Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod Vaikuntanathan IBM Research Boston University MIT IBM Research
Beautiful Theory… 3. Prove that no adversary exists 1.Adversarial Model 2.Security Definition
3 The Ugly Reality electromagneticacoustic probing cache optical power
4 Motivation Many provably secure cryptosystems can be broken by side-channel attacks
5 Engineering approach Ad-hoc countermeasures typically tailored to defeat specific attacks But security only if protection against all known side channel attacks all new attacks during the device's lifetime.
6 Cryptographic approach Face the music: computational devices are not black-box. Cryptosystem should protect already at algorithmic-level against side- channel attacks Prove security against well-defined class of resource-bounded adversaries
Related Work [CDHKS00]: Canetti, Dodis, Halevi, Kushilevitz, Sahai: Exposure-Resilient Functions and All-Or-Nothing Transforms [ISW03]: Ishai, Sahai, Wagner: Private Circuits: Securing Hardware against Probing Attacks [MR04]: Micali, Reyzin: Physically Observable Cryptography [GTR08]: Goldwasser, Tauman-Kalai, Rothblum: One-Time Programs [DP08]: Dziembowski, Pietrzak: Leakage-Resilient Cryptography in the Standard Model [Pie09]: Pietrzak: A leakage-resilient mode of operation [AGV09]: Akavia, Goldwasser, Vaikuntanathan: Simultaneous Hardcore Bits and Cryptography against Memory Attacks [ADW09]: Alwen, Dodis, Wichs: Leakage-Resilient Public-Key Cryptography in the Bounded Retrieval Model [FKPR09]: Faust, Kiltz, Pietrzak, Rothblum: Leakage-Resilient Signatures [DHT09]: Dodis, Lovett, Tauman-Kalai: On Cryptography with Auxiliary Input [SMY09]: Standaert, Malkin, Yung: A Unified Framework for the Analysis of Side-Channel Key-Recovery Attacks...
8 M XY Any boolean circuit Circuit transformation Transformed circuit t-wire probing YX black-box indistinguishable [Ishai Sahai Wagner 03]
9 Our goal Allow much stronger leakage.
10 Our main construction A transformation that makes any circuit resilient against Global adaptive leakage May depend on whole state and intermediate results, and chosen adaptively by a powerful on-line adversary. Arbitrary total leakage Bounded just per observation.[DP08] But we must assume something: Leakage function is computationally weak [ MR04] A simple leak-free component [ MR04]
11 antennas are dumb computationally weak can be powerful Computationally-weak leakage Assumption: the observed leakage is a computationally-weak function of the devices internal wires.
12 Secure against global leakage We do not assume spatial locality, such as: t wires [ISW03] Only computation leaks information [MR04][DP08][Pie09][FKPR09]
13 Leak-free components Secure memory [GKR08] Secure processor [G89][GO95] Here: simple component that samples from a fixed distribution, e.g: securely draw strings with parity 0. No stored secrets or state No input, so can be precomputed Can be relaxed
14 1.Computation model 2.Security model 3.Circuit transformation 4.Proof approach 5.Extensions Rest of this talk
15 Original circuit Original circuit C of arbitrary functionality (e.g., crypto algorithms), with state M, over a finite field K. Example: AES encryption with secret key M. C[M]C[M] X Y
16 Allowed gates in C: + $ MC 1 Multiply in K: Add in K: Coin:Const: Copy:Memory: (Boolean circuits are easily implemented.) Original circuit
17 Transformed circuit C [M ]C [M ] X Y Same underlying gates as in C, plus opaque gate (later). Soundness: for any X,M: C[M](X) = C [M](X) Transformed state
18 X M Model: single observation in leakage class L Y wires f (wires)
19 X 0 f 0 L Y 0 f 0 (wires 0 ) M 1 M 2 M 3 Refreshed state refresh state allows total leakage to grow Model: adaptive observations X 1 f 1 L Y 1 f 1 (wires 1 ) X 2 f 2 L Y 2 f 2 (wires 2 )
20 Simulation: Real: M i indistinguishable Model: L-secure transformation Adversary learns no more than by black-box access: X i f i L Y i f i (wires i ) Actual definition little bit more complicated Simulation: MiMi XiXi YiYi
