Cryptography on Non-Trusted Machines

Final Report Summary - CNTM (Cryptography on Non-Trusted Machines)


The goal of this project was to study methods for protecting cryptographic schemes against attacks on the cryptographic devices on which these schemes are implemented. Examples of such attacks include malicious software intrusions (e.g. viruses), the so-called side channel attacks (where the adversary obtains information about the cryptographic hardware by, e.g., measuring its power consumption), and tampering attacks, where the adversary alters the behavior of the device by maliciously modifying it.

Our main principle was to construct cryptographic schemes whose security can be argued in a formal way. Typically, such a formal approach consists of the following steps: (1) define a mathematical model that captures some real-life attack scenario, (2) construct a cryptographic scheme, and (3) prove formally that the scheme constructed in Step (2) is secure in the model defined in Step (1). Obviously, what constitutes a ``real-life attack model'' is debatable, and in fact there is a vibrant discussion in the scientific community about it. Scientists with a more theoretical background usually strive for the mathematical elegance of the model, while practitioners care more about how realistic the model is.

Our initial approach was more theory-inspired. For example, we constructed schemes secure under a mathematically natural model in which the memory of the attacked device is divided into two parts that the adversary can only attack ``independently''. As it turns out, this model has a lot to do with the theory of ``two-source randomness extractors'', which has been investigated in computer science since the 1980s. These observations allowed us to construct several interesting cryptographic schemes. Fortunately, as it recently turned out, these schemes, although originating in theoretical work, in fact perform very well when implemented in practice.

Towards the end of the project we became increasingly interested in bridging the gap between the ``theoretical'' and the ``practical'' models in this area. These efforts resulted in a recent paper that won the Best Paper Award at EUROCRYPT 2014, which is one of the two most prestigious annual conferences in the area of cryptography. In this paper we show close connections between the ``noisy leakage model'' (used by the practitioners) and the ``probing model'' (developed by the theoreticians).
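To make the ``probing model'' concrete, the following added example (not code from the project or the paper) illustrates the security notion it formalises: an adversary who can read (``probe'') a bounded number t of intermediate values must learn nothing about the secret. The standard countermeasure analysed in this model is Boolean masking, where a secret is split into n random shares whose XOR equals the secret. The toy share width (4 bits), the function names and the exhaustive-enumeration check are all choices made here for illustration; the code computes the exact distribution of what a t-probing adversary sees and verifies that it does not depend on the secret as long as t < n, while probing all n shares (t = n) trivially reveals it.

```python
from collections import Counter
from itertools import combinations, product

BITS = 4                     # toy share width, chosen so exhaustive enumeration is cheap
MASK = (1 << BITS) - 1


def mask_secret(secret, randomness):
    """Boolean masking: split `secret` into len(randomness) + 1 shares whose
    XOR equals `secret`. The random values become the first shares; the
    last share is computed so that the XOR relation holds."""
    last = secret & MASK
    for r in randomness:
        last ^= r
    return list(randomness) + [last]


def unmask(shares):
    """Recombine the shares (XOR of all of them) to recover the secret."""
    out = 0
    for s in shares:
        out ^= s
    return out


def probed_view_distribution(secret, n_shares, probe_positions):
    """Exact distribution of the adversary's view when probing the shares
    at `probe_positions`: enumerate every possible random tape, mask the
    secret with it and count the observed tuple of probed shares."""
    dist = Counter()
    for tape in product(range(1 << BITS), repeat=n_shares - 1):
        shares = mask_secret(secret, tape)
        dist[tuple(shares[i] for i in probe_positions)] += 1
    return dist


def probes_are_independent_of_secret(n_shares, t):
    """Probing-model check: for every choice of t probe positions, the view
    distribution must be identical whichever secret was masked. Here every
    possible secret is compared against the view obtained for secret 0."""
    for positions in combinations(range(n_shares), t):
        reference = probed_view_distribution(0, n_shares, positions)
        for secret in range(1, 1 << BITS):
            if probed_view_distribution(secret, n_shares, positions) != reference:
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: a 4-bit secret masked into three shares.
    shares = mask_secret(0b1011, (0b0011, 0b0111))
    print("shares:", shares, "recombined:", bin(unmask(shares)))
    # Two probes on three shares reveal nothing; three probes reveal everything.
    print("2 probes on 3 shares secret-independent:",
          probes_are_independent_of_secret(3, 2))
    print("3 probes on 3 shares secret-independent:",
          probes_are_independent_of_secret(3, 3))
```

The check is exact rather than statistical: with 4-bit shares and three shares there are only 256 random tapes, so the two distributions are compared as full histograms. Real masked implementations must additionally ensure that the computation on shares (not just their storage) never recombines more than t shares in a single observable value, which is exactly the kind of requirement the probing model makes precise.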

Other achievements of the project include: introducing the concept of non-malleable codes, which is a tool for protecting against tampering attacks; inventing a new model of leakage- and tamper-resilience based on the assumption that the space resources available to the adversary during the physical attacks are limited; and proposing a new method for protecting against active attacks based on CAPTCHA puzzles.

To summarize: our work demonstrated that the area of leakage- and tamper-resilience is an exciting line of research. We are sure that there are still many important research questions in this field and we plan to continue working on them.