
Cryptography in The Presence of Continuous Side-Channel Attacks


Ali Juma

University of Toronto

Yevgeniy Vahlis

Columbia University

- Crypto runs on dedicated and isolated devices
- Adversary is 3rd party with access to communication channels

[Figure: Alice and Bob exchange messages over communication channels; each device consists of Input, CPU and Storage]

- Secure communication is achievable through encryption

Modern computing environments create new security risks: cloud computing, mobile computing.

Devices leak data through side-channels

- Timing
- Sound emanations
- Radiation
- Power consumption

- How can we model a large class of side-channel attacks?
- Allow the adversary to select a leakage function f and see f(state)
- Leaking the entire state breaks security
- Restrict f to shrinking functions
- Other restrictions are usually needed:
  - Restrict f to access only "active" memory
  - Use secure hardware

[Figure: the adversary chooses f and receives f(state) from the device]

[Figure: device state over time: the same Key K at every point]

Leakage accumulates over time: each time a computation is performed, information leaks. Even one bit of leakage per computation can be fatal, e.g. f_i(state) = i-th bit of state: after as many computations as the state has bits, the adversary knows all of it.

[Figure: leakage over time from an unchanging Key K]

Two "conflicting" new goals:
- Refresh the state while maintaining functionality: e.g. if the state is a decryption key, then for all state' ∈ Supp(Refresh(state)), state' is also a valid decryption key
- Leakage from different states should be hard to combine into a new valid state

We already know that computation leaks. [MR04]: "only computation leaks".

[Figure: the state is split into active and inactive parts; only the active parts, the ones touched by the CPU, leak]

- More formally: state = (s_1, …, s_n)
- An algorithm consists of m parts P_1, …, P_m and sets W_1, …, W_m ⊆ [n]
- Part P_i computes and leaks on {s_j | j ∈ W_i} and on its randomness r_i
- We model secure hardware as a part P_i that does not leak on r_i
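As an added example (not from the deck or the authors' paper), the following Python models the leakage game described on these slides: a device state (s_1, …, s_n), parts P_i with access sets W_i, a shrinking bound on every leakage query, and secure-hardware parts whose randomness r_i is never visible to f. It then plays out the "i-th bit" leakage on a static key, and a functionality-preserving refresh of an XOR-shared key. The class and function names, the one-bit-per-query bound, the XOR sharing and the 32-byte randomness per part (so keys are assumed to be at most 32 bytes) are my own choices.

```python
import secrets


def bit(data, i):
    """Return the i-th bit of a bytes object (LSB-first within each byte)."""
    return (data[i // 8] >> (i % 8)) & 1


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """Toy 'only computation leaks' device (constructed for this example).

    state         : list of values s_1, ..., s_n (indexed 0 .. n-1 here)
    parts         : list of (W_i, is_secure_hw); W_i is the set of state
                    indices part i may read and write
    max_leak_bits : the shrinking bound on every leakage query
    """

    def __init__(self, state, parts, max_leak_bits):
        self.state = list(state)
        self.parts = parts
        self.max_leak_bits = max_leak_bits

    def run_part(self, i, compute, leak):
        """Execute part i with fresh randomness r_i.

        leak(view, r)    : the adversary's f; it sees only {s_j | j in W_i},
                           and r_i only if the part is not secure hardware
        compute(view, r) : the part's own work; returns {j: new s_j}
        """
        access, secure_hw = self.parts[i]
        r = secrets.token_bytes(32)
        view = {j: self.state[j] for j in access}
        leaked = list(leak(dict(view), None if secure_hw else r))
        if len(leaked) > self.max_leak_bits:
            raise ValueError("leakage function must be shrinking")
        for j, value in compute(view, r).items():
            if j not in access:
                raise ValueError("part wrote outside its access set")
            self.state[j] = value
        return leaked


def leak_static_key(key, rounds):
    """Leakage accumulates: one part, no refresh, one bit per computation.
    The adversary picks f_i(state) = i-th bit of the key in round i and
    learns `rounds` bits of the key (all of it after 8*len(key) rounds)."""
    dev = Device([key], parts=[({0}, False)], max_leak_bits=1)
    recovered = 0
    for i in range(rounds):
        leaked = dev.run_part(0,
                              compute=lambda view, r: {},
                              leak=lambda view, r: [bit(view[0], i)])
        recovered |= leaked[0] << i
    return recovered


def refresh_shared_key(key, rounds):
    """Refresh while maintaining functionality: the key is stored as XOR
    shares (A, B) in slots 0 and 1.  A secure-hardware part writes a fresh
    mask R into slot 2 (its internal randomness does not leak), then part 0
    (touching only A and R) and part 1 (touching only B and R) re-mask.
    Every refreshed state still reconstructs K.  This naive refresh does
    not by itself make leakage from different rounds hard to combine;
    that is what the deck's construction is for."""
    n = len(key)
    a = secrets.token_bytes(n)
    dev = Device([a, xor_bytes(a, key), bytes(n)],
                 parts=[({0, 2}, False), ({1, 2}, False), ({2}, True)],
                 max_leak_bits=1)
    no_leak = lambda view, r: []
    for _ in range(rounds):
        dev.run_part(2, compute=lambda view, r: {2: r[:n]}, leak=no_leak)
        dev.run_part(0, compute=lambda view, r: {0: xor_bytes(view[0], view[2])}, leak=no_leak)
        dev.run_part(1, compute=lambda view, r: {1: xor_bytes(view[1], view[2])}, leak=no_leak)
    return xor_bytes(dev.state[0], dev.state[1])


if __name__ == "__main__":
    key = b"\x2b\x01"
    print("static key, 16 one-bit rounds ->", hex(leak_static_key(key, 16)))
    print("refreshed shares still give K ->", refresh_shared_key(b"example-key", 5))
```

The `Device` class enforces the three restrictions the slides list (shrinking output, access limited to the part's sub-state, hidden randomness for secure hardware); `leak_static_key` shows why the shrinking bound alone is not enough once leakage accumulates across computations.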

- [G87,GO96] oblivious RAMs
- [ISW03] Private circuits: securing hardware against probing attacks
- [MR04] Physically observable cryptography
- [GKR08] One-time programs
- [DP08] Leakage-resilient cryptography
- [FKPR10] Leakage-resilient signatures
- [FRRTV10] Protecting against computationally bounded and noisy leakage
- [JV10] On protecting cryptographic keys against continual leakage
- [GR10] How to play mental solitaire under continuous side-channels
- [BKKV10] Cryptography resilient to continual memory leakage
- [DHLW10] Cryptography against continuous memory attacks

[JV10]: "Key Proxy", a new primitive to immunize a cryptographic key against leakage while still allowing arbitrary computation on it

- Building blocks:
- Fully homomorphic encryption
- Secure hardware component independent from K
- Properties:
- Resilience to polynomial-time leakage, without any leak-free computation on the state, assuming that "only computation leaks"
- 2^l(n)-secure encryption allows l(n) bits of leakage

Key Proxies encapsulate a key and allow structured access to it

A key proxy is a pair of algorithms: Initialization and Evaluation

- Initialization generates an initial encoding of a key K
- Evaluation allows arbitrary computation on K and updates encoding

[Figure: Initialization maps Key K to an initial state; Evaluation takes the state and a program P, outputs P(K) and an updated state]

Real:
- Adversary submits a key K
- Repeat:
  - Submit program P
  - Obtain leakage
  - Get P(K)

Ideal:
- Adversary submits a key K (held by a trusted 3rd party)
- Repeat:
  - Submit program P
  - Simulator is given P, P(K)
  - Obtain simulated leakage
  - Get P(K)

[Figure: in the real game, (1) Initialization encodes K and (2) each Evaluation of P updates the state, outputs P(K) and leaks to the distinguisher; in the ideal game the trusted 3rd party holds K, hands P and P(K) to the simulator, and the simulator produces the leakage the distinguisher sees]

Public key encryption (KeyGen, Enc, Dec) that allows computation on encrypted data [G09], [DGHV10]

[Figure: Evaluate takes Algorithm P and encryptions of M_1, M_2, …, M_n and outputs an encryption of P(M_1, …, M_n)]

We require randomizable ciphertexts: encryption of P(M_1, …, M_n) + encryption of 0 = random encryption of P(M_1, …, M_n).

We use a secure chip twice: given a public key and its internal random bits, it generates two encryptions of 0. Both the input and the output leak, but not the internal randomness.

- Initialization:
- Generate (pub, pri) ←R KeyGen(1^n)
- Encrypt K using pub: C ←R Enc_pub(K)
- View the initial state as a pair (MemA, MemB) = (pri, C)

[Figure: initial state: Memory A holds pri, Memory B holds C = Enc_pub(K)]

- Computing on Memory A:
- Generate a new public-private key pair (pub', pri') for the fully homomorphic encryption
- Encrypt the old private key pri under the new public key pub' and write the ciphertext on the public channel
- Overwrite the contents of Memory A with pri'


- Computing on Memory B (external input: program P):
- Evaluate homomorphically, on the encryption of pri under pub', the functions Dec_pri(C) and P(Dec_pri(C))
- Homomorphic evaluation produces encryptions C_K of K and C_P of P(K), both under the new public key pub'


- Computing on Memory B: C_K = encryption of K and C_P = encryption of P(K)
- Using the secure hardware component, generate two encryptions ®_k and ®_p of 0
- Randomize C_K and C_P: C_K ← C_K + ®_k and C_P ← C_P + ®_p
- Write C_P on the public channel
- Overwrite the contents of Memory B with C_K


- Computing on Memory A:
- Use pri' to decrypt the encryption of P(K), and output P(K)

Everything together, one round of Evaluation:
- Memory A holds the previous private key pri; Memory B holds the encryption of K under the previous public key
- Generate a new key pair (pub', pri'); the encryption of the previous private key under pub' goes out on the public channel, and Memory A now holds the new private key pri'
- Compute encryptions of K and P(K) under pub'
- Randomize the encryptions of K and P(K); the encryption of K under pub' stays in Memory B, the encryption of P(K) under pub' is written on the public channel
- Decrypt using pri' and output P(K)

Can we rely on secure hardware to achieve leakage resilience? Yes, but it would be nice if it is:
- Independent from the protected functionality: the amount and function of the hardware should be the same for all applications
- Memory-less: secure against adversaries with a drill
- Testable: operates on inputs from a known distribution

Leakage depends on the device. Robustness [GKPV09]: more leakage -> stronger assumption, but the security parameter stays the same.

[Figure: a device that leaks n bits; the leakage grows by an unknown amount, the size grows by a function of n]

- Observations:
- After each round, Memory A holds a fresh private key and Memory B a fresh encryption of K

Clearly secure without leakage, but uninteresting. Consider the leakage structure in each round:

[Figure: leakage on (pri, pri'), then on C, then on (pri', C_r) after Randomize]

Problem: leakage on the private key happens both before and after the leakage on C, and the leakage is adaptive.

Ciphertexts are incompressible

Fully homomorphic encryption may not preserve function privacy: the output of Evaluate (an encryption of P(M) computed from an encryption of message M) may contain information about Algorithm P. In our construction M = pri and P contains the encryption C of K. Without randomization the final leakage function could compute on pri and C together!
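The randomizable-ciphertext requirement (encryption of P(M) + encryption of 0 = random encryption of P(M)) and the function-privacy problem just described, as an added example that is not code from the deck or from the authors' paper. Paillier is only additively homomorphic, so it stands in for the fully homomorphic scheme and `evaluate` handles linear programs only; the tiny primes, the names `secure_chip_encryption_of_zero`, `matches_program` and `demo`, and the sample programs (1, 3) and (2, 3) are all constructed for this example.

```python
import math
import secrets

# Constructed toy parameters: two small primes (far too small for real use).
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key pri (Paillier's lambda)


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(N + 1, LAM, N2)), -1, N)          # second half of pri


def encrypt(m, r=None):
    """Enc_pub(m) = (1+N)^m * r^N mod N^2 with r uniform in Z_N^*."""
    if r is None:
        r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    return (_L(pow(c, LAM, N2)) * MU) % N


def secure_chip_encryption_of_zero():
    """Stand-in for the deck's secure chip: input is the public key (N),
    output is an encryption of 0.  The randomness r never leaves it."""
    r = secrets.randbelow(N - 1) + 1
    return pow(r, N, N2)          # (1+N)^0 * r^N


def evaluate(coeffs, ciphertexts):
    """Homomorphic evaluation of the linear program
    P(M_1, ..., M_n) = sum_i a_i * M_i, i.e. prod_i c_i^{a_i} mod N^2.
    The result is a deterministic function of (P, c_1, ..., c_n)."""
    out = 1
    for a, c in zip(coeffs, ciphertexts):
        out = (out * pow(c, a, N2)) % N2
    return out


def randomize(c):
    """Enc(P(M)) + Enc(0) -> a fresh random encryption of P(M)."""
    return (c * secure_chip_encryption_of_zero()) % N2


def matches_program(output, coeffs, ciphertexts):
    """Can an observer who saw the input ciphertexts tell which program
    produced `output`?  True for an unrandomized evaluation."""
    return output == evaluate(coeffs, ciphertexts)


def demo(m1, m2, coeffs=(1, 3), other=(2, 3)):
    c1, c2 = encrypt(m1), encrypt(m2)
    raw = evaluate(coeffs, [c1, c2])      # Evaluate(P, Enc(M1), Enc(M2))
    fresh = randomize(raw)                # + Enc(0) from the chip
    return {
        "plain": decrypt(fresh),                        # = m1 + 3*m2
        "raw_reveals_program": matches_program(raw, coeffs, [c1, c2])
                               and not matches_program(raw, other, [c1, c2]),
        "fresh_hides_program": not matches_program(fresh, coeffs, [c1, c2]),
        "same_plaintext": decrypt(raw) == decrypt(fresh),
    }


if __name__ == "__main__":
    print(demo(5, 7))
```

`raw` is fully determined by P and the input ciphertexts, so anyone holding those ciphertexts can check candidate programs against it; after the chip's encryption of 0 is added the output is a fresh ciphertext and that check fails, which is why the construction randomizes C_K and C_P before they are kept in Memory B or written on the public channel.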

Change 1: Memory B now contains encryptions of 0 instead of K. After change 1 the pre-randomization encrypted output is C_res,i = Enc_pub_i(F_i(0))

Change 2: the encrypted output is computed as C'_res,i = Enc_pub_i(F_i(K))

Change 3: the output of one leak-free component is replaced by ®_p,i = C'_res,i − C_res,i

Claim 1: security of n rounds reduces to security of two rounds

[Figure: three consecutive rounds i, i+1, i+2, each drawn as parts P1–P4, with the public messages R_i (the encryption of P_i(K)) and C_pri (the encryption of the previous private key)]

Proof:

Step 1:
- Replace all messages R_i with random encryptions R'_i of P_i(K)
- Replace ®_p,i with ®'_p,i = R'_i − C_res,i
The change is conceptual.

Step 2:
- Replace encryptions of K with encryptions of 0
The change is significant, but the output is not affected. If an adversary can detect the switch, then she detects it for some i.

i-th hybrid:
- C_K,1, …, C_K,i-1 are encryptions of K
- C'_K,i, …, C'_K,n are encryptions of 0
- ®_K,i = C_K,i − C_K,i-1
Suppose the adversary distinguishes between hybrids i and i+1. Rounds 1, …, i-1 and i+2, …, n are identical in both hybrids, and C_K,i is used in both rounds i and i+1.

[Figure: rounds i, i+1, i+2 of the hybrid, showing whether C_K,i or C'_K,i enters round i, with C'_K,i+1 and C'_K,i+2 in the later rounds and pri_i-1, T_i-1 carried in from round i-1]

We reduced the problem to this leakage structure for two rounds:

[Figure: rounds i and i+1 with six numbered leakage points on C_pri, R'_i, pri_i, the challenge C_K,i or C'_K,i, R'_i+1, pri_i+1 and C'_K,i+1, with pri_i-1 and T_i-1 carried in from round i-1]

Leakage 6: pri_i+1 is needed to conclude the simulation (get pri_i+1).

Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on the private key

Proof:
- Leakage on the private key happens both before and after the leakage on C_K,i or C'_K,i
- Guess ¸ for leakage 4 and squeeze leakages 5 and 6 into 3
- Use the challenge C_K,i / C'_K,i to verify ¸
- Guess ± for leakage 2 and squeeze leakage 3 into 1

[Figure: the same two-round leakage structure with leakage points 1–6 marked on C_pri, R'_i, pri_i, the challenge C_K,i or C'_K,i, R'_i+1 and pri_i+1]

Claim 3: any 2^l(n)-secure public key encryption is resilient to O(l(n)) bits of leakage on the private key

Proof idea: since we can run in time 2^l(n), try all possible values of the leakage.