21 MM Problem: Adversary learns one bit of the state Solution: Share each value over many wires [ISW03, generalized] Every value encoded by a linear secret sharing scheme (Enc,Dec) with security parameter t: Motivating example 1-wire probing Enc: K K t (probabilistic) Dec: K t K (surjective linear function)
22 b R {0,1} x0x0 Pr[b = b] - ½ negl for all x 0,x 1 K: (Enc,Dec) is L-leakage-indistinguishable if b Leakage: L-leakage-indistinguishability Consequence : Leakage functions in L cannot decode Enc (x b ) x1x1
23 For any linear encoding scheme that is L-leakage indistinguishable we present an L -secure transformation for any circuit and state f f L Simple functions Thm: transformed circuit can tolerate these leakage functions Assumption: encoding can tolerate these leakage functions L Main construction
24 f ? Enc(x) f AC 0 ? Dec Parity Some known circuit lower bounds imply L-leakage-indistinguishability of encodings hard for AC 0 depth: 2 size: O(t 2 ) Theorem const depth and poly size circuits Unconditional resilience against AC 0 leakage
Is this practical? Not really… AC 0 not very realistic class of leakage functions sec parameter t has to be large (blow up t 2 ) But… AC 0 can approximate hamming weight Very powerful adversary (adaptive, statistical security) Make reasonable assumption on power of leakage functions (very important future work!)
26 C[M]C[M] C [M] Transformation: high level The state is encoded: M = Enc(M) Circuit topology is preserved Every wire is encoded Inputs are encoded; outputs are decoded Every gate is converted into a gadget operating on encodings
27 + f(wires) Easy to attack Notation: Computing on encodings first attempt
f(wires) ??? Works well for a single gate... but does not compose. Exponential security loss (for AC 0 ). Computing on encodings second attempt – use linearity
29 M X Y Since f can verify arbitrary gates in circuit, wires must be consistent with X and Y. Problem: simulator does not know the state M, so hard to simulate internal wires! Solution: to fool the adversary, introduce a non-verifiable atomic gate. X, f Y, f (wires) Intuition: wire simulation M Y f X wires
30 Fool adversary: gate is non-verifiable by functions in L. Opaque gate: Enc(0) Samples from a fixed distribution. No inputs Opaque gate
31 Wire simulators advantage: can change output of opaque without getting noticed (L-leakage-indistinguishable) Using the opaque gate Full transformation for gate: + ??? Enc(0) So can simulate this gate independent of all others gates.
32 Other gates Similar transformation for other gates. The challenging case is the non-linear gate: multiplication. Hard to make leak-resilient; standard MPC doesnt work. Trick: give wire simulator enough degrees of freedom. Enc(0) + Dec Enc(0) + B S
33 This property (suitably defined) composes ! If every gadget has a (shallow) wire simulator then the whole transformed circuit has a (shallow) wire simulator. Wire simulator composability Security for 1 round follows easily. For multiple rounds theres extra work due to adaptivity of the leakage and inputs.
34 Summary of (positive) results Linear encoding + leakage class which cant decode + leak-free Enc(0) gates AC 0 / ACC 0 [q] leakage + leak-free 0-parity gates Any encoding + leakage class which cant decode + leak-free gates (relaxed) Noisy leakage + leak-free encoding gates Public-key encryption + Gen+Dec+Enc gadgets
35 Achieved New model for side-channel leakage, which allows global leakage of unbounded total size Constructions for generic circuit transformation, for example, against all leakage in AC 0 or noisy leakages. General proof technique + several additional applications. Open problems More leakage classes: find a reasonable assumption on the power of leakage functions! Smaller leak-free components Proof/falsify black-box necessity conjecture Circumvent necessity result (e.g., non-blackbox constructions) Conclusions