Protecting Circuits from Computationally-Bounded Leakage Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University MIT/Microsoft CIS Seminar September 18, 2009
Page 1: Protecting Circuits from Computationally-Bounded Leakage

Eran Tromer (MIT)

Joint work with Sebastian Faust (K.U. Leuven) and Leo Reyzin (Boston University)

MIT/Microsoft CIS Seminar, September 18, 2009

Page 2: Side channel attacks

Examples: electromagnetic, acoustic, probing, cache, optical, power.

Page 3: Motivation

The great tragedy of Crypto – the slaying of a provably secure scheme by an ugly side channel.

Page 4: Engineering approach

Try preventing leakage: all known side channel attacks, and all new attacks during the device's lifetime.

Good luck.

Page 5: Cryptographic approach

Face the music: computational devices are not black-box.

Leakage is a given, i.e., modeled by an adversarial observer. The device should protect itself against it.

Page 6: Cryptographic machinery

Standard toolbox against polynomial-time adversaries (obfuscation, oblivious RAM, fully-homomorphic encryption). Minimize assumptions on the adversary's power. Looks impossible/hard/expensive to realize. Worth exploring!

New tools for a new setting: model the leakage more finely:
• What leaks
• How much leaks
• How the leakage is chosen

Devise ways to make specific functionality, or even arbitrary circuits, resilient to such leakage.

Page 7: Related work

[CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms

[ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks

[MR04]: Micali, Reyzin: Physically Observable Cryptography

[GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs

[DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model

[Pie09]: Pietrzak: A leakage-resilient mode of operation

[AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks

[ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model

[FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures

[DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input

[SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks

...

Page 8: Circuit transformation [Ishai Sahai Wagner '03]

(Figure: any Boolean circuit C with state M, input X and output Y is transformed into a circuit C' with state M'. An adversary probing t wires of C' learns no more than from black-box access: the two views are indistinguishable.)

Page 9: Our goal

Allow much stronger leakage.

Page 10: Our main construction

A transformation that makes any circuit resilient against:
• Global adaptive leakage: may depend on the whole state and intermediate results, and is chosen adaptively by a powerful on-line adversary.
• Arbitrary total leakage: bounded just per observation. [DP08]

But we must assume something:
• The leakage function is computationally weak [MR04]
• A simple leak-free component [MR04]

Page 11: Computationally-weak leakage

Assumption: the observed leakage is a computationally-weak function of the device's internal wires.

(Figure: the measurement itself is computationally weak ("antennas are dumb"), while the adversary processing it can be powerful.)

Page 12: Leak-free components

• Secure memory [MR04][DP08][Pie09][FKPR09]
• Secure processor [G89][GO95]
• Here: a simple component that samples from a fixed distribution, e.g., securely draw strings with parity 0.
  • No stored secrets or state
  • No input, so it can be precomputed → consumable leak-free "tape roll"
• Large leak-free components may be necessary in this model (more later)
• Can be relaxed

Page 13: Secure against global leakage

We do not assume spatial locality, such as:
• t wires [ISW03]
• "Only computation leaks information" [MR04][DP08][Pie09][FKPR09]

(Figure: a DRAM module.)

Page 14: Rest of this talk

1. Computation model
2. Security model
3. Circuit transformation
4. Proof approach
5. Extensions
6. Necessity of leak-free components

Page 15: Original circuit

Original circuit C of arbitrary functionality (e.g., crypto algorithms), with state M, over a finite field K. Example: AES encryption with secret key M.

(Figure: C[M] takes input X and produces output Y.)

Page 16: Original circuit: allowed gates

Allowed gates in C: multiply in K, add in K, coin ($: a fresh random field element), const (1), copy, memory (M).

(Boolean circuits are easily implemented.)

Page 17: Transformed circuit

(Figure: C'[M'] with transformed state M', input X and output Y.)

Same underlying gates as in C, plus an opaque gate (later).

Soundness: for any X, M: C[M](X) = C'[M'](X).

Page 18: Model: single observation in leakage class L

(Figure: the adversary supplies input X and a leakage function f ∈ L; the device with state M computes Y, and the adversary receives Y together with f(wires).)

Page 19: Model: adaptive observations

(Figure: in round i the adversary chooses X_i and f_i ∈ L and receives Y_i and f_i(wires_i), for i = 0, 1, 2 and so on. Between rounds the state is refreshed: M'_1, M'_2, M'_3, ...)

Refreshing the state allows the total leakage to grow.

Page 20: Model: L-secure transformation

Adversary learns no more than by black-box access:

(Figure: Real: C'[M'_i] answers X_i with Y_i and f_i(wires_i) for f_i ∈ L. Simulation: only black-box access to C[M_i], i.e., X_i ↦ Y_i. The two views must be indistinguishable.)

Next: constructions

Page 21: Motivating example: 1-wire probing

Problem: the adversary learns one bit of the state M.

Solution: share each value over many wires [ISW03, generalized].

Every value is encoded by a linear secret sharing scheme (Enc, Dec) with security parameter t:
• Enc: K → K^t (probabilistic)
• Dec: K^t → K (surjective linear function)

Page 22: Leakage: L-leakage-indistinguishability

(Enc, Dec) is L-leakage-indistinguishable if for all x_0, x_1 ∈ K:

(Game: b ←R {0,1}; the adversary chooses f ∈ L, receives f(Enc(x_b)) and outputs b'.)

Pr[b' = b] − ½ ≤ negl

Consequence: leakage functions in L cannot decode.

Page 23: Main construction

For any linear encoding scheme that is L-leakage indistinguishable, we present an L'-secure transformation for any circuit and state.

(Figure: L' ⊆ L. Assumption: the encoding can tolerate the leakage functions f ∈ L. Theorem: the transformed circuit can tolerate the "simple" leakage functions f' ∈ L'.)

Page 24: Unconditional resilience against AC0 leakage

Some known circuit lower bounds imply L-leakage-indistinguishability.

(Figure: leakage f' ∈ AC0 applied to Enc(x) is reduced to f ∈ AC0 with overhead depth 2, size O(t^2); Dec = Parity, which is hard for AC0.)

Theorem: unconditional resilience against AC0 leakage (constant-depth, polynomial-size circuits).

Page 25: Transformation: high level

(Figure: C[M] → C'[M'].)

• The state is encoded: M' = Enc(M)
• Circuit topology is preserved
• Every wire is encoded
• Inputs are encoded; outputs are decoded
• Every gate is converted into a gadget operating on encodings

Page 26: Computing on encodings: first attempt

Notation: x̄ = Enc(x).

(Figure: the + gate is evaluated by decoding ā and b̄ to a and b, computing c = a + b in the clear, and re-encoding to c̄ = Enc(c); the leakage f(wires) sees the decoded values.)

Easy to attack.

Page 27: Computing on encodings: second attempt: use linearity

(Figure: the + gate is evaluated share-wise, c_i = a_i + b_i for i = 1, ..., t, on ā = Enc(a) and b̄ = Enc(b); leakage f(wires)???)

Works well for a single gate... but does not compose. Exponential security loss (for AC0).

Page 28: Intuition: wire simulation

(Figure: the adversary sends X and f and receives Y and f(wires); the simulator must produce wires without M.)

Since f can verify arbitrary gates in the circuit, the wires must be consistent with X and Y. Problem: the simulator does not know the state M, so it is hard to simulate internal wires!

Solution: to fool the adversary, introduce a non-verifiable atomic gate.

Page 29: Opaque gate

Fool the adversary: the gate is non-verifiable by functions in L.

Opaque gate: Enc(0)
• Samples from a fixed distribution.
• No inputs.
• Can be realized by a leak-free "consumable tape".

Page 30: Using the opaque gate

Full transformation for the + gate: c̄ = ā + b̄ + ō, where ō = Enc(0) is produced by the opaque gate and the additions are share-wise.

Wire simulator's advantage: it can change the output of the opaque gate without being noticed (L-leakage-indistinguishable). So it can simulate this gate independently of all other gates.

Page 31: Other gates

• Similar transformation for other gates.
• The challenging case is the non-linear gate: multiplication. Hard to make leak-resilient; standard MPC doesn't work. Trick: give the wire simulator enough degrees of freedom.

(Figure: multiplication gadget on ā and b̄, built from the products a_i b_j, several Enc(0) samples, Dec gates and additions; intermediate values labelled B, S, q and o; output c̄.)

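The following is an added worked example (my own code, not the talk's or the paper's) that makes the preceding slides concrete over K = GF(2): the parity encoding Enc/Dec of page 21, the opaque gate Enc(0) of page 29, the share-wise + gadget of page 30, a reconstruction of the multiplication gadget sketched on page 31 (the exact wiring is my assumption), the state refresh of page 19, and the soundness condition of page 17 checked exhaustively on a constructed toy circuit. The share count T, the wire names, the toy circuit and the single-wire probe experiment are all my assumptions.

```python
import secrets
from itertools import product

# Added example, not code from the talk or the paper it presents.
# K = GF(2) and the parity encoding: Enc(x) is a uniformly random t-bit
# string whose XOR is x, Dec is the XOR (parity). The opaque gate Enc(0)
# is modelled as a trusted sampler. T and the toy circuit are my choices.

T = 4  # security parameter t: number of shares per value (assumed value)


def opaque_enc0(t=T):
    """Opaque gate: sample Enc(0), a random t-bit string of parity 0.
    No input and no stored state, so in hardware it could be precomputed
    onto a leak-free 'tape roll'; here it is just a trusted random source."""
    shares = [secrets.randbits(1) for _ in range(t - 1)]
    shares.append(sum(shares) % 2)  # last share fixes the parity to 0
    return shares


def enc(x, t=T):
    """Enc: K -> K^t (probabilistic): Enc(0) with x folded into share 0,
    which gives a uniformly random string of parity x."""
    shares = opaque_enc0(t)
    shares[0] ^= x & 1
    return shares


def dec(shares):
    """Dec: K^t -> K, the surjective linear map XOR of all shares."""
    p = 0
    for s in shares:
        p ^= s
    return p


def add_gadget(a, b):
    """Transformed '+' gate: c_i = a_i + b_i + o_i with o = Enc(0).
    Adding o is what lets the wire simulator choose c independently of the
    other gadgets (it may swap the opaque output without being noticed)."""
    o = opaque_enc0(len(a))
    return [ai ^ bi ^ oi for ai, bi, oi in zip(a, b, o)]


def mul_gadget(a, b):
    """Transformed '*' gate, my reconstruction of the slide (assumption):
    B_ij = a_i * b_j; mask each row of B with a fresh Enc(0) row (S);
    decode each masked row to q_i = a_i * Dec(b); refresh q with a final
    Enc(0). Then Dec(q) = Dec(a) * Dec(b), and no single wire carries more
    than one masked product or one share."""
    t = len(a)
    B = [[ai & bj for bj in b] for ai in a]
    S = [opaque_enc0(t) for _ in range(t)]
    q = [dec([B[i][j] ^ S[i][j] for j in range(t)]) for i in range(t)]
    o = opaque_enc0(t)
    return [qi ^ oi for qi, oi in zip(q, o)]


def refresh(v):
    """State refresh between observations: add Enc(0) to an encoded value,
    so the shares seen in round i say nothing about the shares of round i+1."""
    o = opaque_enc0(len(v))
    return [vi ^ oi for vi, oi in zip(v, o)]


# A gate is (op, src1, src2, dst) over named wires, op in {'+', '*'}.
# Constructed toy circuit C[M](x1, x2) = m*x1 + x2*m with secret state m.
TOY_GATES = [('*', 'm', 'x1', 'u'), ('*', 'x2', 'm', 'v'), ('+', 'u', 'v', 'y')]


def run_plain(gates, inputs):
    """Evaluate the original circuit C on plain bits; returns every wire."""
    w = dict(inputs)
    for op, s1, s2, d in gates:
        w[d] = (w[s1] ^ w[s2]) if op == '+' else (w[s1] & w[s2])
    return w


def run_transformed(gates, inputs_enc):
    """Evaluate C': same topology, each gate replaced by its gadget."""
    w = dict(inputs_enc)
    for op, s1, s2, d in gates:
        w[d] = add_gadget(w[s1], w[s2]) if op == '+' else mul_gadget(w[s1], w[s2])
    return w


def sound(gates, inputs, outputs):
    """Soundness for one (X, M): C[M](X) == Dec(C'[Enc(M)](Enc(X)))."""
    plain = run_plain(gates, inputs)
    trans = run_transformed(gates, {k: enc(v) for k, v in inputs.items()})
    return all(plain[o] == dec(trans[o]) for o in outputs)


def exhaustive_soundness(gates=TOY_GATES, names=('m', 'x1', 'x2'), outputs=('y',)):
    """Soundness over every assignment of the named input and state wires."""
    return all(sound(gates, dict(zip(names, bits)), outputs)
               for bits in product((0, 1), repeat=len(names)))


def probe_marginal(x, idx, t=T, trials=4000):
    """1-wire probing as the leakage function f: read share `idx` of Enc(x).
    Returns the fraction of 1s, which is about 1/2 whether x is 0 or 1, so
    this f cannot win the L-leakage-indistinguishability game."""
    return sum(enc(x, t)[idx] for _ in range(trials)) / trials
```

Run `exhaustive_soundness()` to confirm that decoding the transformed circuit's output matches the plain circuit for all eight (m, x1, x2) assignments, and compare `probe_marginal(0, 0)` with `probe_marginal(1, 0)` to see why a single probed share does not decode. Note that the example only demonstrates correctness and the one-wire case; the AC0 argument of page 24 rests on the parity lower bound and is not something a script can check.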

Page 33: Proof technique: wire simulators

All of our gadgets have shallow wire simulators that are L-leakage indistinguishable from honest evaluation:

(Figure: honest evaluation of a gadget on ā, b̄ producing c̄, next to the wire simulator that is given ā, b̄, c̄ and produces the internal wires; leakage f ∈ L cannot tell them apart.)

Page 34: Wire simulator composability

This property (suitably defined) composes!

If every gadget has a (shallow) wire simulator, then the whole transformed circuit has a (shallow) wire simulator.

Security for 1 round follows easily.

For multiple rounds there is extra work due to the adaptivity of the leakage and inputs.

Page 35: Security proof: bottom line

• Loss in the reduction to leakage-indistinguishability of the encoding scheme: very small.
• Necessary since we prove security against low computational classes.
• This makes the computational-security proof very delicate.

(Figure: Theorem: the reduction from leakage f' on the transformed circuit to leakage f on Enc(b) has overhead depth 2, size O(t^2).)

Page 36: Wire simulators redux

General proof technique. Theorem: if every gadget has (shallow) wire simulators, then the transformation is (almost) as leakage-indistinguishable as the encoding.

Applications:
• Resilience against polynomial-time leakage using public-key encryption.
  – Assumes leak-free GenKey-Decrypt-Compute-Encrypt components.
  – Proof is extremely easy!
• Resilience against noisy leakage [Rabin Vaikuntanathan 2009]
  – Easy alternative proof.
• Theorem for hire!

Page 37: Wire simulators strike again

Nested-composition theorem: can replace each leak-free gate with a gadget of the (based on different gates) if the gadget has a wire simulator that is leakage-indistinguishable.

Example: reduce randomness in the AC0 opaque gate.
• Can be implemented using polylog(t) randomness + PRG. [Nis91]
• Can be implemented shallowly using any polylog(t)-independent source. [Bra09]

Page 38: Summary of (positive) results

• Linear encoding + leakage class which can't decode + leak-free Enc(0) gates
• AC0 / ACC0[q] leakage + leak-free 0-parity gates
• Any encoding + leakage class which can't decode + gadgets with wire sim.
• Noisy leakage + leak-free encoding gates (alt. proof of [RV09])
• Public-key encryption + Gen+Dec+Enc gadgets with wire sim.
• Linear encoding + leakage class which can't decode + Enc(0) gadget with wire sim.

Page 39: Necessity of leak-free components

Theorem: any sound transformation that has wire simulators fooling nontrivial leakage classes requires large leak-free components (they grow with the security parameter, which grows with circuit size).

Intuition: otherwise leakage functions f ∈ L can verify the simulated wire values, and thus force the wire simulator to honestly compute the function. Then shallow circuits (wire simulators) can compute any function computable by polysize circuits!
• Impossible if the simulation (and encoding) are constant-depth.
• More generally, implies unlikely complexity-theoretic collapses, e.g., NC = P/poly.

Conjecture: necessity holds for all circuit transformations which are secure against nontrivial leakage via a black-box reduction to the leakage-indistinguishability of encodings.

Page 40: Conclusions

Achieved:
• New model for side-channel leakage, which allows global leakage of unbounded total size
• Constructions for generic circuit transformation, for example, against all leakage in AC0.
• Partial impossibility results.
• General proof technique + additional applications.

Open problems:
• More leakage classes
• Smaller leak-free components
• Prove/falsify the black-box necessity conjecture
• Circumvent the necessity result (e.g., non-blackbox constructions)

http://eprint.iacr.org/2009/379