Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.

Published byEdwin Pauling Modified over 10 years ago

Similar presentations

Presentation on theme: "PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER."— Presentation transcript:

1 PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER BUUS NIELSEN, DANIELE VENTURI TCC 2014 1

2 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 f THE TAMPERING EXPERIMENT 2 Tampering Experiment for encoding scheme (Enc,Dec) : Enc s Tamper 2F2F C Dec s* Goal: Design encoding scheme (Enc,Dec) for interesting F that provides meaningful guarantees about s*. C*=f(C)

3 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 ERROR CORRECTION/DETECTION & NON-MALLEABILITY 3 f 2 F Error-Correction: Requires s* = s but e.g. for hamming codes f must be such that: Ham-Dist ( C, C *) < d/2. i.e. F is very limited ! Error-Detection: Requires s* = {s, ? } but F cant contain simple function e.g. constant functions f Ĉ (.)= Ĉ Non-Malleability[ DPW10 ]: Requires s* = s or unrelated to s. Hope : Achievable for rich F Enc s Tamper C Dec s* C*=f(C)

4 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 Impossibility [ DPW10 ]: Not achievable if F contains f which knows Dec. For any ( Enc, Dec ) consider f bad which decodes C, flips 1-bit and re- encodes to C*. Conclusion: There is no NMC for F all Possibilities to restrict F : 1. Compromise complexity : make | F |[ FMVW14 ] small. 2. Compromise granularity – Split-state : Considered in [DPW10, LL12, DKO13, ADL13, CG13 ( last talk )] and this work. LIMITATION AND POSSIBILITY 4

5 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 SPLIT-STATE TAMPERING 5 In this model, C = (C 1,C 2 ) and f =(f 1, f 2 ) for arbitrary f 1, f 2 5 f1f1 f1f1 s C1C1 C2C2 f2f2 f2f2 C1*C1* C2*C2* Dec Enc s* Why split-state ? Might be easy to implement. well-studied model in leakage - resilient crypto. generalizes some other models (e.g. independent bit tampering [ DPW10 ]) Rest of the talk

6 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUTLINE: REST OF THE TALK 6 Formalize and introduce CNMC. Explore a necessary requirement for CNMC. Present the construction. Overview of proof. Application.

7 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: Repeat adaptively CNMC: A NATURAL EXTENSION 7 Set (C 1 *,C 2 *) (f 1 (C 1 ), f 2 (C 2 )) If (C 1 *,C 2 *) = (C 1,C 2 ) return same Else return (C 1 *,C 2 *) 3. Output View (f 1, f 2 ) return Tamper( s b ) View Attack[GLMMR04]: Guess each bit, overwrite and check if the output is same - recover bit by bit Way Out: Assume Self-Destruct: If output ? once, then STOP interaction. continuous

8 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: 1. Encode (C 1,C 2 ) Enc( s b ). 2. Tampering: Repeat adaptively CNMC: A NATURAL EXTENSION 8 Set (C 1 *,C 2 *) (f 1 (C 1 ), f 2 (C 2 )) If (C 1 *,C 2 *) = (C 1,C 2 ) return same Else if Dec( C 1 *,C 2 * )= ? then return ? and self-destruct. Else return (C 1 *,C 2 *) 3. Output View (f 1, f 2 ) View return Tamper( s b ) Hang on for applications

9 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 UNIQUENESS: A NECESSARY PROPERTY 9 Both ( C 1,C 2 ) and ( C 1,C 2 ) are valid Why necessary ? 1.f 1 always replaces T 1 with C 1 2.f 2 checks if T 2 [i] = 0, then replaces T 2 with C 2 else replaces T 2 with C 2 Otherwise suppose Recovers T 2 (f 1, f 2 ) After knowing T 2: 3. f 1 hard-code T 2 and decode s Dec ( T 1,T 2 ). 4. Depending on s f 1 leaves it same or tampers. [LL12] construction does not satisfy Corollary: Information theoretic CNMC (split- state) is impossible.

