Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev...
-
Upload
ferdinand-mckenzie -
Category
Documents
-
view
219 -
download
0
Transcript of Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev...
![Page 1: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/1.jpg)
Public-Key CryptosystemsResilient to Key Leakage
Weizmann Institute of Science
Moni Naor Gil Segev
Crypto in the Clouds, August 2009, MIT
![Page 2: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/2.jpg)
2
Typical Scenario in CryptographyWant to maintain secrecy in communication
Alice and bob talk while Eve tries to listen
Alice Bob
Eve
![Page 3: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/3.jpg)
3
Modeling an AttackFoundations of Cryptography: Rigorous
specification of security of protocols The power of the adversary
Access to the system Computational power
What it means to break the system
“Standard model”
Ek(m)
![Page 4: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/4.jpg)
4
Adversarial ModelsSTANDARD MODEL: Abstract models of computation
Interactive Turing machines Private memory, randomness ...
Well-defined adversarial access Can model powerful attacks
REAL LIFE: Physical implementations leak information Adversarial access not always captured by
abstract models
Ek(m)
![Page 5: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/5.jpg)
5
Adversarial Models
Ek(m)
Attacks - standard model: Chosen-plaintext attacks Chosen-ciphertext attacks Composition Self-referential encryption Circular encryption ....
Attacks outside standard model: Timing attacks [Kocher 96] Fault detection [BDL 97, BS 97] Power analysis [KJJ 99] Cache attacks [OST 05] Memory attacks [HSHCPCFAF 08] ...
Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino,
Feldman, Appelbaum and Felten
![Page 6: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/6.jpg)
6
Adversarial ModelsAttacks - standard model: Chosen-plaintext attacks Chosen-ciphertext attacks Composition Self-referential encryption Circular encryption ....
Attacks outside standard model: Timing attacks [Kocher 96] Fault detection [BDL 97, BS 97] Power analysis [KJJ 99] Cache attacks [OST 05] Memory attacks [HSHCPCFAF 08] ...
Side channel:
Any information not captured by the abstract “standard” model
![Page 7: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/7.jpg)
7
Adversarial Models
http://xkcd.com/538/
![Page 8: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/8.jpg)
8
Two approaches for dealing with side channels
1. Make the world similar to the standard model Minimizing electromagnetic leakage, “tamper-proof”
devices,... Fixed timing (indep. of input), Oblivious RAM,...
Typically expensive or inefficient Require precise modeling
2. Make sure the underlying cryptosystem is robust to modification of standard model
Not mutually exclusive appraoches!
![Page 9: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/9.jpg)
9
Thesis of this talk
Many tools developed in the foundations of cryptography are helpful for protecting against
side-channel attacks
Proof by example...
and not only at implementation time
Incorporate side-channel attacks in the design of systems
and workshop?
![Page 10: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/10.jpg)
10
Modeling Side-Channels Canetti, Dodis, Halevi, Kushilevitz, and Sahai ’00
Exposure-resilient functions: functions that “look” random even if several input bits are leaked
Ishai, Prabhakaran, Sahai, and Wagner ’03 ’06Private circuit evaluation allowing several wires to leak
Micali and Reyzin ’04Computation and only computation leaks information
Dziembowski and Pietrzak ’08, Pietrzak ’09Leakage-resilient stream-ciphers Computation and only computation leaks information low-bandwidth leakage
![Page 11: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/11.jpg)
11
“Outside of a few classified military programs, side-channel attacks have been largely ignored by computer security researchers, who have instead focused on creating ever more robust encryption schemes and network protocols.”
