Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Cryptographic Memory against Tampering Attack PRATYAY MUKHERJEE PhD Dissertation Seminar Supervised by Jesper Buus Nielsen October 8, 2015.

Published byDenis Walker Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting Cryptographic Memory against Tampering Attack PRATYAY MUKHERJEE PhD Dissertation Seminar Supervised by Jesper Buus Nielsen October 8, 2015."— Presentation transcript:

1 Protecting Cryptographic Memory against Tampering Attack PRATYAY MUKHERJEE PhD Dissertation Seminar Supervised by Jesper Buus Nielsen October 8, 2015

2 CRYPTO is everywhere in modern digital life How to analyze security ? Find all possible attacks ? - Infeasible ! Need mathematical modelling and proofs a.k.a. Provable Security

3 Provable security at a glance 1. Define formal security models. 2. Design crypto-scheme  Usually described in mathematical language. 3. Prove security  Number theoretic: factoring is hard.  Complexity theoretic: one-way function exists.  Reduce security of complex scheme to simple assumption, e.g.,  Guarantee: NO practical adversary can break the security if the assumption holds

4 Time to relax? Security proof implies…  secure against all possible attacks However, provably secure systems get broken in practice! So what’s wrong? Model Reality

5 Physical attacks on implementations Mathematical Model: Blackbox input output Reality: PHYSICAL ATTACKS output Our focus tampering leakage tampered output input

6 Why care about tampering ? BDL’01: Inject single (random) fault to the signing-key of some type of RSA-sig Factor RSA-modulus ! Devastating attacks on Provably Secure Crypto- systems! Anderson and Kuhn ’96 Skorobogatov et al. ’02 Coron et al. ’09 …………and many more……. More…

7 Theoretical models of tampering Tamper with memory and computation (IPSW ’06) Tamper only with memory (GLMMR ‘04) F k F Most General Model, but… Very hard to analyze. Weak existing results even using heavy tools like PCP [DK12, DK14] ! Our Focus k Restricted Model, but… Much simpler to analyze Has practical relevance!

8 Ways to Protect against memory tampering Memory Circuit F compile Memory Circuit K' K 1.Protecting Specific schemes 2. Protecting Arbitrary Computation Build concrete tamper resilient schemes: e.g. PRF, PKE, Sigs, [BK 03; BCM11; KKS 11; BPT 12..........]; Build tamper-resilient compiler for any functionality [GLMMR04,.....] F’

9 Ways to Protect against memory tampering Memory Circuit F compile Memory Circuit K' K 1.Protecting Specific schemes 2. Protecting Arbitrary Computation Build tamper-resilient compiler for any functionality [GLMMR04,.....] Build concrete tamper resilient schemes: e.g. PRF, PKE, Sigs, [BK 03; BCM11; KKS 11; BPT 12..........]; Initialization: K' := C= Enc(K) Execution of F‘[C](x): 1. K = Dec(C) 2. Output F[K](x) Dziembowski, Pietrzak and Wichs [ICS 2010] Non-malleable Codes F’

10 Ways to Protect against memory tampering Build concrete tamper resilient schemes: e.g. PRF, PKE, Sigs, e.g: [BK 03; BCM11; KKS 11; BPT 12..........]; Memory Circuit F compile Memory Circuit F’ K' K Build tamper-resilient compiler for any functionality GLMMR04, DPW10..... 1.Protecting Specific schemes 2. Protecting Arbitrary Computation Initialization: K' := C= Enc(K) Execution of F‘[C](x): 1. K = Dec(C) 2. Output F[K](x) Non-malleable Codes

