Presentation on theme: "Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,"— Presentation transcript:
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner
A Live Demonstration Can you keep secrets? … and now?
Talk Overview The goal Security definition Overview of results and techniques Open questions
The Goal s m AES(s,m) s’ m AES(s,m) Same I/O functionality Keeps s secret even in the presence of side-channel attacks. - leakage - tampering
Comparison with Related Work Protecting general, reactive circuits –vs. realizing a specific task [DP08] –vs. a one-time computation [GKR08] Continuous and adaptive leakage/tampering –vs. bounded leakage [AGV09] Entire circuit susceptible to leakage/tampering –vs. “only computation leaks information” [MR04] –vs. “algorithmic tamper-proof security” [GLM+04]
INPUT OUTPUT CIRCUIT MEMORY The Model In each cycle: –Adv chooses input –Adv chooses an admissible (t-bounded) attack Leakage and/or tampering from a specified class –Adv observes output + leakage –Memory state is updated
INPUT OUTPUT CIRCUIT MEMORY Circuit Transformers T=(T C,T s ), on inputs k,t, maps C to C’ and s 0 to s 0 ’. T s must be randomized –Otherwise initial state s 0 is revealed by probing C’ can be either randomized or (better yet) deterministic. C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’
INPUT OUTPUT CIRCUIT MEMORY Security Definition T respects functionality: C[s 0 ] C’[s 0 ’] T protects privacy: C Sim t-bounded Adv s 0 Sim Adv,C[s0] view of Adv attacking C’[s 0 ’] –Even in case of tampering, only privacy is required C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’
INPUT OUTPUT CIRCUIT MEMORY Relation with Obfuscation C’[s 0 ’] should act like a “virtual black-box” for C[s 0 ]. –Even in the presence of side-channel attacks Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated –Can’t probe all wires in a single cycle –Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06] –Can’t freely “edit” gates and wires C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’
Results: Passive Attacks I-Sahai-Wagner03: probing attacks –Adv probes t wires in each cycle –Several circuit transformers |C’|=O(t 2 ) |C|, randomized |C’|=O(t 2 ) |C|+poly(t,k), deterministic |C’|=O~(|C|), t= ~(width(C)) probes can’t be added within a cycle –Randomized routing technique Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10: –constant depth leakage (e.g., AC 0 ) with t-bit output |C’|=O((t+k) 2 ) |C| –noisy leakage: each bit flipped with prob. p |C’|=O(k 2 ) |C| –both require tamper-proof, randomized “opaque gates”
Results: Tampering Attacks I-Prabhakaran-Sahai-Wagner 06: –Permanent Reset attacks, unbounded |C’|=O(k 2 ) |C| –Permanent Set/Reset/Toggle, up to t per cycle |C’|=poly(k,t) |C| Requires AND gates of fan-in O(kt) –Both constructions can be made deterministic
Probing Attacks and MPC Standard MPC Client-Server MPC Input clients Servers Output clients [BGW88,CCD88]: Unconditional security if t<n/2 parties are passively corrupted. Unconditional security if t<n/2 servers are corrupted.
Probing Attacks and MPC Client-Server MPC Input clients Servers Output clients Unconditional security if t<n/2 servers are corrupted. Further extending MPC model: -Reactive functionalities -Mobile adversary [OY91] -No online randomness [CH94]
MPC on Silicon xixi yiyi S2S2 output client input client initializer s0s0 S1S1 S3S3 S2S2 S1S1 S3S3 S2S2 S1S1 S3S3 S2S2 S1S1 S3S3 Conversely: Private circuit MPC T C =protocol compiler T s = initializer algorithm
MPC on Silicon? Very different optimization goals –Typical MPC: maximize resilience / #parties –Private circuits: maximize resilience / computation Ideally: many tiny parties, constant fractional resilience Using MPC protocols from the literature –BGW88: Based on Shamir’s secret sharing 2t+1 servers, O~(t 2 )|C| computation, nontrivial field arithmetic –“GMW-lite” [GMW87,GV87,GHY87]: Based on additive (XOR) secret sharing t+1 servers O(t 2 )|C| computation in OT-hybrid model Implement OT calls via additional servers! ISW03 construction is an optimized version of this approach s0’s0’
Concrete ISW03 Implementation Secrets additively shared into m=2t+1 shares Given shares of a=a 1 … a m, b=b 1 … b m –Compute shares of Not(a) : apply NOT to a 1 –Compute shares c i of a AND b : Let z i,j, i<j, be random independent bits Let z j,i =(z i,j a i b j ) a j b i Let c i =a i b i j i z i,j Randomness gates eliminated by using 2t+1 copies of a PRG s0’s0’
Tampering Attacks Recall model –adversary can permanently set, reset, toggle t wires in each cycle –eventually, all wires can be tampered with! –can’t use standard MPC, error-correction, signatures… Idea: “self-destruct” if tampering is detected –How to implement if even self-destruction mechanism can be tampered with? Idea: randomized mine-field –Any tampering attempt can trigger a mine –Few lucky tampering attempts do not harm
The High Level Approach Consider (unbounded) Reset attacks Encode each value in C by a pair of values –0 01 –1 10 –00, 11 interpreted as A Reset can either leave a value unchanged or turn it to Propagate to outputs and memory (self-destruct) Still need to worry about correlation between secrets and Solution: Use ISW03 to get “k-wise independence” –Adv should get lucky k times to violate privacy –Being unlucky even a single time causes self-destruction General Set/Reset/Toggle attacks handled via longer encodings
Further Research: Leakage Extend feasibility to other classes of leakage –other realistic leakage classes (power analysis, …) –“only computation leaks information” –… anything that does not imply obfuscation –leakage-resilient MPC? Probing attacks –improve efficiency and resilience –motivates new MPC complexity questions –potential application for “MPC-friendly codes” [CC06,…] Constant-depth leakage –eliminate “opaque gates” and randomness –is [ISW03] secure?
Interactive Compression [FRRTV10] Compression algorithm for f [HN06]: unbounded “solver” f(x) compression algorithm x y Shares of state Leakage function Observed leakage Adversary’s computation
Interactive Compression [FRRTV10] Can parity be compressed? –[Håstad]: Circuits of depth d and size 2^k 1/d can’t compute XOR k compression to k 1/d bits is hard for such circuits –[DI06]: even compression to k.99 bits is hard! constant-depth leakage with t= k.99 is safe Previous compression model doesn’t handle adaptive attacks –reduction to non-adaptive case yields poor bounds –motivates study of “interactive compression”
Communication Complexity Game Weak Strong X=01000100111010 Parity(X) Circuit complexity: Weak sends one bit Compression: Weak sends t bits in one message Interactive compression: Weak sends t bits overall Challenge: good lower bounds for interactive compression
Further Research: Tampering Tolerate an unbounded number of attacks –Possible using tamper-proof components of size k –Open: use components of size O(1) Tolerate wider classes of tampering + leakage Develop a general theory –Apply general non-malleable codes [DPW10] –Tamper-resilient MPC
Conclusion Bottomless pool of open questions Motivate independently interesting theoretical questions –Leakage- and tamper-resilient MPC –Feasibility of relaxed obfuscation –Hardness of compression Relevance to practice?