-
Fault Attacks on Encrypted General Purpose Compute Platforms
Authors:
Robert Buhren,
Shay Gueron,
Jan Nordholz,
Jean-Pierre Seifert,
Julian Vetter
Abstract:
Adversaries with physical access to a target platform can perform cold boot or DMA attacks to extract sensitive data from the RAM. In response, several main-memory encryption schemes have been proposed to prevent such attacks. Also hardware vendors have acknowledged the threat and already announced respective hardware extensions. Intel's SGX and AMD's SME will provide means to encrypt parts of the…
▽ More
Adversaries with physical access to a target platform can perform cold boot or DMA attacks to extract sensitive data from the RAM. In response, several main-memory encryption schemes have been proposed to prevent such attacks. Also hardware vendors have acknowledged the threat and already announced respective hardware extensions. Intel's SGX and AMD's SME will provide means to encrypt parts of the RAM to protect security-relevant assets that reside there. Encrypting the RAM will protect the user's content against passive eavesdrop**. However, the level of protection it provides in scenarios that involve an adversary who is not only able to read from RAM but can also change content in RAM is less clear. Obviously, encryption offers some protection against such an "active" adversary: from the ciphertext the adversary cannot see what value is changed in the plaintext, nor predict the system behaviour based on the changes. But is this enough to prevent an active adversary from performing malicious tasks? This paper addresses the open research question whether encryption alone is a dependable protection mechanism in practice when considering an active adversary. To this end, we first build a software based memory encryption solution on a desktop system which mimics AMD's SME. Subsequently, we demonstrate a proof-of-concept fault attack on this system, by which we are able to extract the private RSA key of a GnuPG user. Our work suggests that transparent memory encryption is not enough to prevent active attacks.
△ Less
Submitted 12 December, 2016;
originally announced December 2016.
-
The Advantage of Truncated Permutations
Authors:
Shoni Gilboa,
Shay Gueron
Abstract:
Constructing a Pseudo Random Function (PRF) is a fundamental problem in cryptology. Such a construction, implemented by truncating the last $m$ bits of permutations of $\{0, 1\}^{n}$ was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary with $q$ queries, ${\bf Adv}_{n, m} (q)$, is small if $q = o (2^{(n+m)/2})$, established an upper bound on…
▽ More
Constructing a Pseudo Random Function (PRF) is a fundamental problem in cryptology. Such a construction, implemented by truncating the last $m$ bits of permutations of $\{0, 1\}^{n}$ was suggested by Hall et al. (1998). They conjectured that the distinguishing advantage of an adversary with $q$ queries, ${\bf Adv}_{n, m} (q)$, is small if $q = o (2^{(n+m)/2})$, established an upper bound on ${\bf Adv}_{n, m} (q)$ that confirms the conjecture for $m < n/7$, and also declared a general lower bound ${\bf Adv}_{n,m}(q)=Ω(q^2/2^{n+m})$. The conjecture was essentially confirmed by Bellare and Impagliazzo (1999). Nevertheless, the problem of {\em estimating} ${\bf Adv}_{n, m} (q)$ remained open. Combining the trivial bound $1$, the birthday bound, and a result of Stam (1978) leads to the upper bound \begin{equation*} {\bf Adv}_{n,m}(q) = O\left(\min\left\{\frac{q(q-1)}{2^n},\,\frac{q}{2^{\frac{n+m}{2}}},\,1\right\}\right). \end{equation*} In this paper we show that this upper bound is tight for every $0\leq m<n$ and any $q$. This, in turn, verifies that the converse to the conjecture of Hall et al. is also correct, i.e., that ${\bf Adv}_{n, m} (q)$ is negligible only for $q = o (2^{(n+m)/2})$.
△ Less
Submitted 19 January, 2021; v1 submitted 8 October, 2016;
originally announced October 2016.
-
How many queries are needed to distinguish a truncated random permutation from a random function?
Authors:
Shoni Gilboa,
Shay Gueron,
Ben Morris
Abstract:
An oracle chooses a function $f$ from the set of $n$ bits strings to itself, which is either a randomly chosen permutation or a randomly chosen function. When queried by an $n$-bit string $w$, the oracle computes $f(w)$, truncates the $m$ last bits, and returns only the first $n-m$ bits of $f(w)$. How many queries does a querying adversary need to submit in order to distinguish the truncated permu…
▽ More
An oracle chooses a function $f$ from the set of $n$ bits strings to itself, which is either a randomly chosen permutation or a randomly chosen function. When queried by an $n$-bit string $w$, the oracle computes $f(w)$, truncates the $m$ last bits, and returns only the first $n-m$ bits of $f(w)$. How many queries does a querying adversary need to submit in order to distinguish the truncated permutation from the (truncated) function?
In 1998, Hall et al. showed an algorithm for determining (with high probability) whether or not $f$ is a permutation, using $O(2^{\frac{m+n}{2}})$ queries. They also showed that if $m < n/7$, a smaller number of queries will not suffice. For $m > n/7$, their method gives a weaker bound. In this note, we first show how a modification of the approximation method used by Hall et al. can solve the problem completely. It extends the result to practically any $m$, showing that $Ω(2^{\frac{m+n}{2}})$ queries are needed to get a non-negligible distinguishing advantage. However, more surprisingly, a better bound for the distinguishing advantage can be obtained from a result of Stam published, in a different context, already in 1978. We also show that, at least in some cases, Stam's bound is tight.
△ Less
Submitted 16 December, 2014;
originally announced December 2014.
-
Balanced permutations Even-Mansour ciphers
Authors:
Shoni Gilboa,
Shay Gueron,
Mridul Nandi
Abstract:
The $r$-rounds Even-Mansour block cipher is a generalization of the well known Even-Mansour block cipher to $r$ iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al., for $r = 2, 3$. These attacks are only marginally better than brute force, but are based on an interesting observation (due to Nikolić et al.): for a "typical" permutation $P$, the distribution of…
▽ More
The $r$-rounds Even-Mansour block cipher is a generalization of the well known Even-Mansour block cipher to $r$ iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al., for $r = 2, 3$. These attacks are only marginally better than brute force, but are based on an interesting observation (due to Nikolić et al.): for a "typical" permutation $P$, the distribution of $P(x) \oplus x$ is not uniform. This naturally raises the following question. Call permutations for which the distribution of $P(x) \oplus x$ is uniform "balanced." Is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even-Mansour block cipher?
We show how to generate families of balanced permutations from the Luby-Rackoff construction, and use them to define a $2n$-bit block cipher from the $2$-rounds Even-Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of $\{0, 1\}^{2n}$, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o (2^{n/2})$. As a practical example, we discuss the properties and the performance of a $256$-bit block cipher that is based on our construction, and uses AES as the public permutation.
△ Less
Submitted 20 August, 2015; v1 submitted 1 September, 2014;
originally announced September 2014.