Download presentation

Presentation is loading. Please wait.

Published byJaquelin Boucher Modified over 2 years ago

1
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs

2
Physical Attacks Leakage: Adv observes physical output of the device. Tampering: Adv modifies internal state and interacts with tampered device.

3
Example Signature infrastructure using secure tokens (no PKI). All tokens have the same secret signing key sk. Each token has a unique userID. On input message m, token signs (userID, m). (userID, sk) m Sign sk (userID, m)

4
Example: Can we attack scheme with simple physical attacks? Attack 1 (RSA sig): Leaking a random 27% of bits of RSA key lets you factor! [HS09] Attack 2 (RSA sig): Introduce single faulty bit during signing. Use resulting sig to factor the RSA modulus. [BDL97] Attack 3 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva. Sign sk (userID, m)

5
Lessons from Example Tampering attacks can be just as devastating as leakage attacks. Cannot only focus on tamper-resilience for cryptographic primitives.

6
Algorithmic Protection Want: A general compiler that takes a circuit G with state s and creates a circuit G’ with state s’ such that: (G, s) acts the same as (G’, s’) Tampering with (G’, s’) via some well-defined family F of attacks is useless.

7
Algorithmic Protection Tampering of memory and computation Tampering of memory GLMMR04 IPSW06 Circuit Memory input output Circuit Memory input output This talk

8
Algorithmic Protection Q: Why study tampering of (only) memory? Simpler. Need to understand it first. Leads to a very natural coding-theory question of independent interest. Might be reasonable in practice.

9
Code-based Solution Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

10
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

11
Coding Schemes Encoding can be randomized: c = Enc(s;r). Correctness: Dec(Enc(s)) = s with probability 1. Enc sc source messagecodeword randomized encoding Dec decoding s decoded message

12
The “Tampering Experiment” EncDec sc source message c* s* decoded message Tampering function f 2 F chosen adversarially. Independent of randomness of encoding. F={}, f1f1 f2f2, f3f3 tamper f =f(c)

13
The “Tampering Experiment” Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome s*. EncDec sc c* s* tamper F

14
Error-Correction Error-Correction: require that s* = s Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d } No randomness in Enc. Limitations: Cannot be achieved for even small/simple families F. (e.g. even the single function f that maps all values to 0). EncDec sc c* s* tamper F

15
Error-Detection Error-Detection: require that s* 2 {s, ? } (with overwhelming probability). Problem: Might learn something about s if s* = ?. Limitation: Cannot be achieved for some even small/simple families F. (e.g. family all “constant” functions f c (x) = c). EncDec sc c* s* tamper F

16
New notion: Non-Malleability Non-Malleability: either s*= s or s* is “unrelated” to s. Analogous to non-malleability in cryptography [DDN91]. Harder to define formally (stay tuned). Examples of “malleability”: The value s* is same as s, except with 3 rd bit flipped. If s begins with 0, then s* = s. Otherwise s* = ?. Hope: non-malleability achievable for many rich families F. EncDec sc c* s* tamper F

17
Defining Non-Malleability (Attempt 1) Tampering via f 2 F does not reveal information. Can answer following without knowing s: Does your tampering change the codeword c? If so, what is new message s* = Dec(c*). c Ã Enc(s 0 ) c* Ã f(c) If c* = c say “same” else say Dec (c*) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 8 s 0, s 1 : c Ã Enc(s 1 ) c* Ã f(c) If c* = c say “same” else say Dec (c*) Problem: Unnecessarily strong! Not satisfied by error-correcting codes.

18
Defining Non-Malleability s* Ã D f if s* = “same” output s else output s*. s* Ã Dec ( f(Enc(s)) ) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 simulator D f such that 8 s: Tampering via f 2 F does not reveal information. Can “simulate” the answer to following questions: Did the message s stay the same? If no, what is the new message s*?

19
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

20
General Impossibility Non-Malleability For every coding scheme (Enc, Dec) there exists a single function f, for which the scheme is malleable. f(c) = Enc(Dec(c) + 1). Bad f depends heavily on (Enc, Dec). Corollaries: No coding scheme (Enc, Dec) (with n bit codewords), is non- malleable w.r.t. F all = { all f : {0,1} n ! {0,1} n }. No efficient coding scheme is non-malleable w.r.t. all efficient functions.

21
General Possibility of Non-Malleability For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). For every “small enough” family F, there exists a nm-code w.r.t F. “small enough” F: log(log(|F|)) < n. Note: log(log(|F all |)) = n + log(n). Theorem: Proved using the probabilistic method. Not efficient…

22
Use “random code” with k-bit messages and n-bit codewords. Choose the function Dec : {0,1} n ! {0,1} k uniformly at random. Define Enc(s) to sample uniform {c s.t. Dec(c) = s}. For any fixed family F, a “random code” is non-malleable w.r.t. F with overwhelming probability if: n > log(log (|F|)) + 3k Notice: rate is 1/3, even for small F. Optimality? Question: What can we do efficiently? General Possibility of Non-Malleability

23
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

24
Bit-wise independent tampering Every bit of the codeword can be tampered arbitrarily, but independently of the value of other bits. Tampering functions f = (f 1,…,f n ) and f(c) = f 1 (c 1 ),…,f n (c n ). f i : {0,1} ! {0,1} can be arbitrary. Four options for each f i : “keep”, “flip”, “set to 0”, “set to 1”. Bit-wise independent tampering contains: All constant functions: f c (x) = c (only “set to 0/1”). All “constant error” functions : f ¢ (x) = x + ¢ (only “keep/flip”).

