RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)


2. Leakage Attacks
- Cryptography relies on secrets.
- (Figure: a cryptographic device takes an input and produces an output using secret keys.)
- In reality, many "side-channels"! Timing, power, radiation, heat, acoustics... Secrets can leak!
- Natural response: not our problem. Blame the "engineers"; they should fix this!
- Theory/crypto can help!

3. Cryptography With Leakage
- Can we do cryptography with incomplete secrecy?
- Need a way to model leakage first!
- In this talk: Adv can learn arbitrary information about the secret key as long as its amount is bounded [AGV09].
  - Adv specifies any poly-time function Leak : {0,1}^* → {0,1}^L, where L is the leakage bound.
  - Adv learns the output Leak(sk).

4. Leakage Resilient Cryptography (outline)
- Password Login and One-Way Functions.
- Identification Schemes and Signatures.
- Public-Key Encryption.

5. Password Login Scheme
(Figure: Prover Bob holds (pk_Bob, sk_Bob); Verifier Alice holds pk_Bob and accepts Bob's login. Leakage stage: the adversary learns Leak(sk_Bob). Impersonation stage: the adversary, holding only pk_Bob and some sk', tries to log in as Bob; Alice should reject.)

6. Using One-Way Functions
(Figure: pk_Bob = f(x), sk_Bob = x. Bob sends x; Alice, holding pk_Bob = y, accepts iff y = f(x).)
- Standard OWF: given y = f(x), hard to find any x' ∈ f^{-1}(y).
  - Suffices for regular "password login" security.
- L-LR OWF: given y = f(x) and Leak(x), hard to find any x' ∈ f^{-1}(y).
  - Not satisfied by general OWFs (easy counter-examples).
  - ... but can be constructed from general OWFs.

7-10. OWF ⇒ SPRF ⇒ LR-OWF
(Figure: domain/range picture with y = f(x), the preimage x, and a second preimage x'.)
- OWF: given y = f(x), hard to find any x' ∈ f^{-1}(y).
- L-LR OWF: also given L bits of leakage about x.
- SPRF (second-preimage resistant function): given x, hard to find any x' ≠ x s.t. f(x') = f(x).
  - Non-triviality: input length n > output length k.
  - Can build from any OWF for any n = poly(k) [Rom90].
- Theorem [ADW09,KV09]: any SPRF f : {0,1}^n → {0,1}^k is an L-LR OWF for L ≈ n - k.

11-12. Proof: Any SPRF is LR-OWF
Theorem [ADW09,KV09]: any SPRF f : {0,1}^n → {0,1}^k is an L-LR-OWF for L ≈ n - k.
- Assume we can break the L-LR-OWF: there is an efficient A s.t. A(f(x), Leak(x)) = x' with f(x') = f(x).
- Conclude we can break SPR: let B(x) = A(f(x), Leak(x)).
- B succeeds if (1) A succeeds and (2) A does not return x' = x.
- A has too little info about x: |f(x)| + |Leak(x)| = k + L bits, so Pr[A guesses x] < 2^{k+L-n}.
- Corollary: if OWFs exist then L-LR-OWFs exist with L = (1 - o(1))n.
- Open question: can we get LR-OWFs that are permutations?
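The counting step of this proof, checked exhaustively on a toy instance (added here; not part of the talk). The function f, the leakage function and the parameters N, K, L are all constructed for the demonstration; the bound itself holds for any f and any L-bit Leak.

```python
import itertools
import random
from collections import defaultdict

# Constructed toy parameters: N-bit inputs, K-bit outputs, L-bit leakage, with N > K + L.
N, K, L = 12, 4, 3

def make_f(seed=1):
    """A compressing f : {0,1}^N -> {0,1}^K (random modular subset-sum; constructed toy, not an SPRF proof)."""
    rng = random.Random(seed)
    coeffs = [rng.randrange(1 << K) for _ in range(N)]
    return lambda x: sum(c for c, b in zip(coeffs, x) if b) % (1 << K)

def leak(x):
    """Adversary-chosen leakage Leak(x): here the first L bits of x (any L-bit function gives the same bound)."""
    return tuple(x[:L])

def views(f):
    """Group every input x by what the LR-OWF adversary sees, (f(x), Leak(x)): K + L bits in total."""
    groups = defaultdict(list)
    for x in itertools.product((0, 1), repeat=N):
        groups[(f(x), leak(x))].append(x)
    return groups

def best_guess_prob(f):
    """Best possible Pr[A(f(x), Leak(x)) = x] over uniform x: A can be right for at most one x
    per distinct view, and there are at most 2^(K+L) views, hence the bound 2^(K+L-N)."""
    return len(views(f)) / 2 ** N

def spr_break_prob(f):
    """Success of B(x) = A(f(x), Leak(x)) at finding a second preimage, where A returns one fixed
    preimage consistent with its view: B wins whenever that preimage is not x itself."""
    return sum(len(xs) - 1 for xs in views(f).values()) / 2 ** N

F = make_f()

if __name__ == "__main__":
    print("distinct views:", len(views(F)), "<= 2^(K+L) =", 2 ** (K + L))
    print("Pr[A guesses x] =", best_guess_prob(F), "<= 2^(K+L-N) =", 2 ** (K + L - N))
    print("Pr[B breaks SPR] =", spr_break_prob(F))
```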

13. Leakage Resilient Cryptography (outline)
- Password Login and One-Way Functions.
- Identification Schemes and Signatures.
- Public-Key Encryption.

14. Identification Schemes
(Figure: learning stage: Prover Bob, holding (pk_Bob, sk_Bob), interacts with Verifier Alice, who holds pk_Bob and accepts. Impersonation stage: the adversary, holding only pk_Bob, tries to convince Alice and should be rejected.)

15. Leakage-Resilient Identification [ADW09]
(Figure: same learning and impersonation stages as above.)
- Bob's key can leak!!! (during the learning stage, not afterward)

16. Tool: Zero-Knowledge Proof of Knowledge
(Figure: Prover holds instance y and witness x for an NP relation R; Verifier outputs Accept/Reject.)
- Witness Indistinguishable (WI): even if V is dishonest, it cannot tell which x is being used by the prover.
- Proof of Knowledge (PoK): even if P is dishonest, some valid witness x' for y can be extracted from P.

17-21. ID Schemes from ZK-PoK
- Assume: f : {0,1}^n → {0,1}^k is SPR and Π is a ZK-PoK for y = f(x).
- Thm [ADW09]: Π is a secure L-LR ID scheme for L ≈ n - k.
- Pf: assume Adv breaks ID security.
  - Learning stage: Adv sees y = f(x) (k bits), leakage (L bits) and interactions with P(x) (0 bits, by witness indistinguishability): only k + L < n bits of info on x.
  - Impersonation stage: by the proof-of-knowledge property, extract x' ∈ f^{-1}(y) from Adv; since Adv has too little info on x, x' ≠ x with good probability.
  - To break SPR: simulate the "learning stage" to Adv with x, then extract x' ≠ x.

22. LR Signatures [ADW09,KV09,DHLW09,BSW10]
- Similar to ID schemes, with two big differences:
  - Cannot have interaction.
  - Need to bind each execution to a message.
- Solution: use a non-interactive ZK-PoK for x.
- Various techniques to bind proofs to messages (tricky):
  - Random oracles [ADW09]
  - "Simulation-sound" proofs [KV09]
  - CCA encryption [DHLW10]

23. Leakage Resilient Cryptography (outline)
- Password Login and One-Way Functions.
- Identification Schemes and Signatures.
- Public-Key Encryption.

24. LR Public-Key Encryption [AGV09, NS09]
- Leakage on the decryption key prior to seeing the ciphertext.

25-29. Hash Proof Enc Scheme [AGV09, NS09]
(Figure: public-key space vs. secret-key space; ENC uses PK, DEC uses SK.)
- Enc scheme with sk = x, pk = f(x) for some SPRF f.
- Correctness: all x ∈ f^{-1}(pk) decrypt C to the correct M.
- Fake encryption: C_fake = Fake(pk). Decryption of C_fake depends on x: different preimages of pk decrypt it to different messages M1, M2, M3.
- Can't distinguish C_fake from a real C (even given x).

30. Proof: Hash Proof Enc is LR [AGV09, NS09]
(Figure: "Real World": the adversary gets PK = y, the leakage L(SK), and a real encryption C of M, which DEC maps back to M. "Fake World": the ciphertext is fake and decrypts to M1, M2, M3 under different secret keys. The two worlds are indistinguishable.)
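A toy instantiation of the hash-proof encryption scheme of slides 25-30, added here and not part of the talk. It assumes a two-generator DDH-style construction in a small constructed group (in the spirit of [NS09]; the slides themselves only state the abstract properties), and it exhibits the two facts the proof uses: every preimage of pk decrypts a real ciphertext to the same M, while a fake ciphertext decrypts differently under different preimages.

```python
import random

# Constructed toy group: P = 2*Q + 1 is a safe prime; G1 = 4 generates the order-Q subgroup of squares.
P, Q = 1019, 509
G1 = 4
A = 77                  # hidden relation g2 = g1^A; knowing A is what lets us write down a second sk
G2 = pow(G1, A, P)      # for the same pk, which an honest party cannot do

def f(sk):
    """The 'SPRF' of the slides: sk = (x1, x2) in Z_Q^2 maps to pk = g1^x1 * g2^x2.
    It compresses 2 log Q bits to log Q bits, so every pk has Q secret keys."""
    x1, x2 = sk
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def keygen(rng):
    sk = (rng.randrange(Q), rng.randrange(Q))
    return f(sk), sk

def other_preimage(sk, t):
    """Another sk' in f^{-1}(f(sk)): (x1 + A*t, x2 - t) has the same pk for every t."""
    x1, x2 = sk
    return ((x1 + A * t) % Q, (x2 - t) % Q)

def encode(m):
    """Messages live in the subgroup: m in Z_Q -> g1^m."""
    return pow(G1, m, P)

def enc(pk, m, rng):
    """Real encryption: (g1^r, g2^r, pk^r * M). Any preimage of pk decrypts it correctly."""
    r = rng.randrange(Q)
    return (pow(G1, r, P), pow(G2, r, P), pow(pk, r, P) * encode(m) % P)

def fake(rng):
    """Fake ciphertext: (g1^r1, g2^r2) with r1 != r2 and a random 'e'. It is indistinguishable
    from a real one under DDH, but its decryption now depends on which preimage of pk is used."""
    r1 = rng.randrange(Q)
    r2 = (r1 + rng.randrange(1, Q)) % Q
    return (pow(G1, r1, P), pow(G2, r2, P), encode(rng.randrange(Q)))

def dec(sk, c):
    """Decryption: divide e by the 'hash proof' u1^x1 * u2^x2 (modular inverse via Fermat)."""
    x1, x2 = sk
    u1, u2, e = c
    h = pow(u1, x1, P) * pow(u2, x2, P) % P
    return e * pow(h, P - 2, P) % P

def demo(seed=7):
    """Two secret keys for one pk agree on a real ciphertext and disagree on a fake one."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sk2 = other_preimage(sk, 5)
    real, fk = enc(pk, 42, rng), fake(rng)
    return {"same_pk": f(sk2) == pk, "real": (dec(sk, real), dec(sk2, real)),
            "fake": (dec(sk, fk), dec(sk2, fk))}
```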

31. Back to Bigger Picture...

32. Criticism/Extensions
- Q: What if leakage depends on complexity?
  - Bad: more resilience ⇒ more complexity ⇒ more leakage.
  - Fix: Bounded Retrieval Model [Dzi06, ..., ADW09, ADNSWW10] (complexity does not grow with resilience!)
- Q: Why is leakage bounded overall? Should "leak-per-use"!
  - Continuous leakage with "key updates" [DHLW10, BKKV10]
- Q: Why measure leakage in output "bits"?
  - Noisy leakage: use "entropy loss" [NS09, DHLW10]
  - Auxiliary input: use "hardness of inverting" [DKL09, DGK+10]

33. Conclusions
- Riv97, Boy99, CDH+00, DSS01, KZ03, ISW03, MR04, DP08, GKR08, Pie09, AGV09, ADW09, DKL09, ADN+10, DGK+10, GKPV10, FKPR10, DHLW10a, FRRTV10, JRV10, GR10, DHLW10b, BKKV10, WL10, BSW10, ...
- Many more models/results (esp. in the last 2 years)...
- Many open questions, much still left to do!

