Loading in 5 sec....

Input- shrinking functions : theory and applicationPowerPoint Presentation

Input- shrinking functions : theory and application

- By
**erwin** - Follow User

- 63 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Input- shrinking functions : theory and application' - erwin

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Leakage-Resilient Cryptography: The Models

### Leakage model

### Leakage-ResilientStorage

### Security definition

### Adversary model

### Lemma

### Problem

### Two-source Extractor

### Memory divided into 2 parts: construction

### Proof Idea

### Problem

### l-wise independent hash functions

### Boolean circuits of small size: construction

### Lemma

### Proof Idea

Input-shrinkingfunctions: theory and application

PhD candidate: Francesco Davì

Computer Science Department

SapienzaUniversity of Rome

Reviewers:

Prof. MirosławKutiłowski

Dr. Ivan Visconti

Thesiscommittee:

Dr. Stefan Dziembowski (advisor)

Prof. Luigi Vincenzo Mancini

Prof. Alessandro Mei

Rome, 02/03/2012

PhD Activity

Cryptography on Non-TrustedMachines Project

- F. Davì, S. Dziembowski and D. Venturi: Leakage-Resilient Storage, J. Garayand R. De Prisco editor, Seventh Conference on Security and Cryptography for Networks(SCN2010), LNCS 6280, Springer2010;

Input-shrinkingfunctions: theory and application Francesco Davì

Conferences, workshops and schools

- Seventh Conference on Security and Cryptography for Networks, (SCN 2010), Amalfi, 13-15 September 2010;
- Workshop on Provable Security against Physical Attacks,
Leiden, 15-19 February 2010;

- Theoryof Cryptography Conference (TCC2010),
Zurich, 9-11 February 2010;

- SummerSchool On ProvableSecurity,
Barcelona, 7-11 September2009;

- Bertinoro international Spring School (BiSS 2009),
Bertinoro, 2-6 March 2009;

- Berlin-Poznan Seminar / ASZ Workshop 2008,
“Humboldt-Universität", Berlin, 20-21 June 2008.

Input-shrinkingfunctions: theory and application Francesco Davì

Experiencesabroad

- May- July 2011:
visitingstudent:Cryptography and Data Security

Group,

"UniwersytetWarszawski", Warsaw, Poland;

- May- June 2008:
Methodsfor Discrete Structures (Pre)Doc-Course

2008 on: Random and Quasirandom Graphs,

"Humboldt-Universität", Berlin, Germany.

Input-shrinkingfunctions: theory and application Francesco Davì

Outline

- Introduction and Motivations
- Leakage-Resilient Storage
- AuthenticatedKey Exchange protocol in the Bounded-Retrieval Model

Input-shrinkingfunctions: theory and application Francesco Davì

Cryptography

Design of securecryptographicschemes

For long time, mostlybased on

intuition and experience

Solutions brokenin short time

Input-shrinkingfunctions: theory and application Francesco Davì

Provable security (1/2)

- Formaldefinition of
Security and Adversarial model

- Formalproof of security:
no adversary can break the scheme

Security:

- Information-theoretic(unboundedadversary)

- Standard model (reduction from hard problems)

- Random Oracle Model (cryptographichashfunctions)

Input-shrinkingfunctions: theory and application Francesco Davì

Provable security (2/2)

Security againstallknown (even future) attacks

Developedvery fast

Attained a large number of

securecryptographicschemes

Input-shrinkingfunctions: theory and application Francesco Davì

Problem

Once implemented, some of the schemeswerebroken!

Easy to step out from

the security model

Input-shrinkingfunctions: theory and application Francesco Davì

Black-box model

X

chooses

CRYPTO

Y

receives

No information about

the internal state of the cryptosystem

Input-shrinkingfunctions: theory and application Francesco Davì

Information leakage

X

MACHINE

(PC, Smartcard,…)

chooses

Y, λ

CRYPTO

receives

}

- During the execution, the adversary can measure:
- Powerconsumption
- Electromagneticradiation
- Time
- Sound

Side-channelattacks

Evenpartialleakagesuffices to completely break a scheme

Input-shrinkingfunctions: theory and application Francesco Davì

Side-channelattacks

Exploit physicalmeasurements on real devices

Practitioners:

find countermeasures (and exploit new attacks)

- mostly ad-hoc
- often without a formal proof of security
- cannot provide security against allpossibleattacks
Recent trend: extend the realm of provable security

Input-shrinkingfunctions: theory and application Francesco Davì

Leakage-ResilientCryptography

Design protocolsthat are secure

evenif

they are implementedon

machinesthatmayleak information

Input-shrinkingfunctions: theory and application Francesco Davì

- Continual leakage
(MR04, DP08, Pie09, FKPR10,

FRRTV10, GR10, JV10, DP10, KP10, DF11)

