1 / 35

Protecting Circuits from Leakage

Protecting Circuits from Leakage. @ Rome La Sapienza , January 18, 2009. KU Leuven. Sebastian Faust. Joint work with. Tal Rabin. IBM Research. Leo Reyzin. Boston University. Eran Tromer. MIT. Vinod Vaikuntanathan. IBM Research. Beautiful Theory…. Adversarial Model.

gordon
Download Presentation

Protecting Circuits from Leakage

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Circuits fromLeakage @ Rome La Sapienza, January 18, 2009 KU Leuven Sebastian Faust Joint work with Tal Rabin IBM Research Leo Reyzin Boston University EranTromer MIT VinodVaikuntanathan IBM Research

  2. Beautiful Theory… • Adversarial Model Security Definition 3. Prove that no adversary exists

  3. The Ugly Reality probing optical power electromagnetic acoustic cache

  4. Motivation Many provably secure cryptosystems can be broken by side-channel attacks

  5. Engineering approach • Ad-hoc countermeasures typically tailored to defeat specific attacks • But security only if protection against • all known side channel attacks • all new attacks during thedevice's lifetime.

  6. Cryptographic approach • Face the music: computational devices are not black-box. • Cryptosystem should protect already at algorithmic-level against side-channel attacks • Prove security against well-defined class of resource-bounded adversaries

  7. Related Work [CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms [ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks [MR04]: Micali, Reyzin: Physically Observable Cryptography [GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs [DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model [Pie09]: Pietrzak: A leakage-resilient mode of operation [AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks [ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model [FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures [DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input [SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks ...

  8. X Y black-box [Ishai Sahai Wagner ’03] M X Y t-wireprobing Any boolean circuit Transformed circuit Circuit transformation indistinguishable

  9. Our goal Allow much stronger leakage.

  10. Our main construction • A transformation that makes any circuit resilient against • Global adaptive leakageMay depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary. • Arbitrary total leakage Bounded just per observation. [DP08] • But we must assume something: • Leakage function is computationally weak [MR04] • A simple leak-free component [MR04]

  11. Computationally-weak leakage computationally weak can be powerful Assumption: the observed leakage is a computationally-weak functionof the device’s internal wires. “antennas are dumb”

  12. Secure against global leakage We do not assume spatial locality, such as: • t wires [ISW03] • “Only computation leaks information” [MR04][DP08][Pie09][FKPR09]

  13. Leak-free components • Secure memory • [GKR08] • Secure processor [G89][GO95] • Here: simple component that samples from a fixed distribution, e.g:securely draw strings with parity 0. • No stored secrets or state • No input, so can be precomputed • Can be relaxed

  14. Rest of this talk • Computation model • Security model • Circuit transformation • Proof approach • Extensions

  15. Original circuit Original circuit C of arbitrary functionality(e.g., crypto algorithms), with state M,over a finite field K.Example: AES encryption with secret key M. X Y C[M]

  16. Original circuit Allowed gates in C: Add in K: + Multiply in K: ● Coin: Const: $ 1 Memory: M Copy: C (Boolean circuits are easily implemented.)

  17. Transformed circuit X Y Transformed state C’[M’] Same underlying gates as in C, plus opaque gate (later). Soundness: for any X,M: C[M](X) = C‘[M‘](X)

  18. M Model: single observation in leakage class L Y X wires f(wires)

  19. Model: adaptive observations Refreshed state Refreshed state M’2 M’3 M’1 Y0f0(wires0) Y1f1(wires1) Y2f2(wires2) X0f0∈L X1f1∈L X2f2∈L refresh state  allows total leakage to grow

  20. Model: L-secure transformation Adversary learns no more than by black-box access: Simulation: Simulation: Real: Mi M’i Xifi ∈L Yifi(wiresi) Yi Xi indistinguishable Actual definition little bit more complicated

