
Public-Key Cryptosystems Resilient to Key Leakage

Weizmann Institute of Science

Moni Naor Gil Segev

Crypto in the Clouds, August 2009, MIT

Typical Scenario in Cryptography

Want to maintain secrecy in communication: Alice and Bob talk while Eve tries to listen.

[figure: Alice and Bob exchanging messages; Eve eavesdropping]

Modeling an Attack

Foundations of Cryptography: rigorous specification of the security of protocols
• The power of the adversary: access to the system, computational power
• What it means to break the system

"Standard model"

[figure: $E_k(m)$ sent between the parties]

Adversarial Models

STANDARD MODEL: abstract models of computation
• Interactive Turing machines
• Private memory, randomness, ...
• Well-defined adversarial access
• Can model powerful attacks

REAL LIFE: physical implementations leak information
• Adversarial access not always captured by abstract models

[figure: $E_k(m)$ sent between the parties]

Adversarial Models

Attacks in the standard model:
• Chosen-plaintext attacks
• Chosen-ciphertext attacks
• Composition
• Self-referential encryption, circular encryption
• ...

Attacks outside the standard model:
• Timing attacks [Kocher 96]
• Fault detection [BDL 97, BS 97]
• Power analysis [KJJ 99]
• Cache attacks [OST 05]
• Memory attacks [HSHCPCFAF 08] (Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum and Felten)
• ...

Side channel: any information not captured by the abstract "standard" model

[figure: $E_k(m)$ sent between the parties]

Adversarial Models

http://xkcd.com/538/

Two approaches for dealing with side channels

1. Make the world similar to the standard model
   • Minimizing electromagnetic leakage, "tamper-proof" devices, ...
   • Fixed timing (independent of the input), Oblivious RAM, ...
   • Typically expensive or inefficient; requires precise modeling

2. Make sure the underlying cryptosystem is robust to modifications of the standard model

Not mutually exclusive approaches!

Thesis of this talk

Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks, and not only at implementation time: incorporate side-channel attacks in the design of systems.

Proof by example...

and workshop?

Modeling Side-Channels

• Canetti, Dodis, Halevi, Kushilevitz, and Sahai '00: exposure-resilient functions, functions that "look" random even if several input bits are leaked
• Ishai, Prabhakaran, Sahai, and Wagner '03, '06: private circuit evaluation allowing several wires to leak
• Micali and Reyzin '04: computation, and only computation, leaks information
• Dziembowski and Pietrzak '08, Pietrzak '09: leakage-resilient stream ciphers (computation, and only computation, leaks information; low-bandwidth leakage)

"Outside of a few classified military programs, side-channel attacks have been largely ignored by computer security researchers, who have instead focused on creating ever more robust encryption schemes and network protocols."

W. Wayt Gibbs, Scientific American, May 2009

Memory Attacks [HSHCPCFAF 08]

Not only computation leaks information: memory retains its content after power is lost, and the content can even last for several minutes.

[figure: decay of a DRAM image after 5 seconds, 30 seconds, 60 seconds and 5 minutes]

http://citp.princeton.edu/memory
Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum and Felten

• Cold boot attacks: recover "noisy" keys
• Reconstruct DES, AES, and RSA keys; can exploit redundancy in round keys
• Completely compromise popular disk encryption systems
• Extended and further analyzed by Heninger & Shacham 09

Model: leakage of any function of the key

• Would like to allow the adversary to learn any function of the key
• Cannot withstand learning the full key
• Idea: limit the length of the function; would like to withstand as long a leakage as possible
• Want a functional definition: what the adversary cannot succeed in doing as a result of the attack

Public-Key Encryption

Semantic security against chosen-plaintext attacks [GM82]: for any $m_0$ and $m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ and $E_{pk}(m_1)$.

The game (figure): the challenger generates $(sk, pk)$ and sends $pk$; the adversary sends $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and returns $E_{pk}(m_b)$; the adversary outputs $b'$.

Key-Leakage AttacksSemantic security with key leakage [AGV 09]:For any* leakage f(sk) and for any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)

(sk, pk)

pk

f

Output b’

f(sk)

b à {0,1}

Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1}¸ for ¸ < |sk|

m0, m1

Epk(mb)

Akavia, Goldwasser and Vaikuntanathan

[AGV 09]: Regev’s lattice-based scheme is resilient

to such leakage

17

Is this the right model? Noisy leakage

as opposed to low-bandwidth leakage DRAM remanence effects

Leakage of intermediate values Are intermediate values always erased? Are intermediate values always erased?

Key generation process Decryption process

Keys generated using a “weak” random source

Not a perfect model, but still a good starting point

Discuss extensions later on

Crucial for composition

18

Our Results A generic construction for protecting against key leakage

Based on any Hash Proof System [CS 02] Efficient instantiations Various number-theoretic assumptions (DDH, d-Linear, QR, Paillier)

A new hash proof system Resulting scheme resilient to leakage of L – o(L) bits Based on either DDH or d-Linear

The [BHHO 08] circular-secure scheme Fits into our generic approach Resilient to leakage of L – o(L) bits

Trade-off in

efficiency

Decisional Diffie Hellman

Boneh, Halevi, Hamburg and Ostrovsky

19

Our Results Chosen-ciphertext security

Theoretical side A generic CPA-to-CCA

transformation Leakage of L – o(L) bits

Practical side Efficient variants of Cramer-Shoup CCA1: Leakage of L/4 bits CCA2: Leakage of L/6 bits

Satisfied by our

schemes

Extensions of the [AGV 09] model Noisy leakage Leakage of intermediate values Keys generated using a “weak” random source

Related & independent work: Tauman-Kalai and Vaikuntanathan

• [BHHO 08] with hard-to-invert leakage

20

Outline of the Talk

• Some tools
• The generic construction by examples
  – A simple scheme: $\lambda \approx |sk|/2$
  – Improved schemes: $\lambda \approx |sk|$
• Extensions of the model
• Conclusions, further work, and some rest...

Min-Entropy

Probability distribution $X$ over $\{0,1\}^n$:

$H_\infty(X) = -\log \max_x \Pr[X = x]$

represents the probability of the most likely value of $X$.

$X$ is a $k$-source if $H_\infty(X) \ge k$, i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$.

Statistical distance: $\Delta(X, Y) = \sum_a |\Pr[X = a] - \Pr[Y = a]|$

Example: $U_n$, the uniform distribution on $\{0,1\}^n$, has $H_\infty(U_n) = n$.

Extractors

Universal procedure for "purifying" an imperfect source.

Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \varepsilon)$-extractor if for every $k$-source $X$ the result is close to uniform:

$\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le \varepsilon$

[figure: EXT takes $x$, a $k$-source of length $n$, and a "seed" $s$ of $d$ random bits, and outputs $\ell$ almost-uniform bits]

Strong Extractors

Output looks random even after seeing the seed.

Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \varepsilon)$-strong extractor if

$\mathrm{Ext}'(x, s) = s \circ \mathrm{Ext}(x, s)$

is a $(k, \varepsilon)$-extractor.

Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.

Example: $\mathrm{Ext}(x, (a, b))$ = first $\ell$ bits of $ax + b$ over $GF[2^n]$
• Output length $\ell = k - 2\log(1/\varepsilon)$
• Seed length $d = 2n$; with almost pairwise independence $d = O(\log n + k)$

Sidebar: Weak Key-Leakage Attacks

Semantic security with weak key leakage: for any* leakage $f(sk)$, for a random $pk$ and for any $m_0$ and $m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ and $E_{pk}(m_1)$.

The game (figure): the adversary chooses $f$ before seeing $pk$; the challenger generates $(sk, pk)$ and sends $pk$ together with $f(sk)$; the adversary sends $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and returns $E_{pk}(m_b)$; the adversary outputs $b'$.

* Clearly, cannot allow $f(sk)$ that easily reveals $sk$. For now $f : SK \to \{0,1\}^\lambda$ for $\lambda < |sk|$.

Weak attacks: leakage depending on the secret key only
• Leakage function chosen by the adversary ahead of time, without any knowledge of the public key
• Depends only on properties of the hardware devices used for storing the secret key

Generic construction transforming any encryption scheme: resilient to any weak leakage of $L(1 - o(1))$ bits ($L$ = secret key length)
• Parameters: leakage parameter $\lambda$; length of the random string used by the key generation algorithm $G$: $m$
• Need: $\mathrm{Ext}: \{0,1\}^L \times \{0,1\}^d \to \{0,1\}^m$, an $(L - \lambda, \varepsilon)$-strong extractor

Generic construction from any scheme

Encryption scheme $(G, E, D)$ with key generation algorithm $G: \{0,1\}^m \to \{0,1\}^w$; $\mathrm{Ext}: \{0,1\}^L \times \{0,1\}^d \to \{0,1\}^m$ an $(L - \lambda, \varepsilon)$-strong extractor.

• Key generation:
  – Choose $x \in \{0,1\}^L$ and $s \in \{0,1\}^d$
  – Compute $(pk, sk) = G(\mathrm{Ext}(x, s))$
  – Output $PK = (pk, s)$ and $SK = x$
• Encryption: choose $r$ uniformly at random and output $(E(pk, M; r), s)$
• Decryption: given ciphertext $(c, s)$ and secret key $SK = x$:
  – Compute $(pk, sk) = G(\mathrm{Ext}(x, s))$ and output $D(sk, c)$

Resilient to any weak leakage of $L(1 - o(1))$ bits: given $f(x)$, the distribution of $\mathrm{Ext}(x, s)$ is close to uniform.
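The extractor definitions and the leftover-hash example above, together with the weak-leakage argument of the generic construction ("given f(x), the distribution of Ext(x, s) is close to uniform"), as an added, runnable example that is not part of the slides. It uses a deliberately tiny n = 8 so that sources can be enumerated exactly; the 3-bit leakage function, the reduction polynomial for GF(2^8) and the seed sampling are our own constructed choices, and the error estimate averages over random seeds rather than all 2^d of them.

```python
# Added example (not from the slides): min-entropy, statistical distance, the
# leftover-hash extractor Ext(x, (a, b)) = first l bits of a*x + b over GF(2^n),
# and the weak-leakage argument: after a lambda-bit leak f(x) the key x is still an
# (n - lambda)-source, so Ext(x, s) is close to uniform even given f(x) and s.
import math
import random
from collections import Counter

N = 8            # key length n (tiny, constructed so every source can be enumerated)
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1 is irreducible, so {0,1}^8 is GF(2^8)


def make_rng(seed=2009):
    """Deterministic seed sampler (constructed for reproducible runs)."""
    return random.Random(seed)


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps outcomes to probabilities."""
    return -math.log2(max(dist.values()))


def statistical_distance(p, q):
    """Delta(X, Y) = sum_a |Pr[X = a] - Pr[Y = a]| (the slides' convention, no 1/2 factor)."""
    return sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))


def gf_mul(a, b):
    """Multiplication in GF(2^N): carry-less product reduced modulo POLY."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: reduce by the field polynomial
            a ^= POLY
    return r


def ext(x, seed, ell):
    """Ext(x, (a, b)) = first ell bits of a*x + b over GF(2^n); the seed (a, b) is 2n bits."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ell)


def source_after_leak(f, value):
    """Distribution of a uniform n-bit key x conditioned on the leak f(x) = value."""
    support = [x for x in range(1 << N) if f(x) == value]
    return {x: 1.0 / len(support) for x in support}


def strong_extractor_error(source, ell, trials, rng=None):
    """Estimate E_s[Delta(Ext(X, s), U_ell)] over random seeds s: the strong-extractor error."""
    rng = rng or make_rng()
    uniform = {y: 1.0 / (1 << ell) for y in range(1 << ell)}
    total = 0.0
    for _ in range(trials):
        seed = (rng.randrange(1 << N), rng.randrange(1 << N))
        out = Counter()
        for x, px in source.items():
            out[ext(x, seed, ell)] += px
        total += statistical_distance(dict(out), uniform)
    return total / trials


def leftover_hash_bound(k, ell):
    """Leftover hash lemma: ell = k - 2 log(1/eps) means eps = 2^{-(k - ell)/2}."""
    return 2.0 ** (-(k - ell) / 2)


if __name__ == "__main__":
    leak = lambda x: x >> 5                       # constructed 3-bit leak: the top 3 bits of x
    src = source_after_leak(leak, 0b101)
    print("min-entropy after leak:", min_entropy(src))
    print("error:", strong_extractor_error(src, 1, 200), "bound:", leftover_hash_bound(N - 3, 1))
```

Because multiplication by a fixed `a` is GF(2)-linear, a seed either splits the 32-element leak class evenly (distance 0) or maps it to a constant bit (distance 1); the average over seeds is what the (k, ε) error measures, and it stays well under the leftover-hash bound.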

Decisional Diffie-Hellman

Alice sends $g^x$, Bob sends $g^y$; both parties compute $K = g^{xy}$.

DDH assumption: $(g, g^x, g^y, g^{xy}) \approx_c (g, g^x, g^y, g^z)$ for random $x, y, z \in \mathbb{Z}_q$.

In the form used below: $(g_1, g_2, g_1^r, g_2^r) \approx_c (g_1, g_2, g_1^{r_1}, g_2^{r_2})$ for random $g_1, g_2 \in G$ and $r, r_1, r_2 \in \mathbb{Z}_q$.


A Simple Scheme

$G$: group of order $q$ where DDH is hard; $\mathrm{Ext}: G \times \{0,1\}^d \to \{0,1\}^\ell$ a strong extractor.

Key generation: choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.

MAIN IDEA, redundancy: any $pk$ corresponds to many possible $sk$'s. $h = g_1^{x_1} g_2^{x_2}$ reveals only $\log(q)$ bits of information on $sk = (x_1, x_2)$. Leakage of $\lambda$ bits $\Rightarrow$ $sk$ still has min-entropy $\log(q) - \lambda$.

A Simple Scheme

$G$: group of order $q$; $\mathrm{Ext}: G \times \{0,1\}^d \to \{0,1\}^\ell$ a strong extractor.

Key generation: choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.

$\mathrm{Enc}_{pk}(m)$: choose $r \in \mathbb{Z}_q$ and a seed $s \in \{0,1\}^d$; output $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$.

$\mathrm{Dec}_{sk}(u_1, u_2, s, e)$: output $e \oplus \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s)$.

Correctness: $u_1^{x_1} u_2^{x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r$.

A Simple Scheme: Security Theorem

Theorem: the scheme is resilient to leakage of $\lambda \approx \log(q)$ bits, half the size of $sk$ (more precisely, $\log(q) - |m|$ bits).

Proof by reduction: an adversary for the encryption scheme gives a distinguisher for Decisional Diffie-Hellman.

A Simple Scheme: the attack and the reduction

Theorem: the scheme is resilient to leakage of $\lambda \approx \log(q)$ bits.

The key-leakage game (figure): the challenger generates $(sk, pk)$ and sends $pk$; the adversary chooses $f$ and receives $f(sk)$; the adversary sends $m_0, m_1$ and receives $E_{pk}(m_b)$ for $b \leftarrow \{0,1\}$; it outputs $b'$. Suppose $b' = b$ with probability $1/2 + \varepsilon$ where $\varepsilon > 1/\mathrm{poly}$.

Distinguisher for DDH (figure): given a tuple $(g_1, g_2, g_1^{r_1}, g_2^{r_2})$, the distinguisher plays the challenger for the adversary (providing $pk$, $f(sk)$ and $E_{pk}(m_b)$) and, from $b'$, outputs "$r_1 = r_2$" or "$r_1 \neq r_2$".

Simple Scheme: Security Proof

Recall $h = g_1^{x_1} g_2^{x_2}$ and the ciphertext $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$, which the decryptor sees as $(g_1^r, g_2^r, s, \mathrm{Ext}((g_1^r)^{x_1} (g_2^r)^{x_2}, s) \oplus m)$.

Ciphertexts can be generated in two modes, computationally indistinguishable to anyone not knowing $sk$:
• Valid ($r_1 = r_2$): $(g_1^{r_1}, g_2^{r_2}, s, \mathrm{Ext}((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) \oplus m)$; the plaintext can be recovered knowing $sk$.
• Invalid ($r_1 \neq r_2$): no information on the plaintext, given $pk$.

Why the invalid mode hides $m$: writing $g_2 = g_1^w$ and $t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}$, the public key and the ciphertext fix

$x_1 + w x_2 = \log(h), \qquad r_1 x_1 + r_2 w x_2 = \log(t)$

(logarithms to base $g_1$). For $r_1 \neq r_2$ these two equations are independent, so $t$ is uniformly distributed given $pk$ and $(g_1^{r_1}, g_2^{r_2})$. Therefore, even given $f(sk)$, $t$ has min-entropy $\ge \log(q) - \lambda$, and by applying the extractor we get back a random string.

Proof of Security

The distinguisher receives a tuple $(g_1, g_2, u_1, u_2)$ and simulates the challenger:
• sets $sk = (x_1, x_2)$ and $pk = (g_1, g_2, g_1^{x_1} g_2^{x_2})$, and sends $pk$;
• answers the leakage query $f$ with $f(sk)$;
• on $m_0, m_1$ returns the challenge $\langle u_1, u_2, s, \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s) \oplus m_b \rangle$;
• if $b' = b$ outputs "$r_1 = r_2$", otherwise "$r_1 \neq r_2$".

Case 1: $u_1 = g_1^r$ and $u_2 = g_2^r$. The simulation is identical to the actual attack, so $\Pr[b' = b] = 1/2 + \varepsilon$.

Case 2: $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$ with $r_1 \neq r_2$. The challenge is independent of $b$, so $\Pr[b' = b] = 1/2$ up to the extractor error.
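The simple scheme and the two ciphertext modes of its security proof, as an added example that is not part of the slides. A toy DDH group (p = 23, q = 11, generator 4: constructed, and far too small to be secure) makes the set of secret keys consistent with a public key enumerable, so the script can show that for r1 = r2 the decryptor's mask u1^x1 u2^x2 is the single value h^r, while for r1 ≠ r2 it ranges over every group element exactly once, and that a λ-bit leak lowers the average min-entropy of sk by at most λ. The truncated-SHA-256 extractor is our stand-in for the slides' pairwise-independent hash.

```python
# Added example (not from the slides): the simple scheme on a toy DDH group and the
# valid/invalid ciphertext modes of the security proof. Constructed parameters:
# p = 23 = 2q + 1, q = 11, g = 4 generates the order-q subgroup of Z_23^* (insecure size).
import hashlib
import math
import random
from collections import Counter

P, Q, G = 23, 11, 4


def make_rng(seed=7):
    """Deterministic randomness for the demo (constructed; not for real keys)."""
    return random.Random(seed)


def ext(t, seed, nbytes):
    """Stand-in for Ext(t, s): hash of the group element and the seed, truncated (our substitution)."""
    return hashlib.sha256(t.to_bytes(2, "big") + seed).digest()[:nbytes]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen(rng=None):
    """sk = (x1, x2), pk = (g1, g2, h) with h = g1^x1 * g2^x2."""
    rng = rng or make_rng()
    g1, g2 = G, pow(G, rng.randrange(1, Q), P)
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (x1, x2), (g1, g2, h)


def encrypt(pk, m, rng=None):
    """Valid ciphertext (g1^r, g2^r, s, Ext(h^r, s) xor m): the same r in both slots."""
    rng = rng or make_rng()
    g1, g2, h = pk
    r = rng.randrange(Q)
    s = rng.getrandbits(128).to_bytes(16, "big")
    return pow(g1, r, P), pow(g2, r, P), s, xor(ext(pow(h, r, P), s, len(m)), m)


def mask(sk, u1, u2):
    """u1^x1 * u2^x2: what the decryptor feeds to the extractor (equals h^r when valid)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def decrypt(sk, ct):
    u1, u2, s, e = ct
    return xor(e, ext(mask(sk, u1, u2), s, len(e)))


def consistent_keys(pk):
    """All sk in Z_q^2 matching pk: h fixes one linear relation on (x1, x2), so q keys remain."""
    g1, g2, h = pk
    return [(x1, x2) for x1 in range(Q) for x2 in range(Q)
            if pow(g1, x1, P) * pow(g2, x2, P) % P == h]


def mask_distribution(pk, r1, r2):
    """Multiset of u1^x1 * u2^x2 over all sk consistent with pk, for u1 = g1^r1, u2 = g2^r2.
    r1 == r2 (valid mode): a single value h^r.  r1 != r2 (invalid mode): every element once."""
    g1, g2, _ = pk
    u1, u2 = pow(g1, r1, P), pow(g2, r2, P)
    return Counter(mask(sk, u1, u2) for sk in consistent_keys(pk))


def avg_min_entropy_after_leak(keys, f):
    """Average min-entropy of sk (uniform over keys) given f(sk):
    -log2 sum_v Pr[f = v] * max_sk Pr[sk | f = v].  A lambda-bit f takes at most 2^lambda
    values, so the result is at least log2(len(keys)) - lambda."""
    counts = Counter(f(sk) for sk in keys)
    return -math.log2(sum((c / len(keys)) * (1 / c) for c in counts.values()))


if __name__ == "__main__":
    rng = make_rng()
    sk, pk = keygen(rng)
    ct = encrypt(pk, b"hello", rng)
    print(decrypt(sk, ct), len(consistent_keys(pk)), "keys consistent with pk")
    print("valid:", mask_distribution(pk, 3, 3), "invalid:", mask_distribution(pk, 3, 5))
```

The invalid-mode count is exactly the slides' linear-algebra argument: with g2 = g1^w, the pair (x1 + w x2, r1 x1 + r2 w x2) is a bijection of Z_q^2 when r1 ≠ r2, so sweeping the line fixed by h sweeps all of Z_q in the exponent of the mask.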

Hash Proof Systems

Key-encapsulation mechanism with an additional property: knowing $sk$, can encapsulate in two modes, computationally indistinguishable:
• Valid: encapsulated key can be recovered
• Invalid: encapsulated key is random

Leakage reduces the min-entropy by at most $\lambda$; extract and mask the plaintext.

Our general construction: hash proof system + strong extractor gives a key-encapsulation mechanism resilient to key leakage.

Known instantiations: Decisional Diffie-Hellman; Linear family (bilinear groups); quadratic residuosity; composite residuosity (Paillier).


An Improved Scheme

$G$: group of order $q$. Notation: for $(x_1, \ldots, x_n) \in \mathbb{Z}_q^n$ and $(g_1, \ldots, g_n) \in G^n$,

$(x_1, \ldots, x_n) \cdot (g_1, \ldots, g_n)^T = \prod_{i=1}^{n} g_i^{x_i}$

An Improved Scheme

$G$: group of order $q$; $\mathrm{Ext}: G^{n-k} \times \{0,1\}^d \to \{0,1\}^\ell$ a strong extractor.

Key generation: choose $A \in G^{k \times n}$ and $x \in \mathbb{Z}_q^n$; let $y = Ax$; output $sk = x$ and $pk = (A, y)$.

$\mathrm{Enc}_{pk}(m)$: choose $R \in \mathbb{Z}_q^{(n-k) \times k}$ and a seed $s \in \{0,1\}^d$; output $(RA, s, \mathrm{Ext}(Ry, s) \oplus m)$.

$\mathrm{Dec}_{sk}(Q, s, e)$: output $e \oplus \mathrm{Ext}(Qx, s)$.

An Improved Scheme

Theorem: the scheme is resilient to any leakage of length $\lambda \approx (1 - k/n)|sk|$, i.e. a $1 - o(1)$ fraction of $|sk|$ as $n$ grows.

Based on the hardness of $k$-Linear [BBS 04]:
• 1-Linear = DDH
• $k$-Linear is hard $\Rightarrow$ $(k+1)$-Linear is hard
• $k$-Linear is easy $\not\Rightarrow$ $(k+1)$-Linear is easy (in generic groups)

A new hash proof system: optimizes the ratio between the secret key and the encapsulated key.

An Improved Scheme

We show that $k$-Linear implies indistinguishability of a random $P \in G^{n \times n}$ of rank $k$ from a random $P \in G^{n \times n}$ of rank $n$ (rank computed in $\mathbb{Z}_q^{n \times n}$ relative to a fixed generator $g \in G$).

In the simplified scheme the matrix is

$\begin{pmatrix} g_1 & g_2 \\ g_1^{r_1} & g_2^{r_2} \end{pmatrix}$

with $r_1 = r_2$ giving rank 1 and $r_1 \neq r_2$ giving rank 2.

[BHHO 08] proved the case $k = 1$. The proof is similar to the simplified scheme.
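The improved scheme with A ∈ G^{k×n}, as an added example that is not the slides' code, on the same toy group (p = 23, q = 11, generator 4; constructed and insecure in size). The group "matrix products" follow the slides' notation (x1, …, xn)·(g1, …, gn)^T = ∏ g_i^{x_i}; the extractor is again a truncated-SHA-256 stand-in (our substitution), and the parameters n, k are constructed. Counting the keys consistent with a public key gives the (n − k) log q bits of residual min-entropy behind the theorem's λ ≈ (1 − k/n)|sk|.

```python
# Added example (not from the slides): the improved scheme on the toy group with
# A in G^{k x n}, y = A x, ciphertext (R A, s, Ext(R y, s) xor m), decryption via Q x.
import hashlib
import itertools
import math
import random

P, Q, G = 23, 11, 4   # constructed toy group: order-11 subgroup of Z_23^*


def make_rng(seed=3):
    return random.Random(seed)


def exp_dot(elems, scalars):
    """prod_i elems[i]^scalars[i] in G: the slides' (x1..xn) . (g1..gn)^T."""
    v = 1
    for g, x in zip(elems, scalars):
        v = v * pow(g, x, P) % P
    return v


def mat_vec(A, x):
    """A x for A in G^{k x n}, x in Z_q^n: one exp_dot per row, result in G^k."""
    return [exp_dot(row, x) for row in A]


def scal_mat(R, A):
    """R A for R in Z_q^{m x k}, A in G^{k x n}: entry (l, i) = prod_j A[j][i]^{R[l][j]}."""
    cols = list(zip(*A))
    return [[exp_dot(col, Rrow) for col in cols] for Rrow in R]


def ext(elems, seed, nbytes):
    """Stand-in extractor over G^{n-k}: hash of the elements and the seed, truncated."""
    data = b"".join(t.to_bytes(2, "big") for t in elems) + seed
    return hashlib.sha256(data).digest()[:nbytes]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen(n, k, rng=None):
    """sk = x in Z_q^n, pk = (A, y = A x) with A random in G^{k x n}."""
    rng = rng or make_rng()
    A = [[pow(G, rng.randrange(Q), P) for _ in range(n)] for _ in range(k)]
    x = [rng.randrange(Q) for _ in range(n)]
    return x, (A, mat_vec(A, x))


def encrypt(pk, m, rng=None):
    """Choose R in Z_q^{(n-k) x k} and a seed s; output (R A, s, Ext(R y, s) xor m)."""
    rng = rng or make_rng()
    A, y = pk
    n, k = len(A[0]), len(A)
    R = [[rng.randrange(Q) for _ in range(k)] for _ in range(n - k)]
    s = rng.getrandbits(128).to_bytes(16, "big")
    Ry = [exp_dot(y, Rrow) for Rrow in R]
    return scal_mat(R, A), s, xor(ext(Ry, s, len(m)), m)


def decrypt(x, ct):
    """Q x = (R A) x = R (A x) = R y, so the decryptor recovers the same mask."""
    Qm, s, e = ct
    return xor(e, ext(mat_vec(Qm, x), s, len(e)))


def count_consistent_keys(pk):
    """Number of x in Z_q^n with A x = y: q^{n-k} for full-rank A, i.e. pk leaks k log q bits."""
    A, y = pk
    n = len(A[0])
    return sum(1 for x in itertools.product(range(Q), repeat=n) if mat_vec(A, x) == y)


def leakage_bound_bits(n, k):
    """The theorem's lambda ~ (1 - k/n)|sk| with |sk| = n log q, i.e. (n - k) log q bits."""
    return (n - k) * math.log2(Q)


if __name__ == "__main__":
    rng = make_rng()
    x, pk = keygen(4, 2, rng)
    print(decrypt(x, encrypt(pk, b"leak", rng)), count_consistent_keys(pk), leakage_bound_bits(4, 2))
```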

The "Long" Scheme

Originally proposed by [BHHO 08] (Boneh, Halevi, Hamburg and Ostrovsky) as a "circular-secure" scheme; fits into our generic construction.

Key generation: choose $g_1, \ldots, g_k \in G$ and $s_1, \ldots, s_k \in \{0,1\}$; let $h = g_1^{s_1} \cdots g_k^{s_k}$; output $sk = (s_1, \ldots, s_k)$ and $pk = (g_1, \ldots, g_k, h)$.

$\mathrm{Enc}_{pk}(m)$: choose $r \in \mathbb{Z}_q$; output $(g_1^r, \ldots, g_k^r, h^r \cdot m)$.

$\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$: output $e \cdot (u_1^{s_1} \cdots u_k^{s_k})^{-1}$.

"Built-in" extractor: $k \approx \lambda + 2\log(q)$.


Extensions

Noisy leakage: leakage not necessarily of bounded length; require

$H_\infty(sk \mid pk, \text{leakage}) > H_\infty(sk \mid pk) - \lambda$

Leakage of intermediate values, key generation: once the keys are generated, are all intermediate values erased? Leakage depends on the random bits used for generating the keys. Crucial for security under composition.

Hard-to-invert leakage (Tauman-Kalai and Vaikuntanathan): the BHHO scheme is resilient to any $f(sk)$ that is sub-exponentially hard to invert.

Extensions: Weak random source

Keys generated using a low-entropy, adversarially chosen source.

Key generation (as before): choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.

$(g_1, g_2)$ chosen once and shared by all users. Only need $H_\infty(x_1, x_2 \mid g_1, g_2) \approx \log(q) + |\text{plaintext}|$.

Extensions: Leakage of intermediate values, decryption

Contrived example: first encode $sk$ using a good error-correcting code, then decrypt. Not so contrived...

$\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$: output $e \cdot (u_1^{s_1} \cdots u_k^{s_k})^{-1}$

Decryption has "low bandwidth": only $O(\log q)$ bits at any point in time, while $sk = (s_1, \ldots, s_k)$ can be much larger.
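The "long" [BHHO 08] scheme and the low-bandwidth decryption of the extension above, as an added example that is neither the slides' nor the BHHO paper's code, on the same toy group (p = 23, q = 11, generator 4; constructed and insecure in size): decryption consumes the k-bit secret key as a stream and keeps a single group element as state, and enumerating the keys consistent with h shows the redundancy behind the "built-in" extractor.

```python
# Added example (not from the slides): the "long" scheme with streaming decryption.
# sk = (s1..sk) in {0,1}^k, pk = (g1..gk, h = prod g_i^{s_i}), Enc = (g1^r..gk^r, h^r * m),
# Dec = e * (prod u_i^{s_i})^{-1}, computed with one accumulator of O(log q) bits.
import random

P, Q, G = 23, 11, 4   # constructed toy group: order-11 subgroup of Z_23^*


def make_rng(seed=11):
    return random.Random(seed)


def public_value(gs, s):
    """h = prod_i g_i^{s_i} for a bit vector s."""
    h = 1
    for g, bit in zip(gs, s):
        if bit:
            h = h * g % P
    return h


def keygen(k, rng=None):
    """sk = (s1..sk) in {0,1}^k, pk = (g1..gk, h)."""
    rng = rng or make_rng()
    gs = [pow(G, rng.randrange(1, Q), P) for _ in range(k)]
    s = [rng.randrange(2) for _ in range(k)]
    return s, (gs, public_value(gs, s))


def encrypt(pk, m, rng=None):
    """m is a group element; output (g1^r, ..., gk^r, h^r * m)."""
    rng = rng or make_rng()
    gs, h = pk
    r = rng.randrange(Q)
    return [pow(g, r, P) for g in gs], pow(h, r, P) * m % P


def decrypt_streaming(sk_bits, ct):
    """e * (prod_i u_i^{s_i})^{-1}, consuming sk_bits one bit at a time (an iterator is fine).
    Returns the plaintext and the intermediate states; each state is one element of Z_p,
    so only O(log q) bits of secret-dependent data exist at any point in time."""
    us, e = ct
    acc, states = 1, []
    for u, bit in zip(us, sk_bits):
        if bit:
            acc = acc * u % P
        states.append(acc)
    return e * pow(acc, -1, P) % P, states


def consistent_keys(pk):
    """All k-bit strings s with prod g_i^{s_i} = h: h reveals only log q of the k bits."""
    gs, h = pk
    k = len(gs)
    keys = []
    for bits in range(1 << k):
        s = [(bits >> i) & 1 for i in range(k)]
        if public_value(gs, s) == h:
            keys.append(s)
    return keys


if __name__ == "__main__":
    rng = make_rng()
    sk, pk = keygen(12, rng)
    m = pow(G, 5, P)
    pt, states = decrypt_streaming(iter(sk), encrypt(pk, m, rng))
    print(pt == m, states, len(consistent_keys(pk)), "keys consistent with h")
```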


Conclusions

• Must incorporate side-channel attacks in the design of systems
• Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks
• We can build efficient cryptosystems resilient to a wide range of side-channel attacks

Further work:
• Leakage-resilient encryption from general assumptions?
• Dealing with "iterative"/continual leakage and refreshed keys? As in leakage-resilient stream ciphers [DP08, P09]
• Other primitives? Signature scheme [Katz Vaikuntanathan 09], bounded retrieval model [Alwen, Dodis, Walfish, Wichs 09], hard-to-invert leakage [DKL09, KV09], block cipher??
• Other side channels?
• A falsifiable assumption with side channels?

Conclusions: Can leverage the physical world!!

• Visual cryptography [NS94]
• Timing for concurrent composition [DNS98]
• Authentication: low-bandwidth human channel [NSS06]
• Tamper-evident seals (scratch-off cards) [MN06]
• Randomized response
• Secure computation using tamper-proof hardware [Katz07, MS08]
• Human competitive nature and love of games [HN09]
• Voting

Thank You

To appear, Crypto 2009

Available:
• www.wisdom.weizmann.ac.il/~naor/PAPERS/leakage_abs.html
• IACR Archive