Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.


1 Cryptography Resilient to Continual Memory Leakage
Zvika Brakerski (Weizmann Institute), Yael Tauman Kalai (Microsoft), Jonathan Katz (University of Maryland), Vinod Vaikuntanathan (IBM)

2 Crypto with Leakage
– The secret key is assumed to be truly random and secret.
– RSA (and other schemes) are insecure when a small fraction of the secret key is leaked [Rivest-Shamir85, Coppersmith1996, Heninger-Shacham2009].

3 Computation Leaks
– Timing [Kocher 96]
– Power Consumption [Kocher et al. 98]
– EM Radiation [Quisquater 01]

4 Memory Leaks
– Cold-boot attack [Halderman-Schoen-Heninger-Clarkson-Paul-Calandrino-Feldman-Appelbaum-Felten 08]

5 Outline
– Motivation (for studying crypto with leakage)
– Modeling Leakage
– Our Results
– Previous work
– Our Techniques

6 Modeling Leakage
– Continual computation leakage (only computation leaks): [Micali-Reyzin2004] [Dziembowski-Pietrzak2008] [Pietrzak2009] [Faust-Kiltz-Pietrzak-Rothblum2009] [Juma-Vahlis2010] [Goldwasser-Rothblum2010]
– Bounded memory leakage: [Akavia-Goldwasser-Vaikuntanathan2009] [Dodis-K-Lovett2009] [Naor-Segev2009] [Katz-Vaikuntanathan2009] [Alwen-Dodis-Wichs2009] [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009] [Dodis-Goldwasser-K-Peikert-Vaikuntanathan2010] [Goldwasser-K-Peikert-Vaikuntanathan2010]
– Drawback!
– Other models: [Rivest97], [Ishai-Sahai-Wagner2003], [Ishai-Prabhakaran-Sahai-Wagner2006], [Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10]

7 Our Model: Continual Memory Leakage
[Figure: leakage functions L_1(sk), L_2(sk), L_3(sk) applied to the secret key]
Is it possible to secure against continual leakage?
Note: Must update the secret key.

8 Our Model: Continual Memory Leakage
[Figure: leakage functions L_1(sk_1), L_2(sk_2), L_3(sk_3) applied to the updated secret keys]
Challenge: This should be done without changing the public key!
Note: Leakage is a function of the entire secret state. Leakage may occur during the update procedure or during the signing process.

9 Example: encryption scheme
Semantic security with continual memory leakage
[Figure label: challenge]

10 Our Model: Continual Memory Leakage
The updates are oblivious to other users.
– Public key stays the same.
– Efficiency does not degrade with the number of updates.
No bound on the total leakage over the lifetime of the system.
– Amount of leakage is bounded only within each time period.

11 Our Results
Cryptographic schemes resilient to continual memory leakage (under the linear assumption over bilinear groups).
– Public-key encryption scheme
– Identity-based encryption scheme
– Signature scheme
* Thanks to Yevgeniy, Daniel and Gil for pointing us to improved analysis of algebraic lemma
** Thanks to Daniel for pointing us to this assumption

12 Main contributions
1. Efficient signature schemes (and more) in the continual memory leakage model under linear assumption over bilinear groups.
Concurrent Work [Dodis-Haralambiev-LopezAlt-Wichs10]
1. Removing the “only computation leaks information” assumption
2. Public-key and identity-based encryption schemes (unknown even assuming “only computation leaks information”)

13 Prior Work: Bounded Memory Leakage
– [Akavia-Goldwasser-Vaikuntanathan2009]: Regev’s public-key encryption (and IBE) scheme is secure against leakage.
– [Naor-Segev2009]: Several public-key encryption schemes secure against leakage.
– [Alwen-Dodis-Wichs2009]: Signature schemes secure against leakage in ROM.
– [Katz-Vaikuntanathan2009]: Signature schemes secure against leakage under standard assumptions.
– [Dodis-K-Lovett2009]: Symmetric-key encryption scheme secure w.r.t. auxiliary input leakage.
– [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009]: Encryption in BRM.
– [Dodis-Goldwasser-K-Peikert-Vaikuntanathan2010]: Several public-key encryption schemes secure w.r.t. auxiliary input leakage.

14 Prior Work: Continual Computation Leakage [MR04]
Assumption: Only computation leaks information [Micali-Reyzin04]
– [Dziembowski-Pietrzak08, Pietrzak09]: Stream ciphers
– [Faust-Kiltz-Pietrzak-Rothblum09]: Signature schemes
– [Juma-Vahlis10], [Goldwasser-Rothblum10]: Programs resilient to side-channel attacks (using simple hardware)
– Encryption scheme???

15 Today
Cryptographic schemes resilient to continual memory leakage (under the linear assumption over bilinear groups).
– Public-key encryption scheme
– Identity-based encryption scheme
– Signature scheme

16 Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage
Many thanks to Yevgeniy, Daniel and Gil for pointing to an improved analysis [Dodis-Smith2005, Boldyreva-Fehr-O’Neill2008]

17 Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage

18 Algebraic Lemma: Pictorially

19 Candidate Encryption Scheme

20 Update: ?

21 Our 1st Encryption Scheme
(Thanks Daniel!)
Assumption: DDH holds in each group

22 A Step in the Proof
[Figure labels: random subspace; DDH]

23 Our 2nd Encryption Scheme
Cannot distinguish between rank 2 and rank 3 matrices in the exponent

24 Algebraic Lemma: Random Subspaces are Resilient to Continual Leakage

25 Algebraic Lemma: Pictorially

26 Security

27 Pictorial Proof
[Figure labels: random subspace; Linear assumption]

28 Security

29 General Proof Template

30 Additional Results
1. Tolerating leakage from the updates.
2. Converting our encryption scheme into an identity-based encryption scheme [Brakerski-K10].
3. General transformation for converting any encryption scheme resilient to continual memory leakage into a signature scheme resilient to continual memory leakage [Katz-Vaikuntanathan09].*
* More complicated if we want to tolerate leakage during signing process.

31 Summary
We construct
– Public key encryption scheme
– Identity-based encryption scheme
– Signature schemes
In continual memory leakage model, under linear assumption over bilinear groups.
Was not known even if we assume “only computation leaks information”.

32 Thanks!

