PROTECTING CIRCUITS from LEAKAGE: the computationally bounded and noisy cases. Vinod Vaikuntanathan (IBM T. J. Watson). Joint with S. Faust (KU Leuven), L. Reyzin (BU), T. Rabin (IBM), E. Tromer (MIT)

Presentation transcript:

Slide 1. PROTECTING CIRCUITS from LEAKAGE: the computationally bounded and noisy cases. Vinod Vaikuntanathan (IBM T. J. Watson). Joint with S. Faust (KU Leuven), L. Reyzin (BU), T. Rabin (IBM), E. Tromer (MIT)

Context. Earlier today (Yael, Daniel): “Design specific crypto primitives (sigs., enc.) secure against continual information leakage?” [BKKV’10] [DHLW’10]. THIS TALK: any circuit → leakage-resilient circuit (the GMW/BGW/CCD analogue for leakage-resilient crypto).

Ishai-Sahai-Wagner: Private Circuits. Any circuit → leakage-resilient circuit. [Figure: any (stateful) boolean circuit C with secret Key, input X and output Y goes through a “compiler” that produces the compiled circuit C’ with transformed key Key’.] ► Think of an RSA or AES circuit with the secret key stored. ► The compiled circuit has the same functionality: C_Key(X) = C’_Key’(X).

Ishai-Sahai-Wagner: Private Circuits. Any circuit → leakage-resilient circuit against leakage of at most t wires. [Figure: the adversary (ADV), who has input/output access to C’_Key’ plus t-wire probing, is indistinguishable from a simulator (SIM) that has only input/output access to C_Key.] ISW + Manoj (IPSW) = tamper-resistance.

How do Side-channel Attacks Work (abstractly)? – Global leakage: the leakage function is a global function of the state. – Computationally weak or noisy: Hamming-weight leakage, e.g. [PSPMY], can be powerful. – In contrast, [ISW03] focuses on local leakage: a subset of t wires.

Can we protect against global, continual but possibly weak or noisy leakage?

Our Result. Theorem: Two compilers that make any circuit resilient against:
– AC0 leakage (compiler 1): in each execution the adversary learns C(wires) for any AC0 leakage function C with “bounded” output (a constant-depth circuit with AND/NOT gates, output length ≤ n^(1-ε)).
– Noisy leakage (compiler 2): the adversary learns every wire plus noise, { w_i + η_i }, where η_i = 1 w.p. p and 0 w.p. 1-p.
assuming a simple leakage-proof hardware.
– Generalizes [ISW03] (modulo the leak-proof device).
– Captures “approximate Hamming weight”, by [Ajtai-BenOr83] for AC0.
– A simple, modular method of proving security.

A Word on Leak-Proof Hardware. Many previous usages in leakage-resilience: ► Secure memory – “only computation leaks information” [MR04, DP08]; one-time memory [GKR08]. ► Secure processor – Oblivious RAM [G89, GO94].

A Word on Leak-Proof Hardware. Our desiderata: the leak-proof hardware shall be: – SMALL: size much smaller than the circuit (if not, trivial: the leak-proof device does the computation). – STATELESS: does not store any long-term secrets (if not, trivial: the leak-proof device contains an encryption secret key and does “decrypt, compute and re-encrypt”). – COMPUTATION-INDEPENDENT: the device has NO INPUTS, it simply samples from a distribution!

Construction. [Figure: C with Key, X, Y → C’ with Key’, X, Y.]

The Setup. Original circuit C of arbitrary functionality. Example: AES encryption, or RSA signatures with secret key Key, and so forth... [Figure: C takes Key and X and outputs Y; C’ takes Key’ and X and outputs Y.]

The Setup. Allowed gates in C: Mult (AND): ●; Add (XOR): +; Coin: $; Const: 1; Copy: C; Memory: M (stores the key).

The Setup. Transformed circuit C’ with transformed state Key’: same underlying gates as in C, plus a leak-proof device (will describe later). Correctness: for any X, Key: C_Key(X) = C’_Key’(X).

Security Definition. [Figure: the adversary supplies input X to C’_Key’ (built from ●, + and M gates) and receives the output Y together with f(wires), where the leakage function f is evaluated on all wires of the circuit.]

Security Definition: CONTINUAL leakage model. In execution i the adversary chooses input X_i and a leakage function f_i ∈ L, and receives Y_i and f_i(wires_i). After each execution the key is refreshed: Key’_1 → Key’_2 → Key’_3 → ... (refreshed key).

Security Definition. Real: the adversary interacts with C’_Key’_i, choosing X_i, f_i ∈ L and receiving Y_i, f_i(wires_i). Simulation: the simulator has only black-box access to C_Key (X_i ↦ Y_i). The two views must be STATISTICALLY indistinguishable: the adversary learns no more than by black-box access.

Construction: Overview. Memory → encoded memory: each bit b is replaced by a parity encoding of b, a uniformly random tuple (b_1,...,b_n) s.t. ∑ b_i (mod 2) = b. Two key properties of the parity encoding: let (a_1,...,a_n) and (b_1,...,b_n) be random encodings of 0 and 1. ► AC0-indistinguishable [Has86, DI06]: for any ε > 0 and AC0 circuit C with output length n^(1-ε), C(a_1,...,a_n) ≈_s C(b_1,...,b_n). ► Noise-indistinguishable (using the XOR lemma): for any p < 1/2, N_p(a_1,...,a_n) ≈_s N_p(b_1,...,b_n).

Construction: Overview. Wires → wire bundles. Invariant: each wire bundle carries an encoding of the corresponding wire value.

Construction: Overview. Gates → gadgets. A gadget operates on encodings, e.g., Enc(a), Enc(b) → Enc(a+b). [Figure: the transformed circuit C’ with an Enc step on its inputs and a Dec step on its outputs.]

Proof Technique: TWO STEPS. 1) Individual gadgets are leakage-resilient: – The internals of the gadget can be “simulated” given only the inputs and the output. – We call this “reconstructibility”. 2) Composition Lemma: – Assume that the individual gadgets are leakage-resilient and re-randomizing; then the entire (transformed) circuit is leakage-resilient.

Assume gadgets are re-randomizing. Re-randomizing: the output of the gadget is a uniformly random encoding of the corresponding bit (even given the leakage from its internals). Proof of the Composition Lemma:
– Hybrid argument: H_0: every wire carries an encoding of its real value; ...; H_i: the i-th wire carries an encoding of its real value; H_{i+1}: the i-th wire carries an encoding of 0; ...; H_w: every wire carries an encoding of 0.
– Reduction: if you can distinguish between H_i and H_{i+1} (given leakage), you can distinguish between encodings of 0 and 1.
– The reduction has to be VERY efficient (in AC0)!

Construction of the Gadgets: the ADD gadget. Inputs: encodings (a_1,...,a_n) and (b_1,...,b_n). n add gates compute a_i + b_i. The leak-proof device outputs a uniformly random parity encoding of 0, (c_1,...,c_n) s.t. ∑ c_i = 0, which is then added in. [Figure: the two input bundles and the device output (c_1,...,c_n) feeding the add gates.]

Proof Technique: TWO STEPS (recap). 1) Individual gadgets are leakage-resilient: – Given ANY consistent input encodings a and b and output encoding o, simulate the internal wires of the gadget. 2) Composition Lemma: – Assume that the individual gadgets are leakage-resilient and re-randomizing; then the entire (transformed) circuit is leakage-resilient.

Simulation of the Gadget Internals (ADD gadget).
– The input wires are the a’s and b’s; the output wires are the o’s (o_i = a_i + b_i + c_i).
– The internal wires are the c’s.
– SIM: set c_i = o_i − (a_i + b_i).
– Identical to the real distribution!!
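The parity encoding, the ADD gadget and its reconstructor from the preceding slides, as an added worked example in Python (this is not the paper's code). It checks the two properties the slides claim: the simulator's rule c_i = o_i − (a_i + b_i) reproduces every internal wire exactly, and, over all outputs of the leak-proof device (modelled by an assumed function leak_proof_sampler that only samples Enc(0)), the gadget output ranges uniformly over the encodings of a+b, i.e. the gadget is re-randomizing.

```python
import secrets
from itertools import product

def encode(bit, n, randbit=lambda: secrets.randbits(1)):
    """Parity encoding of the slides: uniformly random (b_1..b_n) with XOR equal to bit."""
    shares = [randbit() for _ in range(n - 1)]
    shares.append(bit ^ (sum(shares) % 2))
    return shares

def decode(shares):
    return sum(shares) % 2

def leak_proof_sampler(n):
    """Assumed model of the leak-proof device: no inputs, it only samples Enc(0)."""
    return encode(0, n)

def add_gadget(a, b, c):
    """Real ADD gadget: n XOR gates on the bundles, then re-randomise with the
    device's fresh encoding c of 0. Returns the output bundle and the internal wires."""
    s = [x ^ y for x, y in zip(a, b)]          # a_i + b_i
    o = [x ^ y for x, y in zip(s, c)]          # o_i = a_i + b_i + c_i
    return o, {"s": s, "c": c}

def simulate_internals(a, b, o):
    """Reconstructor: rebuild every internal wire from inputs and output only,
    using c_i = o_i - (a_i + b_i) over GF(2)."""
    s = [x ^ y for x, y in zip(a, b)]
    c = [x ^ y for x, y in zip(o, s)]
    return {"s": s, "c": c}

def reconstructible(a, b, c):
    """The simulated internals are not just identically distributed but identical."""
    o, real = add_gadget(a, b, c)
    return simulate_internals(a, b, o) == real

def all_encodings(bit, n):
    return [list(t) for t in product((0, 1), repeat=n) if sum(t) % 2 == bit]

def rerandomizing(a, b):
    """Over all 2^(n-1) device outputs c in Enc(0), the gadget output takes every
    encoding of a+b exactly once, so it is a uniformly random encoding of a+b."""
    n = len(a)
    outs = [tuple(add_gadget(a, b, c)[0]) for c in all_encodings(0, n)]
    target = {tuple(e) for e in all_encodings(decode(a) ^ decode(b), n)}
    return len(outs) == len(set(outs)) and set(outs) == target

if __name__ == "__main__":
    a, b = encode(1, 6), encode(0, 6)
    print(reconstructible(a, b, leak_proof_sampler(6)), rerandomizing(a, b))
```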

I Won’t Tell You the Complicated Part (or, the MULT GADGET). – The challenging case. [Figure: MULT gadget sketch with Enc(0) samples, a block B, a sum S and a Dec step.] – TRICK: have enough “degrees of freedom” that the reconstructor can use.

Noisy Leakage. – The MULT gadget above can be broken with noisy leakage: the adversary gets a noisy version of all the products a_i b_j (the block B). – If a_1 = 0, all the a_1 b_j are 0. – If a_1 = 1, half of them are 0, half 1. – Can distinguish between the two cases for any p < 1/2. – We construct a new MULT gadget for noisy leakage.
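Why the noise that hides a single encoding does not hide a block of raw products, as an added Python example (not the paper's code): the parity of the noisy view N_p of one encoding agrees with the encoded bit only with probability 1/2 + (1−2p)^n/2, a coin flip for large n, whereas the noisy row a_1 b_1, ..., a_1 b_n reveals a_1 by a simple frequency threshold for any p < 1/2. The parameters n = 1000, p = 0.3 and the RNG seed are constructed for the demonstration.

```python
import random

def encode(bit, n, rng):
    """Parity encoding: uniformly random (b_1..b_n) with XOR equal to bit."""
    shares = [rng.randrange(2) for _ in range(n - 1)]
    shares.append(bit ^ (sum(shares) % 2))
    return shares

def noisy_view(wires, p, rng):
    """The N_p channel of the slides: every wire flipped independently w.p. p."""
    return [w ^ int(rng.random() < p) for w in wires]

def decode_success_rate(bit, n, p, trials, seed=1):
    """Noise on ONE encoding: the parity of the noisy view equals the encoded bit
    only with probability 1/2 + (1-2p)^n/2 (piling-up lemma), i.e. ~1/2 for large n."""
    rng = random.Random(seed)
    hits = sum(sum(noisy_view(encode(bit, n, rng), p, rng)) % 2 == bit
               for _ in range(trials))
    return hits / trials

def product_row_leak(a_1, b, p, rng):
    """Noisy view of the row a_1*b_1, ..., a_1*b_n of the raw product block B."""
    return noisy_view([a_1 & b_j for b_j in b], p, rng)

def guess_a1(leak, p):
    """a_1 = 0: every product is 0, so ones appear at rate p.
    a_1 = 1: the products are the (individually uniform) b_j, so ones appear at rate 1/2.
    A threshold midway between p and 1/2 separates the cases for any p < 1/2."""
    return int(sum(leak) / len(leak) > (p + 0.5) / 2)

def distinguish_success_rate(n, p, trials, seed=1):
    """Fraction of trials in which the noisy product row reveals a_1 correctly."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a_1 = rng.randrange(2)
        b = encode(rng.randrange(2), n, rng)   # fresh random encoding of a random bit
        hits += guess_a1(product_row_leak(a_1, b, p, rng), p) == a_1
    return hits / trials

if __name__ == "__main__":
    print("parity of one noisy encoding, hit rate:", decode_success_rate(1, 1000, 0.3, 400))
    print("a_1 from noisy product row, hit rate: ", distinguish_success_rate(1000, 0.3, 200))
```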

Open Questions. – Is leak-proof (secure) hardware necessary? – Can we protect against general leakage? Subsequent work: Juma-Vahlis and Goldwasser-Rothblum achieve security against continual polynomial-time leakage, using – computational assumptions (FHE [JV10] and DDH [GR10]), – “only computation leaks information” [MR04], – leak-proof hardware (like us).

Questions?