Download presentation

Presentation is loading. Please wait.

Published byEdwin Pauling Modified over 3 years ago

1
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER BUUS NIELSEN, DANIELE VENTURI TCC 2014 1

2
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 f THE TAMPERING EXPERIMENT 2 Tampering Experiment for encoding scheme (Enc,Dec) : Enc s Tamper 2F2F C Dec s* Goal: Design encoding scheme (Enc,Dec) for interesting F that provides meaningful guarantees about s*. C*=f(C)

3
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 ERROR CORRECTION/DETECTION & NON-MALLEABILITY 3 f 2 F Error-Correction: Requires s* = s but e.g. for hamming codes f must be such that: Ham-Dist ( C, C *) < d/2. i.e. F is very limited ! Error-Detection: Requires s* = {s, ? } but F cant contain simple function e.g. constant functions f Ĉ (.)= Ĉ Non-Malleability[ DPW10 ]: Requires s* = s or unrelated to s. Hope : Achievable for rich F Enc s Tamper C Dec s* C*=f(C)

4
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 Impossibility [ DPW10 ]: Not achievable if F contains f which knows Dec. For any ( Enc, Dec ) consider f bad which decodes C, flips 1-bit and re- encodes to C*. Conclusion: There is no NMC for F all Possibilities to restrict F : 1. Compromise complexity : make | F |[ FMVW14 ] small. 2. Compromise granularity – Split-state : Considered in [DPW10, LL12, DKO13, ADL13, CG13 ( last talk )] and this work. LIMITATION AND POSSIBILITY 4

5
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 SPLIT-STATE TAMPERING 5 In this model, C = (C 1,C 2 ) and f =(f 1, f 2 ) for arbitrary f 1, f 2 5 f1f1 f1f1 s C1C1 C2C2 f2f2 f2f2 C1*C1* C2*C2* Dec Enc s* Why split-state ? Might be easy to implement. well-studied model in leakage - resilient crypto. generalizes some other models (e.g. independent bit tampering [ DPW10 ]) Rest of the talk

6
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUTLINE: REST OF THE TALK 6 Formalize and introduce CNMC. Explore a necessary requirement for CNMC. Present the construction. Overview of proof. Application.

7
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: Repeat adaptively CNMC: A NATURAL EXTENSION 7 Set (C 1 *,C 2 *) (f 1 (C 1 ), f 2 (C 2 )) If (C 1 *,C 2 *) = (C 1,C 2 ) return same Else return (C 1 *,C 2 *) 3. Output View (f 1, f 2 ) return Tamper( s b ) View Attack[GLMMR04]: Guess each bit, overwrite and check if the output is same - recover bit by bit Way Out: Assume Self-Destruct: If output ? once, then STOP interaction. continuous

8
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: Repeat adaptively CNMC: A NATURAL EXTENSION 8 Set (C 1 *,C 2 *) (f 1 (C 1 ), f 2 (C 2 )) If (C 1 *,C 2 *) = (C 1,C 2 ) return same Else if Dec( C 1 *,C 2 * )= ? then return ? and self-destruct. Else return (C 1 *,C 2 *) 3. Output View (f 1, f 2 ) View return Tamper( s b ) Hang on for applications

9
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 UNIQUENESS: A NECESSARY PROPERTY 9 Both ( C 1,C 2 ) and ( C 1,C 2 ) are valid Why necessary ? 1.f 1 always replaces T 1 with C 1 2.f 2 checks if T 2 [i] = 0, then replaces T 2 with C 2 else replaces T 2 with C 2 Otherwise suppose Recovers T 2 (f 1, f 2 ) After knowing T 2: 3. f 1 hard-code T 2 and decode s Dec ( T 1,T 2 ). 4. Depending on s f 1 leaves it same or tampers. [LL12] construction does not satisfy Corollary: Information theoretic CNMC (split- state) is impossible.

10
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 TOWARDS CONSTRUCTING CNMC 10 Idea: Similar to [LL12], but adjusted to satisfy uniqueness. The ingredients: 1. L eakage(bounded) R esilient E ncoding in split-state. 2. C ollision R esistant H ash F unctions 3. Robust N on- I nteractive Z ero K nowledge. Possible to extract a witness from a valid proof which is not simulated s C1C1 C2C2 Enc Leakage reveals nothing about s

11
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUR CONSTRUCTION 11 1. Encode using LRE : ( z 0,z 1 )LREnc(s) 2. Compute hashes with CRHF H : h 0 = H ( z 0 ) & h 1 = H ( z 1 ) 3. Generate NIZK-POK : π 0 Prove (CRS,h 0, z 0 ) & π 1 Prove (CRS,h 1, z 1 ) Encoding z0z0 h1h1 π1π1 π0π0 z1z1 h0h0 π0π0 π1π1 CRS 1. Local Check: Check if proofs in each side verify using CRS. 2. Global Check: Check if the hashes are correct and the proofs match. 3. If all of above pass decode using LRE: ( s )LRDec( z 0,z 1 ), else output ? Decoding Uniqeness holds: Easy to see. = C 0 C1=C1= Part-1Part-0

12
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 PROOF INTUITIONS 12 recall Main Idea: Reduction from L eakage R esilient E ncoding. leakage tampering Simulate Easy to simulate: always output ? j* denotes the index where it outputs ? for the first time. Complicated case-analysis involves uniqeness, robustness of NIZK, collision resistance etc….. Main Difficulties. 1.simulate continuous tampering using only bounded leakage. 2. Simulate the tamper view with independent leakage access to each part of codword. How to know j* ? possible using bounded leakage.

13
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 APPLICATION TO PROTECT AGAINST MEMORY- TAMPERING 13 Memory Circuit G s' Memory Circuit G s Idea: Build compiler for any functionality [ DPW 10 ] compile Initialization: s' := NMEnc ( s ) Execution of G [s](x): 1. s = NMDec(s) 2. if s = ? then self-destruct else output G[s](x) Tamper- simlatability:

14
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 DRAWBACK AND SOLUTION Requires perfect erasures. Each time the new state is re-encoded, the old one must be erased. Otherwise Adv can copy. Must erase entire memory ! Transformation is stateful even for stateless functionalities.. Decode, compute and re-encode with fresh randomness - constructing stateless transformation was open queation [DPW10] 14 Both solved with CNMC !

15
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUR TAMPERING MODEL 15 Memory space much bigger than length of codeword. C := NMEnc ( s ) C C Memory M Memory M*= f (M) f Main application. In this model we construct a Stateless Transformation for stateless functionalities assuming 1untamperable bit (used for self-destruct ).

16
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 SUMMARIZE CNMC: A natural extension of NMC. First concrete construction. Application: Protect against memory tampering in much stronger and practical model. Open: We consider only split-state model, could be interesting to consider also global model. 16

17
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 17

18
AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 PROOF INTUITIONS 18 recall Main Idea: Reduction from L eakage R esilient E ncoding. Main Challenge:. simulate continuous tampering using only bounded leakage Ask to Reveal C 0 Get f 0,,f 1 Before round j*: Compute C 0 * = f 0 (C 0 ); Let C 0 * = (z 0 *,h 1 *, π 1 *, π 0 * ) Simulate based on cases: 1. C 0 * = C 0 output same. 2. C 0 *C 0 : : (i) if any proof fails output ? (ii) π 1 * π 1 : extracts z 1 from π 1 * (iii) Else output ? Almost done except …. How to learn j* ? – Non-trivial as the leakage is only bounded. It runs the same simulator inside leakage oracle. Find j* by binary search comparing the simulated output.

Similar presentations

OK

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google