Private Circuits: Protecting Circuits Against Side-Channel Attacks. Yuval Ishai, Technion & UCLA. Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner

Dec 14, 2015

Transcript
Page 1: Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits: Protecting Circuits Against Side-Channel Attacks

Yuval Ishai, Technion & UCLA

Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner

Page 2:

A Live Demonstration

• Can you keep secrets?

• … and now?

Page 3:

Talk Overview

• The goal

• Security definition

• Overview of results and techniques

• Open questions

Page 4:

The Goal

[Figure: circuit C with secret state s maps input m to AES(s,m); the transformed circuit C’ with state s’ maps the same input m to AES(s,m)]

• Same I/O functionality

• Keeps s secret even in the presence of side-channel attacks
– leakage
– tampering

Page 5:

Comparison with Related Work

• Protecting general, reactive circuits
– vs. realizing a specific task [DP08]
– vs. a one-time computation [GKR08]

• Continuous and adaptive leakage/tampering
– vs. bounded leakage [AGV09]

• Entire circuit susceptible to leakage/tampering
– vs. “only computation leaks information” [MR04]
– vs. “algorithmic tamper-proof security” [GLM+04]

Page 6:

The Model

[Figure: INPUT → CIRCUIT → OUTPUT, with MEMORY attached to the circuit]

• In each cycle:
– Adv chooses input
– Adv chooses an admissible (t-bounded) attack
  • Leakage and/or tampering from a specified class
– Adv observes output + leakage
– Memory state is updated

Page 7:

Circuit Transformers

[Figure: transformer T maps the circuit C (INPUT, CIRCUIT, OUTPUT, MEMORY) to C’ and the initial state s0 to s0’]

• T=(TC,Ts), on inputs k,t, maps C to C’ and s0 to s0’.

• Ts must be randomized
– Otherwise initial state s0 is revealed by probing

• C’ can be either randomized or (better yet) deterministic.

Page 8:

Security Definition

[Figure: same transformer diagram as page 7: T maps C to C’ and s0 to s0’]

• T respects functionality: C[s0] ≡ C’[s0’]

• T protects privacy: ∀C ∃Sim ∀ t-bounded Adv ∀ s0:
  Sim^{Adv, C[s0]} ≈ view of Adv attacking C’[s0’]
– Even in case of tampering, only privacy is required

Page 9:

Relation with Obfuscation

[Figure: same transformer diagram as page 7: T maps C to C’ and s0 to s0’]

• C’[s0’] should act like a “virtual black-box” for C[s0].
– Even in the presence of side-channel attacks

• Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated
– Can’t probe all wires in a single cycle
– Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
– Can’t freely “edit” gates and wires

Page 10:

Results: Passive Attacks

• I-Sahai-Wagner03: probing attacks
– Adv probes t wires in each cycle
– Several circuit transformers
  • |C’|=O(t²)·|C|, randomized
  • |C’|=O(t²)·|C|+poly(t,k), deterministic
  • |C’|=O~(|C|), t=Ω~(width(C)), if probes can’t be added within a cycle
– Randomized routing technique

• Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10:
– constant depth leakage (e.g., AC0) with t-bit output
  • |C’|=O((t+k)²)·|C|
– noisy leakage: each bit flipped with prob. p
  • |C’|=O(k²)·|C|
– both require tamper-proof, randomized “opaque gates”

Page 11:

Results: Tampering Attacks

• I-Prabhakaran-Sahai-Wagner 06:
– Permanent Reset attacks, unbounded
  • |C’|=O(k²)·|C|
– Permanent Set/Reset/Toggle, up to t per cycle
  • |C’|=poly(k,t)·|C|
  • Requires AND gates of fan-in O(kt)
– Both constructions can be made deterministic

Page 12:

Probing Attacks and MPC

[Figure: standard MPC among n parties, next to client-server MPC with input clients, servers, and output clients]

Standard MPC [BGW88,CCD88]: Unconditional security if t<n/2 parties are passively corrupted.

Client-Server MPC: Unconditional security if t<n/2 servers are corrupted.

Page 13:

Probing Attacks and MPC

[Figure: client-server MPC with input clients, servers, and output clients]

Client-Server MPC: Unconditional security if t<n/2 servers are corrupted.

Further extending MPC model:
– Reactive functionalities
– Mobile adversary [OY91]
– No online randomness [CH94]

Page 14:

MPC on Silicon

[Figure: an input client holding xi, servers S1, S2, S3 repeated across cycles, an initializer holding s0, and an output client receiving yi]

Conversely: Private circuit ⇒ MPC
– TC = protocol compiler
– Ts = initializer algorithm

Page 15:

MPC on Silicon?

• Very different optimization goals
– Typical MPC: maximize resilience / #parties
– Private circuits: maximize resilience / computation

• Ideally: many tiny parties, constant fractional resilience

• Using MPC protocols from the literature
– BGW88:
  • Based on Shamir’s secret sharing
  • 2t+1 servers, O~(t²)·|C| computation, nontrivial field arithmetic
– “GMW-lite” [GMW87,GV87,GHY87]:
  • Based on additive (XOR) secret sharing
  • t+1 servers, O(t²)·|C| computation in OT-hybrid model
  • Implement OT calls via additional servers!
  • ISW03 construction is an optimized version of this approach

Page 16:

Concrete ISW03 Implementation

• Secrets additively shared into m=2t+1 shares

• Given shares of a=a1 ⊕ … ⊕ am, b=b1 ⊕ … ⊕ bm
– Compute shares of Not(a): apply NOT to a1
– Compute shares ci of a AND b:
  • Let zi,j, i<j, be random independent bits
  • Let zj,i = (zi,j ⊕ aibj) ⊕ ajbi
  • Let ci = aibi ⊕ (⊕_{j≠i} zi,j)

• Randomness gates eliminated by using 2t+1 copies of a PRG
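An added Python model of the sharing, NOT and AND gadgets described on this slide (my own illustration, not code from the talk or from ISW03); it assumes m = 2t+1 additive shares and takes the random bits zi,j from Python's secrets module, standing in for the circuit's randomness gates. The check at the end confirms that reconstructing the output shares gives the plain NOT and AND on every input.

```python
import secrets  # source of the fresh random bits (a constructed choice for this demo)

def share(bit, m, rng=secrets.randbits):
    """Additive sharing: m shares whose XOR is `bit` (m = 2t+1 for t probes)."""
    shares = [rng(1) for _ in range(m - 1)]
    shares.append(bit ^ (sum(shares) & 1))
    return shares

def reconstruct(shares):
    """XOR of all shares; only a legitimate reader does this, never the circuit."""
    return sum(shares) & 1

def not_gadget(a):
    """Shares of NOT(a): flip share a1 only; the XOR of all shares flips."""
    return [a[0] ^ 1] + a[1:]

def and_gadget(a, b, rng=secrets.randbits):
    """Shares c_i of a AND b, following the z_{i,j} / z_{j,i} rule on the slide."""
    m = len(a)
    z = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            z[i][j] = rng(1)  # fresh random bit z_{i,j}, i<j
            # z_{j,i} = (z_{i,j} xor a_i b_j) xor a_j b_i; the bracketing models the
            # wire order, so a_i b_j xor a_j b_i never sits unmasked on one wire
            z[j][i] = (z[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])
    c = []
    for i in range(m):
        ci = a[i] & b[i]  # c_i = a_i b_i xor (XOR over j != i of z_{i,j})
        for j in range(m):
            if j != i:
                ci ^= z[i][j]
        c.append(ci)
    return c

def check_correctness(t=1, trials=256):
    """True if NOT and AND are right on every input over `trials` random sharings."""
    m = 2 * t + 1
    for _ in range(trials):
        for a in (0, 1):
            for b in (0, 1):
                sa, sb = share(a, m), share(b, m)
                if reconstruct(not_gadget(sa)) != (a ^ 1):
                    return False
                if reconstruct(and_gadget(sa, sb)) != (a & b):
                    return False
    return True
```

Correctness follows because zi,j ⊕ zj,i = aibj ⊕ ajbi for every pair i<j, so XORing all ci yields (⊕ai)(⊕bj); privacy against t probes is what the 2t+1 shares and the fixed bracketing are for, and is not checked by this script.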

Page 17:

Tampering Attacks

• Recall model
– adversary can permanently set, reset, toggle t wires in each cycle
– eventually, all wires can be tampered with!
– can’t use standard MPC, error-correction, signatures…

• Idea: “self-destruct” if tampering is detected
– How to implement if even the self-destruction mechanism can be tampered with?

• Idea: randomized mine-field
– Any tampering attempt can trigger a mine
– Few lucky tampering attempts do not harm

Page 18:

The High Level Approach

• Consider (unbounded) Reset attacks

• Encode each value in C by a pair of values
– 0 → 01
– 1 → 10
– 00, 11 interpreted as ⊥

• A Reset can either leave a value unchanged or turn it to ⊥

• Propagate ⊥ to outputs and memory (self-destruct)

• Still need to worry about correlation between secrets and ⊥

• Solution: Use ISW03 to get “k-wise independence”
– Adv should get lucky k times to violate privacy
– Being unlucky even a single time causes self-destruction

• General Set/Reset/Toggle attacks handled via longer encodings

Page 19:

The Low-Level Details

• A hacker’s paradise…


Page 21:

Further Research: Leakage

• Extend feasibility to other classes of leakage
– other realistic leakage classes (power analysis, …)
– “only computation leaks information”
– … anything that does not imply obfuscation
– leakage-resilient MPC?

• Probing attacks
– improve efficiency and resilience
– motivates new MPC complexity questions
– potential application for “MPC-friendly codes” [CC06,…]

• Constant-depth leakage
– eliminate “opaque gates” and randomness
– is [ISW03] secure?

Page 22:

Interactive Compression [FRRTV10]

• Compression algorithm for f [HN06]:

[Figure: x → compression algorithm → y → unbounded “solver” → f(x). In the leakage setting: x = shares of state, compression algorithm = leakage function, y = observed leakage, solver = adversary’s computation]

Page 23:

Interactive Compression [FRRTV10]

• Can parity be compressed?
– [Håstad]: circuits of depth d and size 2^(k^(1/d)) can’t compute XOR_k ⇒ compression to k^(1/d) bits is hard for such circuits
– [DI06]: even compression to k^0.99 bits is hard! ⇒ constant-depth leakage with t = k^0.99 is safe

• Previous compression model doesn’t handle adaptive attacks
– reduction to non-adaptive case yields poor bounds
– motivates study of “interactive compression”

Page 24:

Communication Complexity Game

[Figure: a Weak party holding X=01000100111010 sends messages to a Strong party, who must output Parity(X)]

Circuit complexity: Weak sends one bit

Compression: Weak sends t bits in one message

Interactive compression: Weak sends t bits overall

Challenge: good lower bounds for interactive compression

Page 25:

Further Research: Tampering

• Tolerate an unbounded number of attacks
– Possible using tamper-proof components of size k
– Open: use components of size O(1)

• Tolerate wider classes of tampering + leakage

• Develop a general theory
– Apply general non-malleable codes [DPW10]
– Tamper-resilient MPC

Page 26:

Conclusion

• Bottomless pool of open questions

• Motivate independently interesting theoretical questions
– Leakage- and tamper-resilient MPC
– Feasibility of relaxed obfuscation
– Hardness of compression

• Relevance to practice?