White-Box Security Notions for Symmetric Encryption Schemes

Transcription

1 White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013

2 Outline 1 What is white-box crypto? 2 A framework of security notions 3 Achieving incompressibility 4 Traceable white-box programs 5 Conclusion

3 What is NOT white-box crypto? General obfuscation from any program P, generate an obfuscated program O(P) hide any program property π in the code of O(P) meaning: the code of O(P) a black-box oracle that runs P How realistic is obfuscation? very strong requirements on the compiler O known impossibility results [BGI+01]

4 What is white-box crypto? general program obfuscation! White-box cryptography [CEJO+02] considers programs in a restricted class programs(f ) where f = some keyed function hides some program properties π in the code (but not all) code a black-box oracle only in some adversarial contexts already provably secure constructions for some f (f = re-encryption [HRSV07,CCV12]) no impossibility results so far for f = blockcipher but no secure construction for e.g. f = AES k ( ), k $

5 Our approach What do we really want from white-box crypto? 1. given k $, generate (possibly randomly) P = [AES k (.)] 2. it must be hard to recover k by playing around with P OLD 3. it also must be hard to decrypt under k OLD 4. we may want P to be big and incompressible NEW 5. we may want to distribute traceable NEW versions P 1,..., P n This work we capture 1-5 into concrete security games OLD+NEW we build a toy blockcipher that provably satisfies 1-4 NEW we build a construction that provably achieves 5 NEW

6 Outline 1 What is white-box crypto? 2 A framework of security notions 3 Achieving incompressibility 4 Traceable white-box programs 5 Conclusion

7 White-box compilers Let E = (K, E, D) be a symmetric encryption scheme. Definition A white-box compiler C E takes as input a key k K and some index r R and outputs a program P = C E (k, r) = [E r k ]. Huge behavioral differences between function E(, ) oracle E(k, ) program [Ek r ] analytic description or algorithmic description remote access, input/output only, might be stateful word in a language, stateless since rebootable, copiable, transferable, observable, modifiable, system calls simulatable (specification) (smart card) (executable software)

8 Attack models Security notion = adversarial goal + attack model What are the attack models against white-box programs? Given the description of C E (, ) and P = [Ek r ] for unknown k K chosen-plaintext attack CPA can encrypt any plaintext unavoidable chosen-ciphertext attack CCA can make decryption queries to an oracle D(k, ) recompilation attack RCA can make recompilation requests to get other programs C E (k, r ) for unknown r r combined attack RCA + CCA most powerful (?) RCA can be made stronger with known or chosen r R. What about adversarial goals?

9 Unbreakability UBK k K(), r $ R [E r k ] = C E(k, r) ˆk? = k Challenger [E r k ] ˆk A m c [E r k ] D(k, ) C E (k, R) UBK-CCA UBK-RCA There is no semantic security on k since verifying that ˆk = k is easy. So some information on k always leaks.

10 One-wayness OW k K(), r $ R [E r k ] = C E(k, r) m $ M c = E(k, m) ˆm? = m Challenger [E r k ], c ˆm A m c [E r k ] D(k, ) C E (k, R) OW-CCA OW-RCA Again, no semantic security on m since verifying that ˆm = m is easy. Expected since E is a deterministic encryption scheme.

11 Incompressibility INC Given a large program, build an equivalent yet much smaller one k K(), r $ R [Ek r] = C E(k, r) (P, E(k, ))? δ and size (P ) <? λ Challenger [E r k ] P A m c [E r k ] D(k, ) C E (k, R) INC-CCA INC-RCA

12 Traceability TRAC C E admits a tracing scheme if there exists an algorithm trace such that no adversary can win the tracing game TRAC: generate a key k $ K and P 1 = [E r 1 k ],..., P n = [E rn k ] A chooses some T [1, n] and is provided with {P i, i T } A returns some rogue program Q A({P i, i T }) trace a traitor t trace(q, k, r 1,..., r n ) A wins if Q is functional enough and t T

13 The big picture α β: if β can be broken, α can be broken INC UBK TRAC OW CCA CPA RCA + CCA RCA The weakest security notion is UBK-CPA. We don t even know how to achieve it with E = AES...

