1 Protecting Circuits from Leakage: the computationally bounded and noisy cases. Sebastian Faust (KU Leuven), Eurocrypt 2010, Nice. Joint work with Tal Rabin (IBM Research), Leo Reyzin (Boston University), Eran Tromer (MIT) and Vinod Vaikuntanathan (IBM Research).

2 Theory vs. Reality. Standard security analysis: the adversary controls the inputs X and outputs Y of the scheme (e.g. CPA), but the computation on the key K is completely unknown to it. Attacking the implementation: the adversary additionally obtains leakage from physical observations of the device that runs the computation, e.g. power consumption, timing, ... Such observations can completely break crypto schemes that are provably secure in the standard model.

3 Countermeasures? Hot topic: ISW03, MR04, DP08, P09, AGV09, ADW09, KV09, DKL09, ... (many more citations in the paper). We may try to defeat specific attacks (e.g. power analysis, timing attacks, ...), or we can try to go for a broad class of leakage. Most other work: security of a specific scheme. This work: how to securely implement any scheme?

4 How to extend the standard model? Leakage is modeled by a leakage function f: the adversary obtains f(state). Examples: probing, f(st) = some bits of the state; power consumption, f(st) ≈ Hamming weight of the wires in the circuit. Real-life leakages don't leak the complete key. Can we allow an arbitrary leakage function? No: e.g. f(st) = K means no security. Some restrictions are necessary.

5 Restrictions: bounded leakage. Bounded total leakage: the amount of leakage f(st) obtained over the whole lifetime of the key is much smaller than the length of the key K (e.g. used to model cold boot attacks).

6 Restrictions: continuous leakage. The leakage f(st_1), ..., f(st_n) is bounded per observation, but the total leakage over time is much larger than |K| (e.g. power analysis). Continuous leakage requires refreshing the key between observations: K → K_1, ..., K_n.

7 Restrictions: local vs. global. Local leakage, e.g. probing: the leakage is oblivious to most of the computation. Global leakage, e.g. power analysis: the power consumption depends on all of the computation.

8 Restrictions: weak/noisy vs. PPT (all of these still require bounded leakage). Weak leakage: f ∈ L = {computationally weak functions}, i.e. the leakage f(st) can be described by a "simple" aggregated function of the state. Is this reasonable? Yes: e.g. probing, power consumption, ...

9 Noisy leakage: f ∈ L = {noisy functions}, i.e. the leakage f(st) is a noisy function of the secret key.

10 Both the weak and the noisy class are powerful models: restricted as they are, they capture the physical observations above.

11 Polynomial-time leakage: f ∈ L = {PPT functions}, i.e. the leakage f(st) is an arbitrary PPT function of the state. This is probably stronger than leakage in reality.

12 A challenge. Q: Is there computation that can be protected against global, continuous, but weak or noisy leakage? A: Any computation, if we have a simple leak-free component: reduce some complex computation to a very simple shielded component [MR04].

13 Earlier work: Ishai, Sahai, Wagner '03 answer the same question for local probing leakage (any computation can be protected against an adversary that reads a bounded number of wires). Main drawback: no proof of security for global functions, e.g. Hamming weight.

14 Rest of this talk: 1. Circuit compilers. 2. Our result.

15 Circuit compilers. Input: description of an arbitrary circuit C and key K. Output: description of a transformed circuit C' and key K'. Functionality preserving: C' with K' has the same functionality as C with K, i.e. on input X both output Y. The transformed circuit C' uses the same gates as C, plus a leak-free gate (more later). Security: C' is resistant to continuous leakages from some large function class L (security definition by simulation).

16 Our result. Theorem 1: a compiler that makes any circuit resilient to computationally weak leakages. The set of leakage functions L can be large, but its functions must not be able to compute a certain linear function. One example: L = AC0, constant-depth, polynomial-size circuits of ∧ and ∨ gates. What does this mean? AC0 cannot compute the linear function parity.

17 Our result. Theorem 2: a compiler that makes any circuit resilient to noisy leakages. What does this mean? The leakage is {wire_i + η_i}, where independently for every wire η_i = 0 with probability 1-p and η_i = 1 with probability p. Both compilers assume leak-free gates in the transformed circuit!

18 Leak-free gates. Many previous usages in leakage resilience: a leak-free processor, i.e. oblivious RAM [G89, GoldOstr95]; leak-free memory, i.e. "only computation leaks" and one-time programs [MicRey04, DziPie08, GoldKalRoth08]. Our leak-free gate is: small and simple (much smaller than the size of the circuit); stateless (no secrets are stored); computation independent (no inputs). For Theorem 1 it outputs a random t-bit string (b_1, ..., b_t) with parity 0. For Theorem 2 it has the above properties, but is a bit more complicated.

19 Compiler, high level. The circuit topology of C is preserved. 1. Memory: each bit b of the memory M is replaced by an encoding of b, e.g. the "parity" encoding: a uniform t-bit string (b_1, ..., b_t) with parity b.

20 Compiler, high level. 2. Each wire w of C is replaced by a wire bundle that carries an encoding of w, e.g. a t-bit string with parity w.

21 Two key properties of our encoding. Let (a_1, ..., a_t) and (b_1, ..., b_t) be uniform bit strings with parity 0 and 1 respectively. 1. AC0-indistinguishable [Has86, DubrovIshai06]: for every f in L = AC0, f(a_1, ..., a_t) and f(b_1, ..., b_t) are indistinguishable. 2. Noise-indistinguishable [XOR lemma]: flip each bit independently with probability p; then (a_1 + η_1, ..., a_t + η_t) and (b_1 + η_1, ..., b_t + η_t) are statistically close.
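As an added worked example (my own code, not from the talk or the paper), property 2 can be checked exactly for small t. The script encodes a bit as on slide 19, applies the per-wire flip noise of Theorem 2, enumerates the distribution of the noisy view for a 0-encoding and for a 1-encoding, and compares their statistical distance with the closed form (1-2p)^t: the noisy view is x + η with x uniform in its parity class, so all it reveals is parity(η), whose bias is (1-2p)^t. The function names and the fixed seed are mine.

```python
import itertools
import random


def parity(bits):
    """Decoding of the parity encoding: XOR of all bits."""
    return sum(bits) % 2


def encode(b, t, rng):
    """Slide 19 encoding: uniform t-bit string (b_1, ..., b_t) with parity b."""
    x = [rng.randrange(2) for _ in range(t - 1)]
    x.append((b - parity(x)) % 2)
    return tuple(x)


def noisy_view(x, p, rng):
    """Theorem 2 leakage: wire_i + eta_i, with eta_i = 1 independently with probability p."""
    return tuple(xi ^ (1 if rng.random() < p else 0) for xi in x)


def view_distribution(b, t, p):
    """Exact distribution of the noisy view of a uniform encoding of b (enumerates all 2^t strings)."""
    codewords = [x for x in itertools.product((0, 1), repeat=t) if parity(x) == b]
    dist = {}
    for x in codewords:
        for y in itertools.product((0, 1), repeat=t):
            flips = sum(xi != yi for xi, yi in zip(x, y))  # Hamming distance = noise bits set
            pr = (p ** flips) * ((1 - p) ** (t - flips)) / len(codewords)
            dist[y] = dist.get(y, 0.0) + pr
    return dist


def exact_advantage(t, p):
    """Statistical distance between the noisy views of a 0-encoding and a 1-encoding,
    i.e. the advantage of the best distinguisher for the encoded bit."""
    d0, d1 = view_distribution(0, t, p), view_distribution(1, t, p)
    return 0.5 * sum(abs(d0[y] - d1[y]) for y in d0)


def xor_lemma_bound(t, p):
    """Closed form for the same quantity: the view is uniform given
    parity(view) = b + parity(eta), and parity(eta) has bias (1 - 2p)^t.
    Decays exponentially in t for any fixed p in (0, 1/2)."""
    return (1 - 2 * p) ** t


def best_guess_success(t, p):
    """Success probability of guessing b from parity(view): (1 + (1 - 2p)^t) / 2."""
    return (1 + xor_lemma_bound(t, p)) / 2


def check_encoding(t, seed, trials=50):
    """Sanity check: encodings have length t and the right parity; zero noise changes nothing."""
    rng = random.Random(seed)  # fixed seed only so the demo is reproducible
    for _ in range(trials):
        b = rng.randrange(2)
        x = encode(b, t, rng)
        if len(x) != t or parity(x) != b or noisy_view(x, 0.0, rng) != x:
            return False
    return True


if __name__ == "__main__":
    for t in (1, 2, 4, 8):
        print(t, exact_advantage(t, 0.25), xor_lemma_bound(t, 0.25), best_guess_success(t, 0.25))
```

For p = 0.25 the advantage halves with every extra wire in the bundle, which is why the security parameter t directly controls how much the noisy leakage of Theorem 2 can tell about an encoded bit.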

22 Compiler, high level. 3. Gates: each gate of C is replaced by a gadget, built from normal gates and leak-free gates, that operates on encodings. The properties of the encoding alone do not suffice for the security of the gadgets!
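As an added example (my own toy code, not the authors' compiler), the three compiler steps for the parity encoding in Python: encoded memory, wire bundles, the leak-free gate of Theorem 1 that emits a random zero-parity string, and gadgets for NOT, XOR and AND, applied to a majority circuit. The AND gadget is an assumed simplification in the spirit of the talk, not the paper's exact construction, and only functionality preservation is checked here; the leakage-security argument is the paper's. naive_and illustrates the last sentence of the slide: combining two encodings with ordinary gates alone puts the decoded value of b on individual wires.

```python
import random


def parity(bits):
    """Decode: XOR of the bits of a bundle."""
    return sum(bits) % 2


def encode(b, t, rng):
    """Step 1 (slide 19): a memory bit b becomes a uniform t-bit string with parity b."""
    x = [rng.randrange(2) for _ in range(t - 1)]
    x.append((b - parity(x)) % 2)
    return tuple(x)


def leak_free_zero(t, rng):
    """The leak-free gate of Theorem 1 (slide 18): a random t-bit string with parity 0.
    Stateless and input-free; only its output wires are exposed to the leakage."""
    return encode(0, t, rng)


def refresh(x, rng):
    """Re-randomise a bundle without changing its parity by XORing in a fresh zero-encoding."""
    z = leak_free_zero(len(x), rng)
    return tuple(xi ^ zi for xi, zi in zip(x, z))


def not_gadget(a):
    """NOT: flipping a single wire flips the parity."""
    return (a[0] ^ 1,) + a[1:]


def xor_gadget(a, b, rng):
    """XOR: the encoding is linear, so XOR the bundles wire by wire, then refresh."""
    return refresh(tuple(ai ^ bi for ai, bi in zip(a, b)), rng)


def naive_and(a, b):
    """The wrong way: z_i = XOR_j (a_i AND b_j) = a_i * parity(b). The bundle z decodes
    correctly, but every wire with a_i = 1 carries the decoded value of b in the clear."""
    return tuple(parity([ai & bj for bj in b]) for ai in a)


def and_gadget(a, b, rng):
    """AND (assumed simplified gadget): the outer product B[i][j] = a_i AND b_j has total
    parity parity(a) * parity(b). Each row is masked with a leak-free zero-encoding before
    the columns are folded, so the intermediate wires are masked values instead of the
    a_i * parity(b) wires of naive_and, and the output is a fresh uniform encoding."""
    t = len(a)
    masked_rows = []
    for ai in a:
        s = leak_free_zero(t, rng)
        masked_rows.append(tuple((ai & bj) ^ sj for bj, sj in zip(b, s)))
    q = tuple(parity([masked_rows[i][j] for i in range(t)]) for j in range(t))
    return refresh(q, rng)


def compiled_majority(x, y, z, t, rng):
    """Step 3 (slide 22) applied to MAJ(x, y, z) = xy XOR xz XOR yz: the topology is kept,
    every wire is a bundle and every gate a gadget. Returns the decoded result."""
    ex, ey, ez = encode(x, t, rng), encode(y, t, rng), encode(z, t, rng)
    xy = and_gadget(ex, ey, rng)
    xz = and_gadget(ex, ez, rng)
    yz = and_gadget(ey, ez, rng)
    return parity(xor_gadget(xor_gadget(xy, xz, rng), yz, rng))


def check_functionality(t, seed):
    """Functionality preservation (slide 15): compiled majority agrees with the plain one on
    all 8 inputs, and NOT/XOR/AND decode correctly on random encodings."""
    rng = random.Random(seed)  # fixed seed only for a reproducible demo
    for x, y, z in ((i >> 2 & 1, i >> 1 & 1, i & 1) for i in range(8)):
        if compiled_majority(x, y, z, t, rng) != int(x + y + z >= 2):
            return False
    for a, b in ((i >> 1, i & 1) for i in range(4)):
        ea, eb = encode(a, t, rng), encode(b, t, rng)
        if parity(not_gadget(ea)) != 1 - a or parity(xor_gadget(ea, eb, rng)) != a ^ b:
            return False
        if parity(and_gadget(ea, eb, rng)) != a & b:
            return False
    return True


def naive_and_exposes_b(t, seed):
    """The leak in naive_and: its output wires equal a_i AND parity(b) for every encoding."""
    rng = random.Random(seed)
    for _ in range(50):
        ea, eb = encode(rng.randrange(2), t, rng), encode(rng.randrange(2), t, rng)
        if naive_and(ea, eb) != tuple(ai & parity(eb) for ai in ea):
            return False
    return True
```

The blow-up matches the conclusion slide: each AND gadget costs t^2 ordinary gates plus t calls to the leak-free gate, while XOR and NOT stay linear in t.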

23 Conclusion. Two circuit compilers that compile any circuit and protect it against global leakages (the leakage can depend on all the computation, all intermediate results, ...) and continuous leakage (the amount of leakage over time is unbounded). Open problems: eliminate the leak-free gates; reduce the blow-up, which for security parameter t is ≈ t^2.

24 Thank you!

25 L-security: simulation [ISW03]. Real: in observation i the adversary chooses an input X_i and a leakage function f_i ∈ L (L can e.g. be some low-complexity function class) and receives the output Y_i and the leakage f_i(wires_i); between observations the transformed key is refreshed, K'_1 → ... → K'_n. Simulation: a simulator that has only input/output access (X_i, Y_i) to the original circuit with key K produces a view that is indistinguishable from the real one. Intuition: the adversary learns no more than by input/output access.