protecting circuits from computationally-bounded leakage
DESCRIPTION
Crypto in the Cloud workshop, MIT August 4, 2009. Protecting Circuits from Computationally-Bounded Leakage. Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University. Motivation. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/1.jpg)
Protecting Circuits fromComputationally-Bounded Leakage
Eran Tromer MIT
Joint work withSebastian Faust K.U. Leuven
Leo Reyzin Boston University
Crypto in the Cloud workshop, MITAugust 4, 2009
![Page 2: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/2.jpg)
2
Motivation
The great tragedy of Crypto –the slaying of a provably secure schemeby an ugly side channel.
![Page 3: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/3.jpg)
3
Engineering approach
Try preventing leakage.
Imagine a list of all known side channel attacks all new attacks during the
device's lifetime.
Good luck.
![Page 4: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/4.jpg)
4
Cryptographic approach
Face the music: computational devices are not black-box.
Leakage is a given, i.e., modeled by an adversarial observer. The device shouldprotect itself against it.
![Page 5: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/5.jpg)
5
Cryptographic Machinery
Standard toolbox against polynomial-time adversaries (obfuscation, oblivious RAM, fully-homomorphic encryption). Minimize assumptions on adversary's power. Looks hard/impossible/expensive to realize. Worth exploring!
New tools for a new settingModel the leakage more finely
What leaksHow much leaksHow is the leakage chosen
Devise ways to make specific functionality, or even arbitrary circuits, resilient to such leakage.
![Page 6: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/6.jpg)
Related WorkRelated Work
[CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms[ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks[MR04]: Micali, Reyzin: Physically Observable Cryptography[GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs[DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model[Pie09]: Pietrzak: A leakage-resilient mode of operation[AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks [ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model[FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures[DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input[SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks...
![Page 7: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/7.jpg)
7
M
X Y
Any boolean circuitCircuit transformation
Transformed circuitt-wire
prob
ing
Y
'M
X
black
-box
indistinguishable
[Ishai Sahai Wagner ’03]
![Page 8: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/8.jpg)
8
Our goal
Allow much stronger leakage.
In particular, don’t assume spatial locality
• t wires
[ISW03]• “Only computation leaks information”
[MR04][DP08][Pie09][FKPR09]
DRAM
![Page 9: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/9.jpg)
9
Our main construction
A transformation that makes any circuit resilient against
• Global adaptive leakageMay depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary.
• Arbitrary total leakage Bounded just per observation.
[DP08]
But we must assume something:• Leakage function is computationally weak
[MR04]
• A simple leak-free component
[MR04]
![Page 10: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/10.jpg)
10
“antennas are dumb”
computationally weak
can be powerful
Computationally-weak leakage
![Page 11: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/11.jpg)
11
Leak-free components
DRAM
• Secure memory[MR04][DP08][Pie09][FKPR09]
• Secure processor [G89][GO95]
• Here: simple component that samples from a fixed distribution, e.g:securely draw strings with parity 0.
• No stored secrets or state• No input
→ consumable leak-free “tape roll”
• Large leak-free components may be necessary in this model (more later)
• Can be relaxed
![Page 12: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/12.jpg)
12
1. Computation model2. Security model3. Circuit transformation4. Proof approach5. Extensions6. Necessity of leak-free components
Rest of this talk
![Page 13: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/13.jpg)
13
Original circuit
Original circuit C of arbitrary functionality (e.g., crypto algorithms). Computes over a finite field K.Example: AES encryption with secret key M.
C[M]
X Y
![Page 14: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/14.jpg)
14
Allowed gates in C:
● +
$
M C
1
Multiply in K: Add in K:
Coin: Const:
Copy:Memory:
(Boolean circuits are easily implemented.)
