Leakage-Resilient Cryptography

Leakage-Resilient Storage
Francesco Davì
Stefan Dziembowski
Daniele Venturi
SCN 2010
Sapienza University of Rome
13/09/2010
Plan
1. Leakage-Resilient Cryptography
- Motivation
- Leakage models
2. Our contribution: Leakage-Resilient Storage
- Definition and Properties
- Constructions
3. Conclusion
Davì, Dziembowski, Venturi – Leakage-Resilient Storage SCN 2010 13/09/2010
How to construct secure cryptographic devices?
[Figure: a cryptographic device running CRYPTO]
The cryptography itself is very secure: security is based on well-defined mathematical problems.
The device is not secure!
The problem
[Figure: the cryptographic device running CRYPTO]
Information leakage
Side channel information from the cryptographic device:
• power consumption,
• electromagnetic radiation,
• timing information,
• …
Leakage-Resilient Cryptography
Design cryptographic protocols that are secure even on the machines that leak information.
Leakage-Resilient Cryptography: The Models
• Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10): only computation leaks; total leakage unbounded
• Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10): all the memory leaks; total leakage bounded
• Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
• Continual memory-leakage (BKKV10, DHLW10): all the memory leaks; total leakage unbounded
Bounded memory-leakage model
The adversary is allowed to learn (adaptively) the values of t leakage functions (chosen by her) on the internal data used by the cryptographic scheme.
Leakage functions
• very restricted class (read-off wires): the adversary retrieves the values of individual wires, i.e. single bits of the internal data
• general leakage (any input-shrinking function): the adversary chooses f and retrieves f(x)
Leakage-Resilient Storage
Enc(m) is stored; Dec recovers m from Enc(m). Note: no secret key.
The adversary (computationally unbounded) chooses (adaptively) t functions g1,…,gt with gi : {0,1}^|Enc(m)| → {0,1}^ci ∈ Γ, and retrieves the ci bits gi(Enc(m)); total leakage < C, where C < |Enc(m)|.
The class Γ is:
• very realistic
• input-shrinking
All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.
Security definition
A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1); we will require that m0, m1 are chosen by the adversary.
Security definition
Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α
The game between the adversary and the oracle:
1. The adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle.
2. The oracle chooses a random b = 0,1 and calculates τ := Enc(mb).
3. For i = 1,...,t: the adversary chooses gi : {0,1}^β → {0,1}^ci ∈ Γ and sends gi; the oracle calculates gi(τ) and returns it.
4. The adversary outputs b’ and wins if b’ = b.
(Enc,Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).
Problem
For a fixed family Γ, how to construct secure (Enc,Dec)? Two cases:
• each leakage function can depend only on some restricted part of the memory → randomness extractors
• the cardinality of Γ is restricted → l-wise independent hash functions
A weaker adversary
Enc(m) := (Rand, f(Rand) ⊕ m)
The adversary applies its leakage functions to the whole encoding: gi(Enc(m)) = gi(Rand, f(Rand) ⊕ m).
The weak adversary applies its leakage functions g’i to Rand only: g’i(Rand).
Lemma
For any Γ, c, t and ε, if an encoding scheme is (Γ, c, t, ε)-secure for the weak adversary, then it is also (Γ, c, t, ε·2^α)-secure for the adversary, where α is the length of the message.
Proof Idea
The weak adversary can simulate the adversary by replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α.
Consider an adversary that wins with advantage δ = ε·2^α; construct a weak adversary that wins with advantage ε = δ·2^(-α).
Two-source Extractor
A (deterministic) two-source extractor takes two independent sources, source1 and source2, each random but far from uniform and with a lot of min-entropy, and outputs an extracted string that is almost uniformly random.
Example: inner product modulo 2.
Memory divided into 2 parts: construction
(remind: each leakage function can depend only on some restricted part of the memory)
Ext is a two-source extractor.
Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m), stored in two memory parts: M0 = R0 and M1 = (R1, Ext(R0,R1) ⊕ m)
Dec(R0, R1, m*) := m* ⊕ Ext(R0,R1)
Memory divided into 2 parts: contribution
If Ext is a two-source extractor, then (Enc, Dec) is secure against an adversary such that each leakage function can depend only on some restricted part of the memory (M0 or M1).
(remind: Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m), Dec(R0, R1, m*) := m* ⊕ Ext(R0,R1))
Proof Idea
(remind: Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m))
It suffices to show that (Enc,Dec) is secure against every weak adversary.
One can prove that even given g’1(R0, R1),…, g’t(R0, R1), R0 and R1
• are still independent
• have high min-entropy (with high probability)
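The two-part memory construction above, as an added example that is not the paper's code: Ext is the inner-product two-source extractor, generalised here from the slide's GF(2) example ("inner product modulo 2") to GF(2^8) so that one extractor call masks a whole byte, and LeakageOracle models the weak adversary's interface (each query reads only M0 or only M1, total leakage < C). N, C and the one-byte message are assumptions of this example.

```python
import os

# Added example, not the paper's code: the two-part memory scheme
# Enc(m) := (R0, R1, Ext(R0,R1) XOR m) with the inner-product two-source
# extractor, generalised from the slide's GF(2) ("inner product modulo 2")
# to GF(2^8) so that one extractor call masks a whole byte (assumption).
N = 16   # field elements per memory half (assumed parameter)
C = 4    # total leakage budget in bytes (assumed parameter)

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ext(r0: bytes, r1: bytes) -> int:
    """Two-source extractor Ext(R0,R1): inner product <R0,R1> over GF(2^8)."""
    acc = 0
    for x, y in zip(r0, r1):
        acc ^= gf_mul(x, y)
    return acc

def enc(m: int) -> tuple:
    """Keyless encoding of one byte: M0 = R0, M1 = (R1, Ext(R0,R1) XOR m)."""
    r0, r1 = os.urandom(N), os.urandom(N)
    return r0, r1 + bytes([ext(r0, r1) ^ m])

def dec(m0: bytes, m1: bytes) -> int:
    """Dec(R0, R1, m*) := m* XOR Ext(R0,R1): needs both parts, no key."""
    r1, masked = m1[:N], m1[N]
    return ext(m0, r1) ^ masked

class LeakageOracle:
    """Weak adversary's view: each query g reads one memory part only and
    returns at most c bytes; the total leakage must stay below C."""
    def __init__(self, m0: bytes, m1: bytes):
        self.parts, self.used = (m0, m1), 0

    def query(self, part: int, g, c: int) -> bytes:
        if self.used + c >= C:          # enforce total leakage < C
            raise ValueError("leakage budget exhausted")
        out = g(self.parts[part])[:c]   # g never sees the other part
        self.used += len(out)
        return out
```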
l-wise independent hash functions
H = {hs : X → Y}s∈I is l-wise independent if, for a uniformly random S ∈ I and any l distinct inputs {x1,…,xl} ∈ X^l, the vector (hS(x1),…,hS(xl)) ∈ Y^l is uniform over Y^l.
Boolean circuits of small size: construction
(remind: the cardinality of Γ is restricted; Γ is the set of functions computable by Boolean circuits of a fixed size)
Let H = {hs : X → Y}s∈I be l-wise independent.
Encs(m) := (R, hS(R) ⊕ m), where R ∈ X is random
Decs(R, m*) := hS(R) ⊕ m*
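The l-wise independence definition and the Encs/Decs construction above, as an added example that is not the paper's code: polynomials of degree l-1 over Z_p are the classical l-wise independent family; the exhaustive check verifies the definition (and shows that the pairwise family is not 3-wise independent), and the mask uses field addition mod p in place of the slide's XOR. P = 7, L = 2 and treating the seed s as a public scheme parameter are assumptions.

```python
import itertools
import secrets

# Added example, not the paper's code: the classical l-wise independent
# family h_s(x) = s_0 + s_1 x + ... + s_{l-1} x^{l-1} over Z_p
# (so X = Y = Z_p and I = Z_p^l), the definition checked exhaustively,
# and the Enc_s/Dec_s scheme built on it. The slide masks with XOR; here
# the mask is field addition mod p (XOR is addition over GF(2)^n), an
# assumption of this example.
P = 7   # small prime so the exhaustive check runs instantly (assumption)
L = 2   # degree l-1 = 1: a pairwise independent family (assumption)

def h(s: tuple, x: int) -> int:
    """Evaluate h_s at x with Horner's rule; s holds the L coefficients."""
    acc = 0
    for coef in reversed(s):
        acc = (acc * x + coef) % P
    return acc

def is_k_wise_uniform(xs: tuple) -> bool:
    """Definition check: over uniformly random S in I, the vector
    (h_S(x1),...,h_S(xk)) for distinct x1..xk must be uniform over Y^k,
    i.e. each of the |Y|^k tuples is hit by exactly |I|/|Y|^k seeds."""
    counts = {}
    for s in itertools.product(range(P), repeat=L):   # all seeds S in I
        out = tuple(h(s, x) for x in xs)
        counts[out] = counts.get(out, 0) + 1
    per_tuple = P ** L // P ** len(xs)
    return len(counts) == P ** len(xs) and all(v == per_tuple for v in counts.values())

def enc(s: tuple, m: int) -> tuple:
    """Enc_s(m) := (R, h_S(R) + m) for random R in X; s is assumed public."""
    r = secrets.randbelow(P)
    return r, (h(s, r) + m) % P

def dec(s: tuple, r: int, masked: int) -> int:
    """Dec_s(R, m*) := m* - h_S(R)."""
    return (masked - h(s, r)) % P
```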
Conclusion and Future work
Achieved:
• We have defined a primitive to securely store information in hardware that may leak information
• We have given constructions of such a scheme in two relevant scenarios
Open:
• Refreshing of the storage
• From storage to computation: compute with encoded data
• Find more applications