Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN 2010 13/09/2010 Sapienza University of Rome.


2 Plan
  1. Leakage-Resilient Cryptography: motivation; leakage models
  2. Our contribution: Leakage-Resilient Storage: definition and properties; constructions
  3. Conclusion
  (Footer on every slide: Davì, Dziembowski, Venturi, Leakage-Resilient Storage, SCN 2010, 13/09/2010)

3 How to construct secure cryptographic devices?
  CRYPTO, the mathematics: very secure; its security is based on well-defined mathematical problems.
  The cryptographic device that implements it: not secure!

4 The problem
  The mathematics (CRYPTO) is hard to attack; the cryptographic device that runs it is easy to attack.

5 Information leakage
  A cryptographic device leaks side-channel information: power consumption, electromagnetic radiation, timing information, ...

6 Leakage-Resilient Cryptography
  Goal: design cryptographic protocols that remain secure even on machines that leak information.

7 Leakage-Resilient Cryptography: The Models
  Model                     | What leaks              | Total leakage                                                          | References
  Continual leakage         | only computation leaks  | unbounded                                                              | MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10
  Bounded memory-leakage    | all the memory leaks    | bounded                                                                | ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10
  Auxiliary input           | all the memory leaks    | unbounded; computationally hard to recover the secret from the leakage | DKL09, DGKPV10
  Continual memory-leakage  | all the memory leaks    | unbounded                                                              | BKKV10, DHLW10

8 Bounded memory-leakage model
  The adversary is allowed to learn (adaptively) the values of t leakage functions, chosen by her, on the internal data used by the cryptographic scheme.

9 Leakage functions
  The adversary chooses a leakage function f and retrieves f(x), where x is the internal data (in the picture x = 00101101 and f(x) = 0110).
  Two extremes for the class of allowed f:
    - a very restricted class (e.g. reading off wires of the circuit);
    - general leakage: any input-shrinking function, i.e. |f(x)| < |x|.

10 Plan, part 2: Our contribution: Leakage-Resilient Storage (definition and properties; constructions)

11 Leakage-Resilient Storage
  An encoding scheme (Enc, Dec) with Dec(Enc(m)) = m. Note: there is no secret key.
  The adversary chooses (adaptively) t functions g_1, ..., g_t with g_i : {0,1}^|Enc(m)| -> {0,1}^c_i and g_i in Γ, and retrieves g_i(Enc(m)), i.e. c_i bits each.
  The adversary is computationally unbounded; only the total leakage is bounded: c_1 + ... + c_t < C, with C < |Enc(m)|.
  Γ is a family of input-shrinking functions; this is a very realistic leakage class.
  Related notion: All-Or-Nothing Transform, where it should be hard to reconstruct a message if not all the bits of its encoding are known.

12 Security definition
  A scheme (Enc, Dec) is secure if for every m_0, m_1 no adversary can distinguish Enc(m_0) from Enc(m_1).
  We will require that m_0, m_1 are chosen by the adversary.

13 Security definition: the game
  Enc : {0,1}^α -> {0,1}^β,  Dec : {0,1}^β -> {0,1}^α
  Adversary                                                   Oracle
  chooses m_0, m_1 in {0,1}^α and sends them     ---->
                                                              1. chooses a random bit b in {0,1}
                                                              2. calculates τ := Enc(m_b)
  for i = 1, ..., t:
    chooses g_i : {0,1}^β -> {0,1}^c_i, g_i in Γ  ---->
                                                 <----        returns g_i(τ)
  outputs b'
  The adversary wins if b' = b; her advantage is Pr[b' = b] - 1/2.
  (Enc, Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε.

14 Problem
  For a fixed family Γ, how to construct a secure (Enc, Dec)? Two cases are treated:
    - each leakage function can depend only on some restricted part of the memory  ->  randomness extractors
    - the cardinality of Γ is restricted  ->  ℓ-wise independent hash functions

15 A weaker adversary
  Consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m), where Rand is random and f is some function.
  The (full) adversary obtains g_i(Enc(m)) = g_i(Rand, f(Rand) ⊕ m).
  The weak adversary obtains only g'_i(Rand): her leakage functions depend on the randomness Rand alone, not on the masked message f(Rand) ⊕ m.

16 Lemma
  For any Γ, c, t and ε: if an encoding scheme of the form above is (Γ, c, t, ε)-secure against the weak adversary, then it is also (Γ, c, t, ε · 2^α)-secure against the full adversary, where α is the length of the message.

17 Proof idea
  Consider a full adversary A that wins with advantage δ. Construct a weak adversary A' that simulates A, replacing the component f(Rand) ⊕ m by a uniformly random string z in {0,1}^α; the leakage g_i(Rand, z) requested by A is then a function of Rand alone, so A' may ask for it.
  With probability 2^-α the guess z is correct and the simulated view is exactly A's view, giving A' advantage ε = δ · 2^-α, i.e. δ = ε · 2^α.

18 Two-source Extractor
  A two-source extractor Ext is a deterministic function of two sources that are independent and each has a lot of min-entropy (they may be far from uniform); its output, the extracted string, is almost uniformly random.
  Example: inner product modulo 2.

19 Memory divided into 2 parts: construction
  Reminder: each leakage function can depend only on some restricted part of the memory. Here the memory has two parts, M_0 and M_1.
  Enc(m) := (R_0, R_1, Ext(R_0, R_1) ⊕ m), where R_0 and R_1 are random, R_0 is stored in M_0 and R_1 in M_1.
  Dec(R_0, R_1, m*) := Ext(R_0, R_1) ⊕ m*.

20 Memory divided into 2 parts: contribution
  If Ext is a two-source extractor, then (Enc, Dec) as above is secure against an adversary whose leakage functions each depend on one part of the memory only (on R_0 or on R_1), with the total leakage bounded.

21 Proof idea
  By the Lemma it suffices to show that (Enc, Dec) is secure against every weak adversary, i.e. one whose leakage functions g'_1, ..., g'_t depend only on (R_0, R_1), each reading R_0 alone or R_1 alone.
  One can prove that even given g'_1(R_0, R_1), ..., g'_t(R_0, R_1), the values R_0 and R_1 are still independent and (with high probability) still have high min-entropy; hence Ext(R_0, R_1) remains close to uniform and masks m.
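The following is an added example, not code from the paper or the slides. It instantiates the two-part construction of slides 19-21 with the inner-product extractor and computes, by exhaustive enumeration, the advantage of the optimal (computationally unbounded) adversary in the game of slide 13. Assumptions made here and not in the slides: the message space is the field Z_P for a small prime P (so one message is one field element and "+ mod P" plays the role of ⊕, generalizing the slide's inner product mod 2); the adversary is handed the masked component Ext(R_0,R_1)+m in full, which is at least as strong as leaking c bits of it; the leakage functions are fixed (non-adaptive) prefixes of R_0 and of R_1; P and N are toy parameters.

```python
"""Two-part leakage-resilient storage with Ext = inner product over Z_P, and the exact
advantage of the best adversary for a given choice of leakage functions (added example)."""
from collections import Counter
from fractions import Fraction
from itertools import product
import random

P = 5  # prime field size (toy parameter, an assumption of this example)
N = 3  # length of each half R0, R1 (toy parameter)


def ext(r0, r1):
    """Two-source extractor: inner product over Z_P (the slide's inner product mod 2, over Z_P)."""
    return sum(a * b for a, b in zip(r0, r1)) % P


def enc(m, rng=random):
    """Enc(m) := (R0, R1, Ext(R0,R1) + m); R0 lives in memory part M0, R1 in part M1."""
    r0 = tuple(rng.randrange(P) for _ in range(N))
    r1 = tuple(rng.randrange(P) for _ in range(N))
    return (r0, r1, (ext(r0, r1) + m) % P)


def dec(code):
    """Dec(R0, R1, m*) := m* - Ext(R0,R1)."""
    r0, r1, masked = code
    return (masked - ext(r0, r1)) % P


def view_distribution(m, leak):
    """Exact distribution of the adversary's view (leak(R0,R1), masked message) for message m,
    obtained by enumerating all P^(2N) choices of (R0, R1)."""
    counts = Counter()
    for r0 in product(range(P), repeat=N):
        for r1 in product(range(P), repeat=N):
            counts[(leak(r0, r1), (ext(r0, r1) + m) % P)] += 1
    total = P ** (2 * N)
    return {v: Fraction(c, total) for v, c in counts.items()}


def best_advantage(m0, m1, leak):
    """epsilon of the optimal adversary of slide 13 that submitted m0, m1 and the leakage
    functions bundled in `leak`: it wins with probability 1/2 + SD/2, where SD is the
    statistical distance between the two view distributions."""
    d0, d1 = view_distribution(m0, leak), view_distribution(m1, leak)
    sd = sum(abs(d0.get(v, 0) - d1.get(v, 0)) for v in set(d0) | set(d1)) / 2
    return sd / 2


# Leakage the construction is designed for: every function reads ONE part only.
# Here two functions leak all but the last coordinate of R0 and of R1, respectively.
def one_sided_leak(r0, r1):
    return (r0[:-1], r1[:-1])


# Leakage that violates the restriction: one function reading both parts at once.
# It leaks a single field element, but that element is the extractor output itself.
def cross_part_leak(r0, r1):
    return (ext(r0, r1),)


def no_leak(r0, r1):
    return ()


if __name__ == "__main__":
    rng = random.Random(1)
    assert all(dec(enc(m, rng)) == m for m in range(P))
    for name, leak in [("no leakage", no_leak), ("one-sided", one_sided_leak), ("cross-part", cross_part_leak)]:
        print(f"{name:>10}: best adversary advantage = {best_advantage(0, 1, leak)}")
```

With P = 5 and N = 3 the one-sided leakage of 2(N-1) field elements leaves the adversary an advantage of 1/10, driven entirely by the single unleaked coordinate pair (whose product is 0 with probability 9/25 rather than 1/5); without leakage the advantage is 1/250, the bias of the extractor itself (R_0 = 0 with probability P^-N). The cross-part function leaks only one element but gives advantage 1/2: the restriction that each function reads one part is what the proof of slide 21 relies on.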

22 Problem, second case: the cardinality of Γ is restricted  ->  ℓ-wise independent hash functions

23 ℓ-wise independent hash functions
  A family H = {h_s : X -> Y}_{s in I} is ℓ-wise independent if, for a uniformly random index S in I and any ℓ distinct inputs x_1, ..., x_ℓ in X, the tuple (h_S(x_1), ..., h_S(x_ℓ)) is uniform over Y^ℓ.

24 Boolean circuits of small size: construction
  Reminder: the cardinality of Γ is restricted; here Γ is the set of functions computable by Boolean circuits of a fixed size.
  Let H = {h_s : X -> Y}_{s in I} be ℓ-wise independent, let s in I be the (fixed) index of the scheme and let R in X be random.
  Enc_s(m) := (R, h_s(R) ⊕ m)
  Dec_s(R, m*) := h_s(R) ⊕ m*
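The following is an added example, not code from the paper or the slides. It implements one concrete ℓ-wise independent family, checks the definition of slide 23 exhaustively, and builds Enc_s / Dec_s of slide 24 on top of it. Assumptions made here and not in the slides: the family is the standard polynomial family, with index s = (s_0, ..., s_{ℓ-1}) in Z_P^ℓ and h_s(x) = Σ s_j x^j mod P; X = Y = Z_P, so "+ mod P" plays the role of ⊕; P and ℓ are toy parameters.

```python
"""l-wise independent hashing from polynomials of degree < l over Z_P, with an exhaustive
check of the definition and the Enc_s / Dec_s encoding built on it (added example)."""
from collections import Counter
from itertools import product
import random

P = 7    # prime field (toy parameter, an assumption of this example)
ELL = 3  # l: (h_s(x_1), ..., h_s(x_l)) is uniform for any l distinct points


def h(s, x):
    """h_s(x) = s[0] + s[1]*x + ... + s[l-1]*x^(l-1) mod P, evaluated by Horner's rule."""
    acc = 0
    for coeff in reversed(s):
        acc = (acc * x + coeff) % P
    return acc


def random_index(rng=random, ell=ELL):
    """Uniformly random index s in I = Z_P^l; chosen once and then fixed for the scheme."""
    return tuple(rng.randrange(P) for _ in range(ell))


def outputs_are_uniform(points, ell=ELL):
    """Exhaustive check of the definition of slide 23 on the given inputs: over uniformly
    random s in Z_P^l, is (h_s(x_1), ..., h_s(x_k)) uniform over Y^k?  That holds iff all
    P^k output tuples occur, each equally often, across the P^l indices."""
    counts = Counter(tuple(h(s, x) for x in points) for s in product(range(P), repeat=ell))
    return len(counts) == P ** len(points) and len(set(counts.values())) == 1


def enc(s, m, rng=random):
    """Enc_s(m) := (R, h_s(R) + m) with R uniform in X = Z_P."""
    r = rng.randrange(P)
    return (r, (h(s, r) + m) % P)


def dec(s, code):
    """Dec_s(R, m*) := m* - h_s(R)."""
    r, masked = code
    return (masked - h(s, r)) % P


if __name__ == "__main__":
    s = random_index(random.Random(7))
    assert all(dec(s, enc(s, m)) == m for m in range(P))
    print("3 distinct points, l=3:", outputs_are_uniform([1, 2, 3]))    # True: Vandermonde matrix is invertible
    print("4 distinct points, l=3:", outputs_are_uniform([0, 1, 2, 3]))  # False: P^3 indices cannot cover P^4 tuples
    print("repeated point, l=3:   ", outputs_are_uniform([1, 1, 2]))     # False: h_s(1) is listed twice
```

For k ≤ ℓ distinct points the map s -> (h_s(x_1), ..., h_s(x_k)) is a surjective linear map Z_P^ℓ -> Z_P^k (a Vandermonde system with distinct nodes), so every output tuple has exactly P^(ℓ-k) preimages; the check fails as soon as k > ℓ or a point repeats, which is the "ℓ distinct inputs" condition of the definition. The index s is public in the sense that it carries no message information; it must only be chosen independently of the leakage family Γ, which is fixed in advance on slide 14.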

25 Plan, part 3: Conclusion

26 Conclusion and future work
  Achieved:
    - We have defined a primitive to securely store information in hardware that may leak information.
    - We have given constructions of such a scheme in two relevant scenarios.
  Open:
    - Refreshing of the storage.
    - From storage to computation: compute with encoded data.
    - Find more applications.

