SLIDE 1

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience

Antonio Faonio¹, Daniele Venturi²

¹ Department of Computer Science, Aarhus University, Aarhus, Denmark
² Department of Information Engineering and Computer Science, University of Trento, Trento, Italy

December 8, 2016

SLIDE 2

(Provably Secure) Crypto before Physical Attacks

[Diagram: two parties, P1 and P2]

SLIDE 4

Crypto with Physical Attacks

[Diagram: two parties, P1 and P2]

Leak Attacks [Koc96], Tampering Attacks [BDL97]

SLIDE 6

(Minimal) Related Works

Memory Circuit [IPSW06] [GLMMR04]

Restricted Bounded

[DPW10,BK03] [DFMV13]

Definitions of Bounded-Tamper (and Leakage) Resilience, Identification Scheme and Signatures (ROM), CCA-Secure PKE.

SLIDE 8

Our Contributions

BTL Signature Scheme.

  • Example. The Imp. result of [GLMMR03] does not hold.

BLT CCA Public Key Encryption. Naor-Yung paradigm, what about Cramer-Shoup?

SLIDE 9

Section 2: BLT-CCA PKE

SLIDE 11

(t, ℓ)-BLT IND-CCA PKE:

[Diagram: repeated (c, m) exchanges; label "ppar"]

A leaks ℓ bits before the challenge; A instantiates t oracles before the challenge (for ℓ + t |sk| − ω(log k))

SLIDE 14

The Scheme of [QL13]: Building Blocks

ε-Hash Proof System

Complete: For c ∈ V, Pub_pk(c, w) = Λ_sk(c).

Sound: For c ∈ C \ V, any pk = µ(sk):

  • H∞(K := Λ_sk(c) | pk) − log ε

Set Membership Problem.

δ-extractor

  • H∞(X|Z) δ, we have (Z, S, Ext(X, S)) ≈ (Z, S, U)
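The completeness and soundness properties of the hash proof system above, checked on a toy DDH-style instance. This is an added example, not code from the talk, which instantiates its HPS from RSI; the parameters P, Q, G1, G2 and all function names are assumptions, chosen small enough that every secret key consistent with pk can be enumerated.

```python
# Toy DDH-style hash proof system. Constructed, insecure parameter sizes.
P = 227              # safe prime, P = 2*Q + 1
Q = 113              # prime order of the subgroup of squares mod P
G1 = 4               # a square != 1, hence a generator of that subgroup
G2 = pow(G1, 77, P)  # second generator (constructed discrete log 77)

def mu(sk):
    """Projection pk = mu(sk) = g1^x1 * g2^x2."""
    x1, x2 = sk
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def valid_instance(w):
    """c in V with witness w: both components use the same exponent."""
    return (pow(G1, w, P), pow(G2, w, P))

def invalid_instance(w1, w2):
    """c in C \\ V: the two exponents differ mod Q."""
    assert (w1 - w2) % Q != 0
    return (pow(G1, w1, P), pow(G2, w2, P))

def pub(pk, c, w):
    """Public evaluation Pub_pk(c, w) = pk^w; needs the witness w."""
    return pow(pk, w, P)

def private_eval(sk, c):
    """Private evaluation Lambda_sk(c) = c1^x1 * c2^x2."""
    x1, x2 = sk
    return pow(c[0], x1, P) * pow(c[1], x2, P) % P

def keys_consistent_with(pk):
    """Every sk in Z_Q^2 that projects to pk."""
    return [(a, b) for a in range(Q) for b in range(Q) if mu((a, b)) == pk]

def key_spread(pk, c):
    """Number of distinct K = Lambda_sk(c) over all sk consistent with pk."""
    return len({private_eval(sk, c) for sk in keys_consistent_with(pk)})

if __name__ == "__main__":
    sk = (5, 9)
    pk = mu(sk)
    good, bad = valid_instance(33), invalid_instance(33, 34)
    print("complete:", pub(pk, good, 33) == private_eval(sk, good))
    print("K values for c in V:    ", key_spread(pk, good))
    print("K values for c not in V:", key_spread(pk, bad))
```

For c ∈ V every consistent key yields the same K, so pk determines it; for c ∈ C \ V the Q consistent keys yield Q distinct values, which is the min-entropy that the soundness condition and the extractor rely on.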

SLIDE 19

The Scheme of [QL13]: Building Blocks, Pt.2

ℓ-(OT-)Lossy Filter LF_φ : T × X → Y

[Diagram: tags]

Lossiness: |{•}| 2^ℓ

Indistinguishable: [Diagram: tags] ∈ {0, 1}* × T_c

Evasiveness: It is hard to forge t*_c lossy even given one lossy tag.

SLIDE 23

The Scheme of [QL13]:

[Diagram: m, K, Ext, C, S]

H∞(K* | pk, C*, L) − log ε − |L|

H∞(K* | pk, C*, L, Π) − log ε − |L| − ℓ

SLIDE 24

Reduce Tampering to Leakage

[Diagram label: aux]

aux = L(sk). Interact unboundedly with Dec_{T(sk)}, while aux is small and bounded.

SLIDE 30

[Diagram label: aux]

Let s̃k = T(sk), leak µ(s̃k).

((C, S, Φ), t_c, Π)

  • C ∈ V: (C, µ(s̃k)) fully define K. Execute Decryption.
  • C ∉ V: Depend on H∞(Λ_s̃k(C) | View = v). If big then output ⊥; if small then leak s̃k and run Dec_s̃k.

Yeah, but what do big and small even mean? I would tell you, if I had time..

SLIDE 32

Mathemagical!!

β = s − log ε, s = log |SK|, α = log |PK|

We pay approx α + β bits of leakage for each tampering oracle.

t = s / (α + β)

We can instantiate the HPS using RSI.

SLIDE 34

Open Problems

Is the tampering rate O(1/k) inherent? A better Hash Proof System?

Thank You!