Protecting Cryptographic Memory against Tampering Attack PRATYAY MUKHERJEE PhD Dissertation Seminar Supervised by Jesper Buus Nielsen October 8, 2015.

Crypto is everywhere in modern digital life. How do we analyze security? Find all possible attacks? Infeasible! We need mathematical modelling and proofs, a.k.a. Provable Security.

Provable security at a glance
1. Define formal security models.
2. Design the crypto-scheme (usually described in mathematical language).
3. Prove security: reduce the security of the complex scheme to a simple assumption, e.g.
   - number theoretic: factoring is hard;
   - complexity theoretic: one-way functions exist.
Guarantee: NO practical adversary can break the security if the assumption holds.

Time to relax? A security proof implies security against all possible attacks. However, provably secure systems get broken in practice! So what's wrong? Model vs. Reality.

Physical attacks on implementations. Mathematical model: a black box (input -> output). Reality: physical attacks, namely leakage and tampering (input -> tampered output). Our focus: tampering.

Why care about tampering? BDL'01: inject a single (random) fault into the signing key of some type of RSA signature and factor the RSA modulus! Devastating attacks on provably secure crypto-systems: Anderson and Kuhn '96, Skorobogatov et al. '02, Coron et al. '09, ... and many more.

Theoretical models of tampering
- Tamper with memory and computation (IPSW'06): the most general model, but very hard to analyze. Weak existing results even using heavy tools like PCP [DK12, DK14]!
- Tamper only with memory (GLMMR'04): a restricted model, but much simpler to analyze, and it has practical relevance! Our focus.

Ways to protect against memory tampering: compile (memory K, circuit F) into (memory K', circuit F').
1. Protecting specific schemes: build concrete tamper-resilient schemes, e.g. PRF, PKE, signatures [BK03; BCM11; KKS11; BPT].
2. Protecting arbitrary computation: build a tamper-resilient compiler for any functionality [GLMMR04, ...]. Dziembowski, Pietrzak and Wichs [ICS 2010]: Non-malleable Codes.
   Initialization: K' := C = Enc(K).
   Execution of F'[C](x): 1. K = Dec(C); 2. output F[K](x).

The Dissertation
1. Protecting specific schemes
   - Bounded Tamper Resilience: How to go beyond the algebraic barrier [Asiacrypt 2013], joint work with Ivan Damgård, Sebastian Faust and Daniele Venturi. Tamper-resilient identification and PKE schemes: existing schemes like sigma-protocols and BHHO encryption are tamper-resilient, so no additional machinery is needed.
2. Protecting arbitrary computation
   - Continuous Non-malleable Codes [TCC 2014], joint work with Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi. (Brief mention.)
   - Efficient Non-malleable Codes and Key-derivation for poly-size tampering circuits [Eurocrypt 2014], joint work with Sebastian Faust, Daniele Venturi and Daniel Wichs. (This talk.)

Outline: rest of the talk
- Basics of non-malleable codes
- FMVW: efficient NMC against poly-size tampering circuits
- Tamper-resilient compiler using NMC (DPW) (briefly)
- Continuous non-malleable codes (briefly)
- Conclusion: subsequent and future works

Basics of Non-malleable Codes

What is a Non-Malleable Code? (Only 10 words!) A modified codeword contains either the original or an unrelated message. E.g., one cannot flip one bit of the encoded message by modifying the codeword.

The "Tampering Experiment". Consider the following experiment for some encoding scheme (ENC, DEC): C = ENC(s); C* = f(C) (tamper); s* = DEC(C*). Note: ENC can be randomized, and there is no secret key.
Goal: design an encoding scheme (ENC, DEC) with a meaningful "guarantee" on s* for an "interesting" class F.
- Error-correcting codes: guarantee s* = s. E.g. for Hamming codes with distance d, f must be such that Ham-Dist(C, C*) < d/2.
- F must exclude simple functions! E.g. consider f to be a constant function that always maps to a "valid" codeword.
- Non-malleable codes [DPW'10]: guarantee s* = s or "something unrelated". Hope: achievable for a "rich" F.

Let's be formal...

Tamper_f(s), formally: C = ENC(s); C* = f(C); if C* = C return "same", else return s* = DEC(C*).
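The experiment above, run on a small example (added here, not code from the talk): a repetition code is a fine error-correcting code but a bad non-malleable code, because a tampering function that flips a whole repeated block flips one bit of the decoded message, exactly the failure the "only 10 words" slide forbids. The repetition parameter, message and tampering functions are constructed for illustration.

```python
"""Toy model of Tamper_f(s) = (C = ENC(s); C* = f(C); 'same' if C* == C else DEC(C*))."""
from typing import Callable, Optional

REPS = 3  # constructed parameter: every message bit is repeated 3 times

def enc_repetition(s: str) -> str:
    """ENC: repeat each bit of the message s (a string of '0'/'1') REPS times."""
    return "".join(bit * REPS for bit in s)

def dec_repetition(c: str) -> Optional[str]:
    """DEC: majority-decode each block; None means 'invalid codeword'."""
    if len(c) % REPS != 0:
        return None
    out = []
    for i in range(0, len(c), REPS):
        block = c[i:i + REPS]
        out.append("1" if block.count("1") > REPS // 2 else "0")
    return "".join(out)

Tamper = Callable[[str], str]

def tamper_experiment(enc, dec, f: Tamper, s: str):
    """The slides' Tamper_f(s): returns 'same', a decoded message, or None (invalid)."""
    c = enc(s)
    c_star = f(c)
    if c_star == c:
        return "same"
    return dec(c_star)

def flip_bit(j: int) -> Tamper:
    """Flip a single codeword bit: within the correction radius, so DEC recovers s."""
    def f(c: str) -> str:
        bits = list(c)
        bits[j] = "1" if bits[j] == "0" else "0"
        return "".join(bits)
    return f

def flip_block(i: int) -> Tamper:
    """Flip all REPS codeword bits belonging to message position i.
    The result is a valid codeword of a *related* message: non-malleability fails."""
    def f(c: str) -> str:
        bits = list(c)
        for j in range(i * REPS, (i + 1) * REPS):
            bits[j] = "1" if bits[j] == "0" else "0"
        return "".join(bits)
    return f

def constant_codeword(target: str) -> Tamper:
    """The 'simple function' the slides exclude from F: ignore C, output a fixed valid codeword."""
    fixed = enc_repetition(target)
    return lambda _c: fixed

def identity(c: str) -> str:
    """The do-nothing tampering function; the experiment answers 'same'."""
    return c
```

Running `tamper_experiment(enc_repetition, dec_repetition, flip_block(0), "1011")` yields `"0011"`, a message that differs from `s` in exactly one bit, which is why the repetition code is not non-malleable even though `flip_bit(0)` is harmlessly corrected back to `"1011"`.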

Limitation... Main question: how to restrict F? There is no hope of achieving non-malleability for such an f_bad! Other questions: rate (= |s|/|C|), efficiency, assumption(s).

...and Possibilities. Main question: how to restrict F?
Way-1: Granular tampering
- The codeword consists of components which are independently tamperable.
- Decoding requires the whole codeword.
- Example: the split-state tampering model, where there are only two independently tamperable components. [DPW10, LL12, DKO13, ADL13, CG14a, FMNV14 (continuous), CZ15, ADKO]

...and Possibilities. Main question: how to restrict F?
Way-2: Low-complexity tampering (our focus)
- The whole codeword is tamperable.
- The tampering functions are "less complicated" than encoding/decoding.
- [CG14b, FMVW14]

Efficient Non-Malleable Codes for poly-size tampering circuits

Our Result. Recall Corollary-2: it is impossible to construct an efficient encoding scheme which is non-malleable w.r.t. all efficient functions F_eff. Main result: "the next best thing". Even more... Caveat: our results hold in the CRS model.

NMC in the CRS model
- Fix some polynomial P.
- We construct a family of efficient codes parameterized by the CRS: (ENC_CRS, DEC_CRS).

The Construction Overview. Input s -> inner encoding C1 -> outer encoding C = C1 || h(C1).
Ingredient: a t-wise independent hash function h, described by the CRS. C is valid iff C is of the form R || h(R).

Intuition (outer encoding): for every tampering function f there is a "small set" S_f such that if a tampered codeword is valid, then it is in S_f w.h.p. We call this property Bounded Malleability; it ensures that the tampered codeword does not contain "too much information" about the input.

Intuition (inner encoding): recall that the output of Tamper_f(s) can be thought of as some sort of leakage on C1. Example: f can guess some bit(s) of C1 and, if the guess is correct, leave C the same, otherwise overwrite C with some invalid codeword. Hence the inner encoding is a leakage-resilient code.

Our inner encoding: a leakage-resilient code.

Putting everything together: a bounded-malleable code for F (outer encoding) composed with a leakage-resilient code for G (inner encoding) gives a non-malleable code for F, where |F| = |G|.
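A concrete instance of the outer encoding and of the bounded-malleability intuition, added as an example (this is not the FMVW construction itself, only a toy version of its outer layer). The t-wise independent family is the standard one of degree-(t-1) polynomials over a prime field, with the CRS being the random coefficients; the field size, t, the inner codeword C1 and the tampering functions are all constructed for illustration. The experiment counts, over many fresh CRSs, how often a tampering function fixed independently of the CRS produces a codeword that still passes the validity check R || h(R).

```python
"""Outer encoding C = C1 || h(C1) with a CRS-described t-wise independent hash."""
import random

P = (1 << 61) - 1   # constructed: a Mersenne prime; the hash works over GF(P)
T = 4               # constructed: random degree-(T-1) polynomials are T-wise independent

def sample_crs(rng: random.Random) -> list:
    """CRS = coefficients a_0 .. a_{T-1} of a uniformly random polynomial over GF(P)."""
    return [rng.randrange(P) for _ in range(T)]

def h(crs: list, x: int) -> int:
    """t-wise independent hash: evaluate the CRS polynomial at x (Horner's rule)."""
    acc = 0
    for a in reversed(crs):
        acc = (acc * x + a) % P
    return acc

def outer_enc(crs: list, c1: int) -> tuple:
    """C = (R, h(R)) with R = C1 viewed as a field element."""
    r = c1 % P
    return (r, h(crs, r))

def outer_dec(crs: list, c: tuple):
    """Valid iff C is of the form R || h(R); returns R, or None for an invalid codeword."""
    r, tag = c
    return r if h(crs, r) == tag else None

def tamper_add(delta_r: int, delta_tag: int):
    """A CRS-independent tampering function: add fixed offsets to both components."""
    return lambda c: ((c[0] + delta_r) % P, (c[1] + delta_tag) % P)

def tamper_identity(c: tuple) -> tuple:
    return c

def fraction_valid_after_tampering(f, c1: int, trials: int, seed: int) -> float:
    """Bounded-malleability check: over `trials` fresh CRSs, the fraction of runs in
    which the tampered codeword f(ENC_CRS(C1)) is still valid. For f chosen without
    knowledge of the CRS, a non-identity f hits a valid codeword with probability
    about 1/P per trial, so the fraction is essentially 0."""
    rng = random.Random(seed)
    valid = 0
    for _ in range(trials):
        crs = sample_crs(rng)
        if outer_dec(crs, f(outer_enc(crs, c1))) is not None:
            valid += 1
    return valid / trials
```

The identity function leaves every codeword valid (fraction 1.0), whereas any fixed additive modification, including one that touches only the tag or only R, is rejected in every trial: the set S_f of valid tampered codewords is tiny for every fixed f, which is the property the slides call bounded malleability. The toy omits the inner leakage-resilient layer, so it is not itself non-malleable; in particular a tampering function that reads the CRS could recompute the tag.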

Few additional remarks

Tamper-resilient Compiler via Non-malleable Codes (Briefly) [DPW10]

Recall: ways to protect against memory tampering, i.e. compile (memory K, circuit F) into (memory K', circuit F'). 1. Protecting specific schemes: concrete tamper-resilient schemes, e.g. PRF, PKE, signatures [BK03; BCM11; KKS11; BPT]. 2. Protecting arbitrary computation: a tamper-resilient compiler for any functionality [GLMMR04, ...]. Initialization: K' := C = Enc(K). Execution of F'[C](x): 1. K = Dec(C); 2. output F[K](x).

Tamper-resilient compiler using NMC: (K, F) -> (K', F'). Security follows from the NMC guarantee plus self-destruct.

Continuous Non-malleable Codes (Briefly)

Continuous NMC: ContTamper_f(s) is the experiment C = ENC(s); C* = f(C); s* = DEC(C*), repeated on the same codeword.

A natural extension, Continuous Non-malleable Codes: the same codeword can be tampered many times. This gives a better compiler: it protects against stronger tampering where the memory is much bigger and there is no erasure. The memory M holds C := NMEnc(s) (together with other data C'); the adversary replaces M by M* = f(M) and can tamper continuously with the same codeword while executions (EXEC) take place.
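The compiler's control flow from the "Tamper-resilient compiler using NMC" slide, together with the repeated-tampering setting of the continuous NMC slide, as an added example (not the dissertation's code). The code that stores the key is a deliberate placeholder, K || SHA-256(K): it is not non-malleable and stands in only so that the Init/Dec/Execute/self-destruct mechanics can be run; the functionality F (a MAC), the guess-a-bit tampering function from the inner-encoding intuition and the sample keys are constructed for illustration.

```python
"""Compiled device: memory holds C = Enc(K); each execution decodes C before using K."""
import hashlib
import hmac

TAG_LEN = 32

def enc(key: bytes) -> bytes:
    """Placeholder code C = K || SHA-256(K). NOT a non-malleable code; stand-in only."""
    return key + hashlib.sha256(key).digest()

def dec(c: bytes):
    """Return K if C has the form K || SHA-256(K), else None (invalid codeword)."""
    if len(c) <= TAG_LEN:
        return None
    key, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    return key if hmac.compare_digest(hashlib.sha256(key).digest(), tag) else None

def F(key: bytes, x: bytes) -> bytes:
    """The protected functionality F[K](x); here a keyed MAC, constructed for the example."""
    return hmac.new(key, x, hashlib.sha256).digest()

class CompiledDevice:
    """F'[C]: Initialization K' := C = Enc(K); Execution: K = Dec(C), output F[K](x)."""

    def __init__(self, key: bytes):
        self.memory = enc(key)
        self.destroyed = False

    def tamper(self, f):
        """Adversary applies f to the whole memory; calling this repeatedly models
        continuous tampering of the same stored codeword."""
        self.memory = f(self.memory)

    def run(self, x: bytes):
        if self.destroyed:
            return None
        key = dec(self.memory)            # 1. K = Dec(C)
        if key is None:                   # invalid codeword: self-destruct
            self.destroyed = True
            self.memory = bytes(len(self.memory))   # erase memory permanently
            return None
        return F(key, x)                  # 2. output F[K](x)

def probe_bit(i: int, guess: int):
    """The slides' intuition for 'tampering as leakage': if bit i of memory equals the
    guess, leave memory unchanged; otherwise overwrite it with an invalid codeword."""
    def f(mem: bytes) -> bytes:
        bit = (mem[i // 8] >> (7 - i % 8)) & 1
        return mem if bit == guess else bytes(len(mem))
    return f

def bits_learned_before_destruct(key: bytes, guess: int = 0) -> int:
    """Probe bits 0, 1, 2, ... of the stored key with a fixed guess and check after each
    probe whether the device still answers. Returns the number of bits confirmed
    before the first wrong guess triggered self-destruct and ended the experiment."""
    dev = CompiledDevice(key)
    learned = 0
    for i in range(8 * len(key)):
        dev.tamper(probe_bit(i, guess))
        if dev.run(b"ping") is None:
            break
        learned += 1
    return learned
```

Once a decoding fails the device answers nothing ever again, even if the adversary later writes the original codeword back, so each guess-and-check probe costs the attacker the whole device after the first wrong guess; without self-destruct the same loop would read the key out one bit per execution. A real deployment would replace `enc`/`dec` by an actual non-malleable code, which is what makes the "K = Dec(C)" step safe against tampering functions that do not simply destroy the codeword.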

Conclusion: Subsequent and Future Works

In a nutshell: we showed different theoretical methods of protecting against tampering attacks, and en route improved the theory of non-malleable codes. Several subsequent works: [FMNV15], [JW15], [DFMV15], [QLYDC15], ...
Open problems:
- Reducing the gaps with practical models of tampering; inspiration from leakage-resilient crypto [DDF14].
- Improving the state of the art in tampering with the computation itself.
- New applications of non-malleable codes.