
1 NEW RESULTS IN NON-MALLEABLE CODES
PROGRESS REPORT SEMINAR
PRATYAY MUKHERJEE, AARHUS UNIVERSITY, 28. MARCH 2014
SUPERVISED BY JESPER BUUS NIELSEN

2 CRYPTOGRAPHY IN MODERN WORLD
How to analyze security? Find all possible attacks? Infeasible!
Need mathematical modelling and proofs, a.k.a. Provable Security.

3 PROVABLE SECURITY AT A GLANCE
1. Define security notion/models.
2. Design cryptoscheme
   • Usually described in mathematical language.
3. Prove security
   • No efficient adversary can break security if assumption holds.
   • Reduce security of complex scheme to simple assumption, e.g.,
     • Number theoretic: factoring is hard.
     • Complexity theoretic: one-way function exists.

4 TIME TO RELAX?
Security proof implies…
• secure against all possible attacks
However, provably secure systems get broken in practice! So what's wrong?
[Figure labels: Model, Reality]

5 PHYSICAL ATTACKS ON IMPLEMENTATIONS
Mathematical Model: Blackbox (input, output)
Reality: PHYSICAL ATTACKS (input, output, leakage, tampering, tampered output)
[Figure label: Our focus]

6 WHY CARE ABOUT TAMPERING?
BDL'01: Inject single (random) fault to the signing-key of some type of RSA-sig → factor RSA-modulus!
Devastating attacks on Provably Secure Crypto-systems!
Anderson and Kuhn '96, Skorobogatov et al. '02, Coron et al. '09 … and many more …

7 THEORETICAL MODELS OF TAMPERING
• Tamper with memory and computation (IPSW '06): Most general model. Complicated. Limited existing results!
• Tamper only with memory (GLMMR '04): A natural first step. Simpler to handle. Might be reasonable in practice! (Our focus)
[Figure: functionality F with key k]

8 WAYS TO PROTECT AGAINST MEMORY TAMPERING
1. Protecting specific schemes
   Build tamper-resilient PRF, PKE, Sigs, e.g. BK03; BCM11; KKS11; BPT12; DFMV13 …
   We build tamper-resilient PKE and Signature Scheme
2. Protecting arbitrary computation
   Build compiler for any functionality, first proposed in GLMMR04
   This talk
[Figure: circuit F with memory K is compiled into circuit F' with memory K']
Initialization: K' := C = Enc(K)
Execution of F'[C](x):
1. K = Dec(C)
2. Output F[K](x)

9 SECURITY GUARANTEE
Intuition: Adversary shall learn nothing useful from tampering.
[Figure: F with memory K is compiled into F' with memory K', where K' := Enc(K)]

10 OUTLINE: REST OF THE TALK
• Basics of Non-Malleable Codes.
• Result-1: Continuous Non-Malleable Codes.
• Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits.
• Conclusions and future works.

11 Basic definitions
Non-Malleable Codes

12 ENCODING SCHEME (ENC, DEC)
› ENC :
› DEC :
[Figure: s (source message) → Enc (can be randomized) → C (codeword); C (codeword) → Dec → s (decoded message)]
No secret key!

13 THE "TAMPERING EXPERIMENT"
› "Tampering Experiment" for encoding scheme (Enc, Dec):
  $s$ → Enc → $C$ → Tamper with $f \in F$ → $C^* = f(C)$ → Dec → $s^*$
Goal: Design encoding scheme (Enc, Dec) for "interesting" $F$ that provides "meaningful guarantees" about $s^*$.

14 ERROR CORRECTION/DETECTION & NON-MALLEABILITY
[Figure: $s$ → Enc → $C$ → Tamper with $f \in F$ → $C^* = f(C)$ → Dec → $s^*$]
• Error-Correction: Guarantees $s^* = s$, but e.g. for Hamming codes $f$ must be such that Ham-Dist$(C, C^*) < d/2$, i.e. $F$ is very limited!
• Error-Detection: Guarantees $s^* = \{s, \bot\}$, but $F$ can't contain simple functions, e.g. constant functions $f_{\hat{C}}(\cdot) = \hat{C}$ for valid $\hat{C}$.
• Non-Malleability [DPW10]: Guarantees $s^* = s$ or unrelated to $s$. Hope: Achievable for rich $F$.

15 FORMALIZING NMC [DPW'10]
Intuition: The tampering exp. should not leak anything about input!
Tamper($s_b$):
1. Encode $C \leftarrow$ Enc($s_b$).
2. Tampering: Set $C^* \leftarrow f(C)$. If $C^* = C$ return same, else return $C^*$.
3. Output View.

16 LIMITATION AND POSSIBILITY

17 Result-1
Continuous Non-Malleable Codes
Based on a joint work with: Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi [Appeared in TCC 2014]

18 SPLIT-STATE TAMPERING
In this model, $C = (C_1, C_2)$ and $f = (f_1, f_2)$ for arbitrary $f_1, f_2$.
[Figure: $s$ → Enc → $(C_1, C_2)$; $f_1$ maps $C_1$ to $C_1^*$ and $f_2$ maps $C_2$ to $C_2^*$; $(C_1^*, C_2^*)$ → Dec → $s^*$]

19 NMC TO PROTECT TAMPERING (recall)
• Idea: Build compiler for any functionality
[Figure: circuit F with memory s is compiled into circuit F' with memory s']
Initialization: s' := NMEnc(s)
Execution loop of F'[s'](x):
1. s = NMDec(s')
2. if s = ⊥ then STOP, else output F[s](x) and re-encode s' = NMEnc(s), continue…
Fresh re-encoding: Adv can tamper each codeword only once.

20 A STRONGER TAMPERING MODEL
• Memory space much bigger than length of codeword.
[Figure: C := NMEnc(s) is stored in memory M; f maps M to M* = f(M); the codeword C' is read from the tampered memory]
Adv can tamper continuously with the same codeword.

21 CNMC: A NATURAL EXTENSION
Tamper($s_b$):
1. Encode $(C_1, C_2) \leftarrow$ Enc($s_b$).
2. Tampering (continuous, repeat adaptively) with $(f_1, f_2)$:
   Set $(C_1^*, C_2^*) \leftarrow (f_1(C_1), f_2(C_2))$.
   If $(C_1^*, C_2^*) = (C_1, C_2)$ return same.
   Else return $(C_1^*, C_2^*)$.
3. Output View.
Attack [GLMMR04]: Guess each bit, overwrite and check if the output is same; recover bit by bit.
Way out: Assume Self-Destruct: if output ⊥ once, then STOP experiment.

22 CNMC: A NATURAL EXTENSION
Tamper($s_b$):
1. Encode $(C_1, C_2) \leftarrow$ Enc($s_b$).
2. Tampering (repeat adaptively) with $(f_1, f_2)$:
   Set $(C_1^*, C_2^*) \leftarrow (f_1(C_1), f_2(C_2))$.
   If $(C_1^*, C_2^*) = (C_1, C_2)$ return same.
   Else if Dec$(C_1^*, C_2^*) = \bot$ then return ⊥ and self-destruct.
   Else return $(C_1^*, C_2^*)$.
3. Output View.
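The bit-by-bit probing of slide 21 and the self-destruct rule of slide 22, simulated as an added example that is not part of the original slides. The keyless encoding s || SHA-256(s) is an assumed stand-in that only detects errors and is not a non-malleable code; `TamperOracle`, `clear_bit` and `bits_learned` are hypothetical names.

```python
import hashlib

BOT, SAME = None, "same"   # BOT is the decoding-failure output, SAME the slides' "same"

def enc(s: bytes) -> bytes:
    # Toy keyless encoding (assumption): message followed by its SHA-256 digest.
    return s + hashlib.sha256(s).digest()

def dec(c: bytes):
    s, tag = c[:-32], c[-32:]
    return s if hashlib.sha256(s).digest() == tag else BOT

class TamperOracle:
    """Continuous tampering: every f is applied to the same stored codeword."""
    def __init__(self, s: bytes, self_destruct: bool):
        self.c, self.self_destruct = enc(s), self_destruct
        self.dead, self.queries = False, 0

    def tamper(self, f):
        if self.dead:                        # experiment already stopped
            return BOT
        self.queries += 1
        c_star = f(self.c)
        if c_star == self.c:
            return SAME
        if dec(c_star) is BOT:
            self.dead = self.self_destruct   # first invalid codeword ends the experiment
            return BOT
        return c_star

def clear_bit(i: int):
    # Tampering function f_i: overwrite bit i of the codeword with 0.
    def f(c: bytes) -> bytes:
        b = bytearray(c)
        b[i // 8] &= ~(0x80 >> (i % 8)) & 0xFF
        return bytes(b)
    return f

def bits_learned(s: bytes, self_destruct: bool):
    """Probe every message bit; return (reconstructed bits, answered queries)."""
    oracle = TamperOracle(s, self_destruct)
    guess = bytearray(len(s))
    for i in range(8 * len(s)):
        if oracle.dead:
            break
        if oracle.tamper(clear_bit(i)) != SAME:   # output changed, so bit i was 1
            guess[i // 8] |= 0x80 >> (i % 8)
    return bytes(guess), oracle.queries

if __name__ == "__main__":
    secret = b"key!"                     # constructed sample message
    print(bits_learned(secret, False))   # no self-destruct: whole message recovered
    print(bits_learned(secret, True))    # self-destruct: stops at the first 1 bit
```

Without self-destruct the view contains one answer per bit and determines the whole message; with self-destruct the view ends at the first invalid codeword.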

23 UNIQUENESS: A NECESSARY PROPERTY
• Why necessary? Otherwise suppose ∃: both $(C_1, C_2)$ and $(C_1, C_2')$ are valid.
  Tampering with $(f_1, f_2)$:
  1. $f_1$ always replaces $T_1$ with $C_1$.
  2. $f_2$ checks if $T_2[i] = 0$, then replaces $T_2$ with $C_2$, else replaces $T_2$ with $C_2'$.
  Recovers $T_2$. After knowing $T_2$:
  3. $f_1$ hard-codes $T_2$ and decodes $s \leftarrow$ Dec$(T_1, T_2)$.
  4. Depending on $s$, $f_1$ leaves it same or tampers: leaks 1 bit.
Existing [LL12] construction does not satisfy
Corollary: Information theoretic CNMC (split-state) is impossible.

24 EXTRACTABILITY: ANOTHER PROPERTY
[Figure: $s$ → Enc → $(C_1, C_2)$; $f_1$ maps $C_1$ to $C_1^*$ and $f_2$ maps $C_2$ to $C_2^*$; Extract outputs $C_2^{**}$]
Extractability: If $C_1^* \neq C_1$ then it is possible to extract $C_2^{**}$ (if exists) such that $(C_1^*, C_2^{**})$ is valid.
Uniqueness + Extractability: Our Construction
Necessary? We don't know.

25 OUR CONSTRUCTION: INTUITIONS
[Figure: $(f_1, f_2)$ map $(C_1, C_2)$ to $(C_1^*, C_2^*)$; Extract outputs $C_2^{**}$; Decode outputs $s^*$]
Uniqueness: $C_2^{**} = C_2^*$ w.h.p.
A priori known to adv.

26 Result-2
Efficient Non-Malleable Codes for poly-size tampering circuits
Based on a joint work with: Sebastian Faust, Daniele Venturi and Daniel Wichs [To appear in Eurocrypt 2014]

27 RECALL: LIMITATION AND POSSIBILITY
• Answer: NO! because $F_{\mathrm{eff}}$ contains all efficient (Enc, Dec)

28 EFFICIENT & GLOBAL NON-MALLEABLE CODES
Main Result: "The next best thing"
• What does it mean?
Choose param t based on P
[Figure labels: P, t, $f \in F$]

29 THE CONSTRUCTION
[Figure: Encoding and Decoding; labels: input, output, $h_1$, $h_2$ (both of seed size t), r ← D R, s, $h_1(r)$, z]

30 SOME INTUITIONS (recall)
• Our codeword has format: C = ( , $h_2$( ) )
• f can not compute $h_2$ but can leak some bits of

31 CONCLUSIONS AND FUTURE WORKS
• We mainly explored non-malleable codes in two separate directions.
• Thus far NMC is only used to protect against memory-tampering. (We strengthen the model in Result-1)
• Future Works:
  • Can we use NMC also to protect against computation? - Leakage and Tamper resilient RAM!
  • Other uses of NMC? - E.g. Non-malleable commitments/Encryptions. - General abstraction of non-malleability.
  • Improving the existing NMC.

32 PUBLISHED PAPERS
1. Bounded Tamper Resilience: How to go beyond the Algebraic Barrier. Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, Daniele Venturi. In ASIACRYPT 2013.
2. Continuous Non-Malleable Codes. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, Daniele Venturi. In TCC 2014.
3. Efficient Non-Malleable Codes and Key-derivations for poly-size tampering circuits. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, Daniel Wichs. To appear in EUROCRYPT 2014.
This talk

33 Thank You! Question(s)?

