Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Published byGarey Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo."— Presentation transcript:

1 Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod Vaikuntanathan IBM Research Boston University MIT IBM Research

2 2 Theory vs. Reality K XY Standard security analysis: Controls inputs/outputs, e.g. CPA Computation completely unknown K XY Attacking the implementation: input key output Adversary obtains leakage Use physical observations: e.g. power consumption, timing,… Completely break crypto schemes! implement

3 3 Countermeasures? Hot topic: ISW03, MR04, DP08, P09, AGV09, ADW09, KV09, DKL09,… Many more citations in the paper We may try to defeat specific attacks, e.g. power analysis, timing attacks,… Or we can try to go for a broad class! Most other work: Security of specific scheme This work: How to securely implement any scheme?

4 4 How to extend the standard model? K Modeled by a leakage function f Adversary obtains leakage f(state) Real-life leakages don’t leak complete key Power consumption: e.g. f(st) ≈ Hamming weight of wires in circuit Arbitrary leakage function? No…  e.g.: f(st) = K means no security Some restrictions are necessary XY Probing: f(st) = some bits of state

5 5 Restrictions: Bounded leakage Bounded total leakage K … f(st) K K e.g. used to model cold boot attacks Continuous leakage Amount of leakage << length of key K Bounded per observation, but: total leakage >> |K|

6 6 Restrictions: Bounded leakage Bounded total leakage K … f(st) K1K1 f(st 1 ) KnKn f(st n ) Bounded per observation, but: total leakage >> |K| e.g. power analysis Continuous leakage requires refreshing of key: K  K i e.g. used to model cold boot attacks Amount of leakage << length of key K

7 7 Restrictions: Local vs. Global Local leakage Global leakage e.g. probing: leakage is oblivious to most of the computation e.g. power analysis: power consumption depends on all computation

8 8 Restrictions: Weak/Noisy vs. PPT (requires bounded leakage) Weak or Noisy leakage K f є L = {computationally weak functions} Leakage can be described by “simple” aggregated function Is this reasonable? Yes! E.g. probing, power consumption… f(st) weak

9 9 Weak or Noisy leakage K f(st) K f є L = {Noisy functions}: Leakage is a noisy function of the secret key Restrictions: Weak/Noisy vs. PPT (requires bounded leakage) weak noisy

10 10 Weak or Noisy leakage K f(st) K Powerful! Restrictions: Weak/Noisy vs. PPT (requires bounded leakage) weak noisy

11 11 Weak or Noisy leakage K f(st) K Polynomial-time leakage K f(st) f є L = {PPT functions} Leakage is arbitrary PPT function Restrictions: Weak/Noisy vs. PPT (requires bounded leakage) Powerful! weak noisy PPT Probably stronger than leakage in reality

12 12 Q: Is there computation that can be protected against global, continuous, but weak or noisy leakage? A challenge… A: Any Computation! If we have a simple leak-free component Reduce some complex computation to very simple shielded component [MR04]

13 13 Earlier work: Ishai, Sahai, Wagner ‘03 Main drawback: No proof of security for global functions, e.g. Hamming Weight Q: Is there computation that can be protected against global, continuous, but weak or noisy leakage? A: Any Computation! local probing

14 14 1.Circuit Compilers 2.Our Result Rest of this talk…

15 15 Circuit compiler: C‘ with K‘ has same functionality as C with K K XY C YX K’K’ C’C’ Circuit compilers  Is resistant to continuous leakages from some large function class L (Security Definition by Simulation) Input: description of arbitrary circuit C and key K Functionality preserving:  Uses same gates as C Transformed circuit C‘: + leak-free gate (later more) Output: description of transformed circuit C‘ and key K‘

16 16 Our Result Theorem 1: A compiler that makes any circuit resilient to computationally weak leakages. Set of leakage functions L can be large, but they cannot compute a certain linear function One example: AC 0 = Const depth and poly size circuits of Λ or V gates. What does this mean? L = AC 0  L cannot compute linear function parity!

