White-Box Security Notions for Symmetric Encryption Schemes (PowerPoint PPT presentation)

  1. White-Box Security Notions for Symmetric Encryption Schemes
  Cécile Delerablée (1), Tancrède Lepoint (1, 2), Pascal Paillier (1), Matthieu Rivain (1)
  (1) CryptoExperts, (2) École Normale Supérieure
  SAC 2013

  2. Outline
  1. What is white-box crypto?
  2. A framework of security notions
  3. Achieving incompressibility
  4. Traceable white-box programs
  5. Conclusion

  3. What is NOT white-box crypto?
  General obfuscation
  - from any program P, generate an obfuscated program O(P)
  - hide any program property π in the code of O(P)
  - meaning: the code of O(P) ≡ a black-box oracle that runs P
  How realistic is obfuscation?
  - very strong requirements on the compiler O
  - known impossibility results [BGI+01]

  4. What is white-box crypto?
  ≠ general program obfuscation!
  White-box cryptography [CEJO+02]
  - considers programs in a restricted class programs(f) where f = some keyed function
  - hides some program properties π in the code (but not all)
  - code ≡ a black-box oracle only in some adversarial contexts
  - already provably secure constructions for some f (f = re-encryption [HRSV07, CCV12])
  - no impossibility results so far for f = blockcipher
  - but no secure construction for e.g. f = AES_k(·), k ←$

  5. Our approach
  What do we really want from white-box crypto?
  1. given k ←$, generate (possibly randomly) P = [AES_k(·)]
  2. it must be hard to recover k by playing around with P (OLD)
  3. it also must be hard to decrypt under k (OLD)
  4. we may want P to be big and incompressible (NEW)
  5. we may want to distribute traceable versions P_1, ..., P_n (NEW)
  This work
  - we capture 1-5 into concrete security games (OLD+NEW)
  - we build a toy blockcipher that provably satisfies 1-4 (NEW)
  - we build a construction that provably achieves 5 (NEW)

  6. Outline (section 2: A framework of security notions)

  7. White-box compilers
  Let E = (K, E, D) be a symmetric encryption scheme.
  Definition: A white-box compiler C_E takes as input a key k ∈ K and some index r ∈ R and outputs a program P = C_E(k, r) = [E_k^r].
  Huge behavioral differences between:
  - function E(·,·) (specification): analytic or algorithmic description
  - oracle E(k,·) (smart card): remote access, input/output only, might be stateful
  - program [E_k^r] (executable software): word in a language, stateless since rebootable, copiable, transferable, observable, modifiable, system calls simulatable

  8. Attack models
  Security notion = adversarial goal + attack model
  What are the attack models against white-box programs?
  Given the description of C_E(·,·) and P = [E_k^r] for unknown k ∈ K:
  - chosen-plaintext attack (CPA): can encrypt any plaintext (unavoidable)
  - chosen-ciphertext attack (CCA): can make decryption queries to an oracle D(k,·)
  - recompilation attack (RCA): can make recompilation requests to get other programs C_E(k, r') for unknown r' ≠ r
  - combined attack (RCA + CCA): most powerful (?)
  RCA can be made stronger with known or chosen r' ∈ R.
  What about adversarial goals?

  9. Unbreakability (UBK)
  Challenger: k ←$ K(), r ←$ R; [E_k^r] = C_E(k, r) is given to A.
  - UBK-CCA: A may additionally query the decryption oracle D(k,·) (c' ↦ m')
  - UBK-RCA: A may additionally request recompilations [E_k^{r'}] ← C_E(k, R)
  A outputs k̂ and wins if k̂ = k.
  There is no "semantic security" on k since verifying that k̂ = k is easy. So some information on k always leaks.

  10. One-wayness (OW)
  Challenger: k ←$ K(), r ←$ R, m ←$ M; [E_k^r] = C_E(k, r) and c = E(k, m) are given to A.
  - OW-CCA: A may additionally query the decryption oracle D(k,·) (c' ↦ m')
  - OW-RCA: A may additionally request recompilations [E_k^{r'}] ← C_E(k, R)
  A outputs m̂ and wins if m̂ = m.
  Again, no semantic security on m since verifying that m̂ = m is easy. Expected since E is a deterministic encryption scheme.

  11. Incompressibility (INC)
  Given a large program, build an equivalent yet much smaller one.
  Challenger: k ←$ K(), r ←$ R; [E_k^r] = C_E(k, r) is given to A.
  - INC-CCA: A may additionally query the decryption oracle D(k,·) (c' ↦ m')
  - INC-RCA: A may additionally request recompilations [E_k^{r'}] ← C_E(k, R)
  A outputs a program P and wins if Δ(P, E(k,·)) ≤ δ and size(P) < λ.

  12. Traceability (TRAC)
  C_E admits a tracing scheme if there exists an algorithm trace such that no adversary can win the "tracing game" TRAC:
  - generate a key k ←$ K and P_1 = [E_k^{r_1}], ..., P_n = [E_k^{r_n}]
  - A chooses some T ⊆ [1, n] and is provided with {P_i, i ∈ T}
  - A returns some rogue program Q ← A({P_i, i ∈ T})
  - trace a traitor t ← trace(Q, k, r_1, ..., r_n)
  - A wins if Q is functional enough and t ∉ T

  13. The big picture
  α ⇐ β: if β can be broken, α can be broken
  Adversarial goals:
      INC ⇐ UBK ⇒ TRAC
             ⇓
             OW
  Attack models:
      CCA ⇐ CPA
       ⇓     ⇓
      RCA+CCA ⇐ RCA
  The weakest security notion is UBK-CPA. We don't even know how to achieve it with E = AES...

  14. Outline (section 3: Achieving incompressibility)

  15. Achieving incompressibility
  A toy example...
  G: group of secret order w; e: exponent with large entropy
  Hard problems on G, given desc(G) and e:
  - UBK[G]: find the group order w (FACT)
  - ORD[G]: find the order of a group element (≡ FACT)
  - ROOT[G, e]: find the e-th root of a group element (RSA)
  - GAP[G, e]: find the group order w with the help of an e-th root extractor (FACT given RSA, i.e. GAP-RSA by definition)

  16. Achieving incompressibility
  Key generation: generate k = (desc(G), e, w)
  Encryption: E(k, m) = m^e
  Decryption: D(k, c) = c^{1/e mod w}
  C_E(k, r = "") just returns [m ↦ m^e]
  Then ORD[G] ⇐ INC-CPA assuming that the compressed program is algebraic.

  17. ORD[G] ⇐ INC-CPA
  (INC game as on slide 11: A receives [E_k^r] = C_E(k, r), with the oracle D(k,·) in INC-CCA and recompilations C_E(k, R) in INC-RCA, and must output P with Δ(P, E(k,·)) ≤ δ and size(P) < λ.)
  Here, [E_k^r] = [m ↦ m^e] and P is algebraic. Using extract, we can find an execution of P where P(m) = m^α for a known α. Then
  - either α ≠ e: then e − α ∝ ord(m) and we break ORD[G]
  - or α = e: then size(P) ≥ H(e) and P must be big
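The toy scheme of slides 15-17 instantiated end to end, as an added example that is not the authors' code and not part of the slides. It assumes G = Z_N^* for N = p·q with the secret order taken as w = lcm(p−1, q−1); the toy primes, the 4096-bit exponent size and every function name are choices of this example. It builds the white-box program [m ↦ m^e], shows the compressed algebraic program m ↦ m^α that an adversary who knows w can produce (same function, far fewer bits), and then carries the slide-17 argument one step further than the slide: since ORD[G] ≡ FACT on slide 15, the known multiple e − α of the group order is turned into the factorisation of N.

```python
"""Toy incompressible white-box scheme over G = Z_N^* (example code, hypothetical
parameters). k = (desc(G), e, w): N describes G, w = lcm(p-1, q-1) is the secret
order, e is a large-entropy exponent that the honest program must store in full."""
import math
import random
from typing import Callable, Dict, Optional, Tuple

# Constructed toy primes: both prime, far too small for real use.
P_TOY, Q_TOY = 65521, 65537


def keygen(p: int, q: int, e_bits: int = 4096, seed: Optional[int] = None) -> Dict[str, int]:
    """Key generation of slide 16: e is a full-size odd exponent coprime to w,
    deliberately NOT reduced modulo w (that reduction is exactly what the INC
    adversary would like to do)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    n = p * q
    w = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)          # lcm(p-1, q-1)
    while True:
        e = rng.getrandbits(e_bits) | (1 << (e_bits - 1)) | 1  # exactly e_bits bits, odd
        if math.gcd(e, w) == 1:
            return {"desc_G": n, "e": e, "w": w}


def encrypt(k: Dict[str, int], m: int) -> int:
    """E(k, m) = m^e in G."""
    return pow(m, k["e"], k["desc_G"])


def decrypt(k: Dict[str, int], c: int) -> int:
    """D(k, c) = c^(1/e mod w): needs the secret order w."""
    d = pow(k["e"], -1, k["w"])
    return pow(c, d, k["desc_G"])


def compile_whitebox(k: Dict[str, int]) -> Tuple[Callable[[int], int], int]:
    """C_E(k, r = ""): the program [m -> m^e], returned with the exponent it embeds
    (its bit length stands in for size(P))."""
    n, e = k["desc_G"], k["e"]
    return (lambda m: pow(m, e, n)), e


def compress_knowing_order(k: Dict[str, int]) -> Tuple[Callable[[int], int], int]:
    """What an INC adversary who knows w can do: replace e by alpha = e mod w.
    The result is an algebraic program m -> m^alpha, functionally equal to E(k, .)
    on all of Z_N, but only about |w| bits instead of |e| bits."""
    n, alpha = k["desc_G"], k["e"] % k["w"]
    return (lambda m: pow(m, alpha, n)), alpha


def functional_distance(P: Callable[[int], int], k: Dict[str, int],
                        samples: int = 200, seed: int = 1) -> float:
    """Estimate Delta(P, E(k, .)) of slide 11 as the fraction of random inputs on
    which P and E(k, .) disagree."""
    rng = random.Random(seed)
    n = k["desc_G"]
    disagreements = sum(P(m) != encrypt(k, m) for m in (rng.randrange(2, n) for _ in range(samples)))
    return disagreements / samples


def factor_from_order_multiple(n: int, M: int, rounds: int = 64, seed: int = 7) -> Tuple[int, int]:
    """Given M > 0 with a^M = 1 for every a in Z_N^* (a multiple of the group
    order), split N = p*q. Standard argument: write M = 2^s * t with t odd; the
    chain a^t, a^(2t), ... reaches 1, and any square root of 1 other than +-1
    along the way reveals a factor through a gcd."""
    rng = random.Random(seed)
    s, t = 0, M
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:                      # a itself shares a factor with N
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                     # x is a non-trivial square root of 1
                g = math.gcd(x - 1, n)
                return tuple(sorted((g, n // g)))
            if y == n - 1:
                break
            x = y
    raise RuntimeError("no factor found; M is probably not a multiple of the group order")


def break_ord_from_compressed(n: int, e: int, alpha: int) -> Tuple[int, int]:
    """The slide-17 reduction: alpha != e with m^alpha = m^e for all m means that
    e - alpha is a multiple of every element order, hence of w; here that multiple
    is pushed all the way to the factorisation of N (ORD[G] is FACT on slide 15)."""
    if alpha == e:
        raise ValueError("alpha == e: the program still carries the whole exponent")
    return factor_from_order_multiple(n, e - alpha)
```

Running keygen with the toy primes and a 4096-bit e gives an honest program whose exponent is 4096 bits, while the compressed program's exponent fits in 28 bits (the size of w) and has estimated distance 0 from E(k,·); feeding e and that α to break_ord_from_compressed recovers (65521, 65537). The two branches of slide 17 are visible in the two sizes: either the program keeps all of e, or it is smaller and its exponent betrays the order.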

  18.-24. Achieving incompressibility (one diagram, built up over seven slides; final state shown)
  Security profile of C_E (α ⇐ β as on slide 13: if β can be broken, α can be broken):

       ORD[G]  ≡  UBK[G]     ROOT[G, e]
         ⇑          ≡            ≡
      INC-CPA  ≡  UBK-CPA  ⇒  OW-CPA
         ⇓          ⇓            ⇓
      INC-CCA  ⇐  UBK-CCA  ⇒  OW-CCA
         ≡          ≡            ≡
      GAP[G, e]  GAP[G, e]    trivial

  (under standard assumptions)
