Leakage-Resilient Cryptography -- for symmetric primitives
Sebastian Faust, Aarhus University, Denmark

Aug 23, 2020

Page 1: Leakage-Resilient Cryptography - COSIC · Leakage-Resilient Cryptography Sebastian Faust Aarhus University, Denmark-- for symmetric primitives 1. How to construct cryptodevices? 2


Page 2: How to construct cryptodevices?

CRYPTO: a well-defined mathematical object, often with a proof-driven security analysis. Very secure.

Cryptographic device: many ways of implementing, and the details matter! Security analysis by experiments, rarely by proofs. Much less secure!

Leakage Resilient Crypto: extend the concept of proof-driven security analysis to the implementation level.

Pages 3-6: The approach of provable security

1. Define model & security notion. Example: digital signatures. The adversary repeatedly submits messages and receives their signatures under key K, then must output a forgery: a valid signature for a new message. The scheme is secure if no adversary can output a valid forgery!

2. Design cryptoscheme. Usually described in mathematical language.

3. Prove security. Reduce the security of the complex scheme to a simple assumption, e.g., from number theory (studied intensively in math) or the one-wayness of a function (a major breakthrough in complexity). This shows security not only against one specific attack, but against any efficient (PPT) attack within the model (if the assumption holds).

Page 7: Security proof implies...

Time to relax? A security proof implies that the scheme is secure against all known attacks, and against all attacks that may be discovered in the future.

But provably secure systems get broken in practice! So what's wrong?
Bugs in proofs? Only rarely!
Underlying assumptions are false? Not for standard assumptions.

Page 8: Models make idealized assumptions

Model: hash functions behave as random oracles; computation is black-box.

Reality: neither idealization holds for a physical implementation (contrasted on the next slide).

Page 9: Black-box model vs. Reality

Security model: black box. The adversary controls the inputs X and outputs Y, but the internal computation and the key K are completely hidden. Attacks here target the mathematical algorithm.

Reality: once implemented, the device leaks partial information about its internals (leakage: e.g., power consumption, running time, electromagnetic radiation...). Attacks here target the implementation.

Page 10: Physical devices are not black boxes

1. Proofs in the black-box model are less meaningful.
2. Even worse: side-channel attacks exploit leakage and break real-world implementations.

Goal of leakage resilient crypto: weaken the black-box assumption and incorporate broad classes of leakage into the model, then develop new cryptoalgorithms with built-in resistance against leakage and prove their security. Important question: what are these classes?

Page 11: Leakage Resilient Cryptography

Hot topic...
- Digital signatures: [AWD09, KV09, FKPR10, DHLW10, BKKV10, BSW11, ...]
- Public key encryption: [AGV09, NS09, DHLW10, BKKV10, BSW11, ...]
- Identity based encryption: [DHLW10, CDRW10, LRW11, ...]
- Multiparty computation: [ISW03, FRRTV10, GR10, JV10, ...]
- Zero knowledge: [GJS11]

But surprisingly little is known about symmetric primitives...
- Pseudorandom generators: [DP08, Pie09, YSPY10]
- Pseudorandom functions & permutations: [DP10, FPS11]
(Most of this talk.)

Pages 12-13: Defining leakage

Leakage is modeled by a leakage function f: an arbitrary efficient adversary chooses inputs X, observes outputs Y, and in addition obtains the leakage f(K).

Arbitrary leakage function? No... e.g., f(K) = K means no security. Some restrictions are necessary.

Does this make sense in practice? In many cases yes...
- Power consumption modeled by f(K) = Hamming weight of the wires in the circuit.
- Running time of the device.

Page 14: What are possible restrictions?

One attempt: consider a specific leakage function (such as Hamming weight or timing). But we do not want to protect only against specific attacks.

Leakage Resilient Crypto: consider broad classes of leakage functions!

Page 15: A broad class of leakage functions

The adversary picks f ∈ L and obtains f(K), where L is the class of poly-time computable input-shrinking functions: L = { f : {0,1}^m -> {0,1}^n }, with n < m.

Observation: since f is poly-time, it can simulate all intermediate values of the computation and leak about them.

Many realistic leakages (Hamming weight, running time) exploit only a poly-log amount of information.

Problem: the total leakage is << the length of the key. Reality: many observations are possible (many attacks exploit a large number of observations).

Pages 16-17: Continuous Leakage Model

Many adaptive observations: in observation j = 1, ..., q the adversary chooses an input X_j and a leakage function f_j, and obtains the output Y_j and the leakage f_j(K). Leakage is bounded per observation to n bits, but the total leakage is >> |K|.

Models, e.g., DPA, where we need many power samples to recover the key.

Page 18: Rest of this talk

1. Leakage Resilient Stream Cipher
2. Leakage Resilient PRFs
3. Leakage Resilient Circuits

Page 19: Leakage Resilient Stream Cipher

First construction: Dziembowski-Pietrzak-08. Simpler construction: Pietrzak-09.

Stream ciphers ≈ pseudorandom generators: from a short key K they produce a long pseudorandom stream X. Pseudorandomness: no efficient (PPT) adversary can distinguish X from random.

Page 20: Stream ciphers in practice

The stream X is generated from K in rounds (one block per round): SC(K) outputs X1, X2, X3, X4, ... over time.

Pages 21-23: Standard Security Notion

Given the previous blocks X1, X2, ..., X_{i-1}, which the adversary knows, the next block X_i should look random.

How to extend this to the leakage setting? The adversary additionally knows the leakages f1(K), f2(K), ..., f_{i-1}(K), where each f_j is a poly-time computable, bounded-output leakage function, and X_i should still look random.

Some problems?
1. The adversary can learn the entire key K bit-by-bit.
2. Given the leakage f_{i-1}(K), the block X_i is not pseudorandom anymore: f_{i-1}(K) can leak some bits about X_i.

Pages 24-25: Key evolution

In each round the key K_i is used to compute the output block X_i and the new state K_{i+1}: SC takes K1 to (X1, K2), K2 to (X2, K3), K3 to (X3, K4), ...

- Requirement: key evolution must be deterministic! Otherwise it cannot be used for encryption, since the decrypting party has to regenerate the same stream.
- Also the key update leaks: the adversary obtains f1(K1), f2(K2), ...

Is key evolution sufficient?

Page 26: Is key evolution sufficient?

Learning the key bit-by-bit does not work anymore. But can X2 be pseudorandom given the leakage f1(K1)? No! Key evolution is deterministic, so f1 can compute K2 from K1 and leak bits of X2.

Even worse, a pre-computation attack: the leakage functions f1, ..., f_{i-1} can all leak about the future state K_i, and may reveal the entire K_i even with only one bit of leakage per observation.

Page 27: How to avoid this attack?

Is the pre-computation attack relevant in practice? No! It's a problem of the model...

Use the restriction introduced by Micali-Reyzin-04: "only computation leaks information", or in other words: "untouched memory cells do not leak information".

Pages 28-31: Only computation leaks

The state is divided into parts, L and R. If a part (say L) is used in the current computation, f(L) leaks to the adversary; a part that is not accessed (R) does not leak.

The restriction can be relaxed in many cases to independent leakages: even if R is not accessed, f(R) may leak, but independently of L (no single leakage function sees L and R together).

How can we use this to avoid pre-computation?

Pages 32-39: The stream cipher – high-level view

Divide memory into three parts: L, X, R. X holds the pseudorandom output of the cipher; L and R hold the secret state.

Round 1: SC computes (X2, R2) from (X1, R1); L2 := L1 stays unmodified. Recall: the leakage is a polynomial-time computable function, i.e., we can also leak from (X2, R2).

Round 2: SC computes (X3, L3) from (X2, L2); R3 := R2 unmodified. Round 3: SC computes (X4, R4) from (X3, R3); L4 := L3 unmodified. And so on, alternating between R and L.

The alternation prevents the pre-computation attack. E.g.: f1 sees only (X1, R1) and cannot leak about the state (L3, X3, R3): X3 and L3 depend on L1, which f1 never sees.

What can we prove? X_i is pseudorandom given X1, ..., X_{i-1} and the leakages f1(X1, R1), ..., f_{i-2}(X_{i-2}, L_{i-2}), each leakage function seeing only the half (R or L, alternating) used in its round. The leakage f_{i-1} of the round that produces X_i is excluded, since it could leak bits of X_i directly (problem 2 on page 23).

How can we instantiate SC?

Page 40: Dziembowski-Pietrzak-08

Round i maps (L_{i-1}, X_{i-1}, R_{i-1}) to (L_i, X_i, R_i), with L_i := L_{i-1} unmodified:

- Use a randomness extractor: from the short random seed X_{i-1} and the high-min-entropy source R_{i-1}, generate an almost uniform string Y_i = Ext(X_{i-1}, R_{i-1}).
- But: Y_i is much shorter than the evolved state R_i and the output X_i. So use a pseudorandom generator: from the short random seed Y_i, generate the long pseudorandom string (X_i, R_i) = PRG(Y_i), which is as good as uniform.

Security proof: see the paper!

Page 41: Alternative Instantiations

Pietrzak-2009: use a weak PRF F (for a fixed key and random inputs, the output is pseudorandom). Round i computes (X_i, Y_i) = F(R_{i-1}, X_{i-1}): the state half R_{i-1} serves as the key, the previous output block X_{i-1} as the random input, and Y_i becomes the evolved state half R_i (L_i := L_{i-1} unmodified).

Yu-Standaert-Pereira-Yung-2010:
• even simpler construction & tight security reduction
• but in the random oracle model, and the leakage function cannot query the RO
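As an added worked example (not code from the talk or from the cited papers): a Python sketch of the alternating construction of pages 32-41 in the Pietrzak-2009 instantiation. HMAC-SHA256 stands in for the weak PRF F (an assumption; no wPRF proof is claimed for it), the key halves L and R, the block size and the initial value are constructed inputs, and the Hamming weight of the half in use stands in for the bounded leakage f_i of pages 13-15. In this numbering X_0 is the public initial value, so round 1 reads (X_0, R).

```python
import hmac
import hashlib
from typing import Callable, List, Tuple

BLOCK = 32  # bytes per key half and per output block (constructed choice)


def wprf(key: bytes, x: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the weak PRF F of Pietrzak-2009. Assumption (not from the
    slides): HMAC-SHA256 under a fixed key, evaluated on pseudorandom inputs,
    is a wPRF. Two domain-separated calls yield the two output blocks: the
    next stream block X_i and the evolved key half."""
    next_block = hmac.new(key, b"block" + x, hashlib.sha256).digest()
    next_key = hmac.new(key, b"key" + x, hashlib.sha256).digest()
    return next_block, next_key


def hamming_weight_leakage(used_half: bytes, x_prev: bytes) -> int:
    """Constructed leakage function f_i(X_{i-1}, K_used): the Hamming weight
    of the key half touched in this round (the slides' power model). The
    value fits in 9 bits, far below the 256-bit half it is computed from,
    so the per-observation leakage is bounded."""
    return sum(bin(b).count("1") for b in used_half)


def run_stream_cipher(L: bytes, R: bytes, X0: bytes, rounds: int,
                      leak: Callable[[bytes, bytes], int] = hamming_weight_leakage
                      ) -> Tuple[List[bytes], List[int], Tuple[bytes, bytes]]:
    """Alternating construction of the slides: odd rounds read only R, even
    rounds read only L; the other half is left untouched and, under the
    "only computation leaks" restriction, cannot be leaked on in that round.
    Returns the blocks X_1..X_q, the leakages f_i(X_{i-1}, K_used) observed
    in each round, and the final state (L, R)."""
    outputs: List[bytes] = []
    leakages: List[int] = []
    x = X0
    for i in range(1, rounds + 1):
        used = R if i % 2 == 1 else L
        leakages.append(leak(used, x))    # f_i sees only the half in use
        x, evolved = wprf(used, x)        # (X_i, K_i) = F(K_used, X_{i-1})
        if i % 2 == 1:
            R = evolved                   # L_i := L_{i-1} unmodified
        else:
            L = evolved                   # R_i := R_{i-1} unmodified
        outputs.append(x)
    return outputs, leakages, (L, R)
```

Key evolution is deterministic, so a decryptor holding the same (L, R, X_0) regenerates the identical stream. The leakage of round 1 is computed from (X_0, R) only: it can predict X_1 and the evolved R, but not X_2, which depends on the untouched L. That is the alternation argument of page 37 in this numbering.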

Page 42: Rest of this talk

1. Leakage Resilient Stream Cipher
2. Leakage Resilient PRFs
3. Leakage Resilient Circuits

Pages 43-44: Pseudorandom Functions

Pseudorandom generator G(K): for a short key K, outputs a long pseudorandom string X.

Pseudorandom function F(K, .): for a short key K, can be queried on an input X and outputs a pseudorandom string Y. Queries can be repeated many times, and F behaves as a function: for the same input, it returns the same output.

Standard security notion: Y_{i+1} is pseudorandom given Y1, ..., Y_i, if X_{i+1} has not been queried.

How can we extend this to the leaky setting?

Page 45: How to extend to the leaky setting?

The adversary queries X1, X2, ..., Xq, obtains Y1, Y2, ..., Yq, and additionally the leakages f1(K, X1), f2(K, X2), ..., fq(K, Xq). Y_{q+1} should be pseudorandom if X_{q+1} has not been queried yet.

Problem: the leakage allows the adversary to recover K bit-by-bit.

Can we use key evolution again? No: for two identical queries the PRF has to return the same values!

Page 46: Leakage Resilient PRF -- Restrictions

We use the following restrictions:
1. Leakage is bounded per observation.
2. Only computation leaks information. At a lower architectural level: the computation of the PRF is structured into t time steps which leak independently.
3. Leakage functions are fixed a priori by the device. Reasonable in reality: the adversary has no full adaptive control over the leakage functions.

Page 47: Leakage Resilient PRF

The standard way to build a PRF is the GGM tree construction: starting from the key K at the root, every node is expanded by a length-doubling PRG G into two children; the bits of the input select the left or right child level by level, and the leaf reached is the pseudorandom output.

Page 48: Is GGM leakage resilient?

Does this suffice? No: the pre-computation attack is still possible.

Dodis-Pietrzak-10: a hybrid of a leakage resilient stream cipher and the GGM tree is a leakage resilient PRF, assuming each node leaks independently and the leakage functions are fixed a priori.

F-Pietrzak-Schipper-11: simpler & more natural construction (only secure for non-adaptive input queries).
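An added example (not from the slides or the cited papers) of the GGM tree of pages 47-48 in Python, with a hook that records one leakage per node. SHA-256 with a domain-separation byte stands in for the length-doubling PRG G (an assumption), and the Hamming weight of each node consumed stands in for the per-node leakage of the restrictions on page 46. The helper shared_prefix_length is introduced here only to make visible that two inputs sharing a prefix walk the same nodes and therefore produce identical leakages on that prefix, which is the structure a leakage-resilience argument for GGM has to deal with.

```python
import hashlib
from typing import Callable, List, Optional, Tuple


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G: 32-byte seed -> (G_0(seed), G_1(seed)).
    Assumption (not from the slides): SHA-256 with a one-byte domain
    separator behaves as a PRG."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())


def hamming_weight(block: bytes) -> int:
    """Constructed per-node leakage: Hamming weight of a node value."""
    return sum(bin(b).count("1") for b in block)


def ggm_prf(key: bytes, x: bytes,
            leak: Optional[Callable[[bytes], int]] = None) -> Tuple[bytes, List[int]]:
    """GGM tree PRF: F(K, x) = G_{x_n}(...G_{x_2}(G_{x_1}(K))...). Bit j of x
    selects the left (0) or right (1) half of G at depth j. If a leakage
    function is given it is applied to the node value consumed at each step
    (the value G is computed on, i.e. what "only computation leaks" exposes);
    the list of per-node leakages is returned together with the output."""
    node = key
    leakages: List[int] = []
    for byte in x:
        for shift in range(7, -1, -1):
            if leak is not None:
                leakages.append(leak(node))
            left, right = prg(node)
            node = right if (byte >> shift) & 1 else left
    return node, leakages


def shared_prefix_length(x: bytes, y: bytes) -> int:
    """Number of leading bits on which x and y agree. The two tree walks
    visit exactly these nodes in common, so their leakages coincide there."""
    n = 0
    for a, b in zip(x, y):
        for shift in range(7, -1, -1):
            if ((a >> shift) & 1) != ((b >> shift) & 1):
                return n
            n += 1
    return n
```

Because the PRF is deterministic, repeating a query repeats the whole walk and thus the whole leakage vector; the adversary gains fresh leakage only by querying inputs that branch off earlier in the tree, which is why the per-node, a-priori-fixed leakage model matters for the results cited above.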

Page 49: Rest of this talk

1. Leakage Resilient Stream Cipher
2. Leakage Resilient PRFs
3. Leakage Resilient Circuits

Pages 50-52: Leakage Resilient Circuits

Proof of leakage resilient AES? Unlikely: we cannot even prove that AES is black-box secure.

Idea: show that the implementation is as secure as in the black-box world.

Leakage Resilient Circuit Compilers. A circuit compiler takes as input the description of an arbitrary Boolean circuit C (e.g., AES) and a key K, and outputs the description of a transformed circuit C' and key K'. The transformed circuit C' computes the same input/output behaviour (X to Y) and is resistant to continuous leakages from some function class L: even given leakage, C' is as secure as in the black-box world.

Pages 53-55: What is the class of functions L?

Theorem 1: A compiler that makes any circuit resilient to probing up to t wires [Ishai-Sahai-Wagner-03]. Here L is the specific leakage function that lets the adversary learn the values of up to t wires.

Theorem 2: A compiler that makes any circuit resilient to global computationally weak leakages [F-Rabin-Reyzin-Tromer-Vaikuntanathan-10]. The leakage functions f(K) are not PPT but come from a weak complexity class that cannot compute certain linear functions, e.g., parity: the class of leakage functions is L = AC0.

Theorem 3: A compiler that makes any circuit resilient to global noisy leakages [F-Rabin-Reyzin-Tromer-Vaikuntanathan-10]. The leakage is {wire_i + noise η_i}, i.e., every wire perturbed by independent noise.

This is a proof-driven analysis of the masking-based countermeasure. Can we get circuit compilers for broader classes?
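An added example (not the ISW03 paper's code) of the Theorem 1 compiler of pages 53-55 in Python: the Boolean circuit is evaluated gate by gate on n = 2t + 1 XOR shares, XOR gates act share-wise and AND gates use the ISW multiplication gadget. The circuit compiled here, a 3-input majority, and the seeds are constructed for the demonstration; single_wire_counts shows the t-probing guarantee empirically for t = 1 by probing one output wire of the AND gadget at a time.

```python
import random
from itertools import product
from typing import List


def xor_all(bits: List[int]) -> int:
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def share(bit: int, n: int, rng: random.Random) -> List[int]:
    """Encode one wire as n XOR shares; n = 2t + 1 gives t-probing security
    in the ISW03 compiler (the compiled key K' is the sharing of K)."""
    shares = [rng.getrandbits(1) for _ in range(n - 1)]
    shares.append(bit ^ xor_all(shares))
    return shares


def xor_gadget(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def not_gadget(a: List[int]) -> List[int]:
    return [a[0] ^ 1] + a[1:]


def and_gadget(a: List[int], b: List[int], rng: random.Random) -> List[int]:
    """ISW03 multiplication gadget. For i < j draw r_ij at random and set
    r_ji = (r_ij XOR a_i b_j) XOR a_j b_i, parenthesised in this order so no
    intermediate wire equals a_i b_j XOR a_j b_i. Then c_i = a_i b_i XOR
    (XOR over j != i of r_ij): every c_i is masked by fresh randomness, and
    the XOR of all c_i equals (XOR a_i) AND (XOR b_i)."""
    n = len(a)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng.getrandbits(1)
            r[j][i] = (r[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])
    c = []
    for i in range(n):
        ci = a[i] & b[i]
        for j in range(n):
            if j != i:
                ci ^= r[i][j]
        c.append(ci)
    return c


def majority_plain(a: int, b: int, c: int) -> int:
    """Constructed example circuit C: MAJ(a, b, c) = ab XOR bc XOR ca."""
    return (a & b) ^ (b & c) ^ (c & a)


def majority_masked(a: int, b: int, c: int, t: int, rng: random.Random) -> List[int]:
    """The compiled circuit C': the same wiring, gate by gate, on shares."""
    n = 2 * t + 1
    sa, sb, sc = share(a, n, rng), share(b, n, rng), share(c, n, rng)
    ab = and_gadget(sa, sb, rng)
    bc = and_gadget(sb, sc, rng)
    ca = and_gadget(sc, sa, rng)
    return xor_gadget(xor_gadget(ab, bc), ca)


def check_majority_compiler(t: int, seed: int) -> bool:
    """Correctness of C': for every input, recombining the output shares of
    the masked majority gives the plain majority."""
    rng = random.Random(seed)
    for a, b, c in product((0, 1), repeat=3):
        if xor_all(majority_masked(a, b, c, t, rng)) != majority_plain(a, b, c):
            return False
    return True


def single_wire_counts(a: int, b: int, t: int, trials: int, seed: int) -> List[int]:
    """Probe one wire at a time: for fixed inputs a, b count how often each
    output share of the AND gadget is 1. Each share is masked by fresh
    randomness, so the counts stay near trials/2 whatever a and b are: a
    1-probe adversary learns nothing from any single wire."""
    rng = random.Random(seed)
    n = 2 * t + 1
    counts = [0] * n
    for _ in range(trials):
        c = and_gadget(share(a, n, rng), share(b, n, rng), rng)
        for i in range(n):
            counts[i] += c[i]
    return counts
```

The order of operations in and_gadget is the part practitioners most often get wrong: computing a_i b_j XOR a_j b_i first creates a wire that, probed together with one share of a or b, leaks about the other input, which breaks the t-probing bound even though the recombined output is still correct.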

Page 56: Circuit compilers for PPT leakage?

Juma-Vahlis-2010: uses fully homomorphic encryption. Goldreich-Rothblum-2010: encrypts every wire of the original circuit with a fresh pk/sk. Both are impractical! Can we do better?

Dziembowski-F-11: using two-source extractors. It's provably secure, but does this offer better real-world security than standard masking? We are currently exploring this with practitioners!

Page 57: Conclusions

Yes, extending the black-box model is possible. More interaction between theoreticians and practitioners is needed to find valid restrictions and efficient schemes.

Many open problems, e.g.,
• Leakage resilient block ciphers
• Security against continuous hard-to-invert leakage
• More results for computationally bounded leakage

Page 58: Thank you!