Leakage-Resilient Cryptography: New Developments and Challenges. Vinod Vaikuntanathan, Microsoft Research & U. Toronto.

Secrets: information accessible to one party and not to other(s). Essential to cryptography! Theory vs. real life: secrets leak! [Kocher'96], [Kocher, Jaffe, Jun'98], [Quisquater'01], cache-timing [Bernstein'05, OST'05].

Secrets leak. So, what can we do about it?

Leakage-Resilient Cryptography. A fundamental question in the foundations of cryptography: can we do crypto with no (perfect) secrecy? Yes (in most cases).

Three Commandments (Axioms of Leakage) [Micali-Reyzin'04]:
I. Secrets leak in arbitrary ways (except: leakage is polynomial-time computable, and does not betray the entire secret key).
II. Secrets leak from everywhere (hard-disk, RAM, cache, registers, randomness sources, ...).
III. Secrets leak all the time (no protected time periods).

Interpreting the Commandments (or, Two Leakage Models). A simple interpretation: Bounded Leakage [AGV09]:
– Total leakage λ < |SK| [AGV09, NS09, KV09, ADW09, ADN+10, ...].
– The adversary can learn any efficiently computable function L: {0,1}* → {0,1}^λ of the secret key (*). (*) Ideally, leakage from the entire secret state.
Variations:
– Auxiliary Input Model [DKL'09, DGKPV'10]: L is an uninvertible function of SK.
– Noisy Model [NS'09]: H_∞(SK | L(SK)) > |SK| − λ.

Interpreting the Commandments (or, Two Leakage Models). A realistic interpretation: Continual Leakage [ISW03, MR04, DP08, Pie09, FKPR10, FRRTV10, BKKV10, DHLW10, ...]:
– Rate of leakage λ (leakage per time period) < |SK|.
– The adversary can learn any efficiently computable function L_i: {0,1}* → {0,1}^λ of the secret key at each "time period": L_1(sk), L_2(sk), ...
Observations:
– Of course, the secret key should be refreshed in each time period.
– Non-trivial: refresh SK without changing PK (in public-key systems), or without coordination (in secret-key systems).

Talk Plan.
PART 1: Bounded Leakage Model – One-way Functions – Digital Signatures – Public-key Encryption.
PART 2: Continual Leakage Model.
PART 3: Some Research Directions – Leakage-resilient Compilers, Tamper Resistance, ...

A Brief History of Leakage in Crypto “We stand on the shoulders of giants…”

A Brief History of Leakage in Crypto.
– Privacy Amplification [von Neumann'46, ..., Bennett-Brassard-Robert'85]: "distill a perfectly random shared key from an imperfect one".
– Bounded Storage/Retrieval Models [Maurer'92, ..., Di Crescenzo-Lipton-Walfish'06, Dziembowski'06].
– Exposure-Resilient Cryptography [Rivest'97, Boyko'98, CDHKS'00, ISW'03, IPSW'06]: leakage = a subset of bits of SK. We want to tolerate arbitrary (PPT) leakage functions (axiom 1). More generally: MPC, threshold crypto, etc.
– Proactive Cryptography [HJKY'95, HJJKY'97, R'98]: "how to cope with perpetual leakage" (a continual leakage model).

[Ishai-Sahai-Wagner2003] [Micali-Reyzin2004] [Dodis-Ong-Prabhakaran-Sahai2004] [Ishai-Prabhakaran-Sahai-Wagner2006] [Dziembowski-Pietrzak2008] [Akavia-Goldwasser-V.2009] [Pietrzak2009] [Dodis-Kalai-Lovett2009] [Naor-Segev2009] [Dodis-Goldwasser-Kalai-Peikert-V.2009] [Katz-V.2009] [Faust-Kiltz-Pietrzak-Rothblum2009] [Alwen-Dodis-Wichs2009] [Goldwasser-Kalai-Peikert-V.2010] [Alwen-Dodis-Naor-Segev-Walfish-Wichs2009] [Juma-Vahlis.2010] [Faust-Rabin-Reyzin-Tromer-V.2010] [Brakerski-Kalai-Katz-V.2010] [Goldwasser-Rothblum.2010] [Dodis-Haralambiev-Lopez-alt-Wichs.2010] [Lewko-Waters.2010] [Chow-Dodis-Rouselakis-Waters.2010] [Boyle-Wichs-Segev.2011] [Kiltz-Pietrzak.2011] [Malkin-Teranishi-Vahlis-Yung.2011] [Jain-Pietrzak.2011] [Halevi-Lin.2011] [Lewko-Rouselakis-Waters.2011] [Lewko-Lewko-Waters.2011] …

Bounded Leakage

Leakage-Resilient One-way Functions. Easy observation: "hardness ⇒ leakage-resilience".
– Similar connections for other primitives (enc, sig, ...).
– Need 2^{O(n)}-hardness to get O(n)-LR.

Leakage-Resilient One-way Functions. Theorem [KV09, ADW09]: if there are Universal One-way Hash Functions, then there are LR one-way functions.
– Corollary [NY89, Rom90]: if OWFs exist, then LR OWFs exist.

Leakage-Resilient One-way Functions. Proof: information-theoretic + crypto techniques; a blueprint for most leakage-resilience proofs.

Leakage-Resilient One-way Functions. Proof: the reduction (a UOWHF-breaker) picks x, hands the adversary y = f(x) and answers its leakage query on x.
– H_∞(x) = n, and since f compresses by more than the λ leaked bits, y together with the leakage does not pin down x.
– The adversary returns x' ≠ x w.p. ≥ 1/2 → breaks the UOWHF.

A Blueprint for Leakage Proofs:
– A problem with many solutions; hard: given one solution, find another.
– The security reduction has one solution, and computes the leakage using that.
– The adversary doesn't have enough info to pin-point the solution (information-theoretic argument).
– The adversary returns a different solution, unwittingly solving the hard problem (computational argument).

An Open Question. Theorem [KV09, ADW09]: any Universal One-way Hash Function (UOWHF) f: {0,1}^n → {0,1}^{n−λ−1} is a λ-leakage-resilient OWF. OPEN: is there a leakage-resilient injective OWF? Show injective OWF ⇒ injective LR-OWF (or, a separation?).

Leakage-Resilient Signatures (security game): the adversary gets PK, signatures Sign_SK(m) on messages m of its choice, and leakage L(SK); it cannot produce a signature for a new m*.

Leakage-Resilient Signatures. Theorem [KV09]: λ-leakage-resilient OWF (+ simulation-extractable NIZK [S99, DDOPS01]) → λ-leakage-resilient signatures.
– SK: x. PK: (f, y = f(x), CRS_nizk), where f is a λ-LR OWF.
– Sign(m): SimExt-NIZK proof for "∃ x s.t. PK contains f(x)" (similar to [Bellare-Goldwasser'92]).
Proof idea: a signature contains no (computational) info on SK. Forgery ⇒ Sim-Ext extracts a secret key ⇒ break the LR OWF.

LR Signatures: Subsequent Results.
– [ADW09]: Fiat-Shamir transform + LR OWFs → LR sigs in the random oracle model.
– [DHLW10]: efficient LR sigs without random oracles (using bilinear maps).
– [BKKV10, DHLW10]: continual LR sigs.
– [BSW11, MTVY11]: (continual) LR sigs where the randomness used for signing can leak as well.
– [LLW10]: continual LR sigs where the key update phase leaks as well.

Leakage-Resilient Public-key Encryption (CPA game): the adversary gets PK and leakage L(SK), then a challenge Enc(b) for b ←$ {0,1}; it cannot predict b.

Leakage-Resilient Public-key Encryption. Theorem: for every λ < |SK| − secparam, there is (CPA-secure) public-key encryption that tolerates λ bits of leakage:
– [AGV09]: based on lattices (shows that [Regev05, GPV08] is leakage-resilient).
– [NS09, DGKPV10]: based on Diffie-Hellman (shows that [BHHO08] is leakage-resilient).
– [NS09]: from any hash proof system [CS02].

Construction Outline. Old idea: one public key, many possible secret keys (the secret-key space maps many-to-one onto the public-key space). Hard problem: given one SK, find another.
For starters, suppose the adversary finds sk. Proof:
– The reduction knows one SK and simulates leakage from it.
– The adversary gets pk + leakage → not enough info to fully specify SK.
– The adversary finds SK′ ≠ SK → breaks the hard problem.
But the real adversary only breaks CPA security. Correctness: all secret keys decrypt a (real) ciphertext C of M to the same message M.
New idea: REAL encryption vs. FAKE encryption. Different secret keys decrypt a fake ciphertext C to different messages M1, M2, M3; and yet Fake ≈ Real (even given an SK).

Security Proof. "Real World": PK, leakage L(SK), C = Real ENC(M); DEC(SK, C) = M. "Fake World": C = Fake ENC; different secret keys decrypt C to different messages M1, M2, M3, and the leakage L(SK) alone does not determine which SK (hence which message) the adversary faces. ???
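The real-vs-fake idea above, as an added toy example that is not part of the talk: a two-generator ElGamal-style scheme in the spirit of the [BHHO08]/[NS09] constructions the slides cite, in Python with constructed small parameters (p = 2039, q = 1019, G1 = 4, demo trapdoor A = 7). The demo knows the discrete log A between the two generators so it can walk the line of secret keys that share one public key (the reduction's view); no real party knows A.

```python
# Toy "one public key, many secret keys" encryption in the spirit of the
# hash-proof-system schemes the talk cites ([BHHO08]/[NS09]); written for this
# transcript, not the talk's own code. Constructed parameters: p = 2039 = 2q+1
# with q = 1019 prime, and the order-q subgroup of quadratic residues mod p.
P = 2039
Q = 1019
G1 = 4                  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup
A = 7                   # demo-only trapdoor: G2 = G1^A. No real party knows A;
G2 = pow(G1, A, P)      # the demo uses it to play the reduction and enumerate keys.

def keygen(x1, x2):
    """sk = (x1, x2) in Z_q^2, pk = h = G1^x1 * G2^x2 mod p. Each h has q valid sks."""
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P

def other_secret_key(x1, x2, t):
    """Walk the line of secret keys for one pk: (x1 + A*t, x2 - t) yields the same h."""
    return ((x1 + A * t) % Q, (x2 - t) % Q)

def all_secret_keys(x1, x2):
    return {other_secret_key(x1, x2, t) for t in range(Q)}

def encrypt_real(h, m, r):
    """Real ciphertext (G1^r, G2^r, h^r * m): every sk for h decrypts it to m."""
    return (pow(G1, r, P), pow(G2, r, P), (pow(h, r, P) * m) % P)

def encrypt_fake(sk, m, r1, r2):
    """Fake ciphertext: the two group elements use different exponents, so no h^r
    exists and the reduction pads with its own sk instead. Under DDH this looks
    like a real ciphertext, yet different sks now decrypt it to different messages."""
    x1, x2 = sk
    c1, c2 = pow(G1, r1, P), pow(G2, r2, P)
    return (c1, c2, (pow(c1, x1, P) * pow(c2, x2, P) * m) % P)

def decrypt(sk, ct):
    x1, x2 = sk
    c1, c2, c3 = ct
    return (c3 * pow(pow(c1, x1, P) * pow(c2, x2, P), -1, P)) % P

def keys_consistent_with_leak(x1, x2, leak):
    """Bounded leakage: the adversary sees leak(sk) for the real sk. Count the
    secret keys on the pk's line that are still consistent with that value."""
    seen = leak((x1, x2))
    return sum(1 for cand in all_secret_keys(x1, x2) if leak(cand) == seen)

if __name__ == "__main__":
    sk, m = (123, 456), pow(G1, 77, P)          # constructed key and message
    h = keygen(*sk)
    sk2 = other_secret_key(*sk, 3)              # a different sk for the same h
    real, fake = encrypt_real(h, m, 11), encrypt_fake(sk, m, 5, 9)
    print(decrypt(sk, real) == decrypt(sk2, real) == m)     # real world: True
    print(decrypt(sk, fake) == m, decrypt(sk2, fake) == m)  # fake world: True False
    # 4 leaked bits (low bits of x2) still leave 64 of the 1019 keys possible
    print(keys_consistent_with_leak(*sk, lambda s: s[1] % 16))
```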

LR Public-key Encryption: Subsequent Results.
– [NS09]: CPA-secure → CCA-secure with the same leakage-resilience (idea: use Naor-Yung).
– [AGV09, ADN+10, CDRW10]: leakage-resilient IBE (with leakage from the user secret keys).
– [LW10]: leakage-resilient IBE (with leakage from the master secret key as well), LR HIBE, ABE, etc.
– [BKKV10, DHLW10]: continual LR encryption.
– [LLW10]: continual LR enc where the key update phase leaks as well.
– [HL11]: "after-the-fact" leakage.

Continual Leakage

Continual LR Public-key Encryption.
– Unbounded leakage, but bounded in each time period.
– Challenge: keep the public key the same.
– Solution idea: "refresh" (randomize) the secret key: sk_1 → sk_2 → ..., with the adversary learning L_1(sk_1), L_2(sk_2), ...
– Users (encryptors) are oblivious of the updates!

Continual LR Public-key Encryption. Theorem [BKKV10]: CLR-secure public-key encryption schemes that tolerate (in every time step):
– (1/2 − ε)|SK| leakage, based on decisional linear;
– (1 − ε)|SK| leakage, based on symmetric external DH;
assumptions in bilinear groups.

Continual LR Public-key Encryption. Other results:
– [BKKV10]: CLR-secure signatures and IBE (with leakage from user secret keys).
– Concurrently, [DHLW10]: efficient CLR-secure signatures, ID schemes and AKA schemes.
– [LLW11]: tolerates large leakage from updates.

Continual LR Public-key Encryption. How to update SK (without changing PK)? First idea: resample from the key space (sk_1, sk_2, sk_3, sk_4, ..., with leakage L_1(SK_1), L_2(SK_2), L_3(SK_3), L_4(SK_4), ...). PROBLEM: this is supposed to be hard!

New Idea: "Neighborhood of SKs". Given a secret key:
– Easy to resample inside its neighborhood.
– Hard to find a secret key outside the neighborhood.
Sampling in the neighborhood ≈_c sampling from the entire space, so the adversary can't tell the difference. "Proof" outline:
– The reduction knows sk and updates within the neighborhood.
– To the adversary, updates "look like" samples from the entire space.
– Even given leakage, the adversary cannot recover any leaked key entirely ⇒ it will have to come up with a new sk′ ≠ sk.
– WHP sk′ is not in the neighborhood ⇒ breaks the hard problem.

Some Open Questions

Foundational Questions. SO FAR: designed SPECIFIC crypto primitives (sigs., enc.) secure against continual leakage. QUESTION: any circuit → continual-leakage-resilient circuit?
– Yao/GMW/BGW/CCD for leakage-resilient crypto.
– Automatically leakage-proof commonly used cryptosystems, e.g., RSA / AES.

Foundational Questions: many partial results.
– [Ishai-Sahai-Wagner'03]: any circuit → "probing-resilient" circuit, secure against leakage of ≤ t wires.
– [FRRTV'09]: any circuit → circuit secure against AC^0 leakage (assuming a small piece of secure hardware).
– [JV'10, GR'10]: any circuit → circuit secure against polynomial-time leakage (assuming a small piece of secure hardware + secure memory).
OPEN: a compiler against general leakage functions (without secure hardware). [BGIRSVY'00, Imp'10]: this has connections to program obfuscation!

Practical Questions.
– In theory, we have practical constructions. How about truly practical constructions? (e.g. [YSPY'10]). Perhaps relax the model in a meaningful way.
– Given a side-channel attack, how much information does it leak? [SVO+10] (model vs. reality).

To Conclude... A very active field, with lots of work recently! Information-theoretic + computational techniques (entropy). Tons of open problems:
– Parallel repetition for leakage amplification [DW, LW]: suppose scheme S tolerates L bits. Can we "repeat it in parallel" n times and get nL-bit leakage tolerance?
– Tamper resistance [IPSW, GLMMR, DPW, Malkin et al.]: many attacks (Boneh-Lipton, Shamir's bug attacks, ...).

Thanks! Questions? You can find me here ...