25
Tool 1: AMD Codes Algebraic Manipulation Detection codes: [CDFPW08] A coding scheme (AE, AD) is AMD code if for any s, ¢ 0 Pr[AD( AE(s) + ¢ ) ? ] = negligible. Achieves error-detection for “keep”/“flip”. Does not protect against “set to 0”/“set to 1”. Definition:

26
Tool 2: Secret Sharing LECSS: Linear Error-Correcting Secret Sharing (SSE, SSD). Linearity: SSE(s 1 + s 2 ) = SSE(s 1 ) + SSE(s 2 ) t-Privacy: Any t bits of SSE(s) are mutually random. d-Distance: Any c 0 s.t. weight H (c) < d, SSD(c) = ?. Definition:

27
Bit-wise independent tampering: Construction Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Given: AMD code (AE, AD). LECSS (SSE, SSD) with d/n > ¼ and t = ! (log(n)). The code: Enc(s) = SSE( AE(s) ), Dec(c) = AD( SSD(c) ) is non-malleable for bit-wise independent tampering. Theorem:

28
Bit-wise independent tampering: Proof 4 cases based on q= # of f i that are “set to 0”/”set to 1” s AMD Code LECSS c c* = f(c) f Set to 0 Set to 1 keep Set to 0 flip 0 1 c 3 +0 0 c 5 + 1 c 6 + 1 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6

29
Bit-wise independent tampering: Proof Case 1: n - t · q : Just samples Dec(c*). OK since c* is completely unrelated to s (t-privacy). s AMD Code LECSS c c* = f(c) Set to 0/1 Keep/flip Uniformly random!

30
Bit-wise independent tampering: Proof Case 2: n/2 · q < n - t: Just outputs ?. Unlikely that DSS(c*) ?. (distance/privacy). s AMD Code LECSS c Set to 0/1 Keep/flip c* = f(c) t-wise independent. few valid codewords.

31
Bit-wise independent tampering: Proof Case 3: t · q < n/2: Just outputs ?. Consider ¢ = c* - c. Same argument as previous case (linearity). s AMD Code LECSS c Set to 0/1 Keep/flip ¢ = c* - c t-wise independent. few valid codewords.

32
Bit-wise independent tampering: Proof Case 4: q · t: Samples DSS( ¢ ). If 0 output “same” else ?. ¢ is independent of AMD randomness. If ¢ 0 AMD code rejects. s AMD Code LECSS cs’ Set to 0/1 Keep/flip Uniformly random! ¢ = c* - c

33
Bit-wise independent tampering: Instantiation Recall, instantiation needs: LECSS (SSE, SSD) with distance d/n > ¼ and t = ! (log(n)). AMD code (AE, AD) AMD codes with extremely high rate [CDFPW08]. LECSS schemes? Ramp version of Shamir secret sharing does not get d/n > ¼. Use random linear code. (d = distance, t = dual distance). Not explicit, but efficient: we never need to correct errors! Parameters: Rate of final instantiation of (Enc, Dec) is k/n ¼ (1-H(.25)) ¼.19 Optimality?

34
Non-malleable Codes in the Random Oracle Model Can we instantiate a random code efficiently? Use a cryptographic hash function modeled as a Random Oracle. Cheat: gives us an “efficient” way to compute a random function. Also give this power to the adversary, tampering functions f. Each bit of f(c) depends on some subset (e.g. 90%) of the bits of c. In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”. (Access to an oracle does not change the family) Theorem:

35
Talk Outline Definition of non-malleable codes. General (im)possibility results for nm-codes. Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model. Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

36
Tamper-Resilient Security Circuit G’ c = Enc(s) Decode s= Dec(c). Evaluate G(s). G’= Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c)

37
Tamper-Resilient Security Circuit G’ c = Enc(s) Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

38
Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F adv

39
Tamper-Resilient Security Circuit G’ c* Circuit G s Original Functionality (G, s) Compiled Functionality (G’, c) Tamper: f 2 F Input xOutput y adv State is re-encoded (reactive) Input x Output y Simulator ¼

40
Tamper-Resilient Security Theorem: If (Enc, Dec) is non- malleable w.r.t. F then our compiler is tamper-resilient w.r.t. F

41
Comparison to Prior Work Same assumption: tampers memory, but not computation. Main solution: use signatures. Sign the state. Verify signature on each invocation. If fail, stop working. Does not satisfy our definition of tamper-resilient security. e.g. Set the first bit of state to 0. See if device stops working. Works for signature/encryption scheme (limitations). Device cannot update its state (requires secret key). Allows all efficient tampering strategies! Algorithmic Tamper-Proof Security [GLMMR04]

42
Comparison to Prior Work Stronger model: adversary can tamper with the wire- values during a computation of a circuit. Same strong definition of security using a simulator. Limited to tampering functions which only modify some small subset of the wires (or set wires to 0). Private Circuits (II) [IPSW06]

43
Conclusions Define non-malleable codes. Construct non-malleable codes for: All “small” families of tampering function (inefficient). Bit-wise independent tampering (efficient). Complex families closed under oracle access. (efficient in RO model). Connect non-malleable codes to tamper-resilient security. Open Questions: More efficient constructions of non-malleable codes for other families. Optimal rates? Results in the stronger model of [ISPW06].

Similar presentations

OK

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on credit policy document Ppt on professional ethics for teachers in india Ppt on rabindranath tagore in english Ppt on review of literature science Ppt on entrepreneurship development in india Ppt on indian politics jokes Ppt on mammals and egg laying animals called Ppt on mauryan Ppt on limits and continuity solutions Ppt on bagasse cogeneration