non-malleable codes and tamper-resilient security ( ics 2010 ) joint work with: stefan dziembowski,...
TRANSCRIPT
![Page 1: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/1.jpg)
NON-MALLEABLE CODESAND
TAMPER-RESILIENT SECURITY
( ICS 2010 )
Joint work with:Stefan Dziembowski, Krzysztof Pietrzak
Speaker: Daniel Wichs
![Page 2: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/2.jpg)
Physical Attacks
Leakage: Adv observes physical output of the device.
Tampering: Adv modifies internal state and interacts with tampered device.
![Page 3: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/3.jpg)
Example
Signature infrastructure using secure tokens (no PKI).
All tokens have the same secret signing key sk.
Each token has a unique userID. On input message m, token signs (userID,
m).
(userID, sk)
m Signsk(userID, m)
![Page 4: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/4.jpg)
Example:
Can we attack scheme with simple physical attacks?
Attack 1 (RSA sig): Leaking a random 27% of bits of RSA key lets you factor! [HS09]
Attack 2 (RSA sig): Introduce single faulty bit during signing. Use resulting sig to factor the RSA modulus. [BDL97]
Attack 3 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva.
Signsk(userID, m)
![Page 5: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/5.jpg)
Lessons from Example
Tampering attacks can be just as devastating as leakage attacks.
Cannot only focus on tamper-resilience for cryptographic primitives.
![Page 6: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/6.jpg)
Algorithmic Protection
Want: A general compiler that takes a circuit G with state s and creates a circuit G’ with state s’ such that: (G, s) acts the same as (G’, s’) Tampering with (G’, s’) via some well-
defined family F of attacks is useless.
![Page 7: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/7.jpg)
Algorithmic Protection
Tampering of memory and computation
Tampering of memoryGLMMR04
IPSW06
Circuit
Memory
input outputCircui
t
Memory
input output
This talk
![Page 8: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/8.jpg)
Algorithmic Protection
Q: Why study tampering of (only) memory? Simpler. Need to understand it first. Leads to a very natural coding-theory
question of independent interest. Might be reasonable in practice.
![Page 9: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/9.jpg)
Code-based Solution
CircuitG’
c = Enc(s)
Decode s= Dec(c).Evaluate G(s).
G’=
CircuitG
s
Original Functionality (G, s)
Compiled Functionality (G’, c)
![Page 10: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/10.jpg)
Talk Outline
Definition of non-malleable codes.
General (im)possibility results for nm-codes.
Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model.
Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.
![Page 11: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/11.jpg)
Coding Schemes
Encoding can be randomized: c = Enc(s;r).
Correctness: Dec(Enc(s)) = s with probability 1.
Encs csource messagecodeword
randomizedencoding
Decdecoding
s
decoded message
![Page 12: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/12.jpg)
The “Tampering Experiment”
Enc Decs csource message
c*
s*
decoded message
Tampering function f 2 F chosen adversarially.
Independent of randomness of encoding.
F={ },f1 f2
, f3
tamper
f
=f(c)
![Page 13: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/13.jpg)
The “Tampering Experiment”
Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome s*.
Enc Decs c c*
s*
tamper F
![Page 14: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/14.jpg)
Error-Correction
Error-Correction: require that s* = s
Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d }
No randomness in Enc.
Limitations: Cannot be achieved for even small/simple families F. (e.g. even the single function f that maps all values to 0).
Enc Decs c c*
s*
tamper F
![Page 15: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/15.jpg)
Error-Detection
Error-Detection: require that s* 2 {s, ?} (with overwhelming probability).
Problem: Might learn something about s if s* = ?.
Limitation: Cannot be achieved for some even small/simple families F. (e.g. family all “constant” functions fc(x) = c).
Enc Decs c c*
s*
tamper F
![Page 16: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/16.jpg)
New notion: Non-Malleability
Non-Malleability: either s*= s or s* is “unrelated” to s. Analogous to non-malleability in cryptography [DDN91].
Harder to define formally (stay tuned). Examples of “malleability”:
The value s* is same as s, except with 3rd bit flipped. If s begins with 0, then s* = s. Otherwise s* = ?.
Hope: non-malleability achievable for many rich families F.
Enc Decs c c*
s*
tamper F
![Page 17: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/17.jpg)
Defining Non-Malleability (Attempt 1)
Tampering via f 2 F does not reveal information. Can answer following without knowing s: Does your tampering change the codeword c? If so, what is new message s* = Dec(c*).
c à Enc(s0) c* à f(c)
If c* = c say “same”
else say Dec (c*)
¼
Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 8 s0, s1: c à Enc(s1)
c* Ã f(c) If c* = c say
“same”else say Dec (c*)
Problem: Unnecessarily strong! Not satisfied by error-correcting codes.