Original circuit
![Page 15: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/15.jpg)
15
C’[M’]
X Y
Same underlying gates as in C, plus opaque gate (later).Soundness: For any X,M: C[M](X) = C‘[M‘](X)
Transformed state
Transformed circuit [IW03]
![Page 16: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/16.jpg)
16
XM
Model: single observation in leakage class L
YLf
wires
f(wires)
![Page 17: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/17.jpg)
17
X0
f0 ∈L
Y0
f0(wires0)
M’1 M’2 M’3Refreshed state Refreshed state
refresh state allows total leakage to be large!
Model: adaptive observations
X1
f1 ∈L
Y1
f1(wires1)
X2
f2 ∈L
Y2
f2(wires2)
![Page 18: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/18.jpg)
18
Simulation:Mi
statistical
Real:M’i
indistinguishable
Model: L-secure transformation
Adversary learns no more than by black-box access:
Xifi ∈L
Yifi (wiresi)
Xi Yi
![Page 19: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/19.jpg)
19
M M
Problem: Adversary learns one bit of the stateSolution: Share each value over many wires [ISW03, generalized]
Every value encoded by a linear secret sharing scheme (Enc,Dec)with security parameter t:
Motivating example
Identity 1-bit-output
Enc: K Kt (probabilistic)
Dec: Kt K (surjective, linear function)
![Page 20: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/20.jpg)
20
b {0,1}
Enc(x0) Enc(x1)
Pr[b‘ = b] - ½ ≤ negl
For all x0,x1 K:(Enc,Dec) is L-leakage-indistinguishable:
b‘
Leakage: L-leakage-indistinguishability
))(Enc( bxfLf
Consequence:
Leakage functions in L cannot decode
![Page 21: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/21.jpg)
21
For any linear encoding scheme that isL-leakage indistinguishable
we present an L -secure transformationfor any circuit and state
f’fL
Simple functions
Thm: transformed circuit can tolerate these leakage functions
Assumption: encoding can tolerate these leakage functions
L’
Main construction
‘
![Page 22: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/22.jpg)
22
f ’
?
Enc(x)
f ’?
f
Parity
Some known circuit lower bounds imply L-leakage-indistinguishability
hard for AC0
AC0
depth: 2 size: O(t2)
Theorem
AC0
const depth and poly size circuits
Unconditional resilience against AC0 leakage
![Page 23: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/23.jpg)
23
C[M] C ’[M’
]
Transformation: high level
• The state is encoded: M ’ = Enc(M)
• Circuit topology is preserved
• Every wire is encoded
• Inputs are encoded; outputs are decoded
• Every gate is converted into a gadget operating on encodings
![Page 24: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/24.jpg)
24
+
.......
.......)(Enc aa
)(Enc bb
)(Dec aa
)(Dec bb
c )(Enc cc
c
f(wires)
Easy to attack
Notation: )(Enc xx
Computing on encodingsfirst attempt
![Page 25: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/25.jpg)
25
+
.......
.......
)(Enc aa
)(Enc bb
1a
c
+
....
1b
tbta
1c
tc
f(wires)???
Works well for a single gate... but does not compose.Exponential security loss (for AC0).
Computing on encodingssecond attempt – use linearity
![Page 26: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/26.jpg)
26
MX
Y
Since f can verify arbitrary gates in circuit, wires must be consistent with X and Y. M
Y
..............
....
f(wires)XProblem: simulator does not
know state MSolution: to fool the adversary, introducenon-verifiable atomic gate.
X, f
Y, f (wires)
Intuition: wire simulation
![Page 27: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/27.jpg)
27
Fool adversary:gate is non-verifiable by functions in L.
Opaque gate: Enc(0)
• Samples from a fixed distribution.
• No inputs
• Can be realized by a leak-free “consumable tape“
Opaque gate
![Page 28: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/28.jpg)
28
Wire’s simulator advantage:can change output of opaque without getting noticed(L-leakage-indistinguishable)
Using the opaque gate
Full transformationfor gate:+
a
b oba
)(
???
c c
Lf
a
bEnc(0)
cba ,,So we can simulate this independentof all others gates
![Page 29: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/29.jpg)
29
Other gates• Similar transformation for other gates.• The challenging case is the non-linear gate,
field multiplication. Hard to make leak-resilient; standard MPC doesn’t work.Trick: give wire simulator enough degrees of freedom.
a
b
Enc(0)a
b
jiba
Enc(0)Enc(0)
+Dec
Dec
Dec
Enc(0)
+qo
B S
c
![Page 30: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/30.jpg)
30
All of our gadgets have shallow wire simulators that areL-leakage indistinguishable from honest:
Proof technique:wire simulators
Honest evaluation
???
