lea eakag age res resilie ilient nt crypt ptogra graphy
play

Lea eakag age-Res Resilie ilient nt Crypt ptogra graphy phy - PowerPoint PPT Presentation

Jan 01, 2023 •264 likes •857 views

Sebastian Faust Aarhus University, Denmark Lea eakag age-Res Resilie ilient nt Crypt ptogra graphy phy -- -- for r symmetric mmetric pr prim imit itives ives 1 How to construct cryptodevices? cryptographic device very secure

  1. Sebastian Faust Aarhus University, Denmark Lea eakag age-Res Resilie ilient nt Crypt ptogra graphy phy -- -- for r symmetric mmetric pr prim imit itives ives 1

  2. How to construct cryptodevices? cryptographic device very secure  well-defined mathematical object  often proof-driven security analysis Leakage Resilient Crypto CRYPTO Extend concept of proof- driven security analysis to implementation-level much less secure!  many ways of implementing: details matter!  security analysis by experiments, rarely proofs 2

  3. The approach of provable security 1. Define model & security notion Example: Digital signatures key K signature message 3

  4. The approach of provable security 1. Define model & security notion Example: Digital signatures Forgery for new key K message repeat Scheme is secure: no adversary can output a valid forgery! 4

  5. The approach of provable security 1. Define model & security notion 2. Design cryptoscheme Usually described in mathematical language 5

  6. The approach of provable security 1. Define model & security notion 2. Design cryptoscheme Usually described in mathematical language 3. Prove security Reduce security of complex scheme to simple assumption, e.g.,  Number theory: studied intensively in math  One-wayness of function: major breakthrough in complexity  Shows security not only against one specific attack, but any efficient (PPT) attack within the model (if assumption holds) 6

  7. Time to relax? Security proof implies…  secure against all known attacks  secure against all attacks that may be discovered in future Provably secure systems get broken in practice! Underlying assumptions are false? Not for standard assumptions Bugs in proofs? Only rarely! So what‟s wrong? 7

  8. Model Reality Models make idealized assumptions  Hash functions behave as random oracles  Black-box computation

  9. Black-box model vs. Reality Security model: Black box Reality: Attacking mathematical algorithm Attacking the implementation K X Y X Y input output K key implement Implementations leak partial Controls inputs/outputs information about internals But: Internal computation and key Leakage: e.g., power consumption, completely hidden running time, electromagnetic radiation… 9

  10. Physical devices are not black boxes 1. Proofs in black-box model less meaningful 2. Even worse: Side-channel attacks exploit leakage and break real-world implementations Important question: what are these classes? Goal of leakage resilient crypto Weaken black-box assumption and incorporate broad classes of leakage into model Develop new cryptoalgorithms with built-in resistance against leakage and prove security 10

  11. Leakage Resilient Cryptography Hot topic… Digital signatures: [AWD09, KV09, FKPR10, DHLW10, BKKV10, BSW11 ,…] Public key encryption: [AGV09, NS09, DHLW10, BKKV10, BSW11 ,…] Identity based encryption: [DHLW10, CDRW10, LRW11 ,…] Multiparty Computation: [ISW03, FRRTV10, GR10, JV10 …] Most of this talk Zero Knowledge: [GJS11] But surprisingly little is known about symmetric primitives… Pseudorandom Generators: [DP08, Pie09, YSPY10] Pseudorandom Functions & Permutations: [DP10, FPS11] 11

  12. Defining leakage K X Y Modeled by a leakage function f Adversary obtains leakage f(K) Arbitrary leakage function? No…  e.g.: f(K) = K means no security Some restrictions are necessary Does this make sense in practice? Arbitrary efficient adversary 12

  13. Defining leakage K X Y Modeled by a leakage function f Adversary obtains leakage f(K) Arbitrary leakage function? No…  e.g.: f(K) = K means no security Some restrictions are necessary Does this make sense in practice? In many cases yes… Power consumption modeled by f(K)= Hamming weight of wires in circuit Running time of device 13

  14. What are possible restrictions? One attempt: consider specific leakage function But we do not want to protect only against specific attacks (such as: Hamming weight, timing) Leakage Resilient Crypto: consider broad classes of leakage functions! 14

  15. A broad class of leakage functions K L is class of poly-time computable Y X input shrinking functions f є L L = { f : {0,1} m -> {0,1} n }, with n < m f( K ) Observation: f is poly-time  can simulate all intermediate values & leak about them Many realistic leakages: HW, running time exploit only poly-log amount of information Problem: total leakage << length of the key Reality: Many observations are possible (many attacks exploit a large number of observations) 15

