Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor


Dec 21, 2015

Page 1: Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor.

Topics in Cryptography

Lecture 8 Side Channels: PKC resilient to key leakage

Lecturer: Moni Naor

Page 2: Recap: Side Channels

• Standard model vs. physical implementation
  – Side channel: any information not captured by the abstract "standard" model
• Timing attacks against secret exponentiation
  – With control on timing
  – Through a network
  – Protection: blinding
• Cache attacks
  – Exploit which addresses are being accessed
  – Countermeasure: Oblivious RAM
• Memory attacks
  – DRAM retains information longer than thought
  – Defines a model: any short function of the key

Page 3: Adversarial Models

STANDARD MODEL: abstract models of computation
• Interactive Turing machines
• Private memory, randomness, ...
• Well-defined adversarial access
• Can model powerful attacks

REAL LIFE: physical implementations leak information
• Adversarial access not always captured by abstract models

(Figure: a device computing E_k(m) while leaking information to the outside.)

Page 4: Thesis of this course

Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks.
Proof by examples...

And not only at implementation time: must incorporate side-channel attacks in the design of systems.

Page 5: Homework

Timing attack of Kocher against RSA.
• Suppose the time of each multiplication involving y is distributed according to a normal distribution
  – with known parameters,
  – independent of everything else!
• Show that this allows figuring out the next bit of the secret exponent, given the first k−1 bits.

Page 6: Basic Timing

(Figure: square-and-multiply loop; one branch "takes a while to compute", the other "is instantaneous".)

Whether an iteration takes a long time depends on the kth bit of the secret exponent.
Old observation: timing depends on the number of 1's.
If all multiplications take the same time, the number of 1's is all you get.

Page 7: Not all multiplications were created equal

• Different timing given the operands
• Assumption/heuristic: timings of subsequent multiplications are independent
  – Given that we know the first k−1 bits of x
  – Given a guess for the kth bit of x
  – The time of the remaining bits is independent
Given a measurement of the total time, one can check whether there is a correlation between the events "kth step is long" and "total time is long".

(Figure: exact timing vs. exact guess.)

Page 8: Outline of Kocher's Attack

• Idea: guess some bits of the exponent
  – Predict how long decryption will take
• If the guess is correct, a correlation will be observed; if incorrect, the prediction will look random
  – The more bits you already know, the stronger the signal, thus the easier to detect (error-correction property)
• Start by guessing a few top bits, look at the correlations for each guess, pick the most promising candidate and continue

Works against systems under direct control.

Page 9: Homework: Oblivious Permutations

Suggest a method for permuting an array obliviously.
• Array M of size n
• The CPU has access to a permutation π on n elements
• At the end of the process the array M should be rearranged according to π:
  – The element that was in M[i] is now in M[π(i)]
• The requirement is: for any two permutations π and π',
  – an eavesdropper that sees the locations accessed cannot distinguish whether the array is permuted according to π or π'

Small (secure) space and time to permute.

Page 10: Model

(Figure: a CPU with a small private memory sends requests q_i to the main memory, which answers with M[q_i].)

Page 11: Oblivious RAM Requirements

Any sequence of locations i1, i2, … induces a distribution on sequences of requests q1, q2, …
• Functionality: should be able to figure out the original content
• Security: for any two sequences of locations i1, i2, … and i'1, i'2, … the induced distributions of requests should be indistinguishable

The homework problem is much more relaxed:
• The order in which elements are accessed is known in advance
• The accesses constitute a permutation

Page 12: Open ended

Ideas/hints:
• Routing permutations in networks
• Sorting networks
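One way to follow the "sorting networks" hint, as an added example that is not part of the lecture: tag every element with its destination π(i) and run a bitonic sorting network over the tags. The network's compare-exchange positions are fixed by n alone, so the eavesdropper's view is the same for every π (assumptions: n is a power of two, and the CPU's private memory holds the two cells of one compare-exchange).

```python
# Added example (not from the lecture): oblivious permutation via a bitonic sorting network.
# Assumptions: n is a power of two, perm is a permutation of range(n), and the CPU's
# private memory holds the two elements of one compare-exchange.

def compare_exchange(mem, i, j, ascending, trace):
    """Read cells i and j, conditionally swap, and ALWAYS write both back, so the
    sequence of accessed locations depends only on (n, i, j), never on the data."""
    a, b = mem[i], mem[j]
    trace.append((i, j))
    if (a[0] > b[0]) == ascending:      # keys are distinct destinations, so no ties
        a, b = b, a
    mem[i], mem[j] = a, b

def bitonic_sort(mem, trace):
    """Standard iterative bitonic sorter: a fixed network of compare-exchanges."""
    n = len(mem)
    k = 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    compare_exchange(mem, i, partner, (i & k) == 0, trace)
            j //= 2
        k *= 2

def oblivious_permute(M, perm):
    """Return (M2, trace) with M2[perm[i]] == M[i]; trace lists the cells touched.
    Each element is tagged with its destination and the tags are sorted by the network."""
    mem = [(perm[i], M[i]) for i in range(len(M))]
    trace = []
    bitonic_sort(mem, trace)
    return [value for _, value in mem], trace

def same_access_pattern(M, perm_a, perm_b):
    """The eavesdropper's view (the trace) is identical for any two permutations."""
    return oblivious_permute(M, perm_a)[1] == oblivious_permute(M, perm_b)[1]
```

The price of obliviousness here is O(n log² n) compare-exchanges with O(1) private memory; routing π through a permutation network (the other hint) trades this for O(n log n) switches but needs the routing computed from π first.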

Page 13: Memory Attacks [HSHCPCFAF 08]

Concern: not only computation leaks information; memory retains its content after power is lost.

(Figure: image remanence in DRAM after 5 seconds, 30 seconds, 60 seconds and 5 minutes.)

http://citp.princeton.edu/memory

Page 14: Model: leakage of any function of the key

Would like to allow the adversary to learn any function of the key.
Cannot withstand learning the full key.
Idea: limit the length of the function.
Would like to withstand as long a leakage as possible.

Page 15: Key-Leakage Attacks

Semantic security with key leakage [AGV 09] (Akavia, Goldwasser and Vaikuntanathan):
for any* leakage f(sk) and for any m0 and m1, it is infeasible to distinguish E_pk(m0) and E_pk(m1).

(Figure: the game.)
  Challenger generates (sk, pk) and sends pk
  Adversary sends f and receives f(sk)
  Adversary sends m0, m1
  Challenger picks b ← {0,1} and sends E_pk(m_b)
  Adversary outputs b'

* Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.

Page 16: Is this the right model?

• Noisy leakage, as opposed to low-bandwidth leakage
• Leakage of intermediate values: are intermediate values always erased?
  – Key generation process
  – Decryption process
• Keys generated using a "weak" random source

Not a perfect model, but still a good starting point. Discuss extensions later on.

Page 17: What We Know

A generic method for protecting against key-leakage attacks
• Main building block: Hash Proof Systems [CS 02]
• Efficient instantiations based on decisional Diffie-Hellman, few exponentiations

Chosen-ciphertext key-leakage attacks
• A generic CPA-to-CCA transformation
• Efficient schemes

Extensions
• Noisy leakage
• Leakage of intermediate values
• Weak random sources

Page 18: Outline of the Talk

• Some tools
• The generic construction by examples
  – A simple scheme: λ ≈ |sk|/2
  – Improved schemes: λ ≈ |sk|
• Extensions of the model
• Conclusions, further work, and some rest...

Page 19: Min-Entropy

Probability distribution X over {0,1}^n:
  H∞(X) = − log max_x Pr[X = x]
Represents the probability of the most likely value of X.
X is a k-source if H∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^−k for all x).

Statistical distance:
  Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|

Page 20: Extractors

Universal procedure for "purifying" an imperfect source.

Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for any k-source X
  Δ(Ext(X, U_d), U_ℓ) ≤ ε

(Figure: EXT takes x, a k-source of length n, and a "seed" s of d random bits, and outputs ℓ almost-uniform bits.)

Page 21: Strong Extractors

Output looks random even after seeing the seed.

Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if
  Ext'(x, s) = s ∘ Ext(x, s)
is a (k, ε)-extractor.

Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.
Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
  – Output length ℓ = k − 2 log(1/ε)
  – Seed length d = 2n; with almost pairwise independence d = O(log n + k)
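The definitions of pages 19 to 21 worked through exhaustively, as an added example that is not part of the lecture: min-entropy, the statistical distance exactly as written on page 19, and the page's ax + b extractor over GF[2^n] with n = 6 (the field polynomial, the constructed 4-source and the output length ℓ = 2 are my choices). The naive "extractor" that keeps the first ℓ bits of x fails on a structured source; the hash, jointly with its seed, stays within the leftover-hash-lemma bound.

```python
import math
from collections import defaultdict

N = 6                    # source length n: strings in {0,1}^6, viewed as elements of GF(2^6)
POLY = 0b1000011         # x^6 + x + 1, irreducible over GF(2), defines GF(2^6) (my choice)

def gf_mul(a, b):
    """Multiply two elements of GF(2^N) (carry-less product reduced mod POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= POLY
    return r

def ext(x, seed, ell):
    """Ext(x, (a, b)) = first ell bits of a*x + b over GF(2^N), as on page 21."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ell)

def min_entropy(dist):
    """H_inf(X) = -log max_x Pr[X = x] for a distribution given as {value: probability}."""
    return -math.log2(max(dist.values()))

def stat_dist(p, q):
    """Statistical distance as written on page 19: sum of |Pr[X=a] - Pr[Y=a]|
    (without the 1/2 normalisation some texts use)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def flat_source(k):
    """Constructed k-source: uniform over the 2^k smallest N-bit strings, so the top
    N-k bits are always zero (structured and far from uniform, but min-entropy k)."""
    return {x: 1.0 / 2 ** k for x in range(2 ** k)}

def truncation_dist(source, ell):
    """Distance from uniform of the naive 'extractor' that keeps the first ell bits of x."""
    out = defaultdict(float)
    for x, px in source.items():
        out[x >> (N - ell)] += px
    return stat_dist(out, {y: 1.0 / 2 ** ell for y in range(2 ** ell)})

def strong_ext_dist(source, ell):
    """Delta((S, Ext(X, S)), (S, U_ell)) for a uniform seed S = (a, b) in GF(2^N)^2:
    the strong-extractor condition of page 21, computed exhaustively over all 2^(2N) seeds.
    All probabilities here are dyadic rationals, so the float sums are exact."""
    seeds = [(a, b) for a in range(2 ** N) for b in range(2 ** N)]
    p_seed = 1.0 / len(seeds)
    out = defaultdict(float)
    for s in seeds:
        for x, px in source.items():
            out[(s, ext(x, s, ell))] += p_seed * px
    uniform = {(s, y): p_seed / 2 ** ell for s in seeds for y in range(2 ** ell)}
    return stat_dist(out, uniform)

if __name__ == "__main__":
    src = flat_source(4)          # k = 4, ell = 2 = k - 2*log(1/eps) with eps = 1/2
    print("H_inf(X) =", min_entropy(src))
    print("keep first 2 bits:", truncation_dist(src, 2))
    print("ax+b extractor  :", strong_ext_dist(src, 2))
```

With the page's (unnormalised) distance, the leftover hash lemma bounds the extractor's distance by sqrt(2^(ℓ−k)) = 1/2 here, while the truncation distance is 3/2.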

Page 22: Sidebar: Weak Key-Leakage Attacks

Semantic security with weak key leakage: for any* leakage f(sk) and for a random pk, for any m0 and m1 it is infeasible to distinguish E_pk(m0) and E_pk(m1).

(Figure: the same game as on page 15, pk; f and f(sk); m0, m1; E_pk(m_b) for b ← {0,1}; output b', except that the leakage function f is chosen without knowledge of pk.)

* Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.

Page 23: What About Weak Attacks?

Leakage depends on the secret key only.
Leakage function chosen by the adversary ahead of time, without any knowledge of the public key.
• Depends only on the properties of the hardware devices used for storing the secret key.

Generic construction transforming any encryption scheme (G, E, D): resilient to any weak leakage of L(1 − o(1)) bits, L the secret key length.
• Parameters:
  – leakage parameter λ
  – m: length of the random string used by the generation algorithm G
• Need: Ext: {0,1}^k × {0,1}^d → {0,1}^m a (k − λ, ε)-strong extractor

Page 24: Generic construction transforming any encryption scheme (G, E, D)

Ext: {0,1}^k × {0,1}^d → {0,1}^m a (k − λ, ε)-strong extractor
• Key generation:
  – Choose x ∈ {0,1}^k and s ∈ {0,1}^d
  – Compute (pk, sk) = G(Ext(x, s))
  – Output PK = (pk, s) and SK = x
• Encryption: choose r uniformly at random and output (E(pk, M; r), s)
• Decryption: ciphertext (c, s), secret key SK = x:
  – Compute (pk, sk) = G(Ext(x, s)) and output D(sk, c)
• Resilient to any weak leakage of L(1 − o(1)) bits: given f(x), the distribution of Ext(x, s) is close to uniform
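The generic construction instantiated, as an added example that is not the lecture's code: the base scheme (G, E, D) is ElGamal in a constructed toy group, and a pairwise-independent hash (a·x + b mod a prime, truncated) stands in for the strong extractor; both are my assumptions. The two things it makes concrete are that the stored secret SK is the raw string x while the seed s travels inside PK, and that G must be deterministic in its random tape so that decryption can re-derive sk.

```python
import secrets

# Constructed toy group (not for real use): quadratic residues mod P = 2039, prime order
# Q = 1019, generated by GEN = 4. The base scheme (G, E, D) is ElGamal in this group.
P, Q, GEN = 2039, 1019, 4
K_BITS, M_BITS = 40, 24           # k = length of the raw key x; m = random bits consumed by G
PRIME = (1 << 61) - 1             # field for the toy extractor's seed (a, b)

def ext(x, s, m_bits):
    """Toy strong extractor (assumption, standing in for the lecture's Ext): the pairwise-
    independent hash x -> a*x + b mod PRIME with seed s = (a, b), truncated to m_bits."""
    a, b = s
    return ((a * x + b) % PRIME) & ((1 << m_bits) - 1)

def base_keygen(rho):
    """G run on the random tape rho: deterministic in rho, since decryption re-runs it."""
    sk = 1 + rho % (Q - 1)
    return pow(GEN, sk, P), sk

def base_enc(pk, msg, r):
    """E(pk, msg; r) for a message that is a group element."""
    return pow(GEN, r, P), (pow(pk, r, P) * msg) % P

def base_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P     # c1^(Q - sk) = c1^(-sk) in a group of order Q

def keygen():
    """PK = (pk, s), SK = x: the stored secret is the raw string x, not the derived sk."""
    x = secrets.randbits(K_BITS)
    s = (secrets.randbelow(PRIME), secrets.randbelow(PRIME))
    pk, _ = base_keygen(ext(x, s, M_BITS))
    return (pk, s), x

def encrypt(PK, msg):
    pk, s = PK
    r = 1 + secrets.randbelow(Q - 1)
    return base_enc(pk, msg, r), s            # the seed is echoed in the ciphertext

def decrypt(SK, C):
    c, s = C
    _, sk = base_keygen(ext(SK, s, M_BITS))   # re-derive sk from x and the seed carried in C
    return base_dec(sk, c)

def roundtrip(msg):
    PK, SK = keygen()
    return decrypt(SK, encrypt(PK, msg))
```
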

Page 25: Decisional Diffie-Hellman

(Figure: Alice sends g^x, Bob sends g^y; both parties compute K = g^xy.)

DDH assumption:
  (g, g^x, g^y, g^xy) ≈_c (g, g^x, g^y, g^z)   for random x, y, z ∈ Z_q
Equivalently:
  (g1, g2, g1^r, g2^r) ≈_c (g1, g2, g1^r1, g2^r2)   for random g1, g2 ∈ G and r, r1, r2 ∈ Z_q

Page 26: Outline of the Lecture (repeated): some tools; the generic construction by examples (a simple scheme: λ ≈ |sk|/2; improved schemes: λ ≈ |sk|); extensions of the model; conclusions, further work, and some rest...

Page 27: A Simple Scheme: Key Generation

G: group of order q; Ext: G × {0,1}^d → {0,1}^ℓ a strong extractor

Key generation:
  Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
  Let h = g1^x1 · g2^x2
  Output sk = (x1, x2) and pk = (g1, g2, h)

MAIN IDEA: redundancy: any pk corresponds to many possible sk's.
h = g1^x1 · g2^x2 reveals only log(q) bits of information on sk = (x1, x2).
Leakage of λ bits ⇒ sk still has min-entropy log(q) − λ.

Page 28: A Simple Scheme: Encryption and Decryption

G: group of order q; Ext: G × {0,1}^d → {0,1}^ℓ a strong extractor

Key generation:
  Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
  Let h = g1^x1 · g2^x2
  Output sk = (x1, x2) and pk = (g1, g2, h)

Enc_pk(m):
  Choose r ∈ Z_q and a seed s ∈ {0,1}^d
  Output (g1^r, g2^r, s, Ext(h^r, s) ⊕ m)

Dec_sk(u1, u2, s, e):
  Output e ⊕ Ext(u1^x1 · u2^x2, s)

Correctness: u1^x1 · u2^x2 = g1^(r·x1) · g2^(r·x2) = (g1^x1 · g2^x2)^r = h^r

Page 29: A Simple Scheme: Security Theorem

Theorem: The scheme is resilient to any leakage of λ ≈ log(q) bits (half the size of sk; more precisely about log(q) − |m|).

Proof by reduction: an adversary for the encryption scheme yields a distinguisher for decisional Diffie-Hellman.

Page 30: A Simple Scheme: Security Theorem

Theorem: The scheme is resilient to any leakage of λ ≈ log(q) bits.

(Figure: the key-leakage game of page 15: pk; f and f(sk); m0, m1; E_pk(m_b) for b ← {0,1}; output b'.)

Page 31: A Simple Scheme: Security Theorem

Theorem: The scheme is resilient to any leakage of λ ≈ log(q) bits.

(Figure: the distinguisher for DDH receives (g1, g2, g1^r1, g2^r2), with either r1 = r2 or r1 ≠ r2, simulates the key-leakage game for the adversary (pk; f and f(sk); m0, m1; E_pk(m_b)), and uses the adversary's output b' to decide which case it is in.)

Page 32: A Simple Scheme: Security Proof

Ciphertext: (g1^r, g2^r, s, Ext(h^r, s) ⊕ m), where h = g1^x1 · g2^x2

Ciphertexts can be generated in two modes:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
The two modes are computationally indistinguishable without knowing sk.

Page 33: A Simple Scheme: Security Proof

Rewrite the ciphertext as (g1^r, g2^r, s, Ext((g1^r)^x1 · (g2^r)^x2, s) ⊕ m), where h = g1^x1 · g2^x2.

Ciphertexts can be generated in two modes:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
The two modes are computationally indistinguishable.

Page 34: A Simple Scheme: Security Proof

Generalized ciphertext: (g1^r1, g2^r2, s, Ext((g1^r1)^x1 · (g2^r2)^x2, s) ⊕ m)
Valid ciphertext: r1 = r2

Ciphertexts can be generated in two modes:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
The two modes are computationally indistinguishable.

Page 35: A Simple Scheme: Security Proof

Generalized ciphertext: (g1^r1, g2^r2, s, Ext((g1^r1)^x1 · (g2^r2)^x2, s) ⊕ m), where h = g1^x1 · g2^x2
Invalid ciphertext: r1 ≠ r2

(g1^r1)^x1 · (g2^r2)^x2 is uniformly distributed given pk and (g1^r1, g2^r2):
writing g2 = g1^w, the public key fixes only
  x1 + w·x2 = log(h)
while the value t = (g1^r1)^x1 · (g2^r2)^x2 fed to Ext satisfies
  r1·x1 + r2·w·x2 = log(t)
and for r1 ≠ r2 these are two independent linear equations in (x1, x2).
Therefore, even given f(sk): min-entropy ≥ log(q) − λ.

Ciphertexts can be generated in two modes:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
The two modes are computationally indistinguishable.

Page 36: Proof of Security

(Figure: the reduction.) The DDH distinguisher receives (g1, g2, u1, u2) and simulates the key-leakage game:
  sk = (x1, x2), pk = (g1, g2, g1^x1 · g2^x2), pk sent to the adversary
  f from the adversary, f(sk) back
  m0, m1 from the adversary
  challenge: u1, u2, s, Ext(u1^x1 · u2^x2, s) ⊕ m_b
  adversary outputs b'; if b' = b output "r1 = r2", otherwise "r1 ≠ r2"

Case 1: u1 = g1^r and u2 = g2^r. The simulation is identical to the actual attack: Pr[b' = b] = 1/2 + ε.
Case 2: u1 = g1^r1 and u2 = g2^r2 with r1 ≠ r2. The challenge is independent of b: Pr[b' = b] = 1/2.
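The simple scheme of pages 27 and 28 together with the redundancy argument of pages 27 and 35, as an added toy implementation that is not the lecture's code. Assumptions are mine: a constructed group of prime order 1019 (small enough to brute-force discrete logs, which is how the second secret key consistent with the same pk is built here), and a pairwise-independent hash standing in for Ext. Valid ciphertexts decrypt identically under both secret keys; an invalid one (r1 ≠ r2) decapsulates to different group elements, which is the information-theoretic step of the proof.

```python
import secrets

# Constructed toy parameters (not for real use): G = quadratic residues mod P = 2039, a group
# of prime order Q = 1019. Ext is a toy pairwise-independent hash (a*h + b mod PRIME, truncated
# to ELL bits), an assumption standing in for the lecture's Ext; plaintexts are ELL-bit integers.
P, Q, ELL, PRIME = 2039, 1019, 8, 65537

def rand_group_elem():
    while True:
        g = pow(2 + secrets.randbelow(P - 3), 2, P)   # squares form the order-Q subgroup
        if g != 1:
            return g

def rand_seed():
    return (secrets.randbelow(PRIME), secrets.randbelow(PRIME))

def ext(h, s):
    a, b = s
    return ((a * h + b) % PRIME) & ((1 << ELL) - 1)

def keygen():
    g1, g2 = rand_group_elem(), rand_group_elem()
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (g1, g2, h), (x1, x2)

def encapsulate(pk, r1, r2):
    """(g1^r1, g2^r2): a valid ciphertext has r1 == r2, an invalid one r1 != r2."""
    g1, g2, _ = pk
    return pow(g1, r1, P), pow(g2, r2, P)

def decap_elem(sk, u1, u2):
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P   # the element fed to Ext; equals h^r if valid

def encrypt(pk, m):
    r, s = secrets.randbelow(Q), rand_seed()
    u1, u2 = encapsulate(pk, r, r)
    return u1, u2, s, ext(pow(pk[2], r, P), s) ^ m

def decrypt(sk, ct):
    u1, u2, s, e = ct
    return e ^ ext(decap_elem(sk, u1, u2), s)

def dlog(base, target):
    """Brute-force discrete log: feasible only because the toy group is tiny."""
    v = 1
    for e in range(Q):
        if v == target:
            return e
        v = v * base % P
    raise ValueError("target not in the subgroup")

def alternative_secret_key(pk, sk):
    """Another (x1', x2') with the same pk: with g2 = g1^w, pk fixes only x1 + w*x2 = log(h)."""
    g1, g2, h = pk
    x1, x2 = sk
    w = dlog(g1, g2)
    return (x1 - w) % Q, (x2 + 1) % Q

def two_modes(m=0xA5):
    """Valid ciphertexts agree under both keys; an invalid one separates them (page 35)."""
    pk, sk = keygen()
    sk2 = alternative_secret_key(pk, sk)
    g1, g2, h = pk
    same_pk = pow(g1, sk2[0], P) * pow(g2, sk2[1], P) % P == h
    ct = encrypt(pk, m)
    valid_ok = decrypt(sk, ct) == m and decrypt(sk2, ct) == m
    r1 = secrets.randbelow(Q)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q         # guaranteed r2 != r1
    u1, u2 = encapsulate(pk, r1, r2)
    invalid_differs = decap_elem(sk, u1, u2) != decap_elem(sk2, u1, u2)
    return {"same_pk": same_pk, "valid_ok": valid_ok, "invalid_differs": invalid_differs}
```
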

Page 37: Hash Proof Systems

Ciphertexts can be generated in two modes:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
The two modes are computationally indistinguishable.

The previous scheme relies on a specific HPS (many technical details...).

Known instantiations: decisional Diffie-Hellman; linear family (bilinear groups); quadratic residuosity; composite residuosity (Paillier).

Page 38: Hash Proof Systems

Ciphertexts can be generated in two modes (valid: plaintext can be recovered, knowing sk; invalid: no information on plaintext, given pk), and the modes are computationally indistinguishable.

The previous scheme relies on a specific HPS (many technical details...).

Our general construction: HPS + randomness extraction ⇒ key-encapsulation mechanism resilient to key leakage.

Page 39: Outline of the Talk (repeated): some tools; the generic construction by examples (a simple scheme: λ ≈ |sk|/2; improved schemes: λ ≈ |sk|); extensions of the model; conclusions, further work, and some rest...

Page 40: An Improved Scheme

G: group of order q

Notation: for (x1, ..., xn) ∈ Z_q^n and (g1, ..., gn) ∈ G^n,
  (x1, ..., xn) · (g1, ..., gn)^T = Π_{i=1}^{n} g_i^{x_i}

Page 41: An Improved Scheme

G: group of order q; Ext: G^(n−k) × {0,1}^d → {0,1}^ℓ a strong extractor

Key generation:
  Choose A ∈ G^(k×n) and x ∈ Z_q^n
  Let y = Ax
  Output sk = x and pk = (A, y)

Enc_pk(m):
  Choose R ∈ Z_q^((n−k)×k) and a seed s ∈ {0,1}^d
  Output (RA, s, Ext(Ry, s) ⊕ m)

Dec_sk(Q, s, e):
  Output e ⊕ Ext(Qx, s)

Original scheme: k = 1, n = 2.

Page 42: An Improved Scheme

Theorem: The scheme is resilient to any leakage of length λ ≈ (1 − k/n)|sk|, i.e., a 1 − o(1) fraction of |sk|.

Based on the hardness of k-Linear [BBS 04]:
• 1-Linear = DDH
• k-Linear is hard ⇒ (k+1)-Linear is hard
• k-Linear is easy ⇏ (k+1)-Linear is easy (in generic groups)

A new hash proof system: optimizes the ratio between secret key and encapsulated key.

Page 43: An Improved Scheme

We show that k-Linear implies the indistinguishability of:
• a random P ∈ G^(n×n) of rank k
• a random P ∈ G^(n×n) of rank n
(rank computed in Z_q^(n×n) relative to a fixed generator g ∈ G)

In the simplified scheme:
  ( g1      g2    )
  ( g1^r1   g2^r2 )
has rank 1 if r1 = r2 and rank 2 if r1 ≠ r2.

[BHHO 08] proved the case k = 1. Proof similar to the simplified scheme.

Page 44: The Long Scheme

Originally proposed by [BHHO 08] as a "circular-secure" scheme; fits into our generic construction.

Key generation:
  Choose g1, ..., gk ∈ G and s1, ..., sk ∈ {0,1}
  Let h = g1^s1 ··· gk^sk
  Output sk = (s1, ..., sk) and pk = (g1, ..., gk, h)

Enc_pk(m):
  Choose r ∈ Z_q
  Output (g1^r, ..., gk^r, h^r · m)

Dec_sk(u1, ..., uk, e):
  Output e · (u1^s1 · u2^s2 ··· uk^sk)^−1

"Built-in" extractor: k ≈ λ + 2 log(q).

Page 45: Proof: a natural extractor

DDH implies the computational indistinguishability of:
• g1^r, ..., gk^r for random r
• g1^r1, ..., gk^rk for random r1, r2, …, rk

(Figure: the reduction.) The distinguisher receives (g1, …, gk, u1, …, uk) and simulates the game:
  sk = (s1, …, sk), pk = (g1, …, gk, g1^s1 · g2^s2 ··· gk^sk)
  f from the adversary, f(sk) back; then m0, m1
  challenge: u1, …, uk, (u1^s1 ··· uk^sk) · m_b
  if b' = b output "equal r", otherwise "not equal r's"

Case 1: ui = gi^r. Case 2: ui = gi^ri.

Page 46: Security of Scheme

DDH implies the computational indistinguishability of:
• g1^r, ..., gk^r for random r
• g1^r1, ..., gk^rk for random r1, r2, …, rk

Want to argue that if g1^r1, ..., gk^rk is used, then there is no information about the message m.

The adversary knows: h = g1^s1 ··· gk^sk and u1 = g1^r1, u2 = g2^r2, ..., uk = gk^rk.
Gets, instead of h^r · m_b: (u1^s1 · u2^s2 ··· uk^sk) · m_b = g1^(r1·s1) ··· gk^(rk·sk) · m_b.
Writing gi = g1^wi, this is information on Σ_{i=1}^{k} w_i r_i s_i.

Fact: the family {(s1, …, sk) ↦ Σ_{i=1}^{k} w_i r_i s_i}, indexed by r1, r2, …, rk, is pairwise independent.
• Can apply the leftover hash lemma!

Page 47: Circular Secure Encryption

Several public keys (pk1, sk1), (pk2, sk2), …, (pkk, skk).
Goal: want to be able to reconstruct all keys from one. Provide
  E_pk1(sk2), E_pk1(sk3), …, E_pk1(skk)
  E_pk2(sk1), E_pk2(sk3), …, E_pk2(skk)
  …
Is it secure? There are cycles… No known example of insecurity! BHHO: first proof of resiliency.

Page 48: Chosen Ciphertext Attacks

• How to define?
• When does the leakage take place?
• How to define CCA2?

What is known:
• The general technique for obtaining CCA is still applicable
• Can get 1 − o(1) leakage
• Specific schemes with a constant fraction of leakage

Page 49: Recall: NIZK

For a full specification need to clarify:
• When is x chosen, before or after the common random string?
  – Adaptive
• What does the simulator get?
• Does soundness need to hold given a simulated common random string?
  – Cannot hold for a simulated string in general (the simulator can prove a false statement)
  – Simulation soundness

For NP: can be based on the existence of trapdoor permutations with some structure (relevant for soundness and zk).

Page 50: Achieving resistance to CCA with NIZK

• Two independent keys of some "good" PKC: KP1 and KP2
• A public random string for NIZK of the language {(KP1, KP2, C1, C2) | C1 and C2 encrypt the same message}
• To encrypt message m: generate ciphertexts C1 and C2 and add a proof of consistency
  – Ciphertext: C1, C2, and the proof
• To decrypt:
  – Verify the proof, and then
  – Decrypt only if the ciphertexts passed the consistency check

(Figure: ciphertext layout C1 | C2 | proof of consistency.)

Important point: may decrypt with two different private keys.

Page 51: Outline of the Lecture (repeated): some tools; the generic construction by examples (a simple scheme: λ ≈ |sk|/2; improved schemes: λ ≈ |sk|); extensions of the model; conclusions, further work, and some rest...

Page 52: Extensions

Noisy leakage: leakage not necessarily of bounded length; require
  H∞(sk | pk, leakage) > H∞(sk | pk) − λ

Leakage of intermediate values, key generation: once the keys are generated, are all intermediate values erased? Leakage depends on the random bits used for generating the keys. Crucial for security under composition.

Hard-to-invert leakage (Tauman-Kalai and Vaikuntanathan): the BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert.

Page 53: Extensions

Weak random source: keys generated using a low-entropy, adversarially chosen source.

Key generation (as before):
  Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
  Let h = g1^x1 · g2^x2
  Output sk = (x1, x2) and pk = (g1, g2, h)

(g1, g2) chosen once and shared by all users. Only need H∞(x1, x2 | g1, g2) ≈ log(q) + |plaintext|.

Page 54: Extensions

Leakage of intermediate values, decryption.
Contrived example: first encode sk using a good error-correcting code, then decrypt. Not so contrived...

Dec_sk(u1, ..., uk, e): output e · (u1^s1 ··· uk^sk)^−1
Decryption has "low bandwidth": only O(log q) bits at any point in time; sk = (s1, ..., sk) can be much larger.

Page 55: Conclusions

Must incorporate side-channel attacks in the design of systems. Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks.

Open questions:
• Leakage-resilient encryption from general assumptions?
• Dealing with "iterative"/continual leakage and refreshed keys? As in leakage-resilient stream ciphers [DP08, P09]
• Other primitives? Other side channels?
• A falsifiable hardware assumption?

Page 56: Conclusions

Can leverage the physical world!!
• Visual cryptography [NS94]
• Timing for concurrent composition [DNS98]
• Authentication: low-bandwidth human channel [NSS06]
• Tamper-evident seals (scratch-off cards) [MN06]
• Randomized response
• Secure computation using tamper-proof hardware [Katz07, MS08]
• Human competitive nature and love of games [HN09]
• Voting