Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University."— Presentation transcript:

1 Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University

2 Crypto as We’ve Known It CPU Storage Input Communication Channels Alice Bob Crypto runs on dedicated and isolated devices Adversary is 3 rd party with access to communication channels Secure communication is achievable through encryption

3 New Computing Environments Cloud Computing Mobile Computing

4 New Computing Environments Cloud Computing Mobile Computing Modern computing environments create new security risks Devices leak data through side-channels Timing Sound emanations Radiation Power consumption

5 How can we model a large class of side channel attacks? Allow the adversary to select leakage function f and see f(state) Leaking entire state breaks security Restrict f to shrinking functions Other restrictions are usually needed Restrict f to access only “active” memory Use secure hardware Modeling Leakage State f(state) Adversary

6 Continuous Leakage Leakage accumulates over time Each time a computation is performed, information leaks Even one bit of leakage can be fatal: f i (state ) = ith bit of state Two “conflicting” new goals: 1.Refresh state while maintaining functionality: e.g. if state is decryption key then for all state’ 2 Supp(Refresh(state)) state’ is also a valid decryption key 2.Leakage from different states should be hard to combine into a new valid state Key K Device state over time Leakage over time

7 Only Computation Leaks We already know that computation leaks [MR04]: “only computation leaks” State: CPU Inactive Active Leakage Active

8 Only Computation Leaks We already know that computation leaks [MR04]: “only computation leaks” More formally: state=(s 1,…,s n ) An algorithm consists of m parts: P 1,…,P m and sets W 1,…, W m µ [n] Part P i computes and leaks on { s j | j 2 W i } and randomness r i We model secure hardware as P i that does not leak on r i

9 Resilience To Continuous Leakage [G87,GO96] oblivious RAMs [ISW03] Private circuits: securing hardware against probing attacks [MR04] Physically observable cryptography [GKR08] One-time programs [DP08] Leakage-resilient cryptography [FKPR10] Leakage-resilient signatures [FRRTV10] Protecting against computationally bounded and noisy leakage [JV10] On protecting cryptographic keys against continual leakage [GR10] How to play mental solitaire under continuous side-channels [BKKV10] Cryptography resilient to continual memory leakage [DHLW10] Cryptography against continuous memory attacks

10 Key Proxies [JRV10]: “Key Proxy”, a new primitive to immunize a cryptographic key against leakage, but allow arbitrary computation Building blocks: Fully homomorphic encryption Secure hardware component independent from K Properties: 1.Resilience to polynomial time leakage assuming that “only computation leaks” 2.2 l(n) secure encryption allows l(n) leakage Resilience to polytime leakage without any leak- free computation on the state

11 Key Proxies Initialization Key K Initial State Evaluation Program P P(K) Updated State A key proxy is a pair of algorithms: Initialization and Evaluation Initialization generates an initial encoding of a key K Evaluation allows arbitrary computation on K and updates encoding Key Proxies encapsulate a key and allow structured access to it

12 Definition of Security Distinguisher Initialization Evaluation Leakage Program P P(K) Key K Update State 1.Adversary submits a key K 2.Repeat: 1.Submit program P 2.Obtain leakage 3.Get P(K) Real 1 2

13 Definition of Security 1.Adversary submits a key K 2.Repeat: 1.Submit program P 2.Obtain leakage 3.Get P(K) RealIdeal 1.Adversary submits a key K 2.Repeat: 1.Submit program P 2.Simulator is given P, P(K) 3.Obtain simulated leakage 4.Get P(K) Distinguisher Leakage Program P P(K) Key K 1 2 Trusted 3 rd party Simulator P, P(K)

14 Main Tools: Fully Homomorphic Encryption... Encryption of M 1 Encryption of M 2 Encryption of M n Evaluate Algorithm P Encryption of P(M 1,…,M n ) + Encryption of 0 = Random encryption of P(M 1,…,M n ) We require randomizable ciphertexts: Public key encryption KeyGen, Enc, Dec Allows computation on encrypted data [G09], [DGHV10]

15 Main Tools: Our Secure Hardware Public key Encryption of 0 We use a secure chip twice Given a public key, generate two Encryptions of 0 Both input and output leak, but not the internal randomness Random bits

16 Overview of Construction Initialization: Generate (pub, pri) ← R KeyGen(1 n ) Encrypt K using pub: C ← R Enc pub (K) View initial state as a pair ( Mem A, Mem B ) = (pri, C) Key K Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Memory A pri

17 Overview of Construction Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Memory A pri

18 Construction – Step 1 Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Memory A pri Computing on Memory A: 1.Generate a new public-private key pair (pub’,pri’) for the fully homomorphic encryption. 2.Encrypt the old private key pri under the new public key and write the ciphertext on the public channel. 3.Overwrite the contents of Memory A with pri’ Encryption of pri under pub’ Memory A pri' Memory A pri'

19 Construction – Step 2 Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Computing on Memory B: External input: program P 1.Evaluate homomorphically on encryption of pri: Dec pri (C) and P(Dec pri (C)) 2.Homomorphic evaluation produces encryptions C K of K and C P of P(K) Both under the new public key pub’ Encryption of pri under pub’ Memory A pri' Memory A pri' Program P