W. Wayt Gibbs, Scientific American, May 2009
![Page 12: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/12.jpg)
12
Memory Attacks [HSHCPCFAF 08] Not only computation leaks information Memory retains its content after power is lost
5 seconds
30 seconds
60 seconds
5 minutes
http://citp.princeton.edu/memory
Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino,
Feldman, Appelbaum and Felten
![Page 13: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/13.jpg)
13
Not only computation leaks information Memory retains its content after power is lost
Recover “noisy” keys Cold boot attacks Completely compromise popular disk encryption systems Reconstruct DES, AES, and RSA keys http://citp.princeton.edu/memory
Memory content can even last for several minutes
Memory Attacks [HSHCPCFAF 08]
Can exploit redundancy in round keysExtended and further analyzed by Heninger
& Shacham 09
![Page 14: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/14.jpg)
14
Model: leakage of any function of the key
Would like to allow the adversary to learn any function
of the key
Cannot withstand learning the full key
Idea: limit the length of the function
Would like to withstand as long a leakage as possible
Want a functional definition – what the adversary
cannot succeed in doing as a result of the attack
![Page 15: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/15.jpg)
15
Public-Key EncryptionSemantic Security against Chosen Plaintext Attacks [GM82]:For any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)
(sk, pk)
pk
m0, m1
Output b’ Epk(mb)
b à {0,1}
![Page 16: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/16.jpg)
16
Key-Leakage AttacksSemantic security with key leakage [AGV 09]:For any* leakage f(sk) and for any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)
(sk, pk)
pk
f
Output b’
f(sk)
b à {0,1}
Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1}¸ for ¸ < |sk|
m0, m1
Epk(mb)
Akavia, Goldwasser and Vaikuntanathan
[AGV 09]: Regev’s lattice-based scheme is resilient
to such leakage
![Page 17: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/17.jpg)
17
Is this the right model? Noisy leakage
as opposed to low-bandwidth leakage DRAM remanence effects
Leakage of intermediate values Are intermediate values always erased? Are intermediate values always erased?
Key generation process Decryption process
Keys generated using a “weak” random source
Not a perfect model, but still a good starting point
Discuss extensions later on
Crucial for composition
![Page 18: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/18.jpg)
18
Our Results A generic construction for protecting against key leakage
Based on any Hash Proof System [CS 02] Efficient instantiations Various number-theoretic assumptions (DDH, d-Linear, QR, Paillier)
A new hash proof system Resulting scheme resilient to leakage of L – o(L) bits Based on either DDH or d-Linear
The [BHHO 08] circular-secure scheme Fits into our generic approach Resilient to leakage of L – o(L) bits
Trade-off in
efficiency
Decisional Diffie Hellman
Boneh, Halevi, Hamburg and Ostrovsky
![Page 19: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/19.jpg)
19
Our Results Chosen-ciphertext security
Theoretical side A generic CPA-to-CCA
transformation Leakage of L – o(L) bits
Practical side Efficient variants of Cramer-Shoup CCA1: Leakage of L/4 bits CCA2: Leakage of L/6 bits
Satisfied by our
schemes
Extensions of the [AGV 09] model Noisy leakage Leakage of intermediate values Keys generated using a “weak” random source
Related & independent work: Tauman-Kalai and Vaikuntanathan
• [BHHO 08] with hard-to-invert leakage
![Page 20: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/20.jpg)
20
Outline of the Talk Some tools
The generic construction by examples A simple scheme: ¸ ¼ |sk|/2
Improved schemes: ¸ ¼ |sk|
Extensions of the model
Conclusions, further work, and some rest...
![Page 21: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/21.jpg)
21
Min-Entropy
Probability distribution X over {0,1}n
H1(X) = - log maxx Pr[X = x]
X is a k-source if H1(X) ¸ k i.e., Pr[X = x] · 2-k for all x
Represents the probability of the most likely value of X
¢(X,Y) = a|Pr[X=a] – Pr[Y=a]|
Statistical distance:
Example: • Un – uniform distribution on {0,1}n
• H1(Un) = n
![Page 22: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/22.jpg)
22
ExtractorsUniversal procedure for “purifying” an imperfect source
Definition:
Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-extractor if for every k-source X result is close to uniform
¢(Ext(X, Ud), Uℓ) ·
d random bits
“seed”
EXT
k-source of length n
ℓ almost-uniform bits
x
s
![Page 23: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/23.jpg)
23
Strong ExtractorsOutput looks random even after seeing the seed
Definition:
Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-strong extractor if
Ext’(x, s) = s ◦ Ext(x,s)
is a (k, )-extractor
Leftover hash lemma [ILL 89]:Pairwise independent hash functions are strong extractors
Example: Ext(x, (a,b)) = first ℓ bits of ax+b over GF[2n]
Output length ℓ = k – 2log(1/) Seed length d = 2n, almost pairwise independence d = O(log n
+ k)
![Page 24: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/24.jpg)
24
Sidebar: Weak Key-Leakage AttacksSemantic security with weakweak key leakage :For any* leakage f(sk) and for random PK for any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)
(sk, pk)
pk
f
Output b’
f(sk)
b à {0,1}
Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1}¸ for ¸ < |sk|
m0, m1
Epk(mb)
![Page 25: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/25.jpg)
Weak Attacks: Leakage depending on secret Key only
Leakage function chosen by the adversary ahead of time without any knowledge of the public key.
