Input-shrinking functions: theory and application
PhD candidate: Francesco Davì
Thesis committee: Dr. Stefan Dziembowski (advisor), Prof. Luigi Vincenzo Mancini, Prof. Alessandro Mei
Reviewers: Prof. Mirosław Kutyłowski, Dr. Ivan Visconti
Rome, 02/03/2012
Computer Science Department, Sapienza University of Rome
PhD Activity
Cryptography on Non-Trusted Machines Project
• F. Davì, S. Dziembowski and D. Venturi: Leakage-Resilient Storage. In J. Garay and R. De Prisco (eds.), Seventh Conference on Security and Cryptography for Networks (SCN 2010), LNCS 6280, Springer 2010.
Input-shrinking functions: theory and application Francesco Davì
Conferences, workshops and schools
• Seventh Conference on Security and Cryptography for Networks (SCN 2010), Amalfi, 13-15 September 2010;
• Workshop on Provable Security against Physical Attacks, Leiden, 15-19 February 2010;
• Theory of Cryptography Conference (TCC 2010), Zurich, 9-11 February 2010;
• Summer School on Provable Security, Barcelona, 7-11 September 2009;
• Bertinoro International Spring School (BiSS 2009), Bertinoro, 2-6 March 2009;
• Berlin-Poznan Seminar / ASZ Workshop 2008, Humboldt-Universität, Berlin, 20-21 June 2008.
Experiences abroad
• May - July 2011: visiting student: Cryptography and Data Security Group, "Uniwersytet Warszawski", Warsaw, Poland;
• May - June 2008: Methods for Discrete Structures (Pre)Doc-Course 2008 on: Random and Quasirandom Graphs, "Humboldt-Universität", Berlin, Germany.
Outline
1. Introduction and Motivations
2. Leakage-Resilient Storage
3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model
Cryptography
Design of secure cryptographic schemes:
• for a long time, mostly based on intuition and experience
• solutions broken in a short time
Provable security (1/2)
• Formal definition of security and adversarial model
• Formal proof of security: no adversary can break the scheme
Security:
- Information-theoretic (unbounded adversary)
- Standard model (reduction from hard problems)
- Random Oracle Model (cryptographic hash functions)
Provable security (2/2)
• Security against all known (even future) attacks
• Developed very fast
• Attained a large number of secure cryptographic schemes
Problem
Once implemented, some of the schemes were broken!
Easy to step out from the security model
Black-box model
The adversary chooses the input X of the cryptosystem and receives the output Y.
No information about the internal state of the cryptosystem.
Information leakage
The adversary chooses the input X and receives the output Y together with a leakage λ from the machine (PC, smartcard, …) running the cryptosystem.
During the execution, the adversary can measure:
• Power consumption
• Electromagnetic radiation
• Time
• Sound
These are side-channel attacks. Even partial leakage suffices to completely break a scheme.
Side-channel attacks
Exploit physical measurements on real devices.
Practitioners: find countermeasures (and exploit new attacks)
• mostly ad-hoc
• often without a formal proof of security
• cannot provide security against all possible attacks
Recent trend: extend the realm of provable security
Leakage-Resilient Cryptography
Design protocols that are secure even if they are implemented on machines that may leak information.
Leakage-Resilient Cryptography: The Models
• Continual leakage (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10, DP10, KP10, DF11): only computation leaks; total leakage unbounded
• Bounded memory-leakage (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10): all the memory leaks; total leakage bounded
• Auxiliary input (DKL09, DGKPV10): all the memory leaks; computationally hard to recover the secret from the leakage
• Continual memory-leakage (BKKV10, DHLW10, BSW11, LRW11, LLW11, DLWW11): all the memory leaks; total leakage unbounded
Leakage model
The adversary is allowed to learn (adaptively) the values of some leakage functions (chosen by her) on the internal state of the cryptographic scheme.
Examples of assumptions (1/2)
• “Memory Attacks” [AGV09] / Bounded-Retrieval Model: the adversary learns Λ(S), the value of an input-shrinking function Λ on the secret state S.
• “Probing Attacks” [ISW03]: the scheme is a boolean circuit and the adversary can learn the values on up to t wires.
Examples of assumptions (2/2)
• [FRRTV10, DDV10]: the adversary learns Λ(S) for an input-shrinking function Λ of low complexity.
• [MR04, DP08, DDV10]: the state is split into two parts S0, S1 and the adversary learns Λ(S0) and Λ(S1), input-shrinking functions applied to each part separately.
General goal
Design models that:
• are realistic (i.e. they correspond to the real-life adversaries)
• allow to construct secure schemes
There is a tradeoff between the two.
Outline
1. Introduction and Motivations
2. Leakage-Resilient Storage
3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model
Contribution: Leakage-Resilient Storage
An encoding scheme to securely store data on hardware that may leak information.
PROS: information-theoretic solution
CONS: analysis of concrete parameters does not seem to allow for efficient feasibility in practice
Leakage-Resilient Storage
A message m is stored as Enc(m); Dec recovers m from Enc(m). Note: no secret key.
The adversary chooses (adaptively) t functions Λ1, …, Λt, with Λi : {0,1}^|Enc(m)| → {0,1}^λi and Λi ∈ Γ, and retrieves the λi bits Λi(Enc(m)). The adversary is computationally unbounded; the total leakage is < λ.
Very realistic:
• Decode ∈ Γ
• the leakage is input-shrinking: λ < |Enc(m)|
Related notion, the All-Or-Nothing Transform: it should be hard to reconstruct a message if not all the bits of its encoding are known.
Security definition
A scheme (Enc, Dec) is secure if for every m0, m1 no adversary can distinguish Enc(m0) from Enc(m1); we will require that m0, m1 are chosen by the adversary.
Adversary model
Consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m).
• adversary: chooses leakage functions Λi applied to the whole encoding, i.e. learns Λi(Rand, f(Rand) ⊕ m)
• weak adversary: chooses leakage functions Λ'i applied to the randomness only, i.e. learns Λ'i(Rand)
Lemma
For any family of functions Γ, if an encoding scheme is secure for the weak adversary then it is also secure for the adversary, with security loss 2^α, where α is the length of the message.
Problem
For a fixed family Γ, how to construct secure (Enc, Dec)?
• each leakage function can depend only on some restricted part of the memory → randomness extractors
• the cardinality of Γ is restricted → l-wise independent hash functions
Two-source Extractor
A two-source extractor is a deterministic function Ext(source1, source2) whose extracted string is almost uniformly random, provided that the two sources are independent and random: they may be far from uniform, but each must have a lot of min-entropy.
Memory divided into 2 parts: construction
Reminder: each leakage function can depend only on some restricted part of the memory, here one of the two parts M0, M1 holding R0 and R1.
Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m)
Dec(R0, R1, m*) := m* ⊕ Ext(R0, R1)
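The split-memory construction above, as an added example that is not code from the thesis: Ext is instantiated with the inner product over a prime field (a classic two-source extractor), addition mod P replaces the slides' XOR, and the field size P, the vector length N and the leakage budget λ are constructed toy parameters. The WeakAdversary class enforces the model's two restrictions, one part per leakage function and total leakage below λ, and the demo shows that such restricted leakage is identical for two different messages encoded under the same randomness.

```python
import secrets

# Constructed toy parameters (the slides leave the field and lengths abstract).
P = (1 << 31) - 1   # prime modulus of the field the extractor works over
N = 64              # length of each memory part R0, R1 (elements of Z_P)


def ext(r0, r1):
    """Two-source extractor Ext(R0, R1) = <R0, R1> mod P: close to uniform
    whenever R0 and R1 are independent and each keeps enough min-entropy."""
    return sum(a * b for a, b in zip(r0, r1)) % P


def fresh_randomness():
    """Fresh, independent contents for the two memory parts M0 and M1."""
    r0 = [secrets.randbelow(P) for _ in range(N)]
    r1 = [secrets.randbelow(P) for _ in range(N)]
    return r0, r1


def encode(m, rand=None):
    """Enc(m) := (R0, R1, Ext(R0, R1) + m mod P).  No secret key, only fresh
    randomness; `rand` lets the demo encode two messages under the same R0, R1."""
    assert 0 <= m < P
    r0, r1 = rand if rand is not None else fresh_randomness()
    return r0, r1, (ext(r0, r1) + m) % P


def decode(r0, r1, m_star):
    """Dec(R0, R1, m*) := m* - Ext(R0, R1) mod P."""
    return (m_star - ext(r0, r1)) % P


class LeakageBudgetExceeded(Exception):
    pass


class WeakAdversary:
    """Restricted leakage of the split-memory model: each function Λ'_i sees
    ONE part (R0 or R1), never both, and the total leaked bits stay below λ."""

    def __init__(self, lam):
        self.remaining = lam
        self.transcript = []

    def query(self, encoding, part, fn, out_bits):
        if out_bits >= self.remaining:
            raise LeakageBudgetExceeded("total leakage must stay below λ")
        self.remaining -= out_bits
        r0, r1, _ = encoding
        # fn returns an int; keep out_bits of it (the output length λ_i of Λ'_i)
        value = fn(r0 if part == 0 else r1) & ((1 << out_bits) - 1)
        self.transcript.append(value)
        return value


def leakage_is_message_independent(m0, m1, lam=256, out_bits=32):
    """Encode m0 and m1 under the same randomness and run identical restricted
    queries against both.  The transcripts coincide: m only enters through
    Ext(R0, R1) + m, and a function of one part alone sees neither that third
    component nor enough to compute the extractor output."""
    rand = fresh_randomness()
    transcripts = []
    for enc in (encode(m0, rand), encode(m1, rand)):
        adv = WeakAdversary(lam)
        adv.query(enc, 0, lambda r: sum(r), out_bits)          # bits of R0
        adv.query(enc, 1, lambda r: r[0] ^ r[-1], out_bits)    # bits of R1
        adv.query(enc, 0, lambda r: r[3] % 1000, out_bits)     # more bits of R0
        transcripts.append(adv.transcript)
    return transcripts[0] == transcripts[1]


def budget_enforced():
    """Queries that would push the total leakage to λ or beyond are refused."""
    adv = WeakAdversary(lam=40)
    adv.query(encode(0), 0, lambda r: r[0], 32)
    try:
        adv.query(encode(0), 1, lambda r: r[0], 32)   # would reach 64 > λ
    except LeakageBudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    m = 123456789
    r0, r1, m_star = encode(m)
    print("round trip ok:", decode(r0, r1, m_star) == m)
    print("restricted leakage independent of m:", leakage_is_message_independent(1, 2))
    print("budget enforced:", budget_enforced())
```

The two checks in WeakAdversary.query are exactly what the security proof relies on: drop the one-part restriction and a single query could return Ext(R0, R1) itself, after which the third component is a one-time pad with a known key.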
Proof Idea
It suffices to show that (Enc, Dec) is secure against every weak adversary (by the Lemma).
Reminder: Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m).
One can prove that even given Λ'1(Ri), …, Λ't(Ri), the parts R0 and R1
• are still independent
• have high min-entropy (with high probability)
l-wise independent hash functions
H = {hs : X → Y}s∈I is l-wise independent if, for uniformly random S ∈ I and any distinct x1, …, xl ∈ X, the tuple (hS(x1), …, hS(xl)) ∈ Y^l is uniform over Y^l.
Boolean circuits of small size: construction
Reminder: the cardinality of Γ is restricted; here Γ is the set of functions computable by Boolean circuits of a fixed size.
Encs(m) := (R, hS(R) ⊕ m)
Decs(R, m*) := hS(R) ⊕ m*
where H = {hs : X → Y}s∈I is l-wise independent and R ∈ X is random.
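The l-wise independence definition and the Enc_s/Dec_s construction, as an added example that is not code from the thesis: the family is the standard one of polynomials of degree below l over Z_p (h_S(x) = Σ s_j x^j with S the coefficient vector), which the example verifies exhaustively for a tiny prime, and the encoding uses addition mod P in place of the slides' XOR. The prime sizes and the degree bound L are constructed toy parameters.

```python
import itertools
import secrets
from collections import Counter


def poly_hash(seed, x, p):
    """h_S(x) = s_0 + s_1*x + ... + s_{l-1}*x^{l-1} mod p, with S = (s_0..s_{l-1}).
    Polynomials of degree < l over Z_p form an l-wise independent family."""
    return sum(s * pow(x, j, p) for j, s in enumerate(seed)) % p


def is_l_wise_independent(l, p, xs):
    """Exhaustive check of the definition for a small prime p: over ALL seeds
    S in Z_p^l, the tuple (h_S(x_1), ..., h_S(x_k)) must hit every point of
    Z_p^k equally often.  True iff that distribution is exactly uniform."""
    counts = Counter(
        tuple(poly_hash(seed, x, p) for x in xs)
        for seed in itertools.product(range(p), repeat=l)
    )
    return len(counts) == p ** len(xs) and len(set(counts.values())) == 1


# Constructed toy parameters for the encoding itself.
P = (1 << 61) - 1   # prime field of the encoding
L = 8               # degree bound: the family {h_S} is L-wise independent


def public_index():
    """S: the (public) index of h_S, drawn uniformly from Z_P^L."""
    return [secrets.randbelow(P) for _ in range(L)]


def enc(seed, m):
    """Enc_S(m) := (R, h_S(R) + m mod P) with fresh random R in Z_P."""
    assert 0 <= m < P
    r = secrets.randbelow(P)
    return r, (poly_hash(seed, r, P) + m) % P


def dec(seed, r, m_star):
    """Dec_S(R, m*) := m* - h_S(R) mod P."""
    return (m_star - poly_hash(seed, r, P)) % P


if __name__ == "__main__":
    # l = 3, p = 7: any 3 distinct points are hit uniformly, 4 points are not
    print("3-wise on 3 points:", is_l_wise_independent(3, 7, (1, 2, 5)))
    print("3-wise on 4 points:", is_l_wise_independent(3, 7, (1, 2, 5, 6)))
    s = public_index()
    r, m_star = enc(s, 2024)
    print("round trip ok:", dec(s, r, m_star) == 2024)
```

The exhaustive check is the point of the example: for l = 3 over Z_7 the map from the 343 seeds to (h_S(x1), h_S(x2), h_S(x3)) is a bijection (a Vandermonde system), so every triple appears exactly once, whereas on four points only 343 of the 2401 possible tuples can occur, which is why the family is 3-wise but not 4-wise independent.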
Outline
1. Introduction and Motivations
2. Leakage-Resilient Storage
3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model
Contribution: AKE protocol in the BRM
Authenticated Key Exchange (AKE) protocol:
• provide Client and Server with a short shared key
• client-to-server authentication
• security against active attackers
PROS: protocol analysis + efficient implementation
CONS: Random Oracle model
Setting: Client and Server share a huge random file; the attacker can retrieve a large portion of it.
Key Exchange protocol: CLIENT and SERVER run the protocol and both end up with the same Key.
Problem: Man-in-the-Middle attack
Solution: Authentication
Password-based Authenticated Key Exchange protocol: CLIENT and SERVER, both holding the Password, run the protocol and obtain a shared Key.
AKE: a general paradigm
CLIENT and SERVER first run a Weak Key Exchange protocol that gives both of them a Password; then they run a Password-based Authenticated Key Exchange protocol that gives both of them a Key.
The Password is low entropy and human memorizable.
Weak Key Exchange: Cash, Ding, Dodis, Lee, Lipton and Walfish, “Intrusion-resilient key exchange in the Bounded Retrieval Model”. In TCC (2007).
Password-based AKE: Universally-Composable Password-based Authenticated Key Exchange protocol
cannot be implemented in the standard model
Contribution: new AKE protocol in the BRM
Setup: long shared secret random file F. The adversary learns Λ(F) for an input-shrinking function Λ and is active over the channel.
CLIENT and SERVER run the Weak Key Exchange protocol, obtaining a Password that is indistinguishable from random; then they run the Universally-Composable Password-based Authenticated Key Exchange protocol, obtaining the Key.
Implemented using the OpenSSL crypto library; analysed in the Random Oracle model.
Contribution: Weak Key Exchange protocol (1/3)
Setup: long shared secret random file F. CLIENT and SERVER run the Weak Key Exchange protocol; the adversary learns Λ(F) and is active over the channel.
Contribution: Weak Key Exchange protocol (2/3)
Setup: long shared secret random file F; the adversary learns Λ(F) and is active over the channel.
We prove that, even given Λ(F), the Password has high min-entropy (with high probability), i.e. the shared passwords are individually unpredictable for the adversary.
Contribution: Weak Key Exchange protocol (3/3)
Setup: long shared secret random file F (a long random bit string, e.g. F = 101001001001010101…).
CLIENT: choose random indexes IDX_CLIENT (several large numbers) and send them to SERVER.
SERVER: choose random indexes IDX_SERVER (several large numbers) and send them to CLIENT.
Both: create the password by concatenating the corresponding bits of F, i.e. the bits at positions IDX_CLIENT and IDX_SERVER.
Improvement: CLIENT chooses a random short SEED_CLIENT and SERVER a random short SEED_SERVER, and they exchange the seeds.
Calculate indexes: IDXi = H(i | SEED), where the cryptographic hash function H is a public parameter.
Create password: concatenate the bits of F at the computed indexes.
The password is unpredictable in the Random Oracle model, even given the leakage Λ(F).
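The seed-based Weak Key Exchange just described, as an added example that is not the thesis's OpenSSL implementation: SHA-256 stands in for the public hash H (the proof models H as a random oracle), the file size, the number of indexes t and the seed length are constructed toy parameters, and the leakage Λ(F) is modelled in the simplest way the setting mentions, an attacker who has retrieved the bits of F at a set of positions.

```python
import hashlib
import secrets

# Constructed toy parameters: the real shared file is huge; 2^16 bits here.
FILE_BITS = 1 << 16
SEED_BYTES = 16


def make_file(nbits=FILE_BITS):
    """Setup: the long shared secret random file F, as a byte string."""
    return secrets.token_bytes(nbits // 8)


def bit_at(f, idx):
    """Bit of F at position idx (bit 0 of byte 0 first)."""
    return (f[idx >> 3] >> (idx & 7)) & 1


def indexes(seed, t, nbits=FILE_BITS):
    """IDX_i = H(i | SEED) for i = 1..t, reduced to a valid file position.
    H is SHA-256 here; the security proof models it as a random oracle."""
    out = []
    for i in range(1, t + 1):
        digest = hashlib.sha256(i.to_bytes(4, "big") + b"|" + seed).digest()
        out.append(int.from_bytes(digest, "big") % nbits)
    return out


def make_password(f, seed_client, seed_server, t):
    """Both parties derive the same 2t positions from the two exchanged seeds
    and concatenate the bits of F found there."""
    positions = indexes(seed_client, t) + indexes(seed_server, t)
    return "".join(str(bit_at(f, i)) for i in positions)


def weak_key_exchange(f, t):
    """One protocol run.  Only the two short seeds cross the channel; the long
    file F never does, so the attacker's view of F is limited to Λ(F)."""
    seed_client = secrets.token_bytes(SEED_BYTES)   # CLIENT -> SERVER
    seed_server = secrets.token_bytes(SEED_BYTES)   # SERVER -> CLIENT
    pw_client = make_password(f, seed_client, seed_server, t)
    pw_server = make_password(f, seed_client, seed_server, t)
    return pw_client, pw_server, seed_client, seed_server


def unknown_password_bits(seed_client, seed_server, t, leaked_positions):
    """Defender's estimate for a leakage Λ(F) that copies the bits of F at
    `leaked_positions` (a set, constructed for this example).  The attacker
    sees both seeds on the channel, so it knows every index, but still lacks
    each password bit drawn from a position outside the leaked set."""
    positions = indexes(seed_client, t) + indexes(seed_server, t)
    return sum(1 for i in positions if i not in leaked_positions)


if __name__ == "__main__":
    f = make_file()
    pw_c, pw_s, sc, ss = weak_key_exchange(f, t=32)
    print("passwords agree:", pw_c == pw_s, "length:", len(pw_c))
    half = set(range(0, FILE_BITS, 2))       # attacker retrieved every other bit
    print("password bits unknown to the attacker:",
          unknown_password_bits(sc, ss, 32, half), "of", len(pw_c))
```

Because the positions are fixed by H and the seeds rather than chosen by the parties, the attacker cannot steer the password towards the part of F it has already retrieved; with a constant fraction of F leaked, a constant fraction of the 2t password bits stays unknown, which is the min-entropy statement of slide 2/3 in its simplest form.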
AKE: a general paradigm
CLIENT and SERVER run the Weak Key Exchange protocol, obtaining the Password; then they run the Universally-Composable Password-based Authenticated Key Exchange protocol, obtaining the Key.
UC Password-based AKE protocol
Abdalla, Catalano, Chevalier and Pointcheval: Efficient two-party password-based key exchange protocols in the UC framework. CT-RSA (2008)
(Modified) Diffie-Hellman Key Exchange between CLIENT and SERVER:
• No assumptions on the distribution on the passwords
• One-flow encrypted
• Two cryptographic hash functions to compute secret key and provide authentication
• Forward security
The complete protocol: Setup: long shared secret random file F; the adversary learns Λ(F) but not F itself. CLIENT and SERVER run the Weak Key Exchange protocol (obtaining the Password) and then the Universally-Composable Password-based Authenticated Key Exchange protocol, a Diffie-Hellman Key Exchange encrypted with the Password (obtaining the Key).
Experimental results
Parameters: security parameter, leakage, shared file size, t = number of indexes.
Running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 4GB of RAM, under the 64-bit version of Ubuntu 11.04.
PAKE protocol running time (plot; x-axis: number of indexes)
WKE protocol running time (plot; x-axis: number of indexes)
Thank you!
Main idea of this line of research
To achieve security one assumes that the power of the adversary during the “physical attack” is “limited in some way”; this should be justified by some physical characteristics of the device.
Security definition
Enc : {0,1}^α → {0,1}^β, Dec : {0,1}^β → {0,1}^α
Game between the adversary and an oracle:
1. the adversary chooses m0, m1 ∈ {0,1}^α and sends them to the oracle
2. the oracle chooses a random b ∈ {0,1} and calculates τ := Enc(mb)
3. for i = 1, …, t, the adversary chooses Λi : {0,1}^β → {0,1}^λi with Λi ∈ Γ, sends it to the oracle and receives Λi(τ)
4. the adversary outputs b' and wins if b' = b
(Enc, Dec) is (Γ, λ, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε; ε is the adversary's advantage.
Lemma
For any Γ, λ, t and ε, if an encoding scheme is (Γ, λ, t, ε)-secure for the weak adversary then it is also (Γ, λ, t, ε·2^α)-secure for the adversary, where α is the length of the message.
Proof Idea
Consider an adversary that wins with advantage δ = ε·2^α. Construct a weak adversary that simulates it, replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α; the weak adversary wins with advantage δ·2^-α = ε.
Diffie-Hellman Key Exchange
Setup: finite cyclic group G = <g> of order a prime number p
CLIENT: a ← [p-1], A ← g^a mod p, sends A to SERVER
SERVER: b ← [p-1], B ← g^b mod p, sends B to CLIENT
CLIENT: K = B^a mod p; SERVER: K = A^b mod p; both equal g^ab mod p
Man-in-the-middle attack
Setup: finite cyclic group G = <g> of order a prime number p
CLIENT: a ← [p-1], A ← g^a mod p, sends A; the attacker intercepts A and forwards E ← g^e mod p (e ← [p-1]) to SERVER
SERVER: b ← [p-1], B ← g^b mod p, sends B; the attacker intercepts B and forwards E to CLIENT
CLIENT: K = E^a mod p; SERVER: K = E^b mod p; attacker: KC = A^e mod p, KS = B^e mod p
They need authentication!
UC Password-based AKE protocol
Setup: finite cyclic group G = <g> of order a prime number p; CLIENT and SERVER share Pwd
CLIENT: a ← [p-1], A ← g^a mod p, sends A
SERVER: b ← [p-1], B ← g^b mod p, sends ENC_Pwd(B)
CLIENT: B = DEC_Pwd(ENC_Pwd(B)), DHC = B^a mod p, KEYC = H0(Pwd|DHC), AUTH = H1(Pwd|DHC), sends AUTH
SERVER: DHS = A^b mod p; if AUTH = H1(Pwd|DHS) then KEYS = H0(Pwd|DHS), else ERROR
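The three appendix slides (plain Diffie-Hellman, the man-in-the-middle attack on it, and the password-authenticated variant), as an added example that is neither the thesis's code nor the cited Abdalla et al. protocol: the group parameters P and G are constructed toy values, H0 and H1 are instantiated as tagged SHA-256, and ENC_Pwd is a placeholder that masks B with a password-derived pad (the real one-flow encryption of the cited protocol is not reproduced). The example shows the attack succeeding against plain DH and the server's AUTH check rejecting both a wrong password and a substituted first flow.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use); the slides leave G = <g>
# and the prime p abstract.  Exponents are drawn from [p-1].
P = (1 << 61) - 1
G = 7


def hash_to_bytes(tag, *parts):
    """H0 / H1 of the slides, instantiated as tagged SHA-256 (an assumption)."""
    return hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()


def keypair():
    """x ← [p-1], X ← g^x mod p."""
    x = secrets.randbelow(P - 1) + 1
    return x, pow(G, x, P)


def dh_with_mitm():
    """Plain Diffie-Hellman with an active attacker who replaces both public
    values by E = g^e: the attacker shares one key with each side.
    Returns True when that is the case (it always is)."""
    a, A = keypair()
    b, B = keypair()
    e, E = keypair()
    k_client = pow(E, a, P)            # client believes E came from the server
    k_server = pow(E, b, P)            # server believes E came from the client
    return k_client == pow(A, e, P) and k_server == pow(B, e, P)


def pwd_mask(pwd):
    return int.from_bytes(hash_to_bytes(b"mask", pwd), "big")


def enc_pwd(pwd, B):
    """ENC_Pwd(B): placeholder one-flow encryption (XOR with a password-derived
    pad).  It stands in for, and is not, the cited protocol's encryption."""
    return B ^ pwd_mask(pwd)


def dec_pwd(pwd, c):
    return c ^ pwd_mask(pwd)


def to_bytes(x):
    return x.to_bytes(32, "big")


def pake(pwd_client, pwd_server, mitm=False):
    """Password-authenticated DH following the slide's three flows.
    Returns (KEY_C, KEY_S) on success, None when the server answers ERROR.
    mitm=True lets an attacker substitute A by its own E on the first flow."""
    a, A = keypair()
    b, B = keypair()
    # flow 1: CLIENT -> SERVER: A (an active attacker may replace it)
    received_A = A
    if mitm:
        _, E = keypair()
        received_A = E
    # flow 2: SERVER -> CLIENT: ENC_Pwd(B)
    c = enc_pwd(pwd_server, B)
    B_client = dec_pwd(pwd_client, c)
    dh_c = pow(B_client, a, P)                 # DH_C = B^a
    dh_s = pow(received_A, b, P)               # DH_S = A^b
    # flow 3: CLIENT -> SERVER: AUTH = H1(Pwd|DH_C)
    auth = hash_to_bytes(b"H1", pwd_client, to_bytes(dh_c))
    if auth != hash_to_bytes(b"H1", pwd_server, to_bytes(dh_s)):
        return None                            # ERROR: authentication failed
    key_c = hash_to_bytes(b"H0", pwd_client, to_bytes(dh_c))
    key_s = hash_to_bytes(b"H0", pwd_server, to_bytes(dh_s))
    return key_c, key_s


if __name__ == "__main__":
    print("plain DH: attacker shares keys with both sides:", dh_with_mitm())
    print("PAKE, same password:", pake(b"pw", b"pw") is not None)
    print("PAKE, wrong password rejected:", pake(b"pw", b"other") is None)
    print("PAKE, substituted first flow rejected:", pake(b"pw", b"pw", mitm=True) is None)
```

In the substituted-flow case the server computes DH_S = E^b while the client computes DH_C = B^a, so the AUTH values disagree and the server stops before deriving a key; this is the client-to-server authentication listed under the contribution. Keep the OpenSSL-backed implementation and the cited protocol's actual encryption in mind when reading the masking placeholder: it is there only to make the three flows executable.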