350 likes | 534 Views
Cryptography in The Presence of Continuous Side-Channel Attacks. Ali Juma University of Toronto. Yevgeniy Vahlis Columbia University. Crypto as We’ve Known It. Crypto runs on dedicated and isolated devices Adversary is 3 rd party with access to communication channels. Alice. Bob.
E N D
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University
Crypto as We’ve Known It • Crypto runs on dedicated and isolated devices • Adversary is 3rd party with access to communication channels Alice Bob Communication Channels Input CPU Storage • Secure communication is achievable through encryption
New Computing Environments Cloud Computing Mobile Computing
New Computing Environments Modern computing environments create new security risks Cloud Computing Mobile Computing Devices leak data through side-channels • Timing • Sound emanations • Radiation • Power consumption
Modeling Leakage • How can we model a large class of side channel attacks? • Allow the adversary to select • leakage function f and see f(state) • Leaking entire state breaks security • Restrict f to shrinking functions • Other restrictions are usually needed • Restrict f to access only “active”memory • Use secure hardware State f(state) Adversary
Continuous Leakage Device state over time Key K Key K Key K Leakage accumulates over time Each time a computation is performed, information leaks Even one bit of leakage can be fatal: fi(state) = ith bit of state Key K Key K Key K Leakage over time Two “conflicting” new goals: Refresh state while maintaining functionality:e.g. if state is decryption key then for allstate’2 Supp(Refresh(state))state’ is also a valid decryption key Leakage from different states should be hard tocombine into a new valid state
Only Computation Leaks We already know that computation leaks [MR04]: “only computation leaks” State: Active Active CPU Leakage Inactive
Only Computation Leaks We already know that computation leaks [MR04]: “only computation leaks” • More formally: • state=(s1,…,sn) An algorithm consists of mparts: P1,…,Pmand sets W1,…,Wmµ [n] Part Pi computes and leaks on {sj | j2Wi} and randomness ri We model secure hardware as Pi that does not leak on ri
Resilience To Continuous Leakage • [G87,GO96] oblivious RAMs • [ISW03] Private circuits: securing hardware against probing attacks • [MR04] Physically observable cryptography • [GKR08] One-time programs • [DP08] Leakage-resilient cryptography • [FKPR10] Leakage-resilient signatures • [FRRTV10] Protecting against computationally bounded and noisy leakage • [JV10] On protecting cryptographic keys against continual leakage • [GR10] How to play mental solitaire under continuous side-channels • [BKKV10] Cryptography resilient to continual memory leakage • [DHLW10] Cryptography against continuous memory attacks
Key Proxies [JRV10]: “Key Proxy”, a new primitive to immunize a cryptographic key against leakage, but allow arbitrary computation • Building blocks: • Fully homomorphic encryption • Secure hardware component independent from K Resilience to polytime leakage without any leak-free computation on the state • Properties: • Resilience to polynomial time leakage assuming that “only computation leaks” • 2l(n) secure encryption allows l(n) leakage
Key Proxies Key Proxies encapsulate a key and allow structured access to it A key proxy is a pair of algorithms: Initialization and Evaluation • Initialization generates an initial encoding of a key K • Evaluation allows arbitrary computation on K and updates encoding Key K Updated State Initial State Evaluation Initialization P(K) Program P
Definition of Security Real • Adversary submits a key K • Repeat: • Submit program P • Obtain leakage • Get P(K) Program P Evaluation Update State P(K) Key K 1 Initialization 2 Distinguisher Leakage
Definition of Security Real Ideal • Adversary submits a key K • Repeat: • Submit program P • Obtain leakage • Get P(K) • Adversary submits a key K • Repeat: • Submit program P • Simulator is given P, P(K) • Obtain simulated leakage • Get P(K) P(K) Trusted 3rd party 1 Key K P, P(K) Program P 2 Distinguisher Simulator Leakage
Main Tools: Fully Homomorphic Encryption Public key encryption KeyGen, Enc, Dec Allows computation on encrypted data [G09], [DGHV10] Encryption of M1 Encryption of M2 Encryption of Mn . . . Evaluate Algorithm P We require randomizable ciphertexts: Encryption of P(M1,…,Mn) Encryption of 0 Random encryption of P(M1,…,Mn) + =
Main Tools: Our Secure Hardware Public key We use a secure chip twice Random bits Given a public key, generate two Encryptions of 0 Both input and output leak, but not the internal randomness Encryption of 0
Overview of Construction • Initialization: • Generate (pub, pri) ←R KeyGen(1n) • Encrypt K using pub: C←R Encpub(K) • View initial state as a pair • (MemA, MemB) = (pri, C) Key K Memory A pri Memory B C=Encpub(K)
Overview of Construction Memory A pri Memory B C=Encpub(K)
Construction – Step 1 Encryption of pri under pub’ Memory A pri Memory A pri' Memory B C=Encpub(K) • Computing onMemory A: • Generate a new public-private key pair (pub’,pri’) for the fully homomorphic encryption. • Encrypt the old private key priunder the new public key and write the ciphertext on the public channel. • Overwrite the contents of Memory A with pri’