11 1.Protecting Specific schemes 2. Protecting Arbitrary Computation The Dissertation Bounded Tamper Resilience: How to go beyond the algebraic barrier [Asiacrypt 2013]: Joint work with Ivan Damgård, Sebastian Faust and Daniele Venturi Continuous Non-malleable Codes [TCC 2014]: Joint work with Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi Efficient Non-malleable Codes and Key-derivation for poly-size tampering circuits [Eurocrypt 2014]: Joint work with Sebastian Faust, Daniele Venturi and Daniel Wichs Tamer-resilient Identification and PKE scheme. Existing schemes like sigma-protocols, BHHO encryptions are tamper-resilient. – No need for additional machinery

12 1.Protecting Specific schemes 2. Protecting Arbitrary Computation The Dissertation Bounded Tamper Resilience: How to go beyond the algebraic barrier [Asiacrypt 2013]: Joint work with Ivan Damgård, Sebastian Faust and Daniele Venturi Continuous Non-malleable Codes [TCC 2014]: Joint work with Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi Brief mention Efficient Non-malleable Codes and Key-derivation for poly-size tampering circuits [Eurocrypt 2014]: Joint work with Sebastian Faust, Daniele Venturi and Daniel Wichs Tamer-resilient Identification and PKE scheme. Existing schemes like sigma-protocols, BHHO encryptions are tamper-resilient. – No need for additional machinery This talk

13 Outline: rest of the talk Basics of Non-malleable codes FMVW: Efficient NMC against poly-size tampering circuits Tamper-resilient compiler using NMC (DPW) (Briefly) Continuous Non-malleable codes (Briefly) Conclusion: Subsequent and Future works.

14 Basics of Non-malleable Codes

15 A modified codeword contains either original or unrelated message. E.g. Can not flip one bit of encoded message by modifying the codeword. What is Non-Malleable Codes ? (Only 10 words!) NMC

16 The “Tampering Experiment”  Consider the following experiment for some encoding scheme (ENC,DEC) f ENC s Tamper C DEC s* C*=f(C) Goal: Design encoding scheme (ENC,DEC) with meaningful “guarantee” on s* for an “interesting” class F Note ENC can be randomized. There is no secret Key.

17  Consider the following experiment for some encoding scheme (ENC,DEC) f ENC s Tamper C DEC s* C*=f(C)  Error-Correcting Codes: Guarantee s* = s e.g. For hamming codes with distance d, f must be such that: Ham-Dist (C,C*) < d/2.) The “Tampering Experiment”

18  Consider the following experiment for some encoding scheme (ENC,DEC) f ENC s Tamper C DEC s* C*=f(C)  Error-Correcting Codes: Guarantee s* = s e.g. consider f to be a const. function always maps to a “valid” codeword. F excludes simple functions ! The “Tampering Experiment”

19  Consider the following experiment for some encoding scheme (ENC,DEC) f ENC s Tamper C DEC s* C*=f(C)  Error-Correcting Codes: Guarantee s* = s  Non-malleable Codes [DPW ’10] : Guarantee s* = s or “something unrelated” F Hope: Achievable for “rich” The “Tampering Experiment” F excludes simple functions !

20 Let’s be formal…..

21 f ENC s Tamper C DEC s* C*=f(C) If C* = C return same Else return s* Tamper f ( s ) FORMALLY

22 Limitation… No hope to achieve non-malleability for such f bad ! Other Questions:  Rate ( =|s|/|C| )  Efficiency  Assumption(s) Main Question: How to restrict F ?

23 …..and Possibilities  Codeword consists of components which are independently tamperable.  Decoding requires whole codewords.  Example: Split-state tampering model where there are only two independently tamperable components. [ DPW10, LL12, DKO13, ADL13, CG14a, FMNV14, CZ15, ADKO15.... ] Way-1: Granular Tampering Continuous Main Question: How to restrict F ?

24 …..and Possibilities Main Question: How to restrict F ? Way-2: Low complexity tampering  The whole codeword is tamperable.  The tampering functions are “less complicated” than encoding/decoding.  [ CG14b, FMVW 14 ] Our focus

25 Efficient Non-Malleable Codes for poly-size tampering circuits

26 Our Result Main Result: “The next best thing” recall Corollary-2: It is impossible to construct efficient encoding scheme which is non-malleable w.r.t. all efficient functions F eff. Even more.. Caveat: Our results hold in CRS model.

