Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Leakage Resilient Circuit Compilers

Published byBruce Clarke Modified over 6 years ago

Similar presentations

Presentation on theme: "Efficient Leakage Resilient Circuit Compilers"— Presentation transcript:

1 Efficient Leakage Resilient Circuit Compilers
Marcin Andrychowicz, Warsaw University, Poland Ivan Damgård, Aarhus University, Denmark Stefan Dziembowski, Warsaw University, Poland Sebastian Faust, EPFL, Switzerland Antigoni Polychroniadou, Aarhus University, Denmark

2 Theory Cryptographic Algorithms are often modeled as ‘black boxes’
E.g. Internal computation is opaque to external adversaries. Security is proven under various hardness assumptions.

3 Reality Computation Internals Leak Cache EM Radiation Power
Consumption Acoustic Timing Probing

4 Motivation Many provably secure cryptosystems can be broken by side-channel attacks

5 Two Paradigms to Fight Leakage Attacks
Consider Leakage at design level Only security of specific schemes How to securely implement any scheme? Wanted: Leakage resilient Compiler Transform any circuit to a leakage resilient circuit secure in a strong black-box sense. As a general comment about leakage resilient cryptography, there are works, that take leakage into account at design time. More specifically, given a cryptographic primitive and a specific security requirement, then these works try to design an algorithm that maintains security and is resilient to 'some' leakage attacks. So this means that whenever one wants leakage resilience against a different task, we need to design a new leakage-resilient algorithm. The solutions to the above situation are the so-called leakage resilient compilers, which transform any circuit to a leakage resilient circuit secure in a strong black-box sense. There is a nice article about the above arguments here

6 Def: Circuit Compilers

7 Def: Circuit Compilers
+ + Encoder x Circuit Compiler x - Decoder - Encoder In this paper, we revisit the problem of constructing general leakage resilient compilers that can transform any (Boolean) circuit C into a protected circuit C′ computing the same functionality as C, which additionally is resilient to certain classes of leakage functions.

8 Def: Circuit Compilers
+ + Encoder x Circuit Compiler x - Decoder - Encoder In this paper, we revisit the problem of constructing general leakage resilient compilers that can transform any (Boolean) circuit C into a protected circuit C′ computing the same functionality as C, which additionally is resilient to certain classes of leakage functions. Indistinguishable Even given leakage, execution “looks like” black-box access to C(.)

9 Def: Circuit Compilers
+ + Encoder x Circuit Compiler x - Decoder - Encoder In this paper, we revisit the problem of constructing general leakage resilient compilers that can transform any (Boolean) circuit C into a protected circuit C′ computing the same functionality as C, which additionally is resilient to certain classes of leakage functions. Goal: Reduce the overhead induced by the compiler Indistinguishable Even given leakage, execution “looks like” black-box access to C(.)

10 Def: Circuit Compilers
In all previous works the transformed circuit C′ has size at least O(k2), where k is the security parameter. C′ + + Encoder x Circuit Compiler x - Decoder - Encoder In this paper, we revisit the problem of constructing general leakage resilient compilers that can transform any (Boolean) circuit C into a protected circuit C′ computing the same functionality as C, which additionally is resilient to certain classes of leakage functions. Goal: Reduce the overhead induced by the compiler Indistinguishable Even given leakage, execution “looks like” black-box access to C(.)

11 Build Efficient Leakage Resilient Compilers
Our Goal Build Efficient Leakage Resilient Compilers

12 All previous works introduce at least quadratic overhead.
Is it possible to construct leakage resilient compilers with at most linear overhead? All previous works introduce at least quadratic overhead.

13 Prior Work on General Compilers
Three Leakage Models: ‘Local’ bounded Wire-Probing: [ISW03,…] ‘Local’ Only Computation (OC) Leakage/ Split state model: [MR04,…] ‘Global’ computational continuous weak Leakage i.e. AC0 leakage Functions [FRRTV10,…]

14 Using Techniques from secure MPC
Our Results Using Techniques from secure MPC Efficient Compliers: ‘Local’ Wire-Probing: O(polylog(k) ·|C|log |C|) Previous Best Overhead: O(k2|C|) by [ISW03] ‘Local’ OC Leakage : O(k log k log log k) Previous Best Overhead: Ω(k4) by [DF12] and Ω(k3) by [GR12] This talk ‘Global’ computational weak Leakage: O(k·|C|log|C|) Previous Best Overhead: O(k2) by [FRRTV10] and O(k3) by [R13]