Construction – Step 2 Program P Encryption of pri under pub’ Memory A pri Memory A pri' Memory B C=Encpub(K) • Computing onMemory B: External input: program P • Evaluate homomorphically on encryption of pri:Decpri(C) and P(Decpri(C)) • Homomorphic evaluation produces encryptions CK of K and CP of P(K)Both under the new public key pub’
Construction – Step 3 Program P Encryption of pri under pub’ Memory A pri Memory A pri' Memory B C=Encpub(K) Memory B C=Encpub’(K) Encryption of P(K) under pub’ • Computing onMemory B: CK = encryption ofK and CP= encryption of P(K) • Using the secure hardware component generate two encryptions ®k and ®p of 0 • Randomize CKand CP: CK ← CK+®k and CP ← CP+®p • Write CP on the public channel • Overwrite the contents of Memory B with CK
Construction – Step 4 Program P Encryption of pri under pub’ Memory A pri Memory A pri' Memory B C=Encpub(K) Memory B C=Encpub’(K) Encryption of P(K) under pub’ • Computing onMemory A: • Use pri’ to decrypt the encryption of P(K), and output P(K)
Construction Everything together: Encryption of K under previous public key Previous private key pri Encryption of previous private key under pub’ Compute encryptions of K, P(K) under pub’ Generate new key pair pub’,pri’ Encryption of K, P(K) under pub’ New private key pri' Encryption of P(K) under pub’ Randomize encryptions of K, P(K) Decrypt using pri’ and output P(K) Encryption of K under pub’ Private key pri'
Secure Hardware Components Can we rely on secure hardware to achieve leakage resilience? Yes, but it would be nice if it is Independent from protected functionality: amount and function of hardware should be same for all applications Memory-less: secure against adversaries with a drill Testable: operates on inputs from a known distribution
Achieving Resilience - Robustness Leakage depends on the device Robustness [GKPV09]: more leakage -> stronger assumptionbut security parameter stays the same Leakage grows by unknown amount Leaks n bits Size grows by function of n
Security • Observations: • After each round Memory A: a fresh private keyMemory B: a fresh encryption of K Clearly secure without leakage But uninteresting Consider leakage structure in each round: pri, pri0 C pri0, Cr Randomize Problem: Leakage on the private key both before and after leakage on C + the leakage is adaptive. Ciphertexts are incompressible
Why do we randomize? Fully homomorphic encryption may not preserve function privacy May contain information about P Evaluate Encryption of message M Encryption of message P(M) In our construction M=pri and P contains the encryption C of K Algorithm P Without randomization the final leakage function could compute on pri and C together!
Simulator Change 1: memory B now contains encryptions of 0 instead of K After change 1 pre-randomization encrypted output is Cres,i = Encpubi(Fi(0)) Change 2: encrypted output is computed as C’res,i = Encpubi(Fi(K)) Change 3: output of one leak-free component is replaced by ®p,i = C’res,i - Cres,i
Why Sim Works Cpri Claim 1: security of n rounds reduces to security of two rounds P1 P2 Ri R’i P4 P3 Proof: Step 1: - Replace all messages Ri with random encryptions R’i of Pi(K) - Replace ®p,i with ®’p,i = R’i – Cres,i Change is conceptual Cpri P1 P2 Ri+1 R’i+1 P4 P3 Cpri P1 P2 R’i+2 Ri+2 P4 P3
Why Sim Works Cpri Claim 1: security of n rounds reduces to security of two rounds P1 P2 R’i P4 P3 Proof: Step 2: Replace encryptions of K with Encryptions of 0 Change is significant But output is not affected If an adversary can detect the switch then she detects it for some i Cpri P1 P2 R’i+1 P4 P3 Cpri P1 P2 R’i+2 P4 P3
Security Cpri Claim 1: security of n rounds reduces to security of two rounds P1 P2 R’i P4 P3 Proof: i-th hybrid: CK,1,…, CK,i-1 are encryptions of K C’K,i,…,C’K,nare encryptions of 0 ®K,i = CK,i – CK,i-1 Suppose adversary distinguishes between hybrids i and i+1 Rounds 1,…,i-1 and i+2,…,n are identical in both hybrids CK,i is used in both rounds i and i+1 CK,i or C’K,i Cpri P1 P2 R’i+1 P4 P3 C’K,i+1 Cpri P1 P2 R’i+2 P4 P3 C’K,i+2
Security prii-1 Ti-1 We reduced the problem to this leakage structure for two rounds: 1 2 Cpri R’i P1 P2 prii 3 P4 P3 prii CK,i or C’K,i Cpri 4 R’i+1 P1 P2 prii+1 5 Leakage 6: prii+1 is needed to conclude the simulation P4 P3 prii+1 C’K,i+1 6 Get prii+1
Security prii-1 Ti-1 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key 1 2 Cpri R’i P1 P2 Proof: prii 3 P4 P3 Leakage on private key happens bothbefore and after leakage on CK,i or C’K,i Guess ¸ for leakage 4 and squeezeleakage 5 and 6 into 3. prii CK,i or C’K,i Cpri 4 R’i+1 P1 P2 prii+1 5 P4 P3 prii+1 C’K,i+1 6 Get prii+1
Security prii-1 Ti-1 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key 1 2 Cpri R’i P1 P2 Proof: prii 3 3 P4 P3 Leakage on private key happens bothbefore and after leakage on CK,i or C’K,i Guess ¸ for leakage 4 and squeezeleakage 5 and 6 into 3. Use the challenge CK,i/C’K,i to verify ¸ prii CK,i or C’K,i Cpri 4 R’i+1 P1 P2 prii+1 5 P4 P3 prii+1 C’K,i+1 6 Get prii+1
Security prii-1 Ti-1 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key 1 1 2 Cpri R’i P1 P2 Proof: prii 3 P4 P3 Guess ± for leakage 2 and squeezeleakage 3 into 1 prii CK,i or C’K,i Cpri R’i+1 P1 P2 Claim 3: any 2l(n) secure public key encryption is resilient to O(l(n)) leakage on the private key prii+1 P4 P3 prii+1 T’i+1 Proof idea: since we can run in time 2l(n), try all possible values of leakage.