
Input-shrinking functions: theory and application

Input-shrinking functions: theory and application. PhD candidate: Francesco Davì, Computer Science Department, Sapienza University of Rome. Reviewers: Prof. Mirosław Kutiłowski, Dr. Ivan Visconti. Thesis committee: Dr. Stefan Dziembowski (advisor)


Presentation Transcript


  1. Input-shrinking functions: theory and application. PhD candidate: Francesco Davì, Computer Science Department, Sapienza University of Rome. Reviewers: Prof. Mirosław Kutiłowski, Dr. Ivan Visconti. Thesis committee: Dr. Stefan Dziembowski (advisor), Prof. Luigi Vincenzo Mancini, Prof. Alessandro Mei. Rome, 02/03/2012

  2. PhD Activity: Cryptography on Non-Trusted Machines Project
  • F. Davì, S. Dziembowski and D. Venturi: Leakage-Resilient Storage. In J. Garay and R. De Prisco (eds.), Seventh Conference on Security and Cryptography for Networks (SCN 2010), LNCS 6280, Springer 2010.
  Input-shrinking functions: theory and application. Francesco Davì

  3. Conferences, workshops and schools
  • Seventh Conference on Security and Cryptography for Networks (SCN 2010), Amalfi, 13-15 September 2010;
  • Workshop on Provable Security against Physical Attacks, Leiden, 15-19 February 2010;
  • Theory of Cryptography Conference (TCC 2010), Zurich, 9-11 February 2010;
  • Summer School on Provable Security, Barcelona, 7-11 September 2009;
  • Bertinoro International Spring School (BiSS 2009), Bertinoro, 2-6 March 2009;
  • Berlin-Poznan Seminar / ASZ Workshop 2008, Humboldt-Universität, Berlin, 20-21 June 2008.

  4. Experiences abroad
  • May-July 2011: visiting student, Cryptography and Data Security Group, Uniwersytet Warszawski, Warsaw, Poland;
  • May-June 2008: Methods for Discrete Structures (Pre)Doc-Course 2008 on Random and Quasirandom Graphs, Humboldt-Universität, Berlin, Germany.

  5. Outline
  • Introduction and Motivations
  • Leakage-Resilient Storage
  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

  6. Cryptography: the design of secure cryptographic schemes. For a long time this was mostly based on intuition and experience, and the resulting solutions were broken in a short time.

  7. Provable security (1/2)
  • Formal definition of security and of the adversarial model
  • Formal proof of security: no adversary can break the scheme
  Kinds of security:
  • Information-theoretic (unbounded adversary)
  • Standard model (reduction from hard problems)
  • Random Oracle Model (idealised cryptographic hash functions)

  8. Provable security (2/2): security against all known (and even future) attacks within the model. The field developed very fast and attained a large number of secure cryptographic schemes.

  9. Problem: once implemented, some of the schemes were broken! It is easy for a real implementation to step out of the security model.

  10. Black-box model: the adversary chooses the input X, the cryptosystem (CRYPTO) runs, and the adversary receives the output Y. She gets no information about the internal state of the cryptosystem.

  11. Information leakage: the cryptosystem runs on a machine (PC, smartcard, ...). The adversary chooses X and receives Y together with leakage λ.
  During the execution, the adversary can measure:
  • power consumption
  • electromagnetic radiation
  • time
  • sound
  These are side-channel attacks. Even partial leakage suffices to completely break a scheme.

  12. Side-channel attacks exploit physical measurements on real devices. Practitioners find countermeasures (and discover new attacks); these countermeasures are
  • mostly ad-hoc,
  • often without a formal proof of security,
  • unable to provide security against all possible attacks.
  Recent trend: extend the realm of provable security to cover them.

  13. Leakage-Resilient Cryptography: design protocols that are secure even if they are implemented on machines that may leak information.

  14. Leakage-Resilient Cryptography: The Models
  • Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10, DP10, KP10, DF11): only computation leaks; total leakage unbounded
  • Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10): all the memory leaks; total leakage bounded
  • Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
  • Continual memory-leakage (BKKV10, DHLW10, BSW11, LRW11, LLW11, DLWW11): all the memory leaks; total leakage unbounded

  15. Leakage model: the adversary is allowed to learn (adaptively) the values of some leakage functions, chosen by her, evaluated on the internal state of the cryptographic scheme.

  16. Examples of assumptions (1/2)
  • "Probing Attacks" [ISW03]: the state S is a Boolean circuit and the adversary can learn the values on up to t wires.
  • "Memory Attacks" [AGV09], Bounded-Retrieval Model: the adversary learns Λ(S) for an input-shrinking function Λ of her choice.

  17. Examples of assumptions (2/2)
  • [FRRTV10, DDV10]: the adversary learns Λ(S) for an input-shrinking Λ of low complexity.
  • [MR04, DP08, DDV10]: the state is split into parts S0, S1 and the adversary learns Λ(S0) and Λ(S1) for input-shrinking Λ, each leakage function being applied to one part only.

  18. General goal: design models that are
  • realistic (i.e. they correspond to real-life adversaries), and
  • allow one to construct secure schemes.
  There is a tradeoff between the two.

  19. Outline
  • Introduction and Motivations
  • Leakage-Resilient Storage
  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

  20. Contribution: Leakage-Resilient Storage, an encoding scheme to securely store data on hardware that may leak information.
  PROS: information-theoretic solution.
  CONS: the analysis of concrete parameters does not seem to allow for efficient feasibility in practice.

  21. Leakage-Resilient Storage (an All-Or-Nothing Transform)
  Enc: m → Enc(m); Dec: Enc(m) → m. Note: no secret key. It should be hard to reconstruct a message if not all the bits of its encoding are known.
  The adversary is computationally unbounded (very realistic) and chooses (adaptively) t functions Λ1, ..., Λt with Λi: {0,1}^|Enc(m)| → {0,1}^λi ∈ Γ. Each Λi is input-shrinking and retrieves λi bits; the total leakage is < λ < |Enc(m)|. Decode ∈ Γ.

  22. Security definition: a scheme (Enc, Dec) is secure if, for every m0, m1, no adversary can distinguish Enc(m0) from Enc(m1). We will require that m0, m1 are chosen by the adversary.

  23. Adversary model: consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m). The adversary applies her leakage functions to the whole encoding, learning Λi(Enc(m)) = Λi(Rand, f(Rand) ⊕ m); a weak adversary applies them to the randomness only, learning Λ'i(Rand).

  24. Lemma: for any family of functions Γ, if an encoding scheme is secure against weak adversaries then it is also secure against (full) adversaries, with a security loss of 2^α, where α is the length of the message.

  25. Problem: for a fixed family Γ, how to construct a secure (Enc, Dec)? Two kinds of restriction on Γ are considered:
  • each leakage function can depend only on some restricted part of the memory: use randomness extractors;
  • the cardinality of Γ is restricted: use l-wise independent hash functions.

  26. Two-source Extractor: a deterministic function that takes two sources (independent, random, possibly far from uniform, but each with a lot of min-entropy) and outputs an extracted string that is almost uniformly random.

  27. Memory divided into 2 parts: construction (for the case where each leakage function can depend only on some restricted part of the memory)
  Memory parts M0 = R0 and M1 = R1, with Ext a two-source extractor.
  Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m)
  Dec(R0, R1, m*) := Ext(R0,R1) ⊕ m*

  28. Proof idea (recall Enc(m) := (R0, R1, Ext(R0,R1) ⊕ m)). By the lemma it suffices to show that (Enc, Dec) is secure against every weak adversary. One can prove that, even given Λ'1(Ri), ..., Λ't(Ri) for each part, R0 and R1
  • are still independent, and
  • still have high min-entropy (with high probability),
  so the extractor output hiding m is still almost uniform.
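The construction of slides 25-28 as an added Python example (not the thesis' or the DDV10 paper's code): the memory is split into two parts R0, R1, and a small oracle enforces the leakage model of slides 21 and 27, each Λi reading only one part and the total leakage staying below λ. Assumptions: the extractor is the inner product over the prime field Z_P (the slides only say "two-source extractor"), and addition modulo P plays the role of ⊕ on bit strings.

```python
import os
from typing import Callable, List, Tuple

P = (1 << 61) - 1   # assumption: extractor over Z_P with P = 2^61 - 1 (a Mersenne prime)
N = 16              # each memory part R0, R1 holds N field elements

def rand_part() -> List[int]:
    """One memory part: N uniformly random elements of Z_P."""
    return [int.from_bytes(os.urandom(16), "big") % P for _ in range(N)]

def ext(r0: List[int], r1: List[int]) -> int:
    """Two-source extractor, assumed here to be the inner product over Z_P.
    Given independent R0, R1 that each keep enough min-entropy after the
    leakage, the output is close to uniform in Z_P (proof idea of slide 28)."""
    return sum(a * b for a, b in zip(r0, r1)) % P

def enc(m: int) -> Tuple[List[int], List[int], int]:
    """Enc(m) := (R0, R1, Ext(R0,R1) + m mod P). No secret key; m is in Z_P."""
    r0, r1 = rand_part(), rand_part()
    return r0, r1, (ext(r0, r1) + m) % P

def dec(r0: List[int], r1: List[int], m_star: int) -> int:
    """Dec(R0, R1, m*) := m* - Ext(R0,R1) mod P."""
    return (m_star - ext(r0, r1)) % P

class SplitMemory:
    """Leakage oracle: the adversary picks the leakage functions adaptively,
    but each one may read only ONE of the two parts, its output is truncated
    to lam_i bits, and the total leaked bits stay strictly below the bound lam."""
    def __init__(self, r0: List[int], r1: List[int], lam: int) -> None:
        self.parts, self.lam, self.used = (r0, r1), lam, 0

    def leak(self, part: int, fn: Callable[[List[int]], int], lam_i: int) -> int:
        if self.used + lam_i >= self.lam:
            raise PermissionError("total leakage would reach the bound lam")
        out = fn(self.parts[part]) & ((1 << lam_i) - 1)   # fn sees R0 or R1, never both
        self.used += lam_i
        return out

def roundtrip(m: int) -> int:
    """Encode m, then decode from the stored parts; returns the recovered message."""
    r0, r1, m_star = enc(m)
    return dec(r0, r1, m_star)
```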

  29. Problem (recalled): for a fixed family Γ, how to construct a secure (Enc, Dec)?
  • each leakage function can depend only on some restricted part of the memory: randomness extractors (done);
  • the cardinality of Γ is restricted: l-wise independent hash functions (next).

  30. l-wise independent hash functions: a family H = {h_s : X → Y}_{s ∈ I} is l-wise independent if, for uniformly random s ∈ I and any l distinct inputs {x1, ..., xl} ∈ X^l, the tuple (h_s(x1), ..., h_s(xl)) is uniform over Y^l.

  31. Boolean circuits of small size: construction (for the case where the cardinality of Γ is restricted, e.g. Γ = the set of functions computable by Boolean circuits of a fixed size)
  Let H = {h_s : X → Y}_{s ∈ I} be l-wise independent and R ∈ X be random.
  Enc_s(m) := (R, h_s(R) ⊕ m)
  Dec_s(R, m*) := h_s(R) ⊕ m*

  32. Outline
  • Introduction and Motivations
  • Leakage-Resilient Storage
  • Authenticated Key Exchange protocol in the Bounded-Retrieval Model

  33. Contribution: AKE protocol in the BRM. Client and Server share a huge random file; the attacker can retrieve a large portion of it. The Authenticated Key Exchange (AKE) protocol must
  • provide Client and Server with a short shared key,
  • give client-to-server authentication,
  • be secure against active attackers.
  PROS: protocol analysis plus an efficient implementation.
  CONS: Random Oracle model.

  34. Key Exchange protocol: Client and Server run a key exchange and both end up with a Key. Problem: man-in-the-middle attack. Solution: Authenticated Key Exchange protocol.

  35. Authentication: Client and Server share a Password; a Password-based Authenticated Key Exchange protocol (built on a Key Exchange protocol) gives both a Key.

  36. AKE: a general paradigm. Cash, Ding, Dodis, Lee, Lipton and Walfish, "Intrusion-resilient key exchange in the Bounded Retrieval Model", TCC (2007).
  • Client and Server first run a Weak Key Exchange protocol, which gives both a low-entropy, human-memorizable Password.
  • They then run a Universally-Composable Password-based Authenticated Key Exchange protocol on that Password, which gives both the Key. It cannot be implemented in the standard model.

  37. Contribution: new AKE protocol in the BRM. Setup: a long shared secret random file F; the adversary learns Λ(F) for an input-shrinking function Λ and is active over the channel.
  • Weak Key Exchange protocol: gives Client and Server a Password that is indistinguishable from random even given Λ(F).
  • Universally-Composable Password-based Authenticated Key Exchange protocol (Random Oracle model): gives both the Key.
  Implemented using the OpenSSL crypto library.

  38. Contribution: Weak Key Exchange protocol (1/3). Setup: a long shared secret random file F; the adversary learns Λ(F) and is active over the channel. Client and Server run the Weak Key Exchange protocol and obtain a shared Password. We prove that, even given Λ(F), the Password has high min-entropy (with high probability), i.e. the shared passwords are individually unpredictable for the adversary.

  39. Contribution: Weak Key Exchange protocol (2/3). Setup: a long shared secret random file F (shown on the slide as a long bit string).
  • Client chooses random indexes IDX_CLIENT and sends them to Server; Server chooses random indexes IDX_SERVER and sends them to Client.
  • Each side creates the password by concatenating the corresponding bits of F.
  Drawback: several large numbers (the indexes) have to be sent.

  40. Contribution: Weak Key Exchange protocol (3/3). Setup: a long shared secret random file F. Random Oracle model; public parameter: a cryptographic hash function H.
  • Client chooses a random short SEED_CLIENT and Server a random short SEED_SERVER; they exchange the seeds (the adversary, holding Λ(F), sees them).
  • Each side calculates the indexes IDX_i = H(i|SEED) and creates the password by concatenating the corresponding bits of F.
  The password stays unpredictable for the adversary.
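The password derivation of slides 39-40 as an added Python example (not the thesis' OpenSSL implementation): both parties derive the index sets from the exchanged seeds with IDX_i = H(i|SEED), concatenate the corresponding bits of F, and a helper counts how many password bits stay unknown to an attacker who has already retrieved part of F. Assumptions: H = SHA-256, i encoded as a 4-byte big-endian integer, indexes reduced modulo the length of F in bits, and the client's indexes placed before the server's.

```python
import hashlib
import os
from typing import List, Set

def derive_indexes(seed: bytes, t: int, n_bits: int) -> List[int]:
    """IDX_i = H(i | SEED) for i = 1..t, reduced modulo the length of F in bits.
    Assumptions: H is SHA-256 and i is encoded as a 4-byte big-endian integer."""
    out = []
    for i in range(1, t + 1):
        digest = hashlib.sha256(i.to_bytes(4, "big") + seed).digest()
        out.append(int.from_bytes(digest, "big") % n_bits)
    return out

def bit_at(f: bytes, pos: int) -> int:
    """Bit number pos of F, most significant bit of each byte first."""
    return (f[pos >> 3] >> (7 - (pos & 7))) & 1

def wke_indexes(f: bytes, seed_client: bytes, seed_server: bytes, t: int) -> List[int]:
    """Index set both sides agree on after exchanging seeds (client's first; assumed order)."""
    n_bits = len(f) * 8
    return derive_indexes(seed_client, t, n_bits) + derive_indexes(seed_server, t, n_bits)

def wke_password(f: bytes, seed_client: bytes, seed_server: bytes, t: int) -> str:
    """Password = concatenation of the bits of F at the agreed indexes (2t bits)."""
    return "".join(str(bit_at(f, i)) for i in wke_indexes(f, seed_client, seed_server, t))

def bits_unknown_to_attacker(indexes: List[int], retrieved: Set[int]) -> int:
    """Password bits at positions the attacker did NOT retrieve from F. With a
    retrieved fraction r of F this is about (1 - r) * 2t: the unpredictable
    part of the password that gives it the min-entropy claimed on slide 38."""
    return sum(1 for i in indexes if i not in retrieved)

def demo(t: int = 64) -> bool:
    """Constructed run: random 64 KiB file F and one fresh seed per party;
    both sides must derive the same 2t-bit password."""
    f = os.urandom(64 * 1024)
    seed_client, seed_server = os.urandom(16), os.urandom(16)   # exchanged in the clear
    pw_client = wke_password(f, seed_client, seed_server, t)
    pw_server = wke_password(f, seed_client, seed_server, t)
    return pw_client == pw_server and len(pw_client) == 2 * t
```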

  41. AKE: a general paradigm (recalled). Client and Server run the Weak Key Exchange protocol to obtain a shared Password, then the Universally-Composable Password-based Authenticated Key Exchange protocol to obtain the Key.

  42. UC Password-based AKE protocol: Abdalla, Catalano, Chevalier and Pointcheval, "Efficient two-party password-based key exchange protocols in the UC framework", CT-RSA (2008). A (modified) Diffie-Hellman key exchange:
  • no assumptions on the distribution of the passwords;
  • one flow is encrypted;
  • two cryptographic hash functions are used to compute the secret key and to provide authentication.

  43. Forward security. Setup: a long shared secret random file F; the adversary learns Λ(F). The Weak Key Exchange protocol yields the Password, and the Universally-Composable Password-based AKE protocol runs a Diffie-Hellman key exchange encrypted with the Password. On the slide the adversary, even holding F, has the established Keys marked as unknown ("?").

  44. Experimental results. Parameters: security parameter, leakage, shared file size, t = number of indexes. Running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 4GB of RAM, under the 64-bit version of Ubuntu 11.04.

  45. Number of indexes (chart)

  46. PAKE protocol running time (chart)

  47. WKE protocol running time (chart)

  48. Thank you!

  49. Main idea of this line of research: to achieve security one assumes that the power of the adversary during the "physical attack" is "limited in some way"; this assumption should be justified by some physical characteristics of the device.

  50. Security definition. Let Enc: {0,1}^α → {0,1}^β and Dec: {0,1}^β → {0,1}^α. The game between the adversary and the oracle:
  • the adversary chooses m0, m1 ∈ {0,1}^α;
  • the oracle chooses a random b ∈ {0,1} and calculates τ := Enc(m_b);
  • for i = 1, ..., t the adversary chooses Λi: {0,1}^β → {0,1}^λi ∈ Γ, and the oracle calculates and returns Λi(τ);
  • the adversary outputs b' and wins if b' = b.
  (Enc, Dec) is (Γ, λ, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε (ε is the advantage).
