Leakage-Resilient Storage
Francesco Davì, Stefan Dziembowski, Daniele Venturi
SCN 2010, 13/09/2010
Sapienza University of Rome
Plan
1. Leakage-Resilient Cryptography
   - Motivation
   - Leakage models
2. Our contribution: Leakage-Resilient Storage
   - Definition and Properties
   - Constructions
3. Conclusion
Davì, Dziembowski, Venturi – Leakage-Resilient Storage, SCN 2010, 13/09/2010
How to construct secure cryptographic devices?
[Figure: CRYPTO running on a cryptographic device]
• CRYPTO: very secure; security based on well-defined mathematical problems
• cryptographic device: not secure!
The problem
[Figure: CRYPTO is hard to attack; the cryptographic device is easy to attack]
Information leakage
Side-channel information from a cryptographic device:
• power consumption
• electromagnetic radiation
• timing information
• …
Leakage-Resilient Cryptography
Design cryptographic protocols that are secure even on machines that leak information.
Leakage-Resilient Cryptography: The Models
• Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10): only computation leaks; total leakage unbounded
• Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10): all the memory leaks; total leakage bounded
• Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
• Continual memory-leakage (BKKV10, DHLW10): all the memory leaks; total leakage unbounded
Bounded memory-leakage model
The adversary is allowed to learn (adaptively) the values of t leakage functions (chosen by her) on the internal data used by the cryptographic scheme.
Leakage functions
[Figure: the adversary chooses a leakage function f and retrieves f(x), where x is the internal data of the device.]
• very restricted class: read-off wires (f just reads some of the bits of x)
• general leakage: any input-shrinking function (f(x) is shorter than x)
Plan (continued)
2. Our contribution: Leakage-Resilient Storage
   - Definition and Properties
   - Constructions
Leakage-Resilient Storage
[Figure: Enc maps the message m to the encoding Enc(m); Dec maps Enc(m) back to m. Note: no secret key.]
The adversary
• is computationally unbounded
• chooses (adaptively) t functions g1, …, gt with gi : {0,1}^|Enc(m)| → {0,1}^ci, gi ∈ Γ
• retrieves the ci bits gi(Enc(m))
• total leakage < C, where C < |Enc(m)| (the leakage is input-shrinking)
Remarks on the model:
• very realistic
• Decode ∈ Γ
Related notion: All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.
Security definition
A scheme (Enc, Dec), with Enc : {0,1}^α → {0,1}^β and Dec : {0,1}^β → {0,1}^α, is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1). We will require that m0, m1 are chosen by the adversary.

The game between the adversary and the oracle:
1. the adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle
2. the oracle chooses a random bit b ∈ {0,1} and calculates τ := Enc(mb)
3. for i = 1, …, t: the adversary chooses gi : {0,1}^β → {0,1}^ci with gi ∈ Γ, and the oracle returns gi(τ)
4. the adversary outputs b' and wins if b' = b
(Enc, Dec) is (Γ, C, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε; ε is the adversary's advantage.
Problem
For a fixed family Γ, how to construct secure (Enc, Dec)?
Two cases are considered:
• each leakage function can depend only on some restricted part of the memory → randomness extractors
• the cardinality of Γ is restricted → -wise independent hash functions
A weaker adversary
Consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m).
• the adversary chooses gi and retrieves gi(Enc(m)) = gi(Rand, f(Rand) ⊕ m)
• the weak adversary chooses g'i and retrieves only g'i(Rand)
Lemma
For any Γ, c, t and ε: if an encoding scheme Enc(m) := (Rand, f(Rand) ⊕ m) is (Γ, c, t, ε)-secure against the weak adversary, then it is also (Γ, c, t, ε·2^α)-secure against the adversary, where α is the length of the message.
Proof Idea
Consider an adversary that wins with advantage δ. Construct a weak adversary that simulates it, replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α; the guess z is correct with probability 2^-α. The weak adversary therefore wins with advantage ε = δ·2^-α, i.e. δ = ε·2^α.
Two-source Extractor
[Figure: two independent random sources, source1 and source2, each far from uniform but with a lot of min-entropy, are fed into a deterministic two-source extractor; the extracted string is almost uniformly random.]
Example: inner product modulo 2.
Memory divided into 2 parts: construction
Reminder: each leakage function can depend only on some restricted part of the memory. The memory has two parts, M0 and M1; R0 is stored in M0 and R1 in M1, and Ext(R0, R1) is computed from both.
Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m)
Dec(R0, R1, m*) := m* ⊕ Ext(R0, R1)
Memory divided into 2 parts: contribution
Reminder: each leakage function can depend only on some restricted part of the memory (M0 or M1), and the construction is Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m), Dec(R0, R1, m*) := m* ⊕ Ext(R0, R1).
If Ext is a two-source extractor, then (Enc, Dec) is secure against an adversary whose leakage functions each depend on only one of the two memory parts.
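The two-part construction above and the leakage game from the security-definition slide, as an added example written for this transcript (it is not the authors' code): Python implementing Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m) with the slides' inner-product-mod-2 extractor, and an oracle that answers the weak adversary's queries g'i(R0) or g'i(R1) while enforcing the two restrictions of the model (one memory part per function, total leakage below C). Assumptions of the example: the one-bit extractor is run once per message bit with independent randomness, and the names enc, dec, ext, SplitStateLeakageOracle and extractor_bias are mine. extractor_bias also illustrates the extractor slide's point empirically: two independent sources that are far from uniform but have high min-entropy still give an almost unbiased extracted bit.

```python
# Added example (not from the paper or the slides): leakage-resilient storage with
# the memory split in two parts, using Ext(R0, R1) = <R0, R1> mod 2, plus a
# leakage oracle for the "weak adversary" of the Lemma slide (leakage functions
# see Rand = (R0, R1) only, one part at a time).  Bit strings are Python ints.
import random
import secrets
from typing import Callable, List, Tuple


def inner_product_mod2(r0: int, r1: int) -> int:
    """Two-source extractor from the slides: inner product of two bit strings modulo 2."""
    return bin(r0 & r1).count("1") & 1


def ext(r0: List[int], r1: List[int]) -> int:
    """alpha independent instances of the one-bit extractor give an alpha-bit string
    (assumption of this example: the slides extract one output; we repeat it per bit)."""
    out = 0
    for i, (a, b) in enumerate(zip(r0, r1)):
        out |= inner_product_mod2(a, b) << i
    return out


def enc(m: int, alpha: int, n: int) -> Tuple[List[int], List[int], int]:
    """Enc(m) := (R0, R1, Ext(R0, R1) xor m); no secret key, only fresh randomness."""
    if m >> alpha:
        raise ValueError("message longer than alpha bits")
    r0 = [secrets.randbits(n) for _ in range(alpha)]  # stored in memory part M0
    r1 = [secrets.randbits(n) for _ in range(alpha)]  # stored in memory part M1
    return r0, r1, ext(r0, r1) ^ m


def dec(r0: List[int], r1: List[int], m_star: int) -> int:
    """Dec(R0, R1, m*) := m* xor Ext(R0, R1)."""
    return ext(r0, r1) ^ m_star


class SplitStateLeakageOracle:
    """Answers leakage queries g'_i(R_part) under the two restrictions of the model:
    each function depends on one memory part only, and the total leakage stays below C."""

    def __init__(self, r0: List[int], r1: List[int], c_total: int):
        self._parts = {0: r0, 1: r1}
        self.remaining = c_total
        self.transcript: List[Tuple[int, int]] = []

    def leak(self, part: int, g: Callable[[List[int]], int], out_bits: int) -> int:
        if part not in self._parts:
            raise ValueError("a leakage function must name memory part 0 or 1")
        if out_bits > self.remaining:
            raise PermissionError("total leakage bound C would be exceeded")
        self.remaining -= out_bits
        value = g(self._parts[part]) & ((1 << out_bits) - 1)  # keep only c_i bits
        self.transcript.append((part, value))
        return value


def extractor_bias(n: int, trials: int, fixed_top_bits: int = 0, seed: int = 1) -> float:
    """Fraction of 1s output by the extractor on independent sources whose top
    `fixed_top_bits` bits are forced to 1: far from uniform, min-entropy n - fixed_top_bits."""
    rng = random.Random(seed)
    mask = ((1 << fixed_top_bits) - 1) << (n - fixed_top_bits)
    ones = 0
    for _ in range(trials):
        a = rng.getrandbits(n) | mask
        b = rng.getrandbits(n) | mask
        ones += inner_product_mod2(a, b)
    return ones / trials


def hamming_weight(part: List[int]) -> int:
    """A sample leakage function: total Hamming weight of one memory part."""
    return sum(bin(x).count("1") for x in part)


def demo() -> bool:
    """Round trip plus three leakage queries against a constructed instance."""
    alpha, n = 8, 32
    m = 0b10110010  # constructed sample message
    r0, r1, m_star = enc(m, alpha, n)
    oracle = SplitStateLeakageOracle(r0, r1, c_total=40)
    oracle.leak(0, hamming_weight, 16)  # allowed: depends on R0 only
    oracle.leak(1, hamming_weight, 16)  # allowed: depends on R1 only
    try:
        oracle.leak(0, hamming_weight, 16)  # 48 bits in total would exceed C = 40
    except PermissionError:
        pass
    return dec(r0, r1, m_star) == m
```

The oracle only checks the two restrictions the slides state; it says nothing about which leakage functions are harmless, which is exactly what the two-source-extractor argument on the following slide is for.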
Proof Idea
By the Lemma it suffices to show that (Enc, Dec) is secure against every weak adversary.
Recall Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m). One can prove that even given g'1(R0, R1), …, g't(R0, R1), where each g'i depends on only one of R0 and R1, the two strings R0 and R1
• are still independent
• have high min-entropy (with high probability)
so Ext(R0, R1) is still almost uniform and hides m.
Problem (second case)
For a fixed family Γ, how to construct secure (Enc, Dec)?
• the cardinality of Γ is restricted → -wise independent hash functions
-wise independent hash functions
H = {h_s : X → Y}_{s ∈ I} is -wise independent if, for a uniformly random S ∈ I and any distinct inputs x1, …, x ∈ X, the values h_S(x1), …, h_S(x) are independent and each uniform over Y.
Boolean circuits of small size: construction
Reminder: the cardinality of Γ is restricted; here Γ is the set of functions computable by Boolean circuits of a fixed size.
Let H = {h_s : X → Y}_{s ∈ I} be -wise independent and let R ∈ X be random.
Enc_s(m) := (R, h_S(R) ⊕ m)
Dec_s(R, m*) := h_S(R) ⊕ m*
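As an added example for the construction above (not code from the paper), the following Python instantiates H with the affine family h_{A,b}(x) = A·x ⊕ b over GF(2), which is pairwise (2-wise) independent; the slides' general independence parameter is instantiated as 2 here, which is an assumption of the example, as are the names keygen, hash_eval, enc_s, dec_s and pairwise_max_deviation. The last function samples many seeds S and measures how far the joint distribution of (h_S(x1), h_S(x2)) is from uniform, which is the property the definition on the previous slide asks for.

```python
# Added example (not the paper's code): Enc_s(m) := (R, h_S(R) xor m) with a
# pairwise-independent hash family over GF(2).  Bit strings are Python ints.
import random
import secrets
from itertools import product
from typing import List, Optional, Tuple

# A seed S = (rows of the k x n matrix A, the k-bit vector b); h_{A,b}(x) = A.x xor b.
Seed = Tuple[List[int], int]


def parity(v: int) -> int:
    """Parity of the bits of v, i.e. the inner product behind one output bit."""
    return bin(v).count("1") & 1


def keygen(n: int, k: int, rng: Optional[random.Random] = None) -> Seed:
    """Sample a uniformly random seed S in I; secrets is used unless a seeded rng is given."""
    bits = rng.getrandbits if rng is not None else secrets.randbits
    rows = [bits(n) for _ in range(k)]
    return rows, bits(k)


def hash_eval(seed: Seed, x: int) -> int:
    """h_S(x): bit j of the output is <row_j, x> mod 2, then b is xored in."""
    rows, b = seed
    out = 0
    for j, row in enumerate(rows):
        out |= parity(row & x) << j
    return out ^ b


def enc_s(seed: Seed, m: int, n: int) -> Tuple[int, int]:
    """Enc_s(m) := (R, h_S(R) xor m) with fresh random R in X = {0,1}^n."""
    r = secrets.randbits(n)
    return r, hash_eval(seed, r) ^ m


def dec_s(seed: Seed, r: int, m_star: int) -> int:
    """Dec_s(R, m*) := h_S(R) xor m*."""
    return hash_eval(seed, r) ^ m_star


def pairwise_max_deviation(n: int, k: int, x1: int, x2: int,
                           trials: int, seed: int = 7) -> float:
    """Empirical check of 2-wise independence: over random seeds S, count each
    possible pair (h_S(x1), h_S(x2)) and return the largest |frequency - 1/4^k|.
    For x1 != x2 the pair should be uniform over all 4^k values."""
    rng = random.Random(seed)
    counts = {pair: 0 for pair in product(range(1 << k), repeat=2)}
    for _ in range(trials):
        s = keygen(n, k, rng)
        counts[(hash_eval(s, x1), hash_eval(s, x2))] += 1
    expected = 1.0 / (1 << (2 * k))
    return max(abs(c / trials - expected) for c in counts.values())


def demo() -> bool:
    """Round trip on a constructed 8-bit message with a 16-bit R."""
    n, k = 16, 8
    s = keygen(n, k)
    m = 0xA5
    r, m_star = enc_s(s, m, n)
    return dec_s(s, r, m_star) == m
```

Pairwise independence is the smallest instance of the definition; the construction on the slide needs the parameter tied to the circuit size of Γ, and a larger parameter would require a different family (for example higher-degree polynomials), which this example does not implement.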
Plan (continued)
3. Conclusion
Conclusion and Future work
Achieved:
• We have defined a primitive to securely store information in hardware that may leak information
• We have given constructions of such a scheme in two relevant scenarios
Open:
• Refreshing of the storage
• From storage to computation: compute with encoded data
• Find more applications