Download presentation

Presentation is loading. Please wait.

Published byJaquelin Boucher Modified over 2 years ago

1
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs

2
Physical Attacks Leakage: Adv observes physical output of the device. Tampering: Adv modifies internal state and interacts with tampered device.

3
Example Signature infrastructure using secure tokens (no PKI). All tokens have the same secret signing key sk. Each token has a unique userID. On input message m, token signs (userID, m). (userID, sk) m Sign sk (userID, m)

4
Example: Can we attack scheme with simple physical attacks? Attack 1 (RSA sig): Leaking a random 27% of bits of RSA key lets you factor! [HS09] Attack 2 (RSA sig): Introduce single faulty bit during signing. Use resulting sig to factor the RSA modulus. [BDL97] Attack 3 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva. Sign sk (userID, m)

5
Lessons from Example Tampering attacks can be just as devastating as leakage attacks. Cannot only focus on tamper-resilience for cryptographic primitives.

6
Algorithmic Protection Want: A general compiler that takes a circuit G with state s and creates a circuit G’ with state s’ such that: (G, s) acts the same as (G’, s’) Tampering with (G’, s’) via some well-defined family F of attacks is useless.

7
Algorithmic Protection Tampering of memory and computation Tampering of memory GLMMR04 IPSW06 Circuit Memory input output Circuit Memory input output This talk

8
Algorithmic Protection Q: Why study tampering of (only) memory? Simpler. Need to understand it first. Leads to a very natural coding-theory question of independent interest. Might be reasonable in practice.

9
Code-based Solution Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

10
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

11
Coding Schemes Encoding can be randomized: c = Enc(s;r). Correctness: Dec(Enc(s)) = s with probability 1. Enc sc source messagecodeword randomized encoding Dec decoding s decoded message

12
The “Tampering Experiment” EncDec sc source message c* s* decoded message Tampering function f 2 F chosen adversarially. Independent of randomness of encoding. F={}, f1f1 f2f2, f3f3 tamper f =f(c)

13
The “Tampering Experiment” Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome s*. EncDec sc c* s* tamper F

14
Error-Correction Error-Correction: require that s* = s Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d } No randomness in Enc. Limitations: Cannot be achieved for even small/simple families F. (e.g. even the single function f that maps all values to 0). EncDec sc c* s* tamper F

15
Error-Detection Error-Detection: require that s* 2 {s, ? } (with overwhelming probability). Problem: Might learn something about s if s* = ?. Limitation: Cannot be achieved for some even small/simple families F. (e.g. family all “constant” functions f c (x) = c). EncDec sc c* s* tamper F

16
New notion: Non-Malleability Non-Malleability: either s*= s or s* is “unrelated” to s. Analogous to non-malleability in cryptography [DDN91]. Harder to define formally (stay tuned). Examples of “malleability”: The value s* is same as s, except with 3 rd bit flipped. If s begins with 0, then s* = s. Otherwise s* = ?. Hope: non-malleability achievable for many rich families F. EncDec sc c* s* tamper F

17
Defining Non-Malleability (Attempt 1) Tampering via f 2 F does not reveal information. Can answer following without knowing s: Does your tampering change the codeword c? If so, what is new message s* = Dec(c*). c Ã Enc(s 0 ) c* Ã f(c) If c* = c say “same” else say Dec (c*) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 8 s 0, s 1 : c Ã Enc(s 1 ) c* Ã f(c) If c* = c say “same” else say Dec (c*) Problem: Unnecessarily strong! Not satisfied by error-correcting codes.

18
Defining Non-Malleability s* Ã D f if s* = “same” output s else output s*. s* Ã Dec ( f(Enc(s)) ) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 simulator D f such that 8 s: Tampering via f 2 F does not reveal information. Can “simulate” the answer to following questions: Did the message s stay the same? If no, what is the new message s*?

19
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

20
General Impossibility Non-Malleability For every coding scheme (Enc, Dec) there exists a single function f, for which the scheme is malleable. f(c) = Enc(Dec(c) + 1). Bad f depends heavily on (Enc, Dec). Corollaries: No coding scheme (Enc, Dec) (with n bit codewords), is non- malleable w.r.t. F all = { all f : {0,1} n ! {0,1} n }. No efficient coding scheme is non-malleable w.r.t. all efficient functions.

21
General Possibility of Non-Malleability For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). Theorem: Proved using the probabilistic method. Not efficient…

22
Use “random code” with k-bit messages and n-bit codewords. Choose the function Dec : {0,1} n ! {0,1} k uniformly at random. Define Enc(s) to sample uniform {c s.t. Dec(c) = s}. For any fixed family F, a “random code” is non-malleable w.r.t. F with overwhelming probability if: n > log(log (|F|)) + 3k Notice: rate is 1/3, even for small F. Optimality? Question: What can we do efficiently? General Possibility of Non-Malleability

23
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

24
Bit-wise independent tampering Every bit of the codeword can be tampered arbitrarily, but independently of the value of other bits. Tampering functions f = (f 1,…,f n ) and f(c) = f 1 (c 1 ),…,f n (c n ). f i : {0,1} ! {0,1} can be arbitrary. Four options for each f i : “keep”, “flip”, “set to 0”, “set to 1”. Bit-wise independent tampering contains: All constant functions: f c (x) = c (only “set to 0/1”). All “constant error” functions : f ¢ (x) = x + ¢ (only “keep/flip”).

