White-box Cryptomania

Similar documents
From obfuscation to white-box crypto: relaxation and security notions

CSC 5930/9010 Modern Cryptography: Digital Signatures

Keynote: White-Box Cryptography

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

Lecture 8 - Message Authentication Codes

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Digital Signatures. Sven Laur University of Tartu

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Anonymous Signature Schemes

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

More crypto and security

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Cryptography. Andreas Hülsing. 6 September 2016

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Lecture 10, Zero Knowledge Proofs, Secure Computation

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Lecture 3.4: Public Key Cryptography IV

Direct Anonymous Attestation

Cryptography. Lecture 12. Arpita Patra

Lecture 18 - Chosen Ciphertext Security

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Verifiably Encrypted Signature Scheme with Threshold Adjudication

La Science du Secret sans Secrets

Public-Key Cryptography

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Somewhat Homomorphic Encryption

Iron: Functional encryption using Intel SGX

ISA 562: Information Security, Theory and Practice. Lecture 1

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

Foundations of Cryptography CS Shweta Agrawal

Cryptography: More Primitives

Security of Identity Based Encryption - A Different Perspective

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Universal designated multi verifier signature schemes

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Anonymizable Ring Signature Without Pairing

Password Authenticated Key Exchange by Juggling

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Cryptographically Secure Bloom-Filters

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

White-Box Cryptography State of the Art. Paul Gorissen

Advanced Cryptography 1st Semester Symmetric Encryption

Digital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54

Timed-Release Certificateless Encryption

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Authenticated encryption

On the Security of a Certificateless Public-Key Encryption

Introduction to Public-Key Cryptography

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

Applied Cryptography and Computer Security CSE 664 Spring 2018

Authenticated Encryption

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

the Presence of Adversaries Sharon Goldberg David Xiao, Eran Tromer, Boaz Barak, Jennifer Rexford

Applied cryptography

Overview of Cryptography

CS 495 Cryptography Lecture 6

Efficient Compilers for Authenticated Group Key Exchange

Financial Cryptography February 2001 Grand Cayman Islands - BWI

Efficient Round Optimal Blind Signatures

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Homomorphic Encryption

Notes for Lecture 24

Securely Combining Public-Key Cryptosystems

Publicly Verifiable Secret Sharing for Cloud-based Key Management

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens

Brief Introduction to Provable Security

On the Difficulty of Protecting Private Keys in Software Environments

On the security of a certificateless signature scheme in the standard model

Lecture 8: Cryptography in the presence of local/public randomness

COMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes

Advances in Securely Outsourcing Computation

Publicly-verifiable proof of storage: a modular construction. Federico Giacon

Plaintext Awareness via Key Registration

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Key-Evolution Schemes Resilient to Space Bounded Leakage

A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity

On cryptographic properties of the CVV and PVV parameters generation procedures in payment systems

Completely Non-Malleable Schemes

Online Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh

Cryptography V: Digital Signatures

Introduction to Obfuscation. Black-box Security

Refining Computationally Sound Mech. Proofs for Kerberos

Cryptography V: Digital Signatures

Multi-Theorem Preprocessing NIZKs from Lattices

An Exploration of Group and Ring Signatures

NIST Post- Quantum Cryptography Standardiza9on

Post-Quantum Cryptography A Collective Challenge

Towards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA

Obfuscation Omer Paneth

Concrete cryptographic security in F*

Solutions to exam in Cryptography December 17, 2013

Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications

Transcription:

White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud & Implementation Paris, June 27-28 2017

Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box cryptomania 4 Conclusion: the lesson to learn 5 News from the front: the WhibOx Contest

What is white-box crypto? The concept

What is NOT white-box crypto? General purpose obfuscation from any program P, generate an obfuscated program O(P) hide any program property π in the code of O(P) meaning: the code of O(P) a black-box oracle that runs P How realistic is obfuscation? very strong requirements on the compiler O known impossibility results (Barak et al, etc)

What is white-box crypto? general program obfuscation! White-box cryptography considers programs in a restricted class programs(f ) where f = some keyed function hides some program properties π in the code (but not all) code a black-box oracle only in some adversarial contexts already provably secure constructions for some f no impossibility results so far for f = blockcipher but no secure construction for e.g. f = AES k ( ), k $

Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box cryptomania 4 Conclusion: the lesson to learn 5 News from the front: the WhibOx Contest

White-box compilers for signatures Let Σ = (KeyGen, Sign, Verif ) be a public-key signature scheme. Definition A white-box compiler C Σ takes a key pair (sk, pk) KeyGen and some index r R and outputs a program C Σ (sk, pk, r) = [Sign r sk ]. Huge behavioral differences between function Sign(, ) oracle Sign(sk, ) program [Signsk r ] analytic description or algorithmic description remote access, input/output only, word in a language, stateless since rebootable, typically stateful, copiable, transferable, private randomness observable, modifiable, system calls simulatable (specification) (smart card) (executable software)

A basic scheme: Schnorr signatures Pick some G = g of order q. KeyGen(1 κ ) Sign(sk, m) Verif (pk, m, (s, c)) x Z q y = g x k Z q c = H(m, g k ) s = k cx mod q H(m, g s y c ) = c? Existentially unforgeable in the ROM under the DL problem Known impossibility results in the SM

Schnorr signing programs [Sign r sk ] =

Schnorr signing programs [Sign r sk ] =

Schnorr signing programs We intercept the call to the random source and put what we want Then given the output (s, c) This is a trivial break. x = k s c Schnorr signatures are not securely implementable as such k = PRNG(m) not good enough either k = PRNG(m, x) seems ok.

Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box cryptomania 4 Conclusion: the lesson to learn 5 News from the front: the WhibOx Contest

White-box cryptomania It s the world where [Signsk r ] is safe and cozy. What do we mean by that? A does not exist unless inefficient. Finally we have tamper-proof software for the Cloud!!

Security notions for signatures α β: if β can be broken, α can be broken UBK-KOA UUF-KOA EUF-KOA UBK-KMA UUF-KMA EUF-KMA UBK-CMA UUF-CMA EUF-CMA But that s not sufficient to capture attack on programs. Let s introduce known program attacks

Known program attacks UBK-KPA:

A first observation We have a reduction UBK-KPA UBK-CMA :

Equivalence CMA/KPA In white-box cryptomania, we should loose nothing when switching from CMA to KPA. It means there must be a reduction in the other direction: Now UBK-KPA = UBK-CMA :)

Program-reconstructing meta-reduction We see that we can build a meta-reduction!

Program-reconstructing meta-reduction... but the public-key given by R might be different from pk

Algebraic programs Algebraicity over G: Huge class of algorithms, extends generic model

Repairing the biased program If R is algebraic then we can extract the coefficients in pk = y = g α y β so that given a program output (s, c ) on m, we have ( c = H m, g s y c ) = H (m, g s g αc y βc ) If we pose s = s +αc β and c = c and assume that generator g can be put into the public key pk, then the program can be repaired into a signing program wrt the key pair (sk, pk) since ( c = H m, (g β) s (y β) c) pk = (g, y) (g β, y β )

The effect of white-box cryptomania To summarize, white-box cryptomania gives us an efficient program reconstruction algorithm:

Impact on UUF-CMA Recall the UUF-CMA game:

Impact on UUF-CMA Using M, UUF-CMA is now easy to break :( This is a huge collateral damage of white-box cryptomania, unavoidable unless we relax our definition of white-box cryptomania

Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box cryptomania 4 Conclusion: the lesson to learn 5 News from the front: the WhibOx Contest

Conclusion: the lesson to learn White-box crypto is a powerful paradigm beside the question of theoretic existence, the range of applications is immense white-box cryptomania is a bit too much: we do not want to loose the unforgeability properties of public-key signatures preferable to leave UBK-CMA and UBK-CPA non-equivalent to allow some security to subsist for UUF-CMA This is work in progress a lot of questions remain can we have the same conclusions for e.g. ECDSA? how to relax white-box cryptomania?

Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box cryptomania 4 Conclusion: the lesson to learn 5 News from the front: the WhibOx Contest

News from the front: WhibOx Contest

News from the front: WhibOx Contest

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback