Posted on 20-Dec-2015
Cryptography in The Presence of Continuous Side-Channel Attacks
Ali Juma, University of Toronto
Yevgeniy Vahlis, Columbia University
Crypto as We've Known It
[Diagram: Alice and Bob connected by communication channels]
• Crypto runs on dedicated and isolated devices
• Adversary is a 3rd party with access to the communication channels
• Secure communication is achievable through encryption
New Computing Environments
[Diagram: cloud computing, mobile computing]
Modern computing environments create new security risks.
Devices leak data through side-channels:
• Timing
• Sound emanations
• Radiation
• Power consumption
Modeling Leakage
How can we model a large class of side-channel attacks?
Allow the adversary to select a leakage function f and see f(state).
• Leaking the entire state breaks security
• Restrict f to shrinking functions
• Other restrictions are usually needed:
  • Restrict f to access only "active" memory
  • Use secure hardware
[Diagram: the adversary chooses f and receives f(state) computed on the device state]
Continuous Leakage
Leakage accumulates over time.
Each time a computation is performed, information leaks.
Even one bit of leakage can be fatal: let f_i(state) = i-th bit of state, so after n computations the whole state is known.
Two "conflicting" new goals:
1. Refresh the state while maintaining functionality: e.g. if state is a decryption key then for all state' ∈ Supp(Refresh(state)), state' is also a valid decryption key
2. Leakage from different states should be hard to combine into a new valid state
[Diagram: device state over time (Key K, Key K, Key K, ...) and the leakage obtained from each state]
Only Computation Leaks
We already know that computation leaks.
[MR04]: "only computation leaks"
[Diagram: the CPU computes on the active part of the state; only the active part leaks, inactive memory does not]
More formally: state = (s_1, …, s_n)
An algorithm consists of m parts P_1, …, P_m and sets W_1, …, W_m ⊆ [n]
Part P_i computes and leaks on {s_j | j ∈ W_i} and randomness r_i
We model secure hardware as a part P_i that does not leak on r_i
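As an added illustration of the model on this and the Continuous Leakage slides (my own code, not the paper's): a toy Python harness that enforces the "only computation leaks" restrictions (part P_i sees only {s_j | j ∈ W_i}, each f_i must shrink to l bits, secure hardware never shows r_i) and replays the fatal case where an unrefreshed key leaks its i-th bit in round i. The class and function names are my own.

```python
import secrets

class LeakageViolation(Exception):
    """An adversary's leakage function broke a restriction of the model."""

class OCLDevice:
    """Toy device in the 'only computation leaks' model (constructed here).
    state = (s_1..s_n) as a list of ints; each part is (name, W_i, compute, secure):
    W_i = indices the part touches, compute(view, r_i) -> updated view, and
    secure=True marks secure hardware whose randomness r_i never reaches f_i."""

    def __init__(self, state, parts, leak_bits):
        self.state, self.parts, self.leak_bits = list(state), parts, leak_bits

    def run_round(self, leak_fns):
        """Execute every part once; leak_fns[i] is the adversary's f_i."""
        leaked = []
        for (name, w, compute, secure), f in zip(self.parts, leak_fns):
            r = secrets.randbits(64)                    # part's randomness r_i
            view = {j: self.state[j] for j in w}        # active memory only
            out = f(dict(view), None if secure else r)  # inactive memory is unseen
            if not 0 <= out < (1 << self.leak_bits):    # f_i must be shrinking
                raise LeakageViolation(f"{name}: over {self.leak_bits} bits")
            leaked.append(out)
            for j, v in compute(view, r).items():       # write back active memory
                self.state[j] = v
        return leaked

def bit_leak_attack(key_bits=32):
    """Fatal case from the slides: an unrefreshed key leaks f_i(state) = i-th
    bit per round, so key_bits rounds reconstruct K. Returns (K, recovered)."""
    key = secrets.randbits(key_bits)
    dev = OCLDevice([key], [("use_key", {0}, lambda view, r: view, False)], 1)
    recovered = 0
    for i in range(key_bits):
        bit, = dev.run_round([lambda view, r, i=i: (view[0] >> i) & 1])
        recovered |= bit << i
    return key, recovered

def secure_hardware_hides_randomness():
    """A secure-hardware part leaks on input and output but never on r_i."""
    seen = []
    chip = ("chip", {0}, lambda view, r: {0: r}, True)
    OCLDevice([0], [chip], 1).run_round([lambda view, r: seen.append(r) or 0])
    return seen == [None]
```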
Resilience To Continuous Leakage
• [G87, GO96] Oblivious RAMs
• [ISW03] Private circuits: securing hardware against probing attacks
• [MR04] Physically observable cryptography
• [GKR08] One-time programs
• [DP08] Leakage-resilient cryptography
• [FKPR10] Leakage-resilient signatures
• [FRRTV10] Protecting against computationally bounded and noisy leakage
• [JV10] On protecting cryptographic keys against continual leakage
• [GR10] How to play mental solitaire under continuous side-channels
• [BKKV10] Cryptography resilient to continual memory leakage
• [DHLW10] Cryptography against continuous memory attacks
Key Proxies
[JRV10]: "Key Proxy", a new primitive to immunize a cryptographic key against leakage, but allow arbitrary computation
Building blocks:
• Fully homomorphic encryption
• Secure hardware component independent from K
Properties:
1. Resilience to polynomial-time leakage assuming that "only computation leaks"
2. 2^{l(n)}-secure encryption allows l(n) leakage
Resilience to polytime leakage without any leak-free computation on the state
Key Proxies
[Diagram: Initialization takes Key K and produces the Initial State; Evaluation takes the state and a Program P, outputs P(K) and produces the Updated State]
A key proxy is a pair of algorithms: Initialization and Evaluation
• Initialization generates an initial encoding of a key K
• Evaluation allows arbitrary computation on K and updates the encoding
Key Proxies encapsulate a key and allow structured access to it
Definition of Security
[Diagram (Real): the distinguisher submits Key K to Initialization, then repeatedly submits Program P to Evaluation, observes Leakage and receives P(K); the state is updated after each evaluation]
Real:
1. Adversary submits a key K
2. Repeat:
  1. Submit program P
  2. Obtain leakage
  3. Get P(K)
Ideal:
1. Adversary submits a key K
2. Repeat:
  1. Submit program P
  2. Simulator is given P, P(K)
  3. Obtain simulated leakage
  4. Get P(K)
[Diagram (Ideal): the distinguisher submits Key K to a trusted 3rd party and repeatedly submits Program P; the simulator receives P, P(K) from the trusted party and produces the leakage shown to the distinguisher, who also gets P(K)]
Main Tools: Fully Homomorphic Encryption
Public key encryption (KeyGen, Enc, Dec)
Allows computation on encrypted data [G09], [DGHV10]
[Diagram: Evaluate algorithm P on Encryption of M_1, …, Encryption of M_n]
We require randomizable ciphertexts:
  Encryption of P(M_1, …, M_n) + Encryption of 0 = Random encryption of P(M_1, …, M_n)
Main Tools: Our Secure Hardware
[Diagram: the secure chip takes a Public key and Random bits and outputs an Encryption of 0]
We use a secure chip twice: given a public key, generate two Encryptions of 0
Both input and output leak, but not the internal randomness
Overview of Construction
Initialization:
  Generate (pub, pri) ←R KeyGen(1^n)
  Encrypt K using pub: C ←R Enc_pub(K)
  View the initial state as a pair (Mem_A, Mem_B) = (pri, C)
[Diagram: Key K; Memory A holds pri, Memory B holds C = Enc_pub(K)]
Construction – Step 1
Computing on Memory A:
1. Generate a new public-private key pair (pub', pri') for the fully homomorphic encryption.
2. Encrypt the old private key pri under the new public key and write the ciphertext on the public channel.
3. Overwrite the contents of Memory A with pri'.
[Diagram: Memory A: pri becomes pri'; Memory B: C = Enc_pub(K); public channel: encryption of pri under pub']
Construction – Step 2
Computing on Memory B (external input: program P):
1. Evaluate homomorphically, on the encryption of pri, Dec_pri(C) and P(Dec_pri(C))
2. Homomorphic evaluation produces encryptions C_K of K and C_P of P(K), both under the new public key pub'
[Diagram: Memory A: pri'; Memory B: C = Enc_pub(K); public channel: encryption of pri under pub', Program P]
Construction – Step 3
Computing on Memory B: C_K = encryption of K and C_P = encryption of P(K)
1. Using the secure hardware component, generate two encryptions α_k and α_p of 0
2. Randomize C_K and C_P: C_K ← C_K + α_k and C_P ← C_P + α_p
3. Write C_P on the public channel
4. Overwrite the contents of Memory B with C_K
[Diagram: Memory A: pri'; Memory B: C = Enc_pub(K) becomes C = Enc_pub'(K); public channel: encryption of pri under pub', Program P, encryption of P(K) under pub']
Construction – Step 4
Computing on Memory A:
1. Use pri' to decrypt the encryption of P(K), and output P(K)
[Diagram: Memory A: pri'; Memory B: C = Enc_pub'(K); public channel: encryption of pri under pub', Program P, encryption of P(K) under pub']
Construction
Everything together:
• Memory A holds the previous private key pri: generate a new key pair (pub', pri') and write the encryption of the previous private key under pub' to the public channel
• Memory B holds the encryption of K under the previous public key: compute encryptions of K, P(K) under pub'
• Randomize the encryptions of K, P(K) under pub': Memory B keeps the encryption of K under pub', and the encryption of P(K) under pub' goes to the public channel
• Memory A holds the new private key pri': decrypt using pri' and output P(K)
Secure Hardware Components
Can we rely on secure hardware to achieve leakage resilience?
Yes, but it would be nice if it is
1. Independent from the protected functionality: the amount and function of hardware should be the same for all applications
2. Memory-less: secure against adversaries with a drill
3. Testable: operates on inputs from a known distribution
Achieving Resilience - Robustness
• Leaks n bits: size grows by a function of n
• Leakage grows by an unknown amount
• Leakage depends on the device
Robustness [GKPV09]: more leakage -> stronger assumption, but the security parameter stays the same
Security
Observations:
• After each round, Memory A holds a fresh private key and Memory B holds a fresh encryption of K
• Clearly secure without leakage, but uninteresting
Consider the leakage structure in each round: C_pri, pri' and pri', C_r
Problem: leakage on the private key both before and after leakage on C, and the leakage is adaptive.
Randomize
Ciphertexts are incompressible
Why do we randomize?
Fully homomorphic encryption may not preserve function privacy
[Diagram: Evaluate algorithm P on an encryption of message M to obtain an encryption of message P(M), which may contain information about P]
In our construction M = pri and P contains the encryption C of K
Without randomization the final leakage function could compute on pri and C together!
Simulator
Change 1: Memory B now contains encryptions of 0 instead of K. After change 1 the pre-randomization encrypted output is C_res,i = Enc_pub_i(F_i(0))
Change 2: the encrypted output is computed as C'_res,i = Enc_pub_i(F_i(K))
Change 3: the output of one leak-free component is replaced by α_p,i = C'_res,i - C_res,i
Why Sim Works
[Diagram: rounds i, i+1, i+2, each with parts P1 to P4 and C_pri; the round outputs R_i, R_{i+1}, R_{i+2} are replaced by R'_i, R'_{i+1}, R'_{i+2}]
Claim 1: security of n rounds reduces to security of two rounds
Proof:
Step 1:
- Replace all messages R_i with random encryptions R'_i of P_i(K)
- Replace α_p,i with α'_p,i = R'_i – C_res,i
The change is conceptual
Step 2: Replace encryptions of K with encryptions of 0
The change is significant, but the output is not affected
If an adversary can detect the switch then she detects it for some i
i-th hybrid: C_K,1, …, C_K,i-1 are encryptions of K; C'_K,i, …, C'_K,n are encryptions of 0; α_K,i = C_K,i – C_K,i-1
Suppose the adversary distinguishes between hybrids i and i+1
Rounds 1, …, i-1 and i+2, …, n are identical in both hybrids
C_K,i is used in both rounds i and i+1
[Diagram: rounds i, i+1, i+2 with Memory B contents C_K,i or C'_K,i, then C'_K,i+1, then C'_K,i+2]
Security
We reduced the problem to this leakage structure for two rounds:
[Diagram: rounds i and i+1, parts P1 to P4 with C_pri; Memory B holds C_K,i or C'_K,i, then C'_K,i+1; Memory A holds pri_{i-1} (with T_{i-1}), pri_i, pri_{i+1}; outputs R'_i, R'_{i+1}; leakages numbered 1 to 6, where 6 is "Get pri_{i+1}"]
Leakage 6: pri_{i+1} is needed to conclude the simulation
Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on the private key
Proof:
Leakage on the private key happens both before and after leakage on C_K,i or C'_K,i
Guess λ for leakage 4 and squeeze leakage 5 and 6 into 3.
Use the challenge C_K,i / C'_K,i to verify λ
[Diagram: the two-round leakage structure, now showing T'_{i+1}]
Guess δ for leakage 2 and squeeze leakage 3 into 1
Claim 3: any 2^{l(n)}-secure public key encryption is resilient to O(l(n)) leakage on the private key
Proof idea: since we can run in time 2^{l(n)}, try all possible values of the leakage.