17 17 Our Result Theorem 2: A compiler that makes any circuit resilient to noisy leakages. What does this mean? Leakages are {wire i + noise ƞ i }  ƞ i = 0, with probability 1-p  ƞ i = 1, with probability p Both compilers assume leak-free gates in transformed circuit!

18 18 Leak-free gates  Leak-free processor: oblivious RAM (1) Many previous usages in leakage-resilience:  Leak-free memory: “only computation leaks”, one-time programs (2) Our leak-free gate is: Small & simple: Much smaller than size of Stateless: No secrets are stored Computation independent: No inputs For Theorem 1: random t-bit string (b 1,…,b t ) with parity 0 (1) [G89,GoldOstr95], (2) [MicRey04], [DziPie08], [GoldKalRoth08] For Theorem 2: above properties, but a bit more complicated

19 19 Compiler: high-level C M ● + ● ● + C ● M Circuit topology is preserved 1. Memory:Encoded memory Bit b e.g. “Parity” encoding”: uniform t-bit string (b 1 …b t ) with parity b

20 20 Compiler: high-level C M ● + ● ● + C ● M 2. Each wire w Wire bundle that carries the encoding of w, e.g. a t-bit string with parity w

21 21 Two key properties of our encoding Let (a 1,…a t ) and (b 1,…b t ) be bit strings with parity 0 and 1 (resp.) f(a 1,…a t ) or f(b 1,…b t ) 2. Noise indistinguishable [XOR Lemma] (a 1 + ƞ 1,+…a t + ƞ t ) or (b 1 + ƞ 1,…b t + ƞ t ) ?? in AC 0 Flip each bit with prob. p 1. L=AC 0 indistinguishable [Has86,DubrovIshai06] ??

22 22 Compiler: high-level C M ● + ● ● + C ● M 3. Gates Gadgets: built from normal gates and leak-free gates and operate on encodings Properties of the encoding do not suffice for security!

23 23 Conclusion Two circuit compilers …. global leakages : i.e. leakage can depend on all the computation, all intermediate results,… continuous leakage : the amount of leakage over time is unbounded  eliminate leak-free gates compile any circuit Open problems:  For security parameter t: blow-up ≈ t 2

24 24 Thank you!

25 25 Simulation: Real: indistinguishable L-Security: Simulation [ISW03] Intuition: Adversary learns no more than by input/output access X1f1 ∈LX1f1 ∈L Y 1 f 1 (wires 1 ) Simulation: K1K1 X1X1 Y1Y1 … K’1K’1 Xnfn ∈LXnfn ∈L Y n f n (wires n ) K’nK’n … refresh key Can e.g. be some low complexity function class

Download ppt "Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Computing with adversarial noise Aram Harrow (UW -> MIT) Matt Hastings (Duke/MSR) Anup Rao (UW)

Computing with adversarial noise Aram Harrow (UW -> MIT) Matt Hastings (Duke/MSR) Anup Rao (UW)
Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.

Protecting Circuits from Leakage Sebastian Rome La Sapienza, January 18, 2009 Joint work with KU Leuven Tal Rabin Leo Reyzin Eran Tromer Vinod.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.

Circuits Resilient to Additive Manipulation with Applications to Secure Computation Yuval Ishai Technion Daniel Genkin Manoj Prabhakaran Amit Sahai Eran.
Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,

Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai,
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)

RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.

PRATYAY MUKHERJEE AARHUS UNIVERSITY AARHUS UNIVERSITY PRATYAY MUKHERJEE 28. MARCH 2014 NEW RESULTS IN NON-MALLEABLE CODES PRATYAY MUKHERJEE 28. MARCH 2014.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Computability and Complexity 32-1 Computability and Complexity Andrei Bulatov Boolean Circuits.

Computability and Complexity 32-1 Computability and Complexity Andrei Bulatov Boolean Circuits.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Digital Logic

1 Digital Logic

Similar presentations

Ads by Google