Lf
a
b c
ca
b
![Page 31: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/31.jpg)
31
This property (suitably defined)
composes!
If every gadgethas a (shallow) wire simulator
then the whole transformed circuithas a (shallow) wire simulator.
Wire simulator composability
Security for single round follows easily.
For multiple rounds there’s extra work due to adaptivity of the leakage and inputs.
![Page 32: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/32.jpg)
32
• Loss in the reduction to leakage-indistinguishabilityof the encoding scheme: very small.
• Necessary since we prove security againstlow computational classes.
• This makes the computational-security proof very delicate.
Security proof: bottom line
f ’
?
Enc(b)
f ’?
f depth: 2
size: O(t2)Theorem
![Page 33: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/33.jpg)
33
General proof technique. Theorem:
If every gadget has (shallow) wire simulators, then the transformation is (almost) as leakage-indistinguishable as the encoding.
Applications:• Resilience against polynomial-time leakage using public-key
encryption.– Assumes leak-free GenKey-Decrypt-Compute-Encrypt components.– Proof is extremely easy!
• Resilience against noisy leakage [Rabin Vaikuntanathan 2009]
– Easy alternative proof.
• Theorem for hire!
Wire simulators redux
![Page 34: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/34.jpg)
34
Nested-composition theorem: Can replace each leak-free gate with a gadget of the same I/O functionality (based on different gates), if the gadget has a wire simulator that is leakage-indistinguishable.
Example: reduce randomness in the AC0 opaque gate.• Can be implemented using
polylog(t) randomness + PRG. [Nis91]
• Can be implemented shallowly using any polylog(t)-independent source. [Bra09]
Wire simulators strike again
![Page 35: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/35.jpg)
35
Summary of (positive) results
Linear encoding +leakage class
which can’t decode +leak-free Enc(0) gates
AC0 / ACC0[q] leakage +leak-free 0-parity gates
Any encoding +leakage class
which can’t decode +gadgets with wire sim.
Noisy leakage +leak-free encoding gates
(alt. proof of [RV09])
Public-key encryption + Gen+Dec+Enc
gadgets with wire sim.
Linear encoding +leakage class
which can’t decode +Enc(0) gadget with wire sim.
![Page 36: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/36.jpg)
36
Theorem: any sound transformation that has wire simulators fooling nontrivial leakage classes requires large leak-free components(grow with security parameter, which grows with circuit size).
Necessity of leak-free components
Intuition: otherwise leakage functions fL can verify the simulated wire values, and thus force the wire simulator to honestly compute the function.
Then shallow circuits (wire simulators) can computeany function computable by polysize circuits!• Impossible if the simulation (and encoding) are constant-depth.
• More generally, implies unlikely complexity-theoretic collapses, e.g, NC=P/poly.Conjecture: necessity holds for all circuit transformations which are secure against nontrivial leakage via a black-box reduction to the leakage-indistignuishability of encodings.
![Page 37: Protecting Circuits from Computationally-Bounded Leakage](https://reader035.vdocuments.us/reader035/viewer/2022081520/5681558c550346895dc362bc/html5/thumbnails/37.jpg)
37
Achieved• New model for side-channel leakage, which allows global leakage of
unbounded total size
• Constructions for generic circuit transformation,for example, against all leakage in AC0.
• Partial impossibility results.
• General proof technique + additional applications.
Open problems• More leakage classes
• Smaller leak-free components
• Proof/falsify black-box necessity conjecture
• Circumvent necessity result (e.g., non-blackbox constructions)
Conclusions
http://eprint.iacr.org/2009/341