implementation and evaluation of a leakage resilient
play

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM - PowerPoint PPT Presentation

Mar 29, 2023 •370 likes •712 views

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann Groschdl 3 , Zhe Liu 3 , Praveen K. Vadnala 3 , Srinivas Vivek 3 1 CNRS/Loria, France 2 SCYTL Secure Electronic Voting, Spain 3 University of

  1. Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann Großschädl 3 , Zhe Liu 3 , Praveen K. Vadnala 3 , Srinivas Vivek 3 1 CNRS/Loria, France 2 SCYTL Secure Electronic Voting, Spain 3 University of Luxembourg PROOFS 2014 David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  2. Side-Channel Attacks Use data leaked due to the physical nature of computation: running time power consumption electromagnetic-radiation leak acoustic emanation photons emissions ground electric potential fault attacks David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  3. Side-Channel Attacks Countermeasures SCA Countermeasures flow Aimed at specific attacks input message Concrete implementations K ⋆ target computation Leakage model meaningful f ( K ⋆ , T ) Reasonably practical leakage model SCA-resistant primitives ϕ noise N actual leakage � � N X ≈ ϕ ( K ⋆ , T ) distinguisher D attack/non-attack � K = D ( X , T ) David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  4. Side-Channel Attacks Countermeasures SCA Countermeasures flow Aimed at specific attacks input message Concrete implementations K ⋆ target computation Leakage model meaningful f ( K ⋆ , T ) Reasonably practical leakage model SCA-resistant primitives ϕ noise N However... actual leakage � � N X ≈ ϕ ( K ⋆ , T ) distinguisher D attack/non-attack � K = D ( X , T ) David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  5. Side-Channel Attacks Countermeasures SCA Countermeasures flow � Aimed at specific attacks input message � Concrete implementations K ⋆ target computation � Leakage model meaningful f ( K ⋆ , T ) � Reasonably practical leakage model SCA-resistant primitives ϕ noise A new attack ( ϕ, N , D ) might be N discovered actual leakage � Endless? cat-and-mouse game � � N X ≈ ϕ ( K ⋆ , T ) distinguisher D security? � K = D ( X , T ) David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  6. SCA Countermeasures vs. Leakage-Resilient Cryptography SCA countermeasures Leakage-Resilient Crypto � Aimed at specific attacks � Aimed at generic attacks � Concrete implementations � No implementations � Leakage model meaningful � Leakage model generic � Reasonably practical � Not practical SCA-resistant primitives A new attack ( ϕ, N , D ) might be discovered � Endless? cat-and-mouse game � Security reduction David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  7. Meaningful Leakage-Resilient Cryptography � Aimed at general attacks � Leakage model meaningful � Reasonably practical SCA-resistant primitives � Security reduction � Concrete implementations David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  8. Meaningful Leakage-Resilient Cryptography � Aimed at general attacks � Leakage model meaningful � Reasonably practical SCA-resistant primitives � Security reduction � Concrete implementations In this work we take a step forward towards to this goal David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  9. Our contribution A more reasonable leakage modeling We depart from an existing practical ElGamal KEM and modify it using practical motivations We use the theory and practice of SCA to argue that it potentially meets the leakage bound We implement the scheme on an ARM Cortex M-3 processor David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  10. Stateful Key Encapsulation Mechanisms A stateful KEM scheme Π = ( KeyGen , Enc , Dec 1 , Dec 2 ) consists of efficient algorithms: � � KeyGen ( 1 κ ) outputs pk , ( sk 0 , sk ′ 0 ) Enc ( pk ) outputs ( K , C ) Dec 1 ( sk i − 1 , C ) updates