New Results in Non-Malleable Codes: Progress Report seminar, supervised by Jesper Buus Nielsen


Pratyay Mukherjee, Aarhus University, 28 March 2014

Cryptography in the modern world

How to analyze security?
Find all possible attacks?
- Infeasible!
Need mathematical modelling and proofs, a.k.a. Provable Security.

Provable security at a glance

1. Define security notion/models.
2. Design cryptoscheme. Usually described in mathematical language.
3. Prove security: no efficient adversary can break security if the assumption holds.
   Reduce security of the complex scheme to a simple assumption, e.g.,
   - Number theoretic: factoring is hard.
   - Complexity theoretic: one-way function exists.

Time to relax?

Security proof implies secure against all possible attacks.
However, provably secure systems get broken in practice!

So what's wrong?

Model Reality

Physical attacks on implementations

Mathematical model: black box
[Figure: input, output]

Reality: physical attacks
[Figure: input, output, leakage, tampering, tampered output. Our focus: tampering]

Why care about tampering?

BDL01: Inject a single (random) fault into the signing key of some type of RSA-sig -> factor RSA-modulus!
Devastating attacks on provably secure cryptosystems!
More: Anderson and Kuhn 96, Skorobogatov et al. 02, Coron et al. 09, and many more.

Theoretical models of tampering

- Tamper with memory and computation (IPSW 06). Most general model: complicated, limited existing results!
- Tamper only with memory (GLMMR 04). A natural first step: simpler to handle, might be reasonable in practice! Our focus.
[Figure: circuit F with memory k, shown for each model]

Ways to protect against memory tampering

1. Protecting specific schemes
   Build tamper-resilient PRF, PKE, Sigs, e.g.: BK 03; BCM 11; KKS 11; BPT 12; DFMV 13.
   We build tamper-resilient PKE and signature scheme.
2. Protecting arbitrary computation (this talk)
   Build a compiler for any functionality, first proposed in GLMMR 04.
   [Figure: compile (memory K, circuit F) into (memory K', circuit F)]
   Initialization: K' := C = Enc(K)
   Execution of F[C](x):
   1. K = Dec(C)
   2. Output F[K](x)

Security guarantee

Intuition: Adversary shall learn nothing useful from tampering.

[Figure: F' with K' := Enc(K) obtained by compile; F with K; Adv; Sim]

Outline: rest of the talk

- Basics of Non-Malleable Codes.
- Result-1: Continuous Non-Malleable Codes.
- Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits.
- Conclusions and future works.

Basic definitions: Non-Malleable Codes

Encoding scheme (Enc, Dec)

Enc: source message s -> codeword C. Can be randomized.
Dec: codeword C -> decoded message s.
No secret key!

The tampering experiment

Tampering experiment for encoding scheme (Enc, Dec):

s -> Enc -> C -> Tamper (f ∈ F) -> C* = f(C) -> Dec -> s*

Goal: Design encoding scheme (Enc, Dec) for interesting F that provides meaningful guarantees about s*.

Error correction/detection & non-malleability

s -> Enc -> C -> Tamper (f ∈ F) -> C* = f(C) -> Dec -> s*

- Error-Correction: Guarantees s* = s, but e.g. for Hamming codes f must be such that Ham-Dist(C, C*) < d/2, i.e. F is very limited!
- Error-Detection: Guarantees s* ∈ {s, ⊥}, but F can't contain simple functions, e.g. constant functions f(.)= for valid
- Non-Malleability [DPW10]: Guarantees s* = s or unrelated to s. Hope: achievable for rich F.

Formalizing NMC [DPW10]

Tamper(sb):
1. Encode: C ← Enc(sb).
2. Tampering: Set C* ← f(C). If C* = C return same, else return C*.
3. Output View.

Intuition: The tampering experiment should not leak anything about the input!

Limitation and possibility

Result-1: Continuous Non-Malleable Codes

Based on a joint work with: Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi
[Appeared in TCC 2014]

Split-state tampering

In this model, C = (C1, C2) and f = (f1, f2) for arbitrary f1, f2.

[Figure: s -> Enc -> (C1, C2); f1 maps C1 to C1*, f2 maps C2 to C2*; (C1*, C2*) -> Dec -> s*]

NMC to protect against tampering

Recall the idea: build a compiler for any functionality.
[Figure: compile (memory s, circuit F) into (memory s', circuit F)]
Initialization: s' := NMEnc(s)
Execution loop of F[s](x):
1. s = NMDec(s')
2. If s = ⊥ then STOP, else output F[s](x) and re-encode s' = NMEnc(s), continue.
Fresh re-encoding: Adv can tamper each codeword only once.

A stronger tampering model

Memory space much bigger than length of codeword.
C := NMEnc(s)
[Figure: codeword C stored in memory M; tampering f gives memory M* = f(M)]

Adv can tamper continuously with the same codeword.

CNMC: A natural extension

Tamper(sb), continuous:
1. Encode: (C1, C2) ← Enc(sb).
2. Tampering, repeated adaptively for each (f1, f2):
   Set (C1*, C2*) ← (f1(C1), f2(C2)).
   If (C1*, C2*) = (C1, C2) return same.
   Else return (C1*, C2*).
3. Output View.

Attack [GLMMR04]: Guess each bit, overwrite and check if the output is the same: recover bit by bit.
Way out: Assume self-destruct: if the output is ⊥ once, then STOP the experiment.

CNMC: A natural extension (continued)

Tamper(sb), continuous:
1. Encode: (C1, C2) ← Enc(sb).
2. Tampering, repeated adaptively for each (f1, f2):
   Set (C1*, C2*) ← (f1(C1), f2(C2)).
   If (C1*, C2*) = (C1, C2) return same.
   Else if Dec(C1*, C2*) = ⊥ then return ⊥ and self-destruct.
   Else return (C1*, C2*).
3. Output View.
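Added example (not from the original slides): the continuous tampering experiment above, run with and without self-destruct, to show why the self-destruct assumption is needed against the bit-by-bit probing of [GLMMR04]. The encoding (C1 = s, C2 = SHA-256(s)) is a toy error-detecting stand-in chosen here, not a non-malleable code, and the names TamperOracle, clear_bit and probe are hypothetical.

```python
import hashlib

SAME, BOTTOM = "same", "⊥"

def enc(s):
    # Toy split-state encoding (assumption): C1 = s, C2 = SHA-256(s).
    # It only detects errors; it is NOT a non-malleable code.
    return s, hashlib.sha256(s).digest()

def dec(c1, c2):
    return c1 if hashlib.sha256(c1).digest() == c2 else None  # None = ⊥

class TamperOracle:
    """Continuous tampering experiment on one fixed codeword (C1, C2)."""
    def __init__(self, s, self_destruct):
        self.c1, self.c2 = enc(s)
        self.self_destruct, self.dead, self.queries = self_destruct, False, 0

    def tamper(self, f1, f2):
        if self.dead:                        # experiment already stopped
            return BOTTOM
        self.queries += 1
        t1, t2 = f1(self.c1), f2(self.c2)    # f1, f2 act independently
        if (t1, t2) == (self.c1, self.c2):
            return SAME
        if dec(t1, t2) is None:
            self.dead = self.self_destruct   # STOP after the first ⊥
            return BOTTOM
        return (t1, t2)

def clear_bit(i):
    """Tampering function that overwrites bit i (MSB first) with 0."""
    def f(c):
        b = bytearray(c)
        b[i // 8] &= ~(1 << (7 - i % 8)) & 0xFF
        return bytes(b)
    return f

def probe(secret, self_destruct):
    """Overwrite each bit of C1 with a guess of 0 and read same/⊥."""
    oracle, bits = TamperOracle(secret, self_destruct), []
    for i in range(8 * len(secret)):
        if oracle.dead:
            break
        answer = oracle.tamper(clear_bit(i), lambda c: c)
        bits.append(0 if answer == SAME else 1)
    return bits, oracle.queries

SECRET = b"K3y"                               # constructed sample input
leaky_bits, _ = probe(SECRET, self_destruct=False)
safe_bits, safe_queries = probe(SECRET, self_destruct=True)
```

Without self-destruct every bit of C1 is read off from the same/⊥ answers; with self-destruct the experiment stops at the first ⊥, so only the prefix up to the first 1-bit is learned.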

Uniqueness: a necessary property

Def: For any Adv it is hard to find (C1, C2, C2') such that both (C1, C2) and (C1, C2') are valid.

Why necessary? Otherwise, suppose:
1. f1 always replaces T1 with C1.
2. f2 checks if T2[i] = 0, then replaces T2 with C2, else replaces T2 with C2'.
Recovers T2.
After knowing T2:
3. f1 hard-codes T2 and decodes s ← Dec(T1, T2).
4. Depending on s, f1 leaves it the same or tampers: leaks 1 bit.

Existing [LL12] construction does not satisfy it.
Corollary: Information-theoretic CNMC (split-state) is impossible.

Extractability: another property

[Figure: s -> Enc -> (C1, C2); f1, f2 give (C1*, C2*); Extract gives C2**]
Extractability: If C1* ≠ C1 then it is possible to extract C2** (if it exists) such that (C1*, C2**) is valid.
Uniqueness + Extractability -> our construction.
Necessary? We don't know.

Our construction: intuitions

[Figure: (f1, f2) applied to (C1, C2) gives (C1*, C2*); Extract gives C2**; Uniqueness: C2** = C2* w.h.p.; Decode gives s*, a priori known to Adv.]

Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits

Based on a joint work with: Sebastian Faust, Daniele Venturi and Daniel Wichs
[To appear in Eurocrypt 2014]

Recall: Limitation and possibility

Answer: NO! because Feff contains all efficient (Enc, Dec)

Efficient & global non-malleable codes

Main result: the next best thing

Choose param t based on P.
[Figure labels: P, t, f ∈ F]
What does it mean?

The construction

[Figure: Encoding and Decoding, with labels h1, h2 (both of seed size t), r, DR, s, h1(r), z, input, output]

Some intuitions

Recall: our codeword has format C = ( , h2( ) )
f cannot compute h2 but can leak some bits of

Conclusions and future works

We mainly explored non-malleable codes in two separate directions.
Thus far NMC is only used to protect against memory-tampering. (We strengthen the model in Result-1.)

Future works:
- Can we use NMC also to protect against computation?
  - Leakage and tamper resilient RAM!
- Other uses of NMC?
  - E.g. non-malleable commitments/encryptions. General abstraction of non-malleability.
- Improving the existing NMC.

Published papers

1. Bounded Tamper Resilience: How to go beyond the Algebraic Barrier. Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, Daniele Venturi. In ASIACRYPT 2013.
2. Continuous Non-Malleable Codes. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, Daniele Venturi. In TCC 2014.
3. Efficient Non-Malleable Codes and Key-derivations for poly-size tampering circuits. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, Daniel Wichs. To appear in EUROCRYPT 2014.
This talk: papers 2 and 3.

Thank You!

Question(s)?