25
Tool 1: AMD Codes Algebraic Manipulation Detection codes: [CDFPW08] A coding scheme (AE, AD) is AMD code if for any s, ¢ 0 Pr[AD( AE(s) + ¢ ) ? ] = negligible. Achieves error-detection for “keep”/“flip”. Does not protect against “set to 0”/“set to 1”. Definition:

26
Tool 2: Secret Sharing LECSS: Linear Error-Correcting Secret Sharing (SSE, SSD). Linearity: SSE(s 1 + s 2 ) = SSE(s 1 ) + SSE(s 2 ) t-Privacy: Any t bits of SSE(s) are mutually random. d-Distance: Any c 0 s.t. weight H (c) < d, SSD(c) = ?. Definition:

27
Bit-wise independent tampering: Construction Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Theorem:

28
Bit-wise independent tampering: Proof 4 cases based on q= # of f i that are “set to 0”/”set to 1” s AMD Code LECSS c c* = f(c) f Set to 0 Set to 1 keep Set to 0 flip 0 1 c 3 +0 0 c 5 + 1 c 6 + 1 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6

29
Bit-wise independent tampering: Proof Case 1: n - t · q : Just samples Dec(c*). OK since c* is completely unrelated to s (t-privacy). s AMD Code LECSS c c* = f(c) Set to 0/1 Keep/flip Uniformly random!

30
Bit-wise independent tampering: Proof Case 2: n/2 · q < n - t: Just outputs ?. Unlikely that DSS(c*) ?. (distance/privacy). s AMD Code LECSS c Set to 0/1 Keep/flip c* = f(c) t-wise independent. few valid codewords.

31
Bit-wise independent tampering: Proof Case 3: t · q < n/2: Just outputs ?. Consider ¢ = c* - c. Same argument as previous case (linearity). s AMD Code LECSS c Set to 0/1 Keep/flip ¢ = c* - c t-wise independent. few valid codewords.

32
Bit-wise independent tampering: Proof Case 4: q · t: Samples DSS( ¢ ). If 0 output “same” else ?. ¢ is independent of AMD randomness. If ¢ 0 AMD code rejects. s AMD Code LECSS cs’ Set to 0/1 Keep/flip Uniformly random! ¢ = c* - c

33
Bit-wise independent tampering: Instantiation Recall, instantiation needs: LECSS (SSE, SSD) with distance d/n > ¼ and t = ! (log(n)). AMD code (AE, AD) AMD codes with extremely high rate [CDFPW08]. LECSS schemes? Ramp version of Shamir secret sharing does not get d/n > ¼. Use random linear code. (d = distance, t = dual distance). Not explicit, but efficient: we never need to correct errors! Parameters: Rate of final instantiation of (Enc, Dec) is k/n ¼ (1-H(.25)) ¼.19 Optimality?

34
Non-malleable Codes in the Random Oracle Model Can we instantiate a random code efficiently? Use a cryptographic hash function modeled as a Random Oracle. Cheat: gives us an “efficient” way to compute a random function. Also give this power to the adversary, tampering functions f. Each bit of f(c) depends on some subset (e.g. 90%) of the bits of c. In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) Theorem:

35
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

36
Tamper-Resilient Security Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

37
Tamper-Resilient Security Circuit G’ c = Enc(s) Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

38
Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

39
Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F Input xOutput y adv State is re-encoded (reactive) Input x Output y Simulator ¼

40
Tamper-Resilient Security Theorem: If (Enc, Dec) is non- malleable w.r.t. F then our compiler is tamper-resilient w.r.t. F

41
Comparison to Prior Work Same assumption: tampers memory, but not computation. Main solution: use signatures. Sign the state. Verify signature on each invocation. If fail, stop working. Does not satisfy our definition of tamper-resilient security. e.g. Set the first bit of state to 0. See if device stops working. Works for signature/encryption scheme (limitations). Device cannot update its state (requires secret key). Allows all efficient tampering strategies! Algorithmic Tamper-Proof Security [GLMMR04]

42
Comparison to Prior Work Stronger model: adversary can tamper with the wire- values during a computation of a circuit. Same strong definition of security using a simulator. Limited to tampering functions which only modify some small subset of the wires (or set wires to 0). Private Circuits (II) [IPSW06]

43
Conclusions Define non-malleable codes. Construct non-malleable codes for: All “small” families of tampering function (inefficient). Bit-wise independent tampering (efficient). Complex families closed under oracle access. (efficient in RO model). Connect non-malleable codes to tamper-resilient security. Open Questions: More efficient constructions of non-malleable codes for other families. Optimal rates? Results in the stronger model of [ISPW06].

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google