white box security notions for symmetric encryption
play

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede - PowerPoint PPT Presentation

Jan 09, 2024 •26 likes •406 views

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

  1. White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C´ ecile Delerabl´ Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , ´ erieure 2 Ecole Normale Sup´ SAC 2013

  2. Outline 1 � What is white-box crypto? 2 � A framework of security notions 3 � Achieving incompressibility 4 � Traceable white-box programs 5 � Conclusion White-Box Security Notions for Symmetric Encryption Schemes

  3. What is NOT white-box crypto? General obfuscation � from any program P , generate an obfuscated program O ( P ) � hide any program property π in the code of O ( P ) � meaning: the code of O ( P ) ≡ a black-box oracle that runs P How realistic is obfuscation? � very strong requirements on the compiler O � known impossibility results [BGI+01] White-Box Security Notions for Symmetric Encryption Schemes

  4. What is white-box crypto? � = general program obfuscation! White-box cryptography [CEJO+02] � considers programs in a restricted class programs ( f ) where f = some keyed function � hides some program properties π in the code (but not all) � code ≡ a black-box oracle only in some adversarial contexts � already provably secure constructions for some f ( f = re-encryption [HRSV07,CCV12]) � no impossibility results so far for f = blockcipher � but no secure construction for e.g. f = AES k ( · ), k ← $ White-Box Security Notions for Symmetric Encryption Schemes

  5. Our approach What do we really want from white-box crypto? 1 . given k ← $, generate (possibly randomly) P = [ AES k ( . )] 2 . it must be hard to recover k by playing around with P OLD 3 . it also must be hard to decrypt under k OLD 4 . we may want P to be big and incompressible NEW 5 . we may want to distribute traceable NEW versions P 1 , . . . , P n This work � we capture 1-5 into concrete security games OLD+NEW � we build a toy blockcipher that provably satisfies 1-4 NEW � we build a construction that provably achieves 5 NEW White-Box Security Notions for Symmetric Encryption Schemes

  6. Outline 1 � What is white-box crypto? 2 � A framework of security notions 3 � Achieving incompressibility 4 � Traceable white-box programs 5 � Conclusion White-Box Security Notions for Symmetric Encryption Schemes

  7. White-box compilers Let E = ( K , E , D ) be a symmetric encryption scheme. Definition A white-box compiler C E takes as input a key k ∈ K and some index r ∈ R and outputs a program P = C E ( k , r ) = [ E r k ]. Huge behavioral differences between program [ E r function E ( · , · ) oracle E ( k , · ) k ] analytic description or remote access, word in a language, algorithmic description input/output only, stateless since rebootable, might be stateful copiable, transferable, observable, modifiable, system calls simulatable (specification) (smart card) (executable software) White-Box Security Notions for Symmetric Encryption Schemes

  8. Attack models Security notion = adversarial goal + attack model What are the attack models against white-box programs? Given the description of C E ( · , · ) and P = [ E r k ] for unknown k ∈ K chosen-plaintext attack – CPA can encrypt any plaintext unavoidable chosen-ciphertext attack – CCA can make decryption queries to an oracle D ( k , · ) recompilation attack – RCA can make recompilation requests to get other programs C E ( k , r ′ ) for unknown r ′ � = r combined attack – RCA + CCA most powerful (?) RCA can be made stronger with known or chosen r ′ ∈ R. What about adversarial goals? White-Box Security Notions for Symmetric Encryption Schemes

  9. Unbreakability – UBK $ D ( k, · ) k ← K () , r ← R m ′ [ E r k ] UBK - CCA [ E r k ] = C E ( k, r ) c ′ A ˆ k ˆ ? k = k UBK - RCA [ E r ′ C E ( k, R ) k ] Challenger There is no ”semantic security” on k since verifying that ˆ k = k is easy. So some information on k always leaks. White-Box Security Notions for Symmetric Encryption Schemes

