On the Impossibility of Cryptography with Tamperable Randomness

Abstract

We initiate a study of the security of cryptographic primitives in the presence of efficient tampering attacks to the randomness of honest parties. More precisely, we consider p-tampering attackers that may efficiently tamper with each bit of the honest parties’ random tape with probability p, but have to do so in an “online” fashion. Our main result is a strong negative result: We show that any secure encryption scheme, bit commitment scheme, or zero-knowledge protocol can be “broken” with advantage \(\Omega (p)\) by a p-tampering attacker. The core of this result is a new algorithm for biasing the output of bounded-value functions, which may be of independent interest. We also show that this result cannot be extended to primitives such as signature schemes and identification protocols: assuming the existence of one-way functions, such primitives can be made resilient to -tampering attacks where n is the security parameter.

This is a preview of subscription content, log in to check access.

Notes

  1. 1.

    Let us remark that the simulation property of tamper-resilient compilers do not necessarily guarantee that if the sender algorithm is compiled into a “tamper-resilient” version, then the encryption scheme is tamper-resilient. This is due to the fact that the simulation property of those compilers only guarantee that an attacker cannot learn more from tampering with the sender strategy than it could have with black-box access to it. But in the case of encryption schemes, it is actually the input to the algorithm (i.e., the message to be encrypted) that we wish to hide (as opposed to some secret held by the algorithm).

  2. 2.

    In a stronger variant of tampering attacks, the attacker might be completely stateful and memorize the original values of the previous bits before and after tampering and also the places where the tampering took place, and use this extra information in its future tampering. Using the weaker stateless attacker of Definition 3.1 only makes our negative results stronger. Our positive results hold even against stateful attackers.

  3. 3.

    The auxiliary input could, e.g., be the information that the tampering algorithm receives about the secret state of the tampered party; this information might not be available at the time the tampering circuit is generated by the adversary.

  4. 4.

    The input length m could potentially be much smaller than the security parameter \(\kappa \).

  5. 5.

    This could be achieved, e.g., by switching to choosing \((1-f)\) with provability 0.5 whenever f is sampled from \({\mathcal F}\). This modification gives us the desired property while preserving the pairwise independence of \({\mathcal F}\).

  6. 6.

    If the scheme was public-key this would not be necessary as the whole description of T could depend on \(\mathsf {pk}\).

  7. 7.

    More formally, for this statement to be true, we need the event E that the security is broken to be efficiently recognizable.

References

  1. 1.

    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) Theory of Cryptography, 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15-17, 2009. Proceedings, volume 5444 of Lecture Notes in Computer Science, pp. 474–495. Springer, Berlin (2009)

  2. 2.

    Anderson, R., Kuhn, M.: Tamper resistance—a cautionary note. In: Proceedings of the Second USENIX Workshop on Electronic Commerce, pp. 1–11, November (1996)

  3. 3.

    One, A.: Smashing the stack for fun and profit. Phrack Magazine, 7(49):File 14 (1996)

  4. 4.

    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT (1997)

  5. 5.

    Brakerski, Z., Kalai, Y. T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: FOCS, pp. 501–510. IEEE Computer Society (2010)

  6. 6.

    Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In CRYPTO, pp. 80–97 (1999)

  7. 7.

    Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Advances in Cryptology–CRYPTO 2014, pp. 1–19. Springer (2014)

  8. 8.

    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: CRYPTO: Proceedings of Crypto (1997)

  9. 9.

    Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: STOC, pp. 235–244 (2000)

  10. 10.

    Choi, S.G., Kiayias, A., Malkin, T.: BiTR: Built-in tamper resilience. In: Lee, D.H., Wang, X. (eds.) Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4–8, 2011. Proceedings, Volume 7073 of Lecture Notes in Computer Science, pp. 740–758. Springer (2011)

  11. 11.

    Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, Daniele (ed.) Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010. Proceedings, volume 5978 of Lecture Notes in Computer Science, pp. 361–381. Springer (2010)

  12. 12.

    Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: FOCS, pp. 511–520. IEEE Computer Society (2010)

  13. 13.

    Dodis, Y., Oliveira, R.: On extracting private randomness over a public channel. In: RANDOM: International Workshop on Randomization and Approximation Techniques in Computer Science. LNCS (2003)

  14. 14.

    Dodis, Y., Ong, S.J., Prabhakaran, M., Sahai, A.: On the (im)possibility of cryptography with imperfect randomness. In: FOCS: IEEE Symposium on Foundations of Computer Science (FOCS) (2004)

  15. 15.

    Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302. IEEE Computer Society (2008)

  16. 16.

    Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: Chi-Chih Yao, A. (ed.) ICS, pp. 434–452. Tsinghua University Press, Tsinghua (2010)

    Google Scholar 

  17. 17.

    Dachman-Soled, D., Kalai, Y.T.: Securing circuits against constant-rate tampering. IACR Cryptol. ePrint Arch. 2012, 366 (2012). (informal publication)

    MATH  Google Scholar 

  18. 18.

    Feldman, A.J., Benaloh, J.: On subliminal channels in encrypt-on-cast voting systems. In: Proceedings of the 2009 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, EVT/WOTE’09, pp. 12–12, Berkeley, CA, USA, 2009. USENIX Association

  19. 19.

