
Leakage-Resilient Storage

Leakage-Resilient Storage. Sapienza University of Rome. Francesco Davì Stefan Dziembowski Daniele Venturi. SCN 2010 13/09/2010. Plan. Leakage-Resilient Cryptography - Motivation - Leakage models 2. Our contribution: Leakage-Resilient Storage - Definition and Properties


Presentation Transcript


  1. Leakage-Resilient Storage. Sapienza University of Rome. Francesco Davì, Stefan Dziembowski, Daniele Venturi. SCN 2010, 13/09/2010.

  2. Plan. (1) Leakage-Resilient Cryptography: Motivation; Leakage models. (2) Our contribution: Leakage-Resilient Storage: Definition and Properties; Constructions. (3) Conclusion.

  3. How to construct secure cryptographic devices? [Figure: a cryptographic device. CRYPTO: very secure, security based on well-defined mathematical problems. Implementation: not secure!]

  4. The problem. [Figure: a cryptographic device. Implementation: easy to attack. CRYPTO: hard to attack.]

  5. Information leakage. Side channel information: power consumption, electromagnetic radiation, timing information, … [Figure: a cryptographic device.]

  6. Leakage-Resilient Cryptography. Design cryptographic protocols that are secure even on the machines that leak information.

  7. Leakage-Resilient Cryptography: The Models. Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10): only computation leaks, total leakage unbounded. Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10): all the memory leaks, total leakage bounded. Auxiliary input (DKL09, DGKPV10): all the memory leaks, computationally hard to recover the secret from the leakage. Continual memory-leakage (BKKV10, DHLW10): all the memory leaks, total leakage unbounded.

  8. Bounded memory-leakage model. The adversary is allowed to learn (adaptively) the values of t leakage functions (chosen by her) on the internal data used by the cryptographic scheme.

  9. Leakage functions. They range from a very restricted class (read-off wires) to general leakage (any input-shrinking function). [Figure: the adversary chooses f and retrieves f(x).]

  10. Plan. (1) Leakage-Resilient Cryptography: Motivation; Leakage models. (2) Our contribution: Leakage-Resilient Storage: Definition and Properties; Constructions. (3) Conclusion.

  11. Leakage-Resilient Storage. [Figure: m → Enc → Enc(m) → Dec → m; the adversary applies g_1,…,g_t to Enc(m).] Note: no secret key. The adversary is computationally unbounded and chooses (adaptively) t functions g_i : {0,1}^|Enc(m)| → {0,1}^c_i, g_i ∈ Γ, retrieving c_i bits from each. The leakage is input-shrinking: total leakage < C, where C < |Enc(m)|. Slide annotations: very realistic; Decode ∈ Γ. All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.

  12. Security definition. A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1). We will require that m0, m1 are chosen by the adversary. [Figure: Enc(m0) or Enc(m1)?]

  13. Security definition. Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α. Game between the adversary and an oracle: (1) the adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle; (2) the oracle chooses a random b = 0,1 and calculates τ := Enc(mb); (3) for i = 1,...,t the adversary chooses g_i : {0,1}^β → {0,1}^c_i, g_i ∈ Γ, and the oracle calculates g_i(τ) and returns it; (4) the adversary outputs b’ and wins if b’ = b. (Enc, Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).

  14. Problem. For a fixed family Γ, how to construct secure (Enc, Dec)? Two cases: each leakage function can depend only on some restricted part of the memory (tool: randomness extractors); the cardinality of Γ is restricted (tool: l-wise independent hash functions).

  15. A weaker adversary. Enc(m) := (Rand, f(Rand) m). The adversary chooses g_i and learns g_i(Enc(m)) = g_i(Rand, f(Rand) m). The weak adversary chooses g’_i and learns g’_i(Rand).

  16. Lemma. For any Γ, c, t and ε, if an encoding scheme is (Γ, c, t, ε)-secure for the weak adversary then it is also (Γ, c, t, ε·2^α)-secure for the adversary, where α is the length of the message.

  17. Proof Idea. Consider an adversary that wins with advantage δ = ε·2^α. Construct a weak adversary that wins with advantage ε = δ·2^-α: it can simulate the adversary, replacing f(Rand) m with a random string z ∈ {0,1}^α.

  18. Two-source Extractor. [Figure: source1 and source2 feed a deterministic Two-Source Extractor, which outputs the extracted string.] The sources are independent and random; they may be far from uniform but have a lot of min-entropy. The extracted string is almost uniformly random. Example: inner product modulo 2.

  19. Memory divided into 2 parts: construction. Reminder: each leakage function can depend only on some restricted part of the memory. [Figure: memory parts M0, M1; Ext takes R0 and R1 and outputs Ext(R0,R1).] Enc(m) := (R0, R1, Ext(R0,R1) m). Dec(R0, R1, m*) := Ext(R0,R1) m*.

  20. Memory divided into 2 parts: contribution. If Ext is a two-source extractor, then (Enc, Dec), with Enc(m) := (R0, R1, Ext(R0,R1) m) and Dec(R0, R1, m*) := Ext(R0,R1) m*, is secure against an adversary such that each leakage function can depend only on some restricted part of the memory. [Figure: memory parts M0, M1.]

  21. Proof Idea. Reminder: Enc(m) := (R0, R1, Ext(R0,R1) m). It suffices to show that (Enc, Dec) is secure against every weak adversary. One can prove that even given g’_1(R0, R1),…, g’_t(R0, R1), R0 and R1: are still independent; have high min-entropy (with high probability).

  22. Problem. For a fixed family Γ, how to construct secure (Enc, Dec)? Two cases: each leakage function can depend only on some restricted part of the memory (tool: randomness extractors); the cardinality of Γ is restricted (tool: l-wise independent hash functions).

  23. l-wise independent hash functions. H = {h_s : X → Y}, s ∈ I, is l-wise independent if, for uniformly random S ∈ I and each {x1,…,xl} in X^l, the values {h_S(x1),…,h_S(xl)} are uniform over Y^l.

  24. Boolean circuits of small size: construction. Reminder: the cardinality of Γ is restricted; here Γ is the set of functions computable by Boolean circuits of a fixed size. H = {h_s : X → Y}, s ∈ I, is l-wise independent. Enc_s(m) := (R, h_S(R) m), where R ∈ X is random. Dec_s(R, m*) := (h_S(R) m*).

  25. Plan. (1) Leakage-Resilient Cryptography: Motivation; Leakage models. (2) Our contribution: Leakage-Resilient Storage: Definition and Properties; Construction. (3) Conclusion.

  26. Conclusion and Future work. Achieved: we have defined a primitive to securely store information in hardware that may leak information; we have given constructions of such a scheme in two relevant scenarios. Open: refreshing of the storage; from storage to computation (compute with encoded data); find more applications.
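Added example, not part of the slides or the authors' paper: the two-part construction of slides 18-20 for a one-bit message, with inner product modulo 2 as Ext, and an exact computation of how far apart the adversary's views of Enc(0) and Enc(1) are. Assumptions: the operator joining Ext(R0,R1) and m did not survive in the transcript and is taken to be XOR; the 8-bit parts, the non-adaptive leakage, handing the masked bit to the adversary in full, and all function names are illustrative choices.

```python
from collections import Counter
from fractions import Fraction
from itertools import product
import secrets

N = 8  # bits per memory part; toy size so all randomness can be enumerated


def ext(r0: int, r1: int) -> int:
    """Inner product modulo 2 of two N-bit vectors packed into integers."""
    return bin(r0 & r1).count("1") & 1


def enc(bit: int) -> tuple[int, int, int]:
    """Enc(m) := (R0, R1, Ext(R0,R1) XOR m); the XOR is an assumption."""
    r0, r1 = secrets.randbits(N), secrets.randbits(N)
    return r0, r1, ext(r0, r1) ^ bit


def dec(r0: int, r1: int, masked: int) -> int:
    return ext(r0, r1) ^ masked


def view_distance(leak) -> Fraction:
    """Exact statistical distance between the views of Enc(0) and Enc(1).

    The view is leak(R0, R1) together with the masked bit. The best
    distinguisher guesses b with probability 1/2 + distance/2.
    """
    counts = (Counter(), Counter())
    for r0, r1 in product(range(2 ** N), repeat=2):
        e = ext(r0, r1)
        for m in (0, 1):
            counts[m][(leak(r0, r1), e ^ m)] += 1
    views = set(counts[0]) | set(counts[1])
    diff = sum(abs(counts[0][v] - counts[1][v]) for v in views)
    return Fraction(diff, 2 * 4 ** N)


def split_leak(r0: int, r1: int):
    """Two functions, each reading only one memory part (2 bits of each)."""
    return (r0 & 0b11, r1 & 0b11)


def joint_leak(r0: int, r1: int):
    """One output bit, but computed over both parts: outside the allowed family."""
    return ext(r0, r1)


if __name__ == "__main__":
    print("split leakage:", view_distance(split_leak))
    print("joint leakage:", view_distance(joint_leak))
```

The joint function is input-shrinking (one bit) yet breaks the scheme completely, which is why the leakage family Γ has to be restricted and not only the amount of leakage.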
