NEW RESULTS IN NON-MALLEABLE CODES
PRATYAY MUKHERJEE, AARHUS UNIVERSITY
28 MARCH 2014
PROGRESS REPORT SEMINAR
SUPERVISED BY JESPER BUUS NIELSEN
CRYPTOGRAPHY IN MODERN WORLD
How to analyze security? Find all possible attacks? Infeasible! We need mathematical modelling and proofs, a.k.a. Provable Security.
PROVABLE SECURITY AT A GLANCE
1. Define security notion/models.
2. Design cryptoscheme. Usually described in mathematical language.
3. Prove security: no efficient adversary can break security if the assumption holds. Reduce the security of the complex scheme to a simple assumption, e.g., number theoretic: factoring is hard; complexity theoretic: one-way functions exist.
TIME TO RELAX?
A security proof implies: secure against all possible attacks.
However, provably secure systems get broken in practice! So what's wrong? Model vs. Reality.
PHYSICAL ATTACKS ON IMPLEMENTATIONS
Mathematical model: blackbox. F_k: input -> output.
Reality: physical attacks. F_k: input -> output, plus leakage; tampering turns F_k into F'_k', which produces a tampered output.
Our focus: tampering.
WHY CARE ABOUT TAMPERING?
BDL'01: inject a single (random) fault into the signing key of some type of RSA signature, and factor the RSA modulus!
Devastating attacks on provably secure cryptosystems! Anderson and Kuhn '96, Skorobogatov et al. '02, Coron et al. '09, and many more.
THEORETICAL MODELS OF TAMPERING
• Tamper with memory and computation (IPSW '06): the most general model; complicated. Limited existing results!
• Tamper only with memory (GLMMR '04): a natural first step; simpler to handle. Might be reasonable in practice! Our focus.
WAYS TO PROTECT AGAINST MEMORY TAMPERING
1. Protecting specific schemes: build tamper-resilient PRF, PKE, Sigs, e.g. BK03; BCM11; KKS11; BPT12; DFMV13. We build tamper-resilient PKE and signature schemes.
2. Protecting arbitrary computation: build a compiler for any functionality, first proposed in GLMMR04. This talk.
The compiler turns (Memory K, Circuit F) into (Memory K', Circuit F').
Initialization: K' := C = Enc(K).
Execution of F'[C](x): 1. K = Dec(C). 2. Output F[K](x).
SECURITY GUARANTEE
Intuition: the adversary shall learn nothing useful from tampering.
∀ Adv ∃ Sim: Adv interacting with the compiled (F', K' := Enc(K)) ≈ Sim interacting with the original (F, K).
OUTLINE: REST OF THE TALK
• Basics of Non-Malleable Codes.
• Result-1: Continuous Non-Malleable Codes.
• Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits.
• Conclusions and future works.
Basic definitions
Non-Malleable Codes
ENCODING SCHEME (ENC, DEC)
› ENC: source message s -> codeword C = Enc(s). Can be randomized.
› DEC: codeword C -> decoded message s = Dec(C).
Correctness: ∀ s: s = Dec(Enc(s)). No secret key!
THE "TAMPERING EXPERIMENT"
› "Tampering experiment" for encoding scheme (Enc, Dec): s -> Enc -> C -> Tamper with f ∈ F -> C* = f(C) -> Dec -> s*.
f is chosen adversarially from some fixed family F.
Goal: design an encoding scheme (Enc, Dec) for "interesting" F that provides "meaningful guarantees" about s*.
ERROR CORRECTION/DETECTION & NON-MALLEABILITY
(s -> Enc -> C -> Tamper with f ∈ F -> C* = f(C) -> Dec -> s*)
Error-correction: guarantees s* = s, but e.g. for Hamming codes f must be such that Ham-Dist(C, C*) < d/2, i.e. F is very limited!
Error-detection: guarantees s* ∈ {s, ⊥}, but F can't contain simple functions, e.g. the constant functions f_Ĉ(.) = Ĉ for a valid Ĉ.
Non-malleability [DPW10]: guarantees s* = s or s* unrelated to s. Hope: achievable for a rich F.
FORMALIZING NMC [DPW'10]
Def: A code (Enc, Dec) is non-malleable w.r.t. F if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(sb) is:
1. Encode C ← Enc(sb).
2. Tampering: Adv chooses f ∈ F. Set C* ← f(C). If C* = C return "same", else return C*.
3. Output View.
Intuition: the tampering experiment should not leak anything about the input!
LIMITATION AND POSSIBILITY
Impossibility [DPW10]: not achievable if F contains some f which knows Dec. For any (Enc, Dec) consider f_bad which decodes C, flips 1 bit and re-encodes to C*. Conclusion: there is no NMC for F_all (|F_all| =  for -bit code).
Possibility [DPW10]: NMC exists for every family such that |F| < .
How to restrict F?
Way-1: compromise granularity: split-state tampering. Considered in [DPW10, LL12, DKO13, ADL13, CG13] and our Result-1.
Way-2: compromise complexity: global tampering. Considered for the first time in our Result-2.
Result-1: Continuous Non-Malleable Codes
Based on a joint work with: Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi [Appeared in TCC 2014]
SPLIT-STATE TAMPERING
In this model, C = (C1, C2) and f = (f1, f2) for arbitrary f1, f2: s -> Enc -> (C1, C2); C1* = f1(C1), C2* = f2(C2); s* = Dec(C1*, C2*).
Why split-state? |F_split| = O(): a rich class of functions. Might be easy to implement. A well-studied model in leakage-resilient crypto.
NMC TO PROTECT TAMPERING
Idea (recall): build a compiler for any functionality. Compile (Memory s, Circuit F) into (Memory s', Circuit F').
Initialization: s' := NMEnc(s).
Execution loop of F'[s'](x): 1. s = NMDec(s'). 2. If s = ⊥ then STOP; else output F[s](x), re-encode s' = NMEnc(s), and continue.
Fresh re-encoding: Adv can tamper each codeword only once.
A STRONGER TAMPERING MODEL
The memory space is much bigger than the length of the codeword: C := NMEnc(s) is stored in memory M; the adversary applies f to obtain M* = f(M), and the codeword C' is read from M*.
Adv can tamper continuously with the same codeword.
CNMC: A NATURAL EXTENSION
Def: A code (Enc, Dec) is continuous non-malleable w.r.t. F_split if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(sb) is:
1. Encode (C1, C2) ← Enc(sb).
2. Tampering (repeat adaptively): Adv chooses (f1, f2). Set (C1*, C2*) ← (f1(C1), f2(C2)). If (C1*, C2*) = (C1, C2) return "same", else return (C1*, C2*).
3. Output View.
Attack [GLMMR04]: guess each bit, overwrite and check if the output is "same"; recover the codeword bit by bit.
Way out: assume self-destruct: if the output is ⊥ once, then STOP the experiment.
CNMC: A NATURAL EXTENSION
Def: A code (Enc, Dec) is continuous non-malleable in split-state if ∀ Adv and ∀ s0, s1: Tamper(s0) ≈ Tamper(s1), where Tamper(sb) is:
1. Encode (C1, C2) ← Enc(sb).
2. Tampering (repeat adaptively): Adv chooses (f1, f2). Set (C1*, C2*) ← (f1(C1), f2(C2)). If (C1*, C2*) = (C1, C2) return "same". Else if Dec(C1*, C2*) = ⊥ then return ⊥ and self-destruct. Else return (C1*, C2*).
3. Output View.
UNIQUENESS: A NECESSARY PROPERTY
Def: For any Adv it's hard to find (C1, C2, C2') such that both (C1, C2) and (C1, C2') are valid.
Why necessary? Otherwise suppose ∃ such (C1, C2, C2'). Then (f1, f2) recovers T2:
1. f1 always replaces T1 with C1.
2. f2 checks if T2[i] = 0; if so it replaces T2 with C2, else it replaces T2 with C2'.
After knowing T2:
3. f1 hard-codes T2 and decodes s ← Dec(T1, T2).
4. Depending on s, f1 leaves it the same or tampers: leaks 1 bit.
The existing [LL12] construction does not satisfy uniqueness.
Corollary: information-theoretic CNMC (split-state) is impossible.
EXTRACTABILITY: ANOTHER PROPERTY
(s -> Enc -> (C1, C2); C1* = f1(C1), C2* = f2(C2); Extract from C1*: C2**.)
Extractability: if C1* ≠ C1 then it is possible to extract C2** (if it exists) such that (C1*, C2**) is valid.
Our construction: uniqueness + extractability.
Is extractability necessary? We don't know.
OUR CONSTRUCTION: INTUITIONS
Picture: (C1, C2) is tampered by (f1, f2) into (C1*, C2*). Extract C2** from C1*; by uniqueness, C2** = C2* w.h.p. Decode s* from (C1*, C2**): a priori known to Adv.
Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits
Based on a joint work with: Sebastian Faust, Daniele Venturi and Daniel Wichs [To appear in Eurocrypt 2014]
RECALL: LIMITATION AND POSSIBILITY
Impossibility [DPW10]: there is no NMC for F_all (|F_all| = ).
Possibility: NMC exists for every family such that |F| < .
How to restrict F: Way-1: compromise granularity (Result-1). Way-2: compromise complexity: global tampering, considered for the first time in this work.
Question: can we protect against all efficient functions F_eff, |F_eff| = 2^{O(poly())}? Answer: NO! Because F_eff contains all efficient (Enc, Dec).
EFFICIENT & GLOBAL NON-MALLEABLE CODES
Main result, "the next best thing": for any pre-fixed polynomial P, we can construct global and efficient non-malleable codes for any F of size |F| ≤ 2^P.
What does it mean? Choose F s.t. |F| ≤ 2^P; choose the parameter t based on P; the code then handles any f ∈ F.
THE CONSTRUCTION
Encoding: sample (h1, h2) ← H1 × H2, both of seed size t. On input s: r ← D_R, z = s ⊕ h1(r), σ = h2(r, z); output c = (r, z, σ).
Decoding: on input c = (r, z, σ), if σ = h2(r, z) then output z ⊕ h1(r), else output ⊥.
Theorem (informal): the above encoding is non-malleable w.r.t. any F of size 2^P w.h.p. over the random choices of h1, h2, as long as t >> P. (It is information-theoretic and optimal.)
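As an added example (not code from the talk or the papers), a toy Python instance of the hash-based construction above, with its decoder wired into the re-encoding execution loop from the "NMC TO PROTECT TAMPERING" slide. It assumes t-wise independent hashes realised as random polynomials over a prime field, 64-bit messages, and toy parameters; the field, seed size and functionality are choices made here, not the paper's.

```python
import secrets
P = (1 << 255) - 19    # prime field for the hashes (any prime > 2^128 would do)
T = 8                  # random degree-(T-1) polynomials are T-wise independent hashes
MASK64 = (1 << 64) - 1 # messages s, randomness r and pad z are 64-bit strings

def sample_hash(t=T):
    """Seed of a t-wise independent hash: t random coefficients in GF(P)."""
    return [secrets.randbelow(P) for _ in range(t)]

def eval_hash(coeffs, x):
    """Evaluate the polynomial at x (Horner's rule)."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % P
    return y

def enc(s, h1, h2):
    """NMEnc: c = (r, z, sigma) with z = h1(r) XOR s and sigma = h2(r, z)."""
    r = secrets.randbelow(1 << 64)
    z = s ^ (eval_hash(h1, r) & MASK64)    # h1 output truncated to the pad length
    sigma = eval_hash(h2, (r << 64) | z)   # (r, z) packed injectively into one field element
    return (r, z, sigma)

def dec(c, h1, h2):
    """NMDec: if sigma = h2(r, z) output z XOR h1(r), else None (the symbol ⊥)."""
    r, z, sigma = c
    if sigma != eval_hash(h2, (r << 64) | z):
        return None
    return z ^ (eval_hash(h1, r) & MASK64)

def run_compiled(F, s, h1, h2, inputs, tampers):
    """Execution loop of F'[s']: decode memory, self-destruct on ⊥, else answer
    F[s](x) and store a fresh re-encoding. tampers[i] (or None) modifies memory before round i."""
    mem = enc(s, h1, h2)                   # s' := NMEnc(s)
    outputs = []
    for x, f in zip(inputs, tampers):
        if f is not None:
            mem = f(mem)                   # adversary's function of the stored codeword
        s_cur = dec(mem, h1, h2)
        if s_cur is None:
            outputs.append(None)           # self-destruct: stop answering for good
            break
        outputs.append(F(s_cur, x))
        mem = enc(s_cur, h1, h2)           # fresh re-encoding for the next round
    return outputs

def demo():
    # Constructed run: key-XOR functionality, one bit of z flipped before round 2.
    h1, h2 = sample_hash(), sample_hash()
    flip_z = lambda c: (c[0], c[1] ^ 1, c[2])
    return run_compiled(lambda k, x: k ^ x, 0xC0FFEE, h1, h2, [1, 2, 3], [None, flip_z, None])
```

The first round answers normally, the flipped codeword fails the σ check, and the device never answers again, which is the self-destruct behaviour the definition relies on.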
SOME INTUITIONS
Recall: our codeword has the format C = ((r, z), h2(r, z)). f cannot compute h2, but it can leak some bits of (r, z); but (r, z) = (r, h1(r) ⊕ s) is a leakage-resilient encoding of s! [DDV'10]
Choose seed size t >> P such that, w.h.p. over random (h1, h2), this holds for every f ∈ F.
CONCLUSIONS AND FUTURE WORKS
We mainly explored non-malleable codes in two separate directions.
Thus far NMC is only used to protect against memory tampering. (We strengthen the model in Result-1.)
Future works:
• Can we use NMC also to protect against computation? Leakage- and tamper-resilient RAM!
• Other uses of NMC? E.g. non-malleable commitments/encryptions; a general abstraction of non-malleability.
• Improving the existing NMC.
PUBLISHED PAPERS
1. Bounded Tamper Resilience: How to go beyond the Algebraic Barrier. Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, Daniele Venturi. In ASIACRYPT 2013.
2. Continuous Non-Malleable Codes. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, Daniele Venturi. In TCC 2014. (This talk)
3. Efficient Non-Malleable Codes and Key-derivations for poly-size tampering circuits. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, Daniel Wichs. To appear in EUROCRYPT 2014. (This talk)
Thank You!
Question(s)?