14 Outline 1 What is white-box crypto? 2 A framework of security notions 3 Achieving incompressibility 4 Traceable white-box programs 5 Conclusion

15 Achieving incompressibility A toy example... G group of secret order w and e = exponent with large entropy Hard problems on G Given desc(g) and e UBK[G] find the group order w (FACT) ORD[G] find the order of a group element ( FACT) ROOT[G, e] find the e-th root of a group element (RSA) GAP[G, e] find the group order w with the help of an e-th root RSA def extractor (FACT = GAP-RSA)

16 Achieving incompressibility Key generation: generate k = (desc(g), e, w) Encryption: E(k, m) = m e Decryption: D(k, c) = c1/e mod w C E (k, r = ) just returns [m m e ] Then ORD[G] INC-CPA assuming that the compressed program is algebraic.

17 ORD[G] INC-CPA k K(), r $ R [E r k ] = CE(k, r) [E r k ] (P, E(k, ))? δ and size (P )? < λ Challenger P A m c [E r k ] D(k, ) CE(k, R) INC-CCA INC-RCA Here, [E r k ] = [m me ] and P is algebraic. Using extract, we can find an execution of P where P(m) = m α for a known α. Then either α e then e α ord(m) and we break ORD[G] or α = e then size (P) H(e) and P must be big

18 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

19 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

20 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

21 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

22 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

23 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

24 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

25 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

26 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

27 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

28 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

29 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

30 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] easy (under standard assumptions)

31 Achieving incompressibility Security profile of C E : ORD[G] UBK[G] ROOT[G, e] INC-CPA UBK-CPA OW-CPA INC-CCA UBK-CCA OW-CCA GAP[G, e] GAP[G, e] trivial (under standard assumptions)

32 Outline 1 What is white-box crypto? 2 A framework of security notions 3 Achieving incompressibility 4 Traceable white-box programs 5 Conclusion

33 Traceable white-box programs Assume we can hide functional perturbations in [D r k ] a perturbation c i m i means that [D r k ](c i) returns m i instead of the correct plaintext m i = D(k, c i ) the white-box compiler C E now takes a list of perturbations as extra input (c 1 m 1, c 2 m 2,..., c u m u) assuming perturbations are hidden, we can construct a log-efficient tracing scheme

34 Traceable white-box programs Setup User program Specification Perturbations P 1 [D(k, )] c 1, c 2,..., c n P 2 [D(k, )] c 2, c 3,..., c n P 3 [D(k, )] c 3, c 4,..., c n Note that... P n 1 [D(k, )] c n 1, c n P n [D(k, )] c n 1. when c c 1,..., c n, all programs decrypt c correctly 2. when c = c i, programs P 1,..., P i are incorrect on c but P i+1,..., P n are correct

35 Traceable white-box programs We get a private-key linear broadcast encryption (PLBE) scheme With p(0) = Pr [Q(c) = D(k, c)] for c $ C p(v) = Pr [Q(c v ) = D(k, c v )] for v = 1,..., n If there is a gap on the curve of p(v) for some v then v is a traitor.

36 Traceable white-box programs Tracing algorithm on rogue decryption program Q Estimate p(v) as ˆp(v) and find a gap using dichotomy takes O(log n) executions of Q Requires 2 assumptions on how well perturbations are hidden by the white-box compiler. See details in the paper.

37 Outline 1 What is white-box crypto? 2 A framework of security notions 3 Achieving incompressibility 4 Traceable white-box programs 5 Conclusion

38 Conclusion New achievements framework of proper security notions for white-box compilers unbreakability + one-wayness + incompressibility is achievable traceability of programs is achievable under assumptions A lot of issues remain are there any other security notions of interest? unforgeability? non-malleability? public verifiability? can we achieve any of these notions with a true blockcipher?... even just UBK-CPA with f = AES? can we extend traceability for f = any keyed function?