1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer.

Slides:



Advertisements
Similar presentations
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Advertisements

Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
Secure Computation of Linear Algebraic Functions
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Information Security – Theory vs. Reality , Winter 2011 Lecture 2: Crypto review, fault attacks Eran Tromer (This lecture was given mostly.
1 Information Security – Theory vs. Reality , Winter Lecture 7: Tamper Resilience, Cryptographic leakage Resilience Eran Tromer Slides.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Oblivious Transfer based on the McEliece Assumptions
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Protecting Circuits from Computationally-Bounded Leakage Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University Crypto.
Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor.
1 Recap (I) n -qubit quantum state: 2 n -dimensional unit vector Unitary op: 2 n  2 n linear operation U such that U † U = I (where U † denotes the conjugate.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.
Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN /09/2010 Sapienza University of Rome.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
How to play ANY mental game
Computer Science 1000 Digital Circuits. Digital Information computers store and process information using binary as we’ve seen, binary affords us similar.
Chapter 3.5 Logic Circuits. How does Boolean algebra relate to computer circuits? Data is stored and manipulated in a computer as a binary number. Individual.
Cryptography on Non-Trusted Machines Stefan Dziembowski.
ON CONTINUAL LEAKAGE OF DISCRETE LOG REPRESENTATIONS Shweta Agrawal IIT, Delhi Joint work with Yevgeniy Dodis, Vinod Vaikuntanathan and Daniel Wichs Several.
Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.
A Linear Lower Bound on the Communication Complexity of Single-Server PIR Weizmann Institute of Science Israel Iftach HaitnerJonathan HochGil Segev.
Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.
Protecting Circuits from Computationally-Bounded Leakage Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University MIT/Microsoft.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Lecture 6 BOOLEAN ALGEBRA and GATES Building a 32 bit processor PH 3: B.1-B.5.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.
Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.
Communication vs. Computation S Venkatesh Univ. Victoria Presentation by Piotr Indyk (MIT) Kobbi Nissim Microsoft SVC Prahladh Harsha MIT Joe Kilian NEC.
PROTECTING CIRCUITS from LEAKAGE IBM T. J. Watson Vinod Vaikuntanathan the computationally bounded and noisy cases Joint with S. Faust (KU Leuven), L.
1 Information Security – Theory vs. Reality , Winter Lecture 13: Cryptographic leakage resilience (cont.) Eran Tromer Slides credit:
UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.
1 Information Security – Theory vs. Reality , Winter Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation.
Cryptography on Non-Trusted Machines Stefan Dziembowski International Workshop on DYnamic Networks: Algorithms and Security September 5, 2009, Wroclaw,
Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland
Introduction to Obfuscation Mohammad Mahmoody University of Virginia *some slides borrowed from abhi shelat.
1 Information Security – Theory vs. Reality , Winter Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer.
Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.
Efficient Leakage Resilient Circuit Compilers
Course Business I am traveling April 25-May 3rd
A Tamper and Leakage Resilient von Neumann Architecture
Some Rules for Expectation
Unconditional One Time Programs and Beyond
Alessandra Scafuro Practical UC security Black-box protocols
Provable Security at Implementation-level
Leakage-resilient Signatures
Impossibility of SNARGs
Presentation transcript:

1 Information Security – Theory vs. Reality , Winter Lecture 9: Leakage resilience (continued) Lecturer: Eran Tromer

2 Leakage resilience (continued)

3 black box indistinguishable Security [Ishai Sahai Wagner ’03] adversarysimulator Adversary chooses a leakage/tampering function, from a given set of admissible leakage/tampering functions, to be applied to the wires.

INPUT OUTPUT CIRCUIT MEMORY Security definition C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’ 4

Resilient-schemes 1/3 (whiteboard discussion) Sum-of-wires leakage –Dual-Rail Logic Sum-of-wire-transitions leakage –Dual-Rail Precharge Logic 5

Resilient-schemes 2/3 (whiteboard discussion) Single-wire leakage –Bit masking or secret sharing Multiple-wire leakage –Secret sharing Leakage of “data-dependent” values from “bulk” computation –RSA blinding 6

t-wire leakage [ISW03] Secrets additively secret-shared into m=2t+1 shares Given shares of a=a 1  …  a m and b=b 1  …  b m : –Compute shares of NOT(a) : apply NOT to a 1 –Compute shares c i of a AND b : Let z i,j, i<j, be random independent bits Let z j,i =(z i,j  a i b j )  a j b i (i<j) Let c i =a i b i   j  i z i,j Re-randomize s’ at every iteration (hence m=2t+1). Security proof sketch: simulator runs adversary and, when asked for leakage value: if answer implied by inputs / inputs / previous answer, answers thus. Otherwise answers randomly. This has the correct distribution. s0’s0’ 7

8 xY YX black-box indistinguishable Other leakage? C’C admissible leakage sisi

9 Our goal Allow stronger leakage.

10 Leakage classes Locality assumptions –Single wire, t wires –Separate sub-circuits –Leak-free processor: Oblivious RAM [Goldreich Ostrovsky 95] –Leak-free memory (“only computation leaks information” [Micali Reyzin 04] : leakage is only from CPU state and memory accessed at that program step) Quantitatively bounded –Total #bits leaked –Total #bits leaked per “computational step” –Noisy leakage from every wire “Simple leakage” –Sums and Hamming weights –Low-complexity global functions “Too-complicated leakage” (hard to invert) Some of these are for specific functionality (mainly crypto) Open problem: realistic models allowing secure and efficient constructions.

11 Trusted Computing Architecture (warmup discussion, see next week’s slides)