Presentation is loading. Please wait.

Presentation is loading. Please wait.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

Published byJaquelin Boucher Modified over 9 years ago

Similar presentations

Presentation on theme: "NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs."— Presentation transcript:

1 NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs

2 Physical Attacks  Leakage: Adv observes physical output of the device.  Tampering: Adv modifies internal state and interacts with tampered device.

3 Example Signature infrastructure using secure tokens (no PKI).  All tokens have the same secret signing key sk.  Each token has a unique userID.  On input message m, token signs (userID, m). (userID, sk) m Sign sk (userID, m)

4 Example: Can we attack scheme with simple physical attacks?  Attack 1 (RSA sig): Leaking a random 27% of bits of RSA key lets you factor! [HS09]  Attack 2 (RSA sig): Introduce single faulty bit during signing. Use resulting sig to factor the RSA modulus. [BDL97]  Attack 3 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva. Sign sk (userID, m)

5 Lessons from Example  Tampering attacks can be just as devastating as leakage attacks.  Cannot only focus on tamper-resilience for cryptographic primitives.

6 Algorithmic Protection Want: A general compiler that takes a circuit G with state s and creates a circuit G’ with state s’ such that:  (G, s) acts the same as (G’, s’)  Tampering with (G’, s’) via some well-defined family F of attacks is useless.

7 Algorithmic Protection Tampering of memory and computation Tampering of memory GLMMR04 IPSW06 Circuit Memory input output Circuit Memory input output This talk

8 Algorithmic Protection  Q: Why study tampering of (only) memory?  Simpler. Need to understand it first.  Leads to a very natural coding-theory question of independent interest.  Might be reasonable in practice.

9 Code-based Solution Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

10 Talk Outline  Definition of non-malleable codes.  General (im)possibility results for nm-codes.  Efficient non-malleable codes.  Bit-wise independent tampering.  Results in the RO model.  Application to tamper-resilient security:  Formal model of tamper-resilience.  Application of non-malleable codes.  Comparison to prior work.

11 Coding Schemes  Encoding can be randomized: c = Enc(s;r).  Correctness: Dec(Enc(s)) = s with probability 1. Enc sc source messagecodeword randomized encoding Dec decoding s decoded message

12 The “Tampering Experiment” EncDec sc source message c* s* decoded message  Tampering function f 2 F chosen adversarially.  Independent of randomness of encoding. F={}, f1f1 f2f2, f3f3 tamper f =f(c)

13 The “Tampering Experiment” Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome s*. EncDec sc c* s* tamper F

14 Error-Correction  Error-Correction: require that s* = s  Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d }  No randomness in Enc.  Limitations: Cannot be achieved for even small/simple families F. (e.g. even the single function f that maps all values to 0). EncDec sc c* s* tamper F

15 Error-Detection  Error-Detection: require that s* 2 {s, ? } (with overwhelming probability).  Problem: Might learn something about s if s* = ?.  Limitation: Cannot be achieved for some even small/simple families F. (e.g. family all “constant” functions f c (x) = c). EncDec sc c* s* tamper F

16 New notion: Non-Malleability  Non-Malleability: either s*= s or s* is “unrelated” to s.  Analogous to non-malleability in cryptography [DDN91].  Harder to define formally (stay tuned).  Examples of “malleability”:  The value s* is same as s, except with 3 rd bit flipped.  If s begins with 0, then s* = s. Otherwise s* = ?.  Hope: non-malleability achievable for many rich families F. EncDec sc c* s* tamper F

17 Defining Non-Malleability (Attempt 1)  Tampering via f 2 F does not reveal information. Can answer following without knowing s:  Does your tampering change the codeword c?  If so, what is new message s* = Dec(c*). c à Enc(s 0 ) c* à f(c) If c* = c say “same” else say Dec (c*) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 8 s 0, s 1 : c à Enc(s 1 ) c* à f(c) If c* = c say “same” else say Dec (c*) Problem: Unnecessarily strong! Not satisfied by error-correcting codes.