• Depends only on properties of hardware devices – used for storing the secret key.
Generic construction transforming any encryption scheme Resilient to any weak leakage of L(1 - o(1)) bits.
• Parameters: – leakage parameter: ¸– length of the random string used by generation algorithm G: m
• Need: Ext: {0,1}k £ {0,1}d ! {0,1}m be (k-,)-strong extractor
L secret key length
![Page 26: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/26.jpg)
Generic construction from any schemeEncryption scheme: (G,E,D)Ext: {0,1}L £ {0,1}d ! {0,1}m a (L-,)-strong
extractor • Key generation :
– Choose x 2 {0,1}L and s 2 {0,1}d – Compute (pk; sk) = G(Ext(x; s)). – Output PK = (pk; s) and SK = x.
• Encryption: choose r uniformly at random and output (E(pk;M; r), s).• Decryption: ciphertext (c, s), secret key SK = x:
– Compute (pk; sk) = G(Ext(x; s)) and output D(sk; c).
• Resilient to any weakweak leakage of L(1 - o(1)) bitsGiven f(x) distribution of Ext(x; s) close to uniform
Key generation algorithmG: {0,1}m {0,1}w
![Page 27: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/27.jpg)
27
Decisional Diffie-Hellman
gx
gyAlice Bob
Both parties compute K = gxy
DDH assumption:
(g, gx, gy, gxy) (g, gx, gy, gz)
for random x, y, z 2 Zq
(g1, g2, g1r, g2
r) (g1, g2, g1r1, g2
r2)
for random g1, g2 2 G and r, r1, r2 2 Zq
![Page 28: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/28.jpg)
28
Outline of the Talk Some tools
The generic construction by examples A simple scheme: ¸ ¼ |sk|/2
Improved schemes: ¸ ¼ |sk|
Extensions of the model
Conclusions, further work, and some rest...
![Page 29: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/29.jpg)
29
G - group of order q where DDH is hard Ext : G £ {0,1}d ! {0,1} - strong
extractor Choose g1, g2 2 G and x1, x2 2 Zq
Let h = g1x1 g2
x2
Output sk = (x1, x2) and pk = (g1, g2, h)
Key generation
A Simple Scheme
MAIN IDEA: Redundancy: any pk corresponds to many possible sk’s h=g1
x1 g2x2 reveals only log(q) bits of information on
sk=(x1, x2) Leakage of ¸ bits ) sk still has min-entropy log(q) - ¸
![Page 30: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/30.jpg)
30
G - group of order q Ext : G £ {0,1}d ! {0,1} - strong extractor
Choose g1, g2 2 G and x1, x2 2 Zq
Let h = g1x1 g2
x2
Output sk = (x1, x2) and pk = (g1, g2, h)
Choose r 2 Zq and a seed s 2 {0,1}d
Output (g1r, g2
r, s, Ext(hr, s) © m)
Output e © Ext(u1x1 u2
x2, s)
Key generation
Encpk(m)
Decsk(u1, u2, s, e)
A Simple Scheme
Correctness: u1x1 u2
x2 = (g1x1 g2
x2)r = hr
![Page 31: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/31.jpg)
31
Theorem: The scheme is resilient to leakage of ¸ ¼ log(q) bits
half the size of sk
A Simple Scheme: Security Theorem
Proof by reduction:
Adversary for the encryption scheme
Distinguisher for Decisional Diffie-Hellman
log(q) -|m|
![Page 32: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/32.jpg)
32
Theorem: The scheme is resilient to leakage of ¸ ¼ log(q) bits
A Simple Scheme
(sk, pk)
pk
f
Output b’
f(sk)
b à {0,1}
m0, m1
Epk(mb)
Suppose b’=b with probability ½+ > 1/poly
![Page 33: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/33.jpg)
33
Theorem: The scheme is resilient to leakage of ¸ ¼ log(q) bits
A Simple Scheme
pk(g1, g2, g1
r1, g2r2)
b’r1 r2
r1 r2
or
f
f(sk)
m0, m1
Epk(mb)
Distinguisher for DDH
![Page 34: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/34.jpg)
34
(g1r, g2
r, s, Ext(hr, s) © m)
h = g1x1 g2
x2
Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk
computationally indistinguishable not knowing sk
Simple Scheme: Security Proof
![Page 35: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/35.jpg)
35
(g1r, g2
r, s, Ext((g1r)x1 (g2
r)x2, s) © m)
Simple Scheme: Security Proof
h = g1x1 g2
x2
Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk
computationally indistinguishable
