Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer.

Published byJasper Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer."— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer

2 2 Leakage resilience (continued)

3 3 black box indistinguishable Security [Ishai Sahai Wagner ’03] adversarysimulator Adversary chooses a leakage/tampering function, from a given set of admissible leakage/tampering functions, to be applied to the wires.

4 INPUT OUTPUT CIRCUIT MEMORY Security definition C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’ 4

5 Resilient-schemes 1/3 (whiteboard discussion) Sum-of-wires leakage –Dual-Rail Logic Sum-of-wire-transitions leakage –Dual-Rail Precharge Logic 5

6 Resilient-schemes 2/3 (whiteboard discussion) Single-wire leakage –Bit masking or secret sharing Multiple-wire leakage –Secret sharing Leakage of “data-dependent” values from “bulk” computation –RSA blinding 6

7 t-wire leakage [ISW03] Secrets additively secret-shared into m=2t+1 shares Given shares of a=a 1  …  a m and b=b 1  …  b m : –Compute shares of NOT(a) : apply NOT to a 1 –Compute shares c i of a AND b : Let z i,j, i<j, be random independent bits Let z j,i =(z i,j  a i b j )  a j b i (i<j) Let c i =a i b i   j  i z i,j Re-randomize s’ at every iteration (hence m=2t+1). Security proof sketch: simulator runs adversary and, when asked for leakage value: if answer implied by inputs / inputs / previous answer, answers thus. Otherwise answers randomly. This has the correct distribution. s0’s0’ 7

8 8 xY YX black-box indistinguishable Other leakage? C’C admissible leakage sisi

9 9 Our goal Allow stronger leakage.

10 10 Leakage classes Locality assumptions –Single wire, t wires –Separate sub-circuits –Leak-free processor: Oblivious RAM [Goldreich Ostrovsky 95] –Leak-free memory (“only computation leaks information” [Micali Reyzin 04] : leakage is only from CPU state and memory accessed at that program step) Quantitatively bounded –Total #bits leaked –Total #bits leaked per “computational step” –Noisy leakage from every wire “Simple leakage” –Sums and Hamming weights –Low-complexity global functions “Too-complicated leakage” (hard to invert) Some of these are for specific functionality (mainly crypto) Open problem: realistic models allowing secure and efficient constructions.

11 11 Trusted Computing Architecture (warmup discussion, see next week’s slides)

Download ppt "1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.

Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 2: Crypto review, fault attacks Eran Tromer (This lecture was given mostly.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 2: Crypto review, fault attacks Eran Tromer (This lecture was given mostly.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2013-2014 Lecture 7: Tamper Resilience, Cryptographic leakage Resilience Eran Tromer Slides.

1 Information Security – Theory vs. Reality , Winter Lecture 7: Tamper Resilience, Cryptographic leakage Resilience Eran Tromer Slides.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Similar presentations

Ads by Google