
Input-shrinking functions: theory and application

PhD candidate: Francesco Davì
Computer Science Department
Sapienza University of Rome

Reviewers:
Prof. Mirosław Kutiłowski
Dr. Ivan Visconti

Thesis committee:
Dr. Stefan Dziembowski (advisor)
Prof. Luigi Vincenzo Mancini
Prof. Alessandro Mei

Rome, 02/03/2012

Cryptography on Non-Trusted Machines Project

- F. Davì, S. Dziembowski and D. Venturi: Leakage-Resilient Storage, in J. Garay and R. De Prisco (eds.), Seventh Conference on Security and Cryptography for Networks (SCN 2010), LNCS 6280, Springer 2010.

Input-shrinkingfunctions: theory and application Francesco Davì

- Seventh Conference on Security and Cryptography for Networks (SCN 2010), Amalfi, 13-15 September 2010;
- Workshop on Provable Security against Physical Attacks, Leiden, 15-19 February 2010;
- Theory of Cryptography Conference (TCC 2010), Zurich, 9-11 February 2010;
- Summer School on Provable Security, Barcelona, 7-11 September 2009;
- Bertinoro International Spring School (BiSS 2009), Bertinoro, 2-6 March 2009;
- Berlin-Poznan Seminar / ASZ Workshop 2008, "Humboldt-Universität", Berlin, 20-21 June 2008.


- May-July 2011: visiting student, Cryptography and Data Security Group, "Uniwersytet Warszawski", Warsaw, Poland;
- May-June 2008: Methods for Discrete Structures (Pre)Doc-Course 2008 on Random and Quasirandom Graphs, "Humboldt-Universität", Berlin, Germany.


- Introduction and Motivations
- Leakage-Resilient Storage
- Authenticated Key Exchange protocol in the Bounded-Retrieval Model


Design of secure cryptographic schemes

For a long time, this was mostly based on intuition and experience.

Such solutions were broken in a short time.


- Formal definition of security and adversarial model
- Formal proof of security: no adversary can break the scheme

Security:

- Information-theoretic (unbounded adversary)
- Standard model (reduction from hard problems)
- Random Oracle Model (cryptographic hash functions)


Security against all known (even future) attacks

Developed very fast

Attained a large number of secure cryptographic schemes


Once implemented, some of the schemes were broken!

It is easy to step outside the security model.


Black-box view: the adversary chooses the input X of the cryptosystem (CRYPTO) and receives only the output Y.

No information about the internal state of the cryptosystem.


Real-world view: CRYPTO runs on a MACHINE (PC, smartcard, …); the adversary chooses the input X and receives the output Y together with a leakage λ from the machine.

- During the execution, the adversary can measure:
  - Power consumption
  - Electromagnetic radiation
  - Time
  - Sound

Side-channel attacks

Even partial leakage suffices to completely break a scheme


Exploit physical measurements on real devices

Practitioners: find countermeasures (and exploit new attacks)

- mostly ad hoc
- often without a formal proof of security
- cannot provide security against all possible attacks

Recent trend: extend the realm of provable security


Design protocols that are secure even if they are implemented on machines that may leak information


Leakage-Resilient Cryptography: The Models

- Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10, DP10, KP10, DF11): only computation leaks; total leakage unbounded
- Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10): all the memory leaks; total leakage bounded
- Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
- Continual memory-leakage (BKKV10, DHLW10, BSW11, LRW11, LLW11, DLWW11): all the memory leaks; total leakage unbounded


Leakage model

The adversary is allowed to learn (adaptively) the values of some leakage functions (chosen by her) on the internal state of the cryptographic scheme.


"Probing Attacks" [ISW03]: the state S is a Boolean circuit; the adversary can learn the values on up to t wires.

Bounded-Retrieval Model, "Memory Attacks" [AGV09]: the adversary learns Λ(S) for an input-shrinking function Λ of her choice.


[FRRTV10, DDV10]: the adversary learns Λ(S) for a low-complexity input-shrinking function Λ.

[MR04, DP08, DDV10]: the state is split into two parts S0 and S1, and the adversary learns Λ(S0) and Λ(S1) for input-shrinking functions Λ applied to each part separately.


Design models that:

- are realistic (i.e. they correspond to the real-life adversaries)
- allow to construct secure schemes

tradeoff


- Introduction and Motivations
- Leakage-Resilient Storage
- Authenticated Key Exchange protocol in the Bounded-Retrieval Model


An encoding scheme to securely store data on hardware that may leak information

PROS: information-theoretic solution

CONS: analysis of concrete parameters does not seem to allow for efficient feasibility in practice


Leakage-Resilient Storage

All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.

The message m is stored as Enc(m); Dec(Enc(m)) = m. Note: no secret key.

The adversary:

- is computationally unbounded (very realistic)
- chooses (adaptively) t functions Λ1, …, Λt, with Λi: {0,1}^|Enc(m)| → {0,1}^λi ∈ Γ
- each Λi is input-shrinking: the adversary retrieves λi bits, and the total leakage is < λ, where λ < |Enc(m)|
- Decode ∈ Γ


Security definition

A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1).

We will require that m0, m1 are chosen by the adversary.


Adversary model

Enc(m) := (Rand, f(Rand) ⊕ m)

Adversary: chooses Λi and learns Λi(Enc(m)) = Λi(Rand, f(Rand) ⊕ m).

Weak adversary: chooses Λ'i and learns only Λ'i(Rand).


Lemma

For any family of functions Γ, if an encoding scheme is secure for the weak adversary, then it is also secure for the adversary, with security loss 2^α, where α is the length of the message.


Problem

For a fixed family Γ, how to construct a secure (Enc, Dec)?

- each leakage function can depend only on some restricted part of the memory: randomness extractors
- the cardinality of Γ is restricted: l-wise independent hash functions


Two-source Extractor

A deterministic two-source extractor takes source1 and source2, which are independent and random but far from uniform (each with a lot of min-entropy), and outputs an extracted string that is almost uniformly random.


Memory divided into 2 parts: construction

(each leakage function can depend only on some restricted part of the memory)

Let Ext be a two-source extractor; R0 and R1 are stored in the two memory parts M0 and M1.

Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m)

Dec(R0, R1, m*) := m* ⊕ Ext(R0,R1).


Proof Idea

Recall Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m).

It suffices to show that (Enc, Dec) is secure against every weak adversary.

One can prove that even given Λ'1(Ri), …, Λ't(Ri), the values R0 and R1:

- are still independent
- have high min-entropy (with high probability)
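The two-part construction above, as an added Python example (not the thesis' own code): Ext is instantiated with the inner-product function over GF(P), a classical two-source extractor, and the leakage function shown is a hypothetical split-state leakage that reads a few bits of one memory part only. P, N and the 31-bit message size are demo parameters, not the thesis' concrete ones.

```python
import secrets

# Constructed demo parameters: inner-product extractor over the prime
# field GF(P) with vectors of length N; P is a Mersenne prime, so the
# extracted value fits in 31 bits and can be XORed with a 31-bit message.
P = (1 << 31) - 1
N = 16

def ext(r0, r1):
    """Two-source extractor Ext(R0, R1) = <R0, R1> mod P.
    Inner product is a two-source extractor when R0 and R1 are
    independent and each still has enough min-entropy."""
    assert len(r0) == len(r1) == N
    return sum(a * b for a, b in zip(r0, r1)) % P

def random_part():
    """One memory part: a uniformly random vector in GF(P)^N."""
    return [secrets.randbelow(P) for _ in range(N)]

def enc(m):
    """Enc(m) := (R0, R1, Ext(R0,R1) XOR m) for a 31-bit message m.
    R0 goes to memory part M0 and R1 to memory part M1."""
    assert 0 <= m < (1 << 31)
    r0, r1 = random_part(), random_part()
    return r0, r1, ext(r0, r1) ^ m

def dec(r0, r1, m_star):
    """Dec(R0, R1, m*) := m* XOR Ext(R0,R1)."""
    return m_star ^ ext(r0, r1)

def split_state_leak(encoding, part, lam):
    """Hypothetical leakage allowed by the split-state model: an
    input-shrinking function of ONE part only, here the lam low-order
    bits of that part's first coordinate (lam bits out of N*31)."""
    r = encoding[part]          # part 0 -> R0 (M0), part 1 -> R1 (M1)
    return r[0] & ((1 << lam) - 1)

def roundtrip(m):
    """Encode and decode m; returns the recovered message."""
    r0, r1, c = enc(m)
    return dec(r0, r1, c)
```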



l-wise independent hash functions

H = {hs: X → Y}_{s ∈ I} is l-wise independent if, for a uniformly random S ∈ I and any l distinct inputs {x1, …, xl} ∈ X^l, the tuple (hS(x1), …, hS(xl)) is uniform over Y^l.


Boolean circuits of small size: construction

(the cardinality of Γ is restricted: Γ is the set of functions computable by Boolean circuits of a fixed size)

H = {hs: X → Y}_{s ∈ I} is l-wise independent; R ∈ X is random.

Encs(m) := (R, hS(R) ⊕ m)

Decs(R, m*) := hS(R) ⊕ m*
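The l-wise independent family and the encoding Enc_S, as an added Python example (not the thesis' own code): the family is the standard one of polynomials of degree below l over GF(P), and a brute-force check over every seed exhibits the l-wise independence definition on a tiny field. P, L and the 31-bit message size are demo choices.

```python
import itertools
import secrets

# Family: X = Y = GF(p), seed S = (s_0, ..., s_{l-1}) in GF(p)^l and
# h_S(x) = s_0 + s_1 x + ... + s_{l-1} x^{l-1} mod p.  On l distinct
# points the map S -> (h_S(x_1), ..., h_S(x_l)) is a bijection
# (Vandermonde), so the output tuple is uniform for uniform S.

def poly_hash(seed, x, p):
    """Evaluate h_S(x) over GF(p) with Horner's rule."""
    acc = 0
    for coeff in reversed(seed):
        acc = (acc * x + coeff) % p
    return acc

def is_l_wise_uniform(p, points):
    """Check the definition by brute force over ALL seeds in GF(p)^l:
    every tuple in Y^l must be hit equally often.  Only feasible for
    tiny p and l; returns False for repeated points, as it should."""
    l = len(points)
    counts = {}
    for seed in itertools.product(range(p), repeat=l):
        out = tuple(poly_hash(seed, x, p) for x in points)
        counts[out] = counts.get(out, 0) + 1
    return len(counts) == p ** l and len(set(counts.values())) == 1

# Concrete instance of the encoding (demo parameters): P fits in 31
# bits, so XOR with a 31-bit message is well-defined.
P = (1 << 31) - 1
L = 8          # the family below is 8-wise independent

def keygen():
    """Uniformly random seed S in I = GF(P)^L."""
    return [secrets.randbelow(P) for _ in range(L)]

def enc_s(seed, m):
    """Enc_S(m) := (R, h_S(R) XOR m) with random R in X."""
    assert 0 <= m < (1 << 31)
    r = secrets.randbelow(P)
    return r, poly_hash(seed, r, P) ^ m

def dec_s(seed, r, m_star):
    """Dec_S(R, m*) := h_S(R) XOR m*."""
    return poly_hash(seed, r, P) ^ m_star
```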


- Introduction and Motivations
- Leakage-Resilient Storage
- Authenticated Key Exchange protocol in the Bounded-Retrieval Model


Client and Server share a huge random file

The attacker can retrieve a large portion of it

Authenticated Key Exchange (AKE) protocol:

- provide Client and Server with a short shared key
- client-to-server authentication
- security against active attackers

PROS: protocol analysis + efficient implementation

CONS: Random Oracle model


CLIENT and SERVER run a Key Exchange protocol and both obtain a Key.

Problem: Man-in-the-Middle attack

Solution: Authentication


CLIENT and SERVER share a Password and run a Password-based Authenticated Key Exchange protocol (a Key Exchange protocol) to obtain a shared Key.


Cash, Ding, Dodis, Lee, Lipton and Walfish: "Intrusion-resilient key exchange in the Bounded Retrieval Model". In TCC (2007)

CLIENT and SERVER first run a Weak Key Exchange protocol, which gives both of them a low-entropy, human-memorizable Password; they then run a Universally-Composable Password-based Authenticated Key Exchange protocol to obtain the Key.

Universally-Composable Password-based Authenticated Key Exchange: cannot be implemented in the standard model


Setup: long shared secret random file F

CLIENT and SERVER run a Weak Key Exchange protocol on F and obtain a shared Password; they then run a Universally-Composable Password-based Authenticated Key Exchange protocol (Random Oracle model) and obtain a Key that is indistinguishable from random.

The adversary learns Λ(F) for an input-shrinking function Λ and is active over the channel.

Implemented using the OpenSSL crypto library


Setup: long shared secret random file F

CLIENT and SERVER run the Weak Key Exchange protocol and obtain the Password; the adversary learns Λ(F) and is active over the channel.

We prove that: even given Λ(F), the Password has high min-entropy (with high probability), i.e. the shared passwords are individually unpredictable for the adversary.


Setup: long shared secret random file F (a long random bit string)

CLIENT chooses random indexes IDX_CLIENT and SERVER chooses random indexes IDX_SERVER; they exchange them.

Create password: each party concatenates the corresponding bits of F (e.g. 0 1 0 0 0 1 …).

Drawback: the indexes are several large numbers.


Setup: long shared secret random file F (a long random bit string)

Random Oracle model. Public parameter: cryptographic hash function H.

CLIENT chooses a random short SEED_CLIENT and SERVER chooses a random short SEED_SERVER; they exchange the seeds.

Calculate indexes: IDXi = H(i|SEED)

Create password: each party concatenates the corresponding bits of F (e.g. 0 0 1 0 1 0 …). To the adversary, who knows only Λ(F), the password is unpredictable.
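The seed-based weak key exchange above, as an added Python example (not the thesis' OpenSSL implementation): both parties derive the same index list IDX_i = H(i|SEED) and read the corresponding bits of F, and a toy leakage function shows how many password positions fall inside the leaked part of F. Assumptions: H is SHA-256, i is encoded as 4 big-endian bytes, SEED = SEED_CLIENT|SEED_SERVER, indexes are reduced modulo the file length, and F is a constructed 64 KiB pseudo-random file.

```python
import hashlib
import random

# Constructed demo file F: 64 KiB of pseudo-random bits from a fixed
# seed (stands in for the long shared random file; not the thesis' data).
_rng = random.Random(2012)
F_BYTES = bytes(_rng.getrandbits(8) for _ in range(65536))
F_BITS = len(F_BYTES) * 8

def bit_of_f(f, idx):
    """Bit number idx of F, most significant bit of each byte first."""
    byte, off = divmod(idx, 8)
    return (f[byte] >> (7 - off)) & 1

def derive_indexes(seed, t, n_bits):
    """IDX_i = H(i | SEED) for i = 0..t-1, with H = SHA-256 and the
    digest reduced modulo the file length (demo assumptions)."""
    idxs = []
    for i in range(t):
        digest = hashlib.sha256(i.to_bytes(4, "big") + seed).digest()
        idxs.append(int.from_bytes(digest, "big") % n_bits)
    return idxs

def weak_key_exchange(f, seed_client, seed_server, t):
    """What each party computes after the two short seeds are exchanged.
    Assumption: SEED = SEED_CLIENT | SEED_SERVER.  Returns the password
    (t bits of F as a '0'/'1' string) and the index list used."""
    idxs = derive_indexes(seed_client + seed_server, t, len(f) * 8)
    password = "".join(str(bit_of_f(f, i)) for i in idxs)
    return password, idxs

def bits_known_to_adversary(idxs, leaked_prefix_bits):
    """Toy input-shrinking leakage Lambda(F) = the first
    leaked_prefix_bits bits of F.  Counts password positions inside the
    leaked region; the remaining positions stay unpredictable."""
    return sum(1 for i in idxs if i < leaked_prefix_bits)
```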


CLIENT and SERVER run the Weak Key Exchange protocol to obtain the Password, then the Universally-Composable Password-based Authenticated Key Exchange protocol to obtain the Key.


Abdalla, Catalano, Chevalier and Pointcheval: Efficient two-party password-based key exchange protocols in the UC framework. CT-RSA (2008)

(Modified) Diffie-Hellman Key Exchange:

- No assumptions on the distribution of the passwords
- One-flow encrypted
- Two cryptographic hash functions to compute the secret key and provide authentication


Setup: long shared secret random file F

CLIENT and SERVER run the Weak Key Exchange protocol (the adversary learns Λ(F)) and obtain the Password; they then run the Universally-Composable Password-based Authenticated Key Exchange protocol, a Diffie-Hellman Key Exchange encrypted with the Password, and obtain the Key. The adversary knows neither F nor the Password.


Experimental parameters: security parameter, leakage, shared file size, t = number of indexes.

Running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 4GB of RAM, under the 64-bit version of Ubuntu 11.04


Thank you!


To achieve security one assumes that the power of the adversary during the "physical attack" is "limited in some way"; this should be justified by some physical characteristics of the device.


Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α

Adversary: chooses m0, m1 ∈ {0,1}^α and sends them to the oracle.

Oracle:

- chooses a random b = 0,1
- calculates τ := Enc(mb)

For i = 1,...,t: the adversary chooses Λi: {0,1}^β → {0,1}^λi ∈ Γ and sends Λi; the oracle calculates Λi(τ) and returns it.

The adversary outputs b' and wins if b' = b.

(Enc, Dec) is (Γ, λ, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).


Lemma

For any Γ, λ, t and ε, if an encoding scheme is (Γ, λ, t, ε)-secure for the weak adversary, then it is also (Γ, λ, t, ε·2^α)-secure for the adversary, where α is the length of the message.


Proof Idea

Consider an adversary that wins with advantage δ = ε·2^α.

Construct a weak adversary that wins with advantage δ·2^-α = ε.

The weak adversary can simulate the adversary, replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α.


Setup: finite cyclic group G = <g> of order a prime number p

CLIENT: a ← [p-1], A ← g^a mod p, sends A to SERVER
SERVER: b ← [p-1], B ← g^b mod p, sends B to CLIENT
CLIENT: K = B^a mod p
SERVER: K = A^b mod p
Both obtain K = g^ab mod p


Setup: finite cyclic group G = <g> of order a prime number p

CLIENT: a ← [p-1], A ← g^a mod p, sends A
Man-in-the-middle: e ← [p-1], E ← g^e mod p; intercepts A and forwards E to SERVER, intercepts B and forwards E to CLIENT
SERVER: b ← [p-1], B ← g^b mod p, sends B
CLIENT: K = E^a mod p, while the man-in-the-middle computes KC = A^e mod p
SERVER: K = E^b mod p, while the man-in-the-middle computes KS = B^e mod p

They need authentication!


Setup: finite cyclic group G = <g> of order a prime number p; CLIENT and SERVER share Pwd

CLIENT: a ← [p-1], A ← g^a mod p, sends A
SERVER: b ← [p-1], B ← g^b mod p, sends ENC_Pwd(B)
CLIENT: B = DEC_Pwd(ENC_Pwd(B)), DH_C = B^a mod p, KEY_C = H0(Pwd|DH_C), AUTH = H1(Pwd|DH_C), sends AUTH
SERVER: DH_S = A^b mod p; if AUTH = H1(Pwd|DH_S) then KEY_S = H0(Pwd|DH_S), else ERROR
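The password-authenticated exchange above, as an added Python example (not the thesis' OpenSSL implementation): both parties' steps run in one process, a wrong password makes the server answer ERROR, and a correct one yields equal keys. Assumptions: a toy placeholder group (P = 23, Q = 11, g = 4, not secure parameters), H0/H1 as SHA-256 with domain tags, and ENC_Pwd as a password-derived XOR mask standing in for the paper's one-flow encryption.

```python
import hashlib
import secrets

# Toy placeholder group (NOT secure parameters): g = 4 generates the
# subgroup of prime order Q = 11 in Z_P^*, P = 23.
P, Q, G = 23, 11, 4

def H(tag, *parts):
    """H0, H1 and the mask hash as SHA-256 with a domain tag; '|' on
    the slide is concatenation.  Assumption for this demo."""
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(b"|" + x)
    return h.digest()

def enc_pwd(pwd, value):
    """ENC_Pwd(B): XOR of B with a 16-bit password-derived mask; a demo
    stand-in for the paper's one-flow password encryption."""
    mask = int.from_bytes(H(b"mask", pwd), "big") & 0xFFFF
    return value ^ mask

dec_pwd = enc_pwd  # XOR masking is its own inverse

def client_step1():
    a = 1 + secrets.randbelow(Q - 1)            # a <- [p-1]
    return a, pow(G, a, P)                      # A = g^a mod p

def server_step(pwd_s, a_pub):
    b = 1 + secrets.randbelow(Q - 1)            # b <- [p-1]
    b_pub = pow(G, b, P)                        # B = g^b mod p
    dh_s = pow(a_pub, b, P)                     # DH_S = A^b mod p
    return enc_pwd(pwd_s, b_pub), dh_s          # send ENC_Pwd(B)

def client_step2(pwd_c, a, enc_b):
    b_pub = dec_pwd(pwd_c, enc_b)               # B = DEC_Pwd(...)
    dh = pow(b_pub, a, P).to_bytes(2, "big")    # DH_C = B^a mod p
    key_c = H(b"H0", pwd_c, dh)                 # KEY_C = H0(Pwd|DH_C)
    auth = H(b"H1", pwd_c, dh)                  # AUTH  = H1(Pwd|DH_C)
    return key_c, auth

def server_finish(pwd_s, dh_s, auth):
    dh = dh_s.to_bytes(2, "big")
    if auth != H(b"H1", pwd_s, dh):
        return None                             # ERROR: bad AUTH
    return H(b"H0", pwd_s, dh)                  # KEY_S = H0(Pwd|DH_S)

def run(pwd_c, pwd_s):
    """Whole flow; returns (KEY_C, KEY_S), KEY_S is None on ERROR."""
    a, a_pub = client_step1()
    enc_b, dh_s = server_step(pwd_s, a_pub)
    key_c, auth = client_step2(pwd_c, a, enc_b)
    return key_c, server_finish(pwd_s, dh_s, auth)
```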
