Cryptology and network security 15th international conference, CANS 2016


LNCS 10052

Sara Foresti, Giuseppe Persiano (Eds.)

Cryptology and Network Security
15th International Conference, CANS 2016
Milan, Italy, November 14–16, 2016
Proceedings

Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison (Lancaster University, Lancaster, UK)
Takeo Kanade (Carnegie Mellon University, Pittsburgh, PA, USA)
Josef Kittler (University of Surrey, Guildford, UK)
Jon M. Kleinberg (Cornell University, Ithaca, NY, USA)
Friedemann Mattern (ETH Zurich, Zurich, Switzerland)
John C. Mitchell (Stanford University, Stanford, CA, USA)
Moni Naor (Weizmann Institute of Science, Rehovot, Israel)
C. Pandu Rangan (Indian Institute of Technology, Madras, India)
Bernhard Steffen (TU Dortmund University, Dortmund, Germany)
Demetri Terzopoulos (University of California, Los Angeles, CA, USA)
Doug Tygar (University of California, Berkeley, CA, USA)
Gerhard Weikum (Max Planck Institute for Informatics, Saarbrücken, Germany)

More information about this series at http://www.springer.com/series/7410

Editors
Sara Foresti (Università degli Studi di Milano, Crema, Italy)
Giuseppe Persiano (Università degli Studi di Salerno, Fisciano, Italy)

ISSN 0302-9743, ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-48964-3, ISBN 978-3-319-48965-0 (eBook)
DOI 10.1007/978-3-319-48965-0
Library of Congress Control Number: 2016955512
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing AG 2016

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper. This Springer imprint is published by Springer Nature. The registered company is Springer International Publishing AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Preface

These proceedings contain the papers selected for presentation at the 15th International Conference on
Cryptology and Network Security (CANS 2016), held in Milan, Italy, on November 14–16, 2016. The conference was held in cooperation with the International Association of Cryptologic Research and focuses on technical aspects of cryptology and of data, network, and computer security.

These proceedings contain 30 full papers (with an acceptance rate of 25.86 %) and 18 short papers selected by the Program Committee from 116 submissions. The proceedings also contain an extended abstract for the posters presented at the conference. The many high-quality submissions made it easy to build a strong program but also required rejecting good papers. Each submission was judged by at least three reviewers and the whole selection process included about six weeks of reading and discussion in the Program Committee.

The credit for the success of an event like CANS 2016 belongs to a number of people, who devoted their time and energy to put together the conference and who deserve acknowledgment. There is a long list of people who volunteered their time and energy to organize the conference, and who deserve special thanks. We would like to thank all the members of the Program Committee and all the external reviewers, for all their hard work in evaluating all the papers during the summer. We are grateful to CANS Steering Committee for their support. Thanks to Giovanni Livraga, for taking care of publicity and chairing local organization. We are very grateful to the local organizers for their support in the conference organization and logistics.

We would like to thank the keynote speakers for accepting our invitation to deliver a talk at the conference. Special thanks are due to the Università degli Studi di Milano for its support and for hosting the event, and to the Italian Association for Information Processing (AICA) for support in the secretarial and registration process.

Last but certainly not least, our thanks go to all the authors who submitted papers and posters and to all the conference’s
attendees. We hope you find the program of CANS 2016 interesting, stimulating, and inspiring for your future research.

November 2016
Sara Foresti
Pino Persiano
Pierangela Samarati

Organization

General Chair
Pierangela Samarati (Università degli Studi di Milano, Italy)

Program Chairs
Sara Foresti (Università degli Studi di Milano, Italy)
Giuseppe Persiano (Università degli Studi di Salerno, Italy)

Poster Chairs
Sara Foresti (Università degli Studi di Milano, Italy)
Giuseppe Persiano (Università degli Studi di Salerno, Italy)
Pierangela Samarati (Università degli Studi di Milano, Italy)

Publicity Chair
Giovanni Livraga (Università degli Studi di Milano, Italy)

Local Arrangements Chair
Giovanni Livraga (Università degli Studi di Milano, Italy)

Steering Committee
Yvo Desmedt, Chair (The University of Texas at Dallas, USA)
Juan A. Garay (Yahoo! Labs, USA)
Amir Herzberg (Bar Ilan University, Israel)
Yi Mu (University of Wollongong, Australia)
David Pointcheval (CNRS and ENS Paris, France)
Huaxiong Wang (Nanyang Technological University, Singapore)

Program Committee
Lejla Batina (Radboud University, The Netherlands)
Carlo Blundo (Università degli Studi di Salerno, Italy)
Henry Carter (Villanova University, USA)
Nishanth Chandran (Microsoft Research, India)
Yingying Chen (Stevens Institute of Technology, USA)
Sherman S.M. Chow (Chinese University of Hong Kong, Hong Kong)
Ricardo Dahab (IC-UNICAMP, Brazil)
Sabrina De Capitani di Vimercati (Università degli Studi di Milano, Italy)
Angelo De Caro (IBM Research, Zurich, Switzerland)
Yvo Desmedt (The University of Texas at Dallas, USA)
Nelly Fazio (City University of New York, USA)
Georg Fuchsbauer (Ecole Normale Supérieure, France)
Rosario Gennaro (City University of New York, USA)
Amir Herzberg (Bar Ilan University, Israel)
Vincenzo Iovino (University of Luxembourg, Luxembourg)
Rob Johnson (Stony Brook University, USA)
Florian Kerschbaum (SAP, Germany)
Aggelos Kiayias (University of Athens, Greece)
Albert Levi (Sabanci University, Turkey)
Ming Li (University of Arizona, USA)
Dongdai Lin (Chinese Academy of Sciences, China)
Peng Liu (The Pennsylvania State University, USA)
Javier Lopez (University of Malaga, Spain)
Steve Lu (Stealth Software Technologies Inc., USA)
Atsuko Miyaji (Osaka University/JAIST, Japan)
Evagelos Markatos (University of Crete, Greece)
Refik Molva (Eurecom, France)
Yi Mu (University of Wollongong, Australia)
Gregory Neven (IBM Research, Zurich, Switzerland)
Antonio Nicolosi (Stevens Institute of Technology, USA)
Svetla Nikova (KU Leuven, Belgium)
Emmanuela Orsini (University of Bristol, UK)
Panos Papadimitratos (KTH, Stockholm, Sweden)
Stefano Paraboschi (Università di Bergamo, Italy)
Gerardo Pelosi (Politecnico di Milano, Italy)
Benny Pinkas (Bar Ilan University, Israel)
Pierangela Samarati (Università degli Studi di Milano, Italy)
Nitesh Saxena (University of Alabama at Birmingham, USA)
Andreas Schaad (Huawei Research, Germany)
Dominique Schroeder (Saarland University, Germany)
Peter Schwabe (Radboud University, The Netherlands)
Willy Susilo (University of Wollongong, Australia)
Katsuyuki Takashima (Mitsubishi Electric, Japan)
Qiang Tang (University of Luxembourg, Luxembourg)
Meng Yu (University of Texas at San Antonio, USA)
Huaxiong Wang (Nanyang Technological University, Singapore)

External Reviewers
Hamza Abusalah Zakir Akram Duygu Karaoğlan Altop S Abhishek Anand Diego Aranha Tomer Ashur Seiko Arita Arash Atashpendar Pol Van Aubel Monir Azraoui Saikrishna Badrinarayanan Amos Beimel Daniel Bernau Jonas Boehler Carl Bootland Raphael Bost Christina Boura Florian Bourse Alexandre Braga Luigi Catuogno Rongmao Chen Michele Ciampi Guo Chun Mario Cornejo Joan Daemen Christophe Doche Kaoutar Elkhiyaoui Keita Emura Martianus Frederic Ezerman Nils Fleischhacker Atsushi Fujioka Yuichi Futa Marios Georgiou Esha Ghosh Rishab Goyal Le Guan Xue Haiyang Jin Han Wenhui Hu Yupeng Jiang Süleyman Kardaş Aniket Kate Akinori Kawachi Anselme Kemgne Tueno Mathias Kohler Anna Krasnova Ashutosh Kumar Jianchang Lai Russell W.F Lai Obbattu Sai Lakshmi Bhavana Hyung Tae
Lee Iraklis Leontiadis Hemi Leibowitz Bin Liu Meicheng Liu Naiwei Liu Yunwen Liu Zhen Liu Jose M Lopez Isis Lovecruft Atul Luykx Chang Lv Jack P.K Ma Mohammad Mamun Pedro Maat Massolino Peihan Miao Christoph Michel Shigeo Mitsunari Eduardo Morais Toru Nakanishi Luiz Navarro Ajaya Neupane Khoa Nguyen Hod Bin Noon Maciej Obremski Kazumasa Omote Adam O’Neill Melek Önen Stjepan Picek Fabio Piva Elizabeth Quaglia Srinivasan Raghuraman Manuel Reinert Oscar Reparaz Vincent Rijmen Ruben Rios Adeline Roux-Langlois Vipin Singh Sehrawat Sruthi Sekar Babins Shrestha Maliheh Shirvanian Roee Shlomo Prakash Shrestha Luisa Siniscalchi William Skeith Maciej Skórski Akshayaram Srinivasan Raymond K.H Tai Sri Aravinda Krishnan Thyagarajan Chenyang Tu Miguel Urquidi Cédric Van Rompay Dimitrios Vasilopoulos Gabriele Viglianisi Xiao Wang Xiuhua Wang Yongge Wang Harry W.H Wong Brecht Wyseur Tran Phuong Viet Xuan Bohan Yang Eunjung Yoon Libo Zhang Miaomiao Zhang Shiwei Zhang Tao Zhang Yongjun Zhao Jingyuan Zhao Jincheng Zhuang

Contents

Cryptanalysis of Symmetric Key

Linear Regression Attack with F-test: A New SCARE Technique for Secret Block Ciphers
Si Gao, Hua Chen, Wenling Wu, Limin Fan, Jingyi Feng, and Xiangliang Ma

Compact Representation for Division Property
Yosuke Todo and Masakatu Morii

An Automatic Cryptanalysis of Transposition Ciphers Using Compression
Noor R. Al-Kazaz, Sean A. Irvine, and William J. Teahan

Side-Channel Attacks and Implementation

Side-Channel Attacks on Threshold Implementations Using a Glitch Algebra
Serge Vaudenay

Diversity Within the Rijndael Design Principles for Resistance to Differential Power Analysis
Merrielle Spain and Mayank Varia

NEON-SIDH: Efficient Implementation of Supersingular Isogeny Diffie-Hellman Key Exchange Protocol on ARM
Brian Koziel, Amir Jalali, Reza Azarderakhsh, David Jao, and Mehran Mozaffari-Kermani

Lattice-Based Cryptography

Server-Aided Revocable Identity-Based Encryption from Lattices
Khoa Nguyen, Huaxiong Wang, and
Juanyang Zhang

Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography
Patrick Longa and Michael Naehrig

An Efficient Lattice-Based Multisignature Scheme with Applications to Bitcoins
Rachid El Bansarkhani and Jan Sturm

748 C.-A. Toli et al.

single matching module in the context of security and reliability. In general, it is indisputable that biometrics fusion has a critical role to play in identification systems and different fusion mechanisms work differently for every combination of data, rules and tools, while optimality is conflicting with regard to the retrieval performance rates. Furthermore, identity-purposed databases for online authentication mechanisms, seriously enhance risks from different perspectives and for each assessment separately. MPC restricts the misuses of private biometric information at the levels required by realistic applications. Future solutions for these major issues can support the feasibility of large-scale privacy enhancing biometric identity management technologies.

Acknowledgements. This work was supported in part by the Research Council KU Leuven: C16/15/058. In addition, it will contribute to ICT programme under contract FP7-ICT-2013-10-SEP-210076296 PRACTICE of the European Commission through the Horizon 2020 research and innovation programme.

Hybrid WBC: Secure and Efficient White-Box Encryption Schemes

Jihoon Cho (1), Kyu Young Choi (1), Orr Dunkelman (2), Nathan Keller (3), Dukjae Moon (1), and Aviya Vaidberg (3)

(1) Security Research Group, Samsung SDS, Inc., Seoul, Republic of Korea, {jihoon1.cho,ky12.choi,dukjae.moon}@samsung.com
(2) Computer Science Department, University of Haifa, Haifa, Israel, orrd@cs.haifa.ac.il
(3) Department of Mathematics, Bar-Ilan University, Ramat-Gan, Israel, nkeller@math.biu.ac.il, aviya.v5@gmail.com

Abstract. White-box cryptography aims at providing security against an adversary that has access to the encryption process. Numerous white-box encryption schemes were proposed since the introduction of white-box cryptography by Chow et al. in 2002. However, most of them are slow, and thus, can be used in practice only to protect very small amounts of information, such as encryption keys. In this extended abstract we present a new threat model for white-box cryptography
which corresponds to the practical abilities of the adversary in a wide range of applications. Furthermore, we study design criteria for white-box primitives that are important from the industry point of view. Finally, we propose a class of new primitives that combine a white-box algorithm with a standard block cipher to obtain white-box protection for encrypting long messages, with high security and reasonable performance.

© Springer International Publishing AG 2016. S. Foresti and G. Persiano (Eds.): CANS 2016, LNCS 10052, pp. 749–754, 2016. DOI: 10.1007/978-3-319-48965-0_55

Introduction

The white-box threat model in secret-key cryptography, introduced by Chow et al. [4] in 2002, considers an adversary that has access to all information about the encryption process, and can even change parts of it at will.

The range of applications in which the white-box threat model is relevant is already extensive and continues to grow rapidly. One example is the Digital Rights Management (DRM) realm, where the legitimate user (who, of course, has full access to the encryption process), may be adversarial. Another example is resource-constrained Internet-of-Things (IoT) devices applied in an insecure environment (like RFID tags on the products in a supermarket). Yet another example is smartphones and public cloud services. While certain security-critical services in such devices are provided with support of hardware security features, such as ‘secure element’ or TrustZone in mobile devices or ‘hardware security modules’ in the cloud, most services are implemented as software operating within Rich OS. The main reasons for that are low cost, development efficiency and complicated ecosystems. As a result, the cryptographic implementations are vulnerable to a wide variety of attacks in which the adversary has ‘white-box’ capabilities.

The ever-growing range of applications where the white-box threat model is relevant necessitates devising secure and efficient solutions for
white-box cryptography. And indeed, numerous white-box primitives were proposed since the introduction of white-box cryptography in 2002. These primitives can be roughly divided into two classes.

The first class includes algorithms which take an existing block cipher (usually AES or DES), and use various methods to ‘obfuscate’ the encryption process, so that a white-box adversary will not be able to extract the secret key. Pioneered by Chow et al. [4], this approach was followed by quite a few designers. An advantage of these designs is their relation to the original ciphers, which makes transition to the white-box primitive and compatibility with other systems much easier. Unfortunately, most of these designs were broken by practical attacks a short time after their presentation. In addition, all designs of this class are orders of magnitude slower than the ‘black-box’ primitives they are based upon.

The second class includes new block ciphers designed especially with white-box protection in mind, like the ASASA and SPACE families [1,2]. An important advantage of these designs is their better performance and higher security (though, some of them were also broken, see [5]). On the other hand, transition from existing designs to the entirely new ciphers is not an easy task, and so, quite often commercial users will be reluctant to make such a major change in the design.

In this extended abstract we propose a class of new primitives which provide strong security with respect to a ‘real-life’ white-box adversary, and on the other hand, are convenient for practical use – meaning that the performance is reasonable and that transition from currently used primitives to the new primitives is relatively easy.

To this end, in Sect we present a new threat model for white-box cryptography which corresponds to the practical abilities of the adversary in a wide range of applications. Once the security model is set, we study design criteria for white-box primitives that are important from the
industry point of view. In Sect we propose a class of new primitives that combine a white-box algorithm with a standard block cipher to obtain white-box protection for encrypting long messages, with high security and reasonable performance. Preliminary security analysis of the new primitives, along with a comparison with previous works, can be found in the full version of this paper [3].

Practical Requirements and Design Strategy

2.1 Security Requirements – A New Threat Model

Unlike the classical black-box model, in white-box cryptography the abilities of the adversary are not clearly defined, and different threat models are implicitly used by different authors.

The works of Chow et al. [4] and their successors implicitly assume that there is a part of the encryption process, called external encoding, which is performed outside of the encryption device and cannot be accessed by the white-box adversary. Such an assumption is not realistic in scenarios where the entire encryption process is implemented in software.

Instead, we propose the following threat model, which is relevant in a wide variety of realistic scenarios. Assume that the same white-box encryption scheme is used in many devices, with at most a small difference between them (e.g., a unique identification number that is used in the encryption process). Further, assume that the adversary can mount an ‘expensive’ white-box attack on at most a few devices (e.g., by purchasing them and then analyzing in depth), and he wants to break the encryption of all other devices.

Formally, we assume that the adversary has a white-box access to several devices from the family and only black-box access to all devices in the family. Using the white-box access, the adversary can obtain full information on the devices he took control of. His goal is to break the encryption schemes of all other devices. Thus, the security goal in this model can be thought of as
minimizing the damage from one-time compromise.

Our threat model is well suited for IoT environments. IoT devices are usually manufactured on a production line that simply assembles flash memories programmed with the same binary, including cryptographic keys, i.e., the same cryptographic keys are shared across multiple devices. This is because it would be quite expensive to embed separate keys into each device either in production lines or by consumers; additional key-embedding process and related key management, as well as adding UX layers to IoT devices, generally require considerable cost. In such an IoT environment, an adversary may implement the white-box attack for a single device, and try to compromise the whole system using the obtained key or any critical information, along with capabilities from the conventional black-box model.

We note that this threat model does not fit all applications of white-box cryptography. However, it seems relevant in sufficiently many scenarios for being considered specifically.

2.2 Performance and Cost Requirements

While industry accepts the need for strong security of the algorithms, it is often the case that practical efficiency considerations are prioritized by commercial users over security considerations. Hence, if we want to design a primitive that will be employed in practice, we should take into account the main practical requirements from the industry point of view. The main two design criteria we concentrate on are the following:

1. Reasonable performance. Previously suggested white-box algorithms except the SPACE family are 12 to 55 times slower than AES. White-box primitives have thus been used to protect relatively small sizes of data. We aim at using the white-box primitive to protect large amounts of data, and so, the encryption speed must be reasonably fast – ideally, almost as fast as the AES.

2. Low transition cost. The new architecture should be designed so as to minimize the modification of the existing development
or manufacturing process related to cryptographic implementations. Interestingly, this may be the most important factor for commercial adoption in reality.

2.3 Design Strategies

The practical requirements listed above lead to the following design considerations.

First, if we use a white-box algorithm to encrypt each block of the message then the performance of the resulting encryption scheme is the same as that of the white-box algorithm. For most of the currently existing white-box algorithms, this means that the scheme is very slow. Moreover, even for the SPACE family whose members are not so slow, standard ‘software obfuscation techniques’ aimed at protecting the security of the running code, make the encryption process much slower, and thus too slow for our purposes. As a result, it is desirable to use the white-box algorithm to encrypt only part of the message blocks, and encrypt most blocks with a ‘classical’ algorithm.

Second, almost all existing solutions for data protection in data communication such as SSL, TLS and SSH are based on a shared secret (e.g. session key). Designers of some solutions for data communication want to apply this session key in white-box encryption with minimum modification of their cryptographic implementation. However, they cannot use this key directly in a white-box scheme since the initiation of a white-box algorithm is slow and in general is separate from the running environment. In addition, in many cases users request a certificate algorithm to be used in their implementation. Hence, we aim at applying a session key directly in the components of our scheme, except the white-box algorithm.

Third, the most effective way to minimize the damage from one-time compromise is to encrypt each message by a one-time key which is protected by white-box algorithms. However, managing these one-time keys is a big burden and existing key exchange protocols do not provide a one-time session key. Thus, we will encrypt the nonce by a white-box algorithm and use it in
the encryption process as a replacement for a one-time key.

The New Primitives

3.1 General Structure and Security Goals

Our primitives use two separate keys – one for a white-box primitive and another for a ‘classical’ encryption algorithm (e.g., AES), where the white-box algorithm is only used for encryption of a nonce (e.g., initial vector (IV) or a counter) while the classical algorithm is used for encryption of plaintexts. The keys K1 and K2 are assumed to be permanent and may be shared by many devices, while the nonce is changed in every encryption session.

We restrict the use of our scheme to encrypting messages of length at most 2^64 blocks in a single session (i.e. without rekeying). Furthermore, as common in nonce-based algorithms, we do not allow re-use of the nonce.

The security level we aim at is data complexity of 2^64 and memory and time complexities of 2^80. That is, any white-box attack that can recover the secret key K1, or distinguish our scheme from random, or recover part of the plaintext in a non-compromised session, should require either more than 2^64 messages, or more than 2^80 time or more than 2^80 memory.

3.2 The New Hybrid White-Box Schemes

In this subsection we present two new hybrid white-box schemes, which – according to our preliminary analysis – are secure in the white-box model.

Fig. 1. F-CTR-WBC: a white-box variant of AES-CTR with a 256-bit block and a feed-forward operation

The first scheme, called F-CTR-WBC and presented in Fig 1, is similar to the standard CTR mode of operation using the AES block cipher, but with three differences. First, a counter CTR is encrypted using a white-box primitive (e.g., white-box-AES or a member of the SPACE family). Second, the scheme contains a feed-forward operation (in order to thwart a trivial attack in the white-box model presented in [3]). Third, the block length is increased to 256 bits (e.g., by using Rijndael-256 instead of AES), in order to make
a time-memory tradeoff attack presented in [3] infeasible. Our experiments show that this scheme is only 1.3 times slower than AES-CTR.

The second scheme we propose, presented in Fig 2, is a bit more complex, using AES with feed-forward also in the counter update function. If the full AES is used in both layers of the scheme, it is almost two times slower than F-CTR-WBC with Rijndael-256. However, as the upper layer is used mainly to reduce the relation between consecutive inputs to the second-layer AES and their relation to the initial CTR, it is actually sufficient to use 3-round AES-128 in the upper layer. As a result, this scheme has roughly the same performance as F-CTR-WBC presented above.

Initial security analysis of both schemes is presented in [3].

Fig. 2. UF-CTR-WBC: a two-layered variant with feed-forwards

References

1. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014)
2. Bogdanov, A., Isobe, T.: White-box cryptography revisited: space-hard ciphers. In: Proceedings of Computer and Communications Security (CCS 2015), pp. 1058–1069. ACM (2015)
3. Cho, J., Choi, K.Y., Dunkelman, O., Keller, N., Moon, D., Vaidberg, A.: Hybrid WBC: Secure and Efficient White-Box Encryption Schemes, IACR eprint report 2016:679 (2016)
4. Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). doi:10.1007/3-540-36492-7_17
5. Gilbert, H., Plût, J., Treger, J.: Key-recovery attack on the ASASA cryptosystem with expanding S-boxes. In: Gennaro, R., Robshaw, M. (eds.)
CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 475–490. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_23

Moving in Next Door: Network Flooding as a Side Channel in Cloud Environments

Yatharth Agarwal (1), Vishnu Murale (2), Jason Hennessey (3), Kyle Hogan (3), and Mayank Varia (3)

(1) Phillips Academy, Andover, USA, yagarwal@andover.edu
(2) Buckingham Browne & Nichols School, Cambridge, USA, vmurale@bbns.org
(3) Boston University, Boston, USA, {henn,klhogan,varia}@bu.edu

Abstract. Co-locating multiple tenants’ virtual machines (VMs) on the same host underpins public clouds’ affordability, but sharing physical hardware also exposes consumer VMs to side channel attacks from adversarial co-residents. We demonstrate passive bandwidth measurement to perform traffic analysis attacks on co-located VMs. Our attacks do not assume a privileged position in the network or require any communication between adversarial and victim VMs. Using a single feature in the observed bandwidth data, our algorithm can identify which of potential YouTube videos a co-resident VM streamed with 66 % accuracy. We discuss defense from both a cloud provider’s and a consumer’s perspective, showing that effective defense is difficult to achieve without costly under-utilization on the part of the cloud provider or over-utilization on the part of the consumer.

Keywords: Cloud privacy · Encrypted communication analysis · Network virtualization · Side channel · Traffic analysis

Introduction

In response to an increasingly digital age, researchers have developed cryptographic protocols to protect cyber-privacy. However, the gap between protocols’ physical implementations and the theoretical context in which they are usually considered introduces the potential for side channel attacks. Side channels are flows of information exposed by the physical implementation of a system and typically not included in any proofs of security [8]. For example, despite the encryption SSH performs on each keystroke, Song et al. extracted about bit of
information per pair of keystrokes from timing information on when the keystrokes were sent [9].

Y. Agarwal and V. Murale contributed equally.
© Springer International Publishing AG 2016. S. Foresti and G. Persiano (Eds.): CANS 2016, LNCS 10052, pp. 755–760, 2016. DOI: 10.1007/978-3-319-48965-0_56

The rise of cloud computing exacerbates the threat that side channels pose. Cloud providers issue customers virtual machines (VMs), often co-locating different customers’ VMs to increase resource utilization and amortize costs. Thus, a customer’s VM may be placed on the same host as a different, potentially adversarial VM. Ristenpart et al. and others have shown that a co-resident adversary can leverage this sharing of a physical platform, particularly the shared caches, to compromise the isolation of a victim’s VM [5,7].

Our contributions. This paper examines the network interface side channel. We empirically demonstrate load measurement and behavior profiling on two commercial cloud environments: DigitalOcean and the Massachusetts Open Cloud. Our raw data collection component is available in an open-source repository (see footnote 1).

Our experimental setup involves a malicious VM, denoted Flooder, that saturates the network interface to put its bandwidth in contention with that of the targeted co-resident customer’s VM, Victim. Data from test trials helped calibrate Flooder’s observations to estimate Victim’s load over time. Such data can be used to determine when a competitor’s traffic spikes or learn statistics about a cloud environment that doesn’t publish its utilization.

The raw data becomes more valuable when paired with encrypted communications analyses to determine, for example, which website Victim is visiting. After test trials had trained a classification algorithm, we showed the algorithm could identify which YouTube video Victim was streaming with 66 % accuracy compared to 33 % for random guessing.

This result represents a macro-approach relying on estimating bandwidth
instead of the usual micro-approach of collecting individual packets. Thus, we do not require Flooder to have a privileged position on the network or any kind of affiliation with the cloud provider. By contrast, previous work was conducted on local testbeds and furthermore required a malicious client to remain connected to Victim on the order of seconds to reliably measure throughput [1]. This limited potential targets to web or media servers that offered large downloads publicly. The single long connection cannot be substituted simply with short, repeated ones if Victim uses DDoS protection. Our threat model imposes no such restriction.

Environments

We consider two cloud tenants: an honest Victim and a malicious Flooder. As the name suggests, Flooder sends as many packets as the network can process; various choices for packet sizes, sleep times, and internet protocols are described in Sect. We assume that the cloud provider is a trusted entity whose switch usage data isn’t directly published. Additionally, we assume that the cloud provider is unaffiliated with adversaries, so Flooder cannot directly request co-residency with Victim. However, researchers have demonstrated indirect achievement of co-residency with specific victims on commercial clouds [1,4,7]. Therefore, we presume here that co-residency is achievable and build from there. We consider four scenarios.

¹ https://github.com/YatharthROCK/primes-data-collection

Environment A. Victim and Flooder occupied different MacBook Pros connected via Ethernet to the same LAN network. Both Victim and Flooder connected to clients over the internet via a 10 MB/s downlink.

Environment B. Victim and Flooder occupied different physical Sun v20z servers running Ubuntu 16.04 x64, and both connected to clients on the same LAN via a dedicated switch capable of a throughput of 12 MB/s.

Environment C. Victim and Flooder ran as different processes on a $10/mo VM running Ubuntu 14.04 x64 on
DigitalOcean, a production cloud. Both connected to clients on different VMs in the same data center, NYC-2.

Environment D. Victim and Flooder occupied co-located m1.medium VMs running Ubuntu 14.04 x64 on the Massachusetts Open Cloud (MOC), a production cloud environment. Both connected to different clients with a throughput on the order of 40 MB/s.

Load Measurement

With an increase in Victim’s network activity, we observed a corresponding decrease in Flooder’s throughput in all four environments described above, including two production clouds. We confirmed an inversely linear relationship and, on the basis of test runs, calibrated a tool to output an estimate for Victim’s load based on Flooder’s observations (see Fig. 1).

Fig. 1. Inverse linear relationship between Victim’s and Flooder’s throughput (in green and blue respectively). Left shows data collected in Environment C; Right shows data collected in Environment D. Right additionally overlays (in red) Flooder throughput in a follow-up trial without Victim activity. Note that the fluctuations in Flooder’s throughput due to Victim’s activity are distinguishably larger than those caused by unrelated environmental factors. (Color figure online)

Data collection used TCP instead of UDP. UDP sent packets fast enough to congest the network and thus achieved very low goodput. Having Flooder sleep between transmissions of UDP packets improved goodput until a point, after which goodput decreased again. We were not able to saturate the network interface enough with UDP for Victim’s and Flooder’s bandwidth to be in contention. Data was collected using 4000-byte packets as we determined this packet size resulted in the most consistent bandwidth across trials. Consistency in the bandwidth aids in distinguishing fluctuations in Flooder’s bandwidth caused by Victim’s activity from those caused by unrelated environmental factors. Even then, environmental noise was significantly higher in Environment D than in Environments A, B,
and C.

Profiling

Correlating data gathered from side channels with known behaviors makes the data much more meaningful. We demonstrate that the continuous estimate of Victim’s load from our tool in the previous section can serve as a foundation for encrypted communication analysis. We considered the case of streaming 4K YouTube videos and observed ‘bandwidth fingerprints’ unique to the video being streamed (see Fig. 2(a)). Variable bitrate (VBR) technology, which lets a higher bitrate be allocated to more complex segments of media files, contributes to this phenomenon [2]. We trained our classification algorithm on 60 trials of different videos using the feature of delays between bandwidth dips. After recursively weighing the importance of the dips, we fit the learning data with 75 % accuracy. On a new set of 60 trials, the trained algorithm achieved an accuracy of 66 % compared to the 33 % accuracy of random guessing (see Fig. 2(b)).

Fig. 2. Classification of YouTube video in Environment A. (a) Victim load while streaming the same video in multiple trials. (b) ROC curves for our algorithm (“33-66” curve represents random classification).

This result attests to the feasibility of determining which YouTube video Victim streamed with passive load measurement in the cloud as well as of applying other encrypted communication analysis attacks like those demonstrated by Dyer, Miller and others [3,6,9,10].

Counter-Measures and Future Vision

Each of the three agents that participate in this paper’s threat model (the cloud provider, the victim, and the adversary) faces trade-offs in defending or executing the presented attack.

A Cloud Provider’s Perspective

A provider has incentive to protect the privacy of customers’ information as loss of trust translates into loss of business. However, this can be at odds with overall utilization and thus the economies of scale offered by the cloud. Perfect co-resident isolation could be achieved,
for example, by dedicating a network port to each VM, but this would be prohibitively expensive, especially for VMs that are relatively small compared to the host. Future work exploring this tradeoff would seek to identify what level of network isolation is required (such as switch- or hypervisor-based methods) to render network flooding attacks ineffective in specific scenarios.

A second approach would be to automatically detect flooding activity within the cloud. Cloud providers could then thwart the attack by terminating suspicious VMs, migrating them to another host, or rate limiting their traffic. Each option comes with its own tradeoffs: terminating a VM without notice could violate service level agreements, migrating VMs could be prohibitively costly and would not prevent the VM from attacking any tenants on its new host, and rate limiting would need to balance network utilization with privacy protection.

A Customer’s Perspective

A tenant on a cloud can thwart attackers’ attempts by preventing them from becoming co-located with his or her VMs [7]. To achieve this, he or she can provision VMs so as to consume the resources of an entire physical host or take advantage of host isolation options like Amazon EC2’s Dedicated Hosts. Many clouds including the MOC allow customers to create affinity groups which preferentially co-locate their own machines. Alternatively, customers can try to mask their signal by adding bandwidth noise, though this can be difficult to do efficiently and might incur additional costs [3].

An Adversary’s Perspective

Improving the presented attack encompasses increasing the accuracy and precision of the data gathered via the flooding technique as well as improving the analysis of that data. Using UDP instead of TCP to flood Victim promises improvements due to UDP’s statelessness, allowing increased control over packet timing and size. Additionally, having a malicious client connect directly to Victim, as done in [1], would help to control for
environmental fluctuation in Flooder’s client’s throughput. To work around provider rate limits, a promising avenue of research includes micro-bursts, flooding for brief periods of time, as well as using multiple Flooders working together. In terms of analysis, a more intelligent classifier trained on a greater number of features would allow for more accurate YouTube video identification, especially as the number of videos Victim could potentially have streamed increases.

Acknowledgements

We would like to acknowledge the MIT PRIMES program and thank in particular Dr. Slava Gerovitch and Dr. Srini Devadas for their support. We are also grateful to Boston University, the Hariri Institute, and the Massachusetts Open Cloud. This paper is based upon work supported by the National Science Foundation under Grants No. 1414119 and 1413920.

References

1. Bates, A.M., Mood, B., Pletcher, J., Pruse, H., Valafar, M., Butler, K.R.B.: Detecting co-residency with active traffic analysis techniques. In: Proceedings of the 2012 ACM Workshop on Cloud Computing Security, pp. 1–12. ACM (2012)
2. Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010, pp. 191–206. IEEE Computer Society, Washington (2010)
3. Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-boo, I still see you: why efficient traffic analysis countermeasures fail. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 332–346. IEEE Computer Society, Washington (2012)
4. Herzberg, A., Shulman, H., Ullrich, J., Weippl, E.R.: Cloudoscopy: services discovery and topology mapping. In: Proceedings of the 2013 ACM Cloud Computing Security Workshop, CCSW 2013, pp. 113–122. ACM (2013)
5. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: 2015 IEEE Symposium on Security and Privacy, pp. 605–622, May 2015
6. Miller, B., Huang, L., Joseph, A.D., Tygar, J.D.: I know why you went to the clinic: risks and realization of HTTPS traffic analysis. CoRR abs/1403.0297 (2014)
7. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, pp. 199–212. ACM (2009)
8. Rohatgi, P.: Side-channel attacks. In: Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management, vol. Wiley (2006)
9. Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: 10th USENIX Security Symposium. USENIX (2001)
10. Wright, C.V., Ballard, L., Monrose, F., Masson, G.M.: Language identification of encrypted voip traffic: Alejandra y roberto or alice and bob? In: Proceedings of 16th USENIX Security Symposium, SS 2007, pp. 4:1–4:12. USENIX Association, Berkeley (2007)
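Added example, not code from the paper: one way a provider could implement the automatic flood detection mentioned under "A Cloud Provider's Perspective", run on constructed per-VM throughput samples. The link capacity, thresholds, function name and VM names are assumptions chosen for illustration.

```python
# Added illustration, not the paper's tool: provider-side check for sustained NIC flooding.
from collections import defaultdict

LINK_CAPACITY = 40.0    # MB/s; assumed host link, order of magnitude of Environment D
SATURATED_AT = 0.90     # assumed: host link counts as saturated above 90 % of capacity
DOMINANT_SHARE = 0.50   # assumed: a suspect VM carries at least half of the host's traffic
MIN_RUN = 5             # assumed: consecutive suspicious samples required before flagging


def find_flooders(samples):
    """samples: one dict {vm_id: MB/s} per sampling interval, all for the same host.

    Returns {vm_id: longest run} for VMs that kept the link saturated while
    carrying the dominant share of traffic for at least MIN_RUN intervals in a row.
    """
    run = defaultdict(int)
    longest = defaultdict(int)
    for interval in samples:
        total = sum(interval.values())
        saturated = total >= SATURATED_AT * LINK_CAPACITY
        for vm in set(run) | set(interval):
            if saturated and interval.get(vm, 0.0) >= DOMINANT_SHARE * total:
                run[vm] += 1
                longest[vm] = max(longest[vm], run[vm])
            else:
                run[vm] = 0
    return {vm: n for vm, n in longest.items() if n >= MIN_RUN}


# Constructed samples (MB/s). Host 1: one tenant absorbs whatever bandwidth the
# other leaves free, the inverse relationship the paper measures.
victim_load = [2, 2, 15, 18, 15, 2, 2, 2]
HOST_1 = [{"vm-a": float(v), "vm-b": 39.0 - v} for v in victim_load]
# Host 2: a short legitimate bulk transfer saturates the link for three samples.
HOST_2 = [{"vm-c": 38.0, "vm-d": 1.0}] * 3 + [{"vm-c": 1.0, "vm-d": 1.0}] * 5

if __name__ == "__main__":
    print("host 1:", find_flooders(HOST_1))
    print("host 2:", find_flooders(HOST_2))
```

The run length is the knob behind the trade-off the paper describes: a short run flags legitimate bulk transfers, which matters when the response is termination, migration or rate limiting.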
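Added example, not code from the paper: the "delays between bandwidth dips" feature from the Profiling section, used to check the bandwidth-noise masking described under "A Customer's Perspective" and what it costs. The trace, the midpoint dip threshold and the function names are assumptions; the paper does not say how dips are detected.

```python
# Added illustration, not the paper's classifier: does padding hide the
# dip-delay fingerprint, and how much extra traffic does it take?

def dip_delays(trace):
    """Gaps, in samples, between the starts of successive bandwidth dips.

    A dip is a sample below the midpoint of the observed range, so the
    observer's threshold adapts to whatever padding was applied.
    """
    threshold = (min(trace) + max(trace)) / 2
    starts = [i for i, rate in enumerate(trace)
              if rate < threshold and (i == 0 or trace[i - 1] >= threshold)]
    return [later - earlier for earlier, later in zip(starts, starts[1:])]


def pad_to_floor(trace, floor):
    """Add cover traffic so no sample falls below `floor`.

    Returns (padded_trace, overhead) with overhead = cover traffic / real traffic.
    A floor equal to the peak rate yields a constant-rate stream.
    """
    cover = [max(0, floor - real) for real in trace]
    padded = [real + extra for real, extra in zip(trace, cover)]
    return padded, sum(cover) / sum(trace)


# Constructed load trace in MB/s, one sample per second; the values are made up.
VIDEO_A = [8, 8, 2, 8, 8, 8, 2, 8, 8, 2, 8, 8]

if __name__ == "__main__":
    print("unpadded", dip_delays(VIDEO_A))
    for floor in (6, max(VIDEO_A)):
        padded, overhead = pad_to_floor(VIDEO_A, floor)
        print(f"floor {floor} MB/s: delays {dip_delays(padded)}, overhead {overhead:.0%}")
```

On this constructed trace, raising the floor to 6 MB/s costs about 15 % extra traffic and leaves the dip delays unchanged; only padding to the 8 MB/s peak, about 23 % extra, removes them.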

Date posted: 14/05/2018, 11:00
