RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)


Page 1:

RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY

Daniel Wichs (NYU) (China Theory Week 2010)

Page 2:

Leakage Attacks

Cryptography relies on secrets.

Cryptographic devices: [figure: a device holding secret keys, taking an input and producing an output]

In reality, many “side-channels”! Timing, power, radiation, heat, acoustics… Secrets can leak!

Natural response: Not our problem. Blame the “engineers” – they should fix this!

Theory/Crypto can help!

Page 3:

Cryptography With Leakage

Can we do cryptography with incomplete secrecy?

Need a way to model leakage first!

In this talk: Adv can learn arbitrary information about the secret key as long as its amount is bounded. [AGV09] Adv specifies any poly-time function Leak : {0,1}* → {0,1}^L. Learns the output Leak(sk).

[figure: Adv sends Leak() to the device holding sk and receives Leak(sk); L = leakage bound]

Page 4:

Leakage Resilient Cryptography

Password Login and One-Way Functions.

Identification Schemes and Signatures.

Public-Key Encryption.

Page 5:

Password Login Scheme

[figure: Prover Bob holds (pkBob, skBob); Verifier Alice holds pkBob. Bob sends skBob and Alice accepts.]

Leakage Stage: Adv sends Leak() and learns Leak(sk).

Impersonation Stage: Adv, holding pkBob and a guess sk’, tries to log in as Bob; Alice rejects!

Page 6:

Using One-Way Functions

[figure: Prover Bob holds (pkBob = f(x), skBob = x); Verifier Alice holds pkBob = y. Bob sends x; Alice accepts iff y = f(x).]

Standard OWF: get y = f(x), hard to find any x’ ∈ f^-1(y). Suffices for regular “password login” security.

L-LR OWF: get y = f(x) & Leak(x), hard to find x’ ∈ f^-1(y). Not satisfied by general OWFs (easy counter-examples). … but can be constructed from general OWFs.

Page 7:

OWF ⇒ LR-OWF

OWF: get y = f(x), hard to find any x’ ∈ f^-1(y).

[figure: Domain → Range; y = f(x)]

Page 8:

OWF ⇒ LR-OWF

OWF: get y = f(x), hard to find any x’ ∈ f^-1(y).

L-LR OWF: also get L bits of leakage about x.

[figure: Domain → Range; x maps to y = f(x)]

Page 9:

OWF ⇒ LR-OWF

OWF: get y = f(x), hard to find any x’ ∈ f^-1(y).

L-LR OWF: also get L bits of leakage about x.

SPRF: get x, hard to find any x’ ≠ x s.t. f(x’) = f(x). Non-triviality: input length n > output length k. Can build from any OWF for any n = poly(k) [Rom90].

[figure: Domain → Range; x and x’ both map to y = f(x)]

Page 10:

OWF ⇒ SPRF ⇒ LR-OWF

OWF: get y = f(x), hard to find any x’ ∈ f^-1(y).

L-LR OWF: also get L bits of leakage about x.

SPRF: get x, hard to find any x’ ≠ x s.t. f(x’) = f(x). Non-triviality: input length n > output length k. Can build from any OWF for any n = poly(k) [Rom90].

Theorem [ADW09,KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR OWF for L ≈ n - k.

Page 11:

Proof: Any SPRF is LR-OWF

Theorem [ADW09,KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR-OWF for L ≈ n – k.

[figure: x maps to y = f(x)]

Assume: Can break L-LR-OWF. There is an efficient A s.t. A( f(x), Leak(x) ) = x’ s.t. f(x’) = f(x).

Conclude: Can break SPR. Let B(x) = A( f(x), Leak(x) ).

B succeeds if (1) A succeeds, (2) A does not return x’ = x.

A has too little info about x: |f(x)| + |Leak(x)| = k + L, so Pr[A guesses x] < 2^(k+L-n).
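The counting step of this proof, as an added worked example in Python that is not from the talk: a random compressing function stands in for the SPRF, n, k and L are constructed toy parameters, and the leakage function is assumed to reveal the low L bits of x. Each distinct (f(x), Leak(x)) pair is one bin; any A that answers with a consistent x’ matches the true x on exactly one element per bin, so Pr[A returns x] = (#bins)/2^n ≤ 2^(k+L-n), and B finds a second preimage with the remaining probability.

```python
import random

# Constructed toy parameters: n-bit inputs, k-bit outputs, L bits of leakage.
N, K, L = 12, 4, 4

def make_compressing_function(n, k, seed=0):
    """A random function {0,1}^n -> {0,1}^k as a lookup table. It stands in for
    the SPRF: the counting argument only uses that f compresses (n > k)."""
    rng = random.Random(seed)
    return [rng.getrandbits(k) for _ in range(1 << n)]

def leak(x, bits):
    """Leakage function (an assumption): reveal the low `bits` bits of x.
    Any function with `bits` output bits gives the same bound."""
    return x & ((1 << bits) - 1)

def guess_probability(f, n, bits):
    """Exact Pr[A(f(x), Leak(x)) = x] over uniform x, for ANY adversary A that
    always returns some x' consistent with what it saw (an unbounded A can).
    Each distinct (f(x), Leak(x)) pair is a bin; A's answer on that bin equals
    the true x for exactly one of its elements, so Pr = (#bins) / 2^n."""
    bins = {(f[x], leak(x, bits)) for x in range(1 << n)}
    return len(bins) / (1 << n)

def leakage_bound(n, k, bits):
    """The slide's bound: at most 2^(k+L) bins, so Pr[A guesses x] <= 2^(k+L-n)."""
    return 2.0 ** (k + bits - n)

def spr_break_probability(f, n, bits):
    """B(x) = A(f(x), Leak(x)) breaks second-preimage resistance exactly when A
    returns a consistent x' != x, i.e. with probability 1 - Pr[A guesses x]."""
    return 1.0 - guess_probability(f, n, bits)

if __name__ == "__main__":
    f = make_compressing_function(N, K)
    p = guess_probability(f, N, L)
    print(f"Pr[A returns x itself] = {p:.4f}, bound 2^(k+L-n) = {leakage_bound(N, K, L):.4f}")
    print(f"B finds a second preimage with probability {spr_break_probability(f, N, L):.4f}")
```

With L = n the leakage reveals x entirely and the guess probability reaches 1, which is why the theorem needs L ≈ n - k rather than anything larger.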

Page 12:

Proof: Any SPRF is LR-OWF

Theorem [ADW09,KV09]: Any SPRF f : {0,1}^n → {0,1}^k is an L-LR-OWF for L ≈ n – k.

Corollary: If OWF exist then L-LR-OWF exist with L = (1-o(1))n.

Open Question: Can we get LR-OWF that are Permutations?

Page 13:

Leakage Resilient Cryptography

Password Login and One-Way Functions.

Identification Schemes and Signatures.

Public-Key Encryption.

Page 14:

Identification Schemes

[figure: Prover Bob holds (pkBob, skBob); Verifier Alice holds pkBob; Alice accepts Bob’s proof.]

Learning Stage: Adv, holding pkBob, interacts with Bob (the prover).

Impersonation Stage: Adv tries to convince Alice; Alice rejects!

Page 15:

Leakage-Resilient Identification [ADW09]

[figure: Learning Stage and Impersonation Stage as before, with Adv additionally receiving leakage on skBob during the Learning Stage; Alice rejects in the Impersonation Stage.]

Bob’s key can leak!!! (during learning stage, not afterward)

Page 16:

Tool: Zero-Knowledge Proof of Knowledge

[figure: NP relation R; Prover holds witness x, Verifier holds instance y; Verifier outputs Accept/Reject]

– Witness Indistinguishable (WI): Even if V dishonest, cannot tell which x is being used by the prover.

– Proof of Knowledge (PoK): Even if P dishonest, can extract some valid witness x’ for y from P.

Page 17:

ID Schemes from ZK-PoK

Assume: f : {0,1}^n → {0,1}^k is SPR and the ID protocol is a ZK-PoK for y = f(x).

Thm [ADW09]: the ID protocol is a secure L-LR ID scheme for L ≈ n-k.

Pf: Assume Adv breaks ID security.

Page 18:

ID Schemes from ZK-PoK

Assume: f : {0,1}^n → {0,1}^k is SPR and the ID protocol is a ZK-PoK for y = f(x).

Thm [ADW09]: the ID protocol is a secure L-LR ID scheme for L ≈ n-k.

[figure: Learning Stage: Bob holds (y, x), Adv and Alice hold y; Adv interacts with Bob. Impersonation Stage: Adv proves knowledge of x to Alice.]

Pf: Assume Adv breaks ID security.

Page 19:

ID Schemes from ZK-PoK

Assume: f : {0,1}^n → {0,1}^k is SPR and the ID protocol is a ZK-PoK for y = f(x).

Thm [ADW09]: the ID protocol is a secure L-LR ID scheme for L ≈ n-k.

Pf: Assume Adv breaks ID security.

Adv sees: y = f(x) (k bits), Leakage (L bits), interaction with P(x) (0 bits, by Witness Ind.): only k + L < n bits of info on x.

[figure: Learning Stage and Impersonation Stage, Adv holding y]

Page 20:

ID Schemes from ZK-PoK

Assume: f : {0,1}^n → {0,1}^k is SPR and the ID protocol is a ZK-PoK for y = f(x).

Thm [ADW09]: the ID protocol is a secure L-LR ID scheme for L ≈ n-k.

Pf: Assume Adv breaks ID security.

Adv sees: y = f(x) (k bits), Leakage (L bits), interaction with P(x) (0 bits, by Witness Ind.): only k + L < n bits of info on x.

In the Impersonation Stage, use the Proof-of-Knowledge extractor on Adv to extract x’ ∈ f^-1(y); x’ ≠ x.

Page 21:

ID Schemes from ZK-PoK

Assume: f : {0,1}^n → {0,1}^k is SPR and the ID protocol is a ZK-PoK for y = f(x).

Thm [ADW09]: the ID protocol is a secure L-LR ID scheme for L ≈ n-k.

Pf: Assume Adv breaks ID security. To break SPR: Simulate “Learning Stage” to Adv with x. Extract x’ ≠ x.

Page 22:

LR Signatures [ADW09,KV09,DHLW09,BSW10]

Similar to ID schemes with two big differences: Cannot have interaction. Need to bind each execution to a message.

Solution: use Non-Interactive ZK-PoK for x. Various techniques to bind proofs to messages (tricky):

Rand Oracles [ADW09]

“Simulation-Sound” Proofs [KV09]

CCA Encryption [DHLW10]

Page 23:

Leakage Resilient Cryptography

Password Login and One-Way Functions.

Identification Schemes and Signatures.

Public-Key Encryption.

Page 24:

LR Public-Key Encryption [AGV09, NS09]

Leakage on the decryption key prior to seeing the ciphertext.

Page 25:

Hash Proof Enc Scheme [AGV09, NS09]

Enc scheme with sk = x, pk = f(x) for some SPRF f.

[figure: Secret Key space mapped by f onto the Public Key Space; PK is one point of the Public Key Space]

Page 26:

Hash Proof Enc Scheme [AGV09, NS09]

Enc scheme with sk = x, pk = f(x) for some SPRF f.

[figure: ENC(PK, M) → C; DEC(SK, C) → M]

Page 27:

Hash Proof Enc Scheme [AGV09, NS09]

Enc scheme with sk = x, pk = f(x) for some SPRF f.

[figure: ENC(PK, M) → C; DEC of C shown with the secret keys in f^-1(PK)]

Page 28:

Hash Proof Enc Scheme [AGV09, NS09]

Enc scheme with sk = x, pk = f(x) for some SPRF f.

Correctness: All x ∈ f^-1(pk) decrypt C to the correct M.

[figure: ENC(PK, M) → C; DEC with each x ∈ f^-1(PK) outputs the same M]

Page 29:

Hash Proof Enc Scheme [AGV09, NS09]

Enc scheme with sk = x, pk = f(x) for some SPRF f.

Correctness: All x ∈ f^-1(pk) decrypt C to the correct M.

Fake Encryption: C = Fake(pk). Decryption depends on x. Can’t distinguish a real C from a fake C (even given x).

[figure: RealENC(PK, M) → C, which every x ∈ f^-1(PK) decrypts to M; FakeENC(PK) → C, which different x ∈ f^-1(PK) decrypt to different M1, M2, M3; real C ≈ fake C]

Page 30:

Proof: Hash Proof Enc is LR [AGV09, NS09]

[figure: “Real World”: RealENC(PK, M) → C, DEC(SK, C) → M. “Fake World”: FakeENC(PK) → C, and DEC gives M1, M2 or M3 depending on which SK ∈ f^-1(PK) is used. Adv is given PK = y and L(SK) and must decide which M the ciphertext holds.]
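The real/fake ciphertext picture of pages 29 and 30, as an added example in Python rather than code from the talk: a small Diffie-Hellman style hash proof scheme in the order-q subgroup of Z_p^*, with sk = (x1, x2) and pk = f(x) = g1^x1 · g2^x2. The modulus, generators and the discrete log alpha are constructed toy values; alpha is used only to build a second secret key with the same pk, which a party that cannot compute discrete logs could not do, so the two keys play the roles of two elements of f^-1(pk).

```python
import random

# Constructed toy group: p = 2q+1 with q prime, so squares mod p form a subgroup of prime order q.
P, Q = 2039, 1019
G1 = 4                       # 2^2 mod p: a generator of the order-q subgroup
ALPHA = 777                  # constructed trapdoor: g2 = g1^alpha (a real party would not know it)
G2 = pow(G1, ALPHA, P)

def pk_of(sk):
    """pk = f(x) = g1^x1 * g2^x2: f compresses two exponents mod q to one group element."""
    return pow(G1, sk[0], P) * pow(G2, sk[1], P) % P

def keygen(rng):
    sk = (rng.randrange(Q), rng.randrange(Q))
    return sk, pk_of(sk)

def enc(pk, m, rng):
    """Real encryption: (g1^r, g2^r, pk^r * m) with the same r in both components."""
    r = rng.randrange(1, Q)
    return pow(G1, r, P), pow(G2, r, P), pow(pk, r, P) * m % P

def fake_enc(rng):
    """Fake(pk): (g1^r1, g2^r2, random) with r1 != r2. Indistinguishable from a real
    ciphertext under DDH, but its decryption depends on which x in f^-1(pk) is used."""
    r1, r2 = rng.sample(range(1, Q), 2)
    return pow(G1, r1, P), pow(G2, r2, P), rng.randrange(1, P)

def dec(sk, c):
    """Hash-proof decryption: m = c3 / (c1^x1 * c2^x2). For a real ciphertext the
    divisor equals pk^r for every preimage x of pk, so all of them agree on m."""
    c1, c2, c3 = c
    return c3 * pow(pow(c1, sk[0], P) * pow(c2, sk[1], P), -1, P) % P

def sibling_key(sk, t):
    """Another preimage of the same pk: x' = (x1 + alpha*t, x2 - t) mod q (needs alpha)."""
    return ((sk[0] + ALPHA * t) % Q, (sk[1] - t) % Q)

def demo(seed=1):
    """Returns (real ciphertext decrypts the same under both keys,
                fake ciphertext decrypts the same under both keys)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    sk2 = sibling_key(sk, 5)                 # a different x with f(x) = pk
    m = 1234
    c, cf = enc(pk, m, rng), fake_enc(rng)
    return dec(sk, c) == m == dec(sk2, c), dec(sk, cf) == dec(sk2, cf)

if __name__ == "__main__":
    print(demo())                            # (True, False)
```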

Page 31:

Back to Bigger Picture…

Page 32:

Criticism/Extensions

Q: What if leakage depends on complexity? Bad: more resilience ⇒ more complexity ⇒ more leakage. Fix: Bounded Retrieval Model [Dzi06,…,ADW09, ADNSWW10] [Complexity does not grow with resilience!]

Q: Why is leakage bounded overall? Should “leak-per-use”! Continuous Leakage with “Key Updates” [DHLW10, BKKV10]

Q: Why measure leakage in output “bits”? Noisy Leakage: use “entropy loss” [NS09, DHLW10]. Auxiliary Input: use “hardness of inverting” [DKL09,DGK+10]

Page 33:

Conclusions

Riv97, Boy99, CDH+00, DSS01, KZ03, ISW03, MR04, DP08, GKR08, Pie09, AGV09, ADW09, DKL09, ADN+10, DGK+10, GKPV10, FKPR10, DHLW10a, FRRTV10, JRV10, GR10, DHLW10b, BKKV10, WL10, BSW10,…

Many more models/results (esp. in last 2 years)...

Many open questions, much still left to do!