Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leakage-Resilient Cryptography Microsoft Research & U. Toronto Vinod Vaikuntanathan New Developments and Challenges.

Published byZion Barrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Leakage-Resilient Cryptography Microsoft Research & U. Toronto Vinod Vaikuntanathan New Developments and Challenges."— Presentation transcript:

1 Leakage-Resilient Cryptography Microsoft Research & U. Toronto Vinod Vaikuntanathan New Developments and Challenges

2 Secrets Information accessible to one party and not to other(s) Essential to cryptography! TheoryReal life Secrets leak! [Kocher,Jaffe,Jun’98] [Kocher’96] [Quisquater’01] Cache-Timing [Bernstein’05,OST’05]

3 Secrets Leak So, what can we do about it?

4 Leakage-Resilient Cryptography Can we do Crypto with no (perfect) secrecy? Yes (in most cases) A Fundamental Question in the Foundations of Cryptography secret public

5 Three Commandments I.Secrets leak in arbitrary ways. II.Secrets leak from everywhere. III.Secrets leak all the time. (hard-disk, RAM, cache, registers, randomness sources,…) (No protected time periods) (Axioms of Leakage) [Micali-Reyzin’04] (except: leakage is polynomial time computable, and does not betray the entire secret key)

6 Interpreting the Commandments A Simple Interpretation: Bounded Leakage [AGV09] (or, Two Leakage Models) — Total leakage λ < |SK| [AGV09,NS09,KV09,ADW09,ADN+10,…] — Adversary can learn any efficiently computable function L:{0,1}* → {0,1} λ of the secret key (*). sk L(sk) 1 0 1 (*) Ideally, leakage from the entire secret state.

7 Interpreting the Commandments A Simple Interpretation: Bounded Leakage [AGV09] (or, Two Leakage Models) — Total leakage λ < |SK| [AGV09,NS09,KV09,ADW09,ADN+10,…] — Adversary can learn any efficiently computable function L:{0,1}* → {0,1} λ of the secret key. Variations:  Auxiliary Input Model [DKL’09,DGKPV’10]: L is an uninvertible function of SK  Noisy Model [NS’09]: H ∞ (SK | L(SK)) > |SK|- λ

8 Interpreting the Commandments A Realistic Interpretation: Continual Leakage (or, Two Leakage Models) — Rate of Leakage λ (leakage/time period) < |SK| — Adversary can learn any efficiently computable function L i :{0,1}* → {0,1} λ of the secret key at each “time-period” sk L 1 (sk) L 2 (sk) 1 0 1 0 0 1 [ISW03MR04,DP08,Pie09,FKPR10,FRRTV10,BKKV10, DHLW10…]

9 Interpreting the Commandments A Realistic Interpretation: Continual Leakage (or, Two Leakage Models) [ISW03MR04,DP08,Pie09,FKPR10,FRRTV10,BKKV10, DHLW10…] — Of course, secret key should be refreshed in each time. — Non-trivial: Refresh SK without changing PK (in public- key systems), or without co-ordination (in SK systems) Observations: — Rate of Leakage λ (leakage/time period) < |SK| — Adversary can learn any efficiently computable function L i :{0,1}* → {0,1} λ of the secret key at each “time-period”

10 Talk Plan PART 1: Bounded Leakage Model –One-way Functions PART 2: Continual Leakage Model PART 3: Some Research Directions –Digital Signatures –Leakage-resilient Compilers, Tamper Resistance,… –Public-key Encryption

11 A Brief History of Leakage in Crypto “We stand on the shoulders of giants…”

12 A Brief History of Leakage in Crypto  Privacy Amplification [von Neumann’46,…,Bennett-Brassard- Robert’85] — “Distill an perfectly random shared key from an imperfect one” Bounded Storage/Retrieval Models [Maurer’92,…,Di Crescenzo-Lipton-Walfish’06,Dziembowski’06]  Exposure-Resilient Cryptography [Rivest’97, Boyko’98, CDHKS’00,ISW’03,IPSW’06] — Leakage = a subset of bits of SK — We want to tolerate arbitrary (PPT) leakage functions (axiom 1) — More generally, MPC, threshold crypto etc.

