LeakageResilient Cryptography New Developments and Challenges Vinod Vaikuntanathan
- Slides: 43
Leakage-Resilient Cryptography New Developments and Challenges Vinod Vaikuntanathan Microsoft Research & U. Toronto
Secrets Information accessible to one party and not to other(s) Essential to cryptography! Theory Real life Secrets leak! [Kocher, Jaffe, Jun’ 98] [Quisquater’ 01] Cache-Timing [Bernstein’ 05, OST’ 05] [Kocher’ 96]
Secrets Leak So, what can we do about it?
Leakage-Resilient Cryptography Can we do Crypto with no (perfect) secrecy? secret Yes (in most cases) public A Fundamental Question in the Foundations of Cryptography
Three Commandments (Axioms of Leakage) I. Secrets leak in arbitrary ways. (except: leakage is polynomial time computable, and does not betray the entire secret key) [Micali-Reyzin’ 04] II. Secrets leak from everywhere. (hard-disk, RAM, cache, registers, randomness sources, …) III. Secrets leak all the time. (No protected time periods)
Interpreting the Commandments (or, Two Leakage Models) A Simple Interpretation: Bounded Leakage [AGV 09] — — Adversary can learn any efficiently computable function L: {0, 1}* → {0, 1} λ of the secret key(*). Total leakage λ < |SK| [AGV 09, NS 09, KV 09, ADW 09, ADN+10, …] sk L(sk) 101 (*) Ideally, leakage from the entire secret state.
Interpreting the Commandments (or, Two Leakage Models) A Simple Interpretation: Bounded Leakage [AGV 09] — Adversary can learn any efficiently computable function L: {0, 1}* → {0, 1} λ of the secret key. — Total leakage λ < |SK| [AGV 09, NS 09, KV 09, ADW 09, ADN+10, …] Variations: λ q Noisy Model [NS’ 09]: H∞(SK | L(SK)) > |SK|- q Auxiliary Input Model [DKL’ 09, DGKPV’ 10]: L is an uninvertible function of SK
Interpreting the Commandments (or, Two Leakage Models) A Realistic Interpretation: Continual Leakage — — [ISW 03 MR 04, DP 08, Pie 09, FKPR 10, FRRTV 10, BKKV 10, DHLW 10…] Adversary can learn any efficiently computable function Li: {0, 1}* → {0, 1}λ of the secret key at each “time-period” Rate of Leakage λ (leakage/time period) < |SK| L 1(sk) sk L 2(sk) 101 001
Interpreting the Commandments (or, Two Leakage Models) A Realistic Interpretation: Continual Leakage — — [ISW 03 MR 04, DP 08, Pie 09, FKPR 10, FRRTV 10, BKKV 10, DHLW 10…] Adversary can learn any efficiently computable function Li: {0, 1}* → {0, 1}λ of the secret key at each “time-period” Rate of Leakage λ (leakage/time period) < |SK| Observations: — Of course, secret key should be refreshed in each time. — Non-trivial: Refresh SK without changing PK (in publickey systems), or without co-ordination (in SK systems)
Talk Plan PART 1: Bounded Leakage Model – One-way Functions – Digital Signatures – Public-key Encryption PART 2: Continual Leakage Model PART 3: Some Research Directions – Leakage-resilient Compilers, Tamper Resistance, …
A Brief History of Leakage in Crypto “We stand on the shoulders of giants…”
A Brief History of Leakage in Crypto q Privacy Amplification [von Neumann’ 46, …, Bennett-Brassard-Robert’ 8 — “Distill an perfectly random shared key from an imperfect one” l Bounded Storage/Retrieval Models [Maurer’ 92, …, Di Crescenzo-Lipton-Walfish’ 06, Dziembowski’ 06] Exposure-Resilient Cryptography [Rivest’ 97, Boyko’ 98, CDHKS’ 00, ISW’ 03, IPSW’ 06] — More generally, MPC, threshold crypto etc. — Leakage = a subset of bits of SK — We want to tolerate arbitrary (PPT) leakage functions (axiom 1)
A Brief History of Leakage in Crypto q Privacy Amplification [von Neumann’ 46, …, Bennett-Brassard-Robert’ 8 — “Distill an perfectly random shared key from an imperfect one” l Bounded Storage/Retrieval Models [Maurer’ 92, …, Di Crescenzo-Lipton-Walfish’ 06, Dziembowski’ 06] Exposure-Resilient Cryptography [Rivest’ 97, Boyko’ 98, CDHKS’ 00, ISW’ 03, IPSW’ 06] v Proactive Cryptography [HJKY’ 95, HJJKY’ 97, R’ 98] — “How to cope with perpetual leakage” (a continual leakage model)
[Ishai-Sahai-Wagner 2003] [Micali-Reyzin 2004] [Dodis-Ong-Prabhakaran-Sahai 2004] [Ishai-Prabhakaran-Sahai-Wagner 2006] [Dziembowski-Pietrzak 2008] [Akavia-Goldwasser-V. 2009] [Pietrzak 2009] [Dodis-Kalai-Lovett 2009] [Naor-Segev 2009] [Dodis-Goldwasser-Kalai-Peikert-V. 2009] [Katz-V. 2009] [Faust-Kiltz-Pietrzak-Rothblum 2009] [Alwen-Dodis-Wichs 2009] [Goldwasser-Kalai-Peikert-V. 2010] [Alwen-Dodis-Naor-Segev-Walfish-Wichs 2009] [Juma-Vahlis. 2010] [Faust-Rabin-Reyzin-Tromer-V. 2010] [Brakerski-Kalai-Katz-V. 2010] [Goldwasser-Rothblum. 2010] [Dodis-Haralambiev-Lopez-alt-Wichs. 2010] [Lewko-Waters. 2010] [Chow-Dodis-Rouselakis-Waters. 2010] [Boyle-Wichs-Segev. 2011] [Kiltz-Pietrzak. 2011]
Bounded Leakage
Leakage-Resilient One-way Functions Easy Observation: “Hardness Leakage-resilience” – Similar connections for other primitives (enc, sig, …) – Need 2 O(n)-hardness to get O(n)-LR.
