Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.


Crypto as We've Known It
[Figure: Alice and Bob, each with a CPU, storage and input, connected by communication channels]
- Crypto runs on dedicated and isolated devices
- The adversary is a third party with access only to the communication channels
- Secure communication is achievable through encryption

New Computing Environments
- Cloud computing and mobile computing
- Modern computing environments create new security risks
- Devices leak data through side channels: timing, sound emanations, radiation, power consumption

Modeling Leakage
How can we model a large class of side-channel attacks?
- Allow the adversary to select a leakage function f and see f(state)
- Leaking the entire state breaks security, so restrict f to shrinking functions (the output is shorter than the state)
- Other restrictions are usually needed: restrict f to access only "active" memory, or use secure hardware
[Figure: the adversary submits f and receives f(state)]

Continuous Leakage
- Leakage accumulates over time: each time a computation is performed, information leaks
- Even one bit of leakage per computation can be fatal: f_i(state) = i-th bit of state recovers the whole state after |state| computations
- Two "conflicting" new goals:
 1. Refresh the state while maintaining functionality: e.g. if the state is a decryption key, then every state' ∈ Supp(Refresh(state)) must also be a valid decryption key
 2. Leakage from different states should be hard to combine into a new valid state
[Figure: key K; device state over time; leakage over time]
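The two goals above can be seen in a toy simulation. This is an added example, not code from the talk or the paper: a key is held as two XOR shares, the adversary picks a one-bit leakage function for each memory access (the bit-i function from the slide), and the run compares a device that never refreshes its state with one that re-shares the key between accesses. The key length, the share layout and the round structure (memory A accessed first, then memory B) are assumptions made for the simulation.

```python
"""Toy simulation of continual leakage with and without state refresh.

Constructed example (not code from the talk): a key K is held as two XOR
shares (A, B) with A ^ B == K.  Following the "only computation leaks"
rule, a round touches memory A first and memory B second, and the adversary
chooses a 1-bit (shrinking) leakage function for each access.  A refreshing
device re-shares the key with fresh randomness between the two accesses; a
static device never does.
"""
import random

N_BITS = 32  # toy key length; assumption: any length behaves the same way


def bit(x: int, i: int) -> int:
    """i-th bit of x (the leakage function f_i(state) from the talk)."""
    return (x >> i) & 1


class Device:
    """Key K stored as XOR shares; `refresh=True` re-shares every round."""

    def __init__(self, key: int, refresh: bool, rng: random.Random):
        self.refresh = refresh
        self.rng = rng
        a = rng.getrandbits(N_BITS)
        self.A, self.B = a, a ^ key
        # Bookkeeping for the test harness only: the adversary never sees it.
        self.refresh_masks = []

    def _refresh(self) -> None:
        r = self.rng.getrandbits(N_BITS)
        self.A ^= r          # A' ^ B' == A ^ B, so the key is preserved
        self.B ^= r
        self.refresh_masks.append(r)

    def round(self, leak_a, leak_b):
        """Compute on A (leak on A), optionally refresh, compute on B (leak on B).

        Each leakage function must be shrinking; here it returns one bit.
        """
        la = leak_a(self.A) & 1
        if self.refresh:
            self._refresh()
        lb = leak_b(self.B) & 1
        return la, lb


def bit_collection_attack(device: Device) -> int:
    """Round t: leak bit t of A, then bit t of B, and XOR the two bits."""
    guess = 0
    for t in range(N_BITS):
        la, lb = device.round(lambda s, t=t: bit(s, t), lambda s, t=t: bit(s, t))
        guess |= (la ^ lb) << t
    return guess


def demo(seed: int = 1234) -> dict:
    """Run the attack against a static and a refreshing device with the same key."""
    rng = random.Random(seed)           # deterministic so the run is reproducible
    key = rng.getrandbits(N_BITS)
    static = Device(key, refresh=False, rng=rng)
    fresh = Device(key, refresh=True, rng=rng)
    static_guess = bit_collection_attack(static)
    fresh_guess = bit_collection_attack(fresh)
    # Against the refreshing device the adversary learned K_t ^ r_t[t]: the key
    # one-time-padded with fresh randomness, so the guess is independent of K.
    mask = 0
    for t, r in enumerate(fresh.refresh_masks):
        mask |= bit(r, t) << t
    return {"key": key, "static_guess": static_guess,
            "fresh_guess": fresh_guess, "mask": mask}


if __name__ == "__main__":
    res = demo()
    print("static device recovered:", res["static_guess"] == res["key"])
    print("refreshing device recovered:", res["fresh_guess"] == res["key"])
```

Against the static device the 32 one-bit leakages combine into the full key (goal 2 fails); against the refreshing device every round's share is fresh, so the same leakage functions return bits of the key masked by uniformly random refresh bits, while the shares still reconstruct the same key (goal 1 holds). Note that the simulation only refreshes between the access to A and the access to B; an adversary who could leak on both shares at the same instant would still recover the key, which is exactly why the "only computation leaks" restriction matters.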

Only Computation Leaks
- We already know that computation leaks; [MR04] turns this into the axiom "only computation leaks"
[Figure: the state is split into an active part, which the CPU touches and which leaks, and an inactive part, which does not]

Only Computation Leaks
- [MR04]: "only computation leaks"
- More formally: state = (s_1, …, s_n)
- An algorithm consists of m parts P_1, …, P_m and sets W_1, …, W_m ⊆ [n]
- Part P_i computes on, and leaks on, {s_j | j ∈ W_i} together with its own randomness r_i
- We model secure hardware as a part P_i that does not leak on r_i

Resilience to Continuous Leakage
- [G87, GO96] Oblivious RAMs
- [ISW03] Private circuits: securing hardware against probing attacks
- [MR04] Physically observable cryptography
- [GKR08] One-time programs
- [DP08] Leakage-resilient cryptography
- [FKPR10] Leakage-resilient signatures
- [FRRTV10] Protecting circuits from leakage: the computationally bounded and noisy cases
- [JV10] On protecting cryptographic keys against continual leakage
- [GR10] How to play mental solitaire under continuous side-channels
- [BKKV10] Cryptography resilient to continual memory leakage
- [DHLW10] Cryptography against continuous memory attacks

Key Proxies
- [JRV10]: "Key Proxy", a new primitive that immunizes a cryptographic key against leakage while still allowing arbitrary computation on it
- Building blocks: fully homomorphic encryption, and a secure hardware component that is independent of K
- Properties:
 1. Resilience to polynomial-time leakage, assuming that "only computation leaks"
 2. A 2^{l(n)}-secure encryption scheme allows l(n) bits of leakage
- Resilience to polynomial-time leakage is achieved without any leak-free computation on the state

Key Proxies
[Figure: Initialization takes key K and produces the initial state; Evaluation takes a program P, outputs P(K) and produces the updated state]
- A key proxy is a pair of algorithms: Initialization and Evaluation
- Initialization generates an initial encoding of a key K
- Evaluation allows arbitrary computation on K and updates the encoding
- Key proxies encapsulate a key and allow structured access to it

Definition of Security
[Figure: a distinguisher interacts with Initialization and Evaluation, supplies programs P and observes leakage, P(K) and the state updates]
Real world:
1. Adversary submits a key K
2. Repeat:
 1. Submit a program P
 2. Obtain leakage
 3. Get P(K)

Definition of Security
Real world:
1. Adversary submits a key K
2. Repeat:
 1. Submit a program P
 2. Obtain leakage
 3. Get P(K)
Ideal world:
1. Adversary submits a key K to a trusted third party
2. Repeat:
 1. Submit a program P
 2. The simulator is given P and P(K)
 3. Obtain simulated leakage
 4. Get P(K)
[Figure: the distinguisher talks either to the real key proxy or to the trusted third party plus simulator; security means it cannot tell which]

Main Tools: Fully Homomorphic Encryption
- Public-key encryption (KeyGen, Enc, Dec) that allows computation on encrypted data [G09], [DGHV10]
- Evaluate: given encryptions of M_1, …, M_n and an algorithm P, output an encryption of P(M_1, …, M_n)
- We require randomizable ciphertexts: encryption of P(M_1, …, M_n) + encryption of 0 = random encryption of P(M_1, …, M_n)

Main Tools: Our Secure Hardware
- Given a public key, the chip generates two encryptions of 0 under it, using internal random bits
- We use the secure chip twice
- Both the input and the output of the chip leak, but not its internal randomness

Overview of Construction
Initialization:
- Generate (pub, pri) ←_R KeyGen(1^n)
- Encrypt K under pub: C ←_R Enc_pub(K)
- View the initial state as a pair (Mem_A, Mem_B) = (pri, C)
[Figure: Memory A holds pri; Memory B holds C = Enc_pub(K)]

Construction – Step 1
Computing on Memory A:
1. Generate a new public-private key pair (pub', pri') for the fully homomorphic encryption
2. Encrypt the old private key pri under the new public key and write the ciphertext Enc_pub'(pri) on the public channel
3. Overwrite the contents of Memory A with pri'
[Figure: Memory A: pri → pri'; Memory B: C = Enc_pub(K); public channel: encryption of pri under pub']

Construction – Step 2
Computing on Memory B, with external input: program P
1. Evaluate homomorphically, on the encryption of pri, the functions Dec_pri(C) and P(Dec_pri(C)); the ciphertext C stored in Memory B is hard-wired into the evaluated functions
2. The homomorphic evaluation produces an encryption C_K of K and an encryption C_P of P(K), both under the new public key pub'
[Figure: Memory A: pri'; Memory B: C = Enc_pub(K); public channel: encryption of pri under pub'; input: program P]

Construction – Step 3
Computing on Memory B, holding C_K = encryption of K and C_P = encryption of P(K):
1. Using the secure hardware component, generate two encryptions α_k and α_p of 0 under pub'
2. Randomize C_K and C_P: C_K ← C_K + α_k and C_P ← C_P + α_p
3. Write C_P on the public channel
4. Overwrite the contents of Memory B with C_K
[Figure: Memory A: pri'; Memory B: C = Enc_pub'(K); public channel: encryption of pri under pub', encryption of P(K) under pub']

Construction – Step 4
Computing on Memory A:
1. Use pri' to decrypt the encryption of P(K) from the public channel, and output P(K)
[Figure: Memory A: pri'; Memory B: C = Enc_pub'(K); public channel: encryption of pri under pub', encryption of P(K) under pub']

Construction
Everything together, one round:
- Memory A (previous private key pri): generate a new key pair (pub', pri'); publish the encryption of the previous private key under pub'; keep the new private key pri'
- Memory B (encryption of K under the previous public key): compute encryptions of K and P(K) under pub'; randomize both; keep the encryption of K under pub' and publish the encryption of P(K) under pub'
- Memory A (private key pri'): decrypt using pri' and output P(K)

Secure Hardware Components
Can we rely on secure hardware to achieve leakage resilience? Yes, but it would be nice if the hardware is:
1. Independent of the protected functionality: the amount and the function of the hardware should be the same for all applications
2. Memory-less: secure against adversaries with a drill
3. Testable: it operates on inputs from a known distribution

Achieving Resilience – Robustness
- Typical approach: to tolerate n bits of leakage, the size of the scheme grows by a function of n
- But the actual leakage grows by an unknown amount and depends on the device
- Robustness [GKPV09]: more leakage means a stronger assumption, but the security parameter stays the same

Security
Observations: after each round, Memory A holds a fresh private key and Memory B holds a fresh encryption of K. This is clearly secure without leakage, but that case is uninteresting.
Consider the leakage structure within each round: leakage on pri together with pri' (step 1), then on C and the randomness r (steps 2 and 3), then on pri' again (step 4).
Problem: leakage on the private key happens both before and after the leakage on C, and the leakage is adaptive.
Tools used to handle this: randomization, and the fact that ciphertexts are incompressible.

Why do we randomize?
- Fully homomorphic encryption may not preserve function privacy: Evaluate(encryption of message M, algorithm P) yields an encryption of P(M) that may contain information about P
- In our construction M = pri and P contains the encryption C of K
- Without randomization, the final leakage function could compute on pri and C together!
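The following added example, which is not code from the talk or the paper, shows the function-privacy problem and the fix on a toy additively homomorphic scheme (ElGamal "in the exponent"). The scheme is not fully homomorphic, so it cannot run the construction's Dec_pri(C) step, but the randomization step is the same: adding a fresh encryption of 0 gives a ciphertext of the same plaintext that is no longer linkable to the input ciphertext. The group parameters (a 10-bit safe prime) and the program P(m) = m + c are assumptions chosen so the example runs in plain Python.

```python
"""Toy additively homomorphic encryption (ElGamal in the exponent) with
ciphertext re-randomisation by adding an encryption of 0.

Constructed example, not the paper's code: the talk uses fully homomorphic
encryption, which this toy is not, but the re-randomisation step and the
function-privacy problem it fixes look the same.  The group is deliberately
tiny (assumption: a 10-bit safe prime) so that decryption can brute-force
the exponent; it offers no real security.
"""
import random

P = 1019   # safe prime: P = 2*Q + 1
Q = 509    # prime order of the subgroup of squares in Z_P^*
G = 4      # 2^2, hence a generator of the order-Q subgroup

_rng = random.Random(2024)   # deterministic for the demo; use secrets.SystemRandom in practice


def keygen():
    """Return (pub, pri) with pub = G^pri mod P."""
    pri = _rng.randrange(1, Q)
    return pow(G, pri, P), pri


def enc(pub: int, m: int):
    """Enc(m) = (G^r, pub^r * G^m).  Multiplying ciphertexts adds plaintexts."""
    r = _rng.randrange(1, Q)
    return pow(G, r, P), (pow(pub, r, P) * pow(G, m % Q, P)) % P


def dec(pri: int, ct, max_m: int = 256) -> int:
    """Recover G^m = c2 / c1^pri, then m by exhaustive search (toy only)."""
    c1, c2 = ct
    gm = (c2 * pow(c1, P - 1 - pri, P)) % P
    for m in range(max_m):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside brute-force range")


def add(ct1, ct2):
    """Homomorphic addition of the two plaintexts."""
    return (ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P


def evaluate_add_const(ct, c: int):
    """Homomorphically evaluate P(m) = m + c.

    Evaluate is deterministic here: the output keeps the input's first
    component, so anyone seeing both ciphertexts learns that the output was
    derived from that input and, given two candidate programs, which
    constant c was used.  That is the "may contain information about P" issue.
    """
    return ct[0], (ct[1] * pow(G, c % Q, P)) % P


def randomize(pub: int, ct):
    """Add a fresh encryption of 0: same plaintext, fresh randomness.

    In the talk this Enc(0) comes from the leak-free hardware component, so
    the randomness inside it never leaks.
    """
    return add(ct, enc(pub, 0))


def demo() -> dict:
    """Evaluate P on a ciphertext, then randomize, and report linkability."""
    pub, pri = keygen()
    c_in = enc(pub, 5)                      # stands in for the encrypted state
    c_out = evaluate_add_const(c_in, 7)     # encrypted P(5) = 12, linkable to c_in
    c_rand = randomize(pub, c_out)          # encrypted 12, no longer linkable
    return {
        "plain_out": dec(pri, c_out),
        "plain_rand": dec(pri, c_rand),
        "linkable_before": c_out[0] == c_in[0],
        "linkable_after": c_rand[0] == c_in[0],
    }
```

Because the randomizer's exponent is drawn from 1..Q-1 and G has order Q, the first component always changes, so `linkable_after` is false on every run, while both ciphertexts still decrypt to 12. In the construction the ciphertexts C_K and C_P are randomized the same way before either one is written to the public channel or kept in Memory B.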

Simulator
- Change 1: Memory B now contains encryptions of 0 instead of K
- After change 1, the pre-randomization encrypted output of round i is C_res,i = Enc_pub_i(F_i(0))
- Change 2: the encrypted output is instead computed as C'_res,i = Enc_pub_i(F_i(K))
- Change 3: the output of one leak-free component is replaced by α_p,i = C'_res,i − C_res,i

Why Sim Works
[Figure: three consecutive rounds, each made of parts P_1, …, P_4 operating on C and pri, with outputs R_i, R_{i+1}, R_{i+2} replaced by R'_i, R'_{i+1}, R'_{i+2}]
Claim 1: security of n rounds reduces to security of two rounds.
Proof, Step 1:
- Replace all output messages R_i with random encryptions R'_i of P_i(K)
- Replace α_p,i with α'_p,i = R'_i − C_res,i
- The change is conceptual: the distribution is unchanged

Why Sim Works
Claim 1: security of n rounds reduces to security of two rounds.
[Figure: the same three rounds, now with outputs R'_i, R'_{i+1}, R'_{i+2}]
Proof, Step 2:
- Replace the encryptions of K with encryptions of 0
- This change is significant, but the output is not affected
- If an adversary can detect the switch, then she detects it for some round i

Security
Claim 1: security of n rounds reduces to security of two rounds.
[Figure: rounds with Memory B contents C_K,i or C'_K,i, C'_K,i+1, C'_K,i+2]
Proof (hybrid argument):
- i-th hybrid: C_K,1, …, C_K,i−1 are encryptions of K and C'_K,i, …, C'_K,n are encryptions of 0, with α_K,i = C_K,i − C_K,i−1
- Suppose the adversary distinguishes between hybrids i and i+1
- Rounds 1, …, i−1 and i+2, …, n are identical in both hybrids
- C_K,i is used in both rounds i and i+1, so only those two rounds matter

Security
We have reduced the problem to the following leakage structure for two rounds:
[Figure: rounds i and i+1, parts P_1, …, P_4, private keys pri_{i−1}, pri_i, pri_{i+1}, ciphertexts T_{i−1}, C_K,i or C'_K,i, C'_K,i+1, outputs R'_i, R'_{i+1}; the six leakage queries are numbered 1 to 6, and the adversary finally gets pri_{i+1}]
Leakage 6: pri_{i+1} is needed to conclude the simulation.

Security
[Figure: the same two-round leakage structure]
Claim 2: security of two rounds reduces to semantic security of the fully homomorphic encryption with leakage on the private key.
Proof:
- Leakage on the private key happens both before and after the leakage on C_K,i or C'_K,i
- Guess λ for leakage 4 and squeeze leakages 5 and 6 into leakage 3
- Use the challenge ciphertext C_K,i / C'_K,i to verify the guess λ

Security
[Figure: the same two-round leakage structure, with T'_{i+1} in place of C'_K,i+1]
Claim 2 (continued):
- Guess δ for leakage 2 and squeeze leakage 3 into an earlier leakage query, as before
Claim 3: any 2^{l(n)}-secure public-key encryption scheme is resilient to O(l(n)) bits of leakage on the private key.
Proof idea: since the reduction may run in time 2^{l(n)}, it can try all possible values of the leakage.