cryptography against memory attacks lattice based results
TRANSCRIPT
Cryptography against
Memory Attacks
Lattice Based Results
Recall: Public-Key Encryption against Memory Attacks
Security against adaptive α(n)-memory attacks
Adversary A
PK
m0,m1
Enc PK(mb)
b'
(PK,SK)←G(1n)
For every PPT adversary A,
where |)(||)(| SKSKfi , Pr[b=b'] ≈1/2.
fi(SK)
fipoly(n) f(SK)
f
Encryption against Memory AttacksSecurity against adaptive α(n)-memory attacks
Adversary
PK
m0,m1
Enc PK(mb)
b'
(PK,SK)←G(1n
)
For every PPT adversary A,
where |)(||)(| SKSKfi , Pr[b=b'] ≈1/2.
f(SK)
• captures cold-boot attacks & much easier to achieve
f
Design Strategies
Design New Schemes -- LAST TIME (moni)
- Might lose other hard-earned properties (efficiency, homomorphism,…)
Show Old Schemes Secure (today)- Many existing schemes (RSA, factoring-based) insecure- Are there any that are secure?
Randomized encoding of secret-key
- No good against adaptive attacks- Increases length of storage, decreases efficiency- Have to recover original secret-key to work with
it….
- Represent sk as (s, sk Ext (source,s)) for random s,source
Work [Akavia+G+Vaikuntanathan]
non-adaptive mem. attacks that leak |SK|-ℓ bits
Theorem: Regev’s lattice-based PKC is semantically secure against:
adaptive mem. attacks that leak (1-ε)|SK| bits, ∀ε>0
Show Old Schemes Secure
- assuming hardness of learning with errors with smaller dimension ≈ℓ
- assuming hardness of learning with errors with smaller dimension and (slightly) smaller noise(ε)
Outline
• What is a Lattice?• q-ary lattices• Why Lattices?
– Hard Problems– Best Algorithms: Exponential (even Quantum)– Worst case to Average Reductions– Simple operations on small numbers
• Why Not Lattices?– Large dimensions to resist heuristics– Keys quadratic in dimensions
• LWE: LPN mod q > 2• Regev PKC• Regev Proof of Security• Regev: Leakage Resistance
Basis: b1,…,bn vectors in Rn
The lattice L is
L={y=b1x1+…+bnxn| xi integers}
The dual lattice of L is
L*={x | <x,y> in Z, y in L}
Lattices
b1 b2
0
2b1b1+b2 2b2
2b2-b1
2b2-2b1
Basis is not unique
0
v2
v1
v1’
v2’
Lattices where membership of y in lattice is determined by y mod q, q prime
Most crypto based on lattices uses q-ary lattices as a basis for their hard-on-average problem
Let A = in Zqnxm and q prime
– Can define m dimensional q-ary lattice L=Lq to be L(A)= {ATs mod q in Zm for s Zn}
- The dual lattice of L is L* (A) ={x in Zm | Ax=0 mod q }
q-ary (modular) Lattices
Hard Problems on Lattices
• SVP: Given a basis B, find a shortest vector
Shortest Vector Problem (SVP)
0
b2
b1
• CVP: Given a basis and a target vector t, find the closest lattice point to t
• Seems very difficult, however, checking if a point is in a lattice is easy
Closest Vector Problem (CVP)
0
v2
v1
tt
Approximation Versions
• In lattice based cryptography one typically considers approximation variant of these problems.
