protecting circuits from leakage sebastian faust @ rome la sapienza, january 18, 2009 joint work...
TRANSCRIPT
![Page 1: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/1.jpg)
Protecting Circuits from Leakage
Sebastian Faust
@ Rome La Sapienza, January 18, 2009
Joint work with
KU Leuven
Tal RabinLeo ReyzinEran TromerVinod Vaikuntanathan
IBM Research
Boston University
MIT
IBM Research
![Page 2: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/2.jpg)
Beautiful Theory…
3. Prove that no adversary exists
1. Adversarial Model
2. Security Definition
![Page 3: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/3.jpg)
3
The Ugly Reality
electromagnetic acoustic
probing
cache
optical
power
![Page 4: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/4.jpg)
4
Motivation
Many provably secure
cryptosystems can be broken by
side-channel attacks
![Page 5: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/5.jpg)
5
Engineering approach
Ad-hoc countermeasures typically tailored to defeat specific attacks
But security only if protection against all known side channel attacks all new attacks during the
device's lifetime.
![Page 6: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/6.jpg)
6
Cryptographic approach
Face the music: computational devices are not black-box.
Cryptosystem should protect already at algorithmic-level against side-channel attacks
Prove security against well-defined class of resource-bounded adversaries
![Page 7: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/7.jpg)
Related Work
[CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms
[ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks
[MR04]: Micali, Reyzin: Physically Observable Cryptography
[GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs
[DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model
[Pie09]: Pietrzak: A leakage-resilient mode of operation
[AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks
[ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model
[FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures
[DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input
[SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks
...
![Page 8: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/8.jpg)
8
M
X Y
Any boolean circuitCircuit transformation
Transformed circuitt-wire
prob
ing
Y
'M
X
blac
k-bo
x
indistinguishable
[Ishai Sahai Wagner ’03]
![Page 9: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/9.jpg)
9
Our goal
Allow much stronger leakage.
![Page 10: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/10.jpg)
10
Our main construction
A transformation that makes any circuit resilient against
• Global adaptive leakageMay depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary.
• Arbitrary total leakage Bounded just per observation.
[DP08]
But we must assume something:• Leakage function is computationally weak
[MR04]
• A simple leak-free component
[MR04]
![Page 11: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/11.jpg)
11
“antennas are dumb”
computationally weak
can be powerful
Computationally-weak leakage
Assumption: the observed leakage is a computationally-weak functionof the device’s internal wires.
![Page 12: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/12.jpg)
12
Secure against global leakage
We do not assume spatial locality, such as:
• t wires
[ISW03]• “Only computation leaks information”
[MR04][DP08][Pie09][FKPR09]
![Page 13: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/13.jpg)
13
Leak-free components
• Secure memory[GKR08]
• Secure processor [G89][GO95]
• Here: simple component that samples from a fixed distribution, e.g:securely draw strings with parity 0.
• No stored secrets or state• No input, so can be precomputed
• Can be relaxed
![Page 14: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/14.jpg)
14
1. Computation model
2. Security model
3. Circuit transformation
4. Proof approach
5. Extensions
Rest of this talk
![Page 15: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/15.jpg)
15
Original circuit
Original circuit C of arbitrary functionality(e.g., crypto algorithms), with state M,over a finite field K.Example: AES encryption with secret key M.
C[M]
X Y
![Page 16: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/16.jpg)
16
Allowed gates in C:
● +
$
M C
1
Multiply in K: Add in K:
Coin: Const:
Copy:Memory:
(Boolean circuits are easily implemented.)
Original circuit
![Page 17: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/17.jpg)
17
Transformed circuit
C ’[M ’]
X Y
Same underlying gates as in C, plus opaque gate (later).
Soundness: for any X,M: C[M](X) = C ‘[M ‘](X)
Transformed state
![Page 18: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/18.jpg)
18
XM
Model: single observation in leakage class L
Y
Lf wires
f(wires)
![Page 19: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/19.jpg)
19
X0
f0 ∈L
Y0
f0(wires0)
M’1 M’2 M’3Refreshed state Refreshed state
refresh state allows total leakage to grow
Model: adaptive observations
X1
f1 ∈L
Y1
f1(wires1)
X2
f2 ∈L
Y2
f2(wires2)
![Page 20: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/20.jpg)
20
Simulation: Real:M’i
indistinguishable
Model: L-secure transformation
Adversary learns no more than by black-box access:
Xi
fi ∈L
Yi
fi (wiresi)
Actual definition little bit more complicated
Simulation:Mi
Xi Yi
![Page 21: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/21.jpg)
21
M M
Problem: Adversary learns one bit of the state
Solution: Share each value over many wires [ISW03, generalized]
Every value encoded by a linear secret sharing scheme (Enc,Dec)with security parameter t:
Motivating example
1-wire probing
Enc: K Kt (probabilistic)
Dec: Kt K (surjective linear function)
![Page 22: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/22.jpg)
22
b R {0,1}
x0
Pr[b‘ = b] - ½ ≤ negl
for all x0,x1 K:
(Enc,Dec) is L-leakage-indistinguishable if
b‘
Leakage: L-leakage-indistinguishability
))(Enc( bxfLf
Consequence:
Leakage functions in L cannot decode
Enc(xb)
x1
![Page 23: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/23.jpg)
23
For any linear encoding scheme that isL-leakage indistinguishable
we present an L -secure transformationfor any circuit and state
f’fL
Simple functions
Thm: transformed circuit can tolerate these leakage functions
Assumption: encoding can tolerate these leakage functions
L’
Main construction
‘
![Page 24: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/24.jpg)
24
f ’
?
