Doubly half-injective PRGs for incompressible white-box cryptography

Transcription

1 SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels

2 White-box attack scenario encryption/ plaintext/ciphertext decryption ciphertext/plaintext Adversary gets access to the implementation code and its execution environment WB Cryptography aims to maintain a program secure even when subject to this attack model 2

3 Incompressibility for white-box cryptography

4 Adversarial capabilities The adversary gets access to the program code of an implementation He could extract keys, but also copy the program and its functionality Threat of code-lifting attacks WB WB copy 4

5 Methods for mitigating code-lifting attacks Incompressibility Delerablée, Lepoint, Paillier, Rivain: White-box security notions for symmetric encryption schemes Fouque, Karpman, Kirchner, Minaud: Efficient and provable white-box primitives WB WB 5

6 In this work We build an incompressible wb-encryption scheme Our construction is based on standard assumptions, such as pseudorandom generators and pseudorandom functions PRF INC-PRF INC-PRF WB-Enc (MAC) 6

7 PRGs, PRFs and the GGM tree

8 Pseudorandom generators Deterministic, polynomial time computable function satisfying: Length-expansion: for all x {0,1}* PRG(x) = 2 x Pseudorandomness: the output from the PRG should be indistinguishable from random x G 0 (x) x G 1 (x) x 8

9 Pseudorandom functions Deterministic, polynomial time computable function satisfying: Length-condition: for all n N, k, x {0,1} n, PRF(k, x) = y Pseudorandomness: the output from the PRF should be indistinguishable from random k, x y 9

10 GGM tree: building a PRF from a PRG Introduced by Goldreich, Goldwasser and Micali Input x of the PRF(k,x) represents the binary address of the binary tree k G 0 (k) G 1 (k) G 0 G 0 (k) G 1 G 0 (k) G 0 G 1 (k) G 1 G 1 (k) 10

11 GGM tree E.g. x= 10 PRF(k,x)= GGM(k,m)= G 0 G 1 (k) k 1 G 0 (k) G 1 (k) 0 G 0 G 0 (k) G 1 G 0 (k) G 0 G 1 (k) G 1 G 1 (k) 11

12 An incompressible white-box pseudorandom function

13 (Incompressible) PRF implementation Build a PRF which uses a large, incompressible key Key expansion k {0,1}* K = Comp PRF (k), with K > > k Functionality preservation: k, x {0,1}*, f(k, x) = F(K, x) 13

14 Construction (1) - PRF Standard PRF based on the GGM tree 14

15 k 1 x = 1011 G 0 (k) G 1 (k) 0 G 0 G 0 (k) G 1 G 0 (k) G 0 G 1 (k) G 1 G 1 (k) 1 y 1 15

16 Construction (2) - Compiler Iterate the GGM on key k and all possible values of length l 16

17 k l = 2 G 0 (k) G 1 (k) k 0 k 1 k 2 k 3 K = k 0 k 1 k 2 k 3 17

18 Construction (3) - Incompressible PRF F takes as input the long key K. Input x is split in two. 18

19 k x = 1011 l = 2 j = 10 G 0 (k) G 1 (k) k 0 k 1 k 2 k 3 GGM(k 2,11) 19

20 x = 1011 k 2 1 G 0 (k) G 1 (k) 1 y y GGM(k 2,11) 20

21 Functional equivalence and incompressibility k 1 f(k,1011) = y Comp PRF (k) = K G 0 (k) G 1 (k) F(K,1011) = y 0 K = k k k k y 21

22 Possible collisions k = k a k b k = k a k c y 0 y 1 = y 0 y 1 For our incompressibility property to hold, we need injectivity 22

23 Doubly-half injective PRGs

24 PRG with double injectivity k y 0 y 1 We want injectivity from L to the set Y, with k L and y 0, y 1 Y. 24

25 Left-half-injective PRG Construction by Garg, Pandey, Srinivasan and Zhandry: use a one-way permutation to construct a left-half injective PRG Breaking the sub-exponential barrier in obfustopia OWP G(x) y 0 y 1 G(x) := OWP x (x) B(x) B(OWP(x))... B(OWP x 1 (x)), with B = hardcore bit 25

26 Doubly-half injective PRG Assuming a left-half injective, length doubling PRG G = G 0 G 1 OWP-Injective g(x 0 x 1 ) := G 0 (x 0 ) G 1 (x 0 ) G 0 (x 1 ) G 0 (x 1 ) G 1 (x 1 ) G 0 (x 0 ) Injective Injective 26

27 Doubly-half injective PRG g(x 0 x 1 ) := G 0 (x 0 ) G 1 (x 0 ) G 0 (x x ) G 0 (x 1 ) G 1 (x 1 ) G 0 (x 0 ) Left half is injective, Let w 0 w 1, s.t. g 0 (w 0 w 1 ) = g 0 (x 0 x 1 ) G 0 is a permutation x 0 = w 0 G 1 (w 0 ) G 0 (w 1 ) = G 1 (x 0 ) G 0 (x 1 ) G 0 is a permutation x 1 = w 1 The injectivity of the right half follows analogously 27

28 Conclusions

29 Overview of our construction DPRG GGM INC-PRF INC-WB Provide an incompressible (big key) white-box encryption scheme Results based on standard crypto-assumptions Construct a new type of PRG 29

30 Backup slides

31 Conclusions Provide an incompressible (big key) white-box encryption scheme Results based on standard crypto-assumptions Construct a new type of PRG DPRG GGM INC-PRF INC-WB 31

32 Alternative desirable properties Making a program traceable (traceability) Binding the WB to a precise hardware device (hardware binding) Making the functionality of the WB dependent of a set of inputs (input binding/application binding) 32

33 Why is F incompressible? k x = 0111 GGM(,0111) = G 0 (k) G 1 (k) F(K,0111) = K = k k k k

34 Why is F incompressible? We need the complete key K to achieve f(k, x) = F(K, x) for all x {0,1}* However, this might only hold depending on the definition of the PRG used in the GGM tree. 34

35 Theorem 1 IF PRF admits a computationally (σ, λ) incompressible implementation F, the wb-encryption scheme in Constructino 1 is a (σ, λ n o(1)) incompressible wb-encryption scheme. Proof sketch via reduction: we reduce the incompressibility of F to the incompressibility of the encryption scheme. Cannot produce a valid MAC without the complete key K 35

36 Doubly-half injective PRG We define a PRG which is left-half and right-half injective. Three properties required: Length-doubling: For all x {0,1}* g(x) = 2 x. g 1 (x)is the right half. g 0 (x) is the left haf of g and Doubly-half injective: Pseudorandomness: g 0 and g 1 are injective. g(u n ) is computationally indistinguishable fromu 2n. 36

37 Construction 1 via AE-scheme and F 37

38 Use cases of white-box cryptography Original concern: Digital Rights Management White-box crypto introduced as a method to mitigate piracy Chow, Eisen Johnson and van Oorschot - A white-box cryptography and an AES implementation Recently proposed as a method for protecting cryptographic keys within mobile payment applications implemented in software 38

39 Global construction of the scheme Key expansion property Pseudorandomness property follows from the property of the GGM 39

40 Methods for mitigating code-lifting attacks Two popular methods have been studied in the literature: Traceability Delerablée, Lepoint, Paillier, Rivain: White-box security notions for symmetric encryption schemes WB WB 40