Results 1-10 of 45
Efficient Non-Malleable Codes and Key-Derivation for Poly-Size Tampering Circuits
, 2013
Cited by 25 (8 self)
Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS ’10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c′ = f(c) such that c′ ≠ c, then the tampered message x′ contained in c′ reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this work we show “the next best thing”: for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming
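The guarantee above is usually stated as an experiment: encode the message, apply the tampering function f to the codeword, decode, and ask whether the result depends on the original message. The Python sketch below is an illustration added to this listing, not code from the paper: it runs that experiment for two toy codes (the identity code and a parity-check code) against a few tampering functions. The function names, the four-bit message space and the tampering functions are assumptions made for the example. Because every map here is deterministic, the experiment yields one value per message, and non-malleability against a given f collapses to a simple check: either every message decodes back to itself (the simulator's "same*" case, e.g. for the identity tampering function) or every message yields one fixed value (e.g. a decoding failure, or the decoding of an overwritten codeword).

```python
"""Toy version of the non-malleability experiment of Dziembowski, Pietrzak and Wichs.

Added illustration, not code from the paper.  Function names, the 4-bit message
space and the tampering functions are assumptions made for this example.
"""
from typing import Callable, Dict, Iterable, Tuple, Union

BOT = "bot"  # decoding failure: the decoder rejects the tampered codeword

Output = Union[int, str]
# A code is (encode, decode, codeword length in bits); both maps are deterministic here.
Code = Tuple[Callable[[int], int], Callable[[int], Output], int]


def identity_code(n: int) -> Code:
    """The trivial code: the codeword is the message itself."""
    return (lambda m: m, lambda c: c, n)


def parity_code(n: int) -> Code:
    """Message followed by its parity bit; every single-bit flip is detected."""
    def parity(x: int) -> int:
        return bin(x).count("1") & 1

    def encode(m: int) -> int:
        return (m << 1) | parity(m)

    def decode(c: int) -> Output:
        m, p = c >> 1, c & 1
        return m if parity(m) == p else BOT

    return (encode, decode, n + 1)


# Tampering functions f: codeword -> codeword.
def flips(bits: Iterable[int]) -> Callable[[int], int]:
    """Flip the given bit positions of the codeword."""
    mask = 0
    for b in bits:
        mask |= 1 << b
    return lambda c: c ^ mask


def overwrite(c0: int) -> Callable[[int], int]:
    """Replace the codeword entirely; error detection cannot help against this."""
    return lambda c: c0


def tamper(code: Code, f: Callable[[int], int], m: int) -> Output:
    """One run of Tamper_f(m): encode, apply f, decode."""
    encode, decode, _ = code
    return decode(f(encode(m)))


def tamper_outputs(code: Code, f: Callable[[int], int], n: int) -> Dict[int, Output]:
    """The experiment for every n-bit message."""
    return {m: tamper(code, f, m) for m in range(1 << n)}


def is_nonmalleable_against(code: Code, f: Callable[[int], int], n: int) -> bool:
    """Deterministic encode/decode/f make Tamper_f(m) a single value v_m.
    A simulator that never sees m can then only be: always same* (so v_m == m for
    every m) or one fixed value (v_m constant: bot, or the decoding of an
    overwritten codeword).  Anything else means the tampered message depends
    on the original one, i.e. the code is malleable under f."""
    outs = tamper_outputs(code, f, n)
    untouched = all(v == m for m, v in outs.items())
    constant = len(set(outs.values())) == 1
    return untouched or constant


if __name__ == "__main__":
    n = 4
    cases = (("flip bit 0", flips([0])), ("flip bits 0,1", flips([0, 1])),
             ("overwrite", overwrite(0b1010)))
    for name, code in (("identity", identity_code(n)), ("parity", parity_code(n))):
        for fname, f in cases:
            verdict = "non-malleable" if is_nonmalleable_against(code, f, n) else "MALLEABLE"
            print(f"{name:8} vs {fname:14}: {verdict}")
```

The parity code survives single-bit flips only because it detects them, and a two-bit flip that preserves parity already turns it into a related-message attack (the decoded value is the original with one bit flipped). A full overwrite is tolerated by either code, since a constant outcome is exactly what the definition permits. The point of the constructions in this listing is the regime this toy cannot reach: tampering families far too large to enumerate (all circuits of size s, or arbitrary independent tampering of two shares), where the argument has to go through a simulator rather than a per-function check like this one.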
Cryptography Secure Against Related-Key Attacks and Tampering
, 2011
Cited by 23 (3 self)
We show how to leverage the RKA (Related-Key Attack) security of block ciphers to provide RKA security for a suite of high-level primitives. This motivates a more general theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide both positive and negative answers. What emerges is a broad and high-level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist “more” RKAs than others. A technical challenge was to achieve RKA security even for the practical classes of related-key deriving (RKD) functions underlying fault injection attacks that fail to satisfy the “claw-freeness” assumption made in previous works. We surmount this barrier for the first time based on the construction of PRGs that are not only RKA secure but satisfy a new notion of identity-collision-resistance.
Non-malleable Codes from Additive Combinatorics
, 2013
Cited by 19 (5 self)
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient
Tamper and Leakage Resilience in the Split-State Model
, 2011
Cited by 19 (3 self)
It is notoriously difficult to create hardware that is immune to side-channel and tampering attacks. A lot of recent literature, therefore, has instead considered algorithmic defenses against such attacks. In this paper, we show how to algorithmically secure any cryptographic functionality from continual split-state leakage and tampering attacks. A split-state attack on cryptographic hardware is one that targets separate parts of the hardware separately. Our construction does not require the hardware to have access to randomness. In contrast, prior work on protecting from continual combined leakage and tampering [KKS11] required true randomness for each update. Our construction is in the common reference string (CRS) model; the CRS must be hardwired into the device. We note that prior negative results show that it is impossible to algorithmically secure a cryptographic functionality against a combination of arbitrary continual leakage and tampering attacks without true randomness; therefore restricting our attention to the split-state model is justified. Our construction is simple and modular, and relies on a new construction, in the CRS model, of non-malleable codes with respect to split-state tampering functions, which may be of independent interest.
Tamper-Proof Circuits: How to Trade Leakage for Tamper-Resilience
Cited by 14 (6 self)
Tampering attacks are cryptanalytic attacks on the implementation of cryptographic algorithms (e.g., smart cards), where an adversary introduces faults with the hope that the tampered device will reveal secret information. Inspired by the work of Ishai et al. [Eurocrypt’06], we propose a compiler that transforms any circuit into a new circuit with the same functionality, but which is resilient against a well-defined and powerful tampering adversary. More concretely, our transformed circuits remain secure even if the adversary can adaptively tamper with every wire in the circuit as long as the tampering fails with some probability δ > 0. This additional requirement is motivated by practical tampering attacks, where it is often difficult to guarantee the success of a specific attack. Formally, we show that a q-query tampering attack against the transformed circuit can be “simulated” with only black-box access to the original circuit and log(q) bits of additional auxiliary information. Thus, if the implemented cryptographic scheme is secure against log(q) bits of leakage, then our implementation is tamper-proof in the above sense. Surprisingly, allowing for this small amount of information leakage allows for much more efficient compilers, which moreover do not require randomness during evaluation. As in earlier works, our compiler requires small, stateless and computation-independent tamper-proof gadgets. Thus, our result can be interpreted as reducing the problem of shielding arbitrary complex computation to protecting simple components.
Non-Malleable Coding Against Bit-wise and Split-State Tampering
Cited by 10 (0 self)
Non-malleable coding, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), aims at protecting the integrity of information against tampering attacks in situations where error-detection is impossible. Intuitively, information encoded by a non-malleable code either decodes to the original message or, in the presence of any tampering, to an unrelated message. Non-malleable coding is possible against any class of adversaries of bounded size. In particular, Dziembowski et al. show that such codes exist and may achieve positive rates for any class of tampering functions of size at most 2^{2^{αn}}, for any constant α ∈ [0, 1). However, this result is existential and has thus attracted a great deal of subsequent research on explicit constructions of non-malleable codes against natural classes of adversaries. In this work, we consider constructions of coding schemes against two well-studied classes of tampering functions; namely, bit-wise tampering functions (where the adversary tampers each bit of the encoding independently) and the much more general class of split-state adversaries (where two independent adversaries arbitrarily tamper each half of the encoded sequence). We obtain the following results for these models. 1. For bit-tampering adversaries, we obtain explicit and efficiently encodable and decodable non-malleable
From single-bit to multi-bit public-key encryption via non-malleable codes
 IACR Cryptology ePrint Archive
, 2014
Cited by 9 (5 self)
One approach towards basing public-key encryption schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), is to build a multi-bit chosen-ciphertext (CCA) secure public-key encryption scheme from a single-bit CCA-secure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical. We propose a completely different and surprisingly simple approach to solving this problem. While it is well-known that encrypting each bit of a plaintext string independently is insecure (the resulting scheme is malleable), we show that applying a suitable non-malleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit results in a secure scheme. Our result is one of the first applications of non-malleable codes in a context other than memory tampering. The original notion of non-malleability is, however, not sufficient. We therefore prove that
BiTR: Built-in Tamper Resilience
Cited by 6 (0 self)
The assumption of the availability of tamper-proof hardware tokens has been used extensively in the design of cryptographic primitives. For example, Katz (Eurocrypt 2007) suggests them as an alternative to other setup assumptions, towards achieving general UC-secure multiparty computation. On the other hand, a lot of recent research has focused on protecting the security of various cryptographic primitives against physical attacks such as leakage and tampering. In this paper we put forward the notion of Built-in Tamper Resilience (BiTR) for cryptographic protocols, capturing the idea that the protocol encapsulated in a hardware token is designed so that tampering gives no advantage to an adversary. Our definition is within the UC model, and can be viewed as unifying and extending several prior related works. We provide a composition theorem for BiTR security of protocols, impossibility results, as well as several BiTR constructions for specific cryptographic protocols or tampering function classes. In particular, we achieve general UC-secure computation based on a hardware token that may be susceptible to affine tampering attacks. We also prove that two existing identification and signature schemes (by Schnorr and Okamoto, respectively) are already BiTR against affine attacks (without requiring any modification or encoding). We next observe that non-malleable codes can be used as state encodings to achieve the BiTR property, and show new positive results for deterministic non-malleable encodings for various classes of tampering functions.
Non-malleable codes from the wiretap channel
 In 2011 IEEE Information Theory Workshop, ITW 2011, Paraty
Algorithmic Tamper-Proof Security under Probing Attacks
Cited by 4 (1 self)
Gennaro et al. initiated the study of algorithmic tamper-proof (ATP) cryptography: cryptographic hardware that remains secure even in the presence of an adversary who can tamper with the memory content of a hardware device. In this paper, we solve an open problem stated in their paper, and also consider whether a device can be secured against an adversary who can both tamper with its memory and probe a few memory locations or wires at a time. Our results are as follows:
– It is impossible to realize a secure cryptographic functionality with a personal identification number (PIN) where a user is allowed to make up to ℓ incorrect consecutive attempts to enter her PIN, with no total limit on incorrect PIN attempts. (This was left as an open problem by Gennaro et al.)
– It is impossible to secure a deterministic cryptographic device against an adversary who is allowed to both tamper with the memory of the device and probe a memory location; it is also essentially infeasible to secure it if the adversary’s probing power is restricted to internal wires; it is impossible to secure it against an adversary whose probing power is restricted to internal wires, but who is also allowed to tamper with a few internal wires.
– By extending the results of Ishai et al., we show that a cryptographic device with a true source of randomness can withstand tampering and limited probing attacks at the same time.