Technische Universität Darmstadt, System Security Lab
Sadeghi, Schneider @ TU Darmstadt 2011 | Secure, Trusted and Trustworthy Computing, Part 1 | Advanced SFE

Advanced Topics in Secure Function Evaluation
Course Secure, Trusted and Trustworthy Computing, Part 1
System Security Lab, http://trust.cased.de
Technische Universität Darmstadt
Prof. Dr.-Ing. Ahmad-Reza Sadeghi
Dipl.-Inf. Thomas Schneider
January 21, 2011

Secure Function Evaluation (SFE)

Client C: private data x
Server S: private data y
public function f(·, ·)
z = f(x, y)

Applications
• Millionaires problem x < y [Yao86], ...
• Auctions [NaorPS99], ...
• Privacy-Preserving
  – Remote Diagnostics [BrickellPSW07], ...
  – Face Recognition [ErkinFGKLT09], ...
  – Medical Diagnostics [BarniFKLSS09], ...
  – ...
• ...

here: both parties semi-honest = honest but curious

Engineering SFE protocols

Figure labels: Task / Problem; Algorithm; SFE Protocol; Implementation; Measure Performance; Homomorphic Encryption (HE); Garbled Circuits (GC)

Goals:
1) Maximize Performance
2) Tool Support

This Lecture

1. Maximize Performance of SFE
• Improved Garbled Circuits (Free XOR)
• Modular SFE (GC+HE)
2. Tool Support
• TASTY (Tool for Automating Secure Two-partY computations)

Improved Garbled Circuits
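
SFE with Garbled Circuits (GC) [Yao86]

Client C: private data x = x_1, .., x_n
Server S: private data y = y_1, .., y_n

• Circuit (Server S): Boolean circuit for f(·, ·), e.g., x < y, with input wires x_1, y_1, x_2, y_2, ..., x_n, y_n, internal wires c_1, c_2, ... and output z
• Garbled Circuit $\tilde{C}$ (Client C): the same circuit on Garbled Values $\tilde{x}_1, \tilde{y}_1, \tilde{x}_2, \tilde{y}_2, \ldots, \tilde{x}_n, \tilde{y}_n, \tilde{c}_1, \tilde{c}_2, \ldots$, with a Garbled Table per gate

Garbled Table of a gate g with garbled output values $\tilde{c}_1^0, \tilde{c}_1^1$:
$E(\tilde{x}_1^0, \tilde{y}_1^0; \tilde{c}_1^{g(0,0)})$
$E(\tilde{x}_1^0, \tilde{y}_1^1; \tilde{c}_1^{g(0,1)})$
$E(\tilde{x}_1^1, \tilde{y}_1^0; \tilde{c}_1^{g(1,0)})$
$E(\tilde{x}_1^1, \tilde{y}_1^1; \tilde{c}_1^{g(1,1)})$

Protocol phases: Setup Phase, Online Phase
S → C: $\tilde{C}$, $\tilde{y}$
$(\tilde{x}; \bot) \leftarrow \mathrm{OT}(x; (\tilde{x}^0, \tilde{x}^1))$
C: $f(x, y) = \tilde{C}(\tilde{x}, \tilde{y})$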

Improved Garbled Circuits [KolesnikovS08]

• Improved GCs provide “free XOR gates”:
  – no communication (no garbled table)
  – negligible computation (XOR of bitstrings)
• Idea: Use related garbled values
  • S chooses fixed key difference $\Delta \in_R \{0,1\}^t$ (unknown to C)
  • S chooses related garbled values satisfying $\tilde{w}_i^0 = \tilde{w}_i^1 \oplus \Delta \in_R \{0,1\}^t$
• Free XOR: gate with input wires a, b and output wire c, with garbled values $\tilde{a}^0, \tilde{a}^1$, $\tilde{b}^0, \tilde{b}^1$, $\tilde{c}^0, \tilde{c}^1$
  S: set $\tilde{c}^0 = \tilde{a}^0 \oplus \tilde{b}^0$, $\tilde{c}^1 = \tilde{c}^0 \oplus \Delta$
  C: compute $\tilde{c} = \tilde{a} \oplus \tilde{b}$
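
Added example (not from the original slides or from [KolesnikovS08]): a Python sketch of the free-XOR idea above, in which S derives both garbled values of every wire from one secret ∆, so C evaluates an XOR gate by XORing two values while a non-XOR gate still needs a four-row garbled table. The circuit z = (x ⊕ y) ∧ w, the SHA-256-based row encryption, the zero-tag row check and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

T = 16  # label length t in bytes (assumed value)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def row_pad(a, b, gate_id):
    # SHA-256 over both input labels stands in for the encryption E(a, b; .)
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()

class Garbler:
    """Server S: knows Delta and both garbled values of every wire."""
    def __init__(self):
        self.delta = secrets.token_bytes(T)   # fixed key difference, hidden from C
        self.zero = {}                        # wire name -> garbled value for 0

    def labels(self, w):
        # (w^0, w^1) with w^1 = w^0 xor Delta
        return self.zero[w], xor(self.zero[w], self.delta)

    def input_wire(self, w):
        self.zero[w] = secrets.token_bytes(T)

    def xor_gate(self, a, b, c):
        # free XOR: c^0 = a^0 xor b^0, c^1 = c^0 xor Delta; no table is produced
        self.zero[c] = xor(self.zero[a], self.zero[b])

    def and_gate(self, a, b, c, gate_id):
        # non-XOR gate: four rows E(a^i, b^j; c^{g(i,j)}) in random order
        self.zero[c] = secrets.token_bytes(T)
        rows = []
        for i in (0, 1):
            for j in (0, 1):
                plain = self.labels(c)[i & j] + bytes(T)   # value || zero tag
                pad = row_pad(self.labels(a)[i], self.labels(b)[j], gate_id)
                rows.append(xor(pad, plain))
        secrets.SystemRandom().shuffle(rows)
        return rows

def eval_and(table, a, b, gate_id):
    """Client C: only the row matching its two garbled values yields a zero tag."""
    pad = row_pad(a, b, gate_id)
    for row in table:
        plain = xor(pad, row)
        if plain[T:] == bytes(T):
            return plain[:T]
    raise ValueError("no row decrypted")

def run(x, y, w):
    """Garble and evaluate z = (x xor y) and w; returns (z, garbled tables sent)."""
    s = Garbler()
    for name in ("x", "y", "w"):
        s.input_wire(name)
    s.xor_gate("x", "y", "d")
    tables = [s.and_gate("d", "w", "z", gate_id=1)]
    # C holds one garbled value per input wire (its own inputs obtained via OT)
    gx, gy, gw = s.labels("x")[x], s.labels("y")[y], s.labels("w")[w]
    gd = xor(gx, gy)                       # C: free XOR, no table needed
    assert gd == s.labels("d")[x ^ y]      # demo-only check of the related values
    gz = eval_and(tables[0], gd, gw, 1)
    return s.labels("z").index(gz), len(tables)
```

Only the AND gate contributes a table; the XOR gate costs C a single XOR of two t-byte strings.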
Further Operations
Additively homomorphic encryption allows multiplying a ciphertext $\mathrm{Enc}_{\mathrm{Add}}(m)$ by a plaintext constant $c > 0$ as
$\mathrm{Enc}_{\mathrm{Add}}(c \cdot m) = \mathrm{Enc}_{\mathrm{Add}}(m)^c$.
Similarly, multiplicatively homomorphic encryption allows exponentiating a ciphertext $\mathrm{Enc}_{\mathrm{Mul}}(m)$ with a constant $c > 0$ as
$\mathrm{Enc}_{\mathrm{Mul}}(m^c) = \mathrm{Enc}_{\mathrm{Mul}}(m)^c$.
Both can be computed efficiently with the square-and-multiply algorithm, which requires on average O(|c|) squarings and O(|c|/2) multiplications on ciphertexts.
Recall the square-and-multiply algorithm.
However, purely additively / multiplicatively homomorphic encryption does not allow multiplying / exponentiating two ciphertexts.
Sadeghi@TU Darmstadt, Schneider@RUB, 2010 Secure, Trusted and Trustworthy Computing, Part 1 Basics of Secure Computing 16 / 41
verify correctness

Circuits with Free XOR

• Build circuits with few non-XOR gates

ℓ-bit Multiplication Circuits

Textbook MUL:
$x \cdot y = \sum_{i=1}^{\ell} 2^{i-1} y_i \cdot x$

Fast MUL [KaratsubaO62]:
$x = x_h 2^{\lceil \ell/2 \rceil} + x_l$
$y = y_h 2^{\lceil \ell/2 \rceil} + y_l$
$z_h = x_h y_h$
$z_l = x_l y_l$
$z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$
$x \cdot y = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l$

TASTY and compare different protocols against each other and with existing SFE implementations: multiplication circuits and protocols based on GC or HE (§5.1), SFE of an AES circuit generated by the Fairplay compiler (§5.2), and SFE of large GCs (§5.3).

System Setup. All performance measurements are performed on two desktop PCs with Intel Core 2 Duo CPU (E6850) running at 3.00GHz and 4GB RAM connected via Gigabit Ethernet. The system runs on 64 bit Gentoo Linux with Python version 2.6.5, gmpy version 1.11 and GMP version 4.3.2. Unless stated otherwise, all measurements were performed for short-term security (cf. Table 4) and using point compression for elliptic curves (cf. §4.3).

5.1 Multiplication Circuits and Protocols

As arithmetic circuits can express arbitrary computations as sequence of additions and multiplications, multiplication is a fundamental basic operation. Indeed, the main difference between SFE protocols based on arithmetic and boolean circuits is the cost for multiplications. We present efficient multiplication circuits in §5.1.1 and compare the performance of secure multiplication protocols in §5.1.2.

5.1.1 Multiplication Circuits

Textbook Multiplication. The usual way of multiplying two unsigned ℓ-bit integers x and y, called “Textbook Method”, multiplies x with each bit of y and adds up all the properly shifted results according to the formula $x \cdot y = \sum_{i=0}^{\ell-1} x y_i 2^i$. This results in a circuit with $2\ell^2 - \ell$ non-XOR 2-input gates [28].

Karatsuba Multiplication. As observed by Karatsuba [26], multiplication can be performed more efficiently using the following recursive method (details in Algorithm 1): x and y are split into two halves as $x = x_h 2^{\lceil \ell/2 \rceil} + x_l$ and $y = y_h 2^{\lceil \ell/2 \rceil} + y_l$. Then, the product can be computed as $xy = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l$. After computing $z_h = x_h y_h$ and $z_l = x_l y_l$, $z_d$ can be computed with only one multiplication as $z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$. This process is continued recursively until the numbers are sufficiently small (ℓ = 19 in our case as described below) and multiplied with the classical school method. Overall, multiplying two ℓ bit numbers with Karatsuba’s method requires three multiplications of ℓ/2 bit numbers and some additions and subtractions with linear bit complexity resulting in costs

$T_{Kara}(\ell) = 3\,T_{Kara}(\ell/2) + c\ell + d$

for constants c and d. The master theorem [8, §4.3f] yields asymptotic complexity $T_{Kara}(\ell) \in O(\ell^{\log_2 3}) \approx O(\ell^{1.585})$.

Algorithm 1 Karatsuba multiplication

    function KARATSUBA(x, y)              ▷ x, y are ℓ-bit integers
        if ℓ ≤ 19 then return x · y       ▷ base case from the text: classical school method
        x_h || x_l ← x                    ▷ x = x_h 2^⌈ℓ/2⌉ + x_l
        y_h || y_l ← y                    ▷ y = y_h 2^⌈ℓ/2⌉ + y_l
        P_h ← KARATSUBA(x_h, y_h)         ▷ z_h = x_h y_h
        P_l ← KARATSUBA(x_l, y_l)         ▷ z_l = x_l y_l
        x_s ← x_h + x_l
        y_s ← y_h + y_l
        P_s ← KARATSUBA(x_s, y_s)
        P_d ← P_s − P_h − P_l             ▷ z_d, obtained with one multiplication
        return (P_h 2^(2⌈ℓ/2⌉)) + P_d 2^⌈ℓ/2⌉ + P_l
    end function

Circuit Complexity. In TASTY we have implemented both methods for multiplication based on efficient addition and subtraction circuits of [28]. As shown in Fig. 6 and Table 5, Karatsuba multiplication is more efficient, i.e., results in circuits with fewer non-XOR gates, than Textbook multiplication already for multiplication of 20 bit operands. By interpolating through the points for bitlength ℓ ∈ {32, 64, 128} and solving the resulting system of linear equations we obtain as approximation for the number of non-XOR gates

$T_{Kara}(\ell) \approx 9.0165\,\ell^{1.585} - 13.375\,\ell - 34.$

Figure 6: Size of Multiplication Circuits

Table 5: Size of Multiplication Circuits (in number of 2-input non-XOR gates)

| Bitlength ℓ | 19 | 20 | 32 | 64 | 128 |
|---|---|---|---|---|---|
| Textbook | 703 | 780 | 2,016 | 8,128 | 32,640 |
| Karatsuba | 703 | 721 | 1,729 | 5,683 | 17,973 |
| Improvement | 0.0 % | 7.6 % | 14.2 % | 30.1 % | 44.9 % |

5.1.2 Multiplication Protocols

Using TASTY we compare the performance of different secure multiplication protocols based on homomorphic encryption (HE) and garbled circuits (GC). For this we constructed four basic test cases. For each SFE paradigm, we consider the case where both inputs are provided by one party (S for GC1 and C for HE1), or one by each of the parties (GC2 and HE2). The inputs are Unsigned ℓ-bit values and the output, a 2ℓ-bit Unsigned value is converted into a Plain output for C. In the following, we compare the communication- and the computation complexity of the setup- and online phase of the protocols.

Communication (cf. Fig. 7). Our experiments show that GC-based multiplication requires a substantial amount of setup communication (for transfer of GCs) whereas the online communication of GC is better than HE for multiplication of small values. The online communication for multiplying with HE is independent of the bitlength ℓ as a

Textbook MUL: $2\ell^2 - \ell$ non-XORs
Fast MUL: $\approx 9\ell^{1.6} - 13\ell - 34$ non-XORs
[HeneckaKSSW10]

Modular SFE

SFE with Homomorphic Encryption (HE)

Application: SFE by Computing on Encrypted Data

Client: private data x
Server: private data y, restricted to specific homomorphic operation(s)
Client → Server: pk, $\llbracket x \rrbracket$
Server: $\llbracket z \rrbracket = f(\llbracket x \rrbracket, \llbracket y \rrbracket)$
Server → Client: $\llbracket z \rrbracket$
Output: z

Property: $\forall x, y \in P:\ \llbracket x \circ y \rrbracket = \llbracket x \rrbracket \boxdot \llbracket y \rrbracket$, where $\llbracket x \rrbracket := \mathrm{Enc}_{pk}(x)$

HE Schemes:
+      [Paillier99], [DamgårdJ01], [DamgårdGK07], ...
+, 1*  [BonehGN05], [GentryHV10], ...
+, *   [Gentry09], [SmartV10], [DijkGHV10], ...
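
Performance of Homomorphic Encryption

• Fully HE: minimal interaction but not practical yet
• Additively Homomorphic Encryption is practical but needs interaction for multiplication:

Given $\llbracket x \rrbracket, \llbracket y \rrbracket$: choose random $r_x, r_y$
$\llbracket \bar{x} \rrbracket = \llbracket x \rrbracket \boxplus \llbracket r_x \rrbracket$
$\llbracket \bar{y} \rrbracket = \llbracket y \rrbracket \boxplus \llbracket r_y \rrbracket$
Send $\llbracket \bar{x} \rrbracket, \llbracket \bar{y} \rrbracket$
Other party: $\bar{z} = \bar{x} * \bar{y}$, return $\llbracket \bar{z} \rrbracket$
$\llbracket x * y \rrbracket = \llbracket \bar{z} \rrbracket - r_y \llbracket x \rrbracket - r_x \llbracket y \rrbracket - \llbracket r_x * r_y \rrbracket$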
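
Added example (not part of the original slides): toy Paillier encryption in Python showing the two operations described in this deck, multiplying a ciphertext by a plaintext constant with square-and-multiply, and the blinded interactive multiplication above. The key size, the assignment of roles (S computes on ciphertexts, C holds the secret key) and all function names are assumptions for illustration.

```python
import math
import secrets

# Toy Paillier key from two Mersenne primes (constructed; far too small for real use)
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # secret key, held by C
MU = pow(LAM, -1, N)                                 # valid for generator g = N + 1

def enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2    # g^m * r^N mod N^2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    return c1 * c2 % N2      # [[a + b]]: the ciphertexts are multiplied

def scalar_mul(c, k):
    """[[k*m]] = [[m]]^k; returns (ciphertext, squarings, multiplications)."""
    acc, squarings, mults = 1, 0, 0
    for bit in bin(k)[2:]:               # left-to-right square-and-multiply
        acc = acc * acc % N2
        squarings += 1
        if bit == "1":
            acc = acc * c % N2
            mults += 1
    return acc, squarings, mults

def secure_mul(cx, cy):
    """Blinded multiplication of [[x]] and [[y]]; returns [[x*y]]."""
    # S (no secret key): blind both ciphertexts with fresh random masks
    rx, ry = secrets.randbelow(N), secrets.randbelow(N)
    bx, by = add(cx, enc(rx)), add(cy, enc(ry))
    # C (key holder): decrypt the blinded values, multiply, re-encrypt
    cz = enc(dec(bx) * dec(by))
    # S: unblind, [[x*y]] = [[z]] - ry[[x]] - rx[[y]] - [[rx*ry]]; -r is N - r mod N
    t1, _, _ = scalar_mul(cx, N - ry)
    t2, _, _ = scalar_mul(cy, N - rx)
    return add(add(cz, t1), add(t2, enc(-rx * ry)))
```

C only ever decrypts values masked by uniformly random r_x, r_y, and S never sees a plaintext; the price is one extra round trip per multiplication.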

Combine Advantages of GC and HE

• HE good for linear operations (+, [?])
• GC good for + and non-linear operations ([?], min, ...)
• Combine HE+GC by converting HE ⇔ GC
  [BrickellPSW07], [BarniFKLSS09], [KolesnikovSS09], ...
  1. A: add random mask under encryption
  2. B: decrypt + encrypt with new scheme
  3. A: take off random mask under encryption

Theoretical Framework: Modular SFE

SFE = convert + compute on encrypted data [KolesnikovSS10]
1. encrypt inputs
2. compute under encryption
3. decrypt outputs

Figure labels:
• Inputs/Outputs: Plain Value x (Client C), Plain Value x (Server S)
• Encrypted Values: Garbled Value $\tilde{x}$, Homomorphic Value $\llbracket x \rrbracket$
• SFE of Boolean Circuits using Garbled Circuits
• SFE of Arithmetic Circuits using Homomorphic Encryption

TASTY (Tool for Automating Secure Two-partY computations)

Web: http://tastyproject.net

TASTY: Tool for Automating Secure Two-partY computations

Design Goals:
• program SFE protocols as sequence of operations on encrypted data
• minimize latency of online phase by pre-computing in setup phase
• test, benchmark + compare performance of SFE protocols

Figure labels: Client C and Server S, each with Input and Output; Protocol Description in TASTYL; Analyzation Phase; Setup Phase; Online Phase; Runtime Environment; Costs

TASTYL: Types and Operators

Value (bitlength): +, -, *
  – Plain Value: rand, input, output; /, <, =, ...
  – Garbled Value: mux, <, =, ...
  – Homomorphic Value
  – Unsigned, Signed, Modular

Vector (N): +, -, *, dot
  – Plain Vector: rand, input, output; /, =, ...
  – Garbled Vector: min, max, ...
  – Homomorphic Vector
  – Unsigned Vector, Signed Vector, Modular Vector

TASTYL: Example

Inputs: C has vector v and S has vector w (N=4 unsigned L=32-bit values each)
Output: C obtains $\min_{i=1,..,N} (v_i \cdot w_i)$ (figure labels: GC, HE)

    def protocol(client, server):
        N = 4
        L = 32

        # input of client
        client.v = UnsignedVec(bitlen=L, dim=N)
        client.v.input(desc="enter values for v")

        # input of server
        server.w = UnsignedVec(bitlen=L, dim=N)
        server.w.input(desc="enter values for w")

        # convert unsigned to homomorphic vector
        client.hv = HomomorphicVec(val=client.v)
        server.hv <<= client.hv

        # multiply vectors (component-wise)
        server.hx = server.hv * server.w

        # convert homomorphic to garbled vector
        client.gx <<= GarbledVec(val=server.hx)

        # compute minimum value
        client.gmin = client.gx.min_value()

        # convert garbled to unsigned value and output
        client.min = Unsigned(val=client.gmin)
        client.min.output(desc="minimum value")

Privacy-Preserving Applications in TASTYL

Typical Application Scenario
Client, Server: Client-Image in database?
Standard-Way: Client sends image to DB
DB compares and sends result back
Ahmad-Reza Sadeghi, Thomas Schneider, Immo Wehrenberg: Efficient Privacy Preserving Face Recognition

System Security Group | http://www.trust.rub.de

Ask your e-Doctor without telling!
Privacy-Preserving Medical Diagnostics

Ahmad-Reza Sadeghi, Thomas Schneider
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Universitätsstr. 150, D-44780 Bochum, Germany
e-mail: thomas.schneider@trust.rub.de
Joint Work With Mauro Barni, Pierluigi Failla, Riccardo Lazzeretti (University of Siena, Italy) and Vladimir Kolesnikov (Bell Labs, USA)

Introduction
• e-Health
  – Examples: Google Health, Gesundheitskarte
• Benefits
  – Less medical errors
  – Cost reduction
• Conflict of Interests
  – Privacy of user data
  – Intellectual property of service provider

Approach
• Medical Diagnostics
  – User asks e-doctor whether to visit a doctor
• Privacy-Preserving
  – Do not reveal any sensitive information
• Additional Properties
  – Efficient
  – Provably Secure

Privacy-Preserving Classification of ElectroCardioGram (ECG) Data [2,3]
Figure labels: user; e-doctor; measure ECG; process signal; encrypted query; classify under encryption; encrypted response; decrypt; stay at home; visit doctor

Applied Cryptography
• Computing on encrypted data
  – Homomorphic encryption (e.g., Paillier [4]) allows linear operations under encryption
• Computing with encrypted functions
  – Garbled circuits of Yao [5] allow linear and non-linear operations under encryption
• Efficient combination of both

Signal Processing
• ECG Classification Algorithm of [1]
  – Improved and mapped to integer arithmetics

Implementation Results
• Two PCs (3 GHz Intel Core Duo, 4GB RAM), Gigabit Ethernet
Classification accuracy: 86.3%
Client runtime: 18.7s
Server runtime: 16.2s
Communication: 64 kByte

References
[1] U. R. Acharya, J. Suri, J. A. E. Spaan, and S. M. Krishnan. Advances in cardiac signal processing. Springer, 2007.
[2] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure evaluation of private linear branching programs with medical applications. In 14th European Symposium on Research in Computer Security (ESORICS '09). Full version available at http://eprint.iacr.org/2009/195.
[3] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A. Paus, A.-R. Sadeghi, T. Schneider. Efficient privacy-preserving classification of ECG signals. In 1st IEEE International Workshop on Information Forensics and Security (WIFS '09).
[4] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In 18th Advances in Cryptology - EUROCRYPT 1999.
[5] A. C. Yao. How to generate and exchange secrets. In 27th IEEE Symposium on Foundations of Computer Science (FOCS '86).

System Security Lab

Set Intersection [FreedmanNP04]: HE
Face-Recognition [SadeghiSW09]: HE+GC
Medical Diagnostics (ECG) [BarniFKLSS09]: HE+GC

Discussion: Secure Computation in Practice

• Efficiency
  – resource intensive (computation+communication)
  – privacy-preserving applications, e.g., face-recognition
• Security: critical (e.g., medical) applications need
  – large security parameters (long-term security)
  – protection against active/malicious attackers
• Usability: tool support
  – Computer Aided Cryptography Engineering
  – intuitive user interfaces
http://cace-project.eu

Literature (1)

[BarniFKLSS09] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure evaluation of private linear branching programs with medical applications. In European Symposium on Research in Computer Security (ESORICS'09), volume 5789 of LNCS, pages 424–439. Springer, 2009.
[BonehGN05] D. Boneh, E.-J. Goh, K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In Theory of Cryptography Conference (TCC'05), volume 3378 of LNCS, pages 325–341. Springer, 2005.
[BoyarPP00] J. Boyar, R. Peralta, D. Pochuev. On the multiplicative complexity of Boolean functions over the basis (∧, ⊕, 1). Theoretical Computer Science, 235(1):43–57, 2000.
[BrickellPSW07] J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel. Privacy-preserving remote diagnostics. In ACM Computer and Communications Security (CCS'07), pages 498–507. ACM, 2007.
[DamgårdGK07] I. Damgard, M. Geisler, M. Krøigaard. Efficient and secure comparison for on-line auctions. In Australasian Conference on Information Security and Privacy (ACISP'07), volume 4586 of LNCS, pages 416–430. Springer, 2007.
[DamgårdJ01] I. Damgard, M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In Public-Key Cryptography (PKC'01), LNCS, pages 119–136. Springer, 2001.
[DijkGHV10] M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology – EUROCRYPT'10, volume 6110 of LNCS, pages 24–43. Springer, 2010.

Literature (2)

[ErkinFGKLT09] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft. Privacy-preserving face recognition. In Privacy Enhancing Technologies Symposium (PETS'09), volume 5672 of LNCS, pages 235–253. Springer, 2009.
[FreedmanNP04] M. J. Freedman, K. Nissim, B. Pinkas. Efficient private matching and set intersection. In Advances in Cryptology – EUROCRYPT'04, volume 3027 of LNCS, pages 1–19. Springer, 2004.
[Gentry09] C. Gentry. Fully homomorphic encryption using ideal lattices. In ACM Symposium on Theory of Computing (STOC'09), pages 169–178. ACM, 2009.
[GentryHV10] C. Gentry, S. Halevi, V. Vaikuntanathan. A simple BGN-type cryptosystem from LWE. In Advances in Cryptology – EUROCRYPT'10, volume 6110 of LNCS, pages 506–522. Springer, 2010.
[KaratsubaO62] A. A. Karatsuba, Y. Ofman. Multiplication of many-digital numbers by automatic computers. SSSR Academy of Sciences, 145:293–294, 1962.
[KolesnikovS08] V. Kolesnikov, T. Schneider. Improved garbled circuit: Free XOR gates and applications. In International Colloquium on Automata, Languages and Programming (ICALP'08), volume 5126 of LNCS, pages 486–498. Springer, 2008.
[KolesnikovSS09] V. Kolesnikov, A.-R. Sadeghi, T. Schneider. Improved garbled circuit building blocks and applications to auctions and computing minima. In International Conference on Cryptology And Network Security (CANS'09), volume 5888 of LNCS, pages 1–20. Springer, 2009.

Literature (3)

[KolesnikovSS10] V. Kolesnikov, A.-R. Sadeghi, T. Schneider. From dust to dawn: Practically efficient two-party secure function evaluation protocols and their modular design. Cryptology ePrint Archive, Report 2010/079, 2010.
[NaorPS99] M. Naor, B. Pinkas, R. Sumner. Privacy preserving auctions and mechanism design. In ACM Conference on Electronic Commerce, pages 129–139, 1999.
[Paillier99] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology – EUROCRYPT'99, volume 1592 of LNCS, pages 223–238. Springer, 1999.
[SadeghiSW09] A.-R. Sadeghi, T. Schneider, I. Wehrenberg. Efficient privacy-preserving face recognition. In International Conference on Information Security and Cryptology (ICISC'09), volume 5984 of LNCS, pages 229–244. Springer, 2009.
[SmartV10] N. P. Smart, F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography (PKC'10), volume 6056 of LNCS, pages 420–443. Springer, 2010.
[Waksman68] A. Waksman. A Permutation Network. Journal of the ACM, 15(1):159-163, 1968.
[Yao86] A. C. Yao. How to generate and exchange secrets. In IEEE Symposium on Foundations of Computer Science (FOCS'86), pages 162–167. IEEE, 1986.