1 / 60

Randomness Leakage in the KEM/DEM Framework

Randomness Leakage in the KEM/DEM Framework. Hitoshi Namiki (Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT). ProvSec 2011. Leakage-Resilient C ryptography. Prove the security even if some secret information leaks (by side-channel attacks).

aimee
Download Presentation

Randomness Leakage in the KEM/DEM Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Randomness Leakage in the KEM/DEM Framework Hitoshi Namiki(Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT) ProvSec 2011

  2. Leakage-Resilient Cryptography • Prove the security even if some secret information leaks (by side-channel attacks)

  3. Leakage-Resilient Cryptography • Prove the security even if some secret information leaks (by side-channel attacks) • Stream Cipher [DP08][Pie09] • Public-Key Encryption [AGV09][NS09] [ADW09][AND+10][BG10][DHL+10] … • Signature [ADW09][KV09][FKP10][MTV+11][BSW11] … • etc.

  4. Leakage-Resilient PKE c c =Encpk(m;r) m =Decsk(c)

  5. Leakage-Resilient PKE • Leakage of secret key [AGV09][NS09][ADW09] … c c =Encpk(m;r) m =Decsk(c)

  6. Leakage-Resilient PKE • Leakage of secret key [AGV09][NS09][ADW09] … Leakage of sk c c =Encpk(m;r) m =Decsk(c)

  7. Leakage-Resilient PKE • Leakage of secret key [AGV09][NS09][ADW09] … • Restriction: Amount of leakage is bounded Leakage of sk c c =Encpk(m;r) m =Decsk(c)

  8. This Work

  9. This Work • Leakage of randomness in encryption

  10. This Work • Leakage of randomness in encryption • Restriction:Amount of leakage is bounded

  11. This Work • Leakage of randomness in encryption • Restriction:Amount of leakage is bounded c c =Encpk(m;r) m =Decsk(c)

  12. This Work • Leakage of randomness in encryption • Restriction:Amount of leakage is bounded Leakage of r c c =Encpk(m;r) m =Decsk(c)

  13. Our Results

  14. Our Results • No securerandomness-LR schemeif leaks after public key is published

  15. Our Results • No securerandomness-LR schemeif leaks after public key is published • Even if 1-bit leaks

  16. Our Results • No securerandomness-LR schemeif leaks after public key is published • Even if 1-bit leaks • Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…)

  17. Our Results • No securerandomness-LR schemeif leaks after public key is published • Even if 1-bit leaks • Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) • Secure randomness-LR KEM/DEM schemeeven if leaks after public key is published

  18. Our Results • No securerandomness-LR schemeif leaks after public key is published • Even if 1-bit leaks • Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) • Secure randomness-LR KEM/DEM schemeeven if leaks after public key is published • Relax the leakage model (describe later)

  19. Our Results • No securerandomness-LR schemeif leaks after public key is published • Even if 1-bit leaks • Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) • Secure randomness-LR KEM/DEM schemeeven if leaks after public key is published • Relax the leakage model (describe later) • Leakage rate = 1 – o(1)(DDH assumption)

  20. Model of Randomness Leakage pk m0, m1 c c =Encpk(mb;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  21. Model of Randomness Leakage r pk Leakage Oracle m0, m1 c c =Encpk(mb;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  22. Model of Randomness Leakage r pk f Leakage Oracle m0, m1 c c =Encpk(mb;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  23. Model of Randomness Leakage r pk f Leakage Oracle m0, m1 f(r) c c =Encpk(mb;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  24. Model of Randomness Leakage r pk f Leakage Oracle m0, m1 f(r) c |f(r)|≤ λ c =Encpk(mb;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  25. Model of Randomness Leakage r pk f Leakage Oracle m0, m1 f(r) c |f(r)|≤ λ c =Encpk(mb;r) leakage rate = λ /|r| b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

  26. Randomness leakage after public key is published Theorem.No secure randomness-LR scheme exists if randomness leaks after public key is published

  27. Randomness leakage after public key is published Theorem.No secure randomness-LR scheme exists if randomness leaks after public key is published Proof: • Adversary’s strategy: • Set f(r) := { i-th bit of Encpk(m0; r) } for random i • If f(r) ≠{ i-th bit of c }, output 1, o.w. a random guess • When b = 0, Pr[ b = b’ ] = 1/2 • When b = 1, Pr[ b = b’ ] ≥ 1/2 + 1/|c| since f(r) ≠ {i-th bit of c } w.p. at least 1/|c|