18 Defining Non-Malleability s* Ã D f if s* = “same” output s else output s*. s* Ã Dec ( f(Enc(s)) ) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 simulator D f such that 8 s:  Tampering via f 2 F does not reveal information. Can “simulate” the answer to following questions:  Did the message s stay the same?  If no, what is the new message s*?

19 Talk Outline  Definition of non-malleable codes.  General (im)possibility results for nm-codes.  Efficient non-malleable codes.  Bit-wise independent tampering.  Results in the RO model.  Application to tamper-resilient security:  Formal model of tamper-resilience.  Application of non-malleable codes.  Comparison to prior work.

20 General Impossibility Non-Malleability  For every coding scheme (Enc, Dec) there exists a single function f, for which the scheme is malleable.  f(c) = Enc(Dec(c) + 1).  Bad f depends heavily on (Enc, Dec).  Corollaries:  No coding scheme (Enc, Dec) (with n bit codewords), is non- malleable w.r.t. F all = { all f : {0,1} n ! {0,1} n }.  No efficient coding scheme is non-malleable w.r.t. all efficient functions.

21 General Possibility of Non-Malleability For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). Theorem: Proved using the probabilistic method. Not efficient…

22  Use “random code” with k-bit messages and n-bit codewords.  Choose the function Dec : {0,1} n ! {0,1} k uniformly at random.  Define Enc(s) to sample uniform {c s.t. Dec(c) = s}.  For any fixed family F, a “random code” is non-malleable w.r.t. F with overwhelming probability if: n > log(log (|F|)) + 3k  Notice: rate is 1/3, even for small F. Optimality?  Question: What can we do efficiently? General Possibility of Non-Malleability

23 Talk Outline  Definition of non-malleable codes.  General (im)possibility results for nm-codes.  Efficient non-malleable codes.  Bit-wise independent tampering.  Results in the RO model.  Application to tamper-resilient security:  Formal model of tamper-resilience.  Application of non-malleable codes.  Comparison to prior work.

24 Bit-wise independent tampering  Every bit of the codeword can be tampered arbitrarily, but independently of the value of other bits.  Tampering functions f = (f 1,…,f n ) and f(c) = f 1 (c 1 ),…,f n (c n ).  f i : {0,1} ! {0,1} can be arbitrary. Four options for each f i : “keep”, “flip”, “set to 0”, “set to 1”.  Bit-wise independent tampering contains:  All constant functions: f c (x) = c (only “set to 0/1”).  All “constant error” functions : f ¢ (x) = x + ¢ (only “keep/flip”).

25 Tool 1: AMD Codes  Algebraic Manipulation Detection codes: [CDFPW08] A coding scheme (AE, AD) is AMD code if for any s, ¢  0 Pr[AD( AE(s) + ¢ )  ? ] = negligible.  Achieves error-detection for “keep”/“flip”.  Does not protect against “set to 0”/“set to 1”. Definition:

26 Tool 2: Secret Sharing  LECSS: Linear Error-Correcting Secret Sharing (SSE, SSD).  Linearity: SSE(s 1 + s 2 ) = SSE(s 1 ) + SSE(s 2 )  t-Privacy: Any t bits of SSE(s) are mutually random.  d-Distance: Any c  0 s.t. weight H (c) < d, SSD(c) = ?. Definition:

27 Bit-wise independent tampering: Construction Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Theorem:

28 Bit-wise independent tampering: Proof  4 cases based on q= # of f i that are “set to 0”/”set to 1” s AMD Code LECSS c c* = f(c) f Set to 0 Set to 1 keep Set to 0 flip 0 1 c 3 +0 0 c 5 + 1 c 6 + 1 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6

29 Bit-wise independent tampering: Proof  Case 1: n - t · q : Just samples Dec(c*).  OK since c* is completely unrelated to s (t-privacy). s AMD Code LECSS c c* = f(c) Set to 0/1 Keep/flip Uniformly random!

