Protecting Circuits from Leakage: the computationally bounded and noisy cases
Vinod Vaikuntanathan (IBM T. J. Watson)
Joint work with S. Faust (KU Leuven), L. Reyzin (BU), T. Rabin (IBM), E. Tromer (MIT)

This morning's talks (Yael, Daniel): "Design specific crypto primitives (signatures, encryption) secure against continual information leakage?" [BKKV'10] [DHLW'10]
THIS TALK: Any circuit → leakage-resilient circuit (the GMW/BGW/CCD analogue for leakage-resilient crypto)
Ishai-Sahai-Wagner: Private Circuits
Any circuit → leakage-resilient circuit
"Compiler": takes any (stateful) boolean circuit C with stored key Key, input X and output Y, and produces a compiled circuit C' with a transformed key Key'.
► Think of an RSA or AES circuit with the secret key stored.
► The compiled circuit has the same functionality: C_Key(X) = C'_Key'(X)
Ishai-Sahai-Wagner: Private Circuits
Any circuit → leakage-resilient circuit against leakage of at most t wires
[Figure: the simulator (SIM) has only input/output access to C_Key; the adversary (ADV) has t-wire probing access to C'_Key'; the two views are indistinguishable]
ISW + Manoj (IPSW) = tamper-resistance
How do Side-channel Attacks Work (abstractly)?
– Global leakage: the leakage function is a global function of the whole state, e.g., Hamming-weight leakage [PSPMY]
– In contrast, [ISW03] focuses on local leakage: a subset of t wires
– Such leakage can be powerful, but in practice it is computationally weak or noisy
Can we protect against global, continual, but possibly weak or noisy leakage?
Our Result
Theorem: Two compilers that make any circuit resilient against:
– AC0 leakage (compiler 1): the adversary learns C(wires) for any AC0 leakage function C with "bounded" output, i.e., a constant-depth, polynomial-size circuit of unbounded fan-in AND/NOT gates; in each execution the leakage is ≤ n^{1-ε} bits
– noisy leakage (compiler 2): the adversary learns a noisy copy {w_i + η_i} of every wire w_i, where η_i = 1 with probability p and 0 with probability 1 − p
assuming a simple leak-proof hardware component.
– Generalizes [ISW03] (modulo the leak-proof device)
– Captures "approximate Hamming weight", by [Ajtai-BenOr83] for AC0
– A simple, modular method of proving security
A Word on Leak-Proof Hardware
Many previous uses in leakage resilience:
► Secure memory
– "only computation leaks information" [MR04, DP08]
– one-time memory [GKR08]
► Secure processor
– Oblivious RAM [G89, GO94]

Our desiderata: the leak-proof hardware shall be
– SMALL: size much smaller than the circuit (if not, trivial: the leak-proof device does the whole computation)
– STATELESS: does not store any long-term secrets (if not, trivial: the leak-proof device holds an encryption key and does "decrypt, compute and re-encrypt")
– COMPUTATION-INDEPENDENT: the device has NO INPUTS; it simply samples from a fixed distribution
Construction
The Setup
Original circuit C of arbitrary functionality, e.g., AES encryption, RSA signatures with the secret key Key stored in memory, and so forth.
Allowed gates in C: Mult (AND), Add (XOR), Coin (outputs a fresh random bit), Const (0/1), Copy, Memory (stores the key).
Transformed circuit C': same underlying gates as in C, plus a leak-proof device (described later), operating on the transformed state Key'.
Correctness: for any X, Key: C_Key(X) = C'_Key'(X)
Security Definition
In execution i the adversary chooses the input X_i and a leakage function f_i ∈ L (the leakage class); it gets the output Y_i = C'_Key'_i(X_i) together with f_i(wires_i), the leakage function applied to the values on all wires of C' in that execution.
After each execution the key is refreshed: Key'_1 → Key'_2 → Key'_3 → ...  Leakage in every execution = CONTINUAL leakage model.
Real: the adversary's view (X_i, Y_i, f_i(wires_i)) for i = 1, 2, ..., obtained by running C'_Key'_i.
Simulation: the simulator has only black-box access to C_Key (it submits X_i and receives Y_i) and must produce the leakage values itself.
Security: the real and simulated views are STATISTICALLY indistinguishable, i.e., the adversary learns no more than it could by black-box access to C_Key.
Construction: Overview
► Memory → Encoded memory: each bit b of the state is stored as its parity encoding, a uniformly random tuple (b_1, ..., b_n) such that Σ b_i (mod 2) = b.
Two key properties of the parity encoding. Let (a_1, ..., a_n) and (b_1, ..., b_n) be random encodings of 0 and 1, respectively.
► AC0 indistinguishable [Has86, DI06]: for any ε > 0 and any AC0 circuit C with output length n^{1-ε}, C(a_1, ..., a_n) ≈_s C(b_1, ..., b_n).
► Noise indistinguishable (via the XOR lemma): for any constant 0 < p < 1/2, N_p(a_1, ..., a_n) ≈_s N_p(b_1, ..., b_n), where N_p flips each bit independently with probability p.
► Wires → Wire bundles: invariant: each wire bundle carries an encoding of the corresponding wire value of C.
► Gates → Gadgets: each gadget operates on encodings, e.g., Enc(a), Enc(b) → Enc(a + b).
Proof Technique: TWO STEPS
► Individual gadgets are leakage-resilient:
– The internals of the gadget can be "simulated" given only its inputs and its output.
– We call this "reconstructibility".
► Composition Lemma:
– If all the individual gadgets are leakage-resilient (reconstructible) and re-randomizing, then the entire (transformed) circuit is leakage-resilient.
Re-randomizing: the output of the gadget is a uniformly random encoding of the corresponding bit, even given the leakage from the gadget's internals.
Proof of the Composition Lemma: hybrid argument.
– H_0: every wire bundle carries an encoding of its real value
– H_i and H_{i+1} differ only in the i-th wire bundle: in H_i it carries an encoding of the real value, in H_{i+1} an encoding of 0
– ...
– H_w: every wire bundle carries an encoding of 0 (w = number of wires)
– Reduction: if you can distinguish H_i from H_{i+1} (given leakage), you can distinguish encodings of 0 and 1.
– The reduction has to be VERY efficient (in AC0, so that the AC0 indistinguishability of the encoding applies)!
Construction of the Gadgets
ADD gadget (n add gates plus one Enc(0) from the leak-proof device):
– Inputs: encodings (a_1, ..., a_n) and (b_1, ..., b_n)
– The leak-proof device outputs (c_1, ..., c_n), a uniformly random parity encoding of 0 (Σ c_i = 0)
– Output: o_i = a_i + b_i + c_i for i = 1, ..., n, a fresh random encoding of a + b
Simulation of the Gadget Internals (ADD gadget):
– Goal: given ANY consistent input encodings a and b, and output encoding o, simulate the internal wires of the gadget
– The input wires are the a's and b's, the output wires are the o's, the internal wires are the c's (the sums a_i + b_i are fixed by the inputs)
– SIM: set c_i = o_i − (a_i + b_i)
– Identical to the real distribution!
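The parity encoding, the ADD gadget and its reconstructor, as an added Python example that is not part of the talk or the paper. The function names (`encode`, `decode`, `leak_proof_zero`, `add_gadget`, `reconstruct_add`, `simulate_add_gadget`, `fresh_rng`, `check_add_gadget`) are my own, and the leak-proof device is modelled as a plain function that samples Enc(0). The check verifies correctness, that the simulated internal wires coincide with the real ones, and that the output bundle is re-randomized for fixed inputs:

```python
import random
from typing import Dict, List, Tuple

Encoding = List[int]


def fresh_rng(seed=None) -> random.Random:
    """Randomness source for the model (seedable so that runs are reproducible)."""
    return random.Random(seed)


def encode(bit: int, n: int, rng: random.Random) -> Encoding:
    """Parity encoding of `bit`: a uniformly random (b_1, ..., b_n) in {0,1}^n
    whose XOR (sum mod 2) equals `bit`. The first n-1 shares are free,
    the last one fixes the parity."""
    shares = [rng.getrandbits(1) for _ in range(n - 1)]
    shares.append(bit ^ (sum(shares) % 2))
    return shares


def decode(enc: Encoding) -> int:
    """Dec: XOR of all shares."""
    return sum(enc) % 2


def leak_proof_zero(n: int, rng: random.Random) -> Encoding:
    """The leak-proof device of the talk: stateless, takes NO inputs, and simply
    samples a fresh uniformly random parity encoding of 0."""
    return encode(0, n, rng)


def add_gadget(a: Encoding, b: Encoding, rng: random.Random) -> Tuple[Encoding, Encoding]:
    """ADD gadget: n XOR gates plus one Enc(0) from the leak-proof device.
    Returns (internal wires c, output bundle o) with o_i = a_i + b_i + c_i."""
    if len(a) != len(b):
        raise ValueError("input bundles must have the same length")
    c = leak_proof_zero(len(a), rng)
    o = [ai ^ bi ^ ci for ai, bi, ci in zip(a, b, c)]
    return c, o


def reconstruct_add(a: Encoding, b: Encoding, o: Encoding) -> Encoding:
    """The reconstructor (SIM) of the ADD gadget: given consistent input encodings
    a, b and an output encoding o of a+b, recover the internal wires
    c_i = o_i - (a_i + b_i). Over GF(2), subtraction is XOR."""
    return [oi ^ ai ^ bi for ai, bi, oi in zip(a, b, o)]


def simulate_add_gadget(a: Encoding, b: Encoding, rng: random.Random) -> Tuple[Encoding, Encoding]:
    """What the simulator does instead of running the gadget: draw a fresh random
    encoding of a+b as the output (re-randomization says the real output looks
    exactly like this) and reconstruct the internals from it."""
    o = encode(decode(a) ^ decode(b), len(a), rng)
    return reconstruct_add(a, b, o), o


def check_add_gadget(n: int = 16, trials: int = 200, seed: int = 1) -> Dict[str, object]:
    """Exercise correctness, reconstructibility and re-randomization on fixed inputs."""
    rng = fresh_rng(seed)
    a_bit, b_bit = 1, 0
    a = encode(a_bit, n, rng)   # fixed input bundles for the whole experiment
    b = encode(b_bit, n, rng)
    outputs_seen = set()
    for _ in range(trials):
        c, o = add_gadget(a, b, rng)
        assert decode(o) == a_bit ^ b_bit           # correctness
        assert reconstruct_add(a, b, o) == c        # SIM recovers the real internals
        assert decode(c) == 0                       # and they form an encoding of 0
        outputs_seen.add(tuple(o))
    # re-randomizing: the same inputs yield many different output bundles
    return {"correct": True, "reconstructible": True, "distinct_outputs": len(outputs_seen)}
```

The reconstructor never needs the gadget's randomness: `o XOR a XOR b` is already a uniform encoding of 0 whenever `o` is a uniform encoding of a + b, which is why the simulated and real internal wires have identical distributions. The Python XORs are not constant-time and the randomness is `random.Random`; this is a model of the construction, not a masking library.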
I Won't Tell You the Complicated Part (or, the MULT Gadget)
– The challenging case
[Figure (sketch): the MULT gadget forms the n×n matrix B of products a_i b_j, masks it with fresh Enc(0)s from the leak-proof device to get S, decodes (Dec) the rows of S into q, and adds one more Enc(0) to obtain the output encoding c]
– TRICK: have enough "degrees of freedom" that the reconstructor can use
Noisy Leakage
– The MULT gadget above can be broken with noisy leakage:
– The adversary gets a noisy version of all the products a_i b_j (the entries of B)
– If a_1 = 0, all the a_1 b_j are 0
– If a_1 = 1, (about) half of them are 0 and half are 1, since b is a random encoding
– The two cases can be distinguished for any p < 1/2 (and the same holds for every share a_i, so a itself is exposed)
– We construct a new MULT gadget for noisy leakage
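An added Python simulation (not from the talk or the paper) of the two noisy-leakage facts on this slide and on the "Two Key Properties" slide: a single parity bundle under N_p tells the adversary nothing about the encoded bit, while the rows of the a_i b_j product matrix of the naive MULT gadget leak every share a_i and hence a. All names (`noisy`, `parity_guess_accuracy`, `product_matrix`, `recover_share`, `attack_mult`, `attack_succeeds`) and the parameters n = 512, p = 0.2 are my own choices:

```python
import random
from typing import List

Encoding = List[int]


def fresh_rng(seed=None) -> random.Random:
    return random.Random(seed)


def encode(bit: int, n: int, rng: random.Random) -> Encoding:
    """Parity encoding: uniformly random (b_1, ..., b_n) with XOR = bit."""
    shares = [rng.getrandbits(1) for _ in range(n - 1)]
    shares.append(bit ^ (sum(shares) % 2))
    return shares


def noisy(wires: List[int], p: float, rng: random.Random) -> List[int]:
    """The noisy leakage function N_p: each wire w_i is reported as w_i + eta_i,
    where eta_i = 1 with probability p (independently per wire) and 0 otherwise."""
    return [w ^ (1 if rng.random() < p else 0) for w in wires]


def parity_guess_accuracy(n: int, p: float, trials: int, seed: int) -> float:
    """Noise indistinguishability of ONE bundle: try to recover the bit a from
    N_p(Enc(a)) by XORing the noisy shares. By the XOR lemma the bias of that
    guess is (1-2p)^n, so for large n it is no better than a coin flip."""
    rng = fresh_rng(seed)
    hits = 0
    for _ in range(trials):
        a = rng.getrandbits(1)
        guess = sum(noisy(encode(a, n, rng), p, rng)) % 2
        hits += int(guess == a)
    return hits / trials


def product_matrix(a: Encoding, b: Encoding) -> List[List[int]]:
    """Intermediate wires of the naive MULT gadget: all n*n products a_i * b_j."""
    return [[ai & bj for bj in b] for ai in a]


def recover_share(noisy_row: List[int], p: float) -> int:
    """Row i of the noisy product matrix reveals a_i:
    a_i = 0 -> the row is all zeros, so about p of the noisy bits are 1;
    a_i = 1 -> the row equals b, a random encoding, so about 1/2 are 1.
    Threshold halfway between p and 1/2; the gap is positive for every p < 1/2,
    and the row length n drives the error probability down."""
    frac = sum(noisy_row) / len(noisy_row)
    return 1 if frac > (p + 0.5) / 2 else 0


def attack_mult(leaked: List[List[int]], p: float) -> int:
    """Recover every share a_i from its own row, then a = XOR of the shares."""
    return sum(recover_share(row, p) for row in leaked) % 2


def attack_succeeds(a_bit: int, n: int, p: float, seed: int) -> bool:
    """One run: encode a_bit and a random b, leak N_p of every product wire,
    and check whether the attacker recovers a_bit."""
    rng = fresh_rng(seed)
    a = encode(a_bit, n, rng)
    b = encode(rng.getrandbits(1), n, rng)
    leaked = [noisy(row, p, rng) for row in product_matrix(a, b)]
    return attack_mult(leaked, p) == a_bit
```

The distinguisher is a per-row threshold: with n entries per row, the fraction of ones concentrates around p (a_i = 0) or 1/2 (a_i = 1), so increasing n, which makes a single bundle more secure against N_p, makes this attack on the product matrix more reliable. This is why the noisy-leakage compiler needs a different MULT gadget.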
Open Questions
► Is leak-proof (secure) hardware necessary?
► Can we protect against general leakage?
– Subsequent work: Juma-Vahlis [JV10] and Goldwasser-Rothblum [GR10] give security against continual polynomial-time leakage, using computational assumptions (FHE [JV10], DDH [GR10]), the "only computation leaks information" axiom [MR04], and leak-proof hardware (like us)
Questions?