One-Time Computable Self-Erasing Functions
Stefan Dziembowski, Tomasz Kazana, Daniel Wichs
(accepted to TCC 2011)
Main contribution of this work
We introduce a new model for leakage/tamper resistance.
In our model the adversary is space-bounded.
We present some primitives that are secure in this model.
Applications: password-protected storage, proofs-of-erasure.
How to construct secure digital systems?
CRYPTO
MACHINE (PC, smartcard, etc.)
very secure
Security based on well-defined mathematical problems.
not secure!
The problem
hard to attack
easy to attack
CRYPTO
MACHINE (PC, smartcard, etc.)
Machines cannot be trusted!
1. Information leakage
2. Malicious modifications
MACHINE (PC, smartcard, etc.)
Relevant scenarios
PCs: malicious software
• viruses,
• trojan horses.
Specialized hardware: side-channel attacks
• power consumption,
• electromagnetic leaks,
• timing information.
MACHINES
. . .
A recent trend in cryptography
Construct protocols that are secure even if they are implemented on machines that are not fully trusted.
[ISW03, GLMMR04, MR04, IPW06, CLW06, Dzi06, DP07, DP08, AGV09, ADW09, Pie09, NS09, SMY09, KV09, FKPR10, DDV10, DPW10, DHLW10, BKKV10, BG10,…]
Main idea of this line of research
To achieve security one assumes that the power of the adversary during the "physical attack" is "limited in some way".
This assumption should be justified by some physical characteristics of the device.
Examples of assumptions (1/3)
• "Probing Attacks" [ISW03]: the adversary can learn the values on up to t wires of a boolean circuit.
• Bounded-Retrieval Model / "Memory Attacks" [AGV09]: the adversary learns h(S) for a length-shrinking function h applied to the secret S.
• [FRTV10, DDV10]: the leakage function h is additionally required to have low complexity.
• [MR04, DP08, …]: the state is split into parts S0, S1 and the adversary learns h(S0) and h(S1) for length-shrinking functions h.
Examples of assumptions (2/3)
[IPSW03]: the adversary can modify up to t wires of a boolean circuit.
Examples of assumptions (3/3)
One way to look at these efforts:
The trust assumptions on hardware can never be removed completely.
But we can try to reduce them.
General goal
Come up with attack models that:
• are realistic (i.e. they correspond to real-life adversaries),
• allow one to construct secure schemes.
(These two requirements pull in opposite directions: there is a tradeoff.)
Problem: current models are not strong enough.
Example: BRM --- the adversary is assumed to be passive.
Outline
1. Introduction and motivation
2. Our model
3. One-time computable functions
4. Proofs of erasure
5. Subsequent work and open problems
Our model
We work in the "virus model" (but our techniques may also be used to protect against side-channel attacks).
We assume that the adversary is active:
• a big adversary (outside the device),
• a small adversary (the "virus") that modifies the internal data,
• the two interact.
The model
[picture: the big adversary communicates (send/receive) with the small adversary, which sits on the device and can read/write its memory]
What are the restrictions on interaction?
big
send/receive
small (the "virus")
There is a limit t on the number of bits that the virus can send out.
(this is essentially the assumption used before in the BRM).
What are the restrictions on malicious modifications?
small (the "virus")
The virus can modify the contents of the memory arbitrarily.
The only restriction is that he is space-bounded.
memory
read / write
Outline
1. Introduction and motivation
2. Our model
3. One-time computable functions
4. Proofs of erasure
5. Subsequent work and open problems
Our contribution
In this model we construct a primitive:
one-time-computable pseudorandom functions
f : keys × messages → ciphertexts
key R, message M → ciphertext C = f(R,M)
Informally: “it should be possible to evaluate f(R,M) at most once”.
Normally |R| >> |M| (= |C|)
key R, message M → ciphertext C = f(R,M)
message M' → error
In our model the "ideal functionality" is: the adversary can only learn one value of f(R,M).
Some more details
memory layout: key R | A0: for the honest scheme | A1: extra space for the adversary
Main idea: design f such that:
• the computation of f(R,M) twice takes more space than |A0| + |A1| + |R|.
• but it can be done efficiently once in space |A0| + |R|.
• hence we can compute f(R,M) exactly once (during this computation we will overwrite R).
Observation
If |A1| ≥ |R| then the adversary can copy R into A1:
key R | A0: for the honest scheme | A1: extra space for the adversary
copy
Then, he can simply run the honest scheme on the “copy of R”.
He can obviously do it multiple times.
Moral
A1 has to be shorter than R.
A simplifying assumption
In our schemes A0 will be very short.
Therefore we can forget about A0 (include it into the space for the adversary).
So, the memory now looks like this:
key R | A: space for the adversary
An application of this primitive
Password-protected storage:
f – a one-time computable PRF
(Enc, Dec) – a standard symmetric encryption scheme
To encrypt a message M with a password π:
1. select R at random
2. calculate Z = f(R, π)
3. store (R, Enc(Z, M))
stored on the device: key R and C = Enc(Z, M)
To decrypt, compute Z = f(R, π) and then Dec(Z, C).
Note: this will overwrite R
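Below is a minimal Python sketch of this application. The names protect, recover, Enc and Dec are illustrative; f is stood in for by an ordinary hash, which of course does not enforce the one-time / self-erasing property (a real instantiation is the pyramid-graph construction described later), and the symmetric scheme is a toy stream cipher.

```python
import hashlib
import os

# Stand-in for the one-time computable PRF f(R, pi).  A real instantiation
# is the pyramid-graph construction described later; an ordinary hash (used
# here) does NOT enforce the one-time / self-erasing property.
def f(R: bytes, pi: bytes) -> bytes:
    return hashlib.sha256(R + pi).digest()

def Enc(Z: bytes, M: bytes) -> bytes:
    # toy symmetric encryption: XOR with a stream derived from Z
    stream = hashlib.shake_256(Z).digest(len(M))
    return bytes(m ^ s for m, s in zip(M, stream))

Dec = Enc  # the XOR-based toy scheme is its own inverse

def protect(M: bytes, pi: bytes, key_len: int = 1 << 20):
    R = os.urandom(key_len)   # 1. select R at random
    Z = f(R, pi)              # 2. calculate Z = f(R, pi)
    return R, Enc(Z, M)       # 3. store (R, Enc(Z, M))

def recover(R: bytes, C: bytes, pi: bytes) -> bytes:
    Z = f(R, pi)              # in the real scheme this evaluation overwrites R
    return Dec(Z, C)
```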
Problem
C has to be shorter than R.
(since the adversary can use part of the space where C is stored as his memory).
A solution: store C on a read-only memory.
Another problem
If an honest user makes a typo then he will not have another try.
We have a solution for this – stay tuned.
Yet another problem
Look again at this procedure:
1. select R at random
2. calculate Z = f(R, π)
3. store (R, Enc(Z, M))
Can it be done "locally" on this machine?
Looks problematic, since the calculation of Z will destroy R.
Solution:
1. select a short seed S at random and store it
2. set R := PRG(S)
3. calculate Z = f(R, π) (destroying R)
4. recalculate R := PRG(S)
5. erase S
6. store (R, Enc(Z, M))
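A sketch of this local setup, under the same caveats as before: setup_locally and PRG are illustrative names, the PRG is stood in for by SHAKE-256, and f by an ordinary hash.

```python
import hashlib
import os

def setup_locally(M: bytes, pi: bytes, key_len: int = 1 << 20):
    def PRG(seed: bytes) -> bytes:              # toy PRG via an extendable-output hash
        return hashlib.shake_256(seed).digest(key_len)

    S = os.urandom(32)                          # 1. select a short seed S and store it
    R = PRG(S)                                  # 2. set R := PRG(S)
    Z = hashlib.sha256(R + pi).digest()         # 3. Z := f(R, pi), destroying R
    R = PRG(S)                                  # 4. recalculate R := PRG(S)
    S = None                                    # 5. erase S
    stream = hashlib.shake_256(Z).digest(len(M))
    C = bytes(m ^ s for m, s in zip(M, stream)) # 6. store (R, Enc(Z, M))
    return R, C
```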
Can we prove anything in our model?
It seems that we do not have the right tools in complexity theory to prove anything in the plain model.
Our solution: use the random oracle model
oracle with a hash function H (accessible to both the big and the small adversary)
Using ROM in this context is delicate
Example:
H – a hash function, M – a long message.
In ROM, computing H(M) requires the adversary to store the entire M first.
In real life --- not necessarily: if H is constructed using Merkle-Damgård then H(M) can be computed "on the fly".
Our solution
Assume that the Random Oracle works only on inputs of small length:
H : {0,1}^{cw} → {0,1}^w
(for a small constant c)
m’
H(m||m’)
m
Typically c = 2; in this case H is just the compression function.
This will be our main building block.
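A tiny sketch of this building block, with SHA-256 standing in for the small-domain random oracle and the block length w chosen arbitrarily; both choices are assumptions made for illustration only.

```python
import hashlib

w = 32  # block length in bytes (illustrative choice)

def H(m: bytes, m_prime: bytes) -> bytes:
    # small-domain "random oracle" H: {0,1}^{2w} -> {0,1}^w,
    # stood in for by SHA-256 applied to the 2w-byte concatenation
    assert len(m) == w and len(m_prime) == w
    return hashlib.sha256(m + m_prime).digest()
```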
Our functions will always correspond to a graph
f corresponds to a DAG: each vertex computes H(m||m') of its children; the input vertices are at the bottom and the output vertex at the top.
Our PRF is based on a pyramid graph
the key: R = R1 R2 R3 R4 R5
the message: M
the hash function: H(m||m')
[picture: a pyramid graph whose bottom row consists of the key blocks R1 … R5 together with the message M; each higher vertex is the hash of the two vertices below it, and the single top vertex is the output (the ciphertext)]
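A sketch of how such a pyramid can be evaluated in place, overwriting the key row by row. The slide only shows M entering at the bottom of the pyramid; the way the message is absorbed into the key blocks below is an assumption made for illustration, and H is again stood in for by SHA-256.

```python
import hashlib

w = 32  # block length in bytes (illustrative)

def H(m: bytes, m_prime: bytes) -> bytes:
    return hashlib.sha256(m + m_prime).digest()

def pyramid_prf(R: list, M: bytes) -> bytes:
    """Evaluate the pyramid graph in place over the key blocks R.

    ASSUMPTION: M is first absorbed into every key block; the exact wiring
    in the paper may differ.  The space behaviour is the point: the buffer
    holding the key is overwritten row by row, so R is destroyed."""
    M_digest = hashlib.sha256(M).digest()
    for i in range(len(R)):
        R[i] = H(R[i], M_digest)          # absorb the message into the key row
    for level in range(len(R) - 1):       # fold the pyramid, row by row
        for i in range(len(R) - 1 - level):
            R[i] = H(R[i], R[i + 1])      # overwrite the key blocks in place
    return R[0]                           # the output (the ciphertext)

# usage with K = 5 key blocks, as in the picture:
#   import os; R = [os.urandom(w) for _ in range(5)]
#   C = pyramid_prf(R, b"some message")   # after this call, R no longer holds the key
```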
Our theorem (informally)
[picture: the memory holds the key R and A (space for the adversary); the virus can send out at most t bits while computing f on M]
If |A| + t < |R| - ε then the adversary can never learn both
f(R,M) and f(R,M') for M ≠ M'.
So, how do we prove security?
We use a technique called graph pebbling.
there is a vast literature on this. See e.g.:
John E. Savage. Models of Computation: Exploring the Power of Computing. 1997.
We use techniques introduced in:
Dwork, Naor and Wee Pebbling and Proofs of Work, CRYPTO 2005.
Graph pebbling
a DAG:
“input vertices”
“output vertices”
Intuition: there is a pebble on a vertex v if the corresponding block is in the memory.
In the initial configuration there is a pebble on every input vertex.
The rules of moving the pebbles
1. there are up to B pebbles
2. if all the children of v carry a pebble, we can put a pebble on v
3. a pebble can be removed from any vertex
Goal: pebble every output vertex.
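A minimal Python sketch of these rules; the DAG encoding and the function names are illustrative. Input vertices (the key blocks already in memory) carry pebbles only in the initial configuration and are assumed not to be re-pebblable once their pebble is removed.

```python
# dag: dict mapping each non-input vertex to the list of its children
# (the vertices it is computed from); pebbled: set of currently pebbled vertices

def legal_placement(v, dag, pebbled, B):
    """Rules 1-2: v may receive a pebble if it is a non-input vertex whose
    children all carry pebbles, and the budget of B pebbles is respected."""
    return v in dag and all(c in pebbled for c in dag[v]) and len(pebbled) < B

def remove_pebble(v, pebbled):
    """Rule 3: a pebble may be removed from any vertex."""
    pebbled.discard(v)
```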
Fact [Dwork-Naor-Wee 2005]
w – the length of a memory block
if the graph corresponding to f cannot be pebbled with T pebbles
then f cannot be computed in memory of size ≈ w·T
But our model is more complicated…
read / write
send/receive
memory
The adversary can also send data to an external adversary that is not space-bounded.
Our solution: we introduce special red-pebbles.
The “old” pebbles will be called black.
New rules
1. If there is a black pebble on v then we can put a red pebble on it.
2. if all the children of v carry a (red or black) pebble, we can put a black pebble on v.
3. if all the children of v carry a red pebble then we can put a red pebble on it.
4. a black pebble can be removed from any vertex (there is no need to remove the red pebbles)
Goal: put a black or red pebble on every output vertex.
Definition: a pebble is a "heavy pebble" if it is a black pebble, or a red pebble generated by Rule 1.
The new restriction
We require that at any point of the game the number of the heavy pebbles is at most U (where U is some parameter).
Intuition: the only things that cost are:
• the black pebbles ≈ "memory"
• transforming a black pebble into a red one ≈ "communication"
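A rough sketch of the extended game with a running heavy-pebble count; the class name, the bookkeeping (current black pebbles plus all rule-1 red pebbles, which are never removed), and the treatment of input vertices are assumptions made for illustration.

```python
class RedBlackPebbling:
    def __init__(self, dag, inputs, U):
        self.dag = dag                # non-input vertex -> list of its children
        self.black = set(inputs)      # initially: a black pebble on every input
        self.red = set()              # red pebbles are never removed
        self.red_from_black = set()   # red pebbles created by Rule 1
        self.U = U
        self._check()

    def _check(self):
        # heavy pebbles = current black pebbles + red pebbles created by Rule 1
        assert len(self.black) + len(self.red_from_black) <= self.U

    def rule1_red_from_black(self, v):   # "the virus sends the block to the big adversary"
        assert v in self.black
        self.red.add(v); self.red_from_black.add(v); self._check()

    def rule2_place_black(self, v):      # "the virus computes the block in memory"
        assert v in self.dag and all(c in self.black or c in self.red for c in self.dag[v])
        self.black.add(v); self._check()

    def rule3_red_from_reds(self, v):    # "the big adversary computes the block for free"
        assert v in self.dag and all(c in self.red for c in self.dag[v])
        self.red.add(v)

    def rule4_remove_black(self, v):     # memory can be reused
        self.black.discard(v)
```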
Fact that we prove
w – length of the block
the graph corresponding to f cannot be pebbled with U heavy pebbles
implies
f cannot be computed if the sum of
• the memory size and
• the number of sent bits
is ≈ w·U
Now, recall what we want to prove
[picture: the memory holds the key R and A (for the adversary); the virus can send out at most t bits]
If |A| + t < |R| - ε then the adversary can never learn both
f(R,M) and f(R,M') for M ≠ M'
How does it translate into “pebbling”?
The pebbling problem
[picture: bottom row M, R1, R2, …, RK, M'; two overlapping pyramid graphs over it, one with output f(R,M), the other with output f(R,M')]
It is impossible to pebble both outputs with less than 2K-1 heavy pebbles.
A definition
We say that the output of the graph is input-dependent if after removing all the pebbles from the input it’s impossible to pebble the output:
Lemma 1
If the output is input-dependent then the number of heavy pebbles is at least K.
Proof by induction on K.
Base case K=2 is trivial:
Suppose the hypothesis holds for K-1. We show it for K:
suppose that in the current configuration:
1. the output is input-dependent
2. there are x heavy pebbles
transform the configuration by:
1. putting black pebbles on the second-row vertices that are reachable from the first row
2. removing the pebbles from the first row
let y denote the number of heavy pebbles in the new configuration
observations:
1. the "new" configuration is input-dependent
2. y ≤ x-1
From the induction hypothesis: y ≥ K-1
Hence x ≥ y + 1 ≥ K. QED
Lemma 2
In the first configuration that is input-independent there are at least K-1 heavy pebbles.
Proof
A configuration can become input-independent only because of moves of this type.
Therefore the new configuration has to "depend on the second row".
So, it needs to have at least K-1 heavy pebbles.
QED
Now, look again at the graph
[picture: bottom row M, R1, R2, …, RK, M'; two overlapping pyramid graphs, one with output f(R,M), the other with output f(R,M')]
Suppose the left graph becomes input-independent first.
At that moment there need to be at least K-1 heavy pebbles in the left graph,
and at least K heavy pebbles in the rest of the graph.
So, there are at least 2K-1 heavy pebbles altogether. QED
In the "password-protected storage": can we allow more than one trial?
YES!
The construction gets a bit more complicated.
Main idea: the key gets destroyed “gradually”.
The maximal number of trials that we can tolerate is approximately equal to
u / (2(u - m))
where:
u – the bound on communication plus storage
m – the size of the secret key
Outline
1. Introduction and motivation
2. Our model
3. One-time computable functions
4. Proofs of erasure
5. Subsequent work and open problems
Proof of erasure
[Perito and Tsudik, ESORICS 2010]
[picture: a verifier connected over a secure link to a device with some memory]
Goal: the verifier wants to make sure that the device has erased its memory.
The scheme of Perito and Tsudik
verifier, device with memory M
1. the verifier sends a random string R of length |M|
2. the device proves the knowledge of R
Our idea
We construct a "hash function" H : {0,1}^a → {0,1}^a (where a is small) that
• can be computed in memory of length |M|,
• but cannot be computed in memory slightly smaller than |M|.
The improved protocol
verifier, device with memory M
1. the verifier sends a random string X of length a
2. the device computes Y := H(X) (this overwrites M) and sends Y back
3. the verifier checks if Y = H(X)
advantage: communication from the verifier to the device is much shorter.
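A minimal sketch of one round of this protocol. Here memory_filling_hash is only a stand-in for the required function H (a real instantiation, based on the pyramid graph, is sketched next); all names are illustrative.

```python
import hashlib
import os

def memory_filling_hash(X: bytes, mem_size: int) -> bytes:
    # stand-in only: a real H must be infeasible to evaluate in memory
    # noticeably smaller than mem_size, and its evaluation overwrites that memory
    return hashlib.shake_256(X + mem_size.to_bytes(8, "big")).digest(32)

def verifier_round(device, mem_size: int, a: int = 32) -> bool:
    X = os.urandom(a)                               # short random challenge
    Y = device(X)                                   # device answers Y := H(X), overwriting M
    return Y == memory_filling_hash(X, mem_size)    # accept iff the answer is correct

# usage with an honest device:
MEM_SIZE = 1 << 20
honest_device = lambda X: memory_filling_hash(X, MEM_SIZE)
assert verifier_round(honest_device, MEM_SIZE)
```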
How to construct such an H?
We use the pyramid graph again!
X – the input, Y = H(X) – the output
w – the length of the block
K := |M|/w – the number of blocks
Fact 1
This function can be computed in memory of length |M|.
Fact 2
Using the “pebbling techniques” we can show that:
it is impossible to compute H in memory significantly smaller than |M|.
Outline
1. Introduction and motivation
2. Our model
3. One-time computable functions
4. Proofs of erasure
5. Subsequent work and open problems
Subsequent work
Dziembowski, Kazana and Wichs: Key-Evolution Schemes Resilient to Space-Bounded Leakage (in submission)
We show key-evolution schemes secure in this model.
Research directions
1. Find new applications.
2. Proofs in the standard model (i.e. without random oracles)?
Thank you!