1
Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013Lecture 13:Cryptographic leakage resilience (cont.)
Eran TromerSlides credit: Yuval Ishai, Manoj Prabhakaran
2
Primitive
Attacks
Guarantees
Functionality
Communication
Assumptions
Leakage
Tampering
Correctness
Secrecy
Functionclass
Outputform
FHE
ANY
none
yes
YES
Circuits
Encrypted
Minimal
Computational
ANY
no
Arguments
(CS proofs /PCD /SNARG)
ANY
ANY
YES
no
RAM,distributed
Plaintext
Minimal
Exoticcomputational /oracle
MPC
ANY
ANY
YES
YES
ANY
Plaintext
Heavyinteraction
Mildcomputational
Garbledcircuits
ANY
none
yes
YES
Circuits
Plaintext
Preprocessing +minimal
Mildcomputational
ANY
no
Leakageresilience
Varies
none
yes
YES
Varies
Plaintext
Minimal
Varies
Tamperresilience
Varies
Varies
Varies
Varies
Varies
Plaintext
Minimal
Varies
Obfuscation
ANY
ANY
YES
YES
YES
Plaintext
Minimal
0=1
TPM
Securehardware
Leakage resilience
s
x
y=y(s,x)
s’
x
y=y(s,x)
• Same I/O functionality
• Keeps secret even in the presence of side-channel attacks: leakage and tampering
3
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
Model
Model
•Circuits runs for many cycles
•In each cycle:
–Adversary chooses input
–Adversary chooses an admissible attack
•Leakage and/or tampering from a specified class
–Adversary observes output + leakage
–Memory state is updated
4
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
Circuit transformers
Circuit transformers
•T=(TC,Ts), on inputs k,t, maps C to C’ and s0 to s0’.
•Ts must be randomized
–Otherwise initial state s0 is revealed by probing
•C’ can be either randomized or (better yet)deterministic.
•Functionally equivalent: C[s0] C’[s0’]
C
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
T
C’
s0
s0’
5
6
s
x
Y
Any boolean circuit
Circuittransformation
Transformed circuit
admissibleleakage
Y
X
black-box
indistinguishable
Security [Ishai Sahai Wagner ’03]
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
Security definition
Security definition
T protects privacy:circuit Cefficient Simadmissible Advinitial state s0 :SimAdv,C[s0] view of Adv attacking C’[s0’](Even in case of tampering, only privacy is required)
C
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
T
C’
s0
s0’
7
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
Relation to obfuscation
Relation to obfuscation
•C’[s0’] should act like a “virtual black-box” for C[s0].
–Even in the presence of side-channel attacks
•Negative results for obfuscation [BGI+01,GK05] restrictclasses of attacks that can be tolerated
–Can’t probe all wires in a single cycle
–Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
–Can’t freely “edit” gates and wires
C
INPUT
INPUT
OUTPUT
OUTPUT
CIRCUIT
CIRCUIT
MEMORY
MEMORY
T
C’
s0
s0’
8
Simple/practical schemes I
•Sum-of-wires leakage
–Dual-Rail Logic
<Show how simulator uses adversary>
•Sum-of-wire-transitions leakage
–Dual-Rail Precharge Logic
•Protecting s
•Practical complications:
–Capacitance imbalance
–Glitches
–Cell internals
9
Simple/practical schemes II
•Single-wire leakage
–Bit masking
•Single-”value” leakage
–RSA blinding
•t-wire leakage
–Secret sharing…
10
t-wire leakage [ISW03]
t-wire leakage [ISW03]
•Secrets additively shared into m=2t+1 shares
•Given shares ofa=a1 … am andb=b1… bm :
–Compute shares of NOT(a) : apply NOT to a1
–Compute shares ci of a AND b :
•Let zi,j , i<j, be random independent bits
•Let zj,i=(zi,jaibj) ajbi (i<j)
•Let ci=aibi ji zi,j
•Re-randomize s’ at every iteration
•Randomness gates eliminated by a random-number generator
s0’
11
12
s
X
Y
Any boolean circuit
Circuittransformation
Transformed circuit
t-wireprobing
Y
X
black-box
indistinguishable
[ISW03]
13
Our goal
Allow stronger leakage.
14
Leakage classes
•Locality assumptions
–Single wire, t wires
–Separate sub-circuits
–Leak-free processor (Oblivious RAM [GO95])
–Leak-free memory (“only computation leaksinformation” [MR04]: leakage from CPU stateand memory accessed at that program step)
•“Simple leakgage”
–Sums and Hamming weights
–Low-complexity global functions
•Specific functionality (mainly crypto)