15 Our result on global computational weak Leakage
Informal Theorem : A compiler that makes any circuit resilient to computationally weak leakages. The compiler increases the circuit size by a factor of O(k). Global adaptive leakage Arbitrary total leakage However we must assume something [MR04]: Leakage function is computationally weak Simple opaque gates. May depend on whole state and intermediate results, and chosen adaptively by the adversary. (Bounded just per observation)

16 The Compiler C′ + Encoder x Decoder - Encoder

17 The Compiler: From wires to wire bundles
+ Encoder x Decoder - Encoder

18 Packed Secret Sharing (PSS)
PSS is a central tool in information theoretic secure MPC protocols. f Standard Secret Sharing : P2 P3 P4 P5 P1 P6 P7 Degree of f denoted by d

19 Packed Secret Sharing (PSS)
PSS is a central tool in information theoretic secure MPC protocols. f Packed Secret Sharing (PSS) : Transform circuit to work on PSS with O(log|C|) overhead [DIK10]* l=3 P2 P3 P4 P5 P1 P6 P7 *Introduces Permutation gates.

20 + + - - C C′ x x … … … … … Every wire is encoded with PSS.
Inputs are encoded; outputs are decoded. C C′ + + Encoder x x - Decoder - Encoder Wire bundle that carries the encoding of w, e.g. k shares of w. Notation: (w1,…,wk)=[w]d Each wire w

21 PSS is is secure against AC0 leakages
A function is in AC0 if it can be computed by a poly-size O(1) depth boolean circuit with unbounded fan-in AND, OR (and NOT) gates. PSS Encoding is AC0 indistinguishable, i.e. Inner product hard to compute in AC0.

22 The Compiler: From gates to gadgets
+ Encoder x Decoder - Encoder

23 Every gate is replaced by a gadget operating on encoded PSS bundles
+ + Encoder x x - Decoder - Encoder Gadgets: built from normal gates and opaque gates and operate on encodings Gates

24 Opaque Gates [G89,GoldOstr95]…Leak-free processor: oblivious RAM
[MR04], [DP08], [GKR08], [DF12]…Leak-free memory: “only computation leaks”, one-time programs [FRRTV10],… Opaque Gates [GR12],[R13]… Ciphertext banks Opaque Gates: simple gates that sample from a fixed distribution e.g: securely draw strings with inner product 0. Stateless: No secrets are stored Small and simple Computation independent: No inputs, so can be pre-computed

25 The Compiler: Addition & Subtraction gadgets
+ Encoder x Decoder - Encoder

26 The Compiler: Addition & Subtraction gadgets
+ Encoder x Decoder - Encoder

27 The Compiler: Addition & Subtraction gadgets
Goal : c=a+b⇒[a+b]d ←[a]d +[b]d [0]d← Opaque gate [a+b]d = [a]d+[b]d+[0]d OR [a-b]d = [a]d-[b]d+[0]d

28 The Compiler: Multiplication gadgets
+ Encoder x Decoder - Encoder

29 The Compiler: Multiplication gadgets
+ Encoder x Decoder - Encoder

30 The Compiler: Multiplication gadgets
Goal: c = ab ⇒ [ab]d ← [a]d[b]d [r]d,[r]2d ← Opaque gate [ab]2d = [a]d[b]d [ab +r]2d =[ab]2d +[r]2d (ab+r) ← Decode([ab+r]2d) [ab+r] d ←Encode (ab+r) [ab]d = [ab+r]d − [r]d Permutation gadget follow the same approach

31 Compiler: High-Level Circuit topology is preserved.
Every wire is encoded; Inputs are encoded; outputs are decoded. Every gate is converted into a gadget operating on encodings.

32 Security of the Compiled Circuit
Prove security via ‘swallow’ reconstractors per gadget (technique introduced in [FRRTV10]) Reconstractor: on input the inputs and outputs of a gadget and is able to simulate its internals in a way that looks indistinguishable for leakages from AC0.

33 Conclusion Three efficient circuit compilers …. Question
compile any circuit ‘Local’ Wire-Probing ‘Local’ OC Leakage ‘Global’ Computational weak Leakage ‘Local’ Wire-Probing ‘Local’ OC Leakage : ‘Global’ Computational weak Leakage: Question Connection to Obfuscation

34 Thank you!

Download ppt "Efficient Leakage Resilient Circuit Compilers"

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.

Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.

LEAKAGE and TAMPER Resilient Random Access Machine (LTRAM) Pratyay Mukherjee Aarhus University Joint work with Sebastian Faust, Jesper Buus Nielsen and.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Protecting Circuits from Computationally-Bounded Leakage Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University Crypto.

Protecting Circuits from Computationally-Bounded Leakage Eran Tromer MIT Joint work with Sebastian Faust K.U. Leuven Leo Reyzin Boston University Crypto.

Similar presentations

Ads by Google