Posted on 15-Dec-2015


Leakage-Resilient Cryptography: New Developments and Challenges

Vinod Vaikuntanathan

Microsoft Research & U. Toronto

Secrets

Information accessible to one party and not to other(s). Essential to cryptography!

Theory vs. real life:

Secrets leak!

– [Kocher’96]
– [Kocher,Jaffe,Jun’98]
– [Quisquater’01]
– Cache-timing [Bernstein’05, OST’05]

So, what can we do about it?

Leakage-Resilient Cryptography

Can we do crypto with no (perfect) secrecy, i.e., when the boundary between secret and public is not clean?

Yes (in most cases).

A fundamental question in the foundations of cryptography.

Three Commandments (Axioms of Leakage) [Micali-Reyzin’04]

I. Secrets leak in arbitrary ways. (Except: leakage is polynomial-time computable, and does not betray the entire secret key.)

II. Secrets leak from everywhere. (Hard disk, RAM, cache, registers, randomness sources, …)

III. Secrets leak all the time. (No protected time periods.)

Interpreting the Commandments (or, Two Leakage Models)

A Simple Interpretation: Bounded Leakage [AGV09]

– Total leakage λ < |SK| [AGV09,NS09,KV09,ADW09,ADN+10,…]

– Adversary can learn any efficiently computable function L:{0,1}* → {0,1}^λ of the secret key(*); it sees sk only through the λ-bit string L(sk).

(*) Ideally, leakage from the entire secret state.

Variations:

– Auxiliary Input Model [DKL’09,DGKPV’10]: L is an uninvertible function of SK

– Noisy Model [NS’09]: H∞(SK | L(SK)) > |SK| − λ

Interpreting the Commandments (or, Two Leakage Models)

A Realistic Interpretation: Continual Leakage [ISW03,MR04,DP08,Pie09,FKPR10,FRRTV10,BKKV10,DHLW10,…]

– Rate of leakage λ (leakage per time period) < |SK|

– Adversary can learn any efficiently computable function L_i:{0,1}* → {0,1}^λ of the secret key at each “time period” (L1(sk), L2(sk), …)

Observations:

– Of course, the secret key should be refreshed in each time period.

– Non-trivial: refresh SK without changing PK (in public-key systems), or without co-ordination (in secret-key systems)

Talk Plan

PART 1: Bounded Leakage Model

– One-way Functions

– Digital Signatures

– Public-key Encryption

PART 2: Continual Leakage Model

PART 3: Some Research Directions

– Leakage-resilient Compilers, Tamper Resistance, …

A Brief History of Leakage in Crypto

“We stand on the shoulders of giants…”

Privacy Amplification [von Neumann’46,…,Bennett-Brassard-Robert’85]

– “Distill a perfectly random shared key from an imperfect one”

Bounded Storage/Retrieval Models [Maurer’92,…,Di Crescenzo-Lipton-Walfish’06,Dziembowski’06]

Exposure-Resilient Cryptography [Rivest’97, Boyko’98, CDHKS’00, ISW’03, IPSW’06]

– Leakage = a subset of bits of SK

– We want to tolerate arbitrary (PPT) leakage functions (axiom 1)

– More generally, MPC, threshold crypto etc.

Proactive Cryptography [HJKY’95, HJJKY’97, R’98]

– “How to cope with perpetual leakage” (a continual leakage model)

Recent work, in order:

[Ishai-Sahai-Wagner 2003] [Micali-Reyzin 2004] [Dodis-Ong-Prabhakaran-Sahai 2004] [Ishai-Prabhakaran-Sahai-Wagner 2006] [Dziembowski-Pietrzak 2008] [Akavia-Goldwasser-V. 2009] [Pietrzak 2009] [Dodis-Kalai-Lovett 2009] [Naor-Segev 2009] [Dodis-Goldwasser-Kalai-Peikert-V. 2009] [Katz-V. 2009] [Faust-Kiltz-Pietrzak-Rothblum 2009] [Alwen-Dodis-Wichs 2009] [Goldwasser-Kalai-Peikert-V. 2010] [Alwen-Dodis-Naor-Segev-Walfish-Wichs 2009] [Juma-Vahlis 2010] [Faust-Rabin-Reyzin-Tromer-V. 2010] [Brakerski-Kalai-Katz-V. 2010] [Goldwasser-Rothblum 2010] [Dodis-Haralambiev-Lopez-Alt-Wichs 2010] [Lewko-Waters 2010] [Chow-Dodis-Rouselakis-Waters 2010] [Boyle-Wichs-Segev 2011] [Kiltz-Pietrzak 2011] [Malkin-Teranishi-Vahlis-Yung 2011] [Jain-Pietrzak 2011] [Halevi-Lin 2011] [Lewko-Rouselakis-Waters 2011] [Lewko-Lewko-Waters 2011] …

Bounded Leakage

Leakage-Resilient One-way Functions

Easy observation: “Hardness ⇒ Leakage-resilience” (an adversary without leakage can simply guess the λ leaked bits, at a 2^λ loss in security).

– Similar connections for other primitives (enc, sig, …)

– Need 2^{O(n)}-hardness to get O(n)-LR.

Theorem [KV09,ADW09]: If there are Universal One-way Hash Functions, then there are LR one-way functions.

– Corollary [NY89,Rom90]: If OWFs exist, then LR OWFs exist.

Leakage-Resilient One-way Functions

Proof: information-theoretic + crypto techniques. A blueprint for most leakage-resilience proofs.

Proof: reduction (UOWHF-breaker). The reduction receives (f, x) from the UOWHF challenger and must return x′ ≠ x with f(x′) = f(x). It picks x ← {0,1}^n, computes y = f(x) and the leakage L(x) from the x it holds, runs the leakage adversary on (f, f(x), L(x)), and forwards the adversary’s output x′.

Why it works (f is a compressing function, as a UOWHF is; the right-hand sides below are the standard bounds, only the chain itself is on the slide):

– H∞(x) = n

– H∞(x | f(x)) ≥ n − |f(x)|

– H∞(x | f(x), L(x)) ≥ n − |f(x)| − λ

– H∞(x | f(x), L(x)) ≥ 1 as long as λ ≤ n − |f(x)| − 1

– Adversary returns x′ ≠ x w.p. ≥ 1/2 (any x′ computed from its view equals x with probability at most 1/2) → breaks UOWHF

A Blueprint for Leakage Proofs

– Problem with many solutions

– Hard: given one solution, find another

– Security reduction has one solution, computes leakage using that

– Adversary doesn’t have enough info to pin-point the solution (information-theoretic argument)

– Adversary returns a different solution, unwittingly solves the hard problem (computational argument)
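The information-theoretic step of the blueprint (“adversary doesn’t have enough info to pin-point the solution”) can be checked by brute force for toy sizes. The following is example code added here, not from the talk: it enumerates every view (f(x), L(x)) of a uniform x ∈ {0,1}^n, computes the exact average min-entropy of x given that view, and compares it with the bound n − |f(x)| − λ from the proof. The compressing function f_toy, the parameters and the two leakage functions are constructed for the demo (f_toy is a stand-in, not a UOWHF).

```python
import math

def view_count(n, f, leak):
    """Number of distinct adversary views (f(x), L(x)) over x in {0,1}^n (brute force)."""
    return len({(f(x), leak(x)) for x in range(1 << n)})

def avg_min_entropy(n, f, leak):
    """Average min-entropy H_inf(X | f(X), L(X)) for X uniform on {0,1}^n.
    For uniform X every view z has max_x Pr[X=x, Z=z] = 2^-n, so the
    average min-entropy is exactly n - log2(#views)."""
    return n - math.log2(view_count(n, f, leak))

def best_guess_success(n, f, leak):
    """Success probability of the optimal guesser of x from its view: 2^-H."""
    return view_count(n, f, leak) / (1 << n)

def entropy_lower_bound(n, m, lam):
    """The chain from the proof: f(x) and L(x) together take at most 2^(m+lam)
    values, so H_inf(X | f(X), L(X)) >= n - m - lam."""
    return n - m - lam

# Toy parameters (constructed): 12-bit inputs, 8-bit outputs, 3 bits of leakage.
N, M, LAM = 12, 8, 3

def f_toy(x):
    # Compressing function {0,1}^12 -> {0,1}^8; determines x mod 256 (37 is odd).
    return (37 * x + 11) & 0xFF

def leak_top_bits(x):
    # Damaging leakage: the 3 high bits, about which f_toy says nothing.
    return x >> (N - LAM)

def leak_low_bits(x):
    # Redundant leakage: the 3 low bits, already determined by f_toy(x).
    return x & ((1 << LAM) - 1)

def check_blueprint(leak):
    """Return (entropy, proof bound, best-guess success) for a leakage function."""
    h = avg_min_entropy(N, f_toy, leak)
    return h, entropy_lower_bound(N, M, LAM), best_guess_success(N, f_toy, leak)

if __name__ == "__main__":
    for name, leak in [("top bits", leak_top_bits), ("low bits", leak_low_bits)]:
        h, bound, p = check_blueprint(leak)
        print(f"{name}: H_inf = {h:.2f} >= {bound}; best guess succeeds w.p. {p:.3f}")
```

With the top-bits leakage the bound is met exactly (one bit of entropy remains, so the adversary’s guess equals x with probability 1/2), which is the situation the proof needs.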

Leakage-Resilient Signatures

Security game: the adversary is given PK, may ask for signatures Sign_SK(m) on messages m of its choice and for leakage L(SK), and must not be able to produce a signature for a new m*.

Theorem [KV09]: λ-leakage-resilient OWF (+ simulation-extractable NIZK [S99,DDOPS01]) → λ-leakage-resilient signatures

SK: x. PK: (f, y = f(x), CRS_nizk), where f is a λ-LR OWF.

Sign(m): SimExt-NIZK_m for “∃x s.t. PK contains f(x)”

Proof idea (similar to [Bellare-Goldwasser’92]):

– Signature contains no (computational) info on SK (zero-knowledge).

– Forgery ⇒ extract a secret key (simulation-extractability).

– Break the LR OWF.

LR Signatures: Subsequent Results

[ADW09]: Fiat-Shamir transform + LR OWFs → LR-Sigs in the random oracle model.

[DHLW10]: Efficient LR Sigs without random oracles (using bilinear maps).

[BKKV10,DHLW10]: Continual LR Sigs

[BSW11,MTVY11]: (continual) LR Sigs where the randomness used for signing can leak as well.

[LLW10]: Continual LR Sigs where the key update phase leaks as well

Leakage-Resilient Public-key Encryption (cpa)

Security game: the adversary is given PK and leakage L(SK), then a challenge ciphertext Enc(b) for b ←$ {0,1}, and must not be able to predict b.

– [AGV09]: based on lattices (shows that [Regev05,GPV08] is leakage-resilient)

– [NS09,DGKPV10]: based on Diffie-Hellman (shows that [BHHO08] is leakage-resilient)

– [NS09]: from any hash proof system [CS02]

Leakage-Resilient Public-key Encryption

Theorem: For every λ < |SK| − secparam, there is (cpa-secure) public-key encryption that tolerates λ bits of leakage.

Construction Outline

Old idea: one public key, many possible secret keys. Each PK in the public-key space corresponds to many SKs in the secret-key space.

Hard problem: given one SK, find another.

► Correctness: all secret keys decrypt C = Enc_PK(M) to the same message M.

For starters, suppose the adversary (given pk and leakage) finds sk:

– Reduction knows one SK, simulates leakage from it

– Adv. gets pk + leakage → not enough info to fully specify SK

– Adv. finds SK′ ≠ SK → breaks the hard problem.

Proof that the adversary cannot break cpa-security needs one more idea.

New idea: REAL encryption vs. FAKE encryption

► RealEnc_PK(M) gives a C that every secret key decrypts to M.

► FakeEnc gives a C that different secret keys decrypt to different messages (M1, M2, M3, …)

► and yet, Fake ≈ Real (even given an SK)

Security Proof

“Real world”: the adversary sees L(SK) and C = RealEnc_PK(M), which decrypts to M under every SK.

“Fake world”: the adversary sees L(SK) and C = FakeEnc, which decrypts to M1, M2, M3, … under the different SKs.

Fake ≈ Real even given an SK, so the two worlds are indistinguishable; in the fake world the leakage L(SK) does not pin down which SK is the real one, so the decrypted message is hidden.
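A concrete instance of the outline above (one PK with many SKs, “given one SK, find another” as the hard problem, and real vs. fake encryption), added here as example code rather than the talk’s own construction: a Diffie-Hellman-style scheme in the spirit of [BHHO08]/[NS09] with two-component secret keys. The toy group (p = 1019, q = 509), the trapdoor W and the message are constructed for the demo.

```python
import random

# Toy parameters (constructed): p = 2q + 1 is a safe prime, G1 generates the
# order-q subgroup of Z_p^*; W is the trapdoor log_G1(G2) that only the
# reduction knows. Real deployments use large groups; these are for illustration.
P, Q = 1019, 509
G1 = 4
W = 123
G2 = pow(G1, W, P)

def keygen(rng):
    """PK is h = g1^x1 * g2^x2; every (x1, x2) with x1 + W*x2 = const is a valid SK."""
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    return pow(G1, x1, P) * pow(G2, x2, P) % P, (x1, x2)

def another_sk(sk):
    """Second SK for the same PK. Needs the trapdoor W: finding one without it
    is the 'given one SK, find another' hard problem (a discrete log)."""
    x1, x2 = sk
    x2n = (x2 + 1) % Q
    return ((x1 + W * (x2 - x2n)) % Q, x2n)

def real_enc(h, m, rng):
    """Real encryption: (g1^r, g2^r, h^r * m); every SK recovers the same m."""
    r = rng.randrange(1, Q)
    return pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P

def fake_enc(sk, m, rng):
    """Fake encryption: r1 != r2, padded with the given SK; other SKs decrypt
    it to other messages. Fake ~ Real under DDH, even given an SK."""
    x1, x2 = sk
    r1 = rng.randrange(1, Q)
    r2 = (r1 + rng.randrange(1, Q)) % Q   # r2 != r1: the offset is nonzero mod Q
    c1, c2 = pow(G1, r1, P), pow(G2, r2, P)
    return c1, c2, pow(c1, x1, P) * pow(c2, x2, P) * m % P

def dec(sk, ct):
    x1, x2 = sk
    c1, c2, c3 = ct
    k = pow(c1, x1, P) * pow(c2, x2, P) % P
    return c3 * pow(k, -1, P) % P       # modular inverse (Python 3.8+)

def demo(seed=7):
    """One real and one fake encryption, decrypted under two SKs of the same PK."""
    rng = random.Random(seed)
    h, sk = keygen(rng)
    sk2 = another_sk(sk)
    m = pow(G1, 77, P)
    real, fake = real_enc(h, m, rng), fake_enc(sk, m, rng)
    return {"same_pk": pow(G1, sk2[0], P) * pow(G2, sk2[1], P) % P == h,
            "real_sk": dec(sk, real) == m, "real_sk2": dec(sk2, real) == m,
            "fake_sk": dec(sk, fake) == m, "fake_sk2": dec(sk2, fake) == m}
```

The fake ciphertext decrypts to m under the SK it was built with and to a different message under the other SK, which is exactly the property the security proof exploits.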

LR Public-key Encryption: Subsequent Results

[NS09]: CPA-secure → CCA-secure with the same leakage-resilience (idea: use Naor-Yung)

[AGV09,ADN+10,CDRW10]: leakage-resilient IBE (with leakage from the user secret keys).

[LW10]: leakage-resilient IBE (with leakage from the master secret key as well), LR HIBE, ABE etc.

[BKKV10,DHLW10]: Continual LR Encryption

[LLW10]: Continual LR Enc where the key update phase leaks as well

[HL11]: “After-the-fact” Leakage

Continual Leakage

Continual LR Public-key Encryption

Unbounded leakage, but bounded in each time period: the adversary learns L1(sk1) in period 1, L2(sk2) in period 2, and so on.

Challenge: keep the public key the same.

Solution idea: “refresh” (randomize) the secret key in each period (sk1 → sk2 → …)

– Users (encryptors) are oblivious of the updates!

Theorem [BKKV10]: CLR-secure public-key encryption schemes that tolerate (in every time step):

– (1/2 − ε)|SK| leakage, based on the decisional linear assumption in bilinear groups

– (1 − ε)|SK| leakage, based on the symmetric external DH assumption in bilinear groups

Other results:

[BKKV10]: CLR-secure signatures and IBE (with leakage from user secret keys)

Concurrently, [DHLW10]: efficient CLR-secure signatures, ID schemes and AKA schemes

[LLW11]: tolerates large leakage from updates

How to update SK? (without changing PK)

First idea: resample from the sk space corresponding to pk, so that the leakages L1(SK1), L2(SK2), L3(SK3), L4(SK4) are on independent keys. PROBLEM: this is supposed to be hard!

New idea: “neighborhood of SKs”

• Given a secret key:

– Easy to resample inside its neighborhood.

– Hard to find a secret key outside of the neighborhood.

• Sampling in the neighborhood ≈c sampling from the entire (corresponding) sk space. Adv. can’t tell the difference.

• “Proof” outline:

– Reduction knows sk and updates in the neighborhood.

– To Adv., the updates “look like” samples from the entire space.

– Even given leakage, Adv. cannot recover any leaked key entirely, so it will have to come up with a new sk′ ≠ sk.

– WHP sk′ is not in the neighborhood → breaks the hard problem.

Some Open Questions

SO FAR: designed SPECIFIC crypto primitives (sigs., enc.) secure against continual leakage.

Foundational Questions

QUESTION: any circuit → continual leakage-resilient circuit

– Yao/GMW/BGW/CCD for leakage-resilient crypto

– Automatically leakage-proof commonly used cryptosystems, e.g., RSA / AES

Many partial results:

[Ishai-Sahai-Wagner’03]: any circuit → “probing-resilient” circuit secure against leakage of ≤ t wires

[FRRTV’09]: any circuit → circuit secure against AC0 leakage

[JV’10,GR’10]: any circuit → circuit secure against polynomial-time leakage

(assuming a small piece of secure hardware)

(assuming a small piece of secure hardware + secure memory)

OPEN: a compiler against general leakage functions (without secure hardware)

[BGIRSVY’00,Imp’10]: this has connections to program obfuscation!

Practical Questions

In theory, we have practical constructions.

– How about truly practical constructions? (e.g. [YSPY’10])

– Perhaps relax the model in a meaningful way

Given a side-channel attack, how much information does it leak? [SVO+10] (model vs. reality)

To Conclude…

Very active field, lots of work recently! Information-theoretic (entropy) + computational techniques.

Tons of open problems:

– Parallel repetition for leakage amplification [DW,LW]: suppose scheme S tolerates L bits. Can we “repeat it in parallel” n times and get nL-bit leakage-tolerance?

– Tamper resistance [IPSW, GLMMR, DPW, Malkin et al.]: many attacks, Boneh-Lipton, Shamir’s bug attacks...

Thanks! Questions?

You can find me here …