RECENT PROGRESS IN
LEAKAGE-RESILIENT CRYPTOGRAPHY
Daniel Wichs (NYU) (China Theory Week 2010)
Leakage Attacks
Cryptography relies on secrets.
Cryptographic devices: [diagram: input → device holding secret keys → output]
In reality, many “side-channels”! Timing, power, radiation, heat, acoustics… Secrets can leak!
Natural response: Not our problem. Blame the “engineers” – they should fix this!
Theory/Crypto can help!
Cryptography With Leakage
Can we do cryptography with incomplete secrecy?
Need a way to model leakage first!
In this talk: Adv can learn arbitrary information about the secret key as long as its amount is bounded. [AGV09]
Adv specifies any poly-time function Leak : {0,1}* → {0,1}^L. Learns the output Leak(sk).
[diagram: sk → Leak() → Leak(sk); L = leakage bound]
Leakage Resilient Cryptography
Password Login and One-Way Functions.
Identification Schemes and Signatures.
Public-Key Encryption.
Password Login Scheme
[diagram: Bob holds (pkBob, skBob), Alice holds pkBob. Prover Bob sends skBob to Verifier Alice → accept]
Leakage Stage: Adv applies Leak() to skBob and learns Leak(sk).
Impersonation Stage: Adv sends a guess sk’ to Alice → reject!
Using One-Way Functions
[diagram: Bob holds (pkBob = f(x), skBob = x), Alice holds pkBob = y. Prover Bob sends x to Verifier Alice. Accept iff y = f(x)]
Standard OWF: get y = f(x), hard to find any x’ ∈ f^-1(y). Suffices for regular “password login” security.
L-LR OWF: get y = f(x) & Leak(x), hard to find x’ ∈ f^-1(y). Not satisfied by general OWFs (easy counter-examples). … but can be constructed from general OWFs.
OWF ⇒ SPRF ⇒ LR-OWF
OWF: get y = f(x), hard to find any x’ ∈ f^-1(y).
L-LR OWF: also get L bits of leakage about x.
SPRF: get x, hard to find any x’ ≠ x s.t. f(x’) = f(x).
Non-triviality: input length n > output length k.
Can build from any OWF for any n = poly(k) [Rom90].
[diagram: Domain → Range; x and x’ both map to y = f(x)]
Theorem [ADW09,KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR OWF for L ≈ n - k.
Proof: Any SPRF is LR-OWF
Theorem [ADW09,KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR-OWF for L ≈ n – k.
[diagram: x in Domain maps to y = f(x) in Range]
Assume: Can break L-LR-OWF. There is an efficient A s.t. A( f(x), Leak(x) ) = x’ s.t. f(x’) = f(x).
Conclude: Can break SPR. Let B(x) = A( f(x), Leak(x) ).
B succeeds if (1) A succeeds, (2) A does not return x’ = x.
A has too little info about x: |f(x)| + |Leak(x)| = k + L, so Pr[A guesses x] < 2^(k+L-n).
Corollary: If OWF exist then L-LR-OWF exist with L = (1-o(1))n.
Open Question: Can we get LR-OWF that are Permutations?
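The counting step of the proof above, checked by brute force. This is an added example, not code from the slides or from [ADW09,KV09]; `f`, `leak_low_bits`, `inverter_A` and `reduction_B` are constructed names. The toy map f: {0,1}^10 → {0,1}^4 is far too small to be second-preimage resistant, but the information bound does not depend on that: the output of any A is a function of the view (f(x), Leak(x)), which takes at most 2^(k+L) values, so A returns x itself for at most 2^(k+L) inputs x, and the reduction B(x) = A(f(x), Leak(x)) finds a second preimage on all the others.

```python
# Added example, not from the slides: brute-force check of the counting
# argument behind "any SPRF is an L-LR OWF" on a constructed toy function.
import hashlib
from collections import defaultdict

N_BITS = 10   # input length n
K_BITS = 4    # output length k (so L = n - k = 6 bits of leakage is the limit)

def f(x: int) -> int:
    """Constructed toy compressing function: the top k bits of SHA-256(x)."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - K_BITS)

def leak_low_bits(x: int, ell: int) -> int:
    """One admissible leakage function Leak: the ell low-order bits of x."""
    return x & ((1 << ell) - 1)

def views(leak, ell):
    """Group every x by the adversary's view (f(x), Leak(x))."""
    table = defaultdict(list)
    for x in range(1 << N_BITS):
        table[(f(x), leak(x, ell))].append(x)
    return table

def inverter_A(view_table, y, lk):
    """An unrealistically strong L-LR-OWF adversary: it has the whole table
    and returns the smallest x' consistent with its view (so f(x') = y)."""
    return view_table[(y, lk)][0]

def reduction_B(x, leak, ell, view_table):
    """The SPR adversary from the slide: B(x) = A(f(x), Leak(x))."""
    return inverter_A(view_table, f(x), leak(x, ell))

def max_guess_probability(leak, ell):
    """Best possible Pr[A(f(x), Leak(x)) = x] over uniform x: any A is right
    for at most one x per distinct view, so it is (#views) / 2^n."""
    return len(views(leak, ell)) / (1 << N_BITS)

def reduction_success_rate(leak, ell):
    """Fraction of inputs x for which B returns a second preimage x' != x."""
    table = views(leak, ell)
    wins = 0
    for x in range(1 << N_BITS):
        x2 = reduction_B(x, leak, ell, table)
        assert f(x2) == f(x)          # A always inverts; the only risk is x' == x
        wins += (x2 != x)
    return wins / (1 << N_BITS)

def bound(ell):
    """The slide's bound 2^(k+L-n) on Pr[A guesses x]."""
    return 2.0 ** (K_BITS + ell - N_BITS)

if __name__ == "__main__":
    for ell in (0, 2, 5):
        print(f"L={ell}: Pr[A guesses x] <= {max_guess_probability(leak_low_bits, ell):.4f}"
              f" (bound {bound(ell):.4f}); B finds x' != x on"
              f" {reduction_success_rate(leak_low_bits, ell):.4f} of inputs")
```

Swapping `leak_low_bits` for any other function of x with an ell-bit output leaves the bound intact, which is the point of the model: the leakage function is arbitrary, only its output length matters.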
Leakage Resilient Cryptography
Password Login and One-Way Functions.
Identification Schemes and Signatures.
Public-Key Encryption.
Identification Schemes
[diagram: Bob holds (pkBob, skBob), Alice holds pkBob. Prover Bob ↔ Verifier Alice → accept]
Learning Stage: Adv, holding pkBob, interacts with Bob as a verifier.
Impersonation Stage: Adv tries to convince Alice → reject!
Leakage-Resilient Identification [ADW09]
[diagram: Bob holds (pkBob, skBob), Alice holds pkBob; Adv interacts with Bob and applies Leak() to skBob]
Learning Stage: Adv interacts with Bob, and Bob’s key can leak!!! (during learning stage, not afterward)
Impersonation Stage: Adv tries to convince Alice → reject!
Tool: Zero-Knowledge Proof of Knowledge
[diagram: Prover (instance y, witness x, NP relation R) ↔ Verifier → Accept/Reject]
– Witness Indistinguishable (WI): Even if V dishonest, cannot tell which x is being used by the prover.
– Proof of Knowledge (PoK): Even if P dishonest, can extract some valid witness x’ for y from P.
ID Schemes from ZK-PoK
Assume: f : {0,1}^n → {0,1}^k is SPR and is ZK-PoK for y = f(x).
ID scheme: Bob holds (y, x), Alice holds y; Bob proves knowledge of x for y.
Thm [ADW09]: is a secure L-LR ID scheme for L ≈ n-k.
Pf: Assume Adv breaks ID security.
Learning Stage: Adv sees y = f(x) (k bits), leakage (L bits), and interaction with P(x) (0 bits, by Witness Ind.): only k + L < n bits of info on x.
Impersonation Stage: by Proof-of-Knowledge, extract x’ ∈ f^-1(y) from Adv; with too little info on x, x’ ≠ x.
To break SPR: Simulate “Learning Stage” to Adv with x. Extract x’ ≠ x.
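A toy instantiation of the pattern above, added here as an example (it is not code from the slides or from [ADW09]). It assumes f(x1, x2) = g1^x1 · g2^x2 in a prime-order group, which is compressing and second-preimage resistant under discrete log, and uses the Okamoto-style sigma protocol as the ZK-PoK for y = f(x); the group (p = 23, q = 11), the names `prover_commit`, `prover_respond`, `verify`, `extract` and `witness_indistinguishable` are all constructed. The group is tiny so that both properties the proof relies on can be checked exhaustively: witness indistinguishability (the interaction reveals 0 bits about which x ∈ f^-1(y) the prover holds) and extraction (two accepting transcripts with the same commitment yield some x’ ∈ f^-1(y)). At this size the scheme gives no security; it only shows the mechanics.

```python
# Added example, not from the slides: Okamoto-style ID scheme for
# f(x1, x2) = g1^x1 * g2^x2 in a constructed 11-element group.
import secrets

P = 23            # p = 2q + 1
Q = 11            # prime order of the subgroup of squares mod p
G1, G2 = 4, 9     # two generators of that subgroup (2^2 and 3^2 mod 23)

def f(x1, x2):
    """pk = f(sk): maps Z_q^2 (121 secret keys) onto the group (11 elements)."""
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def prover_commit(rng=secrets.randbelow):
    r = (rng(Q), rng(Q))
    return r, f(*r)                     # keep r secret, send a = f(r)

def prover_respond(sk, r, c):
    (x1, x2), (r1, r2) = sk, r
    return ((r1 + c * x1) % Q, (r2 + c * x2) % Q)

def verify(pk, a, c, z):
    return f(*z) == a * pow(pk, c, P) % P

def run_protocol(sk, pk, rng=secrets.randbelow):
    """One honest execution: commit, random challenge, response, verdict."""
    r, a = prover_commit(rng)
    c = rng(Q)
    z = prover_respond(sk, r, c)
    return a, c, z, verify(pk, a, c, z)

def extract(a, c1, z1, c2, z2):
    """PoK extractor: from two accepting transcripts sharing the commitment a
    with challenges c1 != c2, recover some x' with f(x') = pk."""
    inv = pow((c1 - c2) % Q, -1, Q)
    return ((z1[0] - z2[0]) * inv % Q, (z1[1] - z2[1]) * inv % Q)

def transcript_set(sk, c):
    """Every (a, z) a prover holding sk can produce for challenge c."""
    return frozenset((f(r1, r2), prover_respond(sk, (r1, r2), c))
                     for r1 in range(Q) for r2 in range(Q))

def witness_indistinguishable(pk):
    """WI check: all q witnesses of pk yield identical transcript sets for
    every challenge, so the interaction reveals 0 bits about which x is used."""
    witnesses = [(x1, x2) for x1 in range(Q) for x2 in range(Q) if f(x1, x2) == pk]
    if len(witnesses) != Q:
        return False
    return all(len({transcript_set(w, c) for w in witnesses}) == 1 for c in range(Q))

if __name__ == "__main__":
    sk = (3, 7)
    pk = f(*sk)
    print("honest run accepted:", run_protocol(sk, pk)[3])
    print("witness indistinguishable:", witness_indistinguishable(pk))
```

The extractor is exactly the tool the proof uses in the impersonation stage: whatever Adv learned during the learning stage, the x’ it yields is a preimage of y, and since the learning stage gave it fewer than n bits about x, that preimage is a second preimage with high probability.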
LR Signatures [ADW09,KV09,DHLW09,BSW10]
Similar to ID schemes with two big differences: Cannot have interaction. Need to bind each execution to a message.
Solution: use Non-Interactive ZK-PoK for x. Various techniques to bind proofs to messages (tricky): Random Oracles [ADW09], “Simulation-Sound” Proofs [KV09], CCA Encryption [DHLW10].
Leakage Resilient Cryptography
Password Login and One-Way Functions.
Identification Schemes and Signatures.
Public-Key Encryption.
LR Public-Key Encryption [AGV09, NS09]
Leakage on the decryption key prior to seeing the ciphertext.
Hash Proof Enc Scheme [AGV09, NS09]
Enc scheme with sk = x, pk = f(x) for some SPRF f.
[diagram: Secret Key space → (f) → Public Key Space; ENC_PK(M) = C; DEC_SK(C) = M]
Correctness: All x ∈ f^-1(pk) decrypt C to the correct M.
Fake Encryption: C̃ = Fake(pk). Decryption depends on x: different x ∈ f^-1(pk) decrypt C̃ to different messages M1, M2, M3. Can’t distinguish C̃ from C (even given x).
Proof: Hash Proof Enc is LR [AGV09, NS09]
[diagram: “Real World”: C = RealENC_PK(M), DEC_SK(C) = M. “Fake World”: C̃ = FakeENC(PK), DEC under different x ∈ f^-1(PK) gives M1, M2, M3. Adv sees PK = y, L(SK) and the ciphertext; Real World ≈ Fake World]
In the Fake World the decrypted message depends on which x ∈ f^-1(y) is the secret key, and Adv sees only y and L(SK): k + L < n bits of info on x, as in the SPRF argument.
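The two properties the proof uses, correctness for every preimage and fake ciphertexts whose decryption depends on the preimage, in a toy scheme. This is an added example, not code from the slides or from [AGV09, NS09]; it assumes sk = x = (x1, x2), pk = f(x) = g1^x1 · g2^x2 in a prime-order group, a real ciphertext (g1^r, g2^r, M · pk^r) and a fake one (g1^r, g2^r’) with r ≠ r’, which is the shape of the DDH-based scheme but shrunk to a constructed 11-element group so that all of f^-1(pk) can be enumerated. The names `encrypt`, `fake_encrypt`, `decrypt`, `preimages` and `fake_decryptions` are constructed. Real/fake indistinguishability rests on DDH in a large group and cannot be shown at this size.

```python
# Added example, not from the slides: hash-proof-style encryption with
# sk = (x1, x2), pk = g1^x1 * g2^x2, in a constructed tiny group.
import secrets

P, Q = 23, 11       # p = 2q + 1; q = order of the subgroup of squares mod p
G1, G2 = 4, 9       # two generators of that subgroup

def f(x1, x2):
    """pk = f(sk); compressing, so every pk has q = 11 preimages."""
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def keygen(rng=secrets.randbelow):
    sk = (rng(Q), rng(Q))
    return sk, f(*sk)

def encrypt(pk, m, rng=secrets.randbelow):
    """Real ciphertext: (g1^r, g2^r, m * pk^r); m is a group element mod p."""
    r = rng(Q)
    return (pow(G1, r, P), pow(G2, r, P), m * pow(pk, r, P) % P)

def fake_encrypt(rng=secrets.randbelow):
    """Fake ciphertext: (g1^r, g2^r') with r != r'; the third part is arbitrary."""
    r = rng(Q)
    r2 = (r + 1 + rng(Q - 1)) % Q        # uniformly random r' != r
    return (pow(G1, r, P), pow(G2, r2, P), 1)

def decrypt(sk, ct):
    x1, x2 = sk
    c1, c2, c3 = ct
    k = pow(c1, x1, P) * pow(c2, x2, P) % P   # the "hash proof" value: pk^r on real ciphertexts
    return c3 * pow(k, -1, P) % P

def preimages(pk):
    """All secret keys consistent with pk, i.e. f^-1(pk)."""
    return [(x1, x2) for x1 in range(Q) for x2 in range(Q) if f(x1, x2) == pk]

def all_preimages_decrypt_correctly(pk, ct, m):
    """Correctness property: every x in f^-1(pk) decrypts ct to m."""
    return all(decrypt(x, ct) == m for x in preimages(pk))

def fake_decryptions(pk, fake_ct):
    """Distinct messages a fake ciphertext decrypts to across all of f^-1(pk)."""
    return {decrypt(x, fake_ct) for x in preimages(pk)}

if __name__ == "__main__":
    sk, pk = keygen()
    ct = encrypt(pk, 8)
    print("all preimages decrypt the real ciphertext to 8:",
          all_preimages_decrypt_correctly(pk, ct, 8))
    print("fake ciphertext decrypts to", len(fake_decryptions(pk, fake_encrypt())),
          "different messages across the", len(preimages(pk)), "preimages")
```

Because the adversary's view after leakage leaves many preimages of pk possible, the message the fake ciphertext "contains" from its point of view is undetermined; that is what makes the Fake World argument go through once real and fake ciphertexts are indistinguishable.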
Back to Bigger Picture…
Criticism/Extensions
Q: What if leakage depends on complexity? Bad: more resilience ⇒ more complexity ⇒ more leakage. Fix: Bounded Retrieval Model [Dzi06,…,ADW09, ADNSWW10] [Complexity does not grow with resilience!]
Q: Why is leakage bounded overall? Should “leak-per-use”! Continuous Leakage with “Key Updates” [DHLW10, BKKV10]
Q: Why measure leakage in output “bits”? Noisy Leakage: use “entropy loss” [NS09, DHLW10]. Auxiliary Input: use “hardness of inverting” [DKL09,DGK+10]
Conclusions
Riv97, Boy99, CDH+00, DSS01, KZ03, ISW03, MR04, DP08, GKR08, Pie09, AGV09, ADW09, DKL09, ADN+10, DGK+10, GKPV10, FKPR10, DHLW10a, FRRTV10, JRV10, GR10, DHLW10b, BKKV10, WL10, BSW10,…
Many more models/results (esp. in last 2 years)...
Many open questions, much still left to do!