
Recent Progress in Leakage-Resilient Cryptography

Daniel Wichs (NYU), China Theory Week 2010. Cryptography relies on secrets, but real cryptographic devices expose many side-channels (timing, power, radiation, heat, acoustics), so secrets can leak. The talk surveys cryptography that stays secure when a bounded amount of arbitrary information about the secret key leaks.


Presentation Transcript


  1. Recent Progress in Leakage-Resilient Cryptography. Daniel Wichs (NYU), China Theory Week 2010.

  2. Leakage Attacks
    • Cryptography relies on secrets.
    • Cryptographic devices: in reality, many "side-channels"! Timing, power, radiation, heat, acoustics… Secrets can leak!
    • Natural response: Not our problem. Blame the "engineers", they should fix this!
    • Theory/Crypto can help!
    [Figure: a device holding secret keys, with input and output arrows.]

  3. Cryptography With Leakage
    • Can we do cryptography with incomplete secrecy?
    • Need a way to model leakage first!
    • In this talk: Adv can learn arbitrary information about the secret key as long as its amount is bounded. [AGV09]
    • Adv specifies any poly-time function Leak : {0,1}* → {0,1}^L, where L is the leakage bound.
    • Learns the output Leak(sk).

  4. Leakage Resilient Cryptography (outline)
    • Password Login and One-Way Functions.
    • Identification Schemes and Signatures.
    • Public-Key Encryption.

  5. Password Login Scheme
    [Figure: Prover Bob holds (pk_Bob, sk_Bob); Verifier Alice holds pk_Bob and accepts Bob. Leakage stage: the adversary learns Leak(sk_Bob). Impersonation stage: the adversary, holding some sk', tries to log in as Bob; Alice should reject.]

  6. Using One-Way Functions
    [Figure: pk_Bob = y = f(x), sk_Bob = x. Prover Bob sends x; Verifier Alice accepts iff y = f(x).]
    • Standard OWF: get y = f(x), hard to find any x' ∈ f^{-1}(y).
    • Suffices for regular "password login" security.
    • L-LR OWF: get y = f(x) & Leak(x), hard to find x' ∈ f^{-1}(y).
    • Not satisfied by general OWFs (easy counter-examples).
    • … but can be constructed from general OWFs.

  7–10. OWF ⇒ SPRF ⇒ LR-OWF (built up over four slides)
    • OWF: get y = f(x), hard to find any x' ∈ f^{-1}(y).
    • L-LR OWF: also get L bits of leakage about x.
    • SPRF (second-preimage resistant function): get x, hard to find any x' ≠ x s.t. f(x') = f(x).
    • Non-triviality: input length n > output length k.
    • Can build from any OWF for any n = poly(k) [Rom90].
    Theorem [ADW09, KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR OWF for L ≈ n − k.
    [Figure: domain/range picture with y = f(x), the preimage x, and a second preimage x' of y.]

  11. Proof: Any SPRF is LR-OWF
    Theorem [ADW09, KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR-OWF for L ≈ n − k.
    Assume: Can break L-LR-OWF. There is an efficient A s.t. A(f(x), Leak(x)) = x' with f(x') = f(x).
    Conclude: Can break SPR. Let B(x) = A(f(x), Leak(x)). B succeeds if (1) A succeeds and (2) A does not return x' = x.
    A has too little info about x: its whole view is |f(x)| + |Leak(x)| = k + L bits, so Pr[A guesses x] ≤ 2^{k+L−n}, which is negligible as long as k + L stays below n by a super-logarithmic margin.
    [Figure: domain/range picture with y = f(x) and x.]

  12. Proof: Any SPRF is LR-OWF (cont.)
    Corollary: If OWFs exist then L-LR-OWFs exist with L = (1 − o(1))·n.
    Open Question: Can we get LR-OWFs that are permutations?
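The counting step of the proof above ("A's view is k + L bits, so Pr[A guesses x] ≤ 2^{k+L−n}") can be checked exactly on a toy instance. The following Python is an added example, not code from the slides: it uses a truncated SHA-256 as a stand-in for the SPRF (a fixed many-to-one map, not a proof-grade SPRF), lets the adversary leak the low-order bits of x, enumerates the whole domain to build the strongest possible inverter A, and then runs the reduction B(x) = A(f(x), Leak(x)) to see how often B lands on a second preimage. The parameters n, k, L and the leakage function are assumptions of the example.

```python
import hashlib
from collections import defaultdict

# Toy parameters (assumed): input length n, output length k, leakage bound L, in bits.
N_BITS, K_BITS, L_BITS = 12, 6, 3


def f(x: int) -> int:
    """Toy compressing function f : {0,1}^n -> {0,1}^k.
    Truncated SHA-256 stands in for the SPRF; it is only a fixed many-to-one map
    so the counting argument can be checked exactly by enumeration."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << K_BITS) - 1)


def leak(x: int, l_bits: int = L_BITS) -> int:
    """Adversary-chosen leakage Leak : {0,1}^n -> {0,1}^L.
    Here it reveals the l_bits low-order bits of x; any fixed function of x would do."""
    return x & ((1 << l_bits) - 1)


def views(n: int = N_BITS, l_bits: int = L_BITS) -> dict:
    """Group every x in {0,1}^n by the adversary's view (f(x), Leak(x))."""
    buckets = defaultdict(list)
    for x in range(1 << n):
        buckets[(f(x), leak(x, l_bits))].append(x)
    return buckets


def best_inverter(buckets: dict):
    """The strongest (even unbounded) adversary A: given a view, return one preimage.
    Its choice can depend only on the view, not on x; we take the smallest element."""
    choice = {view: min(xs) for view, xs in buckets.items()}
    return lambda y, z: choice[(y, z)]


def prob_a_guesses_x(n: int = N_BITS, l_bits: int = L_BITS) -> float:
    """Pr_x[ A(f(x), Leak(x)) == x ] for the best possible A.
    A is right for exactly one x per view, so this equals #views / 2^n <= 2^(k+L-n)."""
    return len(views(n, l_bits)) / (1 << n)


def prob_b_breaks_spr(n: int = N_BITS, l_bits: int = L_BITS) -> float:
    """The reduction B(x) = A(f(x), Leak(x)) breaks second-preimage resistance
    whenever A returns a valid x' != x. Returns Pr_x[ B outputs such an x' ]."""
    buckets = views(n, l_bits)
    A = best_inverter(buckets)
    wins = 0
    for x in range(1 << n):
        x2 = A(f(x), leak(x, l_bits))
        if x2 != x and f(x2) == f(x):
            wins += 1
    return wins / (1 << n)


if __name__ == "__main__":
    bound = 2.0 ** (K_BITS + L_BITS - N_BITS)
    print(f"Pr[A guesses x]  = {prob_a_guesses_x():.4f}  (bound 2^(k+L-n) = {bound:.4f})")
    print(f"Pr[B breaks SPR] = {prob_b_breaks_spr():.4f}  (at least 1 - 2^(k+L-n) = {1 - bound:.4f})")
```

Because A always returns a valid preimage, the two probabilities sum to one: every x on which A fails to guess x itself is an x on which B has found a second preimage. Raising l_bits toward n − k drives the bound to 1, which is the point of the theorem's L ≈ n − k.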

  13. Leakage Resilient Cryptography (outline)
    • Password Login and One-Way Functions.
    • Identification Schemes and Signatures.
    • Public-Key Encryption.

  14. Identification Schemes
    [Figure: Prover Bob holds (pk_Bob, sk_Bob); Verifier Alice holds pk_Bob and accepts Bob. Learning stage: the adversary, knowing pk_Bob, interacts with Bob as a verifier. Impersonation stage: the adversary tries to convince Alice; she should reject.]

  15. Leakage-Resilient Identification [ADW09]
    • Bob's key can leak!!! (during the learning stage, not afterward)
    [Figure: as on slide 14, but during the learning stage the adversary additionally receives leakage on sk_Bob.]

  16. Tool: Zero-Knowledge Proof of Knowledge
    [Figure: NP relation R. The Prover holds instance y and witness x; the Verifier holds y and outputs Accept/Reject.]
    • Witness Indistinguishable (WI): Even if V is dishonest, it cannot tell which witness x is being used by the prover.
    • Proof of Knowledge (PoK): Even if P is dishonest, one can extract some valid witness x' for y from P.

  17–21. ID Schemes from ZK-PoK (built up over five slides)
    • Assume: f : {0,1}^n → {0,1}^k is SPR and Π is a ZK-PoK for y = f(x).
    Thm [ADW09]: Π is a secure L-LR ID scheme for L ≈ n − k.
    Pf: Assume Adv breaks ID security.
    • Learning stage: Adv sees y = f(x) (k bits), the leakage (L bits), and interactions with P(x), which by witness indistinguishability reveal 0 bits about which preimage is used. In total only k + L < n bits of info on x.
    • Impersonation stage: Adv convinces the verifier, so by the proof-of-knowledge property we can extract some x' ∈ f^{-1}(y). Since Adv has too little information about x, x' ≠ x with noticeable probability.
    • To break SPR: given x, simulate the "Learning Stage" to Adv with x, then extract x' ≠ x with f(x') = f(x).
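The slides keep f and Π abstract. The following Python is an added example, not part of the talk, that instantiates them with a standard choice: f(x1, x2) = g1^x1 · g2^x2 in a prime-order group (many-to-one, second-preimage resistant under discrete log) and Okamoto's three-move protocol as the witness-indistinguishable proof of knowledge. It shows an honest identification run, a knowledge extractor that recovers a witness from two rewound transcripts, and the reduction step "extract x' ≠ x with f(x') = f(x)". The group parameters P, Q, G1, G2 are toy values assumed for the example and are far too small for real use.

```python
import secrets

# Toy group (assumed for this example): the order-Q subgroup of Z_P^*, P = 2Q + 1 prime.
# G1 and G2 are squares mod P, hence of order Q.
P, Q = 2039, 1019
G1, G2 = 4, 9
assert pow(G1, Q, P) == 1 and pow(G2, Q, P) == 1


def f(x):
    """The SPR function f(x1, x2) = G1^x1 * G2^x2 mod P.
    It maps n = 2*log2(Q) secret bits to k = log2(Q) output bits, so every y has Q
    preimages; any two of them reveal log_G1(G2), which is why f is SPR under DL."""
    x1, x2 = x
    return pow(G1, x1, P) * pow(G2, x2, P) % P


def keygen():
    """(pk, sk) = (y, x) with y = f(x) for uniformly random x in Z_Q^2."""
    sk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return f(sk), sk


# Okamoto's protocol: a witness-indistinguishable proof of knowledge of x with f(x) = y.
def prover_commit():
    """Move 1: the prover picks random r in Z_Q^2 and sends a = f(r)."""
    r = (secrets.randbelow(Q), secrets.randbelow(Q))
    return f(r), r


def prover_respond(sk, r, c):
    """Move 3: z = r + c*x (mod Q), componentwise, for the verifier's challenge c."""
    return tuple((ri + c * xi) % Q for ri, xi in zip(r, sk))


def verifier_check(y, a, c, z):
    """Accept iff f(z) = a * y^c; this holds because f is a group homomorphism."""
    return f(z) == a * pow(y, c, P) % P


def identify(y, sk):
    """One honest run between P(x) and a verifier that knows only y."""
    a, r = prover_commit()
    c = secrets.randbelow(Q)  # move 2: the verifier's challenge
    return verifier_check(y, a, c, prover_respond(sk, r, c))


def extract(c1, z1, c2, z2):
    """Knowledge extractor: two accepting transcripts with the same commitment a and
    challenges c1 != c2 give x = (z1 - z2) / (c1 - c2) mod Q. The reduction obtains such
    a pair by rewinding the impersonator."""
    inv = pow((c1 - c2) % Q, -1, Q)
    return tuple(((u - v) * inv) % Q for u, v in zip(z1, z2))


def another_preimage(sk, t=1):
    """A second witness for the same y: (x1 + d*t, x2 - t) with d = log_G1(G2).
    d is brute-forced here only to exhibit the many-to-one structure of f; the reduction
    never computes it, it gets a second preimage from the extractor instead."""
    d = next(i for i in range(Q) if pow(G1, i, P) == G2)
    return ((sk[0] + d * t) % Q, (sk[1] - t) % Q)


def break_spr_via_extractor(sk):
    """The reduction from the slides: given x, simulate the learning stage with x, then run
    the impersonator. Here the impersonator is an honest prover holding a different witness
    x' (possible precisely because the learning stage leaks < n bits about x).
    Rewinding it yields x' with f(x') = f(x) and x' != x, i.e. a second preimage."""
    y = f(sk)
    assert identify(y, sk)                 # learning stage: Adv watches P(x) run
    sk_prime = another_preimage(sk)        # the impersonator's own witness
    a, r = prover_commit()
    c1, c2 = 1, 2                          # rewind: same a, two distinct challenges
    z1, z2 = prover_respond(sk_prime, r, c1), prover_respond(sk_prime, r, c2)
    assert verifier_check(y, a, c1, z1) and verifier_check(y, a, c2, z2)
    x_ext = extract(c1, z1, c2, z2)
    return x_ext, (x_ext != sk and f(x_ext) == y)


if __name__ == "__main__":
    pk, sk = keygen()
    print("honest identification accepted:", identify(pk, sk))
    x_ext, broke = break_spr_via_extractor(sk)
    print("extracted second preimage:", x_ext, "breaks SPR:", broke)
```

Witness indistinguishability is visible in the transcript distribution: (a, c, z) is uniform over pairs satisfying f(z) = a·y^c whichever preimage the prover holds, so watching the prover (and receiving up to roughly log2(Q) leaked bits) leaves the verifier unable to tell which of the Q witnesses was used.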

  22. LR Signatures [ADW09, KV09, DHLW09, BSW10]
    • Similar to ID schemes with two big differences:
      • Cannot have interaction.
      • Need to bind each execution to a message.
    • Solution: use Non-Interactive ZK-PoK for x.
    • Various techniques to bind proofs to messages (tricky):
      • Random Oracles [ADW09]
      • "Simulation-Sound" Proofs [KV09]
      • CCA Encryption [DHLW10]

  23. Leakage Resilient Cryptography (outline)
    • Password Login and One-Way Functions.
    • Identification Schemes and Signatures.
    • Public-Key Encryption.

  24. LR Public-Key Encryption [AGV09, NS09]
    • Leakage on the decryption key prior to seeing the ciphertext.

  25–29. Hash Proof Enc Scheme [AGV09, NS09] (built up over five slides)
    • Enc scheme with sk = x, pk = f(x) for some SPRF f.
    [Figure: public key space vs. secret key space; several secret keys map to the same PK. ENC under PK yields C; DEC under SK returns M.]
    • Correctness ⇔ All x ∈ f^{-1}(pk) decrypt C to the correct M.
    • Fake Encryption: C' = Fake(pk). Decryption of C' depends on x: different preimages x ∈ f^{-1}(pk) decrypt it to different messages M1, M2, M3, ….
    • Can't distinguish C from C' (even given x).

  30. Proof: Hash Proof Enc is LR [AGV09, NS09]
    [Figure: "Real World": C = RealENC(PK, M) and DEC(SK, C) = M. "Fake World": C' = FakeENC(PK) and DEC(SK, C') ∈ {M1, M2, M3, …} depending on SK. The adversary holds PK = y and L(SK); the two worlds are ≈ indistinguishable.]
    • Real and fake ciphertexts are indistinguishable even given sk, so they remain indistinguishable given only pk and the leakage L(sk).
    • In the fake world the decryption depends on which x ∈ f^{-1}(pk) the secret key is, and Adv has only k + L < n bits of information about x (leaked before the ciphertext is seen), so the message stays hidden.
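As an added example (not code from the talk), the following Python instantiates the hash-proof encryption scheme above with the DDH-based construction: pk = f(x1, x2) = g1^x1 · g2^x2, real ciphertexts (g1^r, g2^r, pk^r · m), and fake ciphertexts (g1^r, g2^r', ·) with r ≠ r'. It checks the two properties the slides rely on: every key in f^{-1}(pk) decrypts a real ciphertext to the same message, while different keys in f^{-1}(pk) decrypt a fake ciphertext to different values. Distinguishing real from fake is the DDH problem on (g1, g2, g1^r, g2^r'), which is hard even when x is known; the example only exhibits the key-dependence, it does not (and cannot) break DDH. The group parameters are toy values assumed for the example.

```python
import secrets

# Toy group (assumed for this example): the order-Q subgroup of Z_P^*, P = 2Q + 1 prime.
# G1 and G2 are squares mod P, hence of order Q. Far too small for real use.
P, Q = 2039, 1019
G1, G2 = 4, 9


def f(x):
    """f(x1, x2) = G1^x1 * G2^x2 mod P: the SPR function whose output is the public key."""
    return pow(G1, x[0], P) * pow(G2, x[1], P) % P


def keygen():
    """sk = x uniform in Z_Q^2, pk = f(x)."""
    sk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return f(sk), sk


def real_encrypt(pk, m, r=None):
    """Real ciphertext (G1^r, G2^r, pk^r * m); the same exponent r appears in both slots."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G1, r, P), pow(G2, r, P), pow(pk, r, P) * m % P)


def fake_encrypt(pk, r=None, r2=None):
    """Fake(pk): (G1^r, G2^r2, c3) with r != r2 and an arbitrary third component.
    Nothing about the plaintext is fixed by pk alone; what Dec returns depends on x."""
    r = secrets.randbelow(Q) if r is None else r
    if r2 is None:
        r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q   # any exponent different from r
    assert r != r2
    return (pow(G1, r, P), pow(G2, r2, P), 1 + secrets.randbelow(P - 1))


def decrypt(sk, c):
    """Dec(x, c) = c3 / (c1^x1 * c2^x2). For a real ciphertext the divisor is pk^r
    for every x in f^{-1}(pk); for a fake one it is G1^(r*x1) * G2^(r2*x2), which varies."""
    c1, c2, c3 = c
    k = pow(c1, sk[0], P) * pow(c2, sk[1], P) % P
    return c3 * pow(k, -1, P) % P


def preimages(sk, ts=(0, 1, 2, 3)):
    """Several secret keys in f^{-1}(pk): (x1 + d*t, x2 - t) with d = log_G1(G2).
    d is brute-forced here only to exhibit the key set; no party in the scheme knows it,
    and without it one key x gives no handle on the others."""
    d = next(i for i in range(Q) if pow(G1, i, P) == G2)
    return [((sk[0] + d * t) % Q, (sk[1] - t) % Q) for t in ts]


def decryptions_over_keys(sk, c):
    """Plaintexts obtained by decrypting c under different keys in f^{-1}(pk).
    Correctness: one value for a real ciphertext. Fake ciphertexts: one value per key."""
    return {decrypt(x, c) for x in preimages(sk)}


if __name__ == "__main__":
    pk, sk = keygen()
    m = 1234
    print("real  :", decryptions_over_keys(sk, real_encrypt(pk, m)))
    print("fake  :", decryptions_over_keys(sk, fake_encrypt(pk)))
```

The leakage argument of slide 30 rides on the second print line: once the challenge ciphertext is replaced by a fake one, the plaintext Adv would obtain is a function of which x ∈ f^{-1}(pk) Bob holds, and k + L < n bits of prior information about x do not pin that down.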

  31. Back to Bigger Picture…

  32. Criticism/Extensions
    • Q: What if leakage depends on complexity?
      • Bad: more resilience ⇒ more complexity ⇒ more leakage.
      • Fix: Bounded Retrieval Model [Dzi06, …, ADW09, ADNSWW10] (complexity does not grow with resilience!)
    • Q: Why is leakage bounded overall? Should "leak-per-use"!
      • Continuous Leakage with "Key Updates" [DHLW10, BKKV10]
    • Q: Why measure leakage in output "bits"?
      • Noisy Leakage: use "entropy loss" [NS09, DHLW10]
      • Auxiliary Input: use "hardness of inverting" [DKL09, DGK+10]

  33. Conclusions
    Many more models/results (esp. in the last 2 years)… Riv97, Boy99, CDH+00, DSS01, KZ03, ISW03, MR04, DP08, GKR08, Pie09, AGV09, ADW09, DKL09, ADN+10, DGK+10, GKPV10, FKPR10, DHLW10a, FRRTV10, JRV10, GR10, DHLW10b, BKKV10, WL10, BSW10, …
    Many open questions, much still left to do!