  28. Randomness leakage after public key is published • Randomness leakage is more seriousthan key leakage !! • 1-bit leakage  insecurity • Secure key-LR scheme [AGV09][NS09]…

  29. Randomness leakage after public key is published • Randomness leakage is more seriousthan key leakage !! • 1-bit leakage  insecurity • Secure key-LR scheme [AGV09][NS09]… • Relax the leakage model • Fit for KEM/DEM framework

  30. KEM/DEM Framework • KEM ≈ PKE for random messages • Random message is used as secret key of DEM

  31. KEM/DEM Framework • KEM ≈ PKE for random messages • Random message is used as secret key of DEM (c1, K) = KEM.Encpk(r1) c2 = DEM.EncK(m;r2)

  32. KEM/DEM Framework • KEM ≈ PKE for random messages • Random message is used as secret key of DEM c1, c2 (c1, K) = KEM.Encpk(r1) c2 = DEM.EncK(m;r2)

  33. KEM/DEM Framework • KEM ≈ PKE for random messages • Random message is used as secret key of DEM c1, c2 (c1, K) = KEM.Encpk(r1) K=KEM.Decsk(c1) c2 = DEM.EncK(m;r2) m =DEM.DecK(c2)

  34. Randomness Leakage in KEM/DEM f(r1, r2) c1, c2 (c1, K) = KEM.Encpk(r1) K=KEM.Decsk(c1) m =DEM.DecK(c2) c2 = DEM.EncK(m;r2)

  35. Randomness Leakage in KEM/DEM c1, c2 (c1, K) = KEM.Encpk(r1) K=KEM.Decsk(c1) m =DEM.DecK(c2) c2 = DEM.EncK(m;r2) • Relaxation: Rand. for KEM/DEM leaks independently

  36. Randomness Leakage in KEM/DEM c1, c2 DEM KEM r2 r1 (c1, K) = KEM.Encpk(r1) K=KEM.Decsk(c1) m =DEM.DecK(c2) c2 = DEM.EncK(m;r2) • Relaxation: Rand. for KEM/DEM leaks independently • The situation that KEM/DEM are implemented by different chips

  37. Randomness Leakage in KEM/DEM • Relaxation: Rand. for KEM/DEM leaks independently • The situationthatKEM/DEM are implemented by different chips c1, c2 DEM KEM r2 r1 (c1, K) = KEM.Encpk(r1) K=KEM.Decsk(c1) m =DEM.DecK(c2) c2 = DEM.EncK(m;r2)

  38. Randomness Leakage in KEM/DEM |f(r1)|≤ λ r1 pk ① f Leakage Oracle ② f(r1) m0, m1 ③ * Leakage Oracle ④ c1, c2 r2 ⑤ (c1, K) = KEM.Encpk(r1) r2 entire string! b’ c2 = DEM.EncK(m;r2)

  39. Randomness Leakage in KEM/DEM |f(r1)|≤ λ • Remark: (1) Rand. for KEM/DEM leaks independently + (2) Messages are independent of DEM leakage r1 pk ① f Leakage Oracle ② f(r1) m0, m1 ③ * Leakage Oracle ④ c1, c2 r2 ⑤ (c1, K) = KEM.Encpk(r1) r2 entire string! b’ c2 = DEM.EncK(m;r2)

  40. Secure randomness-LR KEM/DEM scheme

  41. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR scheme

  42. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !!

  43. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen : Enc:

  44. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc: 1n sample param,sk

  45. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample param,sk sample KEM param,r1 DEM m, K

  46. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc: C = Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample param,sk sample KEM param,r1 DEM m, K

  47. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc: C = Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample param,sk sample param,r1 m, K

  48. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc:  sk  pk C = Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample param,sk sample sample param,r1 param,sk m, K

  49. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc:  sk  pk C = Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample param,sk sample sample param,r1 param,sk m, K

  50. Secure randomness-LR KEM/DEM scheme • Idea: key-LR scheme  randomness-LR schemeExchange the roles of key and randomness !! Rand.-LR KEM/DEM scheme: Gen :  r1  c1 PK = SK = Enc:  sk  pk C = Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc:  r1  c1  K  c2 C = (c1, c2) 1n sample sample param,sk param,r1 sample sample param,r1 param,sk m, K

More Related