• Add approximation factor to the problems• SVP : find v at most time the shortest
non-0 vector in lattice• CVP: find the closest vector in the lattice
within a factor from the closest• Can define for any norm but we will use
Euclidean, ||x|| = xi2
• SVP-search: given basis B, find an approximately shortest vector w s.t. ||w||<||v|| where v is the shortest
• Gap-SVP: given basis B Zmxn and rZ determine whether shortest vector v, ||v||< r or ||v|| >r
Approximate Shortest Vector Problem (SVP):
Search and Decision
b1
b2
b2-b1
O
• Search-CVP: Given a basis and a target vector t, find the approximately closest lattice point
• Gap-CVP: Given BZmxn and t Qm,r Q, output
• 1 if dist(t,L(B)) < r and else 0
Closest Vector Problem (CVP): Search vs, Decision
0
Best Algorithms
• LLL82: approximation in poly-time, approximation factor is (2/√(3))n
• Schnorr: approximation factor 2O(nloglogn/logn)
• AKS : Best exact (or poly-factors) in time and space 2n
• Note comparison to factoring and discrete-log funding algorithms
Worst Case vs. Average Case
Worst-case Hard Average-case Hard
At least one instance
hard
Average instancehard
SAFEST TO ASSUME
=LATTICE PROBLEM
NEEDED IN CRYPTO
Ajtai
Worst Case vs. Average Case [Ajtai]
Avg: Given random matrix A Zqnxm for
q=poly(n), m > nlog q , find short vector x0 in Zq
m
s.t. Ax =0 mod q (i.e. x L* , L=Lq(A) q-ary lattice) .
Short: say ||x||=m
Ajtai showed that SVP as hard as solving Avg for any-worst-case SVP instance
( = poly (n), q=nc, m > n log q)
Uses of Lattice in Cryptography
• One Way Functions
• Hash Functions
• Public- Key Cryptography:– Ajtai-Dwork97, Regev04 : Unique SVP– GGH97, GPV08: – Regev05: GapSVP (quantum)
LPN: Learning from parity with error
•Let Let ssZZ22nn be a secret be a secret
•We have random equations modulo 2 We have random equations modulo 2 with error (everything independent):with error (everything independent):
•Without error, it’s easy!Without error, it’s easy!
ss22+s+s33+s+s44+ s+ s66+…+s+…+snn 00
ss11+s+s22+ s+ s44+ s+ s66+…+s+…+snn 11
ss11+ s+ s33+s+s44+s+s55+ …+s+ …+snn 11
ss22+s+s33+s+s44+ s+ s66+…+s+…+snn 00
..
..
..
•More formally, we need to learn More formally, we need to learn ss from from samples of the form samples of the form (t,st+e)(t,st+e) where where tt is is chosen uniformly from chosen uniformly from ZZ22
nn and and ee is a bit is a bit that is 1 with probability p=10%. that is 1 with probability p=10%.
•Easy algorithms need 2Easy algorithms need 2O(n) O(n) equations/timeequations/time
•Best algorithm needs 2Best algorithm needs 2O(n/logn)O(n/logn) equations/time [equations/time [BlumKalaiWasserman’00BlumKalaiWasserman’00]]
LPN: Learning parity with error
Regev introduced: Learning modulo q (LWE)
• Fix some prime qFix some prime q
• Let Let ssZZqqnn be a secret vector be a secret vector
• We have random equations modulo We have random equations modulo qq with error where the coefficients are mod with error where the coefficients are mod qq 2s2s11+0s+0s22+2s+2s33+1s+1s44+2s+2s55+4s+4s66+…+4s+…+4snn
22
0s0s11+1s+1s22+5s+5s33+0s+0s44+6s+6s55+6s+6s66+…+2s+…+2snn 44
6s6s11+5s+5s22+2s+2s33+0s+0s44+5s+5s55+2s+2s66+…+0s+…+0snn 22
6s6s11+4s+4s22+4s+4s33+4s+4s44+3s+3s55+3s+3s66+…+1s+…+1snn 55
..
..
..