- Bounded memory-leakage
(ISW03, IPSW06, AGV09, ADW09, KV09,

NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10)

- Auxiliary input
(DKL09, DGKPV10)

- Continual memory-leakage
(BKKV10, DHLW10, BSW11, LRW11,

LLW11, DLWW11)

Only computation leaks

Total leakage unbounded

All the memory leaks

Total leakage bounded

All the memory leaks

Computationally hard to recover

the secret from the leakage

All the memory leaks

Total leakage unbounded

Input-shrinkingfunctions: theory and application Francesco Davì

The adversary is allowed to learn (adaptively)

the values ofsome leakage functions (chosen by her)

on the internal state of

the cryptographic scheme

Input-shrinkingfunctions: theory and application Francesco Davì

Examples of assumptions (1/2)

Λ(S)

input-shrinking

functionΛ

the adversary can learn the values on up to t wires

booleancircuit

S

“Probing Attacks” [ISW03]

Bounded-Retrieval Model

“Memory Attacks” [AGV09]

Input-shrinkingfunctions: theory and application Francesco Davì

Examples of assumptions (2/2)

Λ(S1)

Λ(S)

Λ(S0)

input-shrinking

low-complexity Λ

input-shrinking

Λ

input-shrinking

Λ

S

S0

S1

[FRRTV10, DDV10]

[MR04, DP08, DDV10]

Input-shrinkingfunctions: theory and application Francesco Davì

General goal

Design models:

- realistic (i.e. they correspond to the real-life adversaries)
- allow to construct secure schemes

tradeoff

Input-shrinkingfunctions: theory and application Francesco Davì

Outline

- Introduction and Motivations
- Leakage-Resilient Storage
- AuthenticatedKey Exchange protocol in the Bounded-Retrieval Model

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: Leakage-Resilient Storage

An encoding schemeto securely store data

on hardware that may leak information

PROS: information-theoretic solution

CONS: analysis of concrete parameters does not seem to allow for efficient feasibility in practice

Input-shrinkingfunctions: theory and application Francesco Davì

All-Or-Nothing Transform

Dec

Enc(m)

Enc

m

m

Λ1,…,Λt

Note:no secret key

λ< |Enc(m)|

total leakage < λ

- very realistic

computationally unbounded

- input-shrinking

retrievesλibits

it should be hard to reconstruct a message

if not all the bits of its encoding are known

- Decode єΓ

chooses (adaptively)tfunctions

Λi: {0,1}|Enc(m)|→ {0,1}λiє Γ

Input-shrinkingfunctions: theory and application Francesco Davì

A scheme (Enc, Dec) issecureif for every m0, m1

no adversary can distinguishEnc(m0)fromEnc(m1)

we will require that m0, m1 are chosen by the adversary

?

Enc(m0)

Enc(m1)

Input-shrinkingfunctions: theory and application Francesco Davì

Enc

Enc(m):=(Rand, f(Rand) m)

Enc(m)

m

?

Λ’i

Λi

Λi(Enc(m))

Λ’i(Rand)

Λi(Rand, f(Rand) m)

weak adversary

adversary

Input-shrinkingfunctions: theory and application Francesco Davì

For any family of functions Γ

if an encoding scheme is secure for

then it is also secure for

security loss 2α, where αis the length of the message

Input-shrinkingfunctions: theory and application Francesco Davì

each leakage function can dependonly on some restricted part

of the memory

the cardinality ofΓisrestricted

For a fixed family Γ

how to constructsecure(Enc,Dec)?

randomness extractors

l-wise independent hash functions

Input-shrinkingfunctions: theory and application Francesco Davì

deterministic

Two-Source

Extractor

source1

extracted string

source2

Almost uniformly random

Independent

Random

Far from uniform

A lot of min-entropy

Input-shrinkingfunctions: theory and application Francesco Davì

each leakage function can dependonly on some restricted part

of the memory

Ext

R0

Ext(R0,R1)

R1

Enc(m):=( , , m)

R0

R1

Ext(R0,R1)

remind

M0

M1

Dec( , , m*):= m* .

