non-malleable codes and tamper-resilient security

NON-MALLEABLE CODESAND

TAMPER-RESILIENT SECURITY

( ICS 2010 )

Joint work with:Stefan Dziembowski, Krzysztof Pietrzak

Speaker: Daniel Wichs

Physical Attacks

Leakage: Adv observes physical output of the device.

Tampering: Adv modifies internal state and interacts with tampered device.

Example

Signature infrastructure using secure tokens (no PKI).

All tokens have the same secret signing key sk.

Each token has a unique userID. On input message m, token signs (userID,

m).

(userID, sk)

m Signsk(userID, m)

Example:

Can we attack scheme with simple physical attacks?

Attack 1 (RSA sig): Leaking a random 27% of bits of RSA key lets you factor! [HS09]

Attack 2 (RSA sig): Introduce single faulty bit during signing. Use resulting sig to factor the RSA modulus. [BDL97]

Attack 3 (any sig): Eve tampers userID = “Eve” to userID = “Eva” by flipping a few bits. Impersonates Eva.

Signsk(userID, m)

Lessons from Example

Tampering attacks can be just as devastating as leakage attacks.

Cannot only focus on tamper-resilience for cryptographic primitives.

Algorithmic Protection

Want: A general compiler that takes a circuit G with state s and creates a circuit G’ with state s’ such that: (G, s) acts the same as (G’, s’) Tampering with (G’, s’) via some well-

defined family F of attacks is useless.


Tampering of memory and computation

Tampering of memoryGLMMR04

IPSW06

Circuit

Memory

input outputCircui

t

Memory

input output

This talk


Q: Why study tampering of (only) memory? Simpler. Need to understand it first. Leads to a very natural coding-theory

question of independent interest. Might be reasonable in practice.

Code-based Solution

CircuitG’

c = Enc(s)

Decode s= Dec(c).Evaluate G(s).

G’=

CircuitG

s

Original Functionality (G, s)

Compiled Functionality (G’, c)

Talk Outline

Definition of non-malleable codes.

General (im)possibility results for nm-codes.

Efficient non-malleable codes. Bit-wise independent tampering. Results in the RO model.

Application to tamper-resilient security: Formal model of tamper-resilience. Application of non-malleable codes. Comparison to prior work.

Coding Schemes

Encoding can be randomized: c = Enc(s;r).

Correctness: Dec(Enc(s)) = s with probability 1.

Encs csource messagecodeword

randomizedencoding

Decdecoding

s

decoded message

The “Tampering Experiment”

Enc Decs csource message

c*

s*

decoded message

Tampering function f 2 F chosen adversarially.

Independent of randomness of encoding.

F={ },f1 f2

, f3

tamper

f

=f(c)

The “Tampering Experiment”

Goal: For “interesting” families F, design coding scheme (Enc, Dec) which provides “meaningful guarantees” about the outcome s*.

Enc Decs c c*

s*

tamper F

Error-Correction

Error-Correction: require that s* = s

Error-Correcting Codes for Hamming Distance: The family F = {f s.t. 8 x dist(x, f(x)) < d }

No randomness in Enc.

Limitations: Cannot be achieved for even small/simple families F. (e.g. even the single function f that maps all values to 0).

Enc Decs c c*

s*

tamper F

Error-Detection

Error-Detection: require that s* 2 {s, ?} (with overwhelming probability).

Problem: Might learn something about s if s* = ?.

Limitation: Cannot be achieved for some even small/simple families F. (e.g. family all “constant” functions fc(x) = c).

Enc Decs c c*

s*

tamper F

New notion: Non-Malleability

Non-Malleability: either s*= s or s* is “unrelated” to s. Analogous to non-malleability in cryptography [DDN91].

Harder to define formally (stay tuned). Examples of “malleability”:

The value s* is same as s, except with 3rd bit flipped. If s begins with 0, then s* = s. Otherwise s* = ?.

Hope: non-malleability achievable for many rich families F.