13 A Brief History of Leakage in Crypto — “Distill an perfectly random shared key from an imperfect one” Bounded Storage/Retrieval Models [Maurer’92,…,Di Crescenzo-Lipton-Walfish’06,Dziembowski’06]  Exposure-Resilient Cryptography [Rivest’97, Boyko’98, CDHKS’00,ISW’03,IPSW’06]  Proactive Cryptography [HJKY’95, HJJKY’97, R’98] — “How to cope with perpetual leakage” (a continual leakage model)  Privacy Amplification [von Neumann’46,…,Bennett-Brassard- Robert’85]

14 [Ishai-Sahai-Wagner2003] [Micali-Reyzin2004] [Dodis-Ong-Prabhakaran-Sahai2004] [Ishai-Prabhakaran-Sahai-Wagner2006] [Dziembowski-Pietrzak2008] [Akavia-Goldwasser-V.2009] [Pietrzak2009] [Dodis-Kalai-Lovett2009] [Naor-Segev2009] [Dodis-Goldwasser-Kalai-Peikert-V.2009] [Katz-V.2009] [Faust-Kiltz-Pietrzak-Rothblum2009] [Alwen-Dodis-Wichs2009] [Goldwasser-Kalai-Peikert-V.2010] [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009] [Juma-Vahlis.2010] [Faust-Rabin-Reyzin-Tromer-V.2010] [Brakerski-Kalai-Katz-V.2010] [Goldwasser-Rothblum.2010] [Dodis-Haralambiev-Lopez-alt-Wichs.2010] [Lewko-Waters.2010] [Chow-Dodis-Rouselakis-Waters.2010] [Boyle-Wichs-Segev.2011] [Kiltz-Pietrzak.2011] [Malkin-Teranishi-Vahlis-Yung.2011] [Jain-Pietrzak.2011] [Halevi-Lin.2011] [Lewko-Rouselakis-Waters.2011] [Lewko-Lewko-Waters.2011] …

15 Bounded Leakage

16 Leakage-Resilient One-way Functions Easy Observation: “Hardness  Leakage-resilience” –Similar connections for other primitives (enc,sig,…) –Need 2 O(n) -hardness to get O(n)-LR.

17 Leakage-Resilient One-way Functions Theorem [KV09,ADW09]: If there are Universal One-way Hash Functions, then there are LR one-way functions. –Corollary [NY89,Rom90]: If OWF exist, then LR OWFs exist.

18 Leakage-Resilient One-way Functions Proof:  Information-theoretic + Crypto techniques  A Blue-print for most leakage-resilience proofs

19 Leakage-Resilient One-way Functions Proof: reduction (UOWHF-breaker) adversary

20 Leakage-Resilient One-way Functions Proof: reduction adversary y=f(x) x — H ∞ (x) = n — Adversary returns x'≠x w.p ≥ 1/2 → breaks UOWHF 

21 A Blueprint for Leakage Proofs — Problem with many solutions — Hard: given one solution, find another — Security redn has one soln, computes leakage using that — Adversary doesn’t have enough info to pin-point the solution — Adversary returns a different soln, unwittingly solves the hard problem (information-theoretic argument) (computational argument)

22 An Open Question Theorem [KV09,ADW09]: Any Universal One-way Hash Fn (uowhf) f:{0,1} n → {0,1} n-L-1 is an L-leakage-resilient OWF. xy=F(x) Is there an leakage-resilient injective OWF? Show injective OWF = injective LR-OWF (or, separation?) OPEN:

23 Leakage-Resilient Signatures PK Sign SK (m) L(SK ) L m Cannot produce sign for a new m* sk

24 Leakage-Resilient Signatures Theorem [KV09]: λ -leakage-resilient OWF (+simulation- extractable NIZK [S99,DDOPS01]) → λ -leakage-resilient signatures Sign(m): SimExt-NIZK m for “ ∃ x s.t PK contains h(x)” SK: x PK: (f,y=f(x),CRS nizk ), where f is an λ -LR OWF, — Signature contains no (computational) info. on SK — Forgery ⇒ extract a secret-key. Proof Idea: Sim-Ext — Break LR OWF. similar to [Bellare-Goldwasser’92]

25 LR Signatures: Subsequent Results  [ADW09]: Fiat-Shamir transform + LR OWFs → LR- Sigs in the random oracle model.  [DHLW10]: Efficient LR Sigs without random oracles (using bilinear maps).  [BKK V 10,DHLW10]: Continual LR Sigs  [BSW11,MTVY11]: (continual) LR Sigs where the randomness used for signing can leak as well.  [LLW10]: Continual LR Sigs where the key update phase leaks as well

26 Leakage-Resilient Public-key Encryption (cpa) PK L(SK ) L sk Enc(b) (b← $ {0,1}) Cannot predict b

27 – [AGV09]: based on Lattices – [NS09,DGKPV10] based on Diffie-Hellman (show that [Regev05,GPV08] is leakage-resilient) (show that [BHHO08] is leakage-resilient) – [NS09] from any hash proof system [CS02] Leakage-Resilient Public-key Encryption Theorem: For every λ < |SK| - secparam, (cpa-secure) public-key encryption that tolerates λ bits of leakage:

28 Adv. breaks cpa-security Construction Outline Old Idea: One Public Key, many possible Secret Keys PK Public Key Space Secret Key space Hard Problem: Given one SK, find another. For starters: Adv. finds sk. – Reduction knows one SK, simulates leakage from it – Adv. gets pk+leakage → not enough info to fully specify SK – Adv. finds SK′ ≠ SK → breaks hard problem. Proof:

29 Adv. breaks cpa-security Construction Outline Old Idea: One Public Key, many possible Secret Keys For starters: Adv. finds sk. M DEC M C ENC PK M M ► Correctness  All secret keys decrypt C to the same message

30 Adv. breaks cpa-security Construction Outline Old Idea: One Public Key, many possible Secret Keys New Idea: REAL Encryption vs. FAKE Encryption PK C Fake ENC M C Real ENC DEC M1M1 M3M3 M2M2 ► Different secret keys decrypt c to different messages ► and yet, Fake ≈ Real (even given an SK) ≈

31 Security Proof L(SK) M1M1 M3M3 M2M2 C Fake ENC “Fake World” ??? “Real World” M MC Real ENC PK DEC

32 LR Public-key Encryption: Subsequent Results  [NS09]: CPA-secure → CCA-secure with the same leakage-resilience (idea: use Naor-Yung)  [AGV09,ADN+10,CDRW10]: leakage-resilient IBE (with leakage from the user secret keys).  [LW10]: leakage-resilient IBE (with leakage from the master secret key as well), LR HIBE, ABE etc.  [BKK V 10,DHLW10]: Continual LR Encryption  [LLW10]: Continual LR Enc where the key update phase leaks as well  [HL11]: “After-the-fact” Leakage

33 Continual Leakage

34 Continual LR Public-key Encryption  Unbounded leakage, but bounded in each time period  Challenge: keep the public key the same  Solution idea: “refresh” (randomize) the secret key sk 1 L 1 (sk 1 ) L 2 (sk 2 ) 1 0 1 0 0 1 sk 2 – users (encryptors) are oblivious of the updates!