LWE: Learning modulo q
• Formally, learn Formally, learn ss from samples of the from samples of the form form (a,as+x)(a,as+x) where where aa is chosen is chosen uniformly from uniformly from ZZqq
n n and and xx is chosen from is chosen from -normal dist over Z-normal dist over Zq q (i.e mean 0, variance (i.e mean 0, variance q q
to sample: to sample: choose in [0,1), multiply by q and choose in [0,1), multiply by q and round)round)
• Easy algorithms need 2Easy algorithms need 2O(nlogn) O(nlogn)
equations/timeequations/time
• Best algorithm needs 2Best algorithm needs 2O(n)O(n) equations/time equations/time [[BlumKalaiWasserman’00BlumKalaiWasserman’00]]
Connection to Lattices [Regev]
Theorem: Learning modulo q (LWE) is as Theorem: Learning modulo q (LWE) is as hard as worst-case lattice problems hard as worst-case lattice problems (gapSVP(gapSVP ) using a quantum reduction ) using a quantum reduction
where q =poly(n) is prime, where q =poly(n) is prime, m=poly(n)m=poly(n)
LWE with LWE with -normal error, -normal error, q>2sqrt(n)q>2sqrt(n) =O(n/=O(n/))
• In other words: solving the problem In other words: solving the problem implies an efficient quantum algorithm implies an efficient quantum algorithm for latticesfor lattices
Decision version: Learning modulo q
• Distinguishing Distinguishing • samples (a, u) where u is chosen samples (a, u) where u is chosen uniformly in Zuniformly in Zqq and and aa is chosen is chosen uniformly from uniformly from ZZqq
n n
• samples of the form samples of the form (a, as+x)(a, as+x) where where aa is chosen uniformly from is chosen uniformly from ZZqq
n n and and xx is is chosen from chosen from -normal dist over Z-normal dist over Zqq
Theorem [Regev ]
There is a polynomial (in n and q) There is a polynomial (in n and q) reduction from LWE-search (with m reduction from LWE-search (with m samples) samples)
to LWE-decision (with m’=mpoly(n,q) to LWE-decision (with m’=mpoly(n,q) samples) (with same error distribution)samples) (with same error distribution)
In other words can rely on LWE-decision In other words can rely on LWE-decision being being
as hard as gapSVP as long as q=poly(n)as hard as gapSVP as long as q=poly(n)
Connection to Lattices [Pekert09]
Theorem:Theorem: Learning modulo q (LWE) is as Learning modulo q (LWE) is as hard as worst-case lattice problems hard as worst-case lattice problems (gapSVP(gapSVP ) using a ) using a classical reductionclassical reduction
where q =2where q =2n/2n/2 is prime, is prime, m=poly(n)m=poly(n)
LWE with LWE with -normal error, -normal error, q>2sqrt(n)q>2sqrt(n) =O(n/=O(n/))
• In other words: solving the problem In other words: solving the problem implies an efficient quantum algorithm implies an efficient quantum algorithm for latticesfor lattices
Regev’s Public-Key Encryption
Secret-key SK:
nqZs
Public-key PK:
),( xsAA
A: m-by-n matrixx: low-weight “error”
O
a1
a2As
As+x
q=poly(n) n3
m >> n
Regev’s Public-Key Encryption
Secret-key SK:
nqZs
Public-key PK:
),( xsAA
A: m-by-n matrixx: low-weight “error”
EncPK(b): 2/)(, qbxsArAr r
“low-weight” vector
Regev Public Key Encryption
Secret-key SK:Public-key PK:
),( xsAA
EncPK(b): )(, xAsrrA r
“low-weight” vector if b=0 urA, if b=1
DecPK(a,b): 0 if b = as = (rA)s, else output 1
“very likely” to be 0rx
LWE Assumption: (A, As+x) ≈c (A, u)
semantic security
[Re05] Approx Worst Case SVP quantum-hard LWE Assumption
leak L(s)nqZs
Security for Adaptive Memory attack
Secret-key SK:Public-key PK:
),( xsAA
EncPK(b): )(, xAsrrA if b=0 urA, if b=1
- view the secret key s as a min-entropy source - encryption act as a randomness extractor from s
leak L(s)
But given (A, As+x), s is unique with prob 1-neg !!!