    Faust, S., Pietrzak, K., Venturi, D.: Tamper-proof circuits: how to trade leakage for tamper-resilience. ICALP 1, 391–402 (2011)

    MathSciNet  MATH  Google Scholar 

  20. 20.

    Frykholm, N.: Countermeasures against buffer overflow attacks. Technical report, RSA Data Security, Inc., pub-RSA:adr (November 2000)

  21. 21.

    Gennaro, R., Lysyanskaya, A., Malkin, T., Micali, S., Rabin, T.: Al-gorithmic tamper-proof (atp) security: theoretical foundations for security against hardware tampering. In: Naor, M. (ed.) TCC, Volume 2951 of Lecture Notes in Computer Science, pp. 258–277. Springer (2004)

  22. 22.

    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

    MathSciNet  Article  MATH  Google Scholar 

  23. 23.

    Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994)

    MathSciNet  Article  MATH  Google Scholar 

  24. 24.

    Goldwasser, S., Rothblum, G.N.: How to compute in the presence of leakage. SIAM J. Comput. 44(5), 1480–1549 (2015)

    MathSciNet  Article  MATH  Google Scholar 

  25. 25.

    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium (August 2012)

  26. 26.

    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

    MathSciNet  Article  MATH  Google Scholar 

  27. 27.

    Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), pp. 230–235 (1989)

  28. 28.

    Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits II: keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings, Volume 4004 of Lecture Notes in Computer Science, pp. 308–327. Springer (2006)

  29. 29.

    Kamara, S., Katz, J.: How to encrypt with a malicious random number generator. In: Fast Software Encryption, pp. 303–315. Springer (2008)

  30. 30.

    Kalai, Y.T., Kanukurthi, B., Sahai, A.: Cryptography with tamperable and leaky memory. In: CRYPTO, pp. 373–390 (2011)

  31. 31.

    Kalai, Y.T., Li, X., Rao, A. 2-source extractors under computational assumptions and cryptography with defective randomness. In: FOCS, pp. 617–626. IEEE Computer Society (2009)

  32. 32.

    Kalai, Y.T., Lewko, A., Rao, A.: Formulas resilient to short-circuit errors. In: Foundations of Computer Science (FOCS), 2012 IEEE 53rd Annual Symposium on, pp. 490–499. IEEE (2012)

  33. 33.

    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO, Volume 7417 of Lecture Notes in Computer Science, pp. 626–642. Springer (2012)

  34. 34.

    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Ron was wrong, whit is right. Cryptology ePrint Archive, Report 2012/064, 2012. http://eprint.iacr.org/

  35. 35.

    Liu, F.-H., Lysyanskaya, A.: Algorithmic tamper-proof security under probing attacks. In: SCN, pp. 106–120 (2010)

  36. 36.

    Liu, F.-H., Lysyanskaya, A.: Tamper and leakage resilience in the split-state model. In: Crypto (2012)

  37. 37.

    Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: Theory of Cryptography Conference (TCC), LNCS, vol. 1 (2004)

  38. 38.

    Pincus, J.D., Baker, B.: Beyond stack smashing: recent advances in exploiting buffer overruns. IEEE Secur. Priv. 2(4), 20–27 (2004)

    Article  Google Scholar 

  39. 39.

    Rothblum, G.N.: How to compute under \({\cal AC}^{0}\) leakage without secure hardware. In: Safavi-Naini, R., Canetti, R. (ed.) CRYPTO, Volume 7417 of Lecture Notes in Computer Science, pp. 552–569. Springer (2012)

  40. 40.

    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    MathSciNet  Article  MATH  Google Scholar 

  41. 41.

    Simmons, G.J.: Subliminal channels; past and present. ETT 5(4), 15 (1994)

    Google Scholar 

  42. 42.

    Santha, M., Vazirani, U.V.: Generating quasi-random sequences from semi-random sources. J. Comput. Syst. Sci. 33(1), 75–87 (1986)

    Article  MATH  Google Scholar 

  43. 43.

    Young, A., Yung, M.: The dark side of ‘black-box’ cryptography, or: Should we trust capstone?. In: CRYPTO: Proceedings of Crypto (1996)

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Mohammad Mahmoody.

Additional information

P. Austrin: Work done while at Univ. of Toronto, funded by NSERC.

K.-M. Chung: Supported in part by NSF Award CNS-1217821.

M. Mahmoody: Supported by NSF CAREER award CCF-1350939.

R. Pass: Pass is supported in part by a Alfred P. Sloan Fellowship, Microsoft New Faculty Fellowship.

Karn Seth: Work done while at Cornell.

NSF Award CNS-1217821, NSF CAREER Award CCF-0746990, NSF Award CCF-1214844, AFOSR YIP Award FA9550-10-1-0093, and DARPA and AFRL under contract FA8750-11-2- 0211. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Austrin, P., Chung, K., Mahmoody, M. et al. On the Impossibility of Cryptography with Tamperable Randomness. Algorithmica 79, 1052–1101 (2017). https://doi.org/10.1007/s00453-016-0219-7

Download citation

Keywords

  • Tampering
  • Randomness
  • Encryption