Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor
Recap: Side Channels
- Standard model vs. physical implementation. A side channel is any information not captured by the abstract "standard" model.
- Timing attacks against secret exponentiation: with control over timing, or through a network. Protection: blinding.
- Cache attacks: exploit which addresses are being accessed. Countermeasure: Oblivious RAM.
- Memory attacks: DRAM retains information longer than thought. Defines a model: leakage of any short function of the key.
Adversarial Models
STANDARD MODEL: abstract models of computation (interactive Turing machines; private memory, randomness, ...). Well-defined adversarial access; can model powerful attacks.
REAL LIFE: physical implementations leak information; the adversarial access is not always captured by the abstract models. (Figure: the abstract box computing $E_k(m)$ versus the physical device running it.)
Thesis of this course
Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks. Proof by examples... and not only at implementation time: side-channel attacks must be incorporated in the design of systems.
Homework: Kocher's timing attack against RSA. Suppose the time of each multiplication involving $y$ is distributed according to a normal distribution with known parameters, independently of everything else. Show that this allows figuring out the $k$-th bit of the secret exponent given the first $k-1$ bits.
Basic Timing
Square-and-multiply: the squaring is performed in every iteration, the multiplication by $y$ only when the current exponent bit is 1. (Figure annotations: "this takes a while to compute" for the multiply, "this is instantaneous" for the skipped step.) So whether iteration $k$ takes a long time depends on the $k$-th bit of the secret exponent. Old observation: the total time depends on the number of 1's. If all multiplications take the same time, the number of 1's is all you get.
Not all multiplications were created equal
Different operands give different timings. Assumption/heuristic: the timings of subsequent multiplications are independent. Given that we know the first $k-1$ bits of $x$ and a guess for the $k$-th bit, the time of the remaining bits is independent of the guess. Given measurements of the total time, test whether the events "the $k$-th step is long" (as predicted under the guess) and "the total time is long" are correlated. The prefix timing is predicted exactly if and only if the guess is exact.
Outline of Kocher's Attack
Idea: guess some bits of the exponent and predict how long decryption will take. If the guess is correct, the prediction correlates with the measured time; if it is incorrect, the prediction looks random. The more bits you already know, the stronger the signal and the easier it is to detect (error-correction property). Start by guessing a few top bits, look at the correlations for each guess, pick the most promising candidate and continue. Works against systems under direct control.
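The attack outlined above, as an added simulation that is not part of the lecture: a left-to-right square-and-multiply whose per-operation time is a constant plus a data-dependent term the attacker can recompute (since she knows the implementation) plus Gaussian jitter, matching the homework's assumption. The attacker extends the known prefix one bit at a time, keeping the guess whose predicted prefix cost explains the most variance of the measured totals (Kocher's statistic). The timing model `op_cost`, the toy modulus, the jitter parameter and the sample count are all assumptions made for the demo.

```python
"""Simulation of Kocher's timing attack on square-and-multiply (added example)."""
import random
import statistics

N = 1_000_003        # assumed toy modulus (a prime; only needs to be large-ish)
NOISE_SIGMA = 1.0    # assumed std. dev. of the Gaussian jitter on every operation


def op_cost(a, b):
    """Data-dependent part of the time to compute a*b mod N (an assumed toy model,
    not a real multiplier): a deterministic function of the operands that the
    attacker can evaluate herself because she knows the implementation."""
    return ((a * b * 2654435761) >> 24) & 7


def timed_modexp(y, exp_bits, rng):
    """Left-to-right square-and-multiply y^x mod N (exp_bits is MSB first).
    Returns (result, total time); each multiplication costs 10 + op_cost + jitter."""
    acc, total = 1, 0.0
    for bit in exp_bits:
        total += 10 + op_cost(acc, acc) + rng.gauss(0, NOISE_SIGMA)
        acc = acc * acc % N
        if bit:
            total += 10 + op_cost(acc, y) + rng.gauss(0, NOISE_SIGMA)
            acc = acc * y % N
    return acc, total


def predicted_prefix_cost(y, known_bits):
    """Attacker's prediction of the data-dependent cost of the first
    len(known_bits) iterations, assuming they are the exponent's top bits.
    Constants and jitter are left out: they do not change the variance."""
    acc, total = 1, 0
    for bit in known_bits:
        total += op_cost(acc, acc)
        acc = acc * acc % N
        if bit:
            total += op_cost(acc, y)
            acc = acc * y % N
    return total


def recover_exponent(samples, nbits):
    """Kocher's attack over samples [(y, measured total time)]: for each new bit,
    subtract the predicted prefix cost under each guess from the measurements;
    the correct guess removes real cost and lowers the residual variance, the
    wrong guess adds or omits an unrelated term and raises it."""
    prefix = []
    for _ in range(nbits):
        best = None
        for guess in (0, 1):
            cand = prefix + [guess]
            residual = [t - predicted_prefix_cost(y, cand) for y, t in samples]
            v = statistics.pvariance(residual)
            if best is None or v < best[0]:
                best = (v, guess)
        prefix.append(best[1])
    return prefix


def demo(nbits=10, nsamples=4000, seed=1):
    """Generate a random secret exponent, collect timings for random bases and
    run the attack. Returns (true exponent bits, recovered bits)."""
    rng = random.Random(seed)
    secret = [rng.randrange(2) for _ in range(nbits)]
    secret[0] = 1
    samples = []
    for _ in range(nsamples):
        y = rng.randrange(2, N)
        _, t = timed_modexp(y, secret, rng)
        samples.append((y, t))
    return secret, recover_exponent(samples, nbits)


if __name__ == "__main__":
    secret, recovered = demo()
    print("secret   ", secret)
    print("recovered", recovered)
```

The separation between the two candidate variances is one operation's worth of data-dependent variance, independent of how many bits are already known, while the residual variance shrinks as the prefix grows; that is the "error-correction property" above. Blinding the base (Exponentiating $y \cdot z^e$ for a fresh random $z$) makes `predicted_prefix_cost` incomputable for the attacker, which is why it is the standard countermeasure.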
Homework: Oblivious Permutations
Suggest a method for permuting an array obliviously. Array $M$ of size $n$; the CPU has access to a permutation $\pi$ on $n$ elements. At the end of the process the array $M$ should be rearranged according to $\pi$: the element that was in $M[i]$ is now in $M[\pi(i)]$. The requirement: for any two permutations $\pi$ and $\pi'$, an eavesdropper that sees the locations accessed cannot distinguish whether the array is permuted according to $\pi$ or $\pi'$. Small (secure) space and time to permute.
Model (figure): a CPU with a small private memory attached to a large main memory; the CPU issues requests $q_i$ and receives $M[q_i]$; the adversary sees the sequence of requests.
Oblivious RAM Requirements
Any sequence of locations $i_1, i_2, \ldots$ induces a distribution on sequences of requests $q_1, q_2, \ldots$
Functionality: the CPU should be able to figure out the original content.
Security: for any two sequences of locations $i_1, i_2, \ldots$ and $i'_1, i'_2, \ldots$ the induced distributions of requests should be indistinguishable.
The homework problem is much more relaxed: the order in which the elements are accessed is known in advance and constitutes a permutation.
Open ended. Ideas/hints: routing permutations in networks; sorting networks.
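One solution along the "sorting networks" hint, as an added example that is not part of the lecture: tag each cell with its destination $\pi(i)$ and sort the tags with Batcher's bitonic sorting network. A sorting network is a fixed schedule of compare-exchange operations that depends only on $n$, so the sequence of locations read and written is the same for every $\pi$ (and every $M$); the CPU holds only the two cells of the current comparator. The cells are assumed to be stored encrypted, so the eavesdropper of the homework sees addresses but not contents; the power-of-two size restriction and the trace format are assumptions of the demo.

```python
"""Oblivious permutation of an array via a sorting network (added example)."""


def bitonic_schedule(n):
    """Compare-exchange schedule of Batcher's bitonic sorter for n = 2^m cells.
    Each entry is (i, j, ascending) with i < j. The schedule is a function of n
    alone: it never looks at the data, which is what makes the access pattern
    oblivious. Size: O(n log^2 n) comparators."""
    sched = []
    k = 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    sched.append((i, partner, (i & k) == 0))
            j //= 2
        k *= 2
    return sched


def oblivious_permute(M, perm):
    """Rearrange M so that the element at M[i] ends at position perm[i].
    Returns (permuted array, access trace). Memory is touched only in the
    data-independent pattern of the network, and both cells of a comparator are
    written back whether or not they were swapped."""
    n = len(M)
    if n == 0 or n & (n - 1):
        raise ValueError("n must be a power of two (pad the array otherwise)")
    if sorted(perm) != list(range(n)):
        raise ValueError("perm must be a permutation of range(n)")
    mem = [(perm[i], M[i]) for i in range(n)]  # tag each value with its destination
    trace = []
    for i, j, ascending in bitonic_schedule(n):
        trace += [("read", i), ("read", j)]      # the CPU's private memory: 2 cells
        a, b = mem[i], mem[j]
        if (a[0] > b[0]) == ascending:           # out of order for this comparator
            a, b = b, a
        trace += [("write", i), ("write", j)]
        mem[i], mem[j] = a, b
    # sorted by destination tag, so position perm[i] now holds the old M[i]
    return [v for _, v in mem], trace


def traces_match(M, perm_a, perm_b):
    """The eavesdropper's view (the trace) is identical for any two permutations."""
    _, trace_a = oblivious_permute(M, perm_a)
    _, trace_b = oblivious_permute(M, perm_b)
    return trace_a == trace_b


if __name__ == "__main__":
    M = ["a", "b", "c", "d", "e", "f", "g", "h"]        # constructed sample array
    out, trace = oblivious_permute(M, [3, 0, 7, 1, 5, 2, 6, 4])
    print(out, len(trace), "memory accesses")
    print("same trace for a different permutation:",
          traces_match(M, [3, 0, 7, 1, 5, 2, 6, 4], [7, 6, 5, 4, 3, 2, 1, 0]))
```

This meets the relaxed homework requirement with $O(1)$ private memory and $O(n \log^2 n)$ accesses; a Waksman network or the AKS network would lower the constant or the exponent but not change the idea. It is not an Oblivious RAM: a full ORAM must hide an adaptively chosen, arbitrary sequence of accesses, not a permutation fixed in advance.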
Memory Attacks [HSHCPCFAF 08]
Concern: not only computation leaks information. Memory retains its content after power is lost. (Figure: the same DRAM image after 5 seconds, 30 seconds, 60 seconds and 5 minutes without power.)
Model: leakage of any function of the key
Would like to allow the adversary to learn any function of the key. Cannot withstand learning the full key. Idea: limit the length of the function. Would like to withstand as long a leakage as possible.
Key-Leakage Attacks
Semantic security with key leakage [AGV 09] (Akavia, Goldwasser and Vaikuntanathan): for any* leakage $f(sk)$ and for any $m_0, m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ from $E_{pk}(m_1)$.
The game: the challenger samples $(sk, pk)$ and sends $pk$; the adversary chooses $f$ and receives $f(sk)$; the adversary sends $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and sends $E_{pk}(m_b)$; the adversary outputs $b'$.
*Clearly, cannot allow an $f(sk)$ that easily reveals $sk$. For now $f : SK \to \{0,1\}^\lambda$ for $\lambda < |sk|$.
Is this the right model?
- Noisy leakage as opposed to low-bandwidth leakage.
- Leakage of intermediate values: are intermediate values always erased? In the key generation process; in the decryption process.
- Keys generated using a "weak" random source.
Not a perfect model, but still a good starting point. Extensions are discussed later on.
What We Know
- A generic method for protecting against key-leakage attacks. Main building block: hash proof systems [CS 02]. Efficient instantiations based on decisional Diffie-Hellman, a few exponentiations.
- Chosen-ciphertext key-leakage attacks: a generic CPA-to-CCA transformation; efficient schemes.
- Extensions: noisy leakage, leakage of intermediate values, weak random sources.
Outline of the Talk
- Some tools
- The generic construction by examples: a simple scheme ($\lambda \approx |sk|/2$); improved schemes ($\lambda \approx |sk|$)
- Extensions of the model
- Conclusions, further work, and some rest...
Min-Entropy
Probability distribution $X$ over $\{0,1\}^n$. $H_\infty(X) = -\log \max_x \Pr[X = x]$; it represents the probability of the most likely value of $X$. $X$ is a $k$-source if $H_\infty(X) \ge k$ (i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$).
Statistical distance: $\Delta(X, Y) = \tfrac{1}{2} \sum_a |\Pr[X = a] - \Pr[Y = a]|$.
Extractors
Universal procedure for "purifying" an imperfect source. Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \epsilon)$-extractor if for any $k$-source $X$, $\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le \epsilon$. (Figure: a $k$-source $x$ of length $n$ and a seed $s$ of $d$ random bits go into Ext; $\ell$ almost-uniform bits come out.)
Strong Extractors
The output looks random even after seeing the seed. Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \epsilon)$-strong extractor if $\mathrm{Ext}'(x, s) = s \circ \mathrm{Ext}(x, s)$ is a $(k, \epsilon)$-extractor.
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors. Example: $\mathrm{Ext}(x, (a, b))$ = first $\ell$ bits of $ax + b$ over $GF[2^n]$. Output length $\ell = k - 2\log(1/\epsilon)$; seed length $d = 2n$. With almost pairwise independence the seed length drops to $d = O(\log n + k)$.
Sidebar: Weak Key-Leakage Attacks
Semantic security with weak key leakage: for any* leakage $f(sk)$ chosen without seeing $pk$ (i.e., for a random $pk$) and for any $m_0, m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ from $E_{pk}(m_1)$. The game is as before, except that the adversary commits to $f$ before receiving $pk$ and $f(sk)$. *Clearly, cannot allow an $f(sk)$ that easily reveals $sk$; for now $f : SK \to \{0,1\}^\lambda$ for $\lambda < |sk|$.
What About Weak Attacks?
The leakage depends on the secret key only: the leakage function is chosen by the adversary ahead of time, without any knowledge of the public key. It depends only on the properties of the hardware devices used for storing the secret key.
Generic construction transforming any encryption scheme $(G, E, D)$ into one resilient to any weak leakage of $L(1 - o(1))$ bits, where $L$ is the secret key length. Parameters: the leakage parameter $\lambda$, and $m$, the length of the random string used by the key generation algorithm $G$. Need $\mathrm{Ext}: \{0,1\}^k \times \{0,1\}^d \to \{0,1\}^m$, a $(k - \lambda, \epsilon)$-strong extractor.
Key generation: choose $x \in \{0,1\}^k$ and $s \in \{0,1\}^d$; compute $(pk, sk) = G(\mathrm{Ext}(x, s))$; output $PK = (pk, s)$ and $SK = x$.
Encryption: choose $r$ uniformly at random and output $(E(pk, M; r), s)$.
Decryption of ciphertext $(c, s)$ with secret key $SK = x$: compute $(pk, sk) = G(\mathrm{Ext}(x, s))$ and output $D(sk, c)$.
Why it is resilient to any weak leakage of $L(1 - o(1))$ bits: $f$ is fixed before the seed $s$ is chosen, so given $f(x)$ the string $x$ still has min-entropy $k - \lambda$ and the distribution of $\mathrm{Ext}(x, s)$ is close to uniform even given $s$; the underlying scheme is thus run with almost-uniform key-generation randomness.
Decisional Diffie-Hellman
(Figure: Alice sends $g^x$, Bob sends $g^y$, and both parties compute $K = g^{xy}$.)
DDH assumption: $(g, g^x, g^y, g^{xy}) \approx (g, g^x, g^y, g^z)$ for random $x, y, z \in \mathbb{Z}_q$.
Equivalent form used below: $(g_1, g_2, g_1^r, g_2^r) \approx (g_1, g_2, g_1^{r_1}, g_2^{r_2})$ for random $g_1, g_2 \in G$ and $r, r_1, r_2 \in \mathbb{Z}_q$.
A Simple Scheme
$G$ is a group of prime order $q$; $\mathrm{Ext}: G \times \{0,1\}^d \to \{0,1\}^{\ell}$ is a strong extractor, where $\ell = |m|$ is the plaintext length.
Key generation: choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.
$\mathrm{Enc}_{pk}(m)$: choose $r \in \mathbb{Z}_q$ and a seed $s \in \{0,1\}^d$; output $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$.
$\mathrm{Dec}_{sk}(u_1, u_2, s, e)$: output $e \oplus \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s)$. Correctness: $u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r$.
MAIN IDEA: redundancy. Any $pk$ corresponds to many possible $sk$'s: $h = g_1^{x_1} g_2^{x_2}$ reveals only $\log q$ bits of information on $sk = (x_1, x_2)$, so after a leakage of $\lambda$ bits $sk$ still has min-entropy $\log q - \lambda$.
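A toy instance of the simple scheme, as an added example that is not code from the lecture. It also instantiates the leftover-hash-lemma extractor from the tools section: $z \mapsto az + b \bmod p$ is a pairwise-independent family indexed by the seed $(a, b)$, and the low bits of its output serve as $\mathrm{Ext}$. Besides encryption and decryption it exhibits the "redundancy" point directly: a second secret key $(x_1 + wt, x_2 - t)$ with the same $h$, which decrypts every valid ciphertext identically but disagrees with the first key on an "invalid" pair $(g_1^{r_1}, g_2^{r_2})$, $r_1 \neq r_2$. The parameters ($p = 2039 = 2q + 1$, $q = 1019$, 4-bit plaintexts, the low-bits extractor, and keeping $w$ with $g_2 = g_1^w$ only to construct the second key) are assumptions of the demo; a real instantiation uses a cryptographic-size group.

```python
"""Toy instance of the DDH-based key-leakage-resilient scheme (added example)."""
import random

P, Q = 2039, 1019   # assumed toy parameters: p = 2q + 1 prime, G = order-q subgroup of Z_p^*
ELL = 4             # assumed plaintext length in bits; the extractor outputs ELL bits


def ext(z, seed):
    """Strong extractor from the leftover hash lemma (toy version): the low ELL bits
    of a*z + b mod p. The family {z -> a*z + b} indexed by (a, b) is pairwise
    independent over Z_p."""
    a, b = seed
    return ((a * z + b) % P) & ((1 << ELL) - 1)


def keygen(rng):
    """sk = (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2). Also returns w with g2 = g1^w,
    which a real key generator would discard; it is used only by the demo."""
    g1 = pow(rng.randrange(2, P - 1), 2, P)   # a random square != 1 generates the order-q subgroup
    w = rng.randrange(1, Q)
    g2 = pow(g1, w, P)
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (x1, x2), (g1, g2, h), w


def encrypt(pk, m, rng):
    """(g1^r, g2^r, s, Ext(h^r, s) xor m)"""
    g1, g2, h = pk
    r = rng.randrange(1, Q)
    seed = (rng.randrange(1, P), rng.randrange(P))
    return pow(g1, r, P), pow(g2, r, P), seed, ext(pow(h, r, P), seed) ^ m


def encapsulated_key(sk, u1, u2):
    """u1^x1 u2^x2, which equals h^r for a valid pair (u1, u2) = (g1^r, g2^r)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def decrypt(sk, ct):
    u1, u2, seed, e = ct
    return e ^ ext(encapsulated_key(sk, u1, u2), seed)


def public_key_of(sk, g1, g2):
    x1, x2 = sk
    return pow(g1, x1, P) * pow(g2, x2, P) % P


def equivalent_secret_key(sk, w, t):
    """pk fixes only the line x1 + w*x2 = log_g1(h) in Z_q^2, so every
    (x1 + w*t, x2 - t) is a secret key for the same h: h reveals log q of the
    2 log q bits of sk."""
    x1, x2 = sk
    return ((x1 + w * t) % Q, (x2 - t) % Q)


def invalid_pair(pk, rng):
    """The proof's 'invalid' mode: (g1^r1, g2^r2) with r1 != r2. Under DDH it is
    indistinguishable from a valid pair, but the encapsulated key is then not
    determined by pk: it differs between equivalent secret keys."""
    g1, g2, _ = pk
    r1 = rng.randrange(1, Q)
    r2 = (r1 + rng.randrange(1, Q)) % Q        # r2 != r1 mod q
    return pow(g1, r1, P), pow(g2, r2, P)


def demo(seed=7):
    """Returns (round-trip ok, equivalent key has same pk, both keys agree on a
    valid ciphertext, keys disagree on an invalid pair)."""
    rng = random.Random(seed)
    sk, pk, w = keygen(rng)
    g1, g2, h = pk
    roundtrip = all(decrypt(sk, encrypt(pk, m, rng)) == m for m in range(1 << ELL))
    sk2 = equivalent_secret_key(sk, w, 5)
    same_pk = sk2 != sk and public_key_of(sk2, g1, g2) == h
    ct = encrypt(pk, 9, rng)
    valid_agree = decrypt(sk, ct) == decrypt(sk2, ct) == 9
    u1, u2 = invalid_pair(pk, rng)
    invalid_differ = encapsulated_key(sk, u1, u2) != encapsulated_key(sk2, u1, u2)
    return roundtrip, same_pk, valid_agree, invalid_differ


if __name__ == "__main__":
    print(demo())
```

The last return value is the whole proof in miniature: on an invalid pair the value $u_1^{x_1} u_2^{x_2}$ ranges over the $q$ secret keys consistent with $h$, so a $\lambda$-bit leakage leaves it $\log q - \lambda$ bits of min-entropy for the extractor to use, while the adversary cannot tell valid from invalid pairs without breaking DDH.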
A Simple Scheme: Security Theorem
Theorem: the scheme is resilient to any leakage of $\lambda \approx \log q$ bits, i.e., half the size of $sk$. More precisely $\lambda = \log q - |m|$ (minus the extractor's loss of $2\log(1/\epsilon)$), since $|m|$ bits must be extracted from the $\log q - \lambda$ bits of min-entropy that remain.
Proof by reduction: an adversary for the encryption scheme in the key-leakage game (receives $pk$, chooses $f$ and gets $f(sk)$, sends $m_0, m_1$, receives $E_{pk}(m_b)$, outputs $b'$) is turned into a distinguisher for decisional Diffie-Hellman, i.e., for $(g_1, g_2, g_1^{r_1}, g_2^{r_2})$ with $r_1 = r_2$ versus $r_1 \neq r_2$.
MAIN IDEA: redundancy. Any $pk$ corresponds to many possible $sk$'s: $h = g_1^{x_1} g_2^{x_2}$ reveals only $\log q$ bits of information on $sk = (x_1, x_2)$, so after a leakage of $\lambda$ bits $sk$ still has min-entropy $\log q - \lambda$. Extract the remaining entropy and mask the plaintext.
PROBLEM: if the mask were really a fresh extraction from $sk$, the resulting ciphertexts would contain no information on the plaintext at all, and so could not be decrypted... TOOL: hash proof systems, whose two ciphertext modes reconcile decryptability with hiding.
A Simple Scheme: Security Proof
Ciphertexts of the form $(g_1^{r_1}, g_2^{r_2}, s, \mathrm{Ext}((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) \oplus m)$, with $h = g_1^{x_1} g_2^{x_2}$, can be generated in two modes:
- Valid ($r_1 = r_2 = r$): this is the real ciphertext $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$, and the plaintext can be recovered knowing $sk$.
- Invalid ($r_1 \neq r_2$): no information on the plaintext, given $pk$.
The two modes are computationally indistinguishable (by DDH) without knowing $sk$.
Why an invalid ciphertext hides $m$: write $g_2 = g_1^w$ and $t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}$. Given $pk$ and $(g_1^{r_1}, g_2^{r_2})$, $sk$ is constrained only by the two equations (logarithms to base $g_1$)
$x_1 + w x_2 = \log h$ and $r_1 x_1 + r_2 w x_2 = \log t$.
For $r_1 \neq r_2$ these are linearly independent over $\mathbb{Z}_q$, so $t$ is uniformly distributed given $pk$ and $(g_1^{r_1}, g_2^{r_2})$; even given $f(sk)$ it has min-entropy at least $\log q - \lambda$, and the extractor turns it into an almost-uniform mask for $m$.
Proof of security (the reduction): given a DDH instance $(g_1, g_2, u_1, u_2)$, choose $sk = (x_1, x_2)$ and set $pk = (g_1, g_2, g_1^{x_1} g_2^{x_2})$; answer the leakage query $f(sk)$ honestly; on $m_0, m_1$ pick $b$ and return $(u_1, u_2, s, \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s) \oplus m_b)$. If $b' = b$ output "$r_1 = r_2$", otherwise "$r_1 \neq r_2$".
Case 1: $u_1 = g_1^r$, $u_2 = g_2^r$. The simulation is identical to the actual attack, so $\Pr[b' = b] = 1/2 + \epsilon$.
Case 2: $u_1 = g_1^{r_1}$, $u_2 = g_2^{r_2}$ with $r_1 \neq r_2$. The challenge is statistically independent of $b$, so $\Pr[b' = b] \approx 1/2$.
Hash Proof Systems
Ciphertexts can be generated in two modes: valid (the plaintext can be recovered knowing $sk$) and invalid (no information on the plaintext, given $pk$); the two modes are computationally indistinguishable. The previous scheme relies on a specific HPS (many technical details...).
Known instantiations: decisional Diffie-Hellman; the linear family (bilinear groups); quadratic residuosity; composite residuosity (Paillier).
Our general construction: HPS + randomness extraction gives a key-encapsulation mechanism resilient to key leakage.
An Improved Scheme
$G$ is a group of prime order $q$. Notation: for $(x_1, \ldots, x_n) \in \mathbb{Z}_q^n$ and $(g_1, \ldots, g_n) \in G^n$, $(x_1, \ldots, x_n) \cdot (g_1, \ldots, g_n) = \prod_{i=1}^n g_i^{x_i}$; matrix-vector products mixing $G$ and $\mathbb{Z}_q$ are taken in this "exponent" sense.
$\mathrm{Ext}: G^{n-k} \times \{0,1\}^d \to \{0,1\}^{\ell}$ is a strong extractor.
Key generation: choose $A \in G^{k \times n}$ and $x \in \mathbb{Z}_q^n$; let $y = Ax$; output $sk = x$ and $pk = (A, y)$.
$\mathrm{Enc}_{pk}(m)$: choose $R \in \mathbb{Z}_q^{(n-k) \times k}$ and a seed $s \in \{0,1\}^d$; output $(RA, s, \mathrm{Ext}(Ry, s) \oplus m)$.
$\mathrm{Dec}_{sk}(Q, s, e)$: output $e \oplus \mathrm{Ext}(Qx, s)$. Correctness: $Qx = RAx = Ry$.
The original scheme is the case $k = 1$, $n = 2$.
An Improved Scheme: Security
Theorem: the scheme is resilient to any leakage of length $\lambda \approx (1 - k/n)\,|sk|$, i.e., a $(1 - o(1))$ fraction of $|sk|$ when $n \gg k$.
Based on the hardness of $k$-Linear [BBS 04]: 1-Linear = DDH; $k$-Linear hard $\Rightarrow$ $(k+1)$-Linear hard; $k$-Linear easy $\not\Rightarrow$ $(k+1)$-Linear easy (in generic groups). A new hash proof system that optimizes the ratio between the secret key and the encapsulated key.
An Improved Scheme: Proof Idea
We show that $k$-Linear implies the indistinguishability of a random $P \in G^{n \times n}$ of rank $k$ from a random $P \in G^{n \times n}$ of rank $n$ (rank computed in $\mathbb{Z}_q^{n \times n}$ relative to a fixed generator $g \in G$). In the simplified scheme the matrix is $\begin{pmatrix} g_1 & g_2 \\ g_1^{r_1} & g_2^{r_2} \end{pmatrix}$: $r_1 = r_2$ gives rank 1 and $r_1 \neq r_2$ gives rank 2. [BHHO 08] proved the case $k = 1$. The proof is similar to the simplified scheme.
The Long Scheme
Originally proposed by [BHHO 08] as a "circular-secure" scheme; it fits into our generic construction.
Key generation: choose $g_1, \ldots, g_k \in G$ and $s_1, \ldots, s_k \in \{0,1\}$; let $h = g_1^{s_1} \cdots g_k^{s_k}$; output $sk = (s_1, \ldots, s_k)$ and $pk = (g_1, \ldots, g_k, h)$.
$\mathrm{Enc}_{pk}(m)$: choose $r \in \mathbb{Z}_q$; output $(g_1^r, \ldots, g_k^r, h^r \cdot m)$.
$\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$: output $e \cdot (u_1^{s_1} u_2^{s_2} \cdots u_k^{s_k})^{-1}$.
The extractor is "built in": a key of $k \approx \lambda + 2\log q$ bits suffices for $\lambda$ bits of leakage.
Security of the Long Scheme: a natural extractor
DDH implies the computational indistinguishability of $g_1^r, \ldots, g_k^r$ for random $r$ from $g_1^{r_1}, \ldots, g_k^{r_k}$ for random $r_1, \ldots, r_k$.
Reduction: given $(g_1, \ldots, g_k, u_1, \ldots, u_k)$, choose $sk = (s_1, \ldots, s_k)$ and set $pk = (g_1, \ldots, g_k, g_1^{s_1} \cdots g_k^{s_k})$; answer the leakage query $f(sk)$; on $m_0, m_1$ return $(u_1, \ldots, u_k, (u_1^{s_1} \cdots u_k^{s_k}) \cdot m_b)$. If $b' = b$ output "equal $r$", otherwise "not equal $r$'s". Case 1, $u_i = g_i^r$: this is exactly the real scheme. Case 2, $u_i = g_i^{r_i}$: we want to argue that there is no information about the message $m$.
In Case 2 the adversary knows $h = g_1^{s_1} \cdots g_k^{s_k}$ and $u_1 = g_1^{r_1}, \ldots, u_k = g_k^{r_k}$, and gets, instead of $h^r \cdot m_b$, the value $(u_1^{s_1} \cdots u_k^{s_k}) \cdot m_b = g_1^{r_1 s_1} \cdots g_k^{r_k s_k} \cdot m_b$. Writing $g_i = g_1^{w_i}$, this gives information on $\sum_{i=1}^k w_i r_i s_i$ only.
Fact: the family $\{ s \mapsto \sum_{i=1}^k w_i r_i s_i \}$, indexed by $(r_1, \ldots, r_k)$, is pairwise independent, so the leftover hash lemma applies: given $pk$ (which fixes $\sum_i w_i s_i$, i.e. $\log q$ bits) and $\lambda$ bits of leakage, $sk$ still has min-entropy about $k - \log q - \lambda$, and the $\log q$-bit value $\sum_i w_i r_i s_i$ is close to uniform once $k \approx \lambda + 2\log q$.
Circular Secure Encryption
Several key pairs $(pk_1, sk_1), (pk_2, sk_2), \ldots, (pk_k, sk_k)$. Goal: be able to reconstruct all keys from any one of them. Provide $E_{pk_1}(sk_2), E_{pk_1}(sk_3), \ldots, E_{pk_1}(sk_k)$; $E_{pk_2}(sk_1), E_{pk_2}(sk_3), \ldots, E_{pk_2}(sk_k)$; ... Is it secure? There are cycles... No known example of insecurity (as of this lecture; counterexamples for key cycles under specific assumptions were found later). BHHO: the first proof of resiliency.
Chosen Ciphertext Attacks
How to define? When does the leakage take place? How to define CCA2 in the presence of leakage?
What is known: the general two-key-plus-NIZK technique for obtaining CCA security is still applicable, and gives $1 - o(1)$ leakage; there are also specific efficient schemes with leakage of a constant fraction of $|sk|$.
Recall: NIZK
For a full specification need to clarify: when is $x$ chosen, before or after the common random string $\sigma$? (Adaptive.) What does the simulator get? Does soundness need to hold given a simulated $\sigma$? It cannot hold for a simulated $\sigma$ and a false statement; the notion needed is simulation soundness. For NP: can be based on the existence of trapdoor permutations (with some structure). Relevant for both soundness and zero knowledge.
Achieving resistance to CCA with NIZK
Two independent keys of some "good" PKC, $K_{P_1}$ and $K_{P_2}$, and a public random string for a NIZK for the language $\{(K_{P_1}, K_{P_2}, C_1, C_2) \mid C_1 \text{ and } C_2 \text{ encrypt the same message}\}$.
To encrypt message $m$: generate ciphertexts $C_1$ (under $K_{P_1}$) and $C_2$ (under $K_{P_2}$) and add a proof $\pi$ of consistency. Ciphertext: $(C_1, C_2, \pi)$.
To decrypt: verify the proof, and decrypt only if the ciphertext passed the consistency check.
Important point: one may decrypt with either of the two private keys, which is what the reduction exploits.
Extensions
Noisy leakage: the leakage is not necessarily of bounded length; only require $H_\infty(sk \mid pk, \text{leakage}) > H_\infty(sk \mid pk) - \lambda$.
Leakage of intermediate values in key generation: once the keys are generated, are all intermediate values erased? The leakage then depends on the random bits used for generating the keys; crucial for security under composition.
Hard-to-invert leakage (Tauman-Kalai and Vaikuntanathan): the BHHO scheme is resilient to any $f(sk)$ that is sub-exponentially hard to invert.
Extensions: weak random source
Keys generated using a low-entropy, adversarially chosen source. In the simple scheme's key generation (choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$), $(g_1, g_2)$ can be chosen once and shared by all users; then one only needs $H_\infty(x_1, x_2 \mid g_1, g_2) \approx \log q + |\text{plaintext}|$.
Extensions: leakage of intermediate values in decryption
Contrived example: a decryption algorithm that first encodes $sk$ using a good error-correcting code and then decrypts, so that its intermediate values are a redundant copy of $sk$. Not so contrived...
In the long scheme, $\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$ outputs $e \cdot (u_1^{s_1} \cdots u_k^{s_k})^{-1}$: decryption has "low bandwidth", only $O(\log q)$ bits are held at any point in time, while $sk = (s_1, \ldots, s_k)$ can be much larger.
Conclusions
Must incorporate side-channel attacks in the design of systems. Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks.
Open questions: leakage-resilient encryption from general assumptions? Dealing with "iterative"/continual leakage and refreshed keys, as in leakage-resilient stream ciphers [DP08, P09]? Other primitives? Other side channels? A falsifiable hardware assumption?
Conclusions: can leverage the physical world!
Visual cryptography [NS94]; timing for concurrent composition [DNS98]; authentication over a low-bandwidth human channel [NSS06]; tamper-evident seals (scratch-off cards) [MN06]; randomized response; secure computation using tamper-proof hardware [Katz07, MS08]; human competitive nature and love of games [HN09]; voting.
Modeling Side-Channels
- Canetti, Dodis, Halevi, Kushilevitz, and Sahai '00: exposure-resilient functions, functions that "look" random even if several input bits are leaked.
- Ishai, Prabhakaran, Sahai, and Wagner '03, '06: private circuit evaluation allowing several wires to leak.
- Micali and Reyzin '04: computation, and only computation, leaks information.
- Dziembowski and Pietrzak '08, Pietrzak '09: leakage-resilient stream ciphers; computation and only computation leaks information, low-bandwidth leakage.
- Akavia, Goldwasser, and Vaikuntanathan '09: memory attacks; Regev's scheme is resilient to leakage of $L/\mathrm{polylog}(L)$ bits of the secret key.