![Page 36: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/36.jpg)
36
(g1r1, g2
r2, s, Ext((g1r1)x1 (g2
r2)x2, s) © m)
Simple Scheme: Security Proof
Valid ciphertext: r1 r2
Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk
computationally indistinguishable
![Page 37: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/37.jpg)
37
(g1r1, g2
r2, s, Ext((g1r1)x1 (g2
r2)x2, s) © m)
Simple Scheme: Security Proof
(g1r1)x1 (g2
r2)x2 uniformly distributed given pk and (g1r1,
g2r2)
x1 + wx2 = log(h)r1x1 + r2wx2 = log(t)
Invalid ciphertext: r1 r2
Therefore, even given f(sk): min-entropy ¸ log(q) - ¸
Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk
computationally indistinguishable
h=g1x1 g2
x2By applying the
extractor we get back a random string
![Page 38: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/38.jpg)
38
Proof of Securitypk
(g1, g2, u1, u2)
b’
If b’ boutput “r1 r2”otherwise “r1 r2”
f
f(sk)
m0, m1
sk = (x1, x2)= (g1, g2, g1
x1 g2x2)
h u1, u2, s,Ext(u1
x1 u2x2, s) © mb i
Case 1: u1 = g1r & u2 = g2
r Case 2: u1 = g1r1 & u2 = g2
r2
Simulation is identical to actual attack
Pr[b’ = b] = 1/2 +
Challenge independent of b Pr[b’ = b] = 1/2
up to
![Page 39: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/39.jpg)
39
Hash Proof SystemsKey-encapsulation mechanism with an additional property:
Knowing sk, can encapsulate in two modes Valid: Encapsulated key can be recovered Invalid: Encapsulated key is random
computationally indistinguishable
Leakage reduces the min-entropy by at most ¸, extract and mask the plaintext
Our general construction:
Hash proof system + strong extractor
Key-encapsulation mechanism resilient to key leakage
![Page 40: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/40.jpg)
40
Hash Proof SystemsKey-encapsulation mechanism with an additional property:
Knowing sk, can encapsulate in two modes Valid: Encapsulated key can be recovered Invalid: Encapsulated key is random
computationally indistinguishable
Leakage reduces the min-entropy by at most ¸, extract and mask the plaintext
Known instantiations: Decisional Diffie-Hellman Linear family (bilinear groups) Quadratic residuosity Composite residuosity (Paillier)
![Page 41: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/41.jpg)
41
Outline of the Talk Some tools
The generic construction by examples A simple scheme: ¸ ¼ |sk|/2
Improved schemes: ¸ ¼ |sk|
Extensions of the model
Conclusions, further work, and some rest...
![Page 42: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/42.jpg)
42
G - group of order q
An Improved Scheme
Notation:
(x1, ..., xn) 2 Zqn
(g1, ..., gn) 2 Gn
(x1, ..., xn) ¢ (g1, ..., gn)T gixi
i=1
n
![Page 43: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/43.jpg)
43
G - group of order q Ext : Gn-k £ {0,1}d ! {0,1} - strong extractor
Choose A 2 Gk£n and x 2 Zqn
Let y = Ax Output sk = x and pk = (A, y)
Choose R 2 Zq(n-k)£k and a seed s 2
{0,1}d
Output (RA, s, Ext(Ry, s) © m) Output e © Ext(Qx, s)
Key generation
Encpk(m)
Decsk(Q, s, e)
An Improved Scheme
![Page 44: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/44.jpg)
44
Theorem: The scheme is resilient to any leakage of length¸ ¼ (1 – k/n) |sk|
1 – o(1)
An Improved Scheme
Based on the hardness of k-Linear [BBS 04] 1-Linear = DDH k-Linear is hard ) (k+1)-Linear is hard k-Linear is easy ; (k+1)-Linear is easy (in generic groups)
A new hash proof system Optimizes ratio between secret key and encapsulated key
![Page 45: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/45.jpg)
45
An Improved SchemeWe show that k-Linear implies indistinguishability of: Random P 2 Gn£n of rank k Random P 2 Gn£n of rank n
(rank computed in Zqn£n relative to a fixed generator g 2 G)
In the simplified scheme:
g1 g2
g1r1 g2
r2
r1 r2 rank 1r1 r2 rank 2
[BHHO 08] proved the case k=1
Proof similar to the simplified scheme
