Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:

Published byLenard McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:"— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran

2 2 PrimitiveAttacksGuaranteesFunction ality Communi cation Assumpti ons Leakag e TamperingCorrectne ss SecrecyFunction class Output form FHEANYnoneyesYESCircuitsEncryptedMinimalComputati onal ANYno Arguments (CS proofs / PCD / SNARG) ANY YESnoRAM, distributed PlaintextMinimalExotic computati onal / oracle MPCANY YES ANYPlaintextHeavy interaction Mild computati onal Garbled circuits ANYnoneyesYESCircuitsPlaintextPreproces sing + minimal Mild computati onal ANYno Leakage resilience VariesnoneyesYESVariesPlaintextMinimalVaries Tamper resilience Varies PlaintextMinimalVaries ObfuscationANY YES PlaintextMinimal0=1 TPMSecure hardware

3 Leakage resilience s x y=y(s,x) s’ x y=y(s,x) Same I/O functionality Keeps secret even in the presence of side-channel attacks: leakage and tampering 3

4 INPUT OUTPUT CIRCUIT MEMORY Model Circuits runs for many cycles In each cycle: –Adversary chooses input –Adversary chooses an admissible attack Leakage and/or tampering from a specified class –Adversary observes output + leakage –Memory state is updated 4

5 INPUT OUTPUT CIRCUIT MEMORY Circuit transformers T=(T C,T s ), on inputs k,t, maps C to C’ and s 0 to s 0 ’. T s must be randomized –Otherwise initial state s 0 is revealed by probing C’ can be either randomized or (better yet) deterministic. Functionally equivalent: C[s 0 ]  C’[s 0 ’] C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’ 5

6 6 s xY Any boolean circuit Circuit transformation Transformed circuit admissible leakage YX black-box indistinguishable Security [Ishai Sahai Wagner ’03]

7 INPUT OUTPUT CIRCUIT MEMORY Security definition T protects privacy:  circuit C  efficient Sim  admissible Adv  initial state s 0 : Sim Adv,C[s0]  view of Adv attacking C’[s 0 ’] (Even in case of tampering, only privacy is required) C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’ 7

8 INPUT OUTPUT CIRCUIT MEMORY Relation to obfuscation C’[s 0 ’] should act like a “virtual black-box” for C[s 0 ]. –Even in the presence of side-channel attacks Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated –Can’t probe all wires in a single cycle –Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06] –Can’t freely “edit” gates and wires C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’ 8

9 Simple/practical schemes I Sum-of-wires leakage –Dual-Rail Logic Sum-of-wire-transitions leakage –Dual-Rail Precharge Logic Protecting s Practical complications: –Capacitance imbalance –Glitches –Cell internals 9

10 Simple/practical schemes II Single-wire leakage –Bit masking Single-”value” leakage –RSA blinding t-wire leakage –Secret sharing… 10

11 t-wire leakage [ISW03] Secrets additively shared into m=2t+1 shares Given shares of a=a 1  …  a m and b=b 1  …  b m : –Compute shares of NOT(a) : apply NOT to a 1 –Compute shares c i of a AND b : Let z i,j, i<j, be random independent bits Let z j,i =(z i,j  a i b j )  a j b i (i<j) Let c i =a i b i   j  i z i,j Re-randomize s’ at every iteration Randomness gates eliminated by a random-number generator s0’s0’ 11

12 12 s XY Any boolean circuit Circuit transformation Transformed circuit t-wire probing YX black-box indistinguishable [ISW03]

13 13 Our goal Allow stronger leakage.

14 14 Leakage classes Locality assumptions –Single wire, t wires –Separate sub-circuits –Leak-free processor (Oblivious RAM [GO95]) –Leak-free memory (“only computation leaks information” [MR04]: leakage from CPU state and memory accessed at that program step) “Simple leakgage” –Sums and Hamming weights –Low-complexity global functions Specific functionality (mainly crypto)

Download ppt "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:"

Similar presentations

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.

Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2013-2014 Lecture 7: Tamper Resilience, Cryptographic leakage Resilience Eran Tromer Slides.

1 Information Security – Theory vs. Reality , Winter Lecture 7: Tamper Resilience, Cryptographic leakage Resilience Eran Tromer Slides.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.

On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Daniel Moran & Marina Yatsina. Access control through encryption.

Daniel Moran & Marina Yatsina. Access control through encryption.

Similar presentations

Ads by Google