  10. One-wayness – OW $ k ← K () , r ← R [ E r k ] = C E ( k, r ) D ( k, · ) $ m ′ m ← M [ E r k ] , c OW - CCA c = E ( k, m ) c ′ A m ˆ ? m ˆ = m OW - RCA [ E r ′ C E ( k, R ) k ] Challenger Again, no semantic security on m since verifying that ˆ m = m is easy. Expected since E is a deterministic encryption scheme. White-Box Security Notions for Symmetric Encryption Schemes

  11. Incompressibility – INC Given a large program, build an equivalent yet much smaller one $ k ← K () , r ← R m ′ D ( k, · ) [ E r k ] INC - CCA [ E r k ] = C E ( k, r ) c ′ A P ? ? ∆( P, E ( k, · )) � δ and size ( P ) < λ INC - RCA [ E r ′ C E ( k, R ) k ] Challenger White-Box Security Notions for Symmetric Encryption Schemes

  12. Traceability – TRAC C E admits a tracing scheme if there exists an algorithm trace such that no adversary can win the ”tracing game” TRAC: ← K and P 1 = [ E r 1 $ k ] , . . . , P n = [ E r n � generate a key k k ] � A chooses some T ⊆ [1 , n ] and is provided with { P i , i ∈ T } � A returns some rogue program Q ← A ( { P i , i ∈ T } ) � trace a traitor t ← trace ( Q , k , r 1 , . . . , r n ) � A wins if Q is functional enough and t �∈ T White-Box Security Notions for Symmetric Encryption Schemes

  13. The big picture α ⇐ β : if β can be broken, α can be broken INC ⇐ UBK ⇒ TRAC ⇓ OW CCA ⇐ CPA ⇓ ⇓ RCA + CCA ⇐ RCA The weakest security notion is UBK-CPA. We don’t even know how to achieve it with E = AES . . . White-Box Security Notions for Symmetric Encryption Schemes

  14. Outline 1 � What is white-box crypto? 2 � A framework of security notions 3 � Achieving incompressibility 4 � Traceable white-box programs 5 � Conclusion White-Box Security Notions for Symmetric Encryption Schemes

  15. Achieving incompressibility A toy example. . . G group of secret order w and e = exponent with large entropy Hard problems on G Given desc ( G ) and e UBK[ G ] find the group order w (FACT) ORD[ G ] find the order of a group element ( ≡ FACT) ROOT[ G , e ] find the e -th root of a group element (RSA) GAP[ G , e ] find the group order w with the help of an e -th root extractor (FACT RSA def = GAP-RSA) White-Box Security Notions for Symmetric Encryption Schemes

  16. Achieving incompressibility Key generation: generate k = ( desc ( G ) , e , w ) Encryption: E ( k , m ) = m e Decryption: D ( k , c ) = c 1 / e mod w C E ( k , r = ””) just returns [ m �→ m e ] Then ORD[ G ] ⇐ INC-CPA assuming that the compressed program is algebraic. White-Box Security Notions for Symmetric Encryption Schemes

  17. ORD[ G ] ⇐ INC-CPA $ k ← K () , r ← R m ′ D ( k, · ) [ E r k ] INC - CCA [ E r k ] = C E ( k, r ) c ′ A P ? ? ∆( P, E ( k, · )) � δ and size ( P ) < λ INC - RCA [ E r ′ k ] C E ( k, R ) Challenger Here, [ E r k ] = [ m �→ m e ] and P is algebraic. Using extract , we can find an execution of P where P ( m ) = m α for a known α . Then � either α � = e then e − α ∝ ord ( m ) and we break ORD[ G ] � or α = e then size ( P ) � H ( e ) and P must be big White-Box Security Notions for Symmetric Encryption Schemes

  18. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ⇐ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  19. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ⇐ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  20. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ⇐ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  21. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] ≡ UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ⇐ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  22. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] ≡ UBK[ G ] ROOT[ G , e ] ≡ ≡ ≡ INC-CPA ≡ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  23. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ≡ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