![Page 46: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/46.jpg)
46
The “Long” Scheme Originally proposed by [BHHO 08] as a “circular-secure” scheme Fits into our generic construction
Choose g1,...,gk 2 G and s1,...,sk 2 {0,1}
Let h = g1s1¢¢¢gk
sk
Output sk = (s1,...,sk) and pk = (g1,...,gk, h) Choose r 2 Zq
Output (g1r,..., gk
r, hr ¢ m)
Output e ¢ (u1s1¢¢¢uk
sk)-1
Key generation
Encpk(m)
Decsk(u1,...,uk,e)
“built-in” extractor
k ¼ ¸+2log(q)
Boneh, Halevi, Hamburg and Ostrovsky
![Page 47: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/47.jpg)
47
Outline of the Talk Some tools
The generic construction by examples A simple scheme: ¸ ¼ |sk|/2
Improved schemes: ¸ ¼ |sk|
Extensions of the model
Conclusions, further work, and some rest...
![Page 48: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/48.jpg)
48
ExtensionsNoisy leakage Leakage not necessarily of bounded length
H1(sk | pk, leakage) > H1 (sk | pk) - ¸
Leakage of intermediate values: Key generation Once the keys are generated, are all intermediate values erased? Leakage depends on the random bits used for generating the keys Crucial for security under composition
Hard-to-invert leakage Tauman-Kalai and Vaikuntanathan:
The BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert
![Page 49: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/49.jpg)
49
ExtensionsWeak random source Keys generated using a low-entropy adversarially chosen source
Choose g1, g2 2 G and x1, x2 2 Zq
Let h = g1x1 g2
x2
Output sk = (x1, x2) and pk = (g1, g2, h)
Key generation
(g1, g2) chosen once and shared by all users Only need H1(x1,x2 | g1, g2) ¼ log(q) + |plaintext|
![Page 50: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/50.jpg)
50
ExtensionsLeakage of intermediate values: Decryption Contrived example: First encode sk using a good error-correcting code,
then decrypt Not so contrived...
Output e ¢ (u1s1¢¢
¢uksk)-1
Decsk(u1,...,uk,e)
Decryption has “low bandwidth” Only O(log q) bits at any point in time sk = (s1,..., sk) can be much larger
![Page 51: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/51.jpg)
51
Outline of the Talk Some tools
The generic construction by examples A simple scheme: ¸ ¼ |sk|/2
Improved schemes: ¸ ¼ |sk|
Extensions of the model
Conclusions, further work, and some rest...
![Page 52: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/52.jpg)
52
Must incorporate side-channel attacks
in the design of systems
Conclusions
Many tools developed in the foundations of cryptography are
helpful for protecting against side-channel attacks
We can build efficientcryptosystems resilient to a wide
range of side-channel attacks Leakage-resilient encryption from general assumptions? Dealing with “iterative”/continual leakage and refreshed keys?
As in leakage-resilient stream-ciphers [DP08, P09] Other primitives? Other side channels?
Signature Scheme [Katz Vaikuntanathan 09] Bounded Retrieval Model [Alwen, Dodis, Walfish, Wichs 09] Hard-to-invert leakage [DKL09, KV09] Block Cipher??
A falsifiablefalsifiable assumption with side channels?
![Page 53: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/53.jpg)
53
Can leverage the physical world !!
Conclusions
Visual cryptography [NS94] Timing for concurrent composition [DNS98] Authentication: low-bandwidth human channel [NSS06] Tamper-evident seals (scratch-off cards) [MN06]
Randomized response Secure computation using tamper-proof hardware [Katz07,
MS08] Human competitive nature and love of games [HN09] Voting
![Page 54: Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.](https://reader030.fdocuments.net/reader030/viewer/2022032703/56649cfa5503460f949cc327/html5/thumbnails/54.jpg)
54
תודה רבהThank You
To appear, Crypto 2009
Available: •www.wisdom.weizmann.ac.il/~naor/PAPERS/leakage_abs.html•IACR Archive