Information Security – Theory vs. Reality (0368-4474-01), Winter 2012-2013
Lecture 13: Cryptographic leakage resilience (cont.)
Eran Tromer
Slides credit: Yuval Ishai, Manoj Prabhakaran

Overview of primitives. Columns: attacks tolerated (leakage / tampering), guarantees (correctness / secrecy), functionality (function class / output form), communication, assumptions.

FHE: leakage ANY; tampering none (correctness yes) or ANY (correctness no); secrecy YES; circuits; encrypted output; minimal communication; computational assumptions.
Arguments (CS proofs / PCD / SNARG): leakage ANY; tampering ANY; correctness YES; secrecy no; RAM and distributed computations; plaintext output; minimal communication; exotic computational / oracle assumptions.
MPC: leakage and tampering ANY; correctness and secrecy YES; any function; plaintext output; heavy interaction; mild computational assumptions.
Garbled circuits: leakage ANY; tampering none (correctness yes) or ANY (correctness no); secrecy YES; circuits; plaintext output; preprocessing + minimal communication; mild computational assumptions.
Leakage resilience: leakage varies; tampering none; correctness yes; secrecy YES; function class varies; plaintext output; minimal communication; assumptions vary.
Tamper resilience: tampering varies; plaintext output; minimal communication; assumptions vary.
Obfuscation: leakage and tampering ANY; correctness and secrecy YES; plaintext output; minimal communication; assumption "0=1" (the general version is impossible; see the negative results below).
TPM / secure hardware: (row left empty on the slide).

Leakage resilience
A circuit with secret state s maps input x to output y = y(s, x). The transformed circuit, with state s', has the same I/O functionality, y = y(s, x), and keeps the secret even in the presence of side-channel attacks: leakage and tampering.

Model
The circuit (with its memory) runs for many cycles. In each cycle:
– the adversary chooses the input;
– the adversary chooses an admissible attack: leakage and/or tampering from a specified class;
– the adversary observes the output plus the leakage;
– the memory state is updated.

Circuit transformers
A transformer T = (T_C, T_s), on inputs k and t (the security parameter and the leakage bound, e.g. the number of probed wires), maps the circuit C to C' and the initial state s_0 to s_0'.
– T_s must be randomized; otherwise the initial state s_0 is revealed by probing.
– C' can be either randomized or (better yet) deterministic.
– Functionally equivalent: C[s_0] ≡ C'[s_0'].

Security [Ishai Sahai Wagner '03]
Any boolean circuit with state s, input X and output Y is mapped by the circuit transformation to a transformed circuit. What the adversary sees through admissible leakage from the transformed circuit is black-box indistinguishable from what it could see given only the input/output pairs (X, Y).

Security definition
T protects privacy if for every circuit C there exists an efficient simulator Sim such that for every admissible adversary Adv and every initial state s_0:
  Sim^{Adv, C[s_0]} ≈ view of Adv attacking C'[s_0'].
(Even in the case of tampering, only privacy is required.)

Relation to obfuscation
C'[s_0'] should act like a "virtual black-box" for C[s_0], even in the presence of side-channel attacks. The negative results for obfuscation [BGI+01, GK05] restrict the classes of attacks that can be tolerated:
– the adversary can't probe all wires in a single cycle;
– the adversary can't leak an arbitrary predicate of the state [BGI+01, GK05, DP06];
– the adversary can't freely "edit" gates and wires.

Simple/practical schemes I
– Sum-of-wires leakage: dual-rail logic.
– Sum-of-wire-transitions leakage: dual-rail precharge logic.
(Goal: protecting the secret state s.)
Practical complications:
– capacitance imbalance;
– glitches;
– cell internals.
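The two leakage models on this slide, and why precharge is needed on top of dual-rail encoding, can be checked on a toy model. The following is an added example, not code from the lecture; the encodings, leakage functions and the capacitance weights used to model imbalance are assumptions made here for illustration.

```python
# Added example (not part of the lecture slides): a toy model of "sum of wires"
# and "sum of wire transitions" leakage, comparing a plain bit encoding with
# dual-rail and dual-rail precharge encodings. The leakage functions and the
# per-wire capacitance weights are assumptions chosen for illustration.
from itertools import product


def to_bits(x, n):
    """Little-endian bits of an n-bit value."""
    return [(x >> i) & 1 for i in range(n)]


def plain(bits):
    """Identity encoding: one wire per bit."""
    return list(bits)


def dual_rail(bits):
    """Dual-rail encoding: each bit b becomes the wire pair (b, NOT b)."""
    wires = []
    for b in bits:
        wires += [b, b ^ 1]
    return wires


def hamming_weight(wires):
    """'Sum of wires' leakage: how many wires carry a 1."""
    return sum(wires)


def weighted_sum(wires, weights):
    """Sum-of-wires leakage with a per-wire capacitance (weight): models imbalance."""
    return sum(w * b for w, b in zip(weights, wires))


def toggles(prev, cur):
    """'Sum of wire transitions' leakage: number of wires that changed."""
    return sum(p ^ c for p, c in zip(prev, cur))


def cycle_toggles(prev, cur, precharge):
    """Transitions observed in one cycle. With precharge every wire is driven to 0
    between the two evaluations, so the count is toggles(prev->0) + toggles(0->cur)."""
    if not precharge:
        return toggles(prev, cur)
    zeros = [0] * len(cur)
    return toggles(prev, zeros) + toggles(zeros, cur)


def value_leakage_profile(n, encode, leak):
    """Distinct leakage values over all n-bit inputs. A singleton set means the
    observation is independent of the data, i.e. nothing leaks under this model."""
    return {leak(encode(to_bits(x, n))) for x in range(2 ** n)}


def transition_leakage_profile(n, encode, precharge):
    """Distinct per-cycle toggle counts over all (previous, current) value pairs."""
    profile = set()
    for x, y in product(range(2 ** n), repeat=2):
        profile.add(cycle_toggles(encode(to_bits(x, n)), encode(to_bits(y, n)), precharge))
    return profile


if __name__ == "__main__":
    n = 3
    print("plain, HW:             ", sorted(value_leakage_profile(n, plain, hamming_weight)))
    print("dual-rail, HW:         ", sorted(value_leakage_profile(n, dual_rail, hamming_weight)))
    print("plain toggles:         ", sorted(transition_leakage_profile(n, plain, False)))
    print("dual-rail toggles:     ", sorted(transition_leakage_profile(n, dual_rail, False)))
    print("dual-rail + precharge: ", sorted(transition_leakage_profile(n, dual_rail, True)))
    # Capacitance imbalance (assumed weights): the complementary rail of bit 0 is
    # 10% "heavier" than every other wire, and the constant-weight property breaks.
    weights = [10, 11] + [10, 10] * (n - 1)
    print("imbalanced dual-rail:  ", sorted(value_leakage_profile(
        n, dual_rail, lambda w: weighted_sum(w, weights))))
```

Under the sum-of-wires model dual-rail already gives a constant Hamming weight, but the toggle count of plain dual-rail still equals twice the Hamming distance between consecutive values; only the precharge phase makes the per-cycle transition count constant. The last line shows the first of the slide's practical complications: a single unbalanced rail reintroduces a data-dependent leakage value.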

Simple/practical schemes II
– Single-wire leakage: bit masking.
– Single-"value" leakage: RSA blinding.
– t-wire leakage: secret sharing...

t-wire leakage [ISW03]
Secrets are additively shared into m = 2t+1 shares. Given shares of a = a_1 ⊕ … ⊕ a_m and b = b_1 ⊕ … ⊕ b_m:
– Compute shares of NOT(a): apply NOT to a_1.
– Compute shares c_i of a AND b:
  Let z_{i,j}, i<j, be random independent bits.
  Let z_{j,i} = (z_{i,j} ⊕ a_i b_j) ⊕ a_j b_i (i<j).
  Let c_i = a_i b_i ⊕ (⊕_{j≠i} z_{i,j}).
The state s' is re-randomized at every iteration. Randomness gates are eliminated by a random-number generator.

[ISW03] in the picture of the security slide: any boolean circuit with state s, input X and output Y is mapped by the circuit transformation to a transformed circuit, and an adversary limited to t-wire probing of the transformed circuit learns nothing beyond (X, Y): the two views are black-box indistinguishable.
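The NOT and AND gadgets from the t-wire leakage slide, written out and checked exhaustively for t = 1. This is an added example, not code from the lecture or from the [ISW03] paper; the helper names and the single-probe check are this example's own, and indices are 0-based where the slide uses 1-based i<j.

```python
# Added worked example (not from the lecture slides): the [ISW03] NOT and AND
# gadgets over XOR-shared bits, with an exhaustive check that, for t = 1 and
# m = 2t+1 = 3 shares, every single output share is independent of the secrets.
# Helper names and the probing check are this example's own, not the paper's.
import itertools
import secrets


def xor_all(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def share(bit, m):
    """XOR-share a bit into m shares: m-1 uniform bits, the last one fixes the parity."""
    shares = [secrets.randbits(1) for _ in range(m - 1)]
    shares.append(bit ^ xor_all(shares))
    return shares


def reconstruct(shares):
    return xor_all(shares)


def not_gadget(a):
    """Shares of NOT(a): flip exactly one share (a_1 on the slide, index 0 here)."""
    out = list(a)
    out[0] ^= 1
    return out


def and_gadget(a, b, rand=None):
    """Shares c of a AND b, following the slide (0-based indices here).
    rand(i, j) supplies the fresh random bit z_{i,j} for i < j; default is a CSPRNG."""
    m = len(a)
    if rand is None:
        rand = lambda i, j: secrets.randbits(1)
    z = {}
    for i in range(m):
        for j in range(i + 1, m):
            z[(i, j)] = rand(i, j)
            # z_{j,i} = (z_{i,j} xor a_i b_j) xor a_j b_i; the bracketing fixes the
            # evaluation order, which the [ISW03] proof relies on for internal wires.
            z[(j, i)] = (z[(i, j)] ^ (a[i] & b[j])) ^ (a[j] & b[i])
    c = []
    for i in range(m):
        ci = a[i] & b[i]
        for j in range(m):
            if j != i:
                ci ^= z[(i, j)]
        c.append(ci)
    return c


def check_and_gadget(t=1):
    """Exhaustive check for m = 2t+1 shares (t = 1 keeps it small: 512 cases):
    (1) AND and NOT reconstruct correctly for every sharing and every choice of
        the random bits, and
    (2) each single output share c_i equals 1 in exactly half of the cases for a
        fixed (a, b), so probing one output wire reveals nothing about a or b."""
    m = 2 * t + 1
    n_rand = m * (m - 1) // 2
    for a_bit, b_bit in itertools.product((0, 1), repeat=2):
        ones = [0] * m
        total = 0
        for a_free in itertools.product((0, 1), repeat=m - 1):
            a = list(a_free) + [a_bit ^ xor_all(a_free)]
            for b_free in itertools.product((0, 1), repeat=m - 1):
                b = list(b_free) + [b_bit ^ xor_all(b_free)]
                for rbits in itertools.product((0, 1), repeat=n_rand):
                    it = iter(rbits)
                    c = and_gadget(a, b, rand=lambda i, j: next(it))
                    if reconstruct(c) != (a_bit & b_bit):
                        return False
                    if reconstruct(not_gadget(a)) != (a_bit ^ 1):
                        return False
                    total += 1
                    for i in range(m):
                        ones[i] += c[i]
        if any(2 * cnt != total for cnt in ones):
            return False
    return True


if __name__ == "__main__":
    a, b = share(1, 3), share(1, 3)
    print("shares of a:", a, "shares of b:", b)
    print("AND reconstructs to", reconstruct(and_gadget(a, b)))
    print("exhaustive t=1 check passed:", check_and_gadget(1))
```

Correctness follows because XOR-ing all c_i pairs each z_{i,j} with z_{j,i}, leaving ⊕_i a_i b_i ⊕ ⊕_{i<j} (a_i b_j ⊕ a_j b_i) = (⊕ a_i)(⊕ b_j). The check only looks at output shares; the t-privacy claim of [ISW03] covers every internal wire of the gadget as well, which is what the m = 2t+1 share count and the fixed evaluation order buy.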

Our goal
Allow stronger leakage.

Leakage classes
Locality assumptions:
– single wire, t wires;
– separate sub-circuits;
– leak-free processor (Oblivious RAM [GO95]);
– leak-free memory ("only computation leaks information" [MR04]: the leakage in a program step is a function of the CPU state and of the memory accessed in that step).
"Simple leakage":
– sums and Hamming weights;
– low-complexity global functions.
Specific functionality (mainly crypto).