10 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 TOWARDS CONSTRUCTING CNMC 10 Idea: Similar to [LL12], but adjusted to satisfy uniqueness. The ingredients: 1. L eakage(bounded) R esilient E ncoding in split-state. 2. C ollision R esistant H ash F unctions 3. Robust N on- I nteractive Z ero K nowledge. Possible to extract a witness from a valid proof which is not simulated s C1C1 C2C2 Enc Leakage reveals nothing about s

11 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUR CONSTRUCTION 11 1. Encode using LRE : ( z 0,z 1 )LREnc(s) 2. Compute hashes with CRHF H : h 0 = H ( z 0 ) & h 1 = H ( z 1 ) 3. Generate NIZK-POK : π 0 Prove (CRS,h 0, z 0 ) & π 1 Prove (CRS,h 1, z 1 ) Encoding z0z0 h1h1 π1π1 π0π0 z1z1 h0h0 π0π0 π1π1 CRS 1. Local Check: Check if proofs in each side verify using CRS. 2. Global Check: Check if the hashes are correct and the proofs match. 3. If all of above pass decode using LRE: ( s )LRDec( z 0,z 1 ), else output ? Decoding Uniqeness holds: Easy to see. = C 0 C1=C1= Part-1Part-0

12 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 PROOF INTUITIONS 12 recall Main Idea: Reduction from L eakage R esilient E ncoding. leakage tampering Simulate Easy to simulate: always output ? j* denotes the index where it outputs ? for the first time. Complicated case-analysis involves uniqeness, robustness of NIZK, collision resistance etc….. Main Difficulties. 1.simulate continuous tampering using only bounded leakage. 2. Simulate the tamper view with independent leakage access to each part of codword. How to know j* ? possible using bounded leakage.

13 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 APPLICATION TO PROTECT AGAINST MEMORY- TAMPERING 13 Memory Circuit G s' Memory Circuit G s Idea: Build compiler for any functionality [ DPW 10 ] compile Initialization: s' := NMEnc ( s ) Execution of G [s](x): 1. s = NMDec(s) 2. if s = ? then self-destruct else output G[s](x) Tamper- simlatability:

14 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 DRAWBACK AND SOLUTION Requires perfect erasures. Each time the new state is re-encoded, the old one must be erased. Otherwise Adv can copy. Must erase entire memory ! Transformation is stateful even for stateless functionalities.. Decode, compute and re-encode with fresh randomness - constructing stateless transformation was open queation [DPW10] 14 Both solved with CNMC !

15 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 OUR TAMPERING MODEL 15 Memory space much bigger than length of codeword. C := NMEnc ( s ) C C Memory M Memory M*= f (M) f Main application. In this model we construct a Stateless Transformation for stateless functionalities assuming 1untamperable bit (used for self-destruct ).

16 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 SUMMARIZE CNMC: A natural extension of NMC. First concrete construction. Application: Protect against memory tampering in much stronger and practical model. Open: We consider only split-state model, could be interesting to consider also global model. 16

17 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 17

18 AARHUS UNIVERSITY PRATYAY MUKHERJEE CONTNUOUS NON-MALLEABLE CODES PRATYAY MUKHERJEE 25. FEB 2014 PROOF INTUITIONS 18 recall Main Idea: Reduction from L eakage R esilient E ncoding. Main Challenge:. simulate continuous tampering using only bounded leakage Ask to Reveal C 0 Get f 0,,f 1 Before round j*: Compute C 0 * = f 0 (C 0 ); Let C 0 * = (z 0 *,h 1 *, π 1 *, π 0 * ) Simulate based on cases: 1. C 0 * = C 0 output same. 2. C 0 *C 0 : : (i) if any proof fails output ? (ii) π 1 * π 1 : extracts z 1 from π 1 * (iii) Else output ? Almost done except …. How to learn j* ? – Non-trivial as the leakage is only bounded. It runs the same simulator inside leakage oracle. Find j* by binary search comparing the simulated output.

Download ppt "PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER."

Similar presentations

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Analysis of Algorithms II

Analysis of Algorithms II
Analysis of Computer Algorithms

Analysis of Computer Algorithms
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
0 - 0.

0 - 0.
CS4026 Formal Models of Computation Running Haskell Programs – power.

CS4026 Formal Models of Computation Running Haskell Programs – power.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Reductions Complexity ©D.Moshkovitz.

Reductions Complexity ©D.Moshkovitz.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
1 A triple erasure Reed-Solomon code, and fast rebuilding Mark Manasse, Chandu Thekkath Microsoft Research - Silicon Valley Alice Silverberg Ohio State.

1 A triple erasure Reed-Solomon code, and fast rebuilding Mark Manasse, Chandu Thekkath Microsoft Research - Silicon Valley Alice Silverberg Ohio State.
Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.

Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
CS 332: Algorithms NP Completeness David Luebke 1 4/2/2017.

CS 332: Algorithms NP Completeness David Luebke /2/2017.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Similar presentations

Ads by Google