  21. Motivating example M M 1-wire probing Problem: Adversary learns one bit of the state Solution: Share each value over many wires [ISW03, generalized] Every value encoded by a linear secret sharing scheme (Enc,Dec)with security parameter t: Enc: KKt (probabilistic) Dec: KtK (surjective linear function)

  22. Leakage: L-leakage-indistinguishability (Enc,Dec) is L-leakage-indistinguishable if for all x0,x1K: x1 x0 bR {0,1} Enc(xb) Consequence: Leakage functions in L cannot decode b‘ Pr[b‘ = b] - ½ ≤ negl

  23. Main construction For any linear encoding scheme that isL-leakage indistinguishable ‘ we present an L -secure transformationfor any circuit and state Simple functions fL f’ L’ Assumption: encoding can tolerate these leakage functions Thm: transformed circuit can tolerate these leakage functions

  24. Unconditional resilience against AC0leakage Some known circuit lower bounds imply L-leakage-indistinguishability of encodings hard for AC0 DecParity depth: 2 size: O(t2) const depth and poly size circuits Enc(x) Theorem f  AC0 f ’ f ’ AC0 ? ?

  25. Is this practical? • Not really… • AC0 not very realistic class of leakage functions • sec parameter t has to be large (blow up ≈t2) • But… • AC0 can approximate hamming weight  • Very powerful adversary (adaptive, statistical security) • Make reasonable assumption on power of leakage functions (very important future work!)

  26. Transformation: high level C[M] C ’[M’] • The state is encoded: M ’ = Enc(M) • Circuit topology is preserved • Every wire is encoded • Inputs are encoded; outputs are decoded • Every gate is converted into a gadget operating on encodings

  27. Computing on encodingsfirst attempt + f(wires) Easy to attack Notation:

  28. Computing on encodingssecond attempt – use linearity + + f(wires) ??? Works well for a single gate... but does not compose.Exponential security loss (for AC0).

  29. Y M X wires f Intuition: wire simulation Since f can verify arbitrary gates in circuit, wires must be consistent with X and Y. Problem: simulator does not know the state M, so hard to simulate internal wires! Solution: to fool the adversary, introduce a non-verifiable atomic gate. X, f X M Y, f(wires) Y

  30. Enc(0) Opaque gate Fool adversary:gate is non-verifiable by functions in L. Opaque gate: • Samples from a fixed distribution. • No inputs

  31. Using the opaque gate Wire simulator’s advantage:can change output of opaque without getting noticed(L-leakage-indistinguishable) Full transformationfor gate: + Enc(0) So can simulate this gate independentof all others gates. ???

  32. Enc(0) Enc(0) Enc(0) Enc(0) Other gates • Similar transformation for other gates. • The challenging case is the non-linear gate: multiplication.Hard to make leak-resilient; standard MPC doesn’t work.Trick: give wire simulator enough degrees of freedom. Dec + + Dec S B Dec

  33. Wire simulator composability • This property (suitably defined)composes!If every gadget has a (shallow) wire simulatorthen the whole transformed circuit has a (shallow) wire simulator. Security for 1 round follows easily. For multiple rounds there’s extra work due to adaptivity of the leakage and inputs.

  34. Summary of (positive) results Public-key encryption +Gen+Dec+Encgadgets Any encoding +leakage classwhich can’t decode +leak-free gates (relaxed) Noisy leakage +leak-free encoding gates Linear encoding +leakage classwhich can’t decode +leak-free Enc(0) gates AC0 / ACC0[q] leakage +leak-free 0-parity gates

  35. Conclusions • Achieved • New model for side-channel leakage, which allows global leakage ofunbounded total size • Constructions for generic circuit transformation,for example, against all leakage in AC0 or noisy leakages. • General proof technique + several additional applications. • Open problems • More leakage classes: find a reasonable assumption on the power of leakage functions! • Smaller leak-free components • Proof/falsify black-box necessity conjecture • Circumvent necessity result (e.g., non-blackbox constructions) http://eprint.iacr.org/2009/379

More Related