R0

R1

Ext(R0,R1)

Input-shrinkingfunctions: theory and application Francesco Davì

remind

Enc(m):=( , , m)

R0

R1

Ext(R0,R1)

It suffices to show that (Enc,Dec) is secure against every

One can prove that even given Λ’1( ),…,Λ’t( )

Ri

Ri

R0

R1

and

- are still independent
- have high min-entropy (with high probability)

Input-shrinkingfunctions: theory and application Francesco Davì

each leakage function can dependonly on some restricted part

of the memory

the cardinality ofΓisrestricted

For a fixed family Γ

how to constructsecure(Enc,Dec)?

randomness extractors

l-wise independent hash functions

Input-shrinkingfunctions: theory and application Francesco Davì

H={hs:X→Y}sєIis l-wise independent if

uniformly random S є I

Yl

Xl

{x1,…,xl}

hS

{hS(x1),…,hS(xl)}

uniform over Yl

Input-shrinkingfunctions: theory and application Francesco Davì

H={hs:X→Y}sєIis l-wise independent

Encs(m):=(R, hS(R) m)

remind

the cardinality ofΓisrestricted

RєXis random

the set of functions computable by Boolean circuits of a fixed size

Decs(R , m*):=(hS(R) m*)

Input-shrinkingfunctions: theory and application Francesco Davì

Outline

- Introduction and Motivations
- Leakage-Resilient Storage
- AuthenticatedKey Exchange protocol in the Bounded-Retrieval Model

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: AKE protocol in the BRM

Client and Server share a huge random file

The attacker can retrieve a large portion of it

Authenticated Key Exchange (AKE) protocol:

- provide Client and Serverwith a short shared key
- client-to-server authentication
- security against activeattackers
PROS: protocol analysis + efficient implementation

CONS: Random Oracle model

Input-shrinkingfunctions: theory and application Francesco Davì

Key Exchange protocol

CLIENT

SERVER

Problem: Man-in-the-Middle attack

Solution: Authentication

Key Exchange protocol

Key

Key

Input-shrinkingfunctions: theory and application Francesco Davì

Authentication

CLIENT

SERVER

Password

Password

Password-basedAuthenticatedKey Exchange protocol

Key Exchange protocol

Key

Key

Input-shrinkingfunctions: theory and application Francesco Davì

AKE: a general paradigm

Cash, Ding, Dodis, Lee, Lipton and Walfish

“Intrusion-resilient key exchange in the Bounded Retrieval Model". In TCC (2007)

CLIENT

SERVER

WeakKey Exchange protocol

Lowentropy

Human memorizable

Password

Password

Password-basedAuthenticatedKey Exchange protocol

Universally-Composable Password-basedAuthenticatedKey Exchange protocol

cannot be implemented in the standard model

Key

Key

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: new AKE protocol in the BRM

Setup: long shared secret random file F

CLIENT

SERVER

input-shrinkingfunctionΛ

WeakKey Exchange protocol

Λ(F)

Λ(F)

Password

Password

active over the channel

Universally-Composable Password-basedAuthenticatedKey Exchange protocol

Random Oracle model

Indistinguishable from random

Key

Key

ImplementedusingOpenSSLcryptolibrary

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: WeakKey Exchange protocol (1/3)

Setup: long shared secret random file F

CLIENT

SERVER

WeakKey Exchange protocol

Λ(F)

Password

Password

active over the channel

We prove that:

evengivenΛ(F)

i.e. the sharedpasswordsare individually unpredictable

for the adversary

Passwordhashigh min-entropy

(with high probability)

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: WeakKey Exchange protocol(2/3)

Setup: long shared secret random file F

CLIENT

SERVER

101001001001010101001010100100101001010000100101011010101010010101010111010110101001010010010110101010110010101001010101011010010101010010010101010100110010101101010100101010101001010100010101001011010110101010010110101111101001011001010101011011010101010011101010100101010101010101010100100101000000000010101010111111110101010101001010101010100101010101010101010101111111101011001100101010010010100101001010010010010100101101010111001000010100101011010111001010101010100101001010101000010010101010010100101010000001110101010100101001110101101001011011010101000101011111010101

IDX_CLIENT

Choose random indexes

Choose random indexes

IDX_CLIENT

IDX_SERVER

IDX_SERVER

Create password: concatenate the corresponding bits of F

Create password: concatenate the corresponding bits of F

0 1 0

0 0 1

0 0 1

Several large numbers

0 1 0

Input-shrinkingfunctions: theory and application Francesco Davì

Contribution: WeakKey Exchange protocol(3/3)

Setup: long shared secret random file F

CLIENT

SERVER

101001001001010101001010100100101001010000100101011010101010010101010111010110101001010010010110101010110010101001010101011010010101010010010101010100110010101101010100101010101001010100010101001011010110101010010110101111101001011001010101011011010101010011101010100101010101010101010100100101000000000010101010111111110101010101001010101010100101010101010101010101111111101011001100101010010010100101001010010010010100101101010111001000010100101011010111001010101010100101001010101000010010101010010100101010000001110101010100101001110101101001011011010101000101011111010101

Random Oracle model

Public parameter: cryptographichashfunctionH

SEED_CLIENT

Choose random short SEED_SERVER

Choose random short SEED_CLIENT

SEED_SERVER

Λ(F)