sk i − 1 to sk i and outputs intermediate state w i Dec 2 ( sk ′ i − 1 , w i ) updates sk ′ i − 1 to sk ′ i and outputs key K or ⊥ David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  11. ElGamal KEM with Multiplicative Masking $ ← Z q . Set X = g x , sk 0 = t 0 , sk ′ KG ( κ ) : choose x , t 0 0 = x / t 0 . Return ( X , ( sk 0 , sk ′ 0 ) ) ← Z q . Compute C = g r and K = X r ; return ( C , K ) $ Enc ( pk ) choose r $ ← Z q , set sk i = sk i − 1 · t i , Y i = C sk i . Return ( t i , Y i ) Dec1 ( sk i − 1 , C ) pick t i sk ′ − 1 , and return K = Y Dec2 ( sk ′ i − 1 , ( t i , Y i ) , C ) set sk ′ i = sk ′ i − 1 · t i i . i David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  12. CCA1 with Leakage – Stateful KEM We consider chosen-ciphertext and leakage security against lunch-time attacks (CCLA1) CCLA1 Experiment KEM-Leak-Oracle O CCLA1 ( C , f i , h i ) KEM-CCLA1 KEM ( A , κ, λ ) 0 )) ← KG ∗ ( κ, λ ) ( pk , ( sk 0 , sk ′ w ← A O CCLA1 ( · ) ( pk ) r i ( sk i , w i ) ← Dec1 ∗ ( sk i − 1 , C ) r ′ $ i ← { 0 , 1 } ( sk ′ i , K ) ← Dec2 ∗ ( sk ′ i − 1 , w i ) b ( C ∗ , K 0 ) ← Enc ∗ ( pk ) Λ i := f i ( sk i − 1 , r i ) $ K 1 ← K Λ ′ i := h i ( sk ′ i − 1 , r ′ i , w i ) b ′ ← A ( w , C ∗ , K b ) i := i + 1 Return ( K , Λ i , Λ ′ i ) David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  13. CCA1 with Leakage – Stateful KEM We consider chosen-ciphertext and leakage security against lunch-time attacks (CCLA1) CCLA1 Experiment KEM-Leak-Oracle O CCLA1 ( C , f i , h i ) KEM-CCLA1 KEM ( A , κ, λ ) 0 )) ← KG ∗ ( κ, λ ) ( pk , ( sk 0 , sk ′ w ← A O CCLA1 ( · ) ( pk ) r i ( sk i , w i ) ← Dec1 ∗ ( sk i − 1 , C ) r ′ $ i ← { 0 , 1 } ( sk ′ i , K ) ← Dec2 ∗ ( sk ′ i − 1 , w i ) b ( C ∗ , K 0 ) ← Enc ∗ ( pk ) Λ i := f i ( sk i − 1 , r i ) $ K 1 ← K Λ ′ i := h i ( sk ′ i − 1 , r ′ i , w i ) b ′ ← A ( w , C ∗ , K b ) i := i + 1 Return ( K , Λ i , Λ ′ i ) Restriction on leakage functions f i , h i ˜ H ∞ ( t | f i ( σ i − 1 , r i )) ≥ H ∞ ( t ) − λ ∀ t ∈ σ i − 1 ∪ r i , � � ˜ t | h i ( σ ′ i − 1 , r ′ ∀ t ∈ σ ′ i − 1 ∪ r ′ H ∞ i , w i ) ≥ H ∞ ( t ) − λ i ∪ w i . David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  14. Leakage-Resilience of ElGamal KEM State of the art does not allow to give a security reduction with leakage If f i , h i leak λ ≥ 3 / 8 log q bits of each share of the secret key, then there exists a heuristic attack [Galindo-Vivek,IPL 2014] Probably due to the fact that any exponentiation algorithm inherently leaks information about the exponent David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  15. Leakage-Resilience of ElGamal KEM State of the art does not allow to give a security reduction with leakage If f i , h i leak λ ≥ 3 / 8 log q bits of each share of the secret key, then there exists a heuristic attack [Galindo-Vivek,IPL 2014] Probably due to the fact that any exponentiation algorithm inherently leaks information about the exponent Idea! Avoid placing secret data on your exponentiations’ exponents... David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  16. Asymmetric Pairings Let G 1 , G 2 , G T be groups of prime order q G 1 = < g >, G 2 = < G > Pairing e : G 1 × G 2 → G T bilinear: e ( g a , g b ) = e ( g , g ) ab , ∀ a , b ∈ Z non-degenerate: G T = < e ( g , G ) > David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  17. Pairing-Based Stateful ElGamal KEM (Asiacrypt 2010) $ ← Z q . Set X = g x , sk 0 = g t 0 , sk ′ 0 = g x − t 0 , and KG ( κ ) : choose x , t 0 X T = e ( X , G ) . Return ( X T , ( sk 0 , sk ′ 0 ) ) ← Z q . Compute C = G r and K = X r $ Enc ( pk ) choose r T ; return ( C , K ) ← Z q , set sk i = sk i − 1 · G t i , Y i = e ( sk i , C ) . $ Dec1 ( C , sk i − 1 ) pick t i Return ( t i , Y i ) i − 1 · G − t i , and Y ′ Dec2 ( sk ′ i − 1 , ( t i , Y i ) , C ) set sk ′ i = sk ′ i = e ( sk ′ i , C ) . Return K = Y i · Y ′ i ∈ G T David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