20 Construction – Step 3 Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Computing on Memory B: C K = encryption of K and C P = encryption of P(K) 1.Using the secure hardware component generate two encryptions ® k and ® p of 0 2.Randomize C K and C P : C K ← C K + ® k and C P ← C P + ® p 3.Write C P on the public channel 4.Overwrite the contents of Memory B with C K Encryption of pri under pub’ Memory A pri' Memory A pri' Program P Encryption of P(K) under pub’ Memory B C=Enc pub’ (K) Memory B C=Enc pub’ (K)

21 Construction – Step 4 Memory B C=Enc pub (K) Memory B C=Enc pub (K) Memory A pri Memory A pri Computing on Memory A: 1.Use pri’ to decrypt the encryption of P(K), and output P(K) Encryption of pri under pub’ Memory A pri' Memory A pri' Program P Encryption of P(K) under pub’ Memory B C=Enc pub’ (K) Memory B C=Enc pub’ (K)

22 Construction Everything together: Encryption of previous private key under pub’ Generate new key pair pub’,pri’ Previous private key pri Compute encryptions of K, P(K) under pub’ Encryption of K under previous public key Randomize encryptions of K, P(K) Encryption of K, P(K) under pub’ Encryption of K under pub’ Decrypt using pri’ and output P(K) Encryption of P(K) under pub’ New private key pri' Private key pri'

23 Secure Hardware Components Can we rely on secure hardware to achieve leakage resilience? Yes, but it would be nice if it is 1.Independent from protected functionality: amount and function of hardware should be same for all applications 2.Memory-less: secure against adversaries with a drill 3.Testable: operates on inputs from a known distribution

24 Achieving Resilience - Robustness Leaks n bits Size grows by function of n Leakage grows by unknown amount Leakage depends on the device Robustness [GKPV09]: more leakage -> stronger assumption but security parameter stays the same

25 Security Observations: After each round Memory A: a fresh private key Memory B: a fresh encryption of K Clearly secure without leakage But uninteresting Consider leakage structure in each round: C pri, pri 0 pri 0, C r Problem: Leakage on the private key both before and after leakage on C + the leakage is adaptive. Randomize Ciphertexts are incompressible

26 Why do we randomize? Fully homomorphic encryption may not preserve function privacy Evaluate Encryption of message M Algorithm P Encryption of message P(M) May contain information about P In our construction M=pri and P contains the encryption C of K Without randomization the final leakage function could compute on pri and C together!

27 Simulator Change 2: encrypted output is computed as C’ res,i = Enc pubi ( F i (K )) Change 3: output of one leak-free component is replaced by ® p,i = C’ res,i - C res,i Change 1: memory B now contains encryptions of 0 instead of K After change 1 pre-randomization encrypted output is C res,i = Enc pubi ( F i (0 ))

28 Why Sim Works P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 R’ i+2 Claim 1: security of n rounds reduces to security of two rounds Proof: Step 1: - Replace all messages R i with random encryptions R’ i of P i (K ) - Replace ® p,i with ® ’ p,i = R’ i – C res,i Change is conceptual RiRi R i+1 R i+2

29 Why Sim Works Claim 1: security of n rounds reduces to security of two rounds P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 R’ i+2 Proof: Step 2: Replace encryptions of K with Encryptions of 0 Change is significant But output is not affected If an adversary can detect the switch then she detects it for some i

30 Security Claim 1: security of n rounds reduces to security of two rounds P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 R’ i+2 Proof: i-th hybrid: C K,1,…, C K,i-1 are encryptions of K C’ K,i,…, C’ K,n are encryptions of 0 ® K,i = C K,i – C K,i-1 Suppose adversary distinguishes between hybrids i and i+1 Rounds 1,…,i-1 and i+2,…,n are identical in both hybrids C K,i is used in both rounds i and i+1 C K,i or C’ K,i C’ K,i+1 C’ K,i+2

31 Security We reduced the problem to this leakage structure for two rounds: C K,i or C’ K,i P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 C’ K,i+1 T i-1 pri i-1 pri i pri i+1 pri i pri i+1 1 2 3 4 5 6 Get pri i+1 Leakage 6: pri i+1 is needed to conclude the simulation

32 Security P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 C K,i or C’ K,i C’ K,i+1 T i-1 pri i-1 pri i pri i+1 pri i pri i+1 1 2 3 4 5 6 Get pri i+1 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key Proof: Leakage on private key happens both before and after leakage on C K,i or C’ K,i Guess ¸ for leakage 4 and squeeze leakage 5 and 6 into 3.

33 Security P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 C K,i or C’ K,i C’ K,i+1 T i-1 pri i-1 pri i pri i+1 pri i pri i+1 1 2 3 4 5 6 Get pri i+1 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key Proof: Leakage on private key happens both before and after leakage on C K,i or C’ K,i Guess ¸ for leakage 4 and squeeze leakage 5 and 6 into 3. Use the challenge C K,i /C’ K,i to verify ¸ 3

34 Security P1P1 P2P2 P4P4 P3P3 C pri P1P1 P2P2 P4P4 P3P3 R’ i R’ i+1 C K,i or C’ K,i T’ i+1 T i-1 pri i-1 pri i pri i+1 pri i pri i+1 1 2 Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on private key Proof: Guess ± for leakage 2 and squeeze leakage 3 into 1 3 1 Claim 3: any 2 l(n) secure public key encryption is resilient to O(l(n)) leakage on the private key Proof idea: since we can run in time 2 l(n), try all possible values of leakage.

Download ppt "Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)

RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google