Presentation is loading. Please wait.

Presentation is loading. Please wait.

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

Published byKelley Lynch Modified over 9 years ago

Similar presentations

Presentation on theme: "TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)"— Presentation transcript:

1 TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

2 Protecting Data Against “Tampering”  Question: How can we protect data against tampering by an adversary?  Variants of this question studied in cryptography, information theory and coding theory.  What kind of tampering are we considering?  What protection/guarantees do we want to achieve?  Can we use secret keys or randomness ?  Tools: Signatures, MACs, Hash Functions, Error-correcting codes, Error-detecting codes.  New variants: tamper-detection codes, non-malleable codes, continuous non-malleable codes.

3 Motivation: Physical Attacks  Implementing cryptography on a physical device is often difficult.  Side-Channel Leakage: Adversary observes physical properties of the device.  Tampering: Adversary modifies internal state and interacts with tampered device.

4 Motivating Example Signature infrastructure using secure tokens (no PKI).  All tokens have the same secret signing key sk.  Each token has a unique userID.  On input message m, token signs (userID, m). (userID, sk) m Sign sk (userID, m)

5 Motivating Example: Can we attack scheme with simple tampering attacks?  Attack 1 (RSA sig): Introduce single faulty to signing key. Use resulting sig to factor the RSA modulus. [BDL97]  Attack 2 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva. Sign sk (userID, m)

6 Coding against Tampering  Solution Idea: encode the data on the device to protect it against tampering.  Each execution first decodes the underlying data, then runs the cryptosystem.  Example: Use an error-correcting code to protect against attacks that modify a few bits.  What kind of tampering can we protect against?  What kind of codes do we need?

7 1. Message: s. 2. Codeword c à Enc(s). 3. Tampered codeword c* = f(c). f 2 F adversarial but independent of randomness of c. 4. Decoded message: s* = Dec(c*). The “Tampering Experiment” message: s c= Enc(s)  Coding scheme (Enc, Dec) s.t.  Enc can be randomized  Dec(Enc(s)) = s (with probability 1)

8 c= Enc(s) The “Tampering Experiment” c* F={}, f1f1 f2f2 1. Message: s. 2. Codeword c à Enc(s). 3. Tampered codeword c* = f(c). f 2 F adversarial but independent of randomness of c. 4. Decoded message: s* = Dec(c*). s* = Dec(c*)

9 The “Tampering Experiment”  Differences from “standard” coding problems:  No notion of distance between original and tampered codeword. Focus on the family of functions being applied.  Tampering is “worst-case”, but choice of function f does not depend on randomness of encoding. EncDec sc source messagecodeword randomized encoding f tampering function f 2 family F c* decoding tampered codeword s* decoded message

10 The “Tampering Experiment” Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome of the tampering experiment. EncDec sc source messagecodeword randomized encoding f tampering function f 2 family F c* decoding tampered codeword s* decoded message

11 Correction  Error-Correction: require that s* = s  Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d }  Too limited for us! Must preserve some relationship between original and tampered codeword.  E.g., cannot protect against overwriting with random value. EncDec sc source messagecodeword randomized encoding f tampering function f 2 family F c* decoding tampered codeword s* decoded message

12 Tamper Detection EncDec sc source messagecodeword randomized encoding f tampering function f 2 family F c* decoding tampered codeword s* decoded message

13 Tamper Detection  Error-Correcting Codes provide tamper detection for the family F = {f s.t. 8 x 0 < dist(x, f(x)) < d } Algebraic Manipulation Detection (AMD)

14 Tamper Detection: AMD Codes

15

16

17 Tamper Detection: Beyond AMD? Question: Can we go beyond AMD codes?  What function families F allow for tamper-detection codes?  Can’t allow functions that are (close to) “identity”.  Can’t allow functions that are (close to) “constant”.  Can’t allow functions that are “too complex”:  e.g., f(x) = Enc( Dec(x) + 1)

18 Tamper Detection: General Result

19

20 Tamper Detection: Construction

21 Tamper Detection: Analysis (s 1,z 1 ) (s 2,z 2 ) (s 3,z 3 ) (s 4,z 4 ) (s 5,z 5 ) Bad edge: z = h(s) for both end points

22 Tamper Detection: Construction

23 Tamper Detection: Limitations  Tamper detection fails for functions with many fixed points, or low entropy.  This is inherent, but perhaps not so bad.  Fixed-points: nothing changes!  Low-entropy: not much remains!  Can we relax tamper-detection and still get meaningful security?

