
Eran Tromer. Slides credit: Yuval Ishai, Manoj Prabhakaran

Information Security – Theory vs. Reality, 0368-4474-01, Winter 2012-2013. Lecture 13: Cryptographic leakage resilience (cont.).


Presentation Transcript


  1. Information Security – Theory vs. Reality, 0368-4474-01, Winter 2012-2013. Lecture 13: Cryptographic leakage resilience (cont.). Eran Tromer. Slides credit: Yuval Ishai, Manoj Prabhakaran

  2. Leakage resilience
     [Figure: the original circuit holds secret s and the transformed circuit holds secret s’; on input x both produce the same output y=y(s,x)]
     • Same I/O functionality
     • Keeps secret even in the presence of side-channel attacks: leakage and tampering

  3. Model
     [Figure: CIRCUIT with INPUT, OUTPUT and MEMORY]
     • Circuit runs for many cycles
     • In each cycle:
       • Adversary chooses input
       • Adversary chooses an admissible attack: leakage and/or tampering from a specified class
       • Adversary observes output + leakage
       • Memory state is updated

  4. Circuit transformers
     [Figure: transformer T maps circuit C with memory s0 to circuit C’ with memory s0’; each circuit has INPUT, OUTPUT and MEMORY]
     • T=(T_C, T_s), on inputs k, t, maps C to C’ and s0 to s0’.
     • T_s must be randomized
       • Otherwise initial state s0 is revealed by probing
     • C’ can be either randomized or (better yet) deterministic.
     • Functionally equivalent: C[s0] ≡ C’[s0’]

  5. Black-box security [Ishai Sahai Wagner ’03]
     [Figure: any boolean circuit with secret s, input X and output Y is mapped by the circuit transformation to a transformed circuit; the transformed circuit under admissible leakage is indistinguishable from black-box access to the original]

  6. Security definition
     [Figure: as on slide 4, T maps C[s0] to C’[s0’]]
     • T protects privacy: for every circuit C there is an efficient Sim such that for every admissible Adv and every initial state s0: Sim^{Adv, C[s0]} ≈ view of Adv attacking C’[s0’]
     • (Even in case of tampering, only privacy is required)

  7. Relation to obfuscation
     [Figure: as on slide 4, T maps C[s0] to C’[s0’]]
     • C’[s0’] should act like a “virtual black-box” for C[s0].
       • Even in the presence of side-channel attacks
     • Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated
       • Can’t probe all wires in a single cycle
       • Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
       • Can’t freely “edit” gates and wires

  8. Simple/practical schemes I
     • Sum-of-wires leakage
       • Dual-Rail Logic <Show how simulator uses adversary>
     • Sum-of-wire-transitions leakage
       • Dual-Rail Precharge Logic
     • Protecting s
     • Practical complications:
       • Capacitance imbalance
       • Glitches
       • Cell internals

  9. Simple/practical schemes II
     • Single-wire leakage
       • Bit masking
     • Single-“value” leakage
       • RSA blinding
     • t-wire leakage
       • Secret sharing…

  10. t-wire leakage [ISW03]
     • Secrets additively shared into m=2t+1 shares
     • Given shares of a = a_1 ⊕ … ⊕ a_m and b = b_1 ⊕ … ⊕ b_m:
       • Compute shares of NOT(a): apply NOT to a_1
       • Compute shares c_i of a AND b:
         • Let z_{i,j}, i<j, be random independent bits
         • Let z_{j,i} = (z_{i,j} ⊕ a_i b_j) ⊕ a_j b_i (i<j)
         • Let c_i = a_i b_i ⊕ ⊕_{j≠i} z_{i,j}
     • Re-randomize s’ at every iteration
     • Randomness gates eliminated by a random-number generator
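As an added example (not code from the slides or the ISW03 paper), here are the additive sharing, NOT and AND gadgets of slide 10 together with the per-iteration re-randomization, plus an exhaustive check that the shares of a AND b always recombine to the right bit. The share count m=2t+1 and the gadget formulas follow the slide; the function names are my own.

```python
import secrets

def xor_all(bits):
    """XOR-combine a list of bits (reconstructs an additively shared secret)."""
    acc = 0
    for b in bits:
        acc ^= b
    return acc

def share(bit, m):
    """Additively share one bit into m shares; m = 2t+1 for t-wire probing security."""
    shares = [secrets.randbits(1) for _ in range(m - 1)]
    shares.append(bit ^ xor_all(shares))  # last share fixes the XOR to the secret
    return shares

def refresh(shares):
    """Re-randomize a sharing with a fresh zero-sum mask (done on s' every iteration)."""
    mask = [secrets.randbits(1) for _ in range(len(shares) - 1)]
    mask.append(xor_all(mask))  # mask XORs to 0, so the shared secret is unchanged
    return [s ^ r for s, r in zip(shares, mask)]

def not_gadget(a):
    """Shares of NOT(a): flip only the first share."""
    return [a[0] ^ 1] + a[1:]

def and_gadget(a, b):
    """ISW03 AND gadget: c_i = a_i b_i XOR (XOR over j != i of z_{i,j})."""
    m = len(a)
    z = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            z[i][j] = secrets.randbits(1)                        # fresh random bit for i<j
            z[j][i] = (z[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])  # pair XORs to a_i b_j + a_j b_i
    # z[i][i] is 0, so slicing it out or leaving it in gives the same c_i
    return [(a[i] & b[i]) ^ xor_all(z[i][:i] + z[i][i + 1:]) for i in range(m)]

def check_gadgets(t):
    """Exhaustively verify NOT and AND on all inputs with m = 2t+1 shares; True if all agree."""
    m = 2 * t + 1
    for a in (0, 1):
        for b in (0, 1):
            sa, sb = refresh(share(a, m)), refresh(share(b, m))
            ok_not = xor_all(not_gadget(sa)) == 1 - a
            ok_and = xor_all(and_gadget(sa, sb)) == (a & b)
            if not (ok_not and ok_and):
                return False
    return True
```

Correctness holds for any choice of the random bits because each pair z_{i,j} ⊕ z_{j,i} cancels to a_i b_j ⊕ a_j b_i; the randomness is what keeps any t of the wires independent of the secret.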

  11. Black-box security against t-wire probing [ISW03]
     [Figure: any boolean circuit with secret s, input X and output Y is mapped by the circuit transformation to a transformed circuit; the transformed circuit under t-wire probing is indistinguishable from black-box access to the original]

  12. Our goal: allow stronger leakage.

  13. Leakage classes
     • Locality assumptions
       • Single wire, t wires
       • Separate sub-circuits
       • Leak-free processor (Oblivious RAM [GO95])
       • Leak-free memory (“only computation leaks information” [MR04]: leakage from CPU state and memory accessed at that program step)
     • “Simple leakage”
       • Sums and Hamming weights
       • Low-complexity global functions
     • Specific functionality (mainly crypto)
