protecting circuits from leakage sebastian faust @ rome la sapienza, january 18, 2009 joint work...
TRANSCRIPT
Protecting Circuits from Leakage
Sebastian Faust
@ Rome La Sapienza, January 18, 2009
Joint work with
KU Leuven
Tal RabinLeo ReyzinEran TromerVinod Vaikuntanathan
IBM Research
Boston University
MIT
IBM Research
Beautiful Theory…
3. Prove that no adversary exists
1. Adversarial Model
2. Security Definition
3
The Ugly Reality
electromagnetic acoustic
probing
cache
optical
power
4
Motivation
Many provably secure
cryptosystems can be broken by
side-channel attacks
5
Engineering approach
Ad-hoc countermeasures typically tailored to defeat specific attacks
But security only if protection against all known side channel attacks all new attacks during the
device's lifetime.
6
Cryptographic approach
Face the music: computational devices are not black-box.
Cryptosystem should protect already at algorithmic-level against side-channel attacks
Prove security against well-defined class of resource-bounded adversaries
Related Work
[CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms
[ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks
[MR04]: Micali, Reyzin: Physically Observable Cryptography
[GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs
[DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model
[Pie09]: Pietrzak: A leakage-resilient mode of operation
[AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks
[ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model
[FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures
[DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input
[SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks
...
8
M
X Y
Any boolean circuitCircuit transformation
Transformed circuitt-wire
prob
ing
Y
'M
X
blac
k-bo
x
indistinguishable
[Ishai Sahai Wagner ’03]
9
Our goal
Allow much stronger leakage.
10
Our main construction
A transformation that makes any circuit resilient against
• Global adaptive leakageMay depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary.
• Arbitrary total leakage Bounded just per observation.
[DP08]
But we must assume something:• Leakage function is computationally weak
[MR04]
• A simple leak-free component
[MR04]
11
“antennas are dumb”
computationally weak
can be powerful
Computationally-weak leakage
Assumption: the observed leakage is a computationally-weak functionof the device’s internal wires.
12
Secure against global leakage
We do not assume spatial locality, such as:
• t wires
[ISW03]• “Only computation leaks information”
[MR04][DP08][Pie09][FKPR09]
13
Leak-free components
• Secure memory[GKR08]
• Secure processor [G89][GO95]
• Here: simple component that samples from a fixed distribution, e.g:securely draw strings with parity 0.
• No stored secrets or state• No input, so can be precomputed
• Can be relaxed
14
1. Computation model
2. Security model
3. Circuit transformation
4. Proof approach
5. Extensions
Rest of this talk
15
Original circuit
Original circuit C of arbitrary functionality(e.g., crypto algorithms), with state M,over a finite field K.Example: AES encryption with secret key M.
C[M]
X Y
16
Allowed gates in C:
● +
$
M C
1
Multiply in K: Add in K:
Coin: Const:
Copy:Memory:
(Boolean circuits are easily implemented.)
Original circuit
17
Transformed circuit
C ’[M ’]
X Y
Same underlying gates as in C, plus opaque gate (later).
Soundness: for any X,M: C[M](X) = C ‘[M ‘](X)
Transformed state
18
XM
Model: single observation in leakage class L
Y
Lf wires
f(wires)
19
X0
f0 ∈L
Y0
f0(wires0)
M’1 M’2 M’3Refreshed state Refreshed state
refresh state allows total leakage to grow
Model: adaptive observations
X1
f1 ∈L
Y1
f1(wires1)
X2
f2 ∈L
Y2
f2(wires2)
20
Simulation: Real:M’i
indistinguishable
Model: L-secure transformation
Adversary learns no more than by black-box access:
Xi
fi ∈L
Yi
fi (wiresi)
Actual definition little bit more complicated
Simulation:Mi
Xi Yi
21
M M
Problem: Adversary learns one bit of the state
Solution: Share each value over many wires [ISW03, generalized]
Every value encoded by a linear secret sharing scheme (Enc,Dec)with security parameter t:
Motivating example
1-wire probing
Enc: K Kt (probabilistic)
Dec: Kt K (surjective linear function)
22
b R {0,1}
x0
Pr[b‘ = b] - ½ ≤ negl
for all x0,x1 K:
(Enc,Dec) is L-leakage-indistinguishable if
b‘
Leakage: L-leakage-indistinguishability
))(Enc( bxfLf
Consequence:
Leakage functions in L cannot decode
Enc(xb)
x1
23
For any linear encoding scheme that isL-leakage indistinguishable
we present an L -secure transformationfor any circuit and state
f’fL
Simple functions
Thm: transformed circuit can tolerate these leakage functions
Assumption: encoding can tolerate these leakage functions
L’
Main construction
‘
24
f ’
?
Enc(x)
f ’ AC0
?
f AC0
DecParity
Some known circuit lower bounds imply L-leakage-indistinguishability of encodings
hard for AC0
depth: 2 size: O(t2)
Theorem
const depth and poly size circuits
Unconditional resilience against AC0 leakage
Is this practical?
Not really…
• AC0 not very realistic class of leakage functions
• sec parameter t has to be large (blow up ≈t2)
But…
• AC0 can approximate hamming weight
• Very powerful adversary (adaptive, statistical security)
• Make reasonable assumption on power of leakage functions (very important future work!)
26
C[M] C ’[M’]
Transformation: high level
• The state is encoded: M ’ = Enc(M)
• Circuit topology is preserved
• Every wire is encoded
• Inputs are encoded; outputs are decoded
• Every gate is converted into a gadget operating on encodings
27
+
)(Enc aa
)(Enc bb
)(Dec aa
)(Dec bb
c )(Enc cc
c
f(wires)
Easy to attack
Notation: )(Enc xx
Computing on encodingsfirst attempt
28
+1a
+
1b
tbta
1c
tc
f(wires)???
Works well for a single gate... but does not compose.Exponential security loss (for AC0).
Computing on encodingssecond attempt – use linearity
)(Enc aa
)(Enc bb c
29
MX
Y
Since f can verify arbitrary gates in circuit, wires must be consistent with X and Y.Problem: simulator does not know the state M, so hard to simulate internal wires!
Solution: to fool the adversary, introduce a non-verifiable atomic gate.
X, f
Y, f (wires)
Intuition: wire simulation
M Y
f
Xwires
30
Fool adversary:gate is non-verifiable by functions in L.
Opaque gate: Enc(0)
• Samples from a fixed distribution.
• No inputs
Opaque gate
31
Wire simulator’s advantage:can change output of opaque without getting noticed(L-leakage-indistinguishable)
Using the opaque gate
Full transformationfor gate:+
a
b oba
)(
???
c
c
Lf
a
bEnc(0)
cba
,,So can simulate
this gate independentof all others gates.
32
Other gates
• Similar transformation for other gates.• The challenging case is the non-linear gate: multiplication.
Hard to make leak-resilient; standard MPC doesn’t work.Trick: give wire simulator enough degrees of freedom.
a
b
Enc(0)a
b
jiba
Enc(0)Enc(0)
+
Dec
Dec
Dec
Enc(0)
+qo
B S
c
33
This property (suitably defined)
composes!
If every gadgethas a (shallow) wire simulator
then the whole transformed circuithas a (shallow) wire simulator.
Wire simulator composability
Security for 1 round follows easily.
For multiple rounds there’s extra work due to adaptivity of the leakage and inputs.
34
Summary of (positive) results
Linear encoding +leakage class
which can’t decode +leak-free Enc(0) gates
AC0 / ACC0[q] leakage +leak-free 0-parity gates
Any encoding +leakage class
which can’t decode +leak-free gates (relaxed)
Noisy leakage +leak-free encoding gates
Public-key encryption + Gen+Dec+Enc
gadgets
35
Achieved
• New model for side-channel leakage, which allows global leakage ofunbounded total size
• Constructions for generic circuit transformation,for example, against all leakage in AC0 or noisy leakages.
• General proof technique + several additional applications.
Open problems
• More leakage classes: find a reasonable assumption on the power of leakage functions!
• Smaller leak-free components
• Proof/falsify black-box necessity conjecture
• Circumvent necessity result (e.g., non-blackbox constructions)
Conclusions
http://eprint.iacr.org/2009/379