Show: Ciphertext ≈c Uniform, given public key and leakage.
nqZs
Proof of Security
Goal: Ciphertext ≈ Uniform, given PK and leakage.
AdvA
f
f(s)
),( xsAA
',uuAdvA
f
f(s)
),( xsAA
)(, xsArAr
c
≈c
REAL WORLD IDEAL WORLD
Proof of Security
Step 0 (Leap of faith)
AdvA
f
f(s)
),( xsAA
sArAr ,
“REAL” WORLD
Ignore xr
in ciphertext
Proof of Security
Step 1. Leftover hash lemma
AdvA
f
f(s)
),( xsAA
sArAr ,
“REAL” WORLD
Leftover Hash Lemma [ILL]
),(),( uAArA sIf r has “large min-entropy” and A is uniform and independent of r
AdvA
f
f(s)
),( xsAA
suu ,
EXPT 1
≈s
Would like to say: Proof of Security
AdvA
f
f(s)
),( xsAA
suu ,
EXPT 1
Step 2.
Change A to A' s.t
- A ≈ A'c
Given PK=(A, As+x) and f(s), SK=s has large entropy- Given PK=(A', A's+x) and f(s), SK=s has large
entropy
Step 3.
Leftover hash lemma →
)',(),( uusuu s
≈c
AdvA
f
f(s)
)','( xsAA
',uu
IDEAL WORLD
O
a1
a2
As
As+x
O
a1 a2
≈c
A'A
([GKPV’09], similar to [P’09])
Main Idea: Lattice Lemma [GKPV]
O
a1
a2
As
As+x
O
a1 a2
A
Change distribution of A to A’ and ``Introduce entropy’’ into the distribution of secret key s
- Show A' ≈c A - s has large average min-entropy [DRS07] given PK =(A’,A’s+x) and f(s)
A’
Under LWE
Average Conditional Min-Entropy [DORS]
Probability distribution X over {0,1}n
H’1(X|Z) = - log E z(maxx Pr[X=x|Z=z])
Lemma [DORS]:
• if Z takes at most 2k values, then H’1(X|Z)>H’1(X)–k
•. Can Extract: Given H’1(X|Z) > H’1(X) – k and 2-universal Ext, (S, Ext(X,S), Z) (S,U,Z)
(any randomness extractor works with a distribution
with high entropy in this sense)
Represents the worst case predictability by an adversary who may also observe correlated Z probability of the most likely value of X
Proof of Security
AdvA
f
f(A’,s,x)
),( xsAA
suu ,
EXPT 1
Step 2 (Lattice lemma)Change distribution of lattice into A s.t- A ≈ A'
c
- Given PK=(A, As+x), SK=s has large min-entropy
AdvA
f
f(A’,s,x)
)','( xsAA
suu ,
EXPT 2
≈c
Proof of Security
AdvA
f
f(A’,s,x)
)','( xsAA
suu ,
EXPT 2
Step 3 (Leftover hash)
Extract randomness from s
≈s
AdvA
f
f(A’,s,x)
)','( xsAA
',uu
IDEAL WORLD
“large”))(,,|( sfxsAAsH
Proof of Security
AdvA
f
f(A’,s,x)
)','( xsAA
Ideal world
Step 4 Switch back to A
≈c
AdvA
f
f(A,s,x)
),( xsAA
',uu
REAL WORLD
',uu
Identity Based Encryption (IBE)
• Shamir[86], Boneh-Franklin[90]: Identity Based Encryption (IBE)
– Can be used by user to periodically generate (pki,ski) keys for Laptops
• Memory Leakage from laptops: do we have IBE which is secure against it ?
Identity Based Encryption [AGV]
Theorem 1:
Theorem 2:
An IBE scheme which is semantically secureagainst an n-o(n) non-adaptive memory attack.
Assuming: LWE + random oracle model as in GPV
An identity-based encryption scheme semantically
secure against an (1-)n adaptive memory attack.