Enc Decs c c*

s*

tamper F

Defining Non-Malleability (Attempt 1)

Tampering via f 2 F does not reveal information. Can answer following without knowing s: Does your tampering change the codeword c? If so, what is new message s* = Dec(c*).

c Ã Enc(s0) c* Ã f(c)

If c* = c say “same”

else say Dec (c*)

¼

Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 8 s0, s1: c Ã Enc(s1)

c* Ã f(c) If c* = c say

“same”else say Dec (c*)

Problem: Unnecessarily strong! Not satisfied by error-correcting codes.

Defining Non-Malleability

s* Ã Df

if s* = “same” output s

else output s*.

s* Ã Dec ( f(Enc(s)) ) ¼

Definition: A code (Enc, Dec) is non-malleable w.r.t. a family F if 8 f 2 F 9 simulator Df such that 8 s:

Tampering via f 2 F does not reveal information. Can “simulate” the answer to following questions: Did the message s stay the same? If no, what is the new message s*?

Talk Outline





General Impossibility Non-Malleability

For every coding scheme (Enc, Dec) there exists a single function f, for which the scheme is malleable. f(c) = Enc(Dec(c) + 1). Bad f depends heavily on (Enc, Dec).

Corollaries: No coding scheme (Enc, Dec) (with n bit codewords),

is non-malleable w.r.t. Fall = { all f : {0,1}n ! {0,1}n }. No efficient coding scheme is non-malleable w.r.t. all

efficient functions.

General Possibility of Non-Malleability

For every “small enough” family F, there exists a nm-code w.r.t F.

“small enough” F: log(log(|F|)) < n.Note: log(log(|Fall|)) = n + log(n).

Theorem:

Proved using the probabilistic method. Not efficient…

Use “random code” with k-bit messages and n-bit codewords. Choose the function Dec : {0,1}n ! {0,1}k uniformly at

random. Define Enc(s) to sample uniform {c s.t. Dec(c) = s}.

For any fixed family F, a “random code” is non-malleable w.r.t. F with overwhelming probability if:

n > log(log (|F|)) + 3k

Notice: rate is 1/3, even for small F. Optimality?

Question: What can we do efficiently?

General Possibility of Non-Malleability

Talk Outline





Bit-wise independent tampering

Every bit of the codeword can be tampered arbitrarily, but independently of the value of other bits.

Tampering functions f = (f1,…,fn) and f(c) = f1(c1),…,fn(cn). fi : {0,1} ! {0,1} can be arbitrary.

Four options for each fi : “keep”, “flip”, “set to 0”, “set to 1”.

Bit-wise independent tampering contains: All constant functions: fc(x) = c (only “set to 0/1”). All “constant error” functions : f¢(x) = x + ¢ (only

“keep/flip”).

Tool 1: AMD Codes

Algebraic Manipulation Detection codes: [CDFPW08] A coding scheme (AE, AD) is AMD code if for any s, ¢ 0

Pr[AD( AE(s) + ¢) ?] = negligible.

Achieves error-detection for “keep”/“flip” . Does not protect against “set to 0”/“set to 1”.

Definition:

Tool 2: Secret Sharing

LECSS: Linear Error-Correcting Secret Sharing (SSE, SSD). Linearity: SSE(s1 + s2) = SSE(s1) + SSE(s2) t-Privacy: Any t bits of SSE(s) are mutually

random. d-Distance: Any c 0 s.t. weightH(c) < d,

SSD(c) = ?.

Definition:

Bit-wise independent tampering:Construction

Given:• AMD code (AE, AD).• LECSS (SSE, SSD) with d/n > ¼ and t = !(log(n)).

The code:Enc(s) = SSE( AE(s) ) , Dec(c) = AD( SSD(c) )

is non-malleable for bit-wise independent tampering.