Calculateindexes:

IDXi= H(i|SEED)

Create password

Create password

unpredictable

0 0 1

0 0 1

0 1 0

0 1 0

Input-shrinkingfunctions: theory and application Francesco Davì

AKE: a general paradigm

CLIENT

SERVER

WeakKey Exchange protocol

Password

Password

Universally-Composable Password-basedAuthenticatedKey Exchange protocol

Key

Key

Input-shrinkingfunctions: theory and application Francesco Davì

UC Password-based AKE protocol

Abdalla, Catalano, Chevalierand Pointcheval:

Efficient two-party password-based key exchange protocols in the UC framework. CT-RSA (2008)

(Modified) Diffie-HellmanKey Exchange:

- No assumptions on the distribution on the passwords
- One-flow encrypted
- Twocryptographichashfunctions to compute secret key and provideauthentication

Input-shrinkingfunctions: theory and application Francesco Davì

Forward security

Setup: long shared secret random file F

CLIENT

SERVER

WeakKey Exchange protocol

Λ(F)

Password

Password

Universally-Composable Password-basedAuthenticatedKey Exchange protocol

Diffie-HellmanKey Exchange

encrypted with Password

?

?

F

Key

Key

Input-shrinkingfunctions: theory and application Francesco Davì

Experimentalresults

Security parameter

Leakage

Shared file size

t = number of indexes

running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 4GB of RAM, under the 64-bits version of Ubuntu 11.04

Input-shrinkingfunctions: theory and application Francesco Davì

Number of indexes

Input-shrinkingfunctions: theory and application Francesco Davì

PAKE protocolrunning time

Input-shrinkingfunctions: theory and application Francesco Davì

WKE protocolrunning time

Input-shrinkingfunctions: theory and application Francesco Davì

Thankyou!

Input-shrinkingfunctions: theory and application Francesco Davì

Main idea of this line of research

To achieve security one assumes that

the power of the adversary

during the “physical attack” is

“limited in some way”

this should be justified by some physical characteristics of the device

Input-shrinkingfunctions: theory and application Francesco Davì

Security definition

m0,m1

Enc : {0,1}α→ {0,1}β

Dec : {0,1}β→ {0,1}α

adversary

oracle

- chooses a random b = 0,1
- calculates τ := Enc(mb)

choosesm0,m1 є {0,1}α

fori = 1,...,t,chooses

Λi: {0,1}β→ {0,1}λiє Γ

Λi

calculates Λi(τ)

Λi(τ)

outputs b’

wins ifb’ = b

(Enc,Dec)is(Γ,λ, t, ε)-secure

if no adversary wins the game

with probability greater than1/2 + ε

advantage

Input-shrinkingfunctions: theory and application Francesco Davì

For any Γ, λ, t and ε,

if an encoding scheme is (Γ, λ, t, ε)-secure for

then it is also (Γ, λ, t, ε˙2α)-secure for

α is the length of the message

Input-shrinkingfunctions: theory and application Francesco Davì

can simulate

replacing f(Rand) m with a random string z є{0,1}α

=ε˙2α

wins with advantage δ

Consider

=ε

Construct

wins with advantage δ˙2-α

Input-shrinkingfunctions: theory and application Francesco Davì

Diffie-HellmanKey Exchange

CLIENT

Setup:

finite cyclic group G = <g>

of order a prime numberp

SERVER

a← [p-1]

b ← [p-1]

A

A← gamodp

B

B← gbmodp

K= Bamodp

K= Abmodp

gabmodp

Input-shrinkingfunctions: theory and application Francesco Davì

Man-in-the-middle attack

CLIENT

Setup:

finite cyclic group G = <g>

of order a prime numberp

SERVER

a← [p-1]

b ← [p-1]

A

E

e← [p-1]

A← gamodp

B

E← gemodp

E

B← gbmodp

KC= Aemodp

K= Eamodp

K= Ebmodp

KS= Bemodp

Theyneedauthentication!

Input-shrinkingfunctions: theory and application Francesco Davì

UC Password-based AKE protocol

CLIENT

SERVER

Setup:

finite cyclic group G = <g>

of order a prime numberp

Pwd

Pwd

a← [p-1]

b ← [p-1]

A

A← gamodp

ENCPwd(B)

B← gbmodp

B= DECPwd(B)

DHS= Abmodp

DHC= Bamodp

if AUTH= H1(Pwd|DHS)

KEYS= H0(Pwd|DHS)

else ERROR

KEYC= H0(Pwd|DHC)

AUTH

AUTH= H1(Pwd|DHC)

Input-shrinkingfunctions: theory and application Francesco Davì

Download Presentation

Connecting to Server..