Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland

Similar presentations


Presentation on theme: "Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland"— Presentation transcript:

1 Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland danadach@ece.umd.edu

2 Cryptography Public Key Encryption Digital Signatures Secure Multiparty Computation

3 Attacks Even on “provably secure” schemes such as RSA Problem: Attacks were not captured by the theoretical threat model. Focus today: Secure Computation in the presence of Physical Attacks.

4 Physical Attacks Can run implementation specific attacks Attacks that compromise the security of a system by exploiting physical properties of implementations.

5 Leakage attacks—passively leak some function of the honest party’s secret state: – Timing attacks [Kocher96,…] – Power attacks [Kocher-Jaffe-Jun99,…] – Acoustic attacks [Shamir-Tromer04] Examples of Physical Attacks

6 Tampering attacks—actively disrupt honest party’s computation while observing input/output behavior. – Fault attacks [Boneh-DeMillo-Lipton97, Biham-Shamir98,..] – Radiation attacks Examples of Physical Attacks

7 Roadmap Protection against tampering and leakage on Random Access Memory (RAM). Protection against tampering on circuit wires (fault induction).

8 Roadmap Protection against tampering and leakage on Random Access Memory (RAM). Protection against tampering on circuit wires (fault induction).

9 Non-Malleable Codes Standard way of protecting secret key stored in memory against tampering. A coding scheme has two algorithms: (Encode, Decode) Non-malleable codes: by tampering with the codeword, the underlying message is either the same or unrelated. Message m Codeword c=Encode(m) c - unchanged Encode(m’) - Unrelated m’ Encode

10 Leakage Resilient Codes Getting partial information about the codeword does not reveal the underlying message Codeword c=Encode(m) The underlying message ??? Partial codeword

11 Problem

12 Locally Decodable and Updatable Codes m1m1 m2m2 …mnmn Message C1C1 C2C2 C3C3 …C N-1 CNCN Codeword Encode Decode(i): Take input an index i, read a few blocks of the codeword and output m i Decode(i): Take input an index i, read a few blocks of the codeword and output m i Update(j, m’): Take inputs an index j and a new message m’, update a few blocks of the codeword Update(j, m’): Take inputs an index j and a new message m’, update a few blocks of the codeword

13 Achieve all three properties! Leakage resilience, non-malleability, locality Non-malleability in our setting: Tampering function either: 1.Destroy several blocks (keeps others unchanged), or 2.Change everything to unrelated messages Putting It Together C1C1 C2C2 C3C3 …C N-1 CNCN Decode(i) outputs “Error” while others unchanged C’ 1 C’ 2 C’ 3 …C’ N-1 C’ N Decodes of all positions become unrelated

14 Tamper and Leakage Resilience For RAM Computation CPU Random Access Memory (RAM) Our new code, together with an ORAM scheme, protects against physical attacks on random access memory. Store an encoding of Data in RAM-- Encode(ORAM(Data)) Write(j,m’): Use Update(j,m’) Read(i): Use Decode(i)

15 Our Results [D, Liu, Shi, Zhou, TCC ‘15] Concepts: propose a new notion that captures all three properties Constructions: two efficient new constructions, achieving different levels of security Applications: using our new tool to protect RAM computation against memory attacks. Analogous to using regular non-malleable codes to protect circuit computation Encode(Data) Our code protects data against physical attacks!

16 Future/Ongoing Work Beyond hardware tampering, Locally Decodable and Updatable Non-Malleable Codes seem to be useful in server-client settings as well. Server is infected with a virus which both downloads sensitive data but also modifies data. Assume the virus is limited in how much data it can download at once. Construct locally decodable and updatable non-malleable codes against a class of leakage and tampering functions that correspond to capabilities of virus (bounded retrieval).

17 Roadmap Protection against tampering and leakage on Random Access Memory (RAM). Protection against tampering on circuit wires (fault induction).

18 Public input Example: Circuit computes a signature using: Secret key stored in memory Public message submitted by adversary

19 Public input Choose tampering function Tamper with constant (1/k) fraction of total number of wires

20 Public input Receive output of tampered circuit Security: Learn nothing beyond input/output behavior of untampered circuit. Attacker can run the circuit and tamper over and over. Tampering with memory is persistent.

21 Our Results [D, Kalai, CRYPTO ’12 & TCC ‘14]

22 Memory: S = ECC(s) Encoding of Input Circuit Computation PCPP Computation PCPP Verification Error CascadeOutput Input: x X = ECC(x) b

23 Future/Ongoing Work Protect against simultaneous leakage and tampering. Protect against larger classes of tampering – Tampering on some subset of wires depends on the values of another subset of wires.

24 Thank you! Dana Dachman-Soled danadach@ece.umd.edu


Download ppt "Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland"

Similar presentations


Ads by Google