  16. Continuous Leakage Model Many adaptive observations: K K … X 1 X q Y 1 Y q f 1 f q f 1 ( K ) f q ( K ) 16

  17. Continuous Leakage Model Many adaptive observations: K K … X 1 X q Y 1 Y q f 1 f q f 1 ( K ) f q ( K ) Bounded per observation to n bits But: total leakage >> |K| Models, e.g., DPA where we need many power samples to recover the key 17

  18. Rest of this talk 1. Leakage Resilient Stream Cipher 2. Leakage Resilient PRFs 3. Leakage Resilient Circuits 18

  19. Leakage Resilient Stream Cipher First construction: Dziembowski-Pietrzak-08 Simpler construction: Pietrzak-09 stream ciphers ≈ pseudorandom generators Pseudorandomness: no efficient (PPT) adversary short key can distinguish X from random long pseudo ? random K stream X 19

  20. Stream ciphers in practice SC K X 1 X 2 stream X is time generated in X 3 rounds from K (one block per X 4 round ) . . . 20

  21. Standard Security Notion Given previous blocks, next block should look random SC K . . . X 1 X 2 X i-1 X i Adversary knows Should look random How to extend to leakage setting? 21

  22. Standard Security Notion Given previous blocks, next block should look random SC K f 1 ( K ) f 2 ( K ) f i-1 ( K ) . . . X 1 X 2 X i-1 X i Adversary knows also leakage Should look random Poly-time computable bounded- output leakage function 22

  23. Standard Security Notion Given previous blocks, next block should look random SC K f 1 ( K ) f 2 ( K ) f i-1 ( K ) . . . X 1 X 2 X i-1 X i Adversary knows also leakage Should look random Some problems? 1. adversary can learn entire key K bit-by-bit 2. given leakage f i-1 (K), the block X i is not pseudorandom anymore  f i-1 (K) can leak some bits about X i 23

  24. Key evolution In each round key K i is used to compute new state K i+1 SC K 1 K 2 K 3 . . . X 1 X 2 X 3 - Requirement: Key evolution must be deterministic! Otherwise it cannot be used for encryption! 24

  25. Key evolution In each round key K i is used to compute new state K i+1 SC K 1 K 2 K 3 . . . f 1 ( K 1 ) f 2 ( K 2 ) X 1 X 2 X 3 - Requirement: Key evolution must be deterministic! Otherwise it cannot be used for encryption! - Also key update leaks! Is key evolution sufficient? 25

  26. Is key evolution sufficient? Learning key bit-by-bit does not work anymore SC K 1 K 2 K 3 . . . Can X 2 be pseudorandom given leakage f 1 (K 1 )? No! f 1 ( K 1 ) X 1 X 2 Key evolution deterministic: f 1 computes K 2 and leaks bits of X 2 Even worse: pre-computation attack Leakage function f 1 …f i-1 leak from future state K i  may reveal entire K i even with one bit of leakage 26

  27. How to avoid this attack? Pre-computation attack relevant in practice? No! It‟s a problem of the model… Use restriction introduced by Micali-Reyzin-04: “only computation leaks information” or in other words: “untouched memory cells do not leak information” 27

  28. Only computation leaks state 28

  29. Only computation leaks state: divided into parts R L 29

  30. Only computation leaks state: divided into parts R L if used in current computation if not accessed:  f(L) leaks to adversary  does not leak Restriction can be relaxed in many cases… 30

  31. Independent leakages state: divided into parts R L if used in current computation if not accessed:  f(L) leaks to adversary  f(R) leaks (independently of L) How can we use this to avoid pre-computation? 31

  32. The stream cipher – high-level view Divide memory into three parts: L,X,R L X R holds pseudorandom output of the cipher 32

  33. The stream cipher – high-level view Divide memory into three parts: L,X,R L X R holds secret state 33

  34. The stream cipher – high-level view Divide memory into three parts: L,X,R L 1 X 1 R 1 SC unmodified L 2 := L 1 X 2 R 2 34

  35. The stream cipher – high-level view Divide memory into three parts: L,X,R L 1 X 1 R 1 SC unmodified L 2 := L 1 X 2 R 2 35

  36. The stream cipher – high-level view Divide memory into three parts: L,X,R L 1 X 1 R 1 SC unmodified L 2 := L 1 X 2 R 2 Recall: leakage is polynomial-time computable function, i.e., we can also leak from (X 2 ,R 2 ) 36

