Input-shrinking functions: theory and application. PhD candidate: Francesco Davì, Computer Science Department, Sapienza University of Rome. Reviewers: Prof. Mirosław Kutiłowski, Dr. Ivan Visconti. Thesis committee: Dr. Stefan Dziembowski (advisor)

Input-shrinking functions: theory and application

PhD candidate: Francesco Davì

Computer Science Department

Sapienza University of Rome

Reviewers:

Prof. Mirosław Kutiłowski

Dr. Ivan Visconti

Thesis committee:

Dr. Stefan Dziembowski (advisor)

Prof. Luigi Vincenzo Mancini

Prof. Alessandro Mei

Rome, 02/03/2012


PhD Activity

Cryptography on Non-Trusted Machines Project

  • F. Davì, S. Dziembowski and D. Venturi: Leakage-Resilient Storage, in J. Garay and R. De Prisco (eds.), Seventh Conference on Security and Cryptography for Networks (SCN 2010), LNCS 6280, Springer 2010.

Conferences, workshops and schools

  • Seventh Conference on Security and Cryptography for Networks (SCN 2010), Amalfi, 13-15 September 2010;

  • Workshop on Provable Security against Physical Attacks, Leiden, 15-19 February 2010;

  • Theory of Cryptography Conference (TCC 2010), Zurich, 9-11 February 2010;

  • Summer School On Provable Security, Barcelona, 7-11 September 2009;

  • Bertinoro International Spring School (BiSS 2009), Bertinoro, 2-6 March 2009;

  • Berlin-Poznan Seminar / ASZ Workshop 2008, "Humboldt-Universität", Berlin, 20-21 June 2008.

Experiences abroad

  • May - July 2011: visiting student, Cryptography and Data Security Group, "Uniwersytet Warszawski", Warsaw, Poland;

  • May - June 2008: Methods for Discrete Structures (Pre)Doc-Course 2008 on Random and Quasirandom Graphs, "Humboldt-Universität", Berlin, Germany.

Outline

  • Introduction and Motivations

  • Leakage-Resilient Storage

  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

Cryptography

Design of secure cryptographic schemes

For a long time, mostly based on intuition and experience

Solutions broken in a short time

Provable security (1/2)

  • Formal definition of security and adversarial model

  • Formal proof of security: no adversary can break the scheme

Security:

- Information-theoretic (unbounded adversary)

- Standard model (reduction from hard problems)

- Random Oracle Model (cryptographic hash functions)

Provable security (2/2)

Security against all known (even future) attacks

Developed very fast

Attained a large number of secure cryptographic schemes

Problem

Once implemented, some of the schemes were broken!

Easy to step out from the security model

Black-box model

Diagram: the adversary chooses an input X for CRYPTO and receives the output Y.

No information about the internal state of the cryptosystem

Information leakage

Diagram: the adversary chooses an input X for CRYPTO running on a MACHINE (PC, Smartcard, …) and receives the output Y together with leakage λ.

  • During the execution, the adversary can measure:

  • Power consumption

  • Electromagnetic radiation

  • Time

  • Sound

Side-channel attacks

Even partial leakage suffices to completely break a scheme

Side-channel attacks

Exploit physical measurements on real devices

Practitioners: find countermeasures (and exploit new attacks)

  • mostly ad-hoc

  • often without a formal proof of security

  • cannot provide security against all possible attacks

Recent trend: extend the realm of provable security

Leakage-Resilient Cryptography

Design protocols that are secure even if they are implemented on machines that may leak information

Leakage-Resilient Cryptography: The Models

  • Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10, DP10, KP10, DF11): only computation leaks; total leakage unbounded

  • Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10): all the memory leaks; total leakage bounded

  • Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage

  • Continual memory-leakage (BKKV10, DHLW10, BSW11, LRW11, LLW11, DLWW11): all the memory leaks; total leakage unbounded

Leakage model

The adversary is allowed to learn (adaptively) the values of some leakage functions (chosen by her) on the internal state of the cryptographic scheme

Examples of assumptions (1/2)

"Probing Attacks" [ISW03]: the state S is processed by a Boolean circuit, and the adversary can learn the values on up to t wires

Bounded-Retrieval Model, "Memory Attacks" [AGV09]: the adversary learns Λ(S) for an input-shrinking function Λ of the state S

Examples of assumptions (2/2)

Low-complexity leakage [FRRTV10, DDV10]: the adversary learns Λ(S) for an input-shrinking, low-complexity function Λ of the state S

Memory split into two parts [MR04, DP08, DDV10]: the state is split into S0 and S1, and the adversary learns Λ(S0) and Λ(S1) for input-shrinking functions Λ applied to each part separately

General goal

Design models that are:

  • realistic (i.e. they correspond to the real-life adversaries)

  • allow to construct secure schemes

Trade-off between the two

Outline

  • Introduction and Motivations

  • Leakage-Resilient Storage

  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

Contribution: Leakage-Resilient Storage

An encoding scheme to securely store data on hardware that may leak information

PROS: information-theoretic solution

CONS: analysis of concrete parameters does not seem to allow for efficient feasibility in practice

Leakage-Resilient Storage

All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known

Diagram: Enc(m) is stored in memory and Dec recovers m; the adversary chooses (adaptively) t functions Λ1,…,Λt and retrieves λi bits with each Λi.

Note: no secret key

Adversary:

  • computationally unbounded (very realistic)

  • chooses (adaptively) t functions Λi: {0,1}^|Enc(m)| → {0,1}^λi ∈ Γ, each input-shrinking, with total leakage < λ, where λ < |Enc(m)|

  • Decode ∈ Γ (the decoding function itself belongs to the class Γ)

Security definition

A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1)

We will require that m0, m1 are chosen by the adversary

Adversary model

Enc(m) := (Rand, f(Rand) ⊕ m)

Diagram: the weak adversary chooses leakage functions Λ'i and learns Λ'i(Rand) only; the adversary chooses Λi and learns Λi(Enc(m)) = Λi(Rand, f(Rand) ⊕ m).

Lemma

For any family of functions Γ, if an encoding scheme is secure for the weak adversary (who only sees leakage on Rand) then it is also secure for the adversary, with security loss 2^α, where α is the length of the message

Problem

For a fixed family Γ, how to construct secure (Enc, Dec)?

  • if each leakage function can depend only on some restricted part of the memory: randomness extractors

  • if the cardinality of Γ is restricted: l-wise independent hash functions

Two-source Extractor

Diagram: a deterministic Two-Source Extractor takes source1 and source2 and outputs an extracted string.

Sources: independent, random, far from uniform, with a lot of min-entropy

Extracted string: almost uniformly random

Memory divided into 2 parts: construction

Remind: each leakage function can depend only on some restricted part of the memory

The memory is divided into two parts M0 and M1, holding R0 and R1 respectively; Ext is a two-source extractor

Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m)

Dec(R0, R1, m*) := m* ⊕ Ext(R0,R1)
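The construction above, written out as an added example (not the thesis's own code): the two memory parts hold R0 and R1, Ext is instantiated with the inner-product two-source extractor over a prime field F_p, and the message is padded with modular addition in place of the slide's XOR. The field (p = 2^61 - 1), the vector length n and the `leak` helper that enforces "one part only, input-shrinking" are choices made here. The exhaustive check at the end uses a tiny field to show the point of splitting the memory: even if the whole of M0 leaks, the pad Ext(R0,R1) is still uniform over the unknown R1.

```python
# Added example: split-memory encoding with an inner-product two-source extractor.
# Assumptions of this example: F_p with p = 2^61 - 1, modular addition as the pad.
import secrets
from itertools import product

P = 2**61 - 1  # Mersenne prime; F_p is the field the extractor works over


def ext(r0, r1, p=P):
    """Inner-product two-source extractor Ext(R0, R1) = <R0, R1> over F_p."""
    if len(r0) != len(r1):
        raise ValueError("both memory parts must have the same length")
    return sum(a * b for a, b in zip(r0, r1)) % p


def enc(m, n, p=P):
    """Enc(m) := (R0, R1, Ext(R0, R1) + m); R0 lives in memory part M0, R1 in M1."""
    if not 0 <= m < p:
        raise ValueError("message must be a field element")
    r0 = [secrets.randbelow(p) for _ in range(n)]
    r1 = [secrets.randbelow(p) for _ in range(n)]
    return r0, r1, (ext(r0, r1, p) + m) % p


def dec(r0, r1, c, p=P):
    """Dec(R0, R1, m*) := m* - Ext(R0, R1): remove the pad."""
    return (c - ext(r0, r1, p)) % p


def leak(memory_part, leakage_fn, lam):
    """One leakage query in the split-memory model: the function is handed a single
    memory part and must be input-shrinking (at most `lam` output bits)."""
    out = leakage_fn(memory_part)
    if out.bit_length() > lam:
        raise ValueError("leakage function is not input-shrinking to %d bits" % lam)
    return out


def pad_distribution_given_r0(r0, n, p):
    """Exhaustive check for a tiny field: fix R0 (i.e. let all of M0 leak) and count how
    often each value of Ext(R0, R1) occurs over all R1 in F_p^n. A flat histogram means
    the pad is still uniform, so m stays hidden; a zero R0 is the degenerate case."""
    counts = [0] * p
    for r1 in product(range(p), repeat=n):
        counts[ext(r0, r1, p)] += 1
    return counts


if __name__ == "__main__":
    r0, r1, c = enc(123456789, n=4)
    assert dec(r0, r1, c) == 123456789
    # a leakage function restricted to M0: the low 8 bits of its first word
    print("leaked from M0:", leak(r0, lambda part: part[0] & 0xFF, 8))
    print("pad histogram with M0 fully leaked (p=7, n=2):",
          pad_distribution_given_r0((3, 5), 2, 7))
```

A leakage function handed both R0 and R1 could simply compute Ext(R0,R1) and strip the pad; the restriction that each Λi sees one part only is what the model rules out, and the extractor is what turns two independent, partially leaked halves into a pad the adversary cannot predict.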

Proof Idea

Remind: Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m)

It suffices to show that (Enc, Dec) is secure against every weak adversary

One can prove that even given Λ'1(Ri),…,Λ't(Ri), R0 and R1

  • are still independent

  • have high min-entropy (with high probability)

Problem

For a fixed family Γ, how to construct secure (Enc, Dec)?

  • if each leakage function can depend only on some restricted part of the memory: randomness extractors

  • if the cardinality of Γ is restricted: l-wise independent hash functions

l-wise independent hash functions

H = {hs : X → Y}s∈I is l-wise independent if, for a uniformly random S ∈ I and any l distinct inputs {x1,…,xl} ∈ X^l, the tuple {hS(x1),…,hS(xl)} is uniform over Y^l

Boolean circuits of small size: construction

Remind: the cardinality of Γ is restricted, e.g. Γ is the set of functions computable by Boolean circuits of a fixed size

H = {hs : X → Y}s∈I is l-wise independent, R ∈ X is random

Encs(m) := (R, hS(R) ⊕ m)

Decs(R, m*) := hS(R) ⊕ m*
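An added example (not code from the thesis) for the two slides above: the classical l-wise independent family of random polynomials of degree l-1 over F_p, with the seed S being the l coefficients, used in Enc_s(m) := (R, h_S(R) + m). The prime p, the polynomial family and modular addition in place of the slide's XOR are choices made here. The exhaustive check enumerates every seed for a tiny p and confirms that on distinct inputs the tuple (h_S(x1),…,h_S(xl)) takes every value in Y^l exactly once, and that the property fails for repeated inputs or for more than l inputs.

```python
# Added example: l-wise independent hashing via degree-(l-1) polynomials over F_p.
# Assumptions of this example: the prime p and modular addition as the pad.
import secrets
from itertools import product


def h(seed, x, p):
    """h_S(x) = s_0 + s_1 x + ... + s_{l-1} x^{l-1} mod p (Horner evaluation)."""
    acc = 0
    for coeff in reversed(seed):
        acc = (acc * x + coeff) % p
    return acc


def keygen(l, p):
    """Uniformly random seed S ∈ I = F_p^l."""
    return tuple(secrets.randbelow(p) for _ in range(l))


def enc_s(seed, m, p):
    """Enc_s(m) := (R, h_S(R) + m) with R ∈ X = F_p chosen at random."""
    r = secrets.randbelow(p)
    return r, (h(seed, r, p) + m) % p


def dec_s(seed, r, c, p):
    """Dec_s(R, m*) := m* - h_S(R)."""
    return (c - h(seed, r, p)) % p


def joint_distribution(xs, l, p):
    """Tabulate (h_S(x1), ..., h_S(xk)) over all seeds S ∈ F_p^l (tiny p only)."""
    counts = {}
    for seed in product(range(p), repeat=l):
        key = tuple(h(seed, x, p) for x in xs)
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_l_wise_independent(xs, l, p):
    """True iff every tuple in Y^k appears equally often, i.e. exactly once when k = l and
    the xs are distinct (the seed-to-values map is then a bijection by interpolation)."""
    counts = joint_distribution(xs, l, p)
    return len(counts) == p ** len(xs) and len(set(counts.values())) == 1


if __name__ == "__main__":
    P = 2**61 - 1
    s = keygen(3, P)
    r, c = enc_s(s, 99, P)
    assert dec_s(s, r, c, P) == 99
    print("2-wise independent on (1,3) over F_5:", is_l_wise_independent((1, 3), 2, 5))
    print("... on (1,1):", is_l_wise_independent((1, 1), 2, 5))
    print("... on three inputs:", is_l_wise_independent((0, 1, 2), 2, 5))
```

The degree parameter l is what the construction trades against the size of Γ: a leakage function computable by a small circuit can only correlate the padded value with a bounded number of evaluations of h_S, which is exactly what l-wise independence guards against.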

Outline

  • Introduction and Motivations

  • Leakage-Resilient Storage

  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

Contribution: AKE protocol in the BRM

Client and Server share a huge random file

The attacker can retrieve a large portion of it

Authenticated Key Exchange (AKE) protocol:

  • provide Client and Server with a short shared key

  • client-to-server authentication

  • security against active attackers

PROS: protocol analysis + efficient implementation

CONS: Random Oracle model

Key Exchange protocol

Diagram: CLIENT and SERVER run a Key Exchange protocol and both obtain Key.

Problem: Man-in-the-Middle attack

Solution: Authentication

Authentication

Diagram: CLIENT and SERVER each hold Password and run a Password-based Authenticated Key Exchange protocol, obtaining Key.

AKE: a general paradigm

Cash, Ding, Dodis, Lee, Lipton and Walfish, "Intrusion-resilient key exchange in the Bounded Retrieval Model", TCC (2007)

Diagram: CLIENT and SERVER first run a Weak Key Exchange protocol that gives both a Password (low entropy, human memorizable); they then run a Universally-Composable Password-based Authenticated Key Exchange protocol on that Password to obtain Key.

Universally-Composable Password-based Authenticated Key Exchange cannot be implemented in the standard model

Contribution: new AKE protocol in the BRM

Setup: long shared secret random file F

Diagram: CLIENT and SERVER run a Weak Key Exchange protocol and obtain Password on both sides; the adversary is active over the channel and holds Λ(F) for an input-shrinking function Λ. They then run a Universally-Composable Password-based Authenticated Key Exchange protocol (Random Oracle model) and obtain Key, indistinguishable from random.

Implemented using the OpenSSL crypto library

Contribution: Weak Key Exchange protocol (1/3)

Setup: long shared secret random file F

Diagram: CLIENT and SERVER run a Weak Key Exchange protocol and obtain Password; the adversary is active over the channel and holds Λ(F).

We prove that: even given Λ(F), Password has high min-entropy (with high probability), i.e. the shared passwords are individually unpredictable for the adversary

Contribution: Weak Key Exchange protocol (2/3)

Setup: long shared secret random file F

F = 101001001001010101001010100100101001010000100101011010101010010101010111010110101001010010010110101010110010101001010101011010010101010010010101010100110010101101010100101010101001010100010101001011010110101010010110101111101001011001010101011011010101010011101010100101010101010101010100100101000000000010101010111111110101010101001010101010100101010101010101010101111111101011001100101010010010100101001010010010010100101101010111001000010100101011010111001010101010100101001010101000010010101010010100101010000001110101010100101001110101101001011011010101000101011111010101

Diagram: CLIENT chooses random indexes IDX_CLIENT and SERVER chooses random indexes IDX_SERVER (several large numbers); they exchange them, and each side creates the password by concatenating the corresponding bits of F (the sample indexes pick out 0 1 0 and 0 0 1).

Contribution: Weak Key Exchange protocol (3/3)

Setup: long shared secret random file F (as above)

Random Oracle model; public parameter: cryptographic hash function H

Diagram: CLIENT chooses a random short SEED_CLIENT and SERVER a random short SEED_SERVER; they exchange the seeds. Each side calculates the indexes IDXi = H(i|SEED) and creates the password by concatenating the corresponding bits of F (the sample indexes pick out 0 0 1 and 0 1 0). Even given Λ(F), the password is unpredictable for the adversary.
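The Weak Key Exchange of the three slides above, simulated as an added example (not the thesis's OpenSSL implementation). Assumptions made here: H is SHA-256, SEED is the concatenation SEED_CLIENT|SEED_SERVER, the counter i is encoded as a 4-byte big-endian integer, and the index is the hash value reduced modulo |F|; the file F is constructed for the demo. The last function gives the bounded-retrieval view of the password: for a retrieval-type leakage that copies positions of F, every password bit taken from a position the adversary did not retrieve is a uniformly random bit of F, so the count of such bits is a lower bound on the password's min-entropy.

```python
# Added example: Weak Key Exchange in the BRM, Random Oracle model with H = SHA-256.
# Assumptions: SEED = SEED_CLIENT|SEED_SERVER, IDX_i = SHA256(i|SEED) mod |F|.
import hashlib
import secrets


def make_file(nbits, rng=secrets.randbits):
    """Constructed stand-in for the long shared random file F, as a '0'/'1' string."""
    return format(rng(nbits), "0%db" % nbits)


def indexes(seed, t, file_len):
    """IDX_i = H(i|SEED) for i = 1..t, reduced to a bit position in F."""
    idx = []
    for i in range(1, t + 1):
        digest = hashlib.sha256(i.to_bytes(4, "big") + seed).digest()
        idx.append(int.from_bytes(digest, "big") % file_len)
    return idx


def password(f, idx):
    """Create the password: concatenate the bits of F at the chosen indexes."""
    return "".join(f[i] for i in idx)


def weak_key_exchange(f_client, f_server, t, seed_len=16):
    """Both parties pick a short random seed and exchange them in the clear; each derives
    the password from its own copy of F. Returns (pwd_client, pwd_server)."""
    seed_client = secrets.token_bytes(seed_len)
    seed_server = secrets.token_bytes(seed_len)
    seed = seed_client + seed_server            # assumption: SEED is the concatenation
    idx = indexes(seed, t, len(f_client))
    return password(f_client, idx), password(f_server, idx)


def unknown_password_bits(idx, retrieved_positions):
    """Bounded-retrieval view: given the positions of F the adversary has copied out,
    count the password bits it does not know (each is a fresh uniform bit of F)."""
    return sum(1 for i in idx if i not in retrieved_positions)


if __name__ == "__main__":
    f = make_file(4096)
    pwd_c, pwd_s = weak_key_exchange(f, f, t=64)
    assert pwd_c == pwd_s
    idx = indexes(b"\x00" * 32, 64, len(f))
    retrieved = set(range(len(f) // 2))          # adversary copied the first half of F
    print("password bits unknown to the adversary:",
          unknown_password_bits(idx, retrieved))
```

Because the seeds are exchanged after the adversary's retrieval happened, the positions are chosen by H independently of which half of F was copied; with half of F retrieved, about t/2 of the t password bits fall outside it. The thesis's result covers arbitrary input-shrinking Λ(F), not only this copy-out leakage.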

AKE: a general paradigm

Diagram: CLIENT and SERVER run a Weak Key Exchange protocol to obtain Password, then a Universally-Composable Password-based Authenticated Key Exchange protocol to obtain Key.

UC Password-based AKE protocol

Abdalla, Catalano, Chevalier and Pointcheval: Efficient two-party password-based key exchange protocols in the UC framework. CT-RSA (2008)

(Modified) Diffie-Hellman Key Exchange:

  • No assumptions on the distribution of the passwords

  • One flow encrypted

  • Two cryptographic hash functions to compute the secret key and provide authentication

Forward security

Setup: long shared secret random file F

Diagram: CLIENT and SERVER run the Weak Key Exchange protocol (the adversary holds Λ(F)) to obtain Password, then the Universally-Composable Password-based Authenticated Key Exchange protocol, a Diffie-Hellman Key Exchange encrypted with Password, to obtain Key. The question marks next to F and Key indicate that knowledge of F does not reveal an already established Key.

Experimental results

Table columns: Security parameter, Leakage, Shared file size, t = number of indexes

Running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 4GB of RAM, under the 64-bit version of Ubuntu 11.04

Number of indexes


PAKE protocol running time


WKE protocol running time

Thank you!

Main idea of this line of research

To achieve security one assumes that the power of the adversary during the "physical attack" is "limited in some way"

This should be justified by some physical characteristics of the device

Security definition

Enc : {0,1}^α → {0,1}^β

Dec : {0,1}^β → {0,1}^α

Game between the adversary and an oracle:

  • the adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle

  • the oracle chooses a random b = 0,1 and calculates τ := Enc(mb)

  • for i = 1,...,t, the adversary chooses Λi: {0,1}^β → {0,1}^λi ∈ Γ and sends it to the oracle, which calculates and returns Λi(τ)

  • the adversary outputs b' and wins if b' = b

(Enc, Dec) is (Γ, λ, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage)
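The game above turned into a test harness, as an added example (not from the thesis). It is played against the plain one-time-pad encoding Enc(m) := (R, R ⊕ m) of the adversary-model slide (f the identity), with Γ modelled as the set of memory views a leakage function may be handed: the whole encoding, or one of the two parts. The message length, the adversary strategies and the trial counts are constructions of this example. The three adversaries show, in order, why Γ must be restricted when Decode ∈ Γ, why the split-state restriction alone does not save the plain pad (which is what the two-source extractor construction addresses), and that an adversary confined to one part is reduced to guessing.

```python
# Added example: the (Γ, λ, t, ε) distinguishing game as a harness for an encoding scheme.
# Assumptions: α = 8, Enc(m) = (R, R ⊕ m), Γ given as a set of allowed memory views.
import secrets

ALPHA = 8                         # message length α (bits)
BETA = 2 * ALPHA                  # |Enc(m)| = β bits: R followed by R ⊕ m
MASK = (1 << ALPHA) - 1


def enc(m):
    """Enc(m) := (R, R ⊕ m), the two α-bit memory parts packed into one β-bit integer."""
    r = secrets.randbits(ALPHA)
    return (r << ALPHA) | (r ^ m)


def dec(tau):
    return (tau >> ALPHA) ^ (tau & MASK)


def view(tau, part):
    """What a leakage function is handed: the whole encoding or a single memory part."""
    return {"all": tau, "r": tau >> ALPHA, "c": tau & MASK}[part]


def play_game(adversary, gamma, lam, t):
    """One run of the game. gamma: set of views the adversary's functions may take (Γ);
    lam: total leakage budget in bits (λ); t: number of queries. Returns True on a win."""
    m0, m1 = adversary.choose_messages()
    assert 0 <= m0 <= MASK and 0 <= m1 <= MASK
    b = secrets.randbits(1)
    tau = enc(m1 if b else m0)
    answers, used = [], 0
    for i in range(t):
        part, fn, out_bits = adversary.next_leakage(i, answers)
        used += out_bits
        if part not in gamma or used > lam or out_bits >= BETA:
            raise ValueError("query not in Γ, not input-shrinking, or over the budget λ")
        answers.append(fn(view(tau, part)) & ((1 << out_bits) - 1))
    return adversary.guess(answers) == b


def advantage(adversary, gamma, lam, t, trials=1000):
    """Empirical advantage: win rate minus 1/2."""
    wins = sum(play_game(adversary, gamma, lam, t) for _ in range(trials))
    return wins / trials - 0.5


class DecodeBitAdversary:
    """One 1-bit query: the low bit of Dec(τ). If Γ contains functions of the whole
    memory (Decode ∈ Γ), this input-shrinking Λ already breaks any scheme."""
    def choose_messages(self):
        return 0, 1
    def next_leakage(self, i, answers):
        return "all", lambda tau: dec(tau) & 1, 1
    def guess(self, answers):
        return answers[0]


class SplitStateXorAdversary:
    """Two 1-bit queries, each on one memory part, combined afterwards: against the plain
    pad this still recovers a bit of m. The split-memory construction with a two-source
    extractor exists precisely because of this."""
    def choose_messages(self):
        return 0, 1
    def next_leakage(self, i, answers):
        return ("r", lambda r: r & 1, 1) if i == 0 else ("c", lambda c: c & 1, 1)
    def guess(self, answers):
        return answers[0] ^ answers[1]


class OnePartAdversary:
    """Only ever looks at R; its answers are independent of b, so it can only guess."""
    def choose_messages(self):
        return 0, 1
    def next_leakage(self, i, answers):
        return "r", lambda r: r & 1, 1
    def guess(self, answers):
        return answers[0]


if __name__ == "__main__":
    print("Decode ∈ Γ:        ", advantage(DecodeBitAdversary(), {"all"}, 1, 1))
    print("split state, plain pad:", advantage(SplitStateXorAdversary(), {"r", "c"}, 2, 2))
    print("one part only:       ", advantage(OnePartAdversary(), {"r", "c"}, 1, 1))
```

The harness enforces the three constraints of the definition mechanically: membership in Γ, input-shrinking outputs, and the total budget λ; a query outside them raises instead of being answered.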

Lemma

For any Γ, λ, t and ε, if an encoding scheme is (Γ, λ, t, ε)-secure for the weak adversary then it is also (Γ, λ, t, ε·2^α)-secure for the adversary, where α is the length of the message

Proof Idea

Consider an adversary that wins with advantage δ.

Construct a weak adversary that wins with advantage δ·2^-α: it can simulate the adversary by replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α.

Hence ε = δ·2^-α, i.e. δ = ε·2^α.

Diffie-Hellman Key Exchange

Setup: finite cyclic group G = <g> of order a prime number p

CLIENT: a ← [p-1], A ← g^a mod p, sends A

SERVER: b ← [p-1], B ← g^b mod p, sends B

CLIENT: K = B^a mod p; SERVER: K = A^b mod p; both equal g^ab mod p

Man-in-the-middle attack

Setup: finite cyclic group G = <g> of order a prime number p

CLIENT: a ← [p-1], A ← g^a mod p, sends A

Attacker: e ← [p-1], E ← g^e mod p; intercepts A and B and forwards E in their place

SERVER: b ← [p-1], B ← g^b mod p, sends B

CLIENT: K = E^a mod p; SERVER: K = E^b mod p

Attacker: KC = A^e mod p (shared with CLIENT), KS = B^e mod p (shared with SERVER)

They need authentication!

UC Password-based AKE protocol

Setup: finite cyclic group G = <g> of order a prime number p; CLIENT and SERVER share Pwd

CLIENT: a ← [p-1], A ← g^a mod p, sends A

SERVER: b ← [p-1], B ← g^b mod p, sends ENC_Pwd(B)

CLIENT: B = DEC_Pwd(ENC_Pwd(B)), DH_C = B^a mod p, KEY_C = H0(Pwd|DH_C), sends AUTH = H1(Pwd|DH_C)

SERVER: DH_S = A^b mod p; if AUTH = H1(Pwd|DH_S) then KEY_S = H0(Pwd|DH_S), else ERROR
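The three backup slides above (Diffie-Hellman, the man-in-the-middle attack on it, and the password-based flow with ENC_Pwd(B) and AUTH = H1(Pwd|DH)) run as an added example; this is not the thesis's or ACCP08's code. Assumptions made here: a toy group (prime modulus 2^127 - 1, generator 3), SHA-256 with a label byte standing in for H0 and H1, and ENC_Pwd as a XOR of the group element with a SHA-256 mask derived from Pwd. These are illustration choices, not the protocol's real parameters or cipher. `plain_dh_under_mitm` reproduces the attack slide, and `pake_under_mitm` shows that the same attacker, now facing the encrypted flow and the AUTH check, is accepted by the server only if its password guess is right.

```python
# Added example: DH, the man-in-the-middle on plain DH, and the password-based flow.
# Assumptions: toy group (p = 2^127 - 1, g = 3), SHA-256 for H0/H1, XOR-mask ENC_Pwd.
import hashlib
import secrets

P = 2**127 - 1     # Mersenne prime used as modulus (toy parameter)
G = 3              # generator (toy parameter)


def dh_share():
    """x ← [p-1], X ← g^x mod p"""
    x = 1 + secrets.randbelow(P - 2)
    return x, pow(G, x, P)


def H(label, *parts):
    """Domain-separated hash standing in for H0 (label 0) and H1 (label 1)."""
    h = hashlib.sha256(bytes([label]))
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()


def enc_pwd(pwd, value):
    """ENC_Pwd(B): XOR the 16-byte group element with a password-derived mask (toy cipher)."""
    mask = int.from_bytes(hashlib.sha256(b"mask|" + pwd).digest()[:16], "big")
    return value ^ mask


dec_pwd = enc_pwd  # XOR is its own inverse


def plain_dh():
    """Unauthenticated DH between honest parties: K = B^a = A^b."""
    a, A = dh_share()
    b, B = dh_share()
    return pow(B, a, P) == pow(A, b, P)


def plain_dh_under_mitm():
    """The attacker substitutes E = g^e for both shares and ends up sharing a key with each side."""
    a, A = dh_share()
    b, B = dh_share()
    e, E = dh_share()
    k_client, k_server = pow(E, a, P), pow(E, b, P)      # CLIENT: E^a, SERVER: E^b
    kc, ks = pow(A, e, P), pow(B, e, P)                  # attacker: KC = A^e, KS = B^e
    return k_client == kc and k_server == ks


def pake(pwd_client, pwd_server):
    """Honest run of the password-based flow. Returns (server_accepted, keys_match)."""
    a, A = dh_share()                                    # CLIENT: a ← [p-1], A ← g^a
    b, B = dh_share()                                    # SERVER: b ← [p-1], B ← g^b
    ct = enc_pwd(pwd_server, B)                          # SERVER -> CLIENT: ENC_Pwd(B)
    B_c = dec_pwd(pwd_client, ct)                        # CLIENT: B = DEC_Pwd(.)
    dh_c = pow(B_c, a, P)                                # DH_C = B^a
    key_c, auth = H(0, pwd_client, dh_c), H(1, pwd_client, dh_c)
    dh_s = pow(A, b, P)                                  # SERVER: DH_S = A^b
    if auth != H(1, pwd_server, dh_s):                   # AUTH check, else ERROR
        return False, False
    return True, key_c == H(0, pwd_server, dh_s)


def pake_under_mitm(pwd, guess):
    """Active attacker who replaces the shares with E = g^e and knows only a password
    guess. Returns whether the server accepts the attacker's AUTH."""
    b, B = dh_share()                                    # SERVER
    e, E = dh_share()                                    # attacker: e ← [p-1], E ← g^e
    ct = enc_pwd(pwd, B)                                 # SERVER's ENC_Pwd(B), intercepted
    B_guess = dec_pwd(guess, ct)                         # decrypted under the guess
    forged_auth = H(1, guess, pow(B_guess, e, P))        # attacker's view of DH_S = B^e
    dh_s = pow(E, b, P)                                  # SERVER got E in place of A
    return forged_auth == H(1, pwd, dh_s)


if __name__ == "__main__":
    print("plain DH agrees:", plain_dh())
    print("plain DH under MITM broken:", plain_dh_under_mitm())
    print("PAKE honest:", pake(b"correct horse", b"correct horse"))
    print("PAKE MITM with wrong guess accepted:", pake_under_mitm(b"s3cret", b"guess"))
```

The encrypted flow is what denies the attacker B, and the AUTH value bound to Pwd and DH is what lets the server notice the substitution; without Pwd the attacker's forged AUTH matches only with negligible probability.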
