NEW RESULTS IN NON-MALLEABLE CODES. PROGRESS REPORT SEMINAR. PRATYAY MUKHERJEE, AARHUS UNIVERSITY, 28. MARCH 2014. SUPERVISED BY JESPER BUUS NIELSEN.

Upload: philomena-barrett

Post on 17-Dec-2015


TRANSCRIPT

Page 1:

NEW RESULTS IN NON-MALLEABLE CODES

PROGRESS REPORT SEMINAR

PRATYAY MUKHERJEE, AARHUS UNIVERSITY

28. MARCH 2014

SUPERVISED BY JESPER BUUS NIELSEN

Page 2:

CRYPTOGRAPHY IN MODERN WORLD

How to analyze security? Find all possible attacks?

- Infeasible! Need mathematical modelling and proofs, a.k.a. Provable Security.

Page 3:

PROVABLE SECURITY AT A GLANCE

1. Define security notion/models.

2. Design cryptoscheme.

Usually described in mathematical language.

3. Prove security.

No efficient adversary can break security if assumption holds.

Reduce security of complex scheme to simple assumption, e.g.:

- Number theoretic: factoring is hard.
- Complexity theoretic: one-way function exists.

Page 4:

TIME TO RELAX?

Security proof implies… secure against all possible attacks.

However, provably secure systems get broken in practice! So what’s wrong?

[Figure labels: Model, Reality]

Page 5:

PHYSICAL ATTACKS ON IMPLEMENTATIONS

Mathematical Model: Blackbox

[Figure: Fk with input and output.]

Reality: PHYSICAL ATTACKS

[Figure: Fk with input, output and leakage; tampering gives F’k’ and tampered output. Tampering is marked "Our focus".]

Page 6:

WHY CARE ABOUT TAMPERING?

BDL’01: Inject single (random) fault to the signing-key of some type of RSA-sig: factor RSA-modulus!

Devastating attacks on Provably Secure Cryptosystems!

More: Anderson and Kuhn ’96; Skorobogatov et al. ’02; Coron et al. ’09; … and many more.

Page 7:

THEORETICAL MODELS OF TAMPERING

Tamper with memory and computation (IPSW ’06)

• Most General Model: Complicated

• Limited existing results!

Tamper only with memory (GLMMR ’04)

• A Natural First Step: Simpler to handle

• Might be reasonable in practice!

Our Focus

[Figure: F and k, shown for each model.]

Page 8:

WAYS TO PROTECT AGAINST MEMORY TAMPERING

1. Protecting Specific schemes

Build tamper resilient PRF, PKE, Sigs, e.g.: BK 03; BCM11; KKS 11; BPT 12; DFMV13…

We build tamper-resilient PKE and Signature Scheme.

2. Protecting Arbitrary Computation

Build compiler for any functionality, first proposed in GLMMR04.

This talk

[Figure: Memory K with Circuit F is compiled into Memory K' with Circuit F’.]

Initialization: K' := C = Enc(K)

Execution of F’[C](x):

1. K = Dec(C)
2. Output F[K](x)

Page 9:

SECURITY GUARANTEE

Intuition: Adversary shall learn nothing useful from tampering.

[Figure: F with K is compiled into F' with K’ := Enc(K); ∀ Adv ∃ Sim.]

Page 10:

OUTLINE: REST OF THE TALK

Basics of Non-Malleable Codes.

Result-1: Continuous Non-Malleable Codes.

Result-2: Efficient Non-Malleable Codes for poly-size tampering circuits.

Conclusions and future works.

Page 11:


Basic definitions

Non-Malleable Codes

Page 12:

ENCODING SCHEME (ENC, DEC)

› ENC: s → Enc → C (source message → codeword). Can be randomized.

› DEC: C → Dec → s (codeword → decoded message).

Correctness: s: s = Dec(Enc(s))

No secret key!

Page 13:

THE “TAMPERING EXPERIMENT”

› “Tampering Experiment” for encoding scheme (Enc, Dec):

s → Enc → C → Tamper (f ∈ F) → C* = f(C) → Dec → s*

f is chosen adversarially from some fixed family F.

Goal: Design encoding scheme (Enc, Dec) for “interesting” F that provides “meaningful guarantees” about s*.

Page 14:

ERROR CORRECTION/DETECTION & NON-MALLEABILITY

s → Enc → C → Tamper (f ∈ F) → C* = f(C) → Dec → s*

Error-Correction: Guarantees s* = s, but e.g. for Hamming codes f must be such that Ham-Dist(C, C*) < d/2, i.e. F is very limited!

Error-Detection: Guarantees s* = {s, ⊥}, but F can’t contain simple functions, e.g. constant functions fĈ(.) = Ĉ for valid Ĉ.

Non-Malleability [DPW10]: Guarantees s* = s or unrelated to s.

Hope: Achievable for rich F.

Page 15:

FORMALIZING NMC [DPW’10]

Def: A code (Enc, Dec) is non-malleable w.r.t. F if ∀ Adv and ∀ s0, s1, Tamper(s0) Tamper(s1) where,

Tamper(sb):

1. Encode C ← Enc(sb).

2. Tampering (f ∈ F):

Set C* ← f(C)

If C* = C return same

Else return C*

3. Output View

[Figure: Adv sends f ∈ F to Tamper(sb) and receives the return value; View.]

Intuition: The tampering exp. should not leak anything about input!

Page 16:

LIMITATION AND POSSIBILITY

Impossibility [DPW10]: Not achievable if F contains some f which knows Dec.

For any (Enc, Dec) consider fbad which decodes C, flips 1-bit and re-encodes to C*.

Conclusion: There is no NMC for Fall ( |Fall| = for -bit code)

Possibility [DPW10]: NMC exists for every family such that: |F| <

How to restrict F?

Way-1: Compromise granularity - split-state tampering: Considered in [DPW10, LL12, DKO13, ADL13, CG13] and our Result-1.

Way-2: Compromise complexity - global tampering: Considered first time in our Result-2.
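The one-shot tampering experiment of Pages 13 to 16, as an added example that is not part of the original slides: it runs a bit fault, a constant function and fbad against a toy keyless error-detecting code and compares the outputs for two messages. The code `s || SHA-256(s)`, the sample messages and all function names are assumptions made for this illustration.

```python
import hashlib

TAG = 32  # bytes of public check value appended to the message

def enc(s: bytes) -> bytes:
    # Toy keyless error-detecting code (constructed for this demo): s || SHA-256(s)
    return s + hashlib.sha256(s).digest()

def dec(c: bytes):
    s, tag = c[:-TAG], c[-TAG:]
    return s if hashlib.sha256(s).digest() == tag else None  # None stands for ⊥

def tamper(s: bytes, f):
    """C = Enc(s), C* = f(C); output 'same' if C* = C, otherwise s* = Dec(C*)."""
    c = enc(s)
    c_star = f(c)
    return "same" if c_star == c else dec(c_star)

def flip_first_bit(c: bytes) -> bytes:
    # Bit-level fault applied without any knowledge of Dec.
    return bytes([c[0] ^ 0x80]) + c[1:]

FIXED = b"fixed-msg"  # constructed constant message

def constant(c: bytes) -> bytes:
    # Constant function: ignores its input and writes a valid codeword.
    return enc(FIXED)

def f_bad(c: bytes) -> bytes:
    # Decodes C, flips one bit of the message and re-encodes to C*.
    s = dec(c)
    return enc(s[:-1] + bytes([s[-1] ^ 0x01]))

def outputs(f, s0: bytes, s1: bytes):
    """Tamper(s0) and Tamper(s1) under the same tampering function f."""
    return tamper(s0, f), tamper(s1, f)

S0, S1 = b"PIN=1234", b"PIN=9999"  # constructed sample messages

if __name__ == "__main__":
    for f in (flip_first_bit, constant, f_bad):
        print(f.__name__, outputs(f, S0, S1))
```

The bit fault and the constant function give the same output for both messages (⊥, or the fixed message, which is unrelated to s), while fbad gives a valid message that differs from s in one bit, so the output depends on the input.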

Page 17:

Result-1

Continuous Non-Malleable Codes

Based on a joint work with: Sebastian Faust, Jesper Buus Nielsen and Daniele Venturi

[Appeared in TCC 2014]

Page 18:

SPLIT-STATE TAMPERING

In this model, C = (C1, C2) and f = (f1, f2) for arbitrary f1, f2.

[Figure: s → Enc → (C1, C2); C1 → f1 → C1*; C2 → f2 → C2*; (C1*, C2*) → Dec → s*.]

Why split-state?

| Fsplit | = O() : Rich class of functions.

Might be easy to implement.

Well-studied model in leakage-resilient crypto.

Page 19:

NMC TO PROTECT TAMPERING

Idea: Build compiler for any functionality (recall).

[Figure: Memory s with Circuit F is compiled into Memory s' with Circuit F’.]

Initialization: s' := NMEnc(s)

Execution loop of F’[s'](x):

1. s = NMDec(s')
2. if s = ⊥ then STOP, else output F[s](x) and re-encode s' = NMEnc(s), continue.

Fresh Re-encoding: Adv can tamper each codeword only once.

Page 20:

A STRONGER TAMPERING MODEL

Memory space much bigger than length of codeword.

[Figure: C := NMEnc(s); Memory M holding C; f; Memory M* = f(M) holding C and C’; read.]

Adv can tamper continuously with the same codeword.

Page 21:

CNMC: A NATURAL EXTENSION

Def: A code (Enc, Dec) is non-malleable w.r.t. Fsplit if ∀ Adv and ∀ s0, s1, Tamper(s0) Tamper(s1) where,

Tamper(sb):

1. Encode (C1, C2) ← Enc(sb).

2. Tampering (continuous: repeat adaptively), for (f1, f2):

Set (C1*, C2*) ← (f1(C1), f2(C2))

If (C1*, C2*) = (C1, C2) return same

Else return (C1*, C2*)

3. Output View

Attack [GLMMR04]: Guess each bit, overwrite and check if the output is same; recover bit by bit.

Way Out: Assume Self-Destruct: If output ⊥ once, then STOP experiment.

Page 22:

CNMC: A NATURAL EXTENSION

Def: A code (Enc, Dec) is continuous non-malleable in split-state if ∀ Adv and ∀ s0, s1, Tamper(s0) Tamper(s1) where,

Tamper(sb):

1. Encode (C1, C2) ← Enc(sb).

2. Tampering (repeat adaptively), for (f1, f2):

Set (C1*, C2*) ← (f1(C1), f2(C2))

If (C1*, C2*) = (C1, C2) return same

Else if Dec(C1*, C2*) = ⊥ then return ⊥ and self-destruct.

Else return (C1*, C2*)

3. Output View
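The continuous split-state experiment of Pages 21 and 22, as an added example that is not part of the original slides: it simulates the tampering oracle with and without self-destruct and counts how many bits of C1 the bit-overwrite queries reveal. The toy code (C1 = s, C2 = SHA-256(C1)), the sample message and all names are assumptions made for this illustration; the toy code is not a non-malleable code.

```python
import hashlib

SAME, BOT = "same", "bot"  # the experiment's special outputs ("same" and ⊥)

def enc(s: bytes):
    # Toy split-state code, constructed for this demo and NOT non-malleable:
    # C1 holds the message, C2 holds a public SHA-256 check of C1.
    return s, hashlib.sha256(s).digest()

def dec(c1: bytes, c2: bytes):
    return c1 if hashlib.sha256(c1).digest() == c2 else None  # None stands for ⊥

class TamperOracle:
    """Step 2 of Tamper(s): answers adaptive queries (f1, f2) on the same codeword."""
    def __init__(self, s: bytes, self_destruct: bool):
        self.c = enc(s)
        self.self_destruct = self_destruct
        self.dead = False

    def query(self, f1, f2):
        if self.dead:
            return BOT                       # experiment already stopped
        t = (f1(self.c[0]), f2(self.c[1]))   # each function sees one half only
        if t == self.c:
            return SAME
        if dec(*t) is None:
            self.dead = self.self_destruct   # stop for good after the first ⊥
            return BOT
        return t

def clear_bit(c: bytes, i: int) -> bytes:
    b = bytearray(c)
    b[i // 8] &= ~(0x80 >> (i % 8)) & 0xFF
    return bytes(b)

def probe_c1(oracle: TamperOracle, nbits: int):
    """Overwrite bit i of C1 with 0 (f2 is the identity) and check for 'same'."""
    learned = []
    for i in range(nbits):
        out = oracle.query(lambda c1, i=i: clear_bit(c1, i), lambda c2: c2)
        learned.append(0 if out == SAME else 1)
        if oracle.dead:
            break
    return learned

def bits_of(s: bytes):
    return [(byte >> (7 - j)) & 1 for byte in s for j in range(8)]

SECRET = b"key!"  # constructed sample message

def demo():
    no_sd = probe_c1(TamperOracle(SECRET, self_destruct=False), 8 * len(SECRET))
    with_sd = probe_c1(TamperOracle(SECRET, self_destruct=True), 8 * len(SECRET))
    return no_sd, with_sd

if __name__ == "__main__":
    no_sd, with_sd = demo()
    print("without self-destruct:", len(no_sd), "bits, all correct:", no_sd == bits_of(SECRET))
    print("with self-destruct:", len(with_sd), "bits before the experiment stopped")
```

Without self-destruct every bit of C1 is recovered; with self-destruct the queries stop giving information at the first ⊥.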

Page 23:

UNIQUENESS: A NECESSARY PROPERTY

Def: For any Adv it’s hard to find (C1, C2, C2') such that both (C1, C2) and (C1, C2') are valid.

Why necessary?

Otherwise suppose ∃

(f1, f2):

1. f1 always replaces T1 with C1.
2. f2 checks if T2[i] = 0, then replaces T2 with C2, else replaces T2 with C2'.

Recovers T2.

After knowing T2:

3. f1 hard-codes T2 and decodes s ← Dec(T1, T2).
4. Depending on s, f1 leaves it same or tampers: leaks 1 bit.

Existing [LL12] construction does not satisfy.

Corollary: Information theoretic CNMC (split-state) is impossible.

Page 24:

EXTRACTABILITY: ANOTHER PROPERTY

[Figure: s → Enc → (C1, C2); C1 → f1 → C1*; C2 → f2 → C2*; Extract → C2**.]

Extractability: If C1* ≠ C1 then it is possible to extract C2** (if exists) such that (C1*, C2**) is valid.

Uniqueness + Extractability

Our Construction

Necessary? We don’t know.

Page 25:

OUR CONSTRUCTION: INTUITIONS

[Figure: C1, C2; (f1, f2); C1*, C2*; Extract → C2**; Decode → s*, a priori known to adv.]

Uniqueness: C2** = C2* w.h.p.

Page 26:

Result-2

Efficient Non-Malleable Codes for poly-size tampering circuits

Based on a joint work with:

Sebastian Faust, Daniele Venturi and Daniel Wichs

[To appear in Eurocrypt 2014]

Page 27:

RECALL: LIMITATION AND POSSIBILITY

Impossibility [DPW10]: There is no NMC for Fall ( |Fall| = )

Possibility: NMC exists for every family such that: |F| <

How to restrict F:

Way-1: Compromise granularity - Result-1.

Way-2: Compromise complexity - global tampering: Considered first time in this work.

Question: Can we protect against all efficient functions Feff, |Feff| = 2^O(poly()) ?

Answer: NO! because Feff contains all efficient (Enc, Dec).

Page 28:

EFFICIENT & GLOBAL NON-MALLEABLE CODES

Main Result: “The next best thing”

For any pre-fixed polynomial P, we can construct global and efficient non-malleable codes for any F of size | F | 2^P.

What does it mean?

[Figure: P; choose param t based on P; choose F s.t. | F | 2^P; f ∈ F.]

Page 29:

THE CONSTRUCTION

Encoding

[Figure: (h1, h2) ← H12, both of seed size t; input; r ← DR s; h1(r) z; σ = h2(r, z); output c = (r, z, ).]

Decoding

If then output z h1(r) else output

Theorem (informal): The above encoding is non-malleable w.r.t. any F of size 2^P w.h.p. over the random choices of h1, h2 as long as t >> P. (It is info theoretic and optimal.)

Page 30:

SOME INTUITIONS

Our codeword has format (recall): C = ( , h2( ) )

f can not compute h2 but can leak some bits of

but = (r, h1(r)) is leakage-resilient encoding of s! [DDV’10]

Choose seeds t >> P such that: w.h.p. random (h1, h2) F

Page 31:

CONCLUSIONS AND FUTURE WORKS

We mainly explored non-malleable codes in two separate directions.

Thus far NMC is only used to protect against memory-tampering. (We strengthen the model in Result-1)

Future Works:

Can we use NMC also to protect against computation? - Leakage and Tamper resilient RAM!

Other uses of NMC? - E.g. Non-malleable commitments/Encryptions. - General abstraction of non-malleability.

Improving the existing NMC.

Page 32:

PUBLISHED PAPERS

1. Bounded Tamper Resilience: How to go beyond the Algebraic Barrier. Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, Daniele Venturi. In ASIACRYPT 2013.

2. Continuous Non-Malleable Codes. Sebastian Faust, Pratyay Mukherjee, Jesper Buus Nielsen, Daniele Venturi. In TCC 2014.

3. Efficient Non-Malleable Codes and Key-derivations for poly-size tampering circuits. Sebastian Faust, Pratyay Mukherjee, Daniele Venturi, Daniel Wichs. To appear in EUROCRYPT 2014.

This talk

Page 33:


Thank You !

Question(s) ?