Quantifying Information Flow for Dynamic Secrets
|
|
- Ilene Francis
- 6 years ago
- Views:
Transcription
1 Quantifying Information Flow for Dynamic Secrets Piotr (Peter) Mardziel, Mário S. Alvim, + Michael Hicks, and Michael R. Clarkson University of Maryland, College Park, + Universidade Federal de Minas Gerais, George Washington University and Cornell University UM 1 / 20
2 Quantified Information Flow [QIF] Secrets leak to bad guys. Quantify leakage of the secret. secret information defender channel adversary 2 / 20
3 Why Quantified Information Flow? Evaluate risks. Evaluate relative merits of protection mechanisms. Design incentives to keep adversaries from participating. secret information defender channel adversary 2 / 20
4 Examples Password authentication Location-based services Address space randomization secret information defender channel adversary 2 / 20
5 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation 3 / 20
6 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20
7 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20
8 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20
9 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation flow information after observation 3 / 20
10 This work: define flow when the secret can change Defined formal model for scenarios with dynamic secrets. Accommodates adaptive adversaries. More expressive than prior models. Definition of flow generalizes prior measures. Demonstrated several interesting phenomena using an implementation of our model. Low-adaptive adversary exponentially higher flow. Wait-adaptive adversary monotonically increasing flow. More change does not necessarily mean more security. 4 / 20
11 Outline Example: Static secrets Low-adaptive adversaries decide how to influence the channel based on prior observations. Low-adaptivity exponentially higher flow. Example: Dynamic secrets Wait-adaptive adversaries decide when to exploit the secret. Wait adaptivity monotonically increasing flow with time. 5 / 20
12 Example: Pirate Treasure defender / 20
13 Secret Prior 0? 1? 2? 3? 4? 5? 6? 7? adversary 7 / 20
14 Secret Prior = Defender Belief 0? 1? 2? 3? 4? 5? 6? 7? adversary Assumption: adversary knows defender behavior. 7 / 20
15 Exploitation e 0? 1? 2? 3? 4? 5? 6? 7? adversary Adversary raids an island e for the treasure. If e = h he succeeds. 7 / 20
16 Exploitation e 0? 1? 2? 3? 4? 5? 6? 7? adversary Smith (FoSSaCS 09): (prior) Vulnerability: expected probability of optimal adversary with one guess being correct. 7 / 20
17 Exploitation: Measures of Success e 0? 1? 2? 3? 4? 5? 6? 7? adversary Optimal adversary behavior: Guessing Entropy: Minimal number of guesses to find secret. Alvim et al. (CSF 12): g-vulnerability Gain/payoff according to function g(secret, exploit). 7 / 20
18 Exploitation: Vulnerability e 0? 1? 2? 3? 4? 5? 6? 7? adversary Connect probability of success to economic quantities. If the treasure is worth w doubloons, the expected gain to adversary and loss to the defender is w V doubloons. Here, w/8. Will stick with expected probability of success using the term gain in the remainder of this talk. 7 / 20
19 Observation Gold compass points in the direction of the treasure. Adversary has a choice of where to use the compass. Analogy to timing side-channel in an RSA implementation as per Brumley and Boneh (USENIX Security 03) west east???????? channel adversary 8 / 20
20 Observation Gold compass points in the direction of the treasure. Adversary has a choice of where to use the compass. Analogy to timing side-channel in an RSA implementation as per Brumley and Boneh (USENIX Security 03) 1/2 1/ west channel adversary 8 / 20
21 Increased knowledge Observation leads to increase in knowledge. Which leads to increased odds of exploitation. 1/2 1/ adversary 9 / 20
22 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). 1/2 1/ adversary 9 / 20
23 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20
24 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20
25 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20
26 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation Here: 2/8. 1/2 1/ adversary 9 / 20
27 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} Island to raid given compass observation at island l / 20
28 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. Island to raid given compass observations at islands l 1 and l / 20
29 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. (max) time = T / 20
30 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. (max) time = T... expected raid gain T = number of observations before raid 10 / 20
31 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. 11 / 20
32 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20
33 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20
34 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20
35 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20
36 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. 11 / 20
37 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. 11 / 20
38 Where to observe? expected raid gain Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. Can perform binary search for the secret (cannot do so with fixed observation order) fixed observation order adaptive observations T = number of observations before raid 11 / 20
39 Low Adaptivity Köpf and Basin (CCS 07): low-adaptive adversaries for deterministic systems (side channels). Adaptivity is largely ignored in QIF literature (even since the above work). Our work: probabilistic systems (channel, defender behavior). expected raid gain fixed observation order adaptive observations T = number of observations before raid 12 / 20
40 Overview so far secrets adversary influence h 0 l 1 l 2 o 1 Time defender channel l 3 o 2 o 3 observation adversary exploitation e g defender s loss gain/loss g adversary s gain 13 / 20
41 Add dynamic secrets secrets h 0 adversary influence l 1 h 1 l 2 o 1 Time defender h 2 channel l 3 o 2 o 3 observation adversary exploitation e g defender s loss gain/loss g adversary s gain 13 / 20