  24. Achieving incompressibility Security profile of C E : ⇐ ORD[ G ] UBK[ G ] ROOT[ G , e ] ⇑ ≡ ≡ INC-CPA ≡ UBK-CPA ⇒ OW-CPA ⇓ ⇓ ⇓ INC-CCA ⇐ UBK-CCA ⇒ OW-CCA ≡ ≡ ≡ GAP[ G , e ] GAP[ G , e ] trivial (under standard assumptions) White-Box Security Notions for Symmetric Encryption Schemes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

ISC conference, September 2009, Pisa, Italy Outline Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography The Theory of Obfuscation Brecht Wyseur (im)possibility results ISC 2009, September 2009

280 views • 3 slides
Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap First, Symmetric Key Encryption Defining the problem Well do it elaborately, so that it will be easy to see different levels of security 2

1.67k views • 136 slides
Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

CSC 4103 - Operating Systems Symmetric Encryption Spring 2007 Same key used to encrypt and decrypt E ( k ) can be derived from D ( k ), and vice versa Lecture - XXI DES is most commonly used symmetric block-encryption algorithm

496 views • 4 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) Story So Far We defined (passive) security of Symmetric Key Encryption (SKE)

1.13k views • 67 slides
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct decryption requirement More

1.19k views • 53 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

1.07k views • 89 slides
Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Network and Communications Security (IN3210/IN4210) Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key exchange Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... ....

831 views • 63 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
Strong Jump-Traceability The Computably Enumerable Case Peter Cholak University of Notre Dame

Strong Jump-Traceability The Computably Enumerable Case Peter Cholak University of Notre Dame

Will he finish in time? No way! Yes! Strong Jump-Traceability The Computably Enumerable Case Peter Cholak University of Notre Dame Department of Mathematics www.nd.edu/~cholak Supported by NSF Grant DMS 02-45167 (USA). Logic Colloquium 07

440 views • 9 slides
DISTRIBUTED TRACING WHO ARE WE? Frank Pfleger Lukasz Pielak @frankpfleger

DISTRIBUTED TRACING WHO ARE WE? Frank Pfleger Lukasz Pielak @frankpfleger

THE WAY TO DISTRIBUTED TRACING WHO ARE WE? Frank Pfleger Lukasz Pielak @frankpfleger @lukaszpielak frank@trasier.com lukasz@trasier.com WHAT IS THIS TALK ABOUT Understand the concepts The way to Distributed

754 views • 49 slides
Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in

Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in

Towards Better Privacy with Monero Malte Mser Based on An Empirical Analysis of Traceability in the Monero Blockchain, joint work with Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey,

891 views • 30 slides
Data Pallets For Traceable Data Jay Lofstead, Joshua Baker, Andrew Younge PDSW-DISCS WIP

Data Pallets For Traceable Data Jay Lofstead, Joshua Baker, Andrew Younge PDSW-DISCS WIP

Data Pallets For Traceable Data Jay Lofstead, Joshua Baker, Andrew Younge PDSW-DISCS WIP November 12, 2018 SAND2018-12555 C Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering

462 views • 7 slides
Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry

Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry

Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry Morin a b a University of Geneva, CUI - ISS, 1227 Carouge, Switzerland Tel: +41 787256027, E-mail: erbguth@unige.ch - Tel: +41 22 379 02 55, E-mail:

177 views • 3 slides
RecoveringTraceabilityLinks viaInforma7onRetrievalMethods

RecoveringTraceabilityLinks viaInforma7onRetrievalMethods

RecoveringTraceabilityLinks viaInforma7onRetrievalMethods ChallengesandOpportuni7es Dr.RoccoOliveto,Ph.D. DepartmentofMathemaFcsandInformaFcs, UniversityofSalerno

914 views • 53 slides
E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin

E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin

E-Passport: The Global Traceability or How to Feel Like an UPS Package Dario Carluccio, Kerstin Lemke-Rust, Christof Paar, and Ahmad-Reza Sadeghi Horst-Grtz Institute for IT Security July, 14th 2006 Workshop on RFID Security Electronic

209 views • 18 slides
Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Introduction Quartic Quintic Conclusion Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T. Zamfirescu Combinatorial Algorithms and Algorithmic Graph Theory Department of Applied Mathematics,

673 views • 40 slides

More recommend