randomness complexity of private circuits for...
TRANSCRIPT
Randomness Complexity of
Private Circuits for Multiplication
Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue,
Emmanuel Prouff, Adrian Thillard, Damien Vergnaud
brief introduction
- side-channel attacks
- masking
- 𝑑-probing model
1/16
key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.
𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑
2/16
key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.
𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑
needs for a lot of randomness
2/16
randomness in cryptography
used everywhere:
- keys
- RSA prime factors
- ...
3/16
randomness in cryptography
used everywhere:
- keys
- RSA prime factors
- ...
strong properties:
- statistically random
- uniformly distributed
- independent
- ...
3/16
where does it come from?
4/16
where does it come from?
in the real world: natural randomness
4/16
where does it come from?
in the real world: natural randomness
in practice:
- need special hardware
- slow
- bias or uneven distribution
4/16
where does it come from?
in the real world: natural randomness
in practice:
- need special hardware
- slow
- bias or uneven distribution
randomness should beconsidered as a resource,
like space and time
4/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑛′ 0,1 𝑚′
𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝐶 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑛′ 0,1 𝑚′
𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑚′
𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
0,1 𝑛′
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
0,1 𝑚′
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝑪 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
⊕𝑖 𝑐𝑖 = 𝑎 ⋅ 𝑏
⊕𝑖 𝑎𝑖 = 𝑎
⊕𝑖 𝑏𝑖 = 𝑏
encoder circuit decoder
𝑟1…
𝑟2 𝑟𝑅
𝑎, 𝑏 ∈ 0,1 2 ↦ 𝑎 ⋅ 𝑏 ∈ 0,1
this paper
6/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
𝑟1…
𝑟2 𝑟𝑅
6/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
𝑟1…
𝑟2 𝑟𝑅
how much randomness is needed?
6/16
Ishai-Sahai-Wagner scheme
𝑎0𝑏0𝑟0,1
𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1
⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0
𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮
𝑟0,𝑑−1𝑟0,𝑑
𝑟1,𝑑−1𝑟1,𝑑
⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑐0𝑐1
⋮𝑐𝑑−1𝑐𝑑
7/16
Ishai-Sahai-Wagner scheme
randomness complexity: 𝑑(𝑑 + 1)/2
𝑎0𝑏0𝑟0,1
𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1
⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0
𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮
𝑟0,𝑑−1𝑟0,𝑑
𝑟1,𝑑−1𝑟1,𝑑
⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑐0𝑐1
⋮𝑐𝑑−1𝑐𝑑
7/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑟1…
𝑟2 𝑟𝑅
8/16
.
.
.
𝑐0𝑐1
𝑐𝑑
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑟1…
𝑟2 𝑟𝑅
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
8/16
.
.
.
𝑐0𝑐1
𝑐𝑑
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟
with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,
𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅
8/16
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟
with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,
𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅
any sum of probes has the form:
Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 ⊕ Ԧ𝑠𝑡 ⋅ Ԧ𝑟
8/16
algebraic characterization
condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and 1,… , 1 is in the row (or column) space of 𝑀
9/16
algebraic characterization
condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and 1,… , 1 is in the row (or column) space of 𝑀
theorem:𝐶 is 𝑑-private
⇔there does not exist 𝑃 = 𝑝1, … , 𝑝ℓ , ℓ ≤ 𝑑 that satisfies condition 1
9/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎
⇐ a lot more technical...
10/16
upper bound
11/16
upper bound
theorem:there exists a 𝑑-private circuit for multiplication with randomness complexity Õ(𝑑).
11/16
randomness complexity of ISW: 𝑂 𝑑2
needs for a quadratic complexity?
proof sketch
probabilistic method: non-constructive!
12/16
proof sketch
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
12/16
proof sketch
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
𝑎0𝑏0𝑎1𝑏0
𝑎0𝑏1𝑎1𝑏1
⋯𝑎0𝑏𝑑𝑎1𝑏𝑑
⋮ ⋮ ⋱ ⋮𝑎𝑑𝑏0 𝑎𝑑𝑏1 ⋯ 𝑎𝑑𝑏𝑑
𝑐0𝑐1⋮𝑐𝑑
$
12/16
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗
𝑑-privacy: if 𝑅 = Õ 𝑑 , Pr 𝑖𝑠 𝑠𝑒𝑐𝑢𝑟𝑒 > 0 ⇒ at least one algorithm is 𝑑-private
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
lower bounds
13/16
lower bounds
theorem:1. 𝑑-privacy ⇒ at least 𝑑 random bits (for 𝑑 ≥ 2)2. 𝑑-privacy ⇒ at least 𝑑 + 1 random bits (for 𝑑 ≥ 3)
13/16
proof sketch of 1.
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0
let 𝑤 ∈ 𝐾𝑒𝑟 𝑁 − {0}
𝑆0 = 𝑐0 ∪ 𝑐𝑖 𝑤𝑖 = 0 and 𝑆1 = 𝑐𝑖 𝑤𝑖 = 1 satisfy requirements of lemma...
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
automatic tool for finding attacks
order 2 3 4 5 6
[BBDFGS15] <1 ms 36 ms 108 ms 6,3 s 26 min
this paper <10 ms <10 ms <10 ms <10 ms <10 ms
- based on the algebraic characterization- relies on coding theory (information set decoding algorithms)- not perfectly sound...- much faster than Easycrypt-based [BBDFGS15]
table: time to find an attack
15/16
16/16
16/16
16/16
thank you!