42 Example: Moving treasure Defender s strategy changes the secret based on prior secret. Prior, he chooses one of two strategies with equal probability. 1/2 : move west 1/2 : move east 1/4 1/4 1/4 1/4 1/4 1/4 1/4 1/4 14 / 20
43 Example: Moving treasure Defender s strategy changes the secret based on prior secret. Prior, he chooses one of two strategies with equal probability. Assumption: adversary knows the process with which the defender chose his strategy (but not the resulting strategy). 1/2 : move west 1/2 : move east 1/4 1/4 1/4 1/4 1/4 1/4 1/4 1/4 14 / 20
44 Gain with moving treasure Defender moves his treasure every 3 time steps. expected raid gain without moves with moves T = number of observations before raid 15 / 20
45 Gain with moving treasure Defender moves his treasure every 3 time steps. expected raid gain without moves with moves T = number of observations before raid 15 / 20
46 Gain with moving treasure Defender moves his treasure every 3 time steps. Adversary eventually learns how the treasure moves. expected raid gain without moves with moves T = number of observations before raid 15 / 20
47 Hiding the treasure vs. Hiding its dynamics Uneasy balance: Protect secrecy of current secret. Protect secrecy of how the secret changes. This can lead to strangeness: more secret change quicker adversary inference of secret (see paper). 16 / 20
48 Negative flow? Gain at time 3 < Gain at time 2 expected raid gain T = number of observations before raid 17 / 20
49 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. expected raid gain T = number of observations before raid 17 / 20
50 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20
51 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20
52 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20
53 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20
54 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20
55 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20
56 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } Monotonic gain over time (positive flow). expected raid gain non-adaptive wait adaptive wait T = (max) number of observations before raid 18 / 20
57 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } Monotonic gain over time (positive flow). Non-compositional : optimal behavior for time 3 is not the prefix to optimal behavior for time 5. expected raid gain non-adaptive wait adaptive wait T = (max) number of observations before raid 18 / 20
58 Prototype Implementation Describe models as probabilistic programs in monadic-style OCaml. Optimize adversary behavior via backward induction. Analyze a series of scenarios (including this talk s examples) Freely available online. 19 / 20
59 Conclusions Model for information flow with dynamic secrets. 20 / 20
60 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. 20 / 20
61 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. 20 / 20
62 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) 20 / 20
63 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) Implementation and Experiments More change more gain And more! (see paper and TR) 20 / 20
64 Quantifying Information Flow for Dynamic Secrets Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) Implementation and Experiments More change more gain And more! (see paper and TR) Paper, TR, Implementation, Experiments Follow up paper: adversary gain defender loss 20 / 20
Adversary Gain vs. Defender Loss in Quantified Information Flow
Adversary Gain vs. Defender Loss in Quantified Information Flow Piotr Mardziel, Mário S. Alvim, and Michael Hicks, University of Maryland, College Park Universidade Federal de Minas Gerais Abstract Metrics
More informationAdversary Gain vs. Defender Loss in Quantified Information Flow
Adversary Gain vs. Defender Loss in Quantified Information Flow Piotr Mardziel, Mário S. Alvim, and Michael Hicks, University of Maryland, College Park Universidade Federal de Minas Gerais Abstract Metrics
More informationQuantifying Information Flow for Dynamic Secrets
Quantifying Information Flow for Dynamic Secrets Piotr Mardziel, Mário S. Alvim, Michael Hicks, and Michael R. Clarkson University of Maryland, College Park Universidade Federal de Minas Gerais George
More informationTowards the Quantification of Strategy Leakage
Towards the Quantification of trategy Leakage Mário. Alvim, Piotr Mardziel, Michael Hicks Universidade Federal de Minas Gerais msalvim@dcc.ufmg.br arnegie Mellon University piotrm@cmu.edu University of
More informationarxiv: v2 [cs.cr] 21 May 2018
Article A Game-Theoretic Approach to Information-Flow Control via Protocol Composition arxiv:1803.10042v2 [cs.cr] 21 May 2018 Mário S. Alvim 1 ID, Konstantinos Chatzikokolakis 2,3 ID, Yusuke Kawamoto 4
More informationQuantitative Approaches to Information Protection
Quantitative Approaches to Information Protection Catuscia Palamidessi INRIA Saclay 1 LOCALI meeting, Beijin 06/11/2013 Plan of the talk Motivations and Examples A General Quantitative Model Quantitative
More informationSecret Sharing CPT, Version 3
Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically
More informationQuantitative Information Flow. Lecture 7
Quantitative Information Flow Lecture 7 1 The basic model: Systems = Information-Theoretic channels Secret Information Observables s1 o1... System... sm on Input Output 2 Probabilistic systems are noisy
More informationPing Pong Protocol & Auto-compensation
Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04 Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol
More informationSide Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution
Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik Bultan Computer Science Department University of California, Santa Barbara Joint work with: Abdulbaki Aydin,
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationWhen Not All Bits Are Equal: Worth-Based Information Flow
