Leakage-Resilient Storage
Francesco Davì, Stefan Dziembowski, Daniele Venturi
Sapienza University of Rome
SCN 2010, 13/09/2010
Plan
1. Leakage-Resilient Cryptography
 - Motivation
 - Leakage models
2. Our contribution: Leakage-Resilient Storage
 - Definition and Properties
 - Constructions
3. Conclusion
Davì, Dziembowski, Venturi – Leakage-Resilient Storage, SCN 2010, 13/09/2010
How to construct secure cryptographic devices?
• CRYPTO (the algorithm): very secure, its security is based on well-defined mathematical problems
• Implementation (the cryptographic device): not secure!
The problem
• CRYPTO: hard to attack
• Implementation (the cryptographic device): easy to attack
Information leakage
A cryptographic device leaks side-channel information:
• power consumption,
• electromagnetic radiation,
• timing information,
• …
Leakage-Resilient Cryptography
Design cryptographic protocols that are secure even on machines that leak information.
Leakage-Resilient Cryptography: The Models
• Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10): only computation leaks; total leakage unbounded
• Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10): all the memory leaks; total leakage bounded
• Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
• Continual memory-leakage (BKKV10, DHLW10): all the memory leaks; total leakage unbounded
Bounded memory-leakage model
The adversary is allowed to learn (adaptively) the values of t leakage functions (chosen by her) on the internal data used by the cryptographic scheme.
Leakage functions
The adversary chooses a leakage function f and retrieves f(x), where x is the internal data. The allowed class of f ranges from a very restricted class (read-off wires) to general leakage (any input-shrinking function).
Leakage-Resilient Storage
• A message m is stored as Enc(m); Dec recovers m from Enc(m). Note: no secret key.
• The adversary chooses (adaptively) t functions g_i : {0,1}^{|Enc(m)|} → {0,1}^{c_i}, g_i ∈ Γ, and retrieves the c_i bits g_i(Enc(m)).
• The total leakage is bounded by C < |Enc(m)|.
• The adversary is computationally unbounded and the leakage functions are input-shrinking: a very realistic model.
• Goal (compare the All-Or-Nothing Transform): it should be hard to reconstruct a message if not all the bits of its encoding are known.
Security definition (informal)
A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1). We will require that m0, m1 are chosen by the adversary.
Security definition (the game)
Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α. The game between the adversary and the oracle:
1. The adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle.
2. The oracle chooses a random b ∈ {0,1} and calculates τ := Enc(m_b).
3. For i = 1, …, t: the adversary chooses g_i : {0,1}^β → {0,1}^{c_i}, g_i ∈ Γ, sends g_i, and the oracle calculates and returns g_i(τ).
4. The adversary outputs b' and wins if b' = b.
(Enc, Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).
Problem
For a fixed family Γ, how to construct a secure (Enc, Dec)? Two cases:
• each leakage function can depend only on some restricted part of the memory → randomness extractors
• the cardinality of Γ is restricted → l-wise independent hash functions
A weaker adversary
Consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m).
• The (full) adversary chooses g_i and retrieves g_i(Enc(m)) = g_i(Rand, f(Rand) ⊕ m).
• The weak adversary chooses g'_i and retrieves only g'_i(Rand), i.e. leakage on the randomness alone.
Lemma
For any Γ, c, t and ε: if an encoding scheme of the form Enc(m) := (Rand, f(Rand) ⊕ m) is (Γ, c, t, ε)-secure against the weak adversary, then it is also (Γ, c, t, ε·2^α)-secure against the (full) adversary, where α is the length of the message.
Proof idea
Consider a full adversary that wins with advantage δ. Construct a weak adversary that runs the full adversary, simulating its view by replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α; the guess z equals the real pad with probability 2^{-α}. The weak adversary wins with advantage ε = δ·2^{-α}, i.e. δ = ε·2^α.
Two-source Extractor
A deterministic function Ext(source1, source2) → extracted string such that:
• the two sources are independent and random, each possibly far from uniform but with a lot of min-entropy;
• the extracted string is almost uniformly random.
Example: inner product modulo 2.
Memory divided into 2 parts: construction
Setting: each leakage function can depend only on some restricted part of the memory, here one of the two parts M0 and M1.
• Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m), with R0 kept in M0 and R1 kept in M1
• Dec(R0, R1, m*) := Ext(R0, R1) ⊕ m*
Memory divided into 2 parts: contribution
If Ext is a two-source extractor, then (Enc, Dec) with Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m) and Dec(R0, R1, m*) := Ext(R0, R1) ⊕ m* is secure against an adversary whose leakage functions each depend only on one of the two memory parts (M0 or M1).
Proof idea
Recall Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m). By the Lemma it suffices to show that (Enc, Dec) is secure against every weak adversary, i.e. one that leaks only from (R0, R1). One can prove that even given g'_1(R0, R1), …, g'_t(R0, R1), with high probability R0 and R1
• are still independent,
• still have high min-entropy,
so Ext(R0, R1) remains almost uniform and hides m.
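The two-part construction above, as an added example that is not from the slides or the paper: it uses the inner-product-modulo-2 extractor the deck names, and also measures, exhaustively, how much a read-off-wires leakage of k bits from each part biases the extracted bit. The per-block parallel use of the single-bit extractor to get an α-bit pad is my simplification for illustration, not the paper's parameterization.

```python
# Added example (not from the slides): Enc(m) := (R0, R1, Ext(R0, R1) XOR m)
# with Ext = inner product modulo 2, plus an exact check of the bias that
# leaking the first k bits of R0 and of R1 (one function per memory part)
# induces on the extracted bit.
import secrets
from fractions import Fraction
from itertools import product

def inner_product_mod2(r0, r1):
    """Deterministic two-source extractor from the slides: <R0, R1> mod 2."""
    assert len(r0) == len(r1)
    return sum(a & b for a, b in zip(r0, r1)) & 1

def ext(r0, r1, alpha):
    """Assumption: alpha independent n-bit blocks, one extracted bit each."""
    n = len(r0) // alpha
    return tuple(inner_product_mod2(r0[j * n:(j + 1) * n], r1[j * n:(j + 1) * n])
                 for j in range(alpha))

def enc(m, n):
    """Enc(m): R0 is kept in memory part M0, R1 in M1; there is no secret key."""
    alpha = len(m)
    r0 = tuple(secrets.randbits(1) for _ in range(alpha * n))
    r1 = tuple(secrets.randbits(1) for _ in range(alpha * n))
    pad = ext(r0, r1, alpha)
    return r0, r1, tuple(p ^ b for p, b in zip(pad, m))

def dec(r0, r1, m_star):
    """Dec(R0, R1, m*) := Ext(R0, R1) XOR m*."""
    pad = ext(r0, r1, len(m_star))
    return tuple(p ^ b for p, b in zip(pad, m_star))

def max_bias_after_leakage(n, k):
    """Leak the first k bits of R0 and the first k bits of R1 (each leakage
    function touches one part only).  Returns, exactly, the maximum over the
    leaked values of |Pr[Ext(R0, R1) = 1 | leakage] - 1/2|."""
    counts = {}
    for r0 in product((0, 1), repeat=n):
        for r1 in product((0, 1), repeat=n):
            key = (r0[:k], r1[:k])
            ones, total = counts.get(key, (0, 0))
            counts[key] = (ones + inner_product_mod2(r0, r1), total + 1)
    return max(abs(Fraction(o, t) - Fraction(1, 2)) for o, t in counts.values())

if __name__ == "__main__":
    r0, r1, m_star = enc((1, 0, 1, 1), n=8)      # constructed 4-bit message
    assert dec(r0, r1, m_star) == (1, 0, 1, 1)
    for k in range(5):                            # bias doubles per leaked pair
        print(k, max_bias_after_leakage(4, k))
```

For n = 4 the bias grows as 1/32, 1/16, 1/8, 1/4, 1/2 for k = 0, …, 4: every pair of leaked bits halves the remaining uncertainty about the pad, and only when both parts leak entirely is the message fully exposed.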
l-wise independent hash functions
A family H = {h_s : X → Y}_{s ∈ I} is l-wise independent if, for a uniformly random S ∈ I and any l distinct inputs {x1, …, xl} ⊆ X, the tuple (h_S(x1), …, h_S(xl)) is uniform over Y^l.
Boolean circuits of small size: construction
Setting: the cardinality of Γ is restricted; here Γ is the set of functions computable by Boolean circuits of a fixed size.
Let H = {h_s : X → Y}_{s ∈ I} be l-wise independent.
• Enc_s(m) := (R, h_S(R) ⊕ m), where R ∈ X is random
• Dec_s(R, m*) := h_S(R) ⊕ m*
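An added example, not from the slides or the paper, of the definition on the previous slide and of the construction above: the family of polynomials of degree below l over Z_p is checked exhaustively against the l-wise independence definition, then used as h_S in Enc_s / Dec_s. Working over Z_p with addition modulo p in place of XOR over bit strings, and treating the seed S as known to Dec_s, are assumptions of this example.

```python
# Added example (not from the slides): an l-wise independent family
# H = {h_s : Z_p -> Z_p}, h_s(x) = s_0 + s_1 x + ... + s_{l-1} x^{l-1} mod p,
# verified exhaustively, then the storage scheme Enc_s(m) := (R, h_S(R) + m).
# Addition mod p stands in for XOR (assumption of this example).
import secrets
from collections import Counter
from itertools import combinations, product

P = 7  # small prime so the exhaustive check stays cheap

def h(seed, x):
    """Polynomial hash; seed = (s_0, ..., s_{l-1}) gives degree < l."""
    return sum(s * pow(x, j, P) for j, s in enumerate(seed)) % P

def is_l_wise_independent(l):
    """Definition from the slide: for uniformly random S in I and any l distinct
    inputs, (h_S(x_1), ..., h_S(x_l)) must be uniform over Y^l.  Checked by
    enumerating every seed and every l-subset of X."""
    seeds = list(product(range(P), repeat=l))          # I = Z_p^l
    per_tuple = len(seeds) // P ** l                   # |I| / |Y|^l seeds each
    for xs in combinations(range(P), l):
        counts = Counter(tuple(h(s, x) for x in xs) for s in seeds)
        if len(counts) != P ** l or set(counts.values()) != {per_tuple}:
            return False
    return True

def enc(seed, m):
    """Enc_s(m) := (R, h_S(R) + m) with R random in X = Z_p; no secret key."""
    r = secrets.randbelow(P)
    return r, (h(seed, r) + m) % P

def dec(seed, r, m_star):
    """Dec_s(R, m*) := m* - h_S(R)  (the inverse of the pad operation)."""
    return (m_star - h(seed, r)) % P

if __name__ == "__main__":
    for l in (2, 3):
        print("degree <", l, "polynomials are", l, "-wise independent:",
              is_l_wise_independent(l))
    seed = tuple(secrets.randbelow(P) for _ in range(3))   # public seed S
    r, m_star = enc(seed, 5)                                # constructed message
    assert dec(seed, r, m_star) == 5
```

The exhaustive check passes because, for l distinct points, the map from the l coefficients to the l output values is a bijection (a Vandermonde system), so every output tuple is hit by exactly one seed.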
Conclusion and Future work
Achieved:
• We have defined a primitive to securely store information in hardware that may leak information.
• We have given constructions of such a scheme in two relevant scenarios.
Open:
• Refreshing of the storage
• From storage to computation: compute with encoded data
• Find more applications