Enc(x)
f ’ AC0
?
f AC0
DecParity
Some known circuit lower bounds imply L-leakage-indistinguishability of encodings
hard for AC0
depth: 2 size: O(t2)
Theorem
const depth and poly size circuits
Unconditional resilience against AC0 leakage
![Page 25: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/25.jpg)
Is this practical?
Not really…
• AC0 not very realistic class of leakage functions
• sec parameter t has to be large (blow up ≈t2)
But…
• AC0 can approximate hamming weight
• Very powerful adversary (adaptive, statistical security)
• Make reasonable assumption on power of leakage functions (very important future work!)
![Page 26: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/26.jpg)
26
C[M] C ’[M’]
Transformation: high level
• The state is encoded: M ’ = Enc(M)
• Circuit topology is preserved
• Every wire is encoded
• Inputs are encoded; outputs are decoded
• Every gate is converted into a gadget operating on encodings
![Page 27: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/27.jpg)
27
+
)(Enc aa
)(Enc bb
)(Dec aa
)(Dec bb
c )(Enc cc
c
f(wires)
Easy to attack
Notation: )(Enc xx
Computing on encodingsfirst attempt
![Page 28: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/28.jpg)
28
+1a
+
1b
tbta
1c
tc
f(wires)???
Works well for a single gate... but does not compose.Exponential security loss (for AC0).
Computing on encodingssecond attempt – use linearity
)(Enc aa
)(Enc bb c
![Page 29: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/29.jpg)
29
MX
Y
Since f can verify arbitrary gates in circuit, wires must be consistent with X and Y.Problem: simulator does not know the state M, so hard to simulate internal wires!
Solution: to fool the adversary, introduce a non-verifiable atomic gate.
X, f
Y, f (wires)
Intuition: wire simulation
M Y
f
Xwires
![Page 30: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/30.jpg)
30
Fool adversary:gate is non-verifiable by functions in L.
Opaque gate: Enc(0)
• Samples from a fixed distribution.
• No inputs
Opaque gate
![Page 31: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/31.jpg)
31
Wire simulator’s advantage:can change output of opaque without getting noticed(L-leakage-indistinguishable)
Using the opaque gate
Full transformationfor gate:+
a
b oba
)(
???
c
c
Lf
a
bEnc(0)
cba
,,So can simulate
this gate independentof all others gates.
![Page 32: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/32.jpg)
32
Other gates
• Similar transformation for other gates.• The challenging case is the non-linear gate: multiplication.
Hard to make leak-resilient; standard MPC doesn’t work.Trick: give wire simulator enough degrees of freedom.
a
b
Enc(0)a
b
jiba
Enc(0)Enc(0)
+
Dec
Dec
Dec
Enc(0)
+qo
B S
c
![Page 33: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/33.jpg)
33
This property (suitably defined)
composes!
If every gadgethas a (shallow) wire simulator
then the whole transformed circuithas a (shallow) wire simulator.
Wire simulator composability
Security for 1 round follows easily.
For multiple rounds there’s extra work due to adaptivity of the leakage and inputs.
![Page 34: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/34.jpg)
34
Summary of (positive) results
Linear encoding +leakage class
which can’t decode +leak-free Enc(0) gates
AC0 / ACC0[q] leakage +leak-free 0-parity gates
Any encoding +leakage class
which can’t decode +leak-free gates (relaxed)
Noisy leakage +leak-free encoding gates
Public-key encryption + Gen+Dec+Enc
gadgets
![Page 35: Protecting Circuits from Leakage Sebastian Faust @ Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod](https://reader038.vdocument.in/reader038/viewer/2022110116/5519baa255034660578b4969/html5/thumbnails/35.jpg)
35
Achieved
• New model for side-channel leakage, which allows global leakage ofunbounded total size
• Constructions for generic circuit transformation,for example, against all leakage in AC0 or noisy leakages.
• General proof technique + several additional applications.
Open problems
• More leakage classes: find a reasonable assumption on the power of leakage functions!
• Smaller leak-free components
• Proof/falsify black-box necessity conjecture
• Circumvent necessity result (e.g., non-blackbox constructions)
Conclusions
http://eprint.iacr.org/2009/379