When Not All Bits Are Equal: Worth-Based Information Flow Mário S. Alvim 1, Andre Scedrov 2, and Fred B. Schneider 3 1 Universidade Federal de Minas Gerais, Brazil 2 University of Pennsylvania, USA 3 Cornell
More informationWhat s the Over/Under? Probabilistic Bounds on Information Leakage
What s the Over/Under? Probabilistic Bounds on Information Leakage Ian Sweet 1, José Manuel Calderón Trilla 2, Chad Scherrer 2, Michael Hicks 1, and Stephen Magill 2 1 University of Maryland and 2 Galois
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationPredictive Black-Box Mitigation of Timing Channels
Predictive Black-Box Mitigation of Timing Channels Aslan Askarov aslan@cs.cornell.edu Danfeng Zhang zhangdf@cs.cornell.edu Department of Computer Science Cornell University Ithaca, NY 14853 Andrew C. Myers
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationSynthesis of Adaptive Side-Channel Attacks
Synthesis of Adaptive Side-Channel Attacks MALACARIA, P; Phan, Q-S; Pasareanu, C; Bang, L; Bultan, T; 2017 IEEE Computer Security Foundations Symposium (CSF) For additional information about this publication
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationPassword Cracking: The Effect of Bias on the Average Guesswork of Hash Functions
Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions Yair Yona, and Suhas Diggavi, Fellow, IEEE Abstract arxiv:608.0232v4 [cs.cr] Jan 207 In this work we analyze the average
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationCold Boot Attacks in the Discrete Logarithm Setting
Cold Boot Attacks in the Discrete Logarithm Setting B. Poettering 1 & D. L. Sibborn 2 1 Ruhr University of Bochum 2 Royal Holloway, University of London October, 2015 Outline of the talk 1 Introduction
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationECE521 Lecture7. Logistic Regression
ECE521 Lecture7 Logistic Regression Outline Review of decision theory Logistic regression A single neuron Multi-class classification 2 Outline Decision theory is conceptually easy and computationally hard
More informationIntroduction to Number Theory. The study of the integers
Introduction to Number Theory The study of the integers of Integers, The set of integers = {... 3, 2, 1, 0, 1, 2, 3,...}. In this lecture, if nothing is said about a variable, it is an integer. Def. We
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationFormally Bounding the Side-Channel Leakage in Unknown-Message Attacks
Formally Bounding the Side-Channel Leakage in Unknown-Message Attacks (Full Version ) Michael Backes 1,2 and Boris Köpf 2 backes@cs.uni-sb.de bkoepf@mpi-sws.mpg.de 1 Saarland University 2 MPI-SWS Abstract.
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationWeighted Majority and the Online Learning Approach
Statistical Techniques in Robotics (16-81, F12) Lecture#9 (Wednesday September 26) Weighted Majority and the Online Learning Approach Lecturer: Drew Bagnell Scribe:Narek Melik-Barkhudarov 1 Figure 1: Drew
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationQuantifying Information Flow with Beliefs
Quantifying Information Flow with Beliefs Michael R. Clarkson Andrew C. Myers Fred B. Schneider Department of Computer Science Cornell University {clarkson,andru,fbs}@cs.cornell.edu Abstract To reason
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationInverting Proof Systems for Secrecy under OWA
Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa State University Ames, Iowa 50010 slutzki@cs.iastate.edu May 9th, 2010 Jointly with Jia Tao and Vasant Honavar
More informationInvestigations of Power Analysis Attacks on Smartcards *
Investigations of Power Analysis Attacks on Smartcards * Thomas S. Messerges Ezzy A. Dabbish Robert H. Sloan 1 Dept. of EE and Computer Science Motorola Motorola University of Illinois at Chicago tomas@ccrl.mot.com
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationStatistical Estimation of Min-Entropy Leakage
Statistical Estimation of Min-Entropy eakage Tom Chothia Yusuke Kawamoto School of Computer Science, University of Birmingham, United Kingdom April 014 Abstract This manuscript presents new results on
More informationOverview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy
Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationDifferential Privacy
CS 380S Differential Privacy Vitaly Shmatikov most slides from Adam Smith (Penn State) slide 1 Reading Assignment Dwork. Differential Privacy (invited talk at ICALP 2006). slide 2 Basic Setting DB= x 1
More informationError Reconciliation in QKD. Distribution
Error Reconciliation in Quantum Key Distribution Richard P. Brent MSI, ANU 1 October 2009 Abstract The problem of "error reconciliation" arises in Quantum Cryptography, which is more accurately described
More informationDS-GA 1002 Lecture notes 11 Fall Bayesian statistics
DS-GA 100 Lecture notes 11 Fall 016 Bayesian statistics In the frequentist paradigm we model the data as realizations from a distribution that depends on deterministic parameters. In contrast, in Bayesian
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationQuantitative Information Leakage. Lecture 9
Quantitative Information Leakage Lecture 9 1 The baic model: Sytem = Information-Theoretic channel Secret Information Obervable 1 o1... Sytem... m on Input Output 2 Toward a quantitative notion of leakage
More informationan information-theoretic model for adaptive side-channel attacks
an information-theoretic model for adaptive side-channel attacks Boris Köpf, David Basin ETH Zurich, Switzerland successful side-channel attacks Attacker must be able to extract information about the key
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationEAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties
EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger Saarland Informatics Campus, Saarland University, Saarbrücken, Germany
More informationA Probabilistic Framework for solving Inverse Problems. Lambros S. Katafygiotis, Ph.D.