Leakage-Resilient One-way Functions Theorem [KV 09, ADW 09]: If there are Universal One-way Hash Functions, then there are LR one-way functions. – Corollary [NY 89, Rom 90]: If OWF exist, then LR OWFs exist.
Leakage-Resilient One-way Functions Proof: q Information-theoretic + Crypto techniques q A Blue-print for most leakage-resilience proofs
Leakage-Resilient One-way Functions Proof: reduction (UOWHF-breaker) adversary
Leakage-Resilient One-way Functions y=f(x) x Proof: reduction adversary — H∞(x) = n — Adversary returns x'≠x w. p ≥ 1/2 → breaks UOWHF
A Blueprint for Leakage Proofs — Problem with many solutions — Hard: given one solution, find another — Security redn has one soln, computes leakage using that — Adversary doesn’t have enough info to pin-point the solution (information-theoretic argument) — Adversary returns a different soln, unwittingly solves the hard problem (computational argument)
Leakage-Resilient Signatures PK m sk Sign. SK(m) L L(SK) Cannot produce sign for a new m*
Leakage-Resilient Signatures Theorem [KV 09]: λ-leakage-resilient OWF (+simulationextractable NIZK [S 99, DDOPS 01]) → λ-leakage-resilient signatures similar to [Bellare-Goldwasser’ 92] PK: (f, y=f(x), CRSnizk), where f is an λ-LR OWF, SK: x Sign(m): Sim. Ext-NIZKm for “∃x s. t PK contains h(x)” Proof Idea: Sim-Ext — Signature contains no (computational) info. on SK — Forgery ⇒ extract a secret-key. — Break LR OWF.
LR Signatures: Subsequent Results q [ADW 09]: Fiat-Shamir transform + LR OWFs → LRSigs in the random oracle model. q [DHLW 10]: Efficient LR Sigs without random oracles (using bilinear maps). q [BKKV 10, DHLW 10]: Continual LR Sigs q [LLW 10]: Continual LR Sigs where the key update phase leaks as well q [BSW 11, MTVY 11]: (continual) LR Sigs where the randomness used for signing can leak as well.
Leakage-Resilient Public-key Encryption(cpa) PK sk L L(SK) Enc(b) (b←${0, 1}) Cannot predict b
Leakage-Resilient Public-key Encryption Theorem: For every λ < |SK| - secparam, (cpa-secure) public-key encryption that tolerates λ bits of leakage: – [AGV 09]: based on Lattices (show that [Regev 05, GPV 08] is leakage-resilient) – [NS 09, DGKPV 10] based on Diffie-Hellman (show that [BHHO 08] is leakage-resilient) – [NS 09] from any hash proof system [CS 02]
Construction Outline Adv. breaks For starters: Adv. finds sk. cpa-security Old Idea: One Public Key, many possible Secret Keys Hard Problem: Given one SK, find another. Proof: Public Key Space Secret Key space – Reduction knows one SK, simulates leakage from it – Adv. gets pk+leakage → not enough info to fully specify SK – PK SK′ ≠ SK → breaks hard problem. Adv. finds
Construction Outline Adv. breaks For starters: Adv. finds sk. cpa-security Old Idea: One Public Key, many possible Secret Keys ► Correctness All secret keys decrypt C to the same message DEC M PK ENC C M M M
Construction Outline Adv. breaks cpa-security Old Idea: One Public Key, many possible Secret Keys New Idea: REAL Encryption vs. FAKE Encryption ► Different secret keys decrypt c to different messages ► and yet, Fake ≈ Real (even given an SK) M PK DEC Real ENC C ≈ Fake ENC M 1 M 2 C M 3
Security Proof “Fake “Real World” DEC M 1 M PK Fake Real ENC ? ? ? M M 2 C M 3 L(SK)
LR Public-key Encryption: Subsequent Results q [NS 09]: CPA-secure → CCA-secure with the same leakage-resilience (idea: use Naor-Yung) q [AGV 09, ADN+10, CDRW 10]: leakage-resilient IBE (with leakage from the user secret keys). q [LW 10]: leakage-resilient IBE (with leakage from the master secret key as well), LR HIBE, ABE etc. q [BKKV 10, DHLW 10]: Continual LR Encryption q [LLW 10]: Continual LR Enc where the key update phase leaks as well q [HL 11]: “After-the-fact” Leakage
Continual Leakage
Continual LR Public-key Encryption q Unbounded leakage, but bounded in each time period q Solution idea: “refresh” (randomize) the secret key q Challenge: keep the public key the same – users (encryptors) are oblivious of the updates! L 1(sk 1) sk 12 L 2(sk 2) 101 001