Theorem:

Bit-wise independent tampering: Proof

4 cases based on q= # of fi that are “set to 0”/”set to 1”

s

AMDCode

LECSS

c c* = f(c)f

Set to 0Set to 1

keep

Set to 0

flip

flip

01

c3 +0

0

c5 + 1

c6 + 1

c1

c2

c3

c4

c5

c6


Case 1: n - t · q : Just samples Dec(c*). OK since c* is completely unrelated to s (t-

privacy).

s

AMDCode

LECSS

c c* = f(c)

Set to 0/1

Keep/flip Uniformly random!


Case 2: n/2 · q < n - t: Just outputs ?. Unlikely that DSS(c*) ?. (distance/privacy).

s

AMDCode

LECSS

c

Set to 0/1

Keep/flip

c* = f(c)

• t-wise independent.

• few valid codewords.


Case 3: t · q < n/2: Just outputs ?. Consider ¢ = c* - c. Same argument as previous

case (linearity).

s

AMDCode

LECSS

c

Set to 0/1

Keep/flip

¢ = c* - c

• t-wise independent.

• few valid codewords.


Case 4: q · t: Samples DSS(¢). If 0 output “same” else ?. ¢ is independent of AMD randomness. If ¢ 0 AMD code rejects.

s

AMDCode

LECSS

cs’

Set to 0/1

Keep/flip

• Uniformly random!

¢ = c* - c

Bit-wise independent tampering:Instantiation

Recall, instantiation needs: LECSS (SSE, SSD) with distance d/n > ¼ and t = !(log(n)). AMD code (AE, AD)

AMD codes with extremely high rate [CDFPW08]. LECSS schemes?

Ramp version of Shamir secret sharing does not get d/n > ¼.

Use random linear code. (d = distance, t = dual distance). Not explicit, but efficient: we never need to correct errors!

Parameters: Rate of final instantiation of (Enc, Dec) isk/n ¼ (1-H(.25)) ¼ .19

Optimality?

Non-malleable Codes in the Random Oracle Model

Can we instantiate a random code efficiently?

Use a cryptographic hash function modeled as a Random Oracle. Cheat: gives us an “efficient” way to compute a random function. Also give this power to the adversary, tampering functions f.

Each bit of f(c) depends on some subset (e.g. 90%) of the bits of c.

In the RO model, get efficient nm-codes for any “small family” F, which is “closed under oracle access”.

(Access to an oracle does not change the family)

Theorem:

Talk Outline





Tamper-Resilient Security

CircuitG’

c = Enc(s)

Decode s= Dec(c).Evaluate G(s).

G’=

CircuitG

s




CircuitG’

c = Enc(s)

CircuitG

s



Tamper: f 2 F

adv


CircuitG’

c*

CircuitG

s



Tamper: f 2 F

adv


CircuitG’

c*

CircuitG

s



Tamper: f 2 F

Input x Output y

adv

State is re-encoded (reactive)

Input x Output y

Simulator

¼


Theorem: If (Enc, Dec) is non-malleable w.r.t. F then our compiler is tamper-resilient w.r.t. F

Comparison to Prior Work

Same assumption: tampers memory, but not computation. Main solution: use signatures.

Sign the state. Verify signature on each invocation. If fail, stop working.

Does not satisfy our definition of tamper-resilient security. e.g. Set the first bit of state to 0. See if device stops working. Works for signature/encryption scheme (limitations).

Device cannot update its state (requires secret key). Allows all efficient tampering strategies!

Algorithmic Tamper-Proof Security [GLMMR04]

Comparison to Prior Work

Stronger model: adversary can tamper with the wire-values during a computation of a circuit.

Same strong definition of security using a simulator.

Limited to tampering functions which only modify some small subset of the wires (or set wires to 0).

Private Circuits (II) [IPSW06]

Conclusions

Define non-malleable codes.

Construct non-malleable codes for: All “small” families of tampering function (inefficient). Bit-wise independent tampering (efficient). Complex families closed under oracle access. (efficient in RO

model).

Connect non-malleable codes to tamper-resilient security.

Open Questions: More efficient constructions of non-malleable codes for other

families. Optimal rates? Results in the stronger model of [ISPW06].

non-malleable codes and tamper-resilient security

Documents