  18. ElGamal KEM with Multiplicative Masking $ ← Z q . Set X = g x , sk 0 = t 0 , sk ′ KG ( κ ) : choose x , t 0 0 = x / t 0 . Return ( X , ( sk 0 , sk ′ 0 ) ) ← Z q . Compute C = g r and K = X r ; return ( C , K ) $ Enc ( pk ) choose r $ ← Z q , set sk i = sk i − 1 · t i , Y i = C sk i . Return ( t i , Y i ) Dec1 ( sk i − 1 , C ) pick t i sk ′ − 1 , and return K = Y Dec2 ( sk ′ i − 1 , ( t i , Y i ) , C ) set sk ′ i = sk ′ i − 1 · t i i . i David Galindo – SCYTL Secure Electronic Voting Evaluation of a Leakage-Resilient ElGamal KEM

Recommend

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient Cryptography Traditional Cryptography: adv has only black-box access to a cryptosystem I O LR-Cryptography: open the black-box more

279 views • 25 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP &amp; UCL Crypto Group &amp; Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient in the random oracle

668 views • 27 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 51 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.2k views • 104 slides
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec. 5th 2018 1 / 55 Yu Chen 1 Yuyu Wang 2 Hong-Sheng Zhou 3 1 SKLOIS-IIE-CAS, UCAS 2 Tokyo Institute of Technology, IOHK, AIST 3 Virginia Commonwealth

1.29k views • 116 slides
Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan Dziembowski, Tomasz Kazana, Micha Zaj c , Maciej Zdanowicz Estonian Computer Science Theory Days Jekla 2-4.10.2015 Computers can be

542 views • 32 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April 20th, 2018 1 / 41 Yu Chen 1 Baodong Qin 2 Haiyang Xue 1 1 SKLOIS, IIE, Chinese Academy of Sciences 2 Xian University of Posts and Telecommunication

1.92k views • 115 slides
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of Science Israel Foundations of Cryptography Rigorous analysis of the security of cryptographic schemes Adversarial model Notion of security

428 views • 20 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India B. Qin and S. Liu LR-CCA Secure

580 views • 47 slides
Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on

Challenges in Leakage-Resilient Symmetric Cryptography Krzysztof Pietrzak ECRYPT II Workshop on Physical Attacks, Graz, November 28, 2012 Krzysztof Pietrzak Challenges in Leakage-ResilientSymmetric Cryptography Krzysztof Pietrzak Challenges

994 views • 96 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides
Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable Codes Dana Dachman-Soled University of Maryland Joint work with: Mukul Kulkarni and Aria Shahverdi, University of Maryland Talk is also based on

572 views • 35 slides
AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family Extended Abstract Chun Guo,

AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family Extended Abstract Chun Guo,

AET-LR: Rate-1 Leakage-Resilient AEAD based on the Romulus Family Extended Abstract Chun Guo, Mustafa Khairallah and Thomas Peyrin Shandong University, Shandong, China 201999900076@sdu.edu.cn Nanyang Technological University, Singapore, Singapore

815 views • 28 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital &lt; HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Evaluation of environmental requirements implementation in Lithuania Basis of the Evaluation In

Evaluation of environmental requirements implementation in Lithuania Basis of the Evaluation In

Presentation for the Conference SEA implementation and Practise: Making an Impact? Theme SEA and EU Cohesion Policy: Coming together ar still far apart? Evaluation of environmental requirements implementation in Lithuania Basis of the

481 views • 16 slides

More recommend