27 NMC in CRS model  Fix some polynomial P.  We construct a family of efficient codes parameterized by CRS: (ENC CRS, DEC CRS )

28 Input: s Inner Encoding C1C1 Outer Encoding C Ingredient: a t-wise independent hash function h C C1C1 || h( ) C1C1 is Valid C C is of the form R || h( ) R Intuitions (outer encoding) described by CRS  For every tampering function f there is a “small set” S f such that if a tampered codeword is valid, then it is in S f w.h.p. The Construction Overview

29 Input: s Inner Encoding C1C1 Outer Encoding C Intuitions (outer encoding)  For every tampering function f there is a “small set” S f such that if a tampered codeword is valid, then it is in S f w.h.p. We call this property Bounded Malleability which ensures that the tampered codeword does not contain “too much information” about the input. The Construction Overview

30 Input: s Inner Encoding C1C1 Outer Encoding C recall  Output of Tamper f ( s ) can be thought of as some sort of leakage on C 1  f can guess some bit(s) of C 1 and if the guess is correct, leave C same otherwise overwrites to some invalid code. Example A leakage- resilient code Intuitions (Inner encoding)

31 Leakage-Resilient Code Our Inner Encoding

32 Putting everything together Input: s Inner Encoding C1C1 Outer Encoding C Bounded Malleable Code for F Leakage Resilient Code for G Non-Malleable Code for F  | F | = | G |

33 Few additional remarks

34 Tamper-resilient Compiler via Non-malleable Codes (Briefly) [DPW10]

35 Ways to Protect against memory tampering Memory Circuit F compile Memory Circuit F’ K' K 1.Protecting Specific schemes 2. Protecting Arbitrary Computation Build tamper-resilient compiler for any functionality [GLMMR04,.....] Build concrete tamper resilient schemes: e.g. PRF, PKE, Sigs, [BK 03; BCM11; KKS 11; BPT 12..........]; Initialization: K' := C= Enc(K) Execution of F‘[C](x): 1. K = Dec(C) 2. Output F[K](x) RECALL

36 K’ F’ K F Tamper-resilient compiler using NMC NMC Guarantee Self-destruct

37 Continuous Non-malleable Codes (Briefly)

38 f ENC s Tamper C DEC s* C*=f(C) ContTamper f ( s ) Continuous NMC

39 A natural extension:Continuous Non- malleable Codes: The same codeword can be tampered many times. Gives a better compiler : protects against stronger tampering where memory is much bigger and there is no earsure. C C’ Memory M Memory M*=f(M) Adv can tamper continuously with the same codeword. C := NMEnc(s) EXEC

40 Conclusion: Subsequent and Future Works

41 In a nutshell: showed different theoretical methods of protecting against tampering attack. En route improved theory of Non-malleable Codes. Several subsequent works: [FMNV15], [JW15], [DFMV15],[QLYDC15]…… Open: Reduding gaps with practical models of tampering. Inspiration from Leakage-resilient crypto [DDF14]. Improvement of state-of-art in tampering with the computation itself. New applications of Non-malleable Codes.

42

Download ppt "Protecting Cryptographic Memory against Tampering Attack PRATYAY MUKHERJEE PhD Dissertation Seminar Supervised by Jesper Buus Nielsen October 8, 2015."

Similar presentations

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 25. FEB 2014 CONTINUOUS NON-MALLEABLE CODES JOINT WORK WITH SEBASTIAN FAUST, JESPER.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Comparative Succinctness of KR Formalisms Paolo Liberatore.

Comparative Succinctness of KR Formalisms Paolo Liberatore.
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.

A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.
LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.

LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.
NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.

NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Similar presentations

Ads by Google