Default

Protecting Circuits from LeakageSebastian Faust

@ Rome La Sapienza, January 18, 2009

Joint work withKU LeuvenTal RabinLeo ReyzinEran TromerVinod VaikuntanathanIBM ResearchBoston UniversityMITIBM Research1Beautiful Theory

3. Prove that no adversary existsAdversarial Model

Security Definition

3

The Ugly Reality

electromagneticacousticprobingcacheopticalpower

4MotivationMany provably secure cryptosystems can be broken by side-channel attacks4The great tragedy of Science the slaying of a beautiful hypothesis by an ugly fact. Thomas Henry Huxley Bloodshed!5Engineering approachAd-hoc countermeasures typically tailored to defeat specific attacksBut security only if protection againstall known side channel attacksall new attacks during thedevice's lifetime.

56Cryptographic approachFace the music: computational devices are not black-box.

Cryptosystem should protect already at algorithmic-level against side-channel attacks

Prove security against well-defined class of resource-bounded adversaries

6Related Work[CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms[ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks[MR04]: Micali, Reyzin: Physically Observable Cryptography[GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs[DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model[Pie09]: Pietrzak: A leakage-resilient mode of operation[AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks [ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model[FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures[DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input[SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks...

778MXYAny boolean circuit

Circuit transformation

Transformed circuit

t-wireprobing

Y

Xblack-box

indistinguishable[Ishai Sahai Wagner 03]9

Our goalAllow much stronger leakage.10

Our main constructionA transformation that makes any circuit resilient againstGlobal adaptive leakageMay depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary.Arbitrary total leakage Bounded just per observation.[DP08]

But we must assume something:Leakage function is computationally weak[MR04]A simple leak-free component[MR04]

11

antennas are dumb

computationally weak

can be powerful

Computationally-weak leakageAssumption: the observed leakage is a computationally-weak functionof the devices internal wires.12

Secure against global leakageWe do not assume spatial locality, such as:

t wires [ISW03]Only computation leaks information [MR04][DP08][Pie09][FKPR09]

13Leak-free components

Secure memory[GKR08]

Secure processor[G89][GO95]

Here: simple component that samples from a fixed distribution, e.g:securely draw strings with parity 0.No stored secrets or stateNo input, so can be precomputed Can be relaxed13Secure memory: reasonable for software attacks, less so for hardware attacksSecure processor: nontrivial crypto functionality; for simple circuits, as hard as the original problem14Computation modelSecurity modelCircuit transformationProof approachExtensions

Rest of this talk15

Original circuitOriginal circuit C of arbitrary functionality(e.g., crypto algorithms), with state M,over a finite field K.Example: AES encryption with secret key M.C[M]XY

151516Allowed gates in C:+$MC1Multiply in K:Add in K:Coin:Const:Copy:Memory:(Boolean circuits are easily implemented.)

Original circuit161617Transformed circuitC [M ]XYSame underlying gates as in C, plus opaque gate (later).Soundness: for any X,M: C[M](X) = C [M ](X)Transformed state

18

XMModel: single observation in leakage class LY

wiresf(wires)19X0f0 L

Y0f0(wires0)M1M2M3Refreshed stateRefreshed staterefresh state allows total leakage to grow

Model: adaptive observationsX1f1 L

Y1f1(wires1)

X2f2 L

Y2f2(wires2)

20Simulation:

Real:Miindistinguishable

Model: L-secure transformationAdversary learns no more than by black-box access:Xifi LYifi (wiresi)Actual definition little bit more complicated

Simulation:Mi

Xi

Yi202021MMProblem: Adversary learns one bit of the stateSolution: Share each value over many wires [ISW03, generalized]Every value encoded by a linear secret sharing scheme (Enc,Dec)with security parameter t:

Motivating example1-wire probingEnc: K Kt (probabilistic)Dec: Kt K (surjective linear function)

212122b R {0,1}

x0Pr[b = b] - neglfor all x0,x1 K:(Enc,Dec) is L-leakage-indistinguishable ifbLeakage: L-leakage-indistinguishability

Consequence: Leakage functions in L cannot decode

Enc(xb)x122Slow down to absorb notation23For any linear encoding scheme that isL-leakage indistinguishablewe present an L -secure transformationfor any circuit and stateffL Simple functionsThm: transformed circuit can tolerate these leakage functionsAssumption: encoding can tolerate these leakage functionsL Main construction24f

?Enc(x)f AC0? f AC0

DecParitySome known circuit lower bounds imply L-leakage-indistinguishability of encodingshard for AC0depth: 2 size: O(t2)Theoremconst depth and poly size circuits

Unconditional resilience against AC0 leakage

24Similar to encryption indistinguishability security (semantic security)24Is this practical?Not really AC0 not very realistic class of leakage functions sec parameter t has to be large (blow up t2)But AC0 can approximate hamming weight Very powerful adversary (adaptive, statistical security) Make reasonable assumption on power of leakage functions (very important future work!)26C[M]C [M]

Transformation: high levelThe state is encoded: M = Enc(M)Circuit topology is preservedEvery wire is encodedInputs are encoded; outputs are decodedEvery gate is converted into a gadget operating on encodings

27

+

f(wires)Easy to attackNotation:

Computing on encodingsfirst attempt28+

+

f(wires)???

Works well for a single gate... but does not compose.Exponential security loss (for AC0).Computing on encodingssecond attempt use linearity

29MXYSince f can verify arbitrary gates in circuit, wires must be consistent with X and Y.Problem: simulator does not know the state M, so hard to simulate internal wires!Solution: to fool the adversary, introduce a non-verifiable atomic gate.X, fY, f (wires)

Intuition: wire simulation

MYfXwires292930Fool adversary:gate is non-verifiable by functions in L.Opaque gate:Enc(0)Samples from a fixed distribution.No inputsOpaque gate303031Wire simulators advantage:can change output of opaque without getting noticed(L-leakage-indistinguishable)

Using the opaque gateFull transformationfor gate:+

???

Enc(0)

So can simulate this gate independentof all others gates.313132Other gatesSimilar transformation for other gates.The challenging case is the non-linear gate: multiplication.Hard to make leak-resilient; standard MPC doesnt work.Trick: give wire simulator enough degrees of freedom.

Enc(0)

Enc(0)Enc(0)+DecDecDecEnc(0)+

BS

33This property (suitably defined)composes!

If every gadgethas a (shallow) wire simulatorthen the whole transformed circuithas a (shallow) wire simulator.

Wire simulator composability

Security for 1 round follows easily.

For multiple rounds theres extra work due to adaptivity of the leakage and inputs.34Summary of (positive) resultsLinear encoding +leakage classwhich cant decode +leak-free Enc(0) gatesAC0 / ACC0[q] leakage +leak-free 0-parity gatesAny encoding +leakage classwhich cant decode +leak-free gates (relaxed)Noisy leakage +leak-free encoding gates

Public-key encryption + Gen+Dec+Enc gadgets35AchievedNew model for side-channel leakage, which allows global leakage ofunbounded total sizeConstructions for generic circuit transformation,for example, against all leakage in AC0 or noisy leakages.General proof technique + several additional applications.Open problemsMore leakage classes: find a reasonable assumption on the power of leakage functions!Smaller leak-free componentsProof/falsify black-box necessity conjectureCircumvent necessity result (e.g., non-blackbox constructions)Conclusionshttp://eprint.iacr.org/2009/379