  37. The stream cipher – high-level view Divide memory into three parts: L,X,R L 1 X 1 R 1 SC unmodified L 2 X 2 R 2 SC unmodified L 3 X 3 R 3 SC unmodified L 4 X 4 R 4 Alternation prevents pre-computation attack E.g.: f 1 cannot leak about state (L 3 ,X 3 ,R 3 ) 37

  38. The stream cipher – high-level view Divide memory into three parts: L,X,R L 1 X 1 R 1 SC unmodified L 2 X 2 R 2 SC unmodified L 3 X 3 R 3 SC unmodified L 4 X 4 R 4 What can we prove? X i is pseudorandom given X 1 ,… X i-1 and leakages f 1 (X 1 ,R 1 )… f i-2 (X i-2 ,L i-2 ) 38

Recommend

Ca Cambodi mbodia: Cit : City Resilie silience, Chall Challeng enges es and the and

Ca Cambodi mbodia: Cit : City Resilie silience, Chall Challeng enges es and the and

Ca Cambodi mbodia: Cit : City Resilie silience, Chall Challeng enges es and the and the Way F y Forward d Cities for All Conference 2018 at the Cambodia-Korea Cooperation Center (CK CKCC CC) Phnom Penh, November 29-30

255 views • 22 slides
Maintain ntaining ing Resilie ilienc nce, Adapti aptive ve Policy icy Measu sures

Maintain ntaining ing Resilie ilienc nce, Adapti aptive ve Policy icy Measu sures

Republ ublic ic of Indone nesia ia Maintain ntaining ing Resilie ilienc nce, Adapti aptive ve Policy icy Measu sures Novem embe ber 2017 About Investo tor Relatio tions ns Unit of the Republic ublic of Indones

1.22k views • 105 slides
Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability) OpenBSD Higher Availability IDS M:Tier A.R.S.S (Security) DNS Reshaping DNS Local Resolver NTP DMZ A.R.S.S (Stability) Packet

415 views • 16 slides
Ge Geography graphy Be Bee Ro Round d 2: Tr Travel aveling ing Ar Arou ound nd the he

Ge Geography graphy Be Bee Ro Round d 2: Tr Travel aveling ing Ar Arou ound nd the he

Ge Geography graphy Be Bee Ro Round d 2: Tr Travel aveling ing Ar Arou ound nd the he U.S. S. If yo you cl climbed mbed Mo Mount nt Elbert ert an and Mo Mount nt Ma Massive, e, yo you wo would ld be e in n whi hich

580 views • 31 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
A Glimpse of t he Hist ory of Crypt ography Cunsheng Ding Depar t ment of Comput er Science

A Glimpse of t he Hist ory of Crypt ography Cunsheng Ding Depar t ment of Comput er Science

A Glimpse of t he Hist ory of Crypt ography Cunsheng Ding Depar t ment of Comput er Science HKUST, Hong Kong, CHI NA Cunsheng Ding 1 P art I I : Machine Ciphers Cunsheng Ding 2 Enigma Bef ore war broke out in 1939 t he Germans

385 views • 22 slides
wider array of potential outcomes. 2 How We Used to Use Scenario Planning More dense land use

wider array of potential outcomes. 2 How We Used to Use Scenario Planning More dense land use

P LANNING FOR AN AN U NCERTAIN F UTU TURE Usin ing Explo loratory Sce cenario Pla lanning to Create a More Resilie ient Regional Pla lan David Da id Vautin in, Princ rincipal Pla lanner/Analyst Metropolitan Transportation Commission

344 views • 21 slides
water ski, Jet- Ski or parasailing and unexpected encounters such as sting rays and whales a

water ski, Jet- Ski or parasailing and unexpected encounters such as sting rays and whales a

Facts ts about ut Polynes ynesia ia and its geograph graphy Polynesia is a French overseas country in the heart of the South Pacific and made up of over 118 islands. Some are volcanic islands: The Society Islands including Tahiti,

459 views • 10 slides
Al Algo gori rithms thms fo for r in inst stan ance ce-st stable able an and pe d

Al Algo gori rithms thms fo for r in inst stan ance ce-st stable able an and pe d

Al Algo gori rithms thms fo for r in inst stan ance ce-st stable able an and pe d pert rtur urbat bation ion-res resili ilient ent pr prob oblems ems Haris Angelidakis, TTIC Konstantin Makarychev, Northwestern Yury

1.16k views • 44 slides
Blockchains Focus is on abstraction they provide (Take CS 485/585 for how they work)