![Page 18: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/18.jpg)
Defining Non-Malleability
s* Ã Df
if s* = “same” output s
else output s*.
s* Ã Dec ( f(Enc(s)) ) ¼
Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 simulator Df such that 8 s:
Tampering via f 2 F does not reveal information. Can “simulate” the answer to following questions: Did the message s stay the same? If no, what is the new message s*?
![Page 19: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/19.jpg)
Talk Outline
Definition of non-malleable codes.
General (im)possibility results for nm-codes.
Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model.
Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.
![Page 20: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/20.jpg)
General Impossibility Non-Malleability
For every coding scheme (Enc, Dec) there exists a single function f, for which the scheme is malleable. f(c) = Enc(Dec(c) + 1). Bad f depends heavily on (Enc, Dec).
Corollaries: No coding scheme (Enc, Dec) (with n bit codewords),
is non-malleable w.r.t. Fall = { all f : {0,1}n ! {0,1}n }. No efficient coding scheme is non-malleable w.r.t. all
efficient functions.
![Page 21: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/21.jpg)
General Possibility of Non-Malleability
For every “small enough” family F, there exists a nm-code w.r.t F.
“small enough” F: log(log(|F|)) < n.Note: log(log(|Fall|)) = n + log(n).
Theorem:
Proved using the probabilistic method. Not efficient…
![Page 22: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/22.jpg)
Use “random code” with k-bit messages and n-bit codewords. Choose the function Dec : {0,1}n ! {0,1}k uniformly at
random. Define Enc(s) to sample uniform {c s.t. Dec(c) = s}.
For any fixed family F, a “random code” is non-malleable w.r.t. F with overwhelming probability if:
n > log(log (|F|)) + 3k
Notice: rate is 1/3, even for small F. Optimality?
Question: What can we do efficiently?
General Possibility of Non-Malleability
![Page 23: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/23.jpg)
Talk Outline
Definition of non-malleable codes.
General (im)possibility results for nm-codes.
Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model.
Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.
![Page 24: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/24.jpg)
Bit-wise independent tampering
Every bit of the codeword can be tampered arbitrarily, but independently of the value of other bits.
Tampering functions f = (f1,…,fn) and f(c) = f1(c1),…,fn(cn). fi : {0,1} ! {0,1} can be arbitrary.
Four options for each fi : “keep”, “flip”, “set to 0”, “set to 1”.
Bit-wise independent tampering contains: All constant functions: fc(x) = c (only “set to 0/1”). All “constant error” functions : f¢(x) = x + ¢ (only
“keep/flip”).
![Page 25: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/25.jpg)
Tool 1: AMD Codes
Algebraic Manipulation Detection codes: [CDFPW08] A coding scheme (AE, AD) is AMD code if for any s, ¢ 0
Pr[AD( AE(s) + ¢) ?] = negligible.
Achieves error-detection for “keep”/“flip” . Does not protect against “set to 0”/“set to 1”.
Definition:
![Page 26: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/26.jpg)
Tool 2: Secret Sharing
LECSS: Linear Error-Correcting Secret Sharing (SSE, SSD). Linearity: SSE(s1 + s2) = SSE(s1) + SSE(s2) t-Privacy: Any t bits of SSE(s) are mutually
random. d-Distance: Any c 0 s.t. weightH(c) < d,
SSD(c) = ?.
Definition:
![Page 27: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/27.jpg)
Bit-wise independent tampering:Construction
Given:• AMD code (AE, AD).• LECSS (SSE, SSD) with d/n > ¼ and t = !(log(n)).
The code:Enc(s) = SSE( AE(s) ) , Dec(c) = AD( SSD(c) )
is non-malleable for bit-wise independent tampering.
Theorem:
![Page 28: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/28.jpg)
Bit-wise independent tampering: Proof
4 cases based on q= # of fi that are “set to 0”/”set to 1”
s
AMDCode
LECSS
c c* = f(c)f
Set to 0Set to 1
keep
Set to 0
flip
flip
01
c3 +0
0
c5 + 1
c6 + 1
c1
c2
c3
c4
c5
c6
![Page 29: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/29.jpg)
Bit-wise independent tampering: Proof
Case 1: n - t · q : Just samples Dec(c*). OK since c* is completely unrelated to s (t-
privacy).
s
AMDCode
LECSS
c c* = f(c)
Set to 0/1
Keep/flip Uniformly random!
![Page 30: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/30.jpg)
Bit-wise independent tampering: Proof
Case 2: n/2 · q < n - t: Just outputs ?. Unlikely that DSS(c*) ?. (distance/privacy).
s
AMDCode
LECSS
c
Set to 0/1
Keep/flip
c* = f(c)
• t-wise independent.