Continual LR Public-key Encryption Theorem: [BKKV 10] CLR-secure public-key encryption schemes that tolerate (in every time step): (1/2 -ε)|SK| leakage, based on decisional linear – (1 -ε)|SK| leakage, based on symmetric external DH – assumptions in bilinear groups. L 1(sk 1) sk 12 L 2(sk 2) 101 001
Continual LR Public-key Encryption Other Results: q [BKKV 10]: CLR-secure signatures and IBE (with leakage from user secret keys) q Concurrently, [DHLW 10]: efficient CLR-secure signatures, ID schemes and AKA schemes q [LLW 11]: tolerates large leakage from updates L 1(sk 1) sk 12 L 2(sk 2) 101 001
Continual LR Public-key Encryption How to update SK? (without changing PK) q First Idea: Resample from the key-space! q PROBLEM: sk 3 L 3(SK 3) This is supposed to be hard! sk 1 sk 2 L 1(SK 1) L 2 (SK 2) pk L 4(SK 4) sk 4 sk space
New Idea: “Neighborhood of SKs” • Given a secret key: – Easy to resample inside neighborhood. – Hard to find a secret key outside of neighborhood. pk • Sampling in neighborhood ≈c entire space. Adv. can’t tell the difference. • “Proof” outline: – Reduction knows sk and updates in neighborhood. – To Adv. , updates “look like” from entire space. – Even given leakage, Adv. cannot recover any leaked key entirely will have to come up with new sk’≠sk. – WHP sk’ not in neighborhood breaks hard corresp. sk space problem.
Some Open Questions
Foundational Questions SO FAR: Designed SPECIFIC crypto primitives (sigs. , enc. ) secure against continual leakage QUESTION: Any circuit → Continual Leakage-resilient circuit — Yao/GMW/BGW/CCD for leakage-resilient crypto — Automatically leakage-proof commonly used cryptosystems, e. g. , RSA / AES
Foundational Questions Many Partial Results q [Ishai-Sahai-Wagner’ 03] : Any circuit → “Probing-resilient” circuit secure against leakage of ≤ t wires q q OPEN: [FRRTV’ 09] : Any circuit → circuit secure against AC 0 compiler against general leakagea(assuming a small piece of secure hardware) leakage functions [JV’ 10, GR’ 10] : Any circuit → circuit secure against (without secure hardware) polynomial-time leakage (assuming a small piece of secure hardware + secure memory) q [BGIRSVY’ 00, Imp’ 10] : This has connections to program obfuscation!
Practical Questions q In theory, we have practical constructions – How about truly practical constructions? (e. g. [YSPY’ 10]) – Perhaps relax the model in a meaningful way model q reality Given a side-channel attack, how much information does it leak? [SVO+10]
To Conclude… q Tons of Open Problems — Parallel Repetition for Leakage Amplification [DW, LW]: Suppose scheme S tolerates L bits. Can we “repeat it in parallel” n times and get n. L bit leakage-tolerance? — Tamper Resistance [IPSW, GLMMR, DPW, Malkin et al. ]: Many attacks, Boneh-Lipton, Shamir’s bug attacks. . . py Entro Very Active Field, Lots of work recently! Information-theoretic + Computational Techniques
Thanks! Questions? You can find me here …
- Simsonattribut
- Vinod vaikuntanathan
- In the colonial era developments such as the new england
- Vinod sampat
- Vinod ganapathy iisc
- Dmaremappingcompatible
- Vinod jain ca
- Vinod panicker
- Dr vinod singh
- One minute management techniques
- Ranipril
- Vinod kurup
- Vinod dhall
- New directions in cryptography
- 1976 new directions in cryptology
- New directions in cryptography
- Rijandael
- Recent developments in ict
- Recent developments in object detection
- Sahelanthropus tchadensis cultural development brainly
- Chartered developments
- Political developments in the early republic
- Peter catana
- Chapter 11 political developments in the early republic
- Surface developments
- Transmission developments
- Target developments
- Pattern of development definition example
- The development of an object that is rolled or folded
- Comtel atca
- Democratic developments in england
- Ska developments
- Name
- Mdi vision
- Donmeg developments
- Democratic developments in england
- The new nation faces challenges
- Wireless security in cryptography and network security
- Modulo table
- Security mechanisms in cryptography
- Number theory in cyber security
- Firewall in cryptography and network security
- Authentication in cryptography and network security
- Cryptography standards and protocols