An IBE scheme of GentryPeikertVaikuntanathan08 is semantically secure against an n-o(n) non-adaptive memory attack.
The IBE scheme of GPV08 is semantically secure against an (1-)n adaptive memory attack.
Extending Model of Secret Key Leakage ??
Dodis, Kalai, Lovett STOC09: How about capturing more settings ?
Same secret-key used in many applications: e.g. Signatures and encryption using same secret
Maybe no pseudo entropy left in the secret
Hard to Invert Leakage functions [DKL09]
• nppt A, prob (A(f(x))=x] < 1/2α(n)
Adversary can choose any leakage function f to receives f(sk)
• f is poly-time computable
Relation to memory-attacks Yael will give lecture here next week
(n)-Auxiliary Input Security:
Extending Model of Secret Key Leakage ??
Alwen, Dodis, Walfish, Wichs: Bounded Retrieval Model
Thesis: Security parameter should be independent of leakagePropose: Absolute leakagePKC where everything except for secret key size is independent of leakageOther primitives as well in this model
Main Idea
Use leakage-resistant IBE = (Setup,KeyGen, Enc, Dec)
• PK = master public key MPK of IBE
• SK =ski for identities i=1…n
Encrypt(m):
• Choose random subset of ski of size t
• Secret Share(m) with shares m1..mt and encrypt shares ci=Enc(idi,mi). Let c = c1…ct
Why? Adversary at the time of leak does not know which secondary keys you will decrypt with and n>>l
Note: PK is not large but SK is.
Problems with Main Idea & Fix
• Problem: Leakage function L(MPK) may leak information on all secondary secret keys sk1..skn
– HW: Construct an example where this happens
• Main Idea’: – Construct HP-IBE: IBE based on Hash-Proof
Systems– Use the HP- IBE in Main Idea and get leakage-
resistant PKE in the BRM model
IB-HPS [Extend PKE-HPS to IB-HPS]
• IB-HPS: (Encap, Encap*, Decap) – (MPK,SPK)
– keyGen (id,SPK) outputs skid
– Encap (id,MPK) gives (c,k) [k is symm key] s.t,
– Decap (c, skid) gives k
– Encap* (id) outputs c’ c where c=Encap(id)
• Properties:– Decap(c,skid) unique for all skid with same id
– for c=Encap(id) c’=Encap*(id), c’ c, even given skid
– k=Decap(c, skid) is uniformly distributed for c’=Encap*(id)
• Gentry’s IBE implies such IBE-HP
– Dodis etal show how to get this from Gentry IBE
Final Construction: IB-HPS to leakage Resistant PKE (back to original idea)
• IB-HPS = (Setup, KeyGen, Encap, Encap*,Decap)
• PKE-KeyGen: let PK=MPK, let SK={ski i=1…n} for ski=keyGen(i,MSK)
• Encryt (m,pl):
– Choose random subset of ID= id1..idt of size t
– Let (C,K)= {(ci,ki)=Encap(idi)}.