Blockchains Focus is on abstraction they provide (Take CS 485/585 for how they work)

Cryptographic Primitives Used in Blockchains Focus is on abstraction they provide (Take CS 485/585 for how they work) Public-key, Private-key cryptography Bu But t first st, , sy symm mmetric etric en encr crypt yption ion

545 views • 38 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
A cus custom omer er fo focused fr fram amework fo for el electric ectric sy system

A cus custom omer er fo focused fr fram amework fo for el electric ectric sy system

A cus custom omer er fo focused fr fram amework fo for el electric ectric sy system resilie silience Alison Silverstein May 2018 Full report: https://gridprogress.files.wordpress.com/2018/05/customer focused resilience final

444 views • 9 slides
Lab abor M r Migr grati tion on i in the Maldive ves Piotr Plewa, Ph.D. Duke University

Lab abor M r Migr grati tion on i in the Maldive ves Piotr Plewa, Ph.D. Duke University

Lab abor M r Migr grati tion on i in the Maldive ves Piotr Plewa, Ph.D. Duke University Center for International and Global Studies 1 Geo eogr graphy 1200 islands 188 permanently inhabited 127 industrial 111

517 views • 15 slides
he Clima limate e Change hange Ada dapt ptation ion Project oject The on on Building

he Clima limate e Change hange Ada dapt ptation ion Project oject The on on Building

8/31/12 he Clima limate e Change hange Ada dapt ptation ion Project oject The on on Building uilding Clima limate e Res esilient ilient Far arming ming Communit ommunities ies in in Agus gusan an del del Nor Norte

144 views • 10 slides
COVI OVID-19 19 Kee eeping ping ou our pe r people, ople, co comm mmun unities, ities,

COVI OVID-19 19 Kee eeping ping ou our pe r people, ople, co comm mmun unities, ities,

COVI OVID-19 19 Kee eeping ping ou our pe r people, ople, co comm mmun unities, ities, an and bus d busin inesses esses sa safe fe an and r d res esilien ilient Wha What w t we ar e are e doi doing to ng to supp uppor

284 views • 26 slides
We build Transport for the North John Cridland for a better Spitalfields Crypt Trust Gary

We build Transport for the North John Cridland for a better Spitalfields Crypt Trust Gary

Upfront magazine We build for a better society issue #7: 17, June A Skanska publication in print online Inside this issue Creating a positive legacy K&amp;L Gates Clarissa Coleman We build Transport for the North John Cridland for a

292 views • 5 slides
Bakers Dozen of Inconvenient Truths about Software Engineering Tom Feliz

Bakers Dozen of Inconvenient Truths about Software Engineering Tom Feliz

10/30/2013 Bakers Dozen of Inconvenient Truths about Software Engineering Tom Feliz tom.feliz@tektronix.com Author hor Biograp graphy hy Tom Feliz is a Lead Software Design Engineer at Tektronix Corporation in Beaverton, Oregon. He has

381 views • 9 slides
SRS Client Future direction of SRS client Current Client Tested on 5 different distros in

SRS Client Future direction of SRS client Current Client Tested on 5 different distros in

SRS Client Future direction of SRS client Current Client Tested on 5 different distros in 32 bit and 64 bit Requires a dedicated test/build box Difficult Crypt::OpenPGP dependencies Poor error reporting Not thread

495 views • 5 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum

A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum

A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum alg. &amp; braid Crypt. Licheng Wang and Lihua Wang National Institute of Information and Communications Technology Story of two United

272 views • 8 slides
Welcome to M2 SCCI 2014-2015 Promotion David Albert Huffman David A. Huffman(1925-1999) [Photo:

Welcome to M2 SCCI 2014-2015 Promotion David Albert Huffman David A. Huffman(1925-1999) [Photo:

Welcome to M2 SCCI 2014-2015 Promotion David Albert Huffman David A. Huffman(1925-1999) [Photo: Don Harris] Grenoble Gr enoble Univ Univer ersit ity SCCI - - M2P 2P / M2R 2R Secur ecurit ity, , Crypt ptolog ology and and Coding

610 views • 18 slides
Section of Colonic mucosa biopsy. The black arrow points to the shallow broad based ulcers. The

Section of Colonic mucosa biopsy. The black arrow points to the shallow broad based ulcers. The

Section of Colonic mucosa biopsy. The black arrow points to the shallow broad based ulcers. The blue arrow is on the intact muscularis Mucosa. The yellow arrow points to the Lymphoid hyperplasia. The red points to the crypt abscess. R &amp; D

516 views • 6 slides

More recommend