30 Bit-wise independent tampering: Proof  Case 2: n/2 · q < n - t: Just outputs ?.  Unlikely that DSS(c*)  ?. (distance/privacy). s AMD Code LECSS c Set to 0/1 Keep/flip c* = f(c) t-wise independent. few valid codewords.

31 Bit-wise independent tampering: Proof  Case 3: t · q < n/2: Just outputs ?.  Consider ¢ = c* - c. Same argument as previous case (linearity). s AMD Code LECSS c Set to 0/1 Keep/flip ¢ = c* - c t-wise independent. few valid codewords.

32 Bit-wise independent tampering: Proof  Case 4: q · t: Samples DSS( ¢ ). If 0 output “same” else ?.  ¢ is independent of AMD randomness.  If ¢  0 AMD code rejects. s AMD Code LECSS cs’ Set to 0/1 Keep/flip Uniformly random! ¢ = c* - c

33 Bit-wise independent tampering: Instantiation  Recall, instantiation needs:  LECSS (SSE, SSD) with distance d/n > ¼ and t = ! (log(n)).  AMD code (AE, AD)  AMD codes with extremely high rate [CDFPW08].  LECSS schemes?  Ramp version of Shamir secret sharing does not get d/n > ¼.  Use random linear code. (d = distance, t = dual distance).  Not explicit, but efficient: we never need to correct errors!  Parameters: Rate of final instantiation of (Enc, Dec) is k/n ¼ (1-H(.25)) ¼.19  Optimality?

34 Non-malleable Codes in the Random Oracle Model  Can we instantiate a random code efficiently?  Use a cryptographic hash function modeled as a Random Oracle.  Cheat: gives us an “efficient” way to compute a random function.  Also give this power to the adversary, tampering functions f.  Each bit of f(c) depends on some subset (e.g. 90%) of the bits of c. In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) Theorem:

35 Talk Outline  Definition of non-malleable codes.  General (im)possibility results for nm-codes.  Efficient non-malleable codes.  Bit-wise independent tampering.  Results in the RO model.  Application to tamper-resilient security:  Formal model of tamper-resilience.  Application of non-malleable codes.  Comparison to prior work.

36 Tamper-Resilient Security Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

37 Tamper-Resilient Security Circuit G’ c = Enc(s) Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

38 Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

39 Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F Input xOutput y adv State is re-encoded (reactive) Input x Output y Simulator ¼

40 Tamper-Resilient Security Theorem: If (Enc, Dec) is non- malleable w.r.t. F then our compiler is tamper-resilient w.r.t. F

41 Comparison to Prior Work  Same assumption: tampers memory, but not computation.  Main solution: use signatures.  Sign the state.  Verify signature on each invocation. If fail, stop working.  Does not satisfy our definition of tamper-resilient security.  e.g. Set the first bit of state to 0. See if device stops working.  Works for signature/encryption scheme (limitations).  Device cannot update its state (requires secret key).  Allows all efficient tampering strategies! Algorithmic Tamper-Proof Security [GLMMR04]

42 Comparison to Prior Work  Stronger model: adversary can tamper with the wire- values during a computation of a circuit.  Same strong definition of security using a simulator.  Limited to tampering functions which only modify some small subset of the wires (or set wires to 0). Private Circuits (II) [IPSW06]

43 Conclusions  Define non-malleable codes.  Construct non-malleable codes for:  All “small” families of tampering function (inefficient).  Bit-wise independent tampering (efficient).  Complex families closed under oracle access. (efficient in RO model).  Connect non-malleable codes to tamper-resilient security.  Open Questions:  More efficient constructions of non-malleable codes for other families.  Optimal rates?  Results in the stronger model of [ISPW06].

Download ppt "NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs."

Similar presentations

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.

A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Similar presentations

Ads by Google