Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience
Antonio Faonio (Department of Computer Science, Aarhus University, Aarhus, Denmark)
Daniele Venturi (Department of Information Engineering and Computer Science, University of Trento, Trento, Italy)
December 8, 2016
(Provably Secure) Crypto before Physical Attacks
[figure: two parties P1 and P2 running a protocol]
Crypto with Physical Attacks
[figure: parties P1 and P2; the adversary observes side-channel leakage and tampers with a party's state]
Leakage Attacks [Koc96], Tampering Attacks [BDL97]
(Minimal) Related Works
Tampering models: memory vs. circuit ([GLMMR04], [IPSW06]); restricted vs. bounded tampering ([DPW10, BK03], [DFMV13]).
Definitions of Bounded-Tamper (and Leakage) Resilience; identification schemes and signatures (ROM); CCA-secure PKE.
Our Contributions
- BLT signature scheme. Example: the impossibility result of [GLMMR03] does not hold in this model.
- BLT CCA public-key encryption via the Naor-Yung paradigm. What about Cramer-Shoup?
Section 2: BLT-CCA PKE
(t, ℓ)-BLT IND-CCA PKE
[figure: adversary A receives public parameters ppar, submits ciphertexts c and receives messages m from the decryption oracle]
A leaks ℓ bits before the challenge; A instantiates t tampering oracles before the challenge (for ℓ + t ≤ |sk| − ω(log k)).
The Scheme of [QL13]: Building Blocks
ε-Hash Proof System
  Complete: for c ∈ V, Pub_pk(c, w) = Λ_sk(c).
  Sound: for c ∈ C \ V and any pk = μ(sk): H̃∞(K := Λ_sk(c) | pk) ≥ −log ε.
  Set Membership Problem: distinguishing c ∈ V from c ∈ C \ V is hard.
δ-extractor: if H̃∞(X | Z) ≥ δ, then (Z, S, Ext(X, S)) ≈ (Z, S, U).
The Scheme of [QL13]: Building Blocks, Pt. 2
ℓ-(OT-)Lossy Filter LF_φ : T × X → Y, with tag space T = {0,1}* × T_c (auxiliary part and core tag t_c)
  Lossiness: for a lossy tag, the image |{LF_φ(tag, ·)}| ≤ 2^ℓ.
  Indistinguishability: lossy tags and injective tags are computationally indistinguishable.
  Evasiveness: it is hard to forge a lossy core tag t*_c, even given one lossy tag.
The Scheme of [QL13]
[figure: the encryption pipeline, where the ciphertext element C yields the HPS key K, a seed S feeds the extractor Ext, and the output masks the message m]
H̃∞(K* | pk, C*, L) ≥ −log ε − |L|
H̃∞(K* | pk, C*, L, Π) ≥ −log ε − |L| − ℓ
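As an added example (not the slides' or the paper's own code), here is a toy DDH-style hash proof system in Python over a constructed order-11 subgroup of Z_23^*. It checks the two HPS properties from the Building Blocks slide (completeness on V, and the soundness bound H̃∞(K | pk) ≥ −log ε, which for this construction holds with ε = 1/q) and the leakage bound from the scheme slide (a 1-bit leakage function on sk lowers the min-entropy of K by at most |L| = 1 bit). The group, generators, secret key, ciphertexts and the parity leakage function are constructed assumptions; the conditional min-entropy is computed by brute force over all secret keys consistent with pk, which is only feasible because the group is tiny.

```python
import math
from itertools import product

# Constructed toy parameters: safe prime p = 2q + 1 and its subgroup of prime order q.
P = 23
Q = 11
G1, G2 = 4, 9  # generators of the order-11 subgroup (4 = 2^2, 9 = 3^2 mod 23)

def mu(sk):
    """Projection mu(sk) = pk = g1^x1 * g2^x2 for sk = (x1, x2) in Z_q^2."""
    x1, x2 = sk
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P

def valid_ciphertext(r):
    """An element of V with witness r: (g1^r, g2^r)."""
    return (pow(G1, r, P), pow(G2, r, P))

def invalid_ciphertext(r, r2):
    """An element of C \\ V whenever r != r2 (mod q): (g1^r, g2^r2)."""
    return (pow(G1, r, P), pow(G2, r2, P))

def private_eval(sk, c):
    """Lambda_sk(c) = c1^x1 * c2^x2: the key computed with the secret key."""
    x1, x2 = sk
    c1, c2 = c
    return (pow(c1, x1, P) * pow(c2, x2, P)) % P

def public_eval(pk, w):
    """Pub_pk(c, w) = pk^w: the same key computed from pk and the witness w."""
    return pow(pk, w, P)

ALL_SK = list(product(range(Q), repeat=2))

def completeness_holds():
    """Slide property 'Complete': Pub_pk(c, w) == Lambda_sk(c) for every sk and c in V."""
    return all(
        public_eval(mu(sk), r) == private_eval(sk, valid_ciphertext(r))
        for sk in ALL_SK for r in range(Q)
    )

def cond_min_entropy(pk, c, leak=lambda sk: None):
    """Average-case min-entropy H~_inf(Lambda_sk(c) | pk, leak(sk)), brute-forced
    over all sk consistent with pk, with sk uniform among them.

    H~_inf(X | Z) = -log2( sum_z Pr[Z=z] * max_x Pr[X=x | Z=z] ),
    which for uniform sk reduces to -log2( sum_z max_count_z / n )."""
    consistent = [sk for sk in ALL_SK if mu(sk) == pk]
    n = len(consistent)
    # counts[z][x] = number of consistent sk with leak(sk) == z and Lambda_sk(c) == x
    counts = {}
    for sk in consistent:
        z, x = leak(sk), private_eval(sk, c)
        counts.setdefault(z, {})
        counts[z][x] = counts[z].get(x, 0) + 1
    guess_prob = sum(max(per_x.values()) for per_x in counts.values()) / n
    return -math.log2(guess_prob)

def demo():
    """Constructed key and ciphertexts; returns the checked quantities."""
    sk = (3, 5)
    pk = mu(sk)
    c_valid = valid_ciphertext(2)
    c_invalid = invalid_ciphertext(2, 7)
    return {
        "complete": completeness_holds(),
        # c in V: pk fixes K completely, so the adversary's guessing entropy is 0
        "H_valid": cond_min_entropy(pk, c_valid),
        # c outside V: K is uniform over the group given pk, i.e. log2(q) = -log2(eps)
        "H_invalid": cond_min_entropy(pk, c_invalid),
        # one leaked bit (parity of x1) costs at most one bit of min-entropy
        "H_invalid_1bit_leak": cond_min_entropy(pk, c_invalid, leak=lambda s: s[0] % 2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For an invalid ciphertext the map sk ↦ (μ(sk), Λ_sk(c)) is a bijection on Z_q^2, which is why exactly q secret keys are consistent with pk and each gives a different K; the brute-force entropy therefore comes out as log2 q, matching the slide's −log ε with ε = 1/q, and drops by exactly one bit under the parity leakage, the worst case the bound −log ε − |L| allows.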
Reduce Tampering to Leakage
[figure: the reduction keeps an auxiliary string aux = L(sk) obtained by leakage on sk]
Interact an unbounded number of times with Dec_{T(sk)}, while aux stays small and bounded.
Simulating the tampered decryption oracle
Let s̃k = T(sk) and leak μ(s̃k). On a query ((C, S, Φ), t_c, Π):
  C ∈ V: (C, μ(s̃k)) fully define K. Execute decryption.
  C ∉ V: depends on H̃∞(Λ_s̃k(C) | View = v). If big, output ⊥; if small, leak s̃k and run Dec_s̃k.
Yeah, but what do big and small even mean? I would tell you, if I had time...
Mathemagical!!
β = s − log ε, s = log |SK|, α = log |PK|
We pay approximately α + β bits of leakage for each tampering oracle: s/t = α + β.
We can instantiate the HPS using RSI.
Open Problems
- Is the tampering rate O(1/k) inherent?
- A better Hash Proof System?
Thank You!