Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner.
A Live Demonstration
• Can you keep secrets?
• … and now?

Talk Overview
• The goal
• Security definition
• Overview of results and techniques
• Open questions

The Goal
[Figure: AES(s,m) with secret s and input m is transformed into AES(s’,m) with transformed secret s’ and the same input m]
• Same I/O functionality
• Keeps s secret even in the presence of side-channel attacks:
  – leakage
  – tampering

Comparison with Related Work
• Protecting general, reactive circuits
  – vs. realizing a specific task [DP08]
  – vs. a one-time computation [GKR08]
• Continuous and adaptive leakage/tampering
  – vs. bounded leakage [AGV09]
• Entire circuit susceptible to leakage/tampering
  – vs. “only computation leaks information” [MR04]
  – vs. “algorithmic tamper-proof security” [GLM+04]

The Model
[Figure: CIRCUIT with INPUT, OUTPUT and MEMORY]
• In each cycle:
  – Adv chooses input
  – Adv chooses an admissible (t-bounded) attack
    • Leakage and/or tampering from a specified class
  – Adv observes output + leakage
  – Memory state is updated

Circuit Transformers
[Figure: transformer T maps circuit C with initial memory s0 to circuit C’ with initial memory s0’; both have INPUT, OUTPUT and MEMORY]
• T=(TC,Ts), on inputs k,t, maps C to C’ and s0 to s0’.
• Ts must be randomized
  – Otherwise initial state s0 is revealed by probing
• C’ can be either randomized or (better yet) deterministic.

Security Definition
[Figure: as above, T maps (C, s0) to (C’, s0’)]
• T respects functionality: C[s0] ≡ C’[s0’]
• T protects privacy: for every C there is a simulator Sim such that for every t-bounded Adv and every s0, Sim^{Adv, C[s0]} ≈ view of Adv attacking C’[s0’]
  – Even in case of tampering, only privacy is required

Relation with Obfuscation
[Figure: as above, T maps (C, s0) to (C’, s0’)]
• C’[s0’] should act like a “virtual black-box” for C[s0].
  – Even in the presence of side-channel attacks
• Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated
  – Can’t probe all wires in a single cycle
  – Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
  – Can’t freely “edit” gates and wires

Results: Passive Attacks
• I-Sahai-Wagner03: probing attacks
  – Adv probes t wires in each cycle
  – Several circuit transformers
    • |C’|=O(t^2)·|C|, randomized
    • |C’|=O(t^2)·|C|+poly(t,k), deterministic
    • |C’|=Õ(|C|), t=Ω̃(width(C)), if probes can’t be added within a cycle
  – Randomized routing technique
• Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10:
  – constant depth leakage (e.g., AC0) with t-bit output
    • |C’|=O((t+k)^2)·|C|
  – noisy leakage: each bit flipped with prob. p
    • |C’|=O(k^2)·|C|
  – both require tamper-proof, randomized “opaque gates”

Results: Tampering Attacks
• I-Prabhakaran-Sahai-Wagner 06:
  – Permanent Reset attacks, unbounded
    • |C’|=O(k^2)·|C|
  – Permanent Set/Reset/Toggle, up to t per cycle
    • |C’|=poly(k,t)·|C|
    • Requires AND gates of fan-in O(kt)
  – Both constructions can be made deterministic

Probing Attacks and MPC
[Figure: input clients, servers, output clients]
• Standard MPC [BGW88,CCD88]: unconditional security if t<n/2 parties are passively corrupted.
• Client-Server MPC: unconditional security if t<n/2 servers are corrupted.

Probing Attacks and MPC
[Figure: input clients, servers, output clients]
• Further extending MPC model:
  – Reactive functionalities
  – Mobile adversary [OY91]
  – No online randomness [CH94]
• Client-Server MPC: unconditional security if t<n/2 servers are corrupted.

MPC on Silicon
[Figure: initializer with s0 produces the initial shares; input client xi feeds servers S1, S2, S3, which run cycle after cycle and deliver yi to the output client]
• TC = protocol compiler
• Ts = initializer algorithm
• Conversely: Private circuit ⇒ MPC

MPC on Silicon?
• Very different optimization goals
  – Typical MPC: maximize resilience / #parties
  – Private circuits: maximize resilience / computation
• Ideally: many tiny parties, constant fractional resilience
• Using MPC protocols from the literature
  – BGW88:
    • Based on Shamir’s secret sharing
    • 2t+1 servers, Õ(t^2)·|C| computation, nontrivial field arithmetic
  – “GMW-lite” [GMW87,GV87,GHY87]:
    • Based on additive (XOR) secret sharing
    • t+1 servers
    • O(t^2)·|C| computation in OT-hybrid model
    • Implement OT calls via additional servers!
    • ISW03 construction is an optimized version of this approach

Concrete ISW03 Implementation
• Secrets additively shared into m=2t+1 shares
• Given shares of a = a_1 ⊕ … ⊕ a_m and b = b_1 ⊕ … ⊕ b_m:
  – Compute shares of Not(a): apply NOT to a_1
  – Compute shares c_i of a AND b:
    • Let z_{i,j}, i<j, be random independent bits
    • Let z_{j,i} = (z_{i,j} ⊕ a_i·b_j) ⊕ a_j·b_i
    • Let c_i = a_i·b_i ⊕ (⊕_{j≠i} z_{i,j})
• Randomness gates eliminated by using 2t+1 copies of a PRG

Tampering Attacks
• Recall model
  – adversary can permanently set, reset, toggle t wires in each cycle
  – eventually, all wires can be tampered with!
  – can’t use standard MPC, error-correction, signatures…
• Idea: “self-destruct” if tampering is detected
  – How to implement if even the self-destruction mechanism can be tampered with?
• Idea: randomized mine-field
  – Any tampering attempt can trigger a mine
  – Few lucky tampering attempts do not harm

The High Level Approach
• Consider (unbounded) Reset attacks
• Encode each value in C by a pair of values
  – 0 → 01
  – 1 → 10
  – 00, 11 interpreted as ⊥
• A Reset can either leave a value unchanged or turn it to ⊥
• Propagate ⊥ to outputs and memory (self-destruct)
• Still need to worry about correlation between secrets and ⊥
• Solution: Use ISW03 to get “k-wise independence”
  – Adv should get lucky k times to violate privacy
  – Being unlucky even a single time causes self-destruction
• General Set/Reset/Toggle attacks handled via longer encodings

The Low-Level Details
• A hacker’s paradise…

Further Research: Leakage
• Extend feasibility to other classes of leakage
  – other realistic leakage classes (power analysis, …)
  – “only computation leaks information”
  – … anything that does not imply obfuscation
  – leakage-resilient MPC?
• Probing attacks
  – improve efficiency and resilience
  – motivates new MPC complexity questions
  – potential application for “MPC-friendly codes” [CC06,…]
• Constant-depth leakage
  – eliminate “opaque gates” and randomness
  – is [ISW03] secure?

Interactive Compression [FRRTV10]
• Compression algorithm for f [HN06]:
  [Figure: shares of state x → leakage function (compression algorithm) → observed leakage y → adversary’s computation (unbounded “solver”) → f(x)]

Interactive Compression [FRRTV10]
• Can parity be compressed?
  – [Håstad]: Circuits of depth d and size 2^{k^{1/d}} can’t compute XOR_k ⇒ compression to k^{1/d} bits is hard for such circuits
  – [DI06]: even compression to k^{0.99} bits is hard!
    ⇒ constant-depth leakage with t = k^{0.99} is safe
• Previous compression model doesn’t handle adaptive attacks
  – reduction to non-adaptive case yields poor bounds
  – motivates study of “interactive compression”

Communication Complexity Game
[Figure: Weak party holds X=01000100111010 and communicates with Strong party, who must output Parity(X)]
• Circuit complexity: Weak sends one bit
• Compression: Weak sends t bits in one message
• Interactive compression: Weak sends t bits overall
• Challenge: good lower bounds for interactive compression

Further Research: Tampering
• Tolerate an unbounded number of attacks
  – Possible using tamper-proof components of size k
  – Open: use components of size O(1)
• Tolerate wider classes of tampering + leakage
• Develop a general theory
  – Apply general non-malleable codes [DPW10]
  – Tamper-resilient MPC

Conclusion
• Bottomless pool of open questions
• Motivate independently interesting theoretical questions
  – Leakage- and tamper-resilient MPC
  – Feasibility of relaxed obfuscation
  – Hardness of compression
• Relevance to practice?
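As a concrete companion to the “Concrete ISW03 Implementation” slide, the following Python model is an added example, not code from the talk or from the ISW03 paper. It XOR-shares each secret bit into m = 2t+1 shares, implements the NOT gadget (flip a_1 only) and the AND gadget with the z_{i,j} / z_{j,i} construction exactly as the slide states it, checks functional correctness, and then enumerates all randomness for t = 1 to confirm that any single output share has the same distribution whatever the secret inputs are, which is what makes a one-probe view simulatable. Function names and the choice of which randomness is enumerated are my own.

```python
"""Toy ISW03 masking gadgets (added example; not code from the talk or paper)."""
import secrets
from itertools import product


def xor_all(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def share(bit, m, rand=None):
    """XOR-share `bit` into m shares: bit = a_1 ^ ... ^ a_m.
    `rand` optionally fixes the m-1 free shares so all randomness can be enumerated."""
    r = list(rand) if rand is not None else [secrets.randbits(1) for _ in range(m - 1)]
    return r + [bit ^ xor_all(r)]


def reconstruct(shares):
    return xor_all(shares)


def not_gadget(a):
    """Shares of NOT a: apply NOT to a_1 only; the XOR of all shares flips."""
    return [a[0] ^ 1] + list(a[1:])


def and_gadget(a, b, z_bits=None):
    """ISW03 AND gadget on share vectors a, b of length m = 2t+1.
    z_{i,j} (i<j) are fresh random bits (taken from `z_bits` in row-major order if given).
    z_{j,i} = (z_{i,j} ^ a_i b_j) ^ a_j b_i, parenthesised so that no single
              intermediate wire ever carries a_i b_j ^ a_j b_i without a mask.
    c_i     = a_i b_i ^ XOR_{j != i} z_{i,j}"""
    m = len(a)
    z = [[0] * m for _ in range(m)]
    it = iter(z_bits) if z_bits is not None else None
    for i in range(m):
        for j in range(i + 1, m):
            z[i][j] = next(it) if it is not None else secrets.randbits(1)
            z[j][i] = (z[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])
    c = []
    for i in range(m):
        ci = a[i] & b[i]
        for j in range(m):
            if j != i:
                ci ^= z[i][j]
        c.append(ci)
    return c


def correct_on_all_inputs(t, trials=50):
    """Functional check: the gadgets reconstruct to a AND b and NOT a for every input."""
    m = 2 * t + 1
    for a_bit, b_bit in product((0, 1), repeat=2):
        for _ in range(trials):
            a, b = share(a_bit, m), share(b_bit, m)
            if reconstruct(and_gadget(a, b)) != (a_bit & b_bit):
                return False
            if reconstruct(not_gadget(a)) != (1 - a_bit):
                return False
    return True


def output_share_distribution(t, wire, a_bit, b_bit):
    """Exact distribution of the single output share c_wire, enumerating every
    sharing bit and every z_{i,j}. For t=1 (m=3) that is 2+2+3 = 7 random bits."""
    m = 2 * t + 1
    n_z = m * (m - 1) // 2
    counts = {0: 0, 1: 0}
    for r_a, r_b, zs in product(product((0, 1), repeat=m - 1),
                                product((0, 1), repeat=m - 1),
                                product((0, 1), repeat=n_z)):
        c = and_gadget(share(a_bit, m, r_a), share(b_bit, m, r_b), zs)
        counts[c[wire]] += 1
    return counts


def single_probe_is_independent(t):
    """True if every single output share is distributed identically for all four
    (a, b) secret pairs, i.e. one probe on the output reveals nothing."""
    for wire in range(2 * t + 1):
        dists = [tuple(sorted(output_share_distribution(t, wire, a, b).items()))
                 for a, b in product((0, 1), repeat=2)]
        if len(set(dists)) != 1:
            return False
    return True


if __name__ == "__main__":
    print("functional (t=2):", correct_on_all_inputs(2))
    print("c_0 distribution for a=b=1, t=1:", output_share_distribution(1, 0, 1, 1))
    print("single output probe independent (t=1):", single_probe_is_independent(1))
```

The enumeration only covers output shares; the ISW03 proof covers every internal wire as well, and for t probes rather than one. The ordering of the XORs in z_{j,i} is the part newcomers most often get wrong: computing a_i b_j ⊕ a_j b_i first would put an unmasked product of two secrets on a wire.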
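The pair encoding on “The High Level Approach” slide (0 → 01, 1 → 10, 00/11 → ⊥) is easy to model. The Python below is an added example, not code from the talk or the IPSW06 paper: it evaluates a small constructed circuit in the encoded domain, lets a single Reset force one physical wire to 0, and shows that each Reset either leaves the value unchanged or turns it into ⊥, which then propagates to the output (self-destruct). The gate representation, wire numbering and the sample circuit are my own; the ISW03 layer that the slide adds for k-wise independence is deliberately omitted so the remaining correlation between secrets and ⊥ is visible.

```python
"""Toy model of the 01/10 pair encoding under Reset attacks (added example)."""
from itertools import product

BOT = "bot"  # the error symbol, written ⊥ on the slide

VALID = {(0, 1): 0, (1, 0): 1}  # 00 and 11 are invalid and mean ⊥


def encode(bit):
    return (0, 1) if bit == 0 else (1, 0)


def decode(pair):
    return VALID.get(pair, BOT)


def enc_not(p):
    # Swapping the two physical wires negates a valid pair; 00 and 11 stay invalid.
    return (p[1], p[0])


def enc_and(p, q):
    # Any invalid operand yields the invalid pair 00, so ⊥ propagates downstream.
    if p not in VALID or q not in VALID:
        return (0, 0)
    return encode(VALID[p] & VALID[q])


def evaluate(circuit, inputs, reset=None):
    """Evaluate `circuit` on plain input bits. Gates are ("NOT", src) or
    ("AND", src1, src2); wire ids are 0..n-1 for inputs, then one per gate in order.
    `reset` = (wire_id, physical_index) forces that physical wire of that logical
    wire to 0 as soon as it exists. Returns 0, 1 or BOT (self-destruct)."""
    wires = {i: encode(b) for i, b in enumerate(inputs)}

    def maybe_reset(wid, pair):
        if reset is not None and reset[0] == wid:
            lst = list(pair)
            lst[reset[1]] = 0
            return tuple(lst)
        return pair

    for wid in list(wires):
        wires[wid] = maybe_reset(wid, wires[wid])
    n = len(inputs)
    for k, gate in enumerate(circuit):
        if gate[0] == "NOT":
            val = enc_not(wires[gate[1]])
        elif gate[0] == "AND":
            val = enc_and(wires[gate[1]], wires[gate[2]])
        else:
            raise ValueError(gate)
        wires[n + k] = maybe_reset(n + k, val)
    return decode(wires[n + len(circuit) - 1])


def reset_outcomes(circuit, inputs):
    """Outcome of every possible single Reset: (wire, physical index) -> 0 / 1 / BOT."""
    n_wires = len(inputs) + len(circuit)
    return {(w, p): evaluate(circuit, inputs, (w, p))
            for w, p in product(range(n_wires), (0, 1))}


# Constructed sample circuit: out = NOT(x0) AND x1
SAMPLE = [("NOT", 0), ("AND", 2, 1)]

if __name__ == "__main__":
    print("no attack:", evaluate(SAMPLE, [0, 1]))
    for attack, result in sorted(reset_outcomes(SAMPLE, [0, 1]).items()):
        print("reset", attack, "->", result)
```

With inputs (0, 1) every wire carries the encoded value 10 except x0, so resetting physical wire 0 of any of them yields ⊥ while resetting wire 1 is harmless, and for x0 it is the other way round. Whether a Reset is “lucky” therefore reveals the bit on that wire; that is precisely the correlation between secrets and ⊥ the slide points to, and why the construction layers ISW03 sharing underneath so that an attacker must be lucky k times before any secret is exposed.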