
NEW RESULTS in non-malleable codes PROGRESS REPORT seminar supervised by jesper buus nielsen


Presentation Transcript


  1. NEW RESULTS in non-malleable codes. PROGRESS REPORT seminar, supervised by Jesper Buus Nielsen.

  2. CRYPTOGRAPHY in the modern world. How to analyze security? Find all possible attacks? Infeasible! We need mathematical modelling and proofs, a.k.a. Provable Security.

  3. Provable security at a glance
     1. Define security notions/models.
     2. Design the crypto scheme, usually described in mathematical language.
     3. Prove security: reduce the security of the complex scheme to a simple assumption, e.g.
        • number theoretic: factoring is hard;
        • complexity theoretic: one-way functions exist.
     No efficient adversary can break security if the assumption holds.

  4. Time to relax? A security proof implies security against all possible attacks, within the Model. However, provably secure systems get broken in practice! So what's wrong? Reality vs. Model.

  5. Physical attacks on implementations
     • Mathematical model: black box. input → F_k → output.
     • Reality: PHYSICAL ATTACKS.
        • Leakage: input → F_k → output, plus leakage about k.
        • Tampering: F_k is changed into F'_k' and produces a tampered output.
     • Our focus: tampering.

  6. Why care about tampering? Devastating attacks on provably secure crypto-systems! Anderson and Kuhn '96, Skorobogatov et al. '02, Coron et al. '09, ... and many more. BDL'01: inject a single (random) fault into the signing key of some type of RSA signature to factor the RSA modulus!

  7. Theoretical models of tampering
     • Tamper only with memory (GLMMR '04): our focus. A natural first step: simpler to handle, and might be reasonable in practice!
     • Tamper with memory and computation (IPSW '06): the most general model, but complicated, with limited existing results!

  8. Ways to protect against memory tampering
     1. Protecting specific schemes: build tamper-resilient PRFs, PKE, signatures, e.g. BK 03; BCM11; KKS 11; BPT 12; DFMV13, ... (we build tamper-resilient PKE and signature schemes).
     2. Protecting arbitrary computation (this talk): build a compiler for any functionality, first proposed in GLMMR04. A circuit F with key K in memory is compiled into a circuit F' whose memory holds K' := C = Enc(K).
        Execution of F'[C](x): 1. K = Dec(C); 2. output F[K](x).

  9. Security guarantee. Intuition: the adversary shall learn nothing useful from tampering. Compile (F, K) into (F', K' := Enc(K)): whatever Adv learns by tampering with F'[K'] can be produced by a simulator Sim that only has access to the untampered F[K].

  10. Outline: rest of the talk
     • Basics of non-malleable codes.
     • Result-1: continuous non-malleable codes.
     • Result-2: efficient non-malleable codes for poly-size tampering circuits.
     • Conclusions and future work.

  11. Basic definitions: Non-Malleable Codes

  12. Encoding scheme (Enc, Dec)
     • ENC: source message s → Enc → codeword C. Enc can be randomized; there is no secret key!
     • DEC: codeword C → Dec → decoded message s.
     • Correctness: for all s, s = Dec(Enc(s)).

  13. The "tampering experiment" for encoding scheme (Enc, Dec): s → Enc → C → Tamper: C* = f(C) → Dec → s*.
     • f ∈ F is chosen adversarially from some fixed family F.
     • Goal: design an encoding scheme (Enc, Dec) for an "interesting" F that provides "meaningful guarantees" about s*.

  14. Error correction/detection & non-malleability (same experiment: C* = f(C) with f ∈ F, s* = Dec(C*))
     • Error correction: guarantees s* = s, but e.g. for Hamming codes f must be such that Ham-Dist(C, C*) < d/2, i.e. F is very limited!
     • Error detection: guarantees s* ∈ {s, ⊥}, but F can't contain simple functions, e.g. the constant functions f_Ĉ(·) = Ĉ for a valid Ĉ.
     • Non-malleability [DPW10]: guarantees that s* = s or s* is unrelated to s.
     • Hope: achievable for rich F.

  15. Formalizing NMC [DPW'10]
     Def: A code (Enc, Dec) is non-malleable w.r.t. F if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(s_b):
     1. Encode: C ← Enc(s_b).
     2. Tampering: Adv chooses f ∈ F; set C* ← f(C). If C* = C return "same", else return C*.
     3. Output View.
     Intuition: the tampering experiment should not leak anything about the input!

  16. Limitation and possibility
     • Impossibility [DPW10]: not achievable if F contains some f which knows Dec. For any (Enc, Dec), consider f_bad which decodes C, flips 1 bit and re-encodes to C*. Conclusion: there is no NMC for F_all (|F_all| = … for a …-bit code).
     • Possibility [DPW10]: an NMC exists for every family such that |F| < ….
     • How to restrict F?
        • Way-1: compromise granularity: split-state tampering. Considered in [DPW10, LL12, DKO13, ADL13, CG13] and our Result-1.
        • Way-2: compromise complexity: global tampering. Considered for the first time in our Result-2.

  17. Result-1: Continuous Non-Malleable Codes. Based on joint work with Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi [appeared in TCC 2014].

  18. Split-state tampering. In this model C = (C1, C2) and f = (f1, f2) for arbitrary f1, f2: C1* = f1(C1), C2* = f2(C2), s* = Dec(C1*, C2*).
     • Why split-state?
        • |F_split| = O(…): a rich class of functions.
        • Might be easy to implement.
        • A well-studied model in leakage-resilient crypto.

  19. NMC to protect against tampering (recall)
     • Idea: build a compiler for any functionality. Circuit F with memory s is compiled into circuit F' with memory s'.
     • Initialization: s' := NMEnc(s).
     • Execution loop of F'[s'](x): 1. s = NMDec(s'); 2. if s = ⊥ then STOP, else output F[s](x), re-encode s' = NMEnc(s) and continue.
     • Fresh re-encoding: Adv can tamper with each codeword only once.

  20. A stronger tampering model
     • Memory space much bigger than the length of the codeword: memory M holds C := NMEnc(s); the adversary applies f to obtain M* = f(M), from which C' is read.
     • Adv can tamper continuously with the same codeword.

  21. CNMC: a natural extension (continuous)
     Def: A code (Enc, Dec) is non-malleable w.r.t. F_split if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(s_b):
     1. Encode: (C1, C2) ← Enc(s_b).
     2. Tampering, repeated adaptively: Adv chooses (f1, f2); set (C1*, C2*) ← (f1(C1), f2(C2)). If (C1*, C2*) = (C1, C2) return "same", else return (C1*, C2*).
     3. Output View.
     Attack [GLMMR04]: guess each bit, overwrite it and check whether the output is "same"; this recovers the codeword bit by bit.
     Way out: assume self-destruct: if the output is ⊥ once, then STOP the experiment.

  22. CNMC: a natural extension
     Def: A code (Enc, Dec) is continuous non-malleable in split-state if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(s_b):
     1. Encode: (C1, C2) ← Enc(s_b).
     2. Tampering, repeated adaptively: Adv chooses (f1, f2); set (C1*, C2*) ← (f1(C1), f2(C2)). If (C1*, C2*) = (C1, C2) return "same"; else if Dec(C1*, C2*) = ⊥ then return ⊥ and self-destruct; else return (C1*, C2*).
     3. Output View.
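An added simulation (not from the talk) of the two experiments above, using a toy split-state code assumed only for the demo: C1 = r and C2 = (s ⊕ r, H(r, s ⊕ r)) with a public SHA-256 H, so any single-bit change decodes to ⊥. The oracle answers with the decoded s* rather than the raw (C1*, C2*); the GLMMR04 bit-by-bit attack recovers s when the oracle keeps answering, and is cut short at the first ⊥ once self-destruct is assumed.

```python
import hashlib
import random

N = 16  # bit length of s and of C1 (constructed; small so the demo is quick)

def enc(s, seed):
    # Toy split-state code assumed for the demo (not the talk's construction):
    # C1 = r, C2 = (s xor r, H(r, s xor r)) with a public hash H and no secret key.
    r = random.Random(seed).getrandbits(N)
    z = s ^ r
    return r, (z, hashlib.sha256(f"{r}:{z}".encode()).digest())

def dec(c1, c2):
    z, tag = c2
    if hashlib.sha256(f"{c1}:{z}".encode()).digest() != tag:
        return None  # bottom: any single-bit change to r or z is detected
    return c1 ^ z

class ContinuousTamper:
    """Tamper(s_b) oracle of slides 21/22, answering 'same', s* or None (bottom)."""
    def __init__(self, s, seed, self_destruct):
        self.c1, self.c2 = enc(s, seed)
        self.self_destruct, self.dead = self_destruct, False

    def query(self, f1, f2):
        if self.dead:
            raise RuntimeError("experiment stopped after self-destruct")
        c1s, c2s = f1(self.c1), f2(self.c2)      # f1 sees only C1, f2 only C2
        if (c1s, c2s) == (self.c1, self.c2):
            return "same"
        s_star = dec(c1s, c2s)
        if s_star is None and self.self_destruct:
            self.dead = True                     # slide 22: return bottom, then stop
        return s_star

def bit_by_bit_attack(oracle):
    """GLMMR04 attack of slide 21: overwrite one bit with 0 and read it off 'same'."""
    r = z = learned = 0
    try:
        for i in range(N):                       # recover C1 = r
            out = oracle.query(lambda x, i=i: x & ~(1 << i), lambda y: y)
            r |= (0 if out == "same" else 1) << i
            learned += 1
        for i in range(N):                       # recover z from C2, tag untouched
            out = oracle.query(lambda x: x, lambda y, i=i: (y[0] & ~(1 << i), y[1]))
            z |= (0 if out == "same" else 1) << i
            learned += 1
    except RuntimeError:
        return None, learned                     # self-destruct cut the attack short
    return r ^ z, learned                        # (recovered s, number of bits learned)
```

Without self-destruct the attack needs exactly 2N oracle calls and returns s; with self-destruct the first wrong guess ends the experiment, so at most a prefix of the codeword is learned.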

  23. Uniqueness: a necessary property
     • Def: for any Adv it's hard to find (C1, C2, C2') such that both (C1, C2) and (C1, C2') are valid. The existing [LL12] construction does not satisfy this.
     • Why necessary? Otherwise, suppose such (C1, C2, C2') exist and consider the following (f1, f2) against a target codeword (T1, T2):
        1. f1 always replaces T1 with C1.
        2. f2 checks whether T2[i] = 0: if so it replaces T2 with C2, else with C2'. This recovers T2.
        3. After knowing T2, f1 hard-codes T2 and decodes s ← Dec(T1, T2).
        4. Depending on s, f1 leaves the codeword the same or tampers with it: this leaks 1 bit.
     • Corollary: information-theoretic CNMC (split-state) is impossible.

  24. Extractability: another property
     • Def: if C1* = f1(C1) ≠ C1 then it is possible to extract C2** (if it exists) such that (C1*, C2**) is valid.
     • Necessary? We don't know.
     • Our construction: uniqueness + extractability.

  25. Our construction: intuitions. Given (f1, f2): from C1* = f1(C1) extract C2**; by uniqueness C2** = C2* w.h.p.; decode (C1*, C2**) to obtain s*, which is then a priori known to the adversary.

  26. Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits. Based on joint work with Sebastian Faust, Daniele Venturi and Daniel Wichs [to appear in Eurocrypt 2014].

  27. Recall: limitation and possibility
     • Question: can we protect against all efficient functions F_eff (|F_eff| = 2^{O(poly(…))})? Answer: NO! because F_eff contains all efficient (Enc, Dec).
     • Impossibility [DPW10]: there is no NMC for F_all (|F_all| = …).
     • Possibility: an NMC exists for every family such that |F| < ….
     • How to restrict F:
        • Way-1: compromise granularity: Result-1.
        • Way-2: compromise complexity: global tampering, considered for the first time in this work.

  28. Efficient & global non-malleable codes. Main result, "the next best thing": for any pre-fixed polynomial P, we can construct global and efficient non-malleable codes for any F of size |F| ≤ 2^P.
     • What does it mean? Choose F s.t. |F| ≤ 2^P; choose the parameter t based on P; then the tampering function is any f ∈ F.

  29. The construction
     • Encoding: input s. Choose (h1, h2) ← H1 × H2, both of seed size t; r ← D_R; z = s ⊕ h1(r); output c = (r, z, h2(r, z)).
     • Decoding: if the last component of c equals h2(r, z) then output z ⊕ h1(r), else output ⊥.
     • Theorem (informal): the above encoding is non-malleable w.r.t. any F of size 2^P w.h.p. over the random choices of h1, h2 as long as t >> P. (It is information theoretic and optimal.)

  30. Some intuitions (recall)
     • Choose seeds with t >> P such that w.h.p. the random (h1, h2) ∉ F.
     • Our codeword has the format C = ((r, z), h2(r, z)).
     • f can not compute h2 but can leak some bits of (r, z).
     • But (r, z) = (r, s ⊕ h1(r)) is a leakage-resilient encoding of s! [DDV'10]
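An added worked instance of the construction of slides 29 and 30 (example code, not the talk's own): h1 and h2 are instantiated as t-wise independent polynomial hashes over GF(2^61-1) and GF(2^127-1) (an assumed choice; s, r and z are treated as 61-bit values), the tag is h2 applied to (r, z) as slide 30 describes, and the tampering experiment of slide 13 is run against a bit flip and against the seed-aware f_bad of slides 16 and 27, which is exactly the kind of function excluded by fixing F before (h1, h2) are drawn.

```python
import random

P = 2**61 - 1     # field for h1; s, r and z are treated as elements below 2**61 (assumed)
Q = 2**127 - 1    # larger field for h2, so that a pair (r, z) fits in one element

def sample_hash(t, modulus, rng):
    # Seed of a t-wise independent hash: t random coefficients of a degree-(t-1)
    # polynomial over GF(modulus). Assumed instantiation of the families H1, H2.
    return [rng.randrange(modulus) for _ in range(t)]

def eval_hash(seed, x, modulus):
    # Horner evaluation of the seed polynomial at x.
    acc = 0
    for a in reversed(seed):
        acc = (acc * x + a) % modulus
    return acc

def pair(r, z):
    # Injective map (r, z) -> GF(Q) used as the input of h2 (both r, z < 2**61).
    return (r << 61) | z

def encode(s, h1, h2, rng):
    r = rng.randrange(P)                       # r <- D_R
    z = s ^ eval_hash(h1, r, P)                # z = s xor h1(r)
    return (r, z, eval_hash(h2, pair(r, z), Q))

def decode(c, h1, h2):
    r, z, tag = c
    if eval_hash(h2, pair(r, z), Q) != tag:
        return None                            # bottom: tag of (r, z) does not verify
    return z ^ eval_hash(h1, r, P)

def tamper(s, f, h1, h2, rng):
    # One round of the tampering experiment of slide 13: 'same', s* or None (bottom).
    c = encode(s, h1, h2, rng)
    c_star = f(c)
    return "same" if c_star == c else decode(c_star, h1, h2)

def demo(seed=1, t=8):
    rng = random.Random(seed)
    h1, h2 = sample_hash(t, P, rng), sample_hash(t, Q, rng)
    s = 0x1234
    flip_z = lambda c: (c[0], c[1] ^ 1, c[2])              # bit flip: the h2 check fails
    # f_bad of slide 16 knows (h1, h2): decode, flip a bit, re-encode. Such an f is
    # excluded precisely because F is fixed before the seeds are drawn.
    f_bad = lambda c: encode(decode(c, h1, h2) ^ 1, h1, h2, rng)
    return (decode(encode(s, h1, h2, rng), h1, h2),
            tamper(s, flip_z, h1, h2, rng),
            tamper(s, f_bad, h1, h2, rng))
```

demo() returns the correctly decoded s, ⊥ (None) for the bit flip, and the related message s ⊕ 1 for f_bad, which is the malleability that a seed-aware tampering function achieves.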

  31. Conclusions and future work
     • We mainly explored non-malleable codes in two separate directions.
     • Thus far NMC is only used to protect against memory tampering (we strengthen the model in Result-1).
     • Future work:
        • Can we use NMC also to protect against tampering with computation? Leakage- and tamper-resilient RAM!
        • Other uses of NMC? E.g. non-malleable commitments/encryptions; a general abstraction of non-malleability.
        • Improving the existing NMC.

  32. Published papers
     1. Bounded Tamper Resilience: How to go beyond the Algebraic Barrier. Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, Daniele Venturi. In ASIACRYPT 2013.
     2. (This talk) Continuous Non-Malleable Codes. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, Daniele Venturi. In TCC 2014.
     3. (This talk) Efficient Non-Malleable Codes and Key-derivations for poly-size tampering circuits. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, Daniel Wichs. To appear in EUROCRYPT 2014.

  33. Thank you! Question(s)?