35 Continual LR Public-key Encryption Theorem: [BKKV10] CLR-secure public-key encryption schemes that tolerate (in every time step): – (1/2-ε)|SK| leakage, based on decisional linear – (1-ε)|SK| leakage, based on symmetric external DH assumptions in bilinear groups. sk 1 L 1 (sk 1 ) L 2 (sk 2 ) 1 0 1 0 0 1 sk 2

36 Continual LR Public-key Encryption Other Results:  [BKKV10]: CLR-secure signatures and IBE (with leakage from user secret keys)  Concurrently, [DHLW10]: efficient CLR-secure signatures, ID schemes and AKA schemes sk 1 L 1 (sk 1 ) L 2 (sk 2 ) 1 0 1 0 0 1 sk 2  [LLW11]: tolerates large leakage from updates

37 Continual LR Public-key Encryption How to update SK? (without changing PK) pk sk space  First Idea: Resample from the key-space!  PROBLEM: This is supposed to be hard! sk 1 sk 2 sk 3 sk 4 L 1 (SK 1 ) L 2 (SK 2 ) L 3 (SK 3 ) L 4 (SK 4 )

38 New Idea: “Neighborhood of SKs” Given a secret key: –Easy to resample inside neighborhood. –Hard to find a secret key outside of neighborhood. pk corresp. sk space Sampling in neighborhood ≈ c entire space.  Adv. can’t tell the difference. “Proof” outline: –Reduction knows sk and updates in neighborhood. –To Adv., updates “look like” from entire space. –Even given leakage, Adv. cannot recover any leaked key entirely  will have to come up with new sk’≠sk. –WHP sk’ not in neighborhood  breaks hard problem.

39 Some Open Questions

40 SO FAR: Designed SPECIFIC crypto primitives (sigs.,enc.) secure against continual leakage QUESTION: Any circuit → Continual Leakage-resilient circuit — Yao/GMW/BGW/CCD for leakage-resilient crypto Foundational Questions — Automatically leakage-proof commonly used cryptosystems, e.g., RSA / AES

41 Foundational Questions Many Partial Results  [Ishai-Sahai-Wagner’03] : Any circuit → “Probing-resilient” circuit secure against leakage of ≤ t wires  [FRRT V ’09] : Any circuit → circuit secure against AC 0 leakage  [JV’10,GR’10] : Any circuit → circuit secure against polynomial-time leakage (assuming a small piece of secure hardware) (assuming a small piece of secure hardware + secure memory) OPEN: a compiler against general leakage functions (without secure hardware)  [BGIRSVY’00,Imp’10] : This has connections to program obfuscation!

42 Practical Questions  In theory, we have practical constructions – How about truly practical constructions? (e.g. [YSPY’10]) – Perhaps relax the model in a meaningful way  Given a side-channel attack, how much information does it leak? [SVO+10] model reality

43 To Conclude…  Tons of Open Problems — Parallel Repetition for Leakage Amplification [DW,LW]: Suppose scheme S tolerates L bits. Can we “repeat it in parallel” n times and get nL bit leakage-tolerance? — Tamper Resistance [IPSW, GLMMR, DPW, Malkin et al.]: Many attacks, Boneh-Lipton, Shamir’s bug attacks... Very Active Field, Lots of work recently! Information-theoretic + Computational Techniques Entropy

44 Thanks! Questions? You can find me here …

Download ppt "Leakage-Resilient Cryptography Microsoft Research & U. Toronto Vinod Vaikuntanathan New Developments and Challenges."

Similar presentations

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
See you at the next conference! Hope you like our slides Hello everybody!

See you at the next conference! Hope you like our slides Hello everybody!
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, Daniel Wichs New York University Efficient Public-Key Cryptography in the Presence of Leakage.

Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, Daniel Wichs New York University Efficient Public-Key Cryptography in the Presence of Leakage.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Public Key Cryptography in the Bounded Retrieval Model Based on joint works with Joël Alwen, Moni Naor, Gil Segev, Shabsi Walfish and Daniel Wichs Crypto.

Public Key Cryptography in the Bounded Retrieval Model Based on joint works with Joël Alwen, Moni Naor, Gil Segev, Shabsi Walfish and Daniel Wichs Crypto.
RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)

RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

Similar presentations

Ads by Google