Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.
Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland Vinod Vaikuntanathan IBM

Crypto with Leakage
– The secret key is assumed to be truly random and secret.
– RSA (and other schemes) are insecure when a small fraction of the secret key is leaked [Rivest-Shamir85, Coppersmith1996, Heninger-Shacham2009].

Computation Leaks
– Timing [Kocher 96]
– Power Consumption [Kocher et al. 98]
– EM Radiation [Quisquater 01]

Memory Leaks
– Cold-boot attack [Halderman-Schoen-Heninger-Clarkson-Paul-Calandrino-Feldman-Appelbaum-Felten 08]

Outline
– Motivation (for studying crypto with leakage)
– Modeling Leakage
– Our Results
– Previous work
– Our Techniques

Modeling Leakage
– Continual computation leakage (only computation leaks): [Micali-Reyzin2004] [Dziembowski-Pietrzak2008] [Pietrzak2009] [Faust-Kiltz-Pietrzak-Rothblum2009] [Juma-Vahlis2010] [Goldwasser-Rothblum2010]
– Bounded memory leakage: [Akavia-Goldwasser-Vaikuntanathan2009] [Dodis-K-Lovett2009] [Naor-Segev2009] [Katz-Vaikuntanathan2009] [Alwen-Dodis-Wichs2009] [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009] [Dodis-Goldwasser-K-Peikert-Vaikuntanathan2010] [Goldwasser-K-Peikert-Vaikuntanathan2010]
– Drawback!
– Other models: [Rivest97], [Ishai-Sahai-Wagner2003], [Ishai-Prabhakaran-Sahai-Wagner2006], [Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10]

Our Model: Continual Memory Leakage
L1(sk), L2(sk), L3(sk), ...
Is it possible to secure against continual leakage?
Note: Must update the secret key.

Our Model: Continual Memory Leakage
L1(sk1), L2(sk2), L3(sk3), ...
Challenge: This should be done without changing the public key!
Note: Leakage is a function of the entire secret state. Leakage may occur during the update procedure or during the signing process.

Example: encryption scheme semantic security with continual memory leakage challenge

Our Model: Continual Memory Leakage
– The updates are oblivious to other users.
  – Public key stays the same.
  – Efficiency does not degrade with the number of updates.
– No bound on the total leakage over the lifetime of the system.
  – Amount of leakage is bounded only within each time period.
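The model on the slides above (per-period leakage functions L_i applied to the whole secret state sk_i, a key update that leaves the public key untouched, and a bound that resets each period so the lifetime total is unbounded) can be made concrete with a small simulation. The following Python is an added illustration, not the paper's scheme: the toy "scheme" (secret key = random vector orthogonal to a public vector, update = add a fresh kernel vector), the modulus P, the dimension N, and all function and class names are constructed for this example. What it shows is the bookkeeping a security game in this model has to do, and why the public key can stay fixed across updates.

```python
"""Toy simulation of the continual memory leakage model (constructed example,
not the paper's scheme).  Secret key: a vector s in Z_P^N with <a, s> = 0 for a
public vector a.  Update: add a fresh random vector from the same kernel, so the
public key never changes.  A leakage oracle enforces the per-period bound."""
import random

P = 2**61 - 1   # constructed modulus (a Mersenne prime); the field is Z_P
N = 4           # dimension of the secret vector (constructed choice)


def inner(a, s):
    """Inner product <a, s> in Z_P."""
    return sum(x * y for x, y in zip(a, s)) % P


def random_kernel_vector(a, rng):
    """Uniform vector s with <a, s> = 0; needs a[-1] != 0 so we can solve for it."""
    s = [rng.randrange(P) for _ in range(N - 1)]
    partial = sum(x * y for x, y in zip(a, s)) % P
    s.append((-partial * pow(a[-1], -1, P)) % P)
    return s


def keygen(rng):
    """pk = random a with a[-1] != 0; sk = random vector in ker(a)."""
    a = [rng.randrange(P) for _ in range(N)]
    while a[-1] == 0:
        a[-1] = rng.randrange(P)
    return a, random_kernel_vector(a, rng)


def update(pk, sk, rng):
    """Re-randomize sk inside ker(pk).  Only the key holder runs this; pk is untouched."""
    r = random_kernel_vector(pk, rng)
    return [(x + y) % P for x, y in zip(sk, r)]


class LeakageBudgetExceeded(Exception):
    """Raised when the adversary asks for more than the per-period bound."""


class ContinualLeakageOracle:
    """Adversary's interface in the model: leakage functions L_i on the entire
    current secret state sk_i, at most `bound_bits` bits per period, no bound
    on the total over the lifetime of the system."""

    def __init__(self, pk, sk, bound_bits, rng):
        self.pk, self.sk, self.bound, self.rng = pk, sk, bound_bits, rng
        self.period, self.used, self.total = 0, 0, 0

    def leak(self, fn, nbits):
        """Return the low `nbits` bits of fn(sk_i); refuse if the period budget would be exceeded."""
        if self.used + nbits > self.bound:
            raise LeakageBudgetExceeded(
                f"period {self.period}: {self.used}+{nbits} > {self.bound} bits")
        self.used += nbits
        self.total += nbits
        return fn(self.sk) & ((1 << nbits) - 1)

    def next_period(self):
        """Key update: new sk_{i+1}, same pk, fresh leakage budget."""
        self.sk = update(self.pk, self.sk, self.rng)
        self.period += 1
        self.used = 0


def run_demo(periods=5, bound_bits=8, seed=1):
    """Spend the full budget in each period, then update.  Returns pk, the
    per-period keys, and the total leaked bits (which exceeds bound_bits)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    oracle = ContinualLeakageOracle(pk, sk, bound_bits, rng)
    keys = []
    for _ in range(periods):
        oracle.leak(lambda s: s[0], bound_bits)   # adversary's choice of L_i
        keys.append(list(oracle.sk))
        oracle.next_period()
    return pk, keys, oracle.total


def overspend_is_rejected(bound_bits=8, seed=7):
    """True if a request past the period bound is refused and the budget resets after an update."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    oracle = ContinualLeakageOracle(pk, sk, bound_bits, rng)
    oracle.leak(lambda s: s[1], bound_bits - 3)
    try:
        oracle.leak(lambda s: s[1], 4)          # would exceed the bound
        return False
    except LeakageBudgetExceeded:
        pass
    oracle.next_period()                         # new period, budget is fresh again
    mask = (1 << bound_bits) - 1
    return oracle.leak(lambda s: s[2], bound_bits) == (oracle.sk[2] & mask)


if __name__ == "__main__":
    pk, keys, total = run_demo()
    print("all keys valid for the unchanged pk:", all(inner(pk, k) == 0 for k in keys))
    print("total leaked bits over 5 periods:", total)
```

Every sk_i produced by the oracle still satisfies the relation with the original pk, so nothing about the update is visible to other users, while the total leakage grows linearly with the number of periods. The toy scheme carries no security claim of its own; it only fixes the shape of the experiment the slides describe.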

Our Results
Cryptographic schemes resilient to continual memory leakage (under the linear assumption over bilinear groups):
– Public-key encryption scheme
– Identity-based encryption scheme
– Signature scheme
* Thanks to Yevgeniy, Daniel and Gil for pointing us to improved analysis of algebraic lemma
** Thanks to Daniel for pointing us to this assumption

Main contributions
1. Removing the “only computation leaks information” assumption
2. Public-key and identity-based encryption schemes (unknown even assuming “only computation leaks information”)
Concurrent Work [Dodis-Haralambiev-LopezAlt-Wichs10]: Efficient signature schemes (and more) in the continual memory leakage model under linear assumption over bilinear groups.

Prior Work: Bounded Memory Leakage
– [Akavia-Goldwasser-Vaikuntanathan2009]: Regev’s public-key encryption (and IBE) scheme is secure against leakage.
– [Naor-Segev2009]: several public-key encryption schemes secure against leakage.
– [Alwen-Dodis-Wichs2009]: Signature schemes secure against leakage in ROM.
– [Katz-Vaikuntanathan2009]: Signature schemes secure against leakage under standard assumptions.
– [Dodis-K-Lovett2009]: Symmetric-key encryption scheme secure w.r.t. auxiliary input leakage.
– [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009]: encryption in BRM.
– [Dodis-Goldwasser-K-Peikert-Vaikuntanathan2010]: Several public-key encryption schemes secure w.r.t. auxiliary input leakage.

Prior Work: Continual Computation Leakage
Assumption: Only computation leaks information [Micali-Reyzin04]
– [Dziembowski-Pietrzak08, Pietrzak09]: Stream ciphers
– [Faust-Kiltz-Pietrzak-Rothblum09]: Signature schemes
– [Juma-Vahlis10] [Goldwasser-Rothblum10]: Programs resilient to side-channel attacks (using simple hardware)
– Encryption scheme???

Today
Cryptographic schemes resilient to continual memory leakage (under the linear assumption over bilinear groups):
– Public-key encryption scheme
– Identity-based encryption scheme
– Signature scheme

Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage Many thanks to Yevgeniy, Daniel and Gil for pointing to an improved analysis [Dodis-Smith2005, Boldyreva-Fehr-O’Neill2008]

Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage

Algebraic Lemma: Pictorially

Candidate Encryption Scheme

Update: ?

Our 1st Encryption Scheme d (Thanks Daniel!)
Assumption: DDH holds in each group

A Step in the Proof random subspace DDH

Our 2nd Encryption Scheme d
Cannot distinguish between rank 2 and rank 3 matrices in the exponent

Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage

Algebraic Lemma: Pictorially

Security

Pictorial Proof random subspace Linear assumption

Security

General Proof Template

Additional Results
1. Tolerating leakage from the updates.
2. Converting our encryption scheme into an identity based encryption scheme [Brakerski-K10].
3. General transformation for converting any encryption scheme resilient to continual memory leakage into a signature scheme resilient to continual memory leakage [Katz-Vaikuntanathan09].*
* More complicated if we want to tolerate leakage during signing process.

Summary
We construct
– Public key encryption scheme
– Identity-based encryption scheme
– Signature schemes
in the continual memory leakage model, under linear assumption over bilinear groups. This was not known even if we assume “only computation leaks information”.

Thanks!