Leakage-Resilient Storage
Francesco Davì, Stefan Dziembowski, Daniele Venturi
SCN 2010, 13/09/2010, Sapienza University of Rome

Presentation transcript:

Leakage-Resilient Storage
Francesco Davì, Stefan Dziembowski, Daniele Venturi
SCN 2010, 13/09/2010, Sapienza University of Rome

Plan
1. Leakage-Resilient Cryptography
 - Motivation
 - Leakage models
2. Our contribution: Leakage-Resilient Storage
 - Definition and Properties
 - Constructions
3. Conclusion
Davì, Dziembowski, Venturi – Leakage-Resilient Storage, SCN 2010, 13/09/2010

How to construct secure cryptographic devices?
The cryptographic algorithm ("CRYPTO") is very secure: its security is based on well-defined mathematical problems.
The cryptographic device that runs it is not secure!

The problem
The cryptographic algorithm is hard to attack; the cryptographic device is easy to attack.

Information leakage
A cryptographic device leaks side-channel information: power consumption, electromagnetic radiation, timing information, …

Leakage-Resilient Cryptography
Design cryptographic protocols that are secure even on machines that leak information.

Leakage-Resilient Cryptography: The Models
- Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10): only computation leaks; total leakage unbounded.
- Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10): all the memory leaks; total leakage bounded.
- Auxiliary input (DKL09, DGKPV10): all the memory leaks; it is computationally hard to recover the secret from the leakage.
- Continual memory-leakage (BKKV10, DHLW10): all the memory leaks; total leakage unbounded.

Bounded memory-leakage model
The adversary is allowed to learn (adaptively) the values of t leakage functions (chosen by her) on the internal data used by the cryptographic scheme.

Leakage functions
The adversary chooses a leakage function f; it is applied to the internal data x and the adversary retrieves f(x). The admissible functions range from a very restricted class (reading off wires, e.g. "0110") to general leakage (any input-shrinking function).

Plan
1. Leakage-Resilient Cryptography
 - Motivation
 - Leakage models
2. Our contribution: Leakage-Resilient Storage
 - Definition and Properties
 - Constructions
3. Conclusion

Leakage-Resilient Storage
A message m is stored as Enc(m) and recovered as Dec(Enc(m)) = m. Note: there is no secret key.
The adversary chooses (adaptively) t functions g_1, …, g_t with g_i : {0,1}^{|Enc(m)|} → {0,1}^{c_i} and g_i ∈ Γ, and retrieves the c_i bits g_i(Enc(m)).
The adversary is computationally unbounded; the total leakage is < C, where C < |Enc(m)| (the leakage functions are input-shrinking); Γ is a very realistic class of leakage functions.
Related notion: All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.

Security definition
A scheme (Enc, Dec) is secure if for every m_0, m_1 no adversary can distinguish Enc(m_0) from Enc(m_1).
We will require that m_0, m_1 are chosen by the adversary.

Security definition (the game between the adversary and the oracle)
Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α.
1. The adversary chooses m_0, m_1 ∈ {0,1}^α and sends them to the oracle.
2. The oracle chooses a random bit b and calculates τ := Enc(m_b).
3. For i = 1, …, t: the adversary chooses g_i : {0,1}^β → {0,1}^{c_i} with g_i ∈ Γ; the oracle calculates g_i(τ) and returns it to the adversary.
4. The adversary outputs b'; she wins if b' = b.
(Enc, Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).

Problem
For a fixed family Γ, how to construct a secure (Enc, Dec)? Two cases:
- each leakage function can depend only on some restricted part of the memory → randomness extractors;
- the cardinality of Γ is restricted → -wise independent hash functions.

A weaker adversary
Consider Enc(m) := (Rand, f(Rand) ⊕ m).
The adversary applies each g_i to the whole encoding: g_i(Enc(m)) = g_i(Rand, f(Rand) ⊕ m).
The weak adversary applies each g'_i to the randomness only: g'_i(Rand).

Lemma
For any Γ, c, t and ε: if an encoding scheme is (Γ, c, t, ε)-secure against the weak adversary, then it is also (Γ, c, t, ε·2^α)-secure against the adversary, where α is the length of the message.

Proof Idea
Consider an adversary that wins with advantage δ. Construct a weak adversary that simulates it, replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α. The weak adversary wins with advantage ε = δ·2^{-α}, i.e. δ = ε·2^α.

Two-source Extractor
A deterministic function of two sources. Source 1 and source 2 are independent, may be far from uniform, but have a lot of min-entropy; the extracted string is almost uniformly random.
Example: inner product modulo 2.

Memory divided into 2 parts: construction
Remind: each leakage function can depend only on some restricted part of the memory.
The memory is divided into two parts M_0 and M_1: M_0 holds R_0 and M_1 holds R_1.
Enc(m) := (R_0, R_1, Ext(R_0, R_1) ⊕ m)
Dec(R_0, R_1, m*) := Ext(R_0, R_1) ⊕ m*

Memory divided into 2 parts: contribution
Remind: each leakage function can depend only on some restricted part of the memory.
The memory is divided into two parts M_0 and M_1: M_0 holds R_0 and M_1 holds R_1.
Enc(m) := (R_0, R_1, Ext(R_0, R_1) ⊕ m)
Dec(R_0, R_1, m*) := Ext(R_0, R_1) ⊕ m*
If Ext is a two-source extractor, then (Enc, Dec) is secure against an adversary such that each leakage function depends only on one of the two memory parts (R_0 or R_1).

Proof Idea
Remind: Enc(m) := (R_0, R_1, Ext(R_0, R_1) ⊕ m).
It suffices to show that (Enc, Dec) is secure against every weak adversary, i.e. one whose leakage functions g'_1, …, g'_t are applied to R_0 or R_1 only.
One can prove that even given g'_1, …, g'_t evaluated on R_0 or R_1, the values R_0 and R_1 are still independent and have high min-entropy (with high probability).
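To make the security game and the two-part construction concrete, here is an added example (not code from the paper or the slides). It implements the slides' inner-product-modulo-2 extractor, applied blockwise so that an α-bit message gets α independent key bits (that blockwise use is this example's own choice), the split-memory Enc/Dec, and a leakage oracle that enforces the game's rules: every leakage function reads one memory part only, and the total number of leaked bits stays below C. The last function is an exhaustive check of why the restriction matters: after the adversary has learned c bits of R_0 and c bits of R_1 separately, the extracted bit is still almost unbiased, with the bias shrinking as the unleaked entropy grows. All names and parameters (n, c_total, LeakageOracle) are this example's, not the paper's.

```python
"""Leakage-resilient storage with the memory split in two parts (added example)."""
import secrets
from fractions import Fraction
from itertools import product


def inner_product_mod2(x, y):
    """The slides' two-source extractor: <x, y> mod 2 on equal-length bit tuples."""
    assert len(x) == len(y)
    return sum(a & b for a, b in zip(x, y)) & 1


def ext(r0, r1):
    """Blockwise extractor (example's choice): r0, r1 are lists of alpha n-bit
    blocks; block j of each side yields key bit j."""
    return tuple(inner_product_mod2(a, b) for a, b in zip(r0, r1))


def random_block(n):
    return tuple(secrets.randbelow(2) for _ in range(n))


def enc(m, n):
    """Enc(m) := (R0, R1, Ext(R0, R1) xor m). R0 lives in memory part M0, R1 in M1.
    There is no secret key; m is a tuple of bits, n is the block length."""
    alpha = len(m)
    r0 = [random_block(n) for _ in range(alpha)]
    r1 = [random_block(n) for _ in range(alpha)]
    pad = ext(r0, r1)
    return r0, r1, tuple(p ^ b for p, b in zip(pad, m))


def dec(r0, r1, m_star):
    """Dec(R0, R1, m*) := Ext(R0, R1) xor m*."""
    return tuple(p ^ b for p, b in zip(ext(r0, r1), m_star))


class LeakageOracle:
    """The oracle of the security game, restricted as on the slides: each leakage
    function g_i sees exactly one memory part, returns c_i bits, and the total
    leakage must stay below c_total (< |Enc(m)|, i.e. input-shrinking)."""

    def __init__(self, r0, r1, c_total):
        self.parts = (r0, r1)
        self.budget = c_total
        self.leaked = 0

    def query(self, part, g, c_i):
        if part not in (0, 1):
            raise ValueError("a leakage function may read R0 or R1, never both")
        if self.leaked + c_i >= self.budget:
            raise ValueError("total leakage would reach C")
        out = tuple(g(self.parts[part]))      # g is evaluated on one part only
        if len(out) != c_i:
            raise ValueError("leakage function returned the wrong number of bits")
        self.leaked += c_i
        return out


def conditional_bias(n, c):
    """Exhaustive single-block check: the adversary learns the first c bits of R0
    and, separately, the first c bits of R1. Returns the worst case over those
    leaked values of |Pr[Ext(R0, R1) = 0 | leakage] - 1/2|, as an exact fraction."""
    worst = Fraction(0)
    for a in product((0, 1), repeat=c):            # leaked prefix of R0
        for b in product((0, 1), repeat=c):        # leaked prefix of R1
            zeros = total = 0
            for x in product((0, 1), repeat=n - c):      # unleaked rest of R0
                for y in product((0, 1), repeat=n - c):  # unleaked rest of R1
                    zeros += inner_product_mod2(a + x, b + y) == 0
                    total += 1
            worst = max(worst, abs(Fraction(zeros, total) - Fraction(1, 2)))
    return worst


if __name__ == "__main__":
    m = (1, 0, 1, 1, 0, 0, 1, 0)                 # constructed 8-bit message
    r0, r1, m_star = enc(m, n=8)
    assert dec(r0, r1, m_star) == m
    oracle = LeakageOracle(r0, r1, c_total=40)   # |Enc(m)| = 8*8*2 + 8 = 136 bits
    print("leaked from M0:", oracle.query(0, lambda r: r[0][:4], 4))
    print("leaked from M1:", oracle.query(1, lambda r: r[0][:4], 4))
    for c in (0, 4, 8):
        print(f"n=8, {c} bits leaked per part: bias {conditional_bias(8, c)}")
```

With n = 8 the bias is 1/512 with no leakage, 1/32 after 4 bits of each part, and 1/2 once both parts are fully known; a single leakage function allowed to read both parts could output Ext(R_0, R_1) directly, which is exactly what the oracle's one-part rule forbids.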

Problem
For a fixed family Γ, how to construct a secure (Enc, Dec)? Two cases:
- each leakage function can depend only on some restricted part of the memory → randomness extractors;
- the cardinality of Γ is restricted → -wise independent hash functions.

-wise independent hash functions
H = {h_s : X → Y}_{s ∈ I} is -wise independent if, for a uniformly random S ∈ I and any set of that many distinct inputs x_1, x_2, … ∈ X, the tuple (h_S(x_1), h_S(x_2), …) is uniform over the corresponding power of Y.

Boolean circuits of small size: construction
Remind: the cardinality of Γ is restricted: Γ is the set of functions computable by Boolean circuits of a fixed size.
Let H = {h_s : X → Y}_{s ∈ I} be -wise independent and let R ∈ X be random.
Enc_s(m) := (R, h_s(R) ⊕ m)
Dec_s(R, m*) := h_s(R) ⊕ m*
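The construction above, as an added example that is not the paper's code. The hash family is this example's choice, not one named on the slides: the classic polynomial hash over GF(2^8), h_S(x) = s_0 + s_1·x + … + s_{l−1}·x^{l−1}, which is l-wise independent when the seed S = (s_0, …, s_{l−1}) is uniform (l is the example's own name for the independence parameter). Field addition in GF(2^8) is XOR, so h_S(R) ⊕ m is exactly the slide's encoding. The last function checks the 2-wise case exhaustively: over all 65536 seeds of a degree-1 family, every pair (h_S(x_1), h_S(x_2)) for distinct x_1, x_2 appears exactly once.

```python
"""Enc_S(m) := (R, h_S(R) xor m) over an l-wise independent family (added example)."""
import secrets
from itertools import product


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def h(seed, x):
    """h_S(x): evaluate the polynomial with coefficients seed=(s_0, ..., s_{l-1})
    at x in GF(2^8), by Horner's rule. Addition in the field is XOR."""
    acc = 0
    for coef in reversed(seed):
        acc = gf_mul(acc, x) ^ coef
    return acc


def keygen(l):
    """Uniform seed S in I = GF(2^8)^l. It selects the function h_S of the scheme;
    it is not a secret key."""
    return tuple(secrets.randbelow(256) for _ in range(l))


def enc(seed, m):
    """Enc_S(m): for every byte of m choose a fresh random R in X = GF(2^8)
    and store (R, h_S(R) xor byte)."""
    out = []
    for byte in m:
        r = secrets.randbelow(256)
        out.append((r, h(seed, r) ^ byte))
    return out


def dec(seed, codeword):
    """Dec_S(R, m*) := h_S(R) xor m*, applied per stored byte."""
    return bytes(h(seed, r) ^ c for r, c in codeword)


def joint_distribution_is_uniform(x1, x2):
    """Exhaustive 2-wise independence check for the degree-1 family (l = 2):
    enumerate all 256*256 seeds and count the pairs (h_S(x1), h_S(x2)).
    Uniformity over Y^2 means each of the 65536 pairs occurs exactly once."""
    assert x1 != x2, "independence is only claimed for distinct inputs"
    counts = {}
    for seed in product(range(256), repeat=2):
        key = (h(seed, x1), h(seed, x2))
        counts[key] = counts.get(key, 0) + 1
    return len(counts) == 256 * 256 and set(counts.values()) == {1}


if __name__ == "__main__":
    seed = keygen(4)                      # 4-wise independent family
    stored = enc(seed, b"constructed sample message")
    assert dec(seed, stored) == b"constructed sample message"
    print("pairwise uniform for inputs 3 and 200:", joint_distribution_is_uniform(3, 200))
```

Because each stored byte carries its own R, the encoding is |m|·2 bytes long and every byte of the message is masked by an independently chosen hash value; the l-wise independence of the family is what the slide's security argument against fixed-size circuits builds on, and the exhaustive check shows the property holds exactly for l = 2.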

Plan
1. Leakage-Resilient Cryptography
 - Motivation
 - Leakage models
2. Our contribution: Leakage-Resilient Storage
 - Definition and Properties
 - Construction
3. Conclusion

Conclusion and Future work
Achieved:
- We have defined a primitive to securely store information in hardware that may leak information.
- We have given constructions of such a scheme in two relevant scenarios.
Open:
- Refreshing of the storage.
- From storage to computation: compute with encoded data.
- Find more applications.