CONTINUOUS NON-MALLEABLE CODES
Pratyay Mukherjee, Aarhus University, 25 Feb 2014
Joint work with Sebastian Faust, Jesper Buus Nielsen, Daniele Venturi. TCC

[Slide 2] THE TAMPERING EXPERIMENT
Tampering experiment for an encoding scheme (Enc, Dec):
  C <- Enc(s); the adversary picks f in F and sets C* = f(C); s* = Dec(C*).
Goal: design an encoding scheme (Enc, Dec) for an interesting class F that provides meaningful guarantees about s*.

[Slide 3] ERROR CORRECTION/DETECTION & NON-MALLEABILITY
Error-correction: requires s* = s, but e.g. for Hamming codes f must be such that Ham-Dist(C, C*) < d/2, i.e. F is very limited!
Error-detection: requires s* in {s, ⊥}, but F can't contain simple functions, e.g. the constant function f_Ĉ(.) = Ĉ.
Non-malleability [DPW10]: requires s* = s or s* unrelated to s. Hope: achievable for a rich F.

[Slide 4] LIMITATION AND POSSIBILITY
Impossibility [DPW10]: not achievable if F contains an f which knows Dec. For any (Enc, Dec) consider f_bad which decodes C, flips 1 bit and re-encodes to C*.
Conclusion: there is no NMC for F_all.
Possibilities to restrict F:
1. Compromise complexity: make |F| small [FMVW14].
2. Compromise granularity, i.e. split-state: considered in [DPW10, LL12, DKO13, ADL13, CG13 (last talk)] and in this work.
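The three notions on slides 2 to 4, run through the tampering experiment on two constructed toy codes. This is an added example, not code from the talk: the repetition code, the unkeyed hash-tag code, `flip_positions`, `constant_function` and `f_bad` are all constructed here to show why error-correction and error-detection need a restricted F, and why an f that knows Dec defeats any code.

```python
import hashlib

# Added example (not from the talk): the tampering experiment of slides 2-4 run on
# two constructed toy codes.

BOT = None  # stands for the decoding-failure symbol ⊥


def tamper_experiment(enc, dec, s, f):
    """C <- Enc(s); C* = f(C); return s* = Dec(C*)."""
    return dec(f(enc(s)))


# Code 1: repetition code for a single bit (error-correcting).
N = 7


def rep_enc(bit):
    return (bit,) * N


def rep_dec(c):
    return int(sum(c) > N // 2)  # majority vote; corrects fewer than N/2 flips


def flip_positions(positions):
    """Tampering restricted by Hamming distance: flips the listed positions."""
    return lambda c: tuple(b ^ 1 if i in positions else b for i, b in enumerate(c))


# Code 2: message plus an unkeyed hash tag (error-detecting; not a MAC, there is
# no key, so anyone who knows the code can re-tag: exactly the slides' point).
def tag(m):
    return hashlib.sha256(m).digest()[:8]


def tag_enc(m):
    return (m, tag(m))


def tag_dec(c):
    m, t = c
    return m if t == tag(m) else BOT


def flip_lsb(m):
    """Flip the least significant bit of the first byte of a message."""
    return bytes([m[0] ^ 1]) + m[1:]


def corrupt_message_only(c):
    """Changes the message but not its tag: error-detection catches this."""
    m, t = c
    return (flip_lsb(m), t)


def constant_function(c_hat):
    """f_Ĉ(.) = Ĉ: overwrite the codeword with a fixed valid one. s* is neither s
    nor ⊥, so an error-detecting code cannot allow this f in F."""
    return lambda c: c_hat


def f_bad(enc, dec, relate):
    """[DPW10] impossibility: an f that knows Dec decodes, applies a related change
    (here: flip a bit) and re-encodes, so s* is related to s for ANY code."""
    def f(c):
        s = dec(c)
        return c if s is BOT else enc(relate(s))
    return f
```

Three flips on the 7-fold repetition code are corrected, four are not; the hash-tag code detects a changed message but not a wholesale overwrite; and `f_bad` turns `b"secret"` into `b"recret"` on either code, which is the related output non-malleability must exclude.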

[Slide 5] SPLIT-STATE TAMPERING
In this model C = (C1, C2) and f = (f1, f2) for arbitrary f1, f2: C1* = f1(C1), C2* = f2(C2), s* = Dec(C1*, C2*).
Why split-state?
- Might be easy to implement.
- Well-studied model in leakage-resilient crypto.
- Generalizes some other models (e.g. independent bit tampering [DPW10]).
The rest of the talk is in this model.

[Slide 6] OUTLINE: REST OF THE TALK
- Formalize and introduce CNMC.
- Explore a necessary requirement for CNMC.
- Present the construction.
- Overview of the proof.
- Application.

[Slide 7] CNMC: A NATURAL EXTENSION
Continuous tampering experiment Tamper(s_b):
1. Encode: (C1, C2) <- Enc(s_b).
2. Tampering, repeated adaptively: the adversary submits (f1, f2);
   set (C1*, C2*) <- (f1(C1), f2(C2));
   if (C1*, C2*) = (C1, C2) return "same", else return (C1*, C2*).
3. Output View.
Attack [GLMMR04]: guess each bit, overwrite it and check whether the output is "same"; this recovers the secret bit by bit.
Way out: assume self-destruct: once the output is ⊥, STOP the interaction.

[Slide 8] CNMC: A NATURAL EXTENSION (with self-destruct)
1. Encode: (C1, C2) <- Enc(s_b).
2. Tampering, repeated adaptively: the adversary submits (f1, f2);
   set (C1*, C2*) <- (f1(C1), f2(C2));
   if (C1*, C2*) = (C1, C2) return "same";
   else if Dec(C1*, C2*) = ⊥ then return ⊥ and self-destruct;
   else return (C1*, C2*).
3. Output View.
(Hang on for applications.)
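The oracle of slides 7 and 8 written out, with the self-destruct rule, so the effect of the [GLMMR04] guess-and-check probe can be seen. This is an added example, not the talk's code: `ContinuousTamperOracle` is the experiment as stated on slide 8, and the toy split-state code it is driven with (`toy_enc`/`toy_dec`, an XOR share plus a cross hash) is constructed here only so the example runs; it is not a non-malleable code.

```python
import hashlib
import os

# Added example (not from the talk): the continuous tampering oracle of slide 8
# with self-destruct, driven by a constructed toy split-state code.

BOT = None      # ⊥
SAME = "same"


def H(x):
    return hashlib.sha256(x).digest()


# Toy split-state code (constructed, NOT non-malleable):
# C1 = z0, C2 = (z1, H(z0 || z1)) with s = z0 xor z1.
def toy_enc(s):
    z0 = os.urandom(len(s))
    z1 = bytes(a ^ b for a, b in zip(s, z0))
    return z0, (z1, H(z0 + z1))


def toy_dec(c1, c2):
    z0, (z1, t) = c1, c2
    if len(z0) != len(z1) or t != H(z0 + z1):
        return BOT
    return bytes(a ^ b for a, b in zip(z0, z1))


class ContinuousTamperOracle:
    """Tamper(s_b) as on slide 8: every query (f1, f2) is applied to the ORIGINAL
    halves; the first ⊥ self-destructs the oracle."""

    def __init__(self, dec, c1, c2):
        self.dec, self.c1, self.c2 = dec, c1, c2
        self.destroyed = False
        self.view = []          # the adversary's View: the list of answers

    def tamper(self, f1, f2):
        if self.destroyed:
            raise RuntimeError("self-destructed: no further answers")
        t1, t2 = f1(self.c1), f2(self.c2)
        if (t1, t2) == (self.c1, self.c2):
            out = SAME
        elif self.dec(t1, t2) is BOT:
            out = BOT
            self.destroyed = True
        else:
            out = (t1, t2)
        self.view.append(out)
        return out


def identity(x):
    return x


def overwrite_byte(i, guess):
    """The [GLMMR04] probe from slide 7: overwrite byte i of one part with a guess
    and leave the rest alone; the answer "same" means the guess was right."""
    return lambda part: part[:i] + bytes([guess]) + part[i + 1:]


def demo():
    """Returns what each probe is answered with and whether the oracle still talks."""
    c1, c2 = toy_enc(b"\x2a\x10")
    oracle = ContinuousTamperOracle(toy_dec, c1, c2)
    untouched = oracle.tamper(identity, identity)                      # "same"
    right_guess = oracle.tamper(overwrite_byte(0, c1[0]), identity)    # still "same"
    wrong_guess = oracle.tamper(overwrite_byte(0, c1[0] ^ 0xFF), identity)  # ⊥
    try:
        oracle.tamper(identity, identity)
        answered_after = True
    except RuntimeError:
        answered_after = False
    return untouched, right_guess, wrong_guess, oracle.destroyed, answered_after
```

Without the self-destruct rule the oracle would keep answering after the wrong guess and the probe could be repeated for every byte, which is the slide-7 attack; with it, the first wrong guess ends the interaction, so the probe yields at most one bit before the session is gone.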

[Slide 9] UNIQUENESS: A NECESSARY PROPERTY
Uniqueness: it must not happen that both (C1, C2) and (C1, C2') are valid.
Why necessary? Otherwise suppose both (C1, C2) and (C1, C2') are valid. Then the pair (f1, f2) recovers T2, the second half of the target codeword:
1. f1 always replaces T1 with C1.
2. f2 checks whether T2[i] = 0: if so it replaces T2 with C2, else with C2'.
After knowing T2:
3. f1 hard-codes T2 and decodes s <- Dec(T1, T2).
4. Depending on s, f1 leaves T1 the same or tampers with it.
The [LL12] construction does not satisfy uniqueness.
Corollary: information-theoretic CNMC (split-state) is impossible.

[Slide 10] TOWARDS CONSTRUCTING CNMC
Idea: similar to [LL12], but adjusted to satisfy uniqueness.
The ingredients:
1. Leakage (bounded) Resilient Encoding in split-state: s -> (C1, C2), where leakage reveals nothing about s.
2. Collision Resistant Hash Functions.
3. Robust Non-Interactive Zero Knowledge: it is possible to extract a witness from a valid proof which is not simulated.

[Slide 11] OUR CONSTRUCTION
Encoding:
1. Encode using LRE: (z0, z1) <- LREnc(s).
2. Compute hashes with the CRHF H: h0 = H(z0) and h1 = H(z1).
3. Generate NIZK-PoK: π0 <- Prove(CRS, h0, z0) and π1 <- Prove(CRS, h1, z1).
Codeword: Part-0 C0 = (z0, h1, π1, π0); Part-1 C1 = (z1, h0, π0, π1).
Decoding:
1. Local check: check that the proofs on each side verify using the CRS.
2. Global check: check that the hashes are correct and the proofs match across the parts.
3. If all of the above pass, decode using LRE: s <- LRDec(z0, z1); else output ⊥.
Uniqueness holds: easy to see.
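The cross-hash skeleton of slide 11 and the uniqueness check it gives. This is an added example, not the paper's code, and it leaves out the NIZK proofs of knowledge (π0, π1), which the construction needs for the security proof but not for uniqueness itself. Assumptions: SHA-256 stands in for the CRHF H, and a one-time-pad share (`lr_enc`/`lr_dec`) stands in for LREnc/LRDec; that share is not leakage resilient, so a real instantiation such as an inner-product encoding would replace it.

```python
import hashlib
import os

# Added example (not from the paper): the global check of slide 11 with the NIZK
# proofs omitted.  SHA-256 stands in for H; XOR sharing stands in for LREnc/LRDec.

BOT = None  # ⊥


def H(x):
    return hashlib.sha256(x).digest()


def lr_enc(s):                      # stand-in for LREnc (NOT leakage resilient)
    z0 = os.urandom(len(s))
    return z0, bytes(a ^ b for a, b in zip(s, z0))


def lr_dec(z0, z1):                 # stand-in for LRDec
    return bytes(a ^ b for a, b in zip(z0, z1))


def enc(s):
    """Part-0 holds z0 and a hash of the OTHER part's share; Part-1 symmetrically.
    (The real construction additionally stores π0, π1 in both parts.)"""
    z0, z1 = lr_enc(s)
    return (z0, H(z1)), (z1, H(z0))


def dec(c0, c1):
    z0, h1 = c0
    z1, h0 = c1
    # Global check: each stored hash must match the share held on the other side.
    if len(z0) != len(z1) or h0 != H(z0) or h1 != H(z1):
        return BOT
    return lr_dec(z0, z1)


def valid_partners(c0, candidate_c1s):
    """Uniqueness: for a fixed Part-0 at most one Part-1 decodes. Returns how many
    of the candidates pass the global check (0 unless a collision in H is found)."""
    return sum(1 for c1 in candidate_c1s if dec(c0, c1) is not BOT)


def demo():
    c0, c1 = enc(b"secret")
    z1, h0 = c1
    z1_changed = bytes([z1[0] ^ 1]) + z1[1:]
    # Part-1 halves an adversary might try to pair with the genuine Part-0:
    candidates = [
        (z1_changed, h0),            # share changed: caught by h1 stored in Part-0
        (z1, H(b"not z0")),          # hash of Part-0's share wrong: caught by h0
        enc(b"others")[1],           # Part-1 of an unrelated encoding (mix-and-match)
    ]
    return dec(c0, c1), valid_partners(c0, candidates)
```

Because each part carries the hash of the other part's share, a Part-1 taken from a different encoding, or a Part-1 whose share was changed without updating the hash held on the other side, fails the global check; this is the mix-and-match that the [LL12] construction mentioned on slide 9 does not rule out.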

[Slide 12] PROOF INTUITIONS
Main idea: reduction from Leakage Resilient Encoding; simulate the tampering using leakage.
Main difficulties:
1. Simulate continuous tampering using only bounded leakage.
2. Simulate the tamper view with independent leakage access to each part of the codeword.
Let j* denote the index of the round where the experiment outputs ⊥ for the first time. After j* it is easy to simulate: always output ⊥. How to know j*? Possible using bounded leakage.
Before j*: a complicated case analysis involving uniqueness, robustness of the NIZK, collision resistance, etc.

[Slide 13] APPLICATION: PROTECT AGAINST MEMORY TAMPERING
Idea [DPW10]: build a compiler for any functionality G with memory s; the compiled circuit has memory s'.
Initialization: s' := NMEnc(s).
Execution of G[s](x): 1. s = NMDec(s'). 2. If s = ⊥ then self-destruct, else output G[s](x).
Tamper-simulatability:

[Slide 14] DRAWBACK AND SOLUTION
- Requires perfect erasures: each time the new state is re-encoded, the old one must be erased, otherwise the adversary can copy it. The entire memory must be erased!
- The transformation is stateful even for stateless functionalities: decode, compute and re-encode with fresh randomness. Constructing a stateless transformation was an open question [DPW10].
Both solved with CNMC!

[Slide 15] OUR TAMPERING MODEL
The memory space is much bigger than the length of the codeword: C := NMEnc(s) is stored in memory M, and the adversary replaces the whole memory, M* = f(M).
Main application: in this model we construct a stateless transformation for stateless functionalities assuming 1 untamperable bit (used for self-destruct).
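The compiled device of slides 13 to 15 as an added example (not the paper's construction): memory is larger than the codeword, the adversary rewrites all of it before any execution, the device never re-encodes, and one bit is assumed untamperable. Assumption: a hash-tag detection code (`nm_enc`/`nm_dec`) stands in for the continuous NMC; `prf_like` is a constructed stateless functionality.

```python
import hashlib

# Added example (not from the paper): stateless transformation with one
# untamperable self-destruct bit, over a hash-tag stand-in for NMEnc/NMDec.

BOT = None  # ⊥
TAG_LEN = 32


def H(x):
    return hashlib.sha256(x).digest()


def nm_enc(s):                      # stand-in for NMEnc
    return s + H(s)


def nm_dec(c):                      # stand-in for NMDec
    s, t = c[:-TAG_LEN], c[-TAG_LEN:]
    return s if len(c) > TAG_LEN and t == H(s) else BOT


class CompiledDevice:
    """G'[M] for a stateless functionality G(s, x)."""

    def __init__(self, G, s, mem_size=256):
        c = nm_enc(s)
        self.G = G
        self.codeword_len = len(c)
        self.memory = c + b"\x00" * (mem_size - len(c))   # M, much bigger than C
        self.self_destructed = False                       # the one untamperable bit

    def tamper(self, f):
        """Adversary's step: M* = f(M) over the whole memory."""
        self.memory = f(self.memory)

    def execute(self, x):
        if self.self_destructed:
            return BOT
        s = nm_dec(self.memory[:self.codeword_len])
        if s is BOT:
            self.self_destructed = True    # set once, never reset, nothing re-encoded
            return BOT
        return self.G(s, x)  # stateless: memory is read, never rewritten


def prf_like(s, x):
    """Constructed stateless functionality whose output depends on the secret s."""
    return H(s + x)


def demo():
    s = b"device-secret"
    dev = CompiledDevice(prf_like, s)
    genuine = bytes(dev.memory)                 # a copy the adversary might keep
    out1 = dev.execute(b"query") == prf_like(s, b"query")
    untouched = dev.memory == genuine           # no decode-recompute-re-encode cycle
    dev.tamper(lambda m: bytes([m[0] ^ 1]) + m[1:])   # corrupt one byte of C
    out2 = dev.execute(b"query")                # ⊥, and the bit flips
    dev.tamper(lambda m: genuine)               # adversary writes the old copy back
    out3 = dev.execute(b"query")                # still ⊥: the bit is untamperable
    return out1, untouched, out2, out3
```

Because the device only reads memory, there is no new state to erase and no old copy to protect, which removes the perfect-erasure requirement of slide 14; and because the untamperable bit is outside the adversary's f, restoring a saved copy of the memory after a ⊥ does not revive the device.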

[Slide 16] SUMMARY
- CNMC: a natural extension of NMC.
- First concrete construction.
- Application: protection against memory tampering in a much stronger and more practical model.
- Open: we consider only the split-state model; it could be interesting to also consider the global model.


[Slide 18] PROOF INTUITIONS (backup)
Main idea: reduction from Leakage Resilient Encoding.
Main challenge: simulate continuous tampering using only bounded leakage.
Simulator: ask to reveal C0; get (f0, f1) from the adversary. Before round j*: compute C0* = f0(C0); let C0* = (z0*, h1*, π1*, π0*). Simulate based on cases:
1. C0* = C0: output "same".
2. C0* ≠ C0: (i) if any proof fails, output ⊥; (ii) if π1* ≠ π1, extract z1 from π1*; (iii) else output ⊥.
Almost done except: how to learn j*? Non-trivial, as the leakage is only bounded. Run the same simulator inside the leakage oracle and find j* by binary search, comparing the simulated output.
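The "find j* by binary search" step of slides 12 and 18, as an added example that is not the paper's proof. The predicate "the experiment has output ⊥ by round m", evaluated by running the simulated experiment inside the leakage function, is monotone in m, so a reduction that may leak only a bounded number of bits about the hidden part locates the first ⊥ among q queries with ceil(log2(q+1)) one-bit leakage queries. Assumptions: `BoundedLeakageOracle`, `bot_by_round`, `find_jstar` and the toy code (C0 = C1 = s, valid iff both halves agree) are all constructed here.

```python
import math

# Added example (not from the paper): locating j* with bounded leakage.

BOT = None  # ⊥


class BoundedLeakageOracle:
    """Leakage oracle on the hidden Part-1: answers at most `budget` one-bit
    functions g of it, as the reduction is allowed to ask."""

    def __init__(self, hidden_part, budget):
        self._hidden = hidden_part
        self.budget, self.used = budget, 0

    def leak(self, g):
        if self.used >= self.budget:
            raise RuntimeError("leakage budget exhausted")
        self.used += 1
        return int(bool(g(self._hidden)))


def toy_dec(c0, c1):
    return c0 if c0 == c1 else BOT


def bot_by_round(queries, c0, c1, m, dec=toy_dec):
    """Run rounds 0..m of the continuous experiment on the original halves and
    report whether ⊥ (hence self-destruct) has occurred by round m."""
    for f0, f1 in queries[:m + 1]:
        t0, t1 = f0(c0), f1(c1)
        if (t0, t1) != (c0, c1) and dec(t0, t1) is BOT:
            return True
    return False


def find_jstar(oracle, queries, c0):
    """Binary search for j*, one leaked bit per halving; the leakage function runs
    the experiment itself.  Returns len(queries) if ⊥ never occurs."""
    lo, hi = 0, len(queries)          # invariant: j* lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.leak(lambda c1, m=mid: bot_by_round(queries, c0, c1, m)):
            hi = mid
        else:
            lo = mid + 1
    return lo


def leakage_budget(q):
    return math.ceil(math.log2(q + 1))


def true_jstar(queries, c0, c1):
    """Ground truth with full knowledge of both halves (for checking only)."""
    for j in range(len(queries)):
        if bot_by_round(queries, c0, c1, j):
            return j
    return len(queries)


def demo(q=10, bad_round=6):
    """Constructed query sequence: identity in every round except `bad_round`,
    where only Part-1 is changed.  Returns (found j*, true j*, leaked bits)."""
    identity = lambda x: x
    corrupt = lambda x: x[:1] + bytes([x[1] ^ 1]) + x[2:]
    queries = [(identity, identity)] * q
    if bad_round is not None:
        queries[bad_round] = (identity, corrupt)
    c0 = c1 = b"secret"                         # toy code: both halves equal s
    oracle = BoundedLeakageOracle(c1, leakage_budget(q))
    return find_jstar(oracle, queries, c0), true_jstar(queries, c0, c1), oracle.used
```

A linear scan would need one leaked bit per round, i.e. q bits, which no bounded-leakage reduction can afford; the binary search stays within a logarithmic budget whether or not ⊥ ever occurs.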