24 Non-Malleability [Dziembowski-Pietrzak-W10]  Non-Malleability: either s*= s or s* is “unrelated” to s.  Analogous to non-malleability in cryptography [DDN91].  Harder to define formally (stay tuned).  Examples of “malleability”:  The value s* is same as s, except with 1 st bit flipped.  If s begins with 0, then s* = s. Otherwise s* = ?. EncDec sc source messagecodeword randomized encoding f tampering function f 2 family F c* decoding tampered codeword s* decoded message

25 Defining Non-Malleability  High Level: either s*= s or s* is “unrelated” to s.  Recall s = “source msg.”, s* = “decoded msg.”  Attempt 1: 8 f 2 F, we can predict distribution of s*= Dec ( f(Enc(s)) ) without knowing s.  Too strong: want to allow s* = s.

26 Defining Non-Malleability  High Level: either s*= s or s* is “unrelated” to s.  Recall s = “source msg.”, s* = “decoded msg.”  Attempt 2: 8 f 2 F, we can predict distribution s* but can say that it stayed the “same” without specifying value. s* Ã D f if s* = “same” output s else output s*. s* Ã Dec ( f(Enc(s)) ) ¼ Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 distribution D f over {0,1}* [ { ?, “same”} such that 8 s:

27 General Results for Non-Malleability

28

29 Special-Purpose Results  Bit-wise tampering [DPW10,CG13] : each bit of codeword is tampered independently but arbitrarily.  Permuting bits of codeword [AGM+14]  Split-state model [DKO13, ADL13, ADKO15] : Codeword split into two parts that are tampered independently but arbitrarily.

30 Application: Tamper-Resilient Security  Non-malleable codes can protect physical devices against tampering attacks.  Tampering leaves data unchanged, or completely overwrites it with a new unrelated value.

31 Tamper-Resilient Security  Assume tampering only changes the state and not the computation.  Tamper-Resilient Compiler: given (G, s) output (G’, c) such that:  (G’, c) acts the same as (G, s).  For any adversary with tampering access to (G’, c), there is a simulator with BB access to (G, s) which learns the same information. input: x output: y Tamper: f 2 F input: x output: y Functionality: G. State s. Compiled functionality: G’, state c. adversarysimulator Black-Box access

32 Tamper-Resilient Security input: x output: y Tamper: f 2 F input: x output: y Functionality: G. State s. Compiled functionality: G’, state c. adversarysimulator Black-Box access If (Enc, Dec) is non-malleable w.r.t. F, compiler below is tamper-resilient: c = Enc(s) G’ : decode s = Dec(c) and run G with state s and input x. re-encode c’ = Enc(s’). If (Enc, Dec) is non-malleable w.r.t. F, compiler below is tamper-resilient: c = Enc(s) G’ : decode s = Dec(c) and run G with state s and input x. re-encode c’ = Enc(s’). Theorem:

33 Continuous Tampering and Re-Encoding  Tamper-Resilient compiler has to re-encode the codeword each time with fresh randomness. Is this necessary?  Non-malleable codes only allow one tampering attack per codeword.  Can we allow continuous tampering of a single codeword?  Continuous non-malleable codes (4 flavors): [FMV+14, JW15]  “Self-destruct” if tampering detected?  “Persistent” tampering?

34 Continuous Non-Malleable Codes Self-Destruct, Persistent (weakest) No Self-Destruct, Non-Persistent (strongest) Self-Destruct, Non-Persistent No Self-Destruct, Persistent Few fixed points, High entropy No restrictions on F Few fixed points High entropy

35 Conclusions  Defined tamper-detection codes and (continuous) non- malleable codes.  One general construction. Based on probabilistic method, but can be made efficient for “small” function families.  Open Questions:  Explicit constructions of tamper detection codes and non- malleable codes. More families. Simpler. Better rate.  More applications. To non-malleable cryptography [AGM+14,CMT+15,CDT+15] To other areas?

36 Thank you!

Download ppt "TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)"

Similar presentations

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.

A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Similar presentations

Ads by Google