• few valid codewords.
![Page 31: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/31.jpg)
Bit-wise independent tampering: Proof
Case 3: t · q < n/2: Just outputs ?. Consider ¢ = c* - c. Same argument as previous
case (linearity).
s
AMDCode
LECSS
c
Set to 0/1
Keep/flip
¢ = c* - c
• t-wise independent.
• few valid codewords.
![Page 32: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/32.jpg)
Bit-wise independent tampering: Proof
Case 4: q · t: Samples DSS(¢). If 0 output “same” else ?. ¢ is independent of AMD randomness. If ¢ 0 AMD code rejects.
s
AMDCode
LECSS
cs’
Set to 0/1
Keep/flip
• Uniformly random!
¢ = c* - c
![Page 33: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/33.jpg)
Bit-wise independent tampering:Instantiation
Recall, instantiation needs: LECSS (SSE, SSD) with distance d/n > ¼ and t = !(log(n)). AMD code (AE, AD)
AMD codes with extremely high rate [CDFPW08]. LECSS schemes?
Ramp version of Shamir secret sharing does not get d/n > ¼.
Use random linear code. (d = distance, t = dual distance). Not explicit, but efficient: we never need to correct errors!
Parameters: Rate of final instantiation of (Enc, Dec) isk/n ¼ (1-H(.25)) ¼ .19
Optimality?
![Page 34: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/34.jpg)
Non-malleable Codes in the Random Oracle Model
Can we instantiate a random code efficiently?
Use a cryptographic hash function modeled as a Random Oracle. Cheat: gives us an “efficient” way to compute a random function. Also give this power to the adversary, tampering functions f.
Each bit of f(c) depends on some subset (e.g. 90%) of the bits of c.
In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”.
(Access to an oracle does not change the family)
Theorem:
![Page 35: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/35.jpg)
Talk Outline
Definition of non-malleable codes.
General (im)possibility results for nm-codes.
Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model.
Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.
![Page 36: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/36.jpg)
Tamper-Resilient Security
CircuitG’
c = Enc(s)
Decode s= Dec(c).Evaluate G(s).
G’=
CircuitG
s
Original Functionality (G, s)
Compiled Functionality (G’, c)
![Page 37: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/37.jpg)
Tamper-Resilient Security
CircuitG’
c = Enc(s)
CircuitG
s
Original Functionality (G, s)
Compiled Functionality (G’, c)
Tamper: f 2 F
adv
![Page 38: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/38.jpg)
Tamper-Resilient Security
CircuitG’
c*
CircuitG
s
Original Functionality (G, s)
Compiled Functionality (G’, c)
Tamper: f 2 F
adv
![Page 39: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/39.jpg)
Tamper-Resilient Security
CircuitG’
c*
CircuitG
s
Original Functionality (G, s)
Compiled Functionality (G’, c)
Tamper: f 2 F
Input x Output y
adv
State is re-encoded (reactive)
Input x Output y
Simulator
¼
![Page 40: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/40.jpg)
Tamper-Resilient Security
Theorem: If (Enc, Dec) is non-malleable w.r.t. F then our compiler is tamper-resilient w.r.t. F
![Page 41: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/41.jpg)
Comparison to Prior Work
Same assumption: tampers memory, but not computation. Main solution: use signatures.
Sign the state. Verify signature on each invocation. If fail, stop working.
Does not satisfy our definition of tamper-resilient security. e.g. Set the first bit of state to 0. See if device stops working. Works for signature/encryption scheme (limitations).
Device cannot update its state (requires secret key). Allows all efficient tampering strategies!
Algorithmic Tamper-Proof Security [GLMMR04]
![Page 42: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/42.jpg)
Comparison to Prior Work
Stronger model: adversary can tamper with the wire-values during a computation of a circuit.
Same strong definition of security using a simulator.
Limited to tampering functions which only modify some small subset of the wires (or set wires to 0).
Private Circuits (II) [IPSW06]
![Page 43: NON-MALLEABLE CODES AND TAMPER-RESILIENT SECURITY ( ICS 2010 ) Joint work with: Stefan Dziembowski, Krzysztof Pietrzak Speaker: Daniel Wichs](https://reader037.vdocuments.net/reader037/viewer/2022110320/56649c9a5503460f949570f3/html5/thumbnails/43.jpg)
Conclusions
Define non-malleable codes.
Construct non-malleable codes for: All “small” families of tampering function (inefficient). Bit-wise independent tampering (efficient). Complex families closed under oracle access. (efficient in RO
model).
Connect non-malleable codes to tamper-resilient security.
Open Questions: More efficient constructions of non-malleable codes for other
families. Optimal rates? Results in the stronger model of [ISPW06].