Leakage-Resilient Cryptography

Stefan Dziembowski (University of Rome La Sapienza) and Krzysztof Pietrzak (CWI Amsterdam)
Plan

1. Motivation and introduction
2. Our model
3. Our construction

These slides are available at www.dziembowski.net/Slides
How to construct secure cryptographic devices?

[figure: a cryptographic device with a CRYPTO component inside. The CRYPTO component is "very secure": its security is based on well-defined mathematical problems. The device as a whole is "not secure!"]
The problem

[figure: the cryptographic device leaks information about its CRYPTO component to the outside.]

Information leakage. Side channel information:
• power consumption,
• electromagnetic leaks,
• timing information,
etc.
The standard view

[figure: the same cryptographic device seen by practitioners, and the CRYPTO component inside it seen by theoreticians, with the slogan "Implementation is not our business!"]
A recent idea

Design cryptographic protocols that are secure even on machines that leak information.
The model

The adversary has (standard) black-box access to the cryptographic scheme, plus additional access to the internal data.
Some prior work

• S. Chari, C. S. Jutla, J. R. Rao, P. Rohatgi. Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO 1999.
• Y. Ishai, A. Sahai, D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003.
• S. Micali, L. Reyzin. Physically Observable Cryptography (Extended Abstract). TCC 2004.
• R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, T. Rabin. Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering. TCC 2004.
• C. Petit, F.-X. Standaert, O. Pereira, T. G. Malkin, M. Yung. A Block Cipher Based PRNG Secure Against Side-Channel Key Recovery. ASIACCS 2008.
• A sequence of papers by F.-X. Standaert, T. G. Malkin, M. Yung and others, available on the web page of F.-X. Standaert.
Our contribution

We construct a stream cipher that is secure against a very large and well-defined class of leakages. Our construction is in the standard model (i.e. without random oracles).
stream ciphers ≈ pseudorandom generators

[figure: a short key X enters the stream cipher S, which outputs a long stream K.]

A computationally bounded adversary should not be able to distinguish K from random.
How do stream ciphers work in practice?

[figure: S, keyed by the short key X, emits K1, K2, K3, K4, ... over time.]

The stream K is generated in rounds (one block per round).
An equivalent security definition

The key X stays hidden; after the adversary has seen the blocks K1, ..., Ki, the next block should look random:

round   the adversary knows     should look random
1       (nothing)               K1
2       K1                      K2
3       K1, K2                  K3
4       K1, K2, K3              K4
...
Our assumption

We will assume that there is a leakage each time a key Ki is generated (i.e. leakage occurs in every round).

[figure: S produces K1, K2, K3, K4, ... from X, with a leakage arrow at every round.]

The details follow...
Leakage-resilient stream cipher - the model

Examples of the "leakage functions" from the literature:

• Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. The adversary can learn the value of some wires of a circuit that computes the cryptographic scheme.
• Another example (a "Hamming attack"): the adversary can learn the sum of the secret bits.
We consider a very general class of leakages.

In every i-th round the adversary chooses a poly-time computable "bounded-output function"

f : {0,1}^n → {0,1}^m, for m < n,

and learns f(X). We say that the adversary "retrieved m bits" (in a given round).
How much leakage can we tolerate?

In our construction the total number of retrieved bits will be larger than the length of the secret key X (but in every round the number of retrieved bits will be much less than |X|; this per-round bound is a parameter of the construction).

How can we achieve it? By key evolution!
Key evolution

In each round the secret key X gets refreshed.

[figure: the key evolves X0 → X1 → X2 → X3 → ..., and round i outputs Ki.]

Assumptions:
• key evolution has to be deterministic (no refreshing with external randomness);
• also the refreshing procedure may cause leakage.
How to define security?

Is "indistinguishability" possible?

Problem: if the adversary can "retrieve" just one bit of Ki then he can distinguish it from random...

Solution: indistinguishability will concern the "future" keys Ki.

Security "without leakage"

[figure: states X0, X1, X2, ... with outputs K1, K2, K3, K4. After the adversary has seen K1, ..., Ki, the next key Ki+1 should look random.]
Security "with leakage"

[figure: in round i, on state Xi-1, the adversary chooses a leakage function fi and learns fi(Xi-1) together with the output Ki. After three rounds the adversary knows K1, f1(X0), K2, f2(X1), K3, f3(X2); K4 should look random.]
Key evolution - a problem

Recall that:
1. the key evolution is deterministic,
2. the "leakage function fi" can be any poly-time function.

Therefore the function fi can always compute the "future" keys (and leak bits of them, which breaks indistinguishability of the future keys).

What to do?

We use the principle introduced in S. Micali and L. Reyzin, Physically Observable Cryptography, TCC 2004:

"only computation leaks information"

in other words:

"untouched memory cells do not leak information"
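The two failures the slides above describe, in runnable form, as an added example that is not part of the slides: first, without key evolution a per-round m-bit leak hands over the whole key after ceil(n/m) rounds (the "how much leakage can we tolerate" slide); second, with deterministic key evolution but no "only computation leaks" restriction, the round-1 leakage function can run the evolution itself and leak bits of a future output. The parameters, the SHA-256 stand-in for the key evolution, and the adversary's choices of f are assumptions made for this example.

```python
"""Added example (not from the slides): the two failure modes behind the
key-evolution and 'only computation leaks' slides, in runnable form.
In every round the adversary picks a poly-time f: {0,1}^n -> {0,1}^m with
m < n and learns f(state).  The parameters, the toy SHA-256 key evolution
and the adversary's choices of f are assumptions made for this example."""
import hashlib
import secrets

N = 128       # |X| in bits (assumed)
LAM = 8       # bits retrieved per round, much less than |X| (assumed)


def hamming_leak(x: int) -> int:
    """The 'Hamming attack' leakage: the number of set bits of the secret.
    Its output is at most N, so it is a bounded-output function with
    bits_needed_for_hamming(N) bits of leakage per round."""
    return bin(x).count("1")


def bits_needed_for_hamming(n: int) -> int:
    """ceil(log2(n + 1)): the output length of the Hamming-weight function."""
    return n.bit_length()


def window_leak(value: int, i: int, m: int = LAM) -> int:
    """Adversary's choice of f_i: bits [i*m, (i+1)*m) of the value."""
    return (value >> (i * m)) & ((1 << m) - 1)


def recover_static_key(x: int, n: int = N, m: int = LAM) -> tuple[int, int]:
    """No key evolution: the same X is used in every round, so m bits per
    round reveal all of X after ceil(n/m) rounds.  Returns (X', rounds)."""
    rounds = -(-n // m)
    recovered = 0
    for i in range(rounds):
        recovered |= window_leak(x, i, m) << (i * m)
    return recovered, rounds


def evolve(x: int, n: int = N) -> tuple[int, int]:
    """Toy deterministic key evolution (assumption): from X_i derive the
    next state X_{i+1} and the round output K_{i+1} with one SHA-256 call."""
    digest = hashlib.sha256(x.to_bytes(n // 8, "big")).digest()
    return int.from_bytes(digest[:n // 8], "big"), int.from_bytes(digest[n // 8:], "big")


def leak_future_output(x0: int, rounds_ahead: int, m: int = LAM) -> tuple[int, int]:
    """Deterministic evolution without the 'only computation leaks' rule:
    the round-1 leakage function f_1 is poly-time, so it can run the
    evolution itself and leak m bits of the output of a *future* round.
    Returns (what f_1 leaked, the true bits of that future output)."""
    def f1(state: int) -> int:
        k = 0
        for _ in range(rounds_ahead):
            state, k = evolve(state)
        return window_leak(k, 0, m)

    leaked = f1(x0)
    # honest execution of the cipher, for comparison
    state, k = x0, 0
    for _ in range(rounds_ahead):
        state, k = evolve(state)
    return leaked, window_leak(k, 0, m)


if __name__ == "__main__":
    x = secrets.randbits(N)
    print("Hamming leak fits in", bits_needed_for_hamming(N), "bits:", hamming_leak(x))
    recovered, rounds = recover_static_key(x)
    print("static key recovered after", rounds, "rounds:", recovered == x)
    leaked, truth = leak_future_output(x, 5)
    print("f_1 predicted 8 bits of K_5:", leaked == truth)
```

Both attacks respect the per-round bound (8 bits out of 128); what they exploit is that the leakage function sees the whole state, including whatever the future depends on. The memory split on the next slide is what removes that: the half not touched in a round is not an input to fi at all.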
Divide the memory into three parts: L, C and R. C is accessed in every round; R is accessed only in the odd rounds and L only in the even rounds, so in every round one of the two halves is untouched and, by the principle above, does not leak.

round   L                C               R
0       L0               C0              R0
1       L1 (unmodified)  C1 (modified)   R1 (modified)
2       L2 (modified)    C2 (modified)   R2 (unmodified)
3       L3 (unmodified)  C3 (modified)   R3 (modified)
...
Our cipher - the outline

The key of the cipher = "the initial memory contents (L0, C0, R0)".

[figure: round 1: S reads C0 and R0 and writes C1 and R1 (L1 = L0, unmodified); round 2: S reads C1 and L1 and writes C2 and L2 (R2 = R1, unmodified); round 3: S reads C2 and R2 and writes C3 and R3 (L3 = L2, unmodified); ...]
The output

The output is the contents of the "central" part of the memory, so from now on we write K for C: the key is (L0, K0, R0) and round i outputs Ki.

[figure: the memory contents (L1, K1, R1), (L2, K2, R2), (L3, K3, R3), ... after each round.]

All the keys Ki output by the cipher will be given "for free" to the adversary.
The details of the model

The key is (L0, K0, R0). In round i the cipher S reads Ki-1 and one half of the memory (R0 in round 1, L1 in round 2, R2 in round 3, ...), outputs Ki and refreshes that half. The adversary chooses fi and learns fi of the half accessed in that round together with Ki:

round   the adversary learns
1       f1(R0), K1
2       f2(L1), K2
3       f3(R2), K3
...

Should look random: the next key (K4 after the three rounds above).
Leakage-resilient stream cipher - the construction

How to construct such a cipher?

Idea: use randomness extractors.

A function Ext : {0,1}^k × {0,1}^r → {0,1}^m is an (ε, n)-randomness extractor if for
• a uniformly random K, and
• every X with min-entropy n
we have that (Ext(K, X), K) is ε-close to uniform.
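The definition above checked exhaustively on a toy instance, as an added example that is not part of the slides. The extractor Ext(K, X) = (K·X mod p) mod 2^m is a leftover-hash-lemma style construction from the almost-universal hash family x ↦ K·x mod p; the family, p = 257 and the parameter sizes are assumptions made for this example. The point it makes is the word "strong": K is part of the pair whose distance is measured, so the distance is an average over seeds, and a seed like K = 2 that is individually useless is tolerated because it is rare.

```python
"""Added example (not from the slides): an exhaustive check of the
(eps, n)-extractor definition for a toy strong extractor.
Ext(K, X) = (K * X mod p) mod 2^m is built from the almost-universal
hash family x -> K * x mod p in the leftover-hash-lemma style; the
family, p = 257 and the parameter sizes are assumptions for this example."""
from fractions import Fraction

P = 257                 # prime modulus (assumed)
M = 2                   # output length m in bits (assumed)
SEEDS = range(1, P)     # the seed K is uniform over Z_p^* (256 seeds)


def ext(k: int, x: int, p: int = P, m: int = M) -> int:
    """Strong extractor: multiply the source by the seed mod p, keep the low m bits."""
    return ((k * x) % p) & ((1 << m) - 1)


def per_seed_distance(k: int, source, m: int = M) -> Fraction:
    """Exact statistical distance of Ext(k, X) from uniform on {0,1}^m,
    for one fixed seed k and X uniform on `source`."""
    n_out = 1 << m
    counts = [0] * n_out
    for x in source:
        counts[ext(k, x, m=m)] += 1
    return sum(abs(Fraction(c, len(source)) - Fraction(1, n_out)) for c in counts) / 2


def joint_statistical_distance(source, seeds=SEEDS, m: int = M) -> Fraction:
    """Exact statistical distance between (Ext(K, X), K) and the uniform
    distribution on {0,1}^m x seeds, for K uniform on `seeds` and X
    uniform on `source` (a flat source over 2^n values has min-entropy n).
    Because K is part of the output, this equals the average over seeds
    of the per-seed distances: a few bad seeds are fine if they are rare."""
    return sum(per_seed_distance(k, source, m) for k in seeds) / len(seeds)


def lhl_bound(n: int, m: int) -> float:
    """Leftover hash lemma: a universal family gives eps <= 1/2 * sqrt(2^m / 2^n)
    on every source of min-entropy n.  The toy family here is only almost
    universal (truncating Z_257 to 2 bits is slightly uneven), so treat this
    value as a reference point rather than a guarantee for it."""
    return 0.5 * (2 ** (m - n)) ** 0.5


if __name__ == "__main__":
    flat = range(128)    # uniform on 2^7 values: min-entropy n = 7
    tiny = range(2)      # uniform on 2 values: min-entropy 1, not enough
    print("seed 1:", per_seed_distance(1, flat), " seed 2:", per_seed_distance(2, flat))
    print("joint distance, n=7:", float(joint_statistical_distance(flat)),
          " LHL reference:", lhl_bound(7, M))
    print("joint distance, n=1:", float(joint_statistical_distance(tiny)))
```

Seed K = 1 maps the flat source perfectly onto the four buckets (distance 0) while K = 2 only ever hits two of them (distance 1/2); averaged over all 256 seeds the joint distance on the min-entropy-7 source is small, whereas a source with min-entropy 1 stays far from uniform (9/16) whatever the seed, which is exactly the min-entropy condition in the definition.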
Alternating extraction [DP, FOCS07]

[figure: K0 sits between the two halves L and R, and the seed alternates between them:
K1 = Ext(K0, R)
K2 = Ext(K1, L)
K3 = Ext(K2, R)
...]
A fact from [DP07]

Even if a constant fraction of L and R leaks, the keys K1, K2, ... look "almost uniform".

Idea: "add key evolution to [DP07]"

What to do? Use a pseudorandom generator (prg) in the following way. Instead of Ki+1 = Ext(Ki, R), let the extractor also output a seed Yi+1 for the prg, and use it to refresh the half that was just read:

(Ki+1, Yi+1) = Ext(Ki, Ri)
Ri+1 = prg(Yi+1)
Our scheme

Key: (L0, K0, R0).

round 1:  (K1, Y1) = Ext(K0, R0),  R1 = prg(Y1),  L1 = L0
round 2:  (K2, Y2) = Ext(K1, L1),  L2 = prg(Y2),  R2 = R1
round 3:  (K3, Y3) = Ext(K2, R2),  R3 = prg(Y3),  L3 = L2
...
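A runnable model of the scheme above, as an added example that is not part of the slides or the paper. The two primitives are stand-ins: Ext is a multiply-mod-prime extractor whose 256-bit output is split into the next seed Ki+1 and the prg seed Yi+1, and prg is SHA-256; the toy sizes, the prime (the secp256k1 field prime, used here only as a convenient 256-bit prime), the leakage adversary, and all function names are assumptions made for this example. A real instantiation takes the extractor and prg parameters from the paper's analysis, not from here.

```python
"""Added example (not from the slides or the paper): a runnable model of
the Dziembowski-Pietrzak leakage-resilient stream cipher with stand-ins
for its two primitives.  Ext is a multiply-mod-prime extractor whose
256-bit output is split into the next seed K_{i+1} and a PRG seed Y_{i+1};
prg is SHA-256.  The sizes, the prime, both primitives and the leakage
adversary are assumptions made for this example."""
import hashlib
import secrets
from typing import Callable, Optional

HALF_BITS = 256                       # |L| = |R| (assumed)
KEY_BITS = 128                        # |K_i| = |Y_i| (assumed)
P = 2**256 - 2**32 - 977              # 256-bit prime (secp256k1 field prime, assumed modulus)
LAM = 9                               # bits the adversary may retrieve per round (assumed)
MASK = (1 << KEY_BITS) - 1

Leak = Callable[[int, int], int]      # f_i(touched half, i) -> at most LAM bits


def ext(k: int, x: int) -> tuple[int, int]:
    """(K_{i+1}, Y_{i+1}) = Ext(K_i, X): the product wraps mod P because
    |K_i| + |X| > 256 bits; low 128 bits become the next seed, the next
    128 bits seed the PRG."""
    v = (k * x) % P
    return v & MASK, (v >> KEY_BITS) & MASK


def prg(y: int) -> int:
    """Stand-in PRG (assumption): expand Y_{i+1} into a fresh 256-bit half."""
    return int.from_bytes(hashlib.sha256(b"prg|" + y.to_bytes(KEY_BITS // 8, "big")).digest(), "big")


def keygen() -> tuple[int, int, int]:
    """Secret key = initial memory contents (L0, K0, R0)."""
    return secrets.randbits(HALF_BITS), secrets.randbits(KEY_BITS), secrets.randbits(HALF_BITS)


def run(key, rounds: int, leak: Optional[Leak] = None, lam: int = LAM):
    """Run the cipher for `rounds` rounds.  Odd rounds read and refresh R,
    even rounds L; the other half is untouched and so, under 'only
    computation leaks', is not an input to f_i.  Returns (stream K_1..K_rounds,
    memory states (L_i, K_i, R_i) for i = 0..rounds, per-round leaks)."""
    L, K, R = key
    stream, states, leaks = [], [key], []
    for i in range(1, rounds + 1):
        x = R if i % 2 == 1 else L                 # half touched this round
        if leak is not None:                        # f_i sees only that half
            out = leak(x, i)
            if not 0 <= out < (1 << lam):
                raise ValueError(f"f_{i} exceeds the {lam}-bit output bound")
            leaks.append(out)
        K, y = ext(K, x)                           # (K_i, Y_i) = Ext(K_{i-1}, half)
        if i % 2 == 1:
            R = prg(y)                             # R_i = prg(Y_i), L_i = L_{i-1}
        else:
            L = prg(y)                             # L_i = prg(Y_i), R_i = R_{i-1}
        stream.append(K)
        states.append((L, K, R))
    return stream, states, leaks


def hamming_leak(half: int, i: int) -> int:
    """The slides' 'Hamming attack' as a bounded-output leakage function:
    the popcount of a 256-bit half needs 9 bits, which is exactly LAM."""
    return bin(half).count("1")


def untouched_half_is_stable(states) -> bool:
    """Check the alternation invariant: L unchanged in odd rounds, R in even."""
    for i in range(1, len(states)):
        before, after = states[i - 1], states[i]
        if i % 2 == 1 and before[0] != after[0]:
            return False
        if i % 2 == 0 and before[2] != after[2]:
            return False
    return True


if __name__ == "__main__":
    stream, states, leaks = run(keygen(), 6, hamming_leak)
    print("6 output blocks:", [hex(k)[:12] for k in stream])
    print("untouched half stable in every round:", untouched_half_is_stable(states))
    print("bits retrieved so far:", LAM * len(leaks), "of a", 2 * HALF_BITS + KEY_BITS, "bit key")
```

Two things to notice when running it: the leakage function is handed only the half that the round actually computes on, which is what stops the "simulate the future" attack from the earlier slide (the half it cannot see is what the next round's extractor will consume), and after enough rounds the 9 bits per round add up to more than the 640-bit key, which is the regime the construction is designed for.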
Our results (1/2)

Assume the existence of pseudorandom generators. Then the cipher constructed on the previous slides is secure against an adversary that in every round retrieves
λ = ω(log(length of the key))
bits. This covers many real-life attacks (e.g. the "Hamming attack").

Our results (2/2)

Assume the existence of pseudorandom generators secure against exponential-size circuits. Then the cipher constructed on the previous slides is secure against an adversary that in every round retrieves
λ = Θ(length of the key)
bits.
An open problem

Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003: generic construction, weaker model.

This paper: specific construction, stronger model.

Anything in between?

Thank you for your attention!