Software-Based Memory Erasure with relaxed isolation requirements: Extended Version

Sergiu Bursuc, Reynaldo Gil-Pons, Sjouke Mauw, Rolando Trujillo-Rasua

TL;DR

This work removes the isolation assumption from software-based PoSE protocols by introducing PoSE-DB, a class of distance-bounding memory-erasure protocols secure against distant attackers. It develops three concrete protocols, including an unconditional random-data protocol and graph-based schemes that rely on depth-robust, in-place-labellable graphs to ensure memory erasure with realistic device capabilities. The authors provide formal security models and multi-round analyses showing erasure guarantees scale with rounds and resist outsourcing the proof to external conspirators, even when memory can be co-opted by an attacker. A lightweight graph-based variant offers favorable performance while trading off some security, illustrating practical applicability for low-end devices and broad IoT deployments. The work also introduces novel graph constructions and proof techniques that connect memory erasure security to depth-robustness in graph theory, with potential applicability to memory hardness and proofs of space beyond erasure.

Abstract

A Proof of Secure Erasure (PoSE) is a communication protocol where a verifier seeks evidence that a prover has erased its memory within the time frame of the protocol execution. Designers of PoSE protocols have long been aware that, if a prover can outsource the computation of the memory erasure proof to another device, then their protocols are trivially defeated. As a result, most software-based PoSE protocols in the literature assume that provers are isolated during the protocol execution, that is, provers cannot receive help from a network adversary. Our main contribution is to show that this assumption is not necessary. We introduce formal models for PoSE protocols playing against provers aided by external conspirators and develop three PoSE protocols that we prove secure in this context. We reduce the requirement of isolation to the more realistic requirement that the communication with the external conspirator is relatively slow. Software-based protocols with such relaxed isolation assumptions are especially pertinent for low-end devices, where it is too costly to deploy sophisticated protection methods.

Paper Structure (22 sections, 35 theorems, 23 equations, 7 figures)

This paper contains 22 sections, 35 theorems, 23 equations, 7 figures.

Key Result

Lemma 1

For any $(M,q)$-bounded adversary $\mathcal{A}$ against the PoSE-DB security experiment, there is a uniform $(M,q)$-bounded adversary $\bar{\mathcal{A}}$ that wins the experiment with at least the same probability: $\underset{\Upsilon \sample \mathcal{I}}{\operatorname{\probname}}[\mathcal{A}^r] \le

Figures (7)

  • Figure 1: The isolation assumption (on the left) assumes no interference in the prover-verifier communication. The distant attacker assumption (on the right) lets the attacker interfere from far away.
  • Figure 2: Comparison of erasure and attestation protocols in terms of their communication complexity (Comm) and their capacity to avoid the use of the device isolation assumption (No Isol.) and specialised hardware (No Hw.). The value of $n$ refers to the memory size and $r$ is a security parameter that refers to the number of rounds during the fast phase (see the model section).
  • Figure 3: PoSE-DB protocol session
  • Figure 4: The y-axis denotes a timeline. Because $A_0$ is far, $A_1$ cannot relay the verifier's challenge to $A_0$ and wait for a response. $A_0$ does help $A_1$ in the other phases of the protocol execution.
  • Figure 5: Security experiment $\mathsf{Exp}^{m,r,w}_{\mathcal{A}_0,\mathcal{A}_1}$.
  • ...and 2 more figures

Theorems & Definitions (78)

  • Definition 1
  • Example 1
  • Definition 2: The unconditional PoSE-DB protocol
  • Definition 3
  • Definition 4: PoSE-DB security
  • Lemma 1
  • proof
  • Lemma 2
  • proof
  • Definition 5
  • ...and 68 more