Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner

A Live Demonstration Can you keep secrets? … and now?

Talk Overview The goal Security definition Overview of results and techniques Open questions

The Goal s m AES(s,m) s’ m AES(s,m) Same I/O functionality Keeps s secret even in the presence of side-channel attacks. - leakage - tampering

Comparison with Related Work Protecting general, reactive circuits –vs. realizing a specific task [DP08] –vs. a one-time computation [GKR08] Continuous and adaptive leakage/tampering –vs. bounded leakage [AGV09] Entire circuit susceptible to leakage/tampering –vs. “only computation leaks information” [MR04] –vs. “algorithmic tamper-proof security” [GLM+04]

INPUT OUTPUT CIRCUIT MEMORY The Model In each cycle: –Adv chooses input –Adv chooses an admissible (t-bounded) attack Leakage and/or tampering from a specified class –Adv observes output + leakage –Memory state is updated

INPUT OUTPUT CIRCUIT MEMORY Circuit Transformers T=(T C,T s ), on inputs k,t, maps C to C’ and s 0 to s 0 ’. T s must be randomized –Otherwise initial state s 0 is revealed by probing C’ can be either randomized or (better yet) deterministic. C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’

INPUT OUTPUT CIRCUIT MEMORY Security Definition T respects functionality: C[s 0 ]  C’[s 0 ’] T protects privacy:  C  Sim  t-bounded Adv  s 0 Sim Adv,C[s0]  view of Adv attacking C’[s 0 ’] –Even in case of tampering, only privacy is required C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’

INPUT OUTPUT CIRCUIT MEMORY Relation with Obfuscation C’[s 0 ’] should act like a “virtual black-box” for C[s 0 ]. –Even in the presence of side-channel attacks Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated –Can’t probe all wires in a single cycle –Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06] –Can’t freely “edit” gates and wires C INPUT OUTPUT CIRCUIT MEMORY T C’ s0s0 s0’s0’

Results: Passive Attacks I-Sahai-Wagner03: probing attacks –Adv probes t wires in each cycle –Several circuit transformers |C’|=O(t 2 ) |C|, randomized |C’|=O(t 2 ) |C|+poly(t,k), deterministic |C’|=O~(|C|), t=  ~(width(C)) probes can’t be added within a cycle –Randomized routing technique Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10: –constant depth leakage (e.g., AC 0 ) with t-bit output |C’|=O((t+k) 2 ) |C| –noisy leakage: each bit flipped with prob. p |C’|=O(k 2 ) |C| –both require tamper-proof, randomized “opaque gates”

Results: Tampering Attacks I-Prabhakaran-Sahai-Wagner 06: –Permanent Reset attacks, unbounded |C’|=O(k 2 ) |C| –Permanent Set/Reset/Toggle, up to t per cycle |C’|=poly(k,t) |C| Requires AND gates of fan-in O(kt) –Both constructions can be made deterministic

Probing Attacks and MPC Standard MPC Client-Server MPC Input clients Servers Output clients [BGW88,CCD88]: Unconditional security if t<n/2 parties are passively corrupted. Unconditional security if t<n/2 servers are corrupted.

Probing Attacks and MPC Client-Server MPC Input clients Servers Output clients Unconditional security if t<n/2 servers are corrupted. Further extending MPC model: -Reactive functionalities -Mobile adversary [OY91] -No online randomness [CH94]

MPC on Silicon xixi yiyi S2S2 output client input client initializer s0s0 S1S1 S3S3 S2S2 S1S1 S3S3 S2S2 S1S1 S3S3 S2S2 S1S1 S3S3 Conversely: Private circuit  MPC T C =protocol compiler T s = initializer algorithm

MPC on Silicon? Very different optimization goals –Typical MPC: maximize resilience / #parties –Private circuits: maximize resilience / computation Ideally: many tiny parties, constant fractional resilience Using MPC protocols from the literature –BGW88: Based on Shamir’s secret sharing 2t+1 servers, O~(t 2 )|C| computation, nontrivial field arithmetic –“GMW-lite” [GMW87,GV87,GHY87]: Based on additive (XOR) secret sharing t+1 servers O(t 2 )|C| computation in OT-hybrid model Implement OT calls via additional servers! ISW03 construction is an optimized version of this approach s0’s0’

Concrete ISW03 Implementation Secrets additively shared into m=2t+1 shares Given shares of a=a 1  …  a m, b=b 1  …  b m –Compute shares of Not(a) : apply NOT to a 1 –Compute shares c i of a AND b : Let z i,j, i<j, be random independent bits Let z j,i =(z i,j  a i b j )  a j b i Let c i =a i b i   j  i z i,j Randomness gates eliminated by using 2t+1 copies of a PRG s0’s0’

Tampering Attacks Recall model –adversary can permanently set, reset, toggle t wires in each cycle –eventually, all wires can be tampered with! –can’t use standard MPC, error-correction, signatures… Idea: “self-destruct” if tampering is detected –How to implement if even self-destruction mechanism can be tampered with? Idea: randomized mine-field –Any tampering attempt can trigger a mine –Few lucky tampering attempts do not harm

The High Level Approach Consider (unbounded) Reset attacks Encode each value in C by a pair of values –0  01 –1  10 –00, 11 interpreted as  A Reset can either leave a value unchanged or turn it to  Propagate  to outputs and memory (self-destruct) Still need to worry about correlation between secrets and  Solution: Use ISW03 to get “k-wise independence” –Adv should get lucky k times to violate privacy –Being unlucky even a single time causes self-destruction General Set/Reset/Toggle attacks handled via longer encodings

The Low-Level Details A hacker’s paradise…

The Low-Level Details A hacker’s paradise…

Further Research: Leakage Extend feasibility to other classes of leakage –other realistic leakage classes (power analysis, …) –“only computation leaks information” –… anything that does not imply obfuscation –leakage-resilient MPC? Probing attacks –improve efficiency and resilience –motivates new MPC complexity questions –potential application for “MPC-friendly codes” [CC06,…] Constant-depth leakage –eliminate “opaque gates” and randomness –is [ISW03] secure?

Interactive Compression [FRRTV10] Compression algorithm for f [HN06]: unbounded “solver” f(x) compression algorithm x y Shares of state Leakage function Observed leakage Adversary’s computation

Interactive Compression [FRRTV10] Can parity be compressed? –[Håstad]: Circuits of depth d and size 2^k 1/d can’t compute XOR k  compression to k 1/d bits is hard for such circuits –[DI06]: even compression to k.99 bits is hard!  constant-depth leakage with t= k.99 is safe Previous compression model doesn’t handle adaptive attacks –reduction to non-adaptive case yields poor bounds –motivates study of “interactive compression”

Communication Complexity Game Weak Strong X= Parity(X) Circuit complexity: Weak sends one bit Compression: Weak sends t bits in one message Interactive compression: Weak sends t bits overall Challenge: good lower bounds for interactive compression

Further Research: Tampering Tolerate an unbounded number of attacks –Possible using tamper-proof components of size k –Open: use components of size O(1) Tolerate wider classes of tampering + leakage Develop a general theory –Apply general non-malleable codes [DPW10] –Tamper-resilient MPC

Conclusion Bottomless pool of open questions Motivate independently interesting theoretical questions –Leakage- and tamper-resilient MPC –Feasibility of relaxed obfuscation –Hardness of compression Relevance to practice?