signatures are essential techniques used in the real world, especially for validating the authenticity of a given message. The security of the digital signatures based on the traditional security definition, however, may be vulnerable to the side-channel attacks. Currently, although several leakage-resilient signature (LR-Sig) schemes have been proposed to model the side-channel attacks, the schemes are highly inefficient. Because either the signature size is quite large or a limited fraction of the secret key can be leaked. In this paper, we present practical LR-Sig schemes that are able to withstand a large scale of leakage.

Technically, we build the first generic construction of LR-Sig, which is secure in the auxiliary input model (allowing leakage by any hard-to-invert function), continual memory leakage (updating the secret key periodically while remaining the public key fixed) and fully leakage resilience (admitting leakage of the secret key and the signing randomness). Apart from the strong security model, the sizes of our signature and public key are the same as each underlying standard signature scheme. In particular, the verification algorithm of our LR-Sig is as fast as the original scheme. Thereby, our instantiation LR-ECDSA can be easily adopted in the existing cryptocurrencies since no additional modification is needed for the verifier side.

Furthermore, we provide the first comprehensive quantitative analysis for different LR-Sig schemes. The state-of-the-art signature schemes, which are able to leak over 50% of the secret key, are at least 565$k$ bits. Comparatively, our shortest instantiation LR-BLS has a signature size of only 1 group element (382 bits, shorten by 1479 times) regardless of the percentage of leakage. Meanwhile, our LR-BLS is also the first deterministic LR-Sig. Besides, our instantiation LR-Schnorr enjoys the fastest verification.

数字签名是现实世界中使用的基本技术，尤其是用于验证给定消息的真实性。然而，基于传统安全定义的数字签名的安全性可能容易受到边信道攻击。目前，虽然已经提出了几种泄漏弹性签名（LR-Sig）方案来模拟边信道攻击，但这些方案效率非常低。因为要么签名大小非常大，要么可能会泄露密钥的有限部分。在本文中，我们提出了能够承受大规模泄漏的实用LR-Sig 方案。

从技术上讲，我们构建了LR-Sig 的第一个通用构造，它在辅助输入模型中是安全的（允许任何难以反转的函数泄漏），持续内存泄漏（定期更新密钥，同时保持公钥固定）完全的泄漏弹性（承认密钥泄漏和签名随机性）。除了强大的安全模型外，我们的签名和公钥的大小是相同的作为每个基础标准签名方案。特别是，我们的 LR-Sig 的验证算法与原始方案一样快。因此，我们的实例化 LR-ECDSA 可以很容易地在现有的加密货币中采用，因为验证方不需要额外的修改。

此外，我们首次对不同的 LR-Sig 方案进行全面的定量分析。能够泄漏超过 50% 的密钥的最先进的签名方案至少为 565$k$位。相比之下，无论泄漏百分比如何，我们最短的实例化 LR-BLS 的签名大小仅为 1 个组元素（382 位，缩短了 1479 倍）。同时，我们的 LR-BLS 也是第一个确定性的 LR-Sig。此外，我们的实例化 LR-Schnorr 享有最快的验证。