A Probabilistic Framework for solving Inverse Problems Lambros S. Katafygiotis, Ph.D. OUTLINE Introduction to basic concepts of Bayesian Statistics Inverse Problems in Civil Engineering Probabilistic Model
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationAutomata-Based String Analysis
1 / 46 Automata-Based String Analysis Model Counting Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory http://vlab.cs.ucsb.edu Department of Computer Science Overview Overview String Constraints
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationOn the computational soundness of cryptographically masked flows
On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationFrequency-hiding Dependency-preserving Encryption for Outsourced Databases
Frequency-hiding Dependency-preserving Encryption for Outsourced Databases ICDE 17 Boxiang Dong 1 Wendy Wang 2 1 Montclair State University Montclair, NJ 2 Stevens Institute of Technology Hoboken, NJ April
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationRange Queries on Two Column Data
07 IEEE Second International Conference on Data Science in Cyberspace Range Queries on Two Column Data Ce Yang, Weiming Zhang and Nenghai Yu CAS Key Laboratory of Electro-magnetic Space Information University
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationRemote Timing Attacks are Practical
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel
More informationBayesian Concept Learning
Learning from positive and negative examples Bayesian Concept Learning Chen Yu Indiana University With both positive and negative examples, it is easy to define a boundary to separate these two. Just with
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More information19. Coding for Secrecy
19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,
More informationMidterm 1. Total. CS70 Discrete Mathematics and Probability Theory, Spring :00-9:00pm, 1 March. Instructions:
CS70 Discrete Mathematics and Probability Theory, Spring 2012 Midterm 1 7:00-9:00pm, 1 March Your Name: Person on Your Left: Person on Your Right: Your Section: Instructions: (a) There are five questions
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationTowards a Game Theoretic View of Secure Computation
Towards a Game Theoretic View of Secure Computation Gilad Asharov Ran Canetti Carmit Hazay July 3, 2015 Abstract We demonstrate how Game Theoretic concepts and formalism can be used to capture cryptographic
More informationA Unified Framework for the Analysis of Side-Channel Key Recovery Attacks
A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks François-Xavier Standaert 1, Tal G. Malkin 2, Moti Yung 2,3 1 UCL Crypto Group, Université Catholique de Louvain. 2 Dept. of Computer
More informationarxiv: v1 [cs.ds] 3 Feb 2018
A Model for Learned Bloom Filters and Related Structures Michael Mitzenmacher 1 arxiv:1802.00884v1 [cs.ds] 3 Feb 2018 Abstract Recent work has suggested enhancing Bloom filters by using a pre-filter, based
More informationUnpredictable Walks on the Integers
Unpredictable Walks on the Integers EJ Infeld March 5, 213 Abstract In 1997 Benjamini, Premantle and Peres introduced a construction of a walk on Z that has a faster decaying predictability profile than
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationComputational Cognitive Science
Computational Cognitive Science Lecture 9: A Bayesian model of concept learning Chris Lucas School of Informatics University of Edinburgh October 16, 218 Reading Rules and Similarity in Concept Learning
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationLifted Inference: Exact Search Based Algorithms
Lifted Inference: Exact Search Based Algorithms Vibhav Gogate The University of Texas at Dallas Overview Background and Notation Probabilistic Knowledge Bases Exact Inference in Propositional Models First-order
More informationDPA-Resistance without routing constraints?
Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL
More information