slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran PowerPoint Presentation
Download Presentation
Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran

Loading in 2 Seconds...

play fullscreen
1 / 14

Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran - PowerPoint PPT Presentation


  • 115 Views
  • Uploaded on

Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 13: Cryptographic leakage resilience (cont.). Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran. y=y(s,x). s’. x. Leakage resilience. y=y(s,x). s. x. Same I/O functionality

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Eran Tromer Slides credit: Yuval Ishai, Manoj Prabhakaran' - callie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1
Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013Lecture 13:Cryptographic leakage resilience (cont.)

Eran TromerSlides credit: Yuval Ishai, Manoj Prabhakaran

leakage resilience

y=y(s,x)

s’

x

Leakage resilience

y=y(s,x)

s

x

  • Same I/O functionality
  • Keeps secret even in the presence of side-channel attacks:leakage andtampering
slide4

Model

CIRCUIT

INPUT

OUTPUT

MEMORY

  • Circuits runs for many cycles
  • In each cycle:
    • Adversary chooses input
    • Adversary chooses an admissible attack
      • Leakage and/or tampering from a specified class
    • Adversary observes output + leakage
    • Memory state is updated
slide5

C’

T

CIRCUIT

CIRCUIT

INPUT

INPUT

OUTPUT

OUTPUT

MEMORY

MEMORY

Circuit transformers

  • T=(TC,Ts), on inputs k,t, maps C to C’ and s0 to s0’.
  • Ts must be randomized
    • Otherwise initial state s0 is revealed by probing
  • C’ can be either randomized or (better yet) deterministic.
  • Functionally equivalent: C[s0]  C’[s0’]

C

s0

s0’

security ishai sahai wagner 03

X

Y

black-box

Security [Ishai Sahai Wagner ’03]

s

x

Y

admissible leakage

Any boolean circuit

Transformed circuit

Circuit transformation

indistinguishable

slide7

C’

T

CIRCUIT

CIRCUIT

INPUT

INPUT

OUTPUT

OUTPUT

MEMORY

MEMORY

Security definition

T protects privacy: circuit Cefficient Simadmissible Advinitial state s0 :SimAdv,C[s0]  view of Adv attacking C’[s0’](Even in case of tampering, only privacy is required)

C

s0

s0’

slide8

C’

T

CIRCUIT

CIRCUIT

INPUT

INPUT

OUTPUT

OUTPUT

MEMORY

MEMORY

Relation to obfuscation

  • C’[s0’] should act like a “virtual black-box” for C[s0].
    • Even in the presence of side-channel attacks
  • Negative results for obfuscation [BGI+01,GK05] restrict classes of attacks that can be tolerated
    • Can’t probe all wires in a single cycle
    • Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
    • Can’t freely “edit” gates and wires

C

s0

s0’

simple practical schemes i
Simple/practical schemes I
  • Sum-of-wires leakage
    • Dual-Rail Logic

<Show how simulator uses adversary>

  • Sum-of-wire-transitions leakage
    • Dual-Rail Precharge Logic
  • Protecting s
  • Practical complications:
    • Capacitance imbalance
    • Glitches
    • Cell internals
simple practical schemes ii
Simple/practical schemes II
  • Single-wire leakage
    • Bit masking
  • Single-”value” leakage
    • RSA blinding
  • t-wire leakage
    • Secret sharing…
slide11

t-wire leakage [ISW03]

  • Secrets additively shared into m=2t+1 shares
  • Given shares of a=a1 … amandb=b1… bm :
    • Compute shares of NOT(a) : apply NOT to a1
    • Compute shares ci of a AND b :
      • Let zi,j , i<j, be random independent bits
      • Let zj,i=(zi,jaibj)  ajbi(i<j)
      • Let ci=aibi jizi,j
  • Re-randomize s’ at every iteration
  • Randomness gates eliminated by a random-number generator

s0’

isw03

X

Y

black-box

[ISW03]

s

X

Y

t-wireprobing

Any boolean circuit

Transformed circuit

Circuit transformation

indistinguishable

our goal
Our goal

Allow stronger leakage.

leakage classes
Leakage classes
  • Locality assumptions
    • Single wire, t wires
    • Separate sub-circuits
    • Leak-free processor (Oblivious RAM [GO95])
    • Leak-free memory (“only computation leaks information” [MR04]: leakage from CPU state and memory accessed at that program step)
  • “Simple leakgage”
    • Sums and Hamming weights
    • Low-complexity global functions
  • Specific functionality (mainly crypto)