– Let c= (ID,C,s,Ext(K,s)m) where s random seed• Decryt using Decap
Claim: Leakage resistant for l= N-2/t[N+nlogn] -3-5 where N= n|ski| and Ext is a strong extractor for a = Ent (K)
Proof idea
• Dist0: challenge=(ID,C,s,Ext(K,s)m) , leak• Dist1: challenge=(ID,C,s,Ext(K*,s)m) ,leak where
K*=decap(ci,skid )
• [By unique decapsulation from any sk]• Dist2: challenge=(ID,C*,s,Ext(K*,s)m), leak
where c* = encap*(id) k*=decap(c*,skid )
• [By encapsulation indist]• Dist3: challenge=(ID,C*,s,U)• [by uniformity of decap from encap*)• How much leakage: entropy type analysis
Indist holds even If sk was known, So certainly if leakIs known
MAIN OPEN QUESTION:Assumed a total bound on Leakage
• To extend to unbounded measurements each leaking a bounded amount– Move away from deterministic schemes andinject fresh randomness to secrets
• Part 1 Memory Leaks
• Part 2 Computation Leaks: Side Channel Attacks
Any computation on secrets leaks information
Read SKModify SKAdd Jump Consume PowerAllocate MemoryEmit Radiation
SK bit 1SK bit 2
…SK bit i
Algorithm with SK
Axiom: but Only Computation Leaks Information [Micali-Reyzin04]
Identify: Secure component Hthat computes some elementary function Implement Cryptographic Functionalities Securely when adversary Can fully observe all computation except for H
choose inputs
Micali Reyzin Example:
• Pseudo Random Number Generation:– Assume f one-way trapdoor permutation, – Assume that the H = lsb (f -1 (x))
• choose seed s • compute psr= HC(f -1 (s))||HC(f-1 (f-1 (x)))||
…||HC(f-k (x))• limit Adv to not see input to H
• f (s),…f
Axiom: but Only Computation Leaks Information [Micali-Reyzin04]
Identify: Secure component Hthat computes some elementary function Implement Cryptographic Functionalities Securely when adversary Can fully observe all computation except for H
choose inputs
Lets Ask for more: Security even if Adversary did Computation himself
Security when Adversary run entire executions himself, except for H
Securecomponents H
UNIVERSAL , SIMPLE
One Time Program [ G+Kalai+Rothblum08]
Use Very simple and universal secure hardware
Enable adversary to run single executions of any cryptographicfunctionality, learning nothing but the
output(provably No computational leakage)
A program which can be run by an adversary on single input, but is useless otherwise
P is one-time program for function f if1. Functionality
Computes f’s output on one input of user’s choice
2. One-Time SecrecyP leaks no more than f’s output on single input to an adversary with full access to P
P
x
f(x)
one-time programs
f(x)
P is Software-Hardware Package
Software
In clear
request
response
xSecure
Component H
– signature delegation
Delegation of Cryptographic Abilityin an insecure environment
(SK,PK)Want to sign
100 messages in presence of side channel
attacks
Store 100 OTP
SIGSK OTP = ( Software + secure hardware)
Hardware is not a black box
Side-channel attacks
Every COMPUTATION made in thehardware on secret data leaks information about it
Minimize computation in hardwareEliminate
ROK
ROK – Read One Key, Erase second keySimple: easy to scrutinize Universal: same hardware for all applicationsInspired by oblivious transfer [Rabin,EGL]
Key k0
Key k1 kb
b
No computation is ever done on the key which is erased resist all side channel attacks which result from computation
One-Time Compiler: Take 2
Theorem[GKR09] If secure fully homomorphic
encryption E exists [Gentry-stoc09], can compile any f into a one-time program for fsecure against all computational side channel attacks where program = software + m ROKs (where m = length of ciphertext ) andProgram Size O( time for single decryption)
New OTP: E(description of f) + OTP for a single decryptionTo compute f(x): compute E(f(x)) homomorphically;
decrypt E(f(x)) with OTP Almost…
Observations: Our Context
• May assume H resides in PC• No need for hardware implementation of H• Implemented in software, simply never see
the `other-key’ so it never leaks
Different Approach: Break Computation into Rounds [Dziembowski-Pietrzak]
• Break computation of PSRG=P1…Pk into rounds
• Make each round r depend only on part of SK, say SKr
• Leakage Model: any bounded length leakage L function of SKr may leak but only a function of SKr may leak in round r [ ` only computation ..axiom’]
Theorem: secure (,s) PSRG secure PSRG s.t. PiU with |L| =O(log(1/)) =log(1/)/2
– given P1…Pi-1 and View = L(Sk0)….L(skl-2)
– If also know L(skl-1), can only show Pl unpredictable
– E.g. =2-√n, then L =n/4
Questions
• Other primitives whose computation can be broken into rounds
• Strengthen [DP] psrg result – to get better dependence on e
– To accommodate leakage L(skl-1 )