
Cryptography in The Presence of Continuous Side-Channel Attacks

Ali Juma, University of Toronto

Yevgeniy Vahlis, Columbia University

Crypto as We’ve Known It

[Figure: Alice and Bob communicating over communication channels]

• Crypto runs on dedicated and isolated devices
• Adversary is a 3rd party with access to the communication channels
• Secure communication is achievable through encryption

New Computing Environments

Cloud Computing, Mobile Computing

Modern computing environments create new security risks

Devices leak data through side-channels:
• Timing
• Sound emanations
• Radiation
• Power consumption

How can we model a large class of side channel attacks?

Allow the adversary to select a leakage function f and see f(state)

• Leaking the entire state breaks security
• Restrict f to shrinking functions
• Other restrictions are usually needed:
  • Restrict f to access only “active” memory
  • Use secure hardware

Modeling Leakage

[Figure: the adversary chooses a leakage function f and receives f(state) computed on the device state]

Continuous Leakage

Leakage accumulates over time

Each time a computation is performed, information leaks

Even one bit of leakage can be fatal: f_i(state) = i-th bit of state

Two “conflicting” new goals:

1. Refresh the state while maintaining functionality: e.g. if the state is a decryption key then for all state' ∈ Supp(Refresh(state)), state' is also a valid decryption key

2. Leakage from different states should be hard to combine into a new valid state

[Figure: the device state over time (Key K in each period) and the leakage accumulated over time]
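The one-bit-per-round leakage f_i(state) from the slide above, played out as an added simulation (not code from the talk). It assumes a 32-bit key and uses a two-share XOR re-masking as a toy stand-in for Refresh(state); that toy is not a leakage-resilient scheme, and the last function shows how leaking both shares within one round recombines K.

```python
"""Continuous-leakage simulation: each round the adversary asks for
f_i(state) = i-th bit of the state. Added example, not the talk's code."""
import secrets

N_BITS = 32  # assumed key length for the simulation


def leak_bit(state: int, i: int) -> int:
    """The adversary's chosen leakage function for round i: f_i(state)."""
    return (state >> i) & 1


def attack_static_device(key: int) -> int:
    """State never changes, so one bit per round accumulates into the key."""
    recovered = 0
    for i in range(N_BITS):
        recovered |= leak_bit(key, i) << i
    return recovered


class RefreshingDevice:
    """Toy device meeting goal 1: K is held as shares (a, b) with a ^ b == K and
    re-masked with fresh r before each computation; reconstruct() stays K."""

    def __init__(self, key: int) -> None:
        self.a = secrets.randbits(N_BITS)
        self.b = self.a ^ key

    def refresh(self) -> None:
        r = secrets.randbits(N_BITS)  # assumed leak-free, like the talk's secure hardware
        self.a ^= r
        self.b ^= r

    def reconstruct(self) -> int:
        return self.a ^ self.b


def attack_one_share_per_round(dev: RefreshingDevice) -> int:
    """Leak bit i of share a in round i, after a refresh. Every leaked bit comes
    from a fresh uniform share, so the bits do not combine: the result is
    uniform and unrelated to K (goal 2 holds for this restricted adversary)."""
    recovered = 0
    for i in range(N_BITS):
        dev.refresh()
        recovered |= leak_bit(dev.a, i) << i
    return recovered


def attack_both_shares_same_round(dev: RefreshingDevice) -> int:
    """Leak bit i of a AND bit i of b between two refreshes: their XOR is bit i
    of K. Re-randomizing shares alone therefore does not give goal 2."""
    recovered = 0
    for i in range(N_BITS):
        dev.refresh()
        recovered |= (leak_bit(dev.a, i) ^ leak_bit(dev.b, i)) << i
    return recovered
```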

Only Computation Leaks

We already know that computation leaks

[MR04]: “only computation leaks”

[Figure: the state is split into active and inactive parts; only the part the CPU is currently active on leaks]

More formally: state = (s_1, …, s_n)

An algorithm consists of m parts P_1, …, P_m and sets W_1, …, W_m ⊆ [n]

Part P_i computes and leaks on {s_j | j ∈ W_i} and randomness r_i

We model secure hardware as a part P_i that does not leak on r_i

Resilience To Continuous Leakage

• [G87, GO96] Oblivious RAMs
• [ISW03] Private circuits: securing hardware against probing attacks
• [MR04] Physically observable cryptography
• [GKR08] One-time programs
• [DP08] Leakage-resilient cryptography
• [FKPR10] Leakage-resilient signatures
• [FRRTV10] Protecting against computationally bounded and noisy leakage
• [JV10] On protecting cryptographic keys against continual leakage
• [GR10] How to play mental solitaire under continuous side-channels
• [BKKV10] Cryptography resilient to continual memory leakage
• [DHLW10] Cryptography against continuous memory attacks

Key Proxies

[JV10]: “Key Proxy”, a new primitive to immunize a cryptographic key against leakage, but allow arbitrary computation

Building blocks:
• Fully homomorphic encryption
• Secure hardware component independent from K

Properties:
1. Resilience to polynomial-time leakage assuming that “only computation leaks”
2. 2^{l(n)}-secure encryption allows l(n) leakage

Resilience to polytime leakage without any leak-free computation on the state

Key Proxies

[Figure: Initialization takes Key K and produces the initial state; Evaluation takes the state and a program P, outputs P(K) and an updated state]

A key proxy is a pair of algorithms: Initialization and Evaluation
• Initialization generates an initial encoding of a key K
• Evaluation allows arbitrary computation on K and updates the encoding

Key Proxies encapsulate a key and allow structured access to it

Definition of Security

[Figure: real world: the distinguisher submits Key K to Initialization, then repeatedly submits a program P to Evaluation and receives leakage and P(K), with the state updated each round. Ideal world: a trusted 3rd party holds K and hands P, P(K) to a simulator, which produces the leakage the distinguisher sees]

Real:
1. Adversary submits a key K
2. Repeat:
   1. Submit program P
   2. Obtain leakage
   3. Get P(K)

Ideal:
1. Adversary submits a key K
2. Repeat:
   1. Submit program P
   2. Simulator is given P, P(K)
   3. Obtain simulated leakage
   4. Get P(K)

Main Tools: Fully Homomorphic Encryption

Public key encryption KeyGen, Enc, Dec

Allows computation on encrypted data [G09], [DGHV10]

[Figure: encryptions of M_1, …, M_n go through Evaluate with algorithm P and yield an encryption of P(M_1, …, M_n)]

We require randomizable ciphertexts: Encryption of P(M_1, …, M_n) + Encryption of 0 = random encryption of P(M_1, …, M_n)

Main Tools: Our Secure Hardware

[Figure: the secure chip takes a public key and random bits and outputs an encryption of 0]

We use a secure chip twice

Given a public key, generate two encryptions of 0

Both input and output leak, but not the internal randomness

Overview of Construction

Initialization:
Generate (pub, pri) ←_R KeyGen(1^n)
Encrypt K using pub: C ←_R Enc_pub(K)
View the initial state as a pair (MemA, MemB) = (pri, C)

[Figure: Key K is encrypted; Memory A holds pri and Memory B holds C = Enc_pub(K)]

Construction – Step 1

Computing on Memory A:
1. Generate a new public-private key pair (pub', pri') for the fully homomorphic encryption.
2. Encrypt the old private key pri under the new public key and write the ciphertext on the public channel.
3. Overwrite the contents of Memory A with pri'.

[Figure: Memory A now holds pri'; Memory B still holds C = Enc_pub(K); the public channel carries the encryption of pri under pub']

Construction – Step 2

Computing on Memory B: External input: program P
1. Evaluate homomorphically on the encryption of pri: Dec_pri(C) and P(Dec_pri(C))
2. Homomorphic evaluation produces encryptions C_K of K and C_P of P(K), both under the new public key pub'

[Figure: Memory A holds pri'; Memory B holds C = Enc_pub(K); the public channel carries the encryption of pri under pub' and the program P]

Construction – Step 3

Computing on Memory B: C_K = encryption of K and C_P = encryption of P(K)
1. Using the secure hardware component generate two encryptions α_k and α_p of 0
2. Randomize C_K and C_P: C_K ← C_K + α_k and C_P ← C_P + α_p
3. Write C_P on the public channel
4. Overwrite the contents of Memory B with C_K

[Figure: Memory A holds pri'; Memory B now holds C = Enc_pub'(K); the public channel carries the encryption of pri under pub', the program P and the encryption of P(K) under pub']

Construction – Step 4

Computing on Memory A:
1. Use pri' to decrypt the encryption of P(K), and output P(K)

[Figure: Memory A holds pri'; Memory B holds C = Enc_pub'(K); the public channel carries the encryption of pri under pub', the program P and the encryption of P(K) under pub']

Construction

Everything together:

[Figure: one full round. Memory A (previous private key pri) generates a new key pair pub', pri' and emits the encryption of the previous private key under pub'. Memory B (encryption of K under the previous public key) computes encryptions of K and P(K) under pub', randomizes them, keeps the encryption of K under pub' and emits the encryption of P(K) under pub'. Memory A decrypts using pri' and outputs P(K), and now holds the new private key pri']

Secure Hardware Components

Can we rely on secure hardware to achieve leakage resilience?

Yes, but it would be nice if it is:
1. Independent from the protected functionality: the amount and function of hardware should be the same for all applications
2. Memory-less: secure against adversaries with a drill
3. Testable: operates on inputs from a known distribution

Achieving Resilience – Robustness

[Figure: a device that leaks n bits; its size grows by a function of n]

Leakage grows by an unknown amount

Leakage depends on the device

Robustness [GKPV09]: more leakage -> stronger assumption, but the security parameter stays the same

Security

Observations:

After each round, Memory A holds a fresh private key and Memory B a fresh encryption of K

Clearly secure without leakage, but uninteresting

Consider the leakage structure in each round: C_pri, pri'; pri', C_r

Problem: leakage on the private key both before and after leakage on C, and the leakage is adaptive.

Randomize

Ciphertexts are incompressible

Why do we randomize?

Fully homomorphic encryption may not preserve function privacy

[Figure: Evaluate takes an encryption of message M and algorithm P and outputs an encryption of P(M), which may contain information about P]

In our construction M=pri and P contains the encryption C of K

Without randomization the final leakage function could compute on pri and C together!

Simulator

Change 1: memory B now contains encryptions of 0 instead of K. After change 1 the pre-randomization encrypted output is C_res,i = Enc_pub_i(F_i(0))

Change 2: the encrypted output is computed as C'_res,i = Enc_pub_i(F_i(K))

Change 3: the output of one leak-free component is replaced by α_p,i = C'_res,i − C_res,i

Why Sim Works

Claim 1: security of n rounds reduces to security of two rounds

Proof:

Step 1:
- Replace all messages R_i with random encryptions R'_i of P_i(K)
- Replace α_p,i with α'_p,i = R'_i − C_res,i

Change is conceptual

[Figure: three consecutive rounds, each running parts P1–P4 over C_pri; the outputs R_i, R_{i+1}, R_{i+2} become R'_i, R'_{i+1}, R'_{i+2}]

Why Sim Works

Claim 1: security of n rounds reduces to security of two rounds

Proof:

Step 2: Replace encryptions of K with encryptions of 0

Change is significant, but the output is not affected

If an adversary can detect the switch then she detects it for some i

Security

Claim 1: security of n rounds reduces to security of two rounds

Proof:

i-th hybrid: C_K,1, …, C_K,i-1 are encryptions of K; C'_K,i, …, C'_K,n are encryptions of 0; α_K,i = C_K,i − C_K,i-1

Suppose the adversary distinguishes between hybrids i and i+1

Rounds 1, …, i-1 and i+2, …, n are identical in both hybrids

C_K,i is used in both rounds i and i+1

[Figure: three consecutive rounds with the ciphertexts C_K,i or C'_K,i, C'_K,i+1, C'_K,i+2 and outputs R'_i, R'_{i+1}, R'_{i+2}]

Security

We reduced the problem to this leakage structure for two rounds:

[Figure: rounds i and i+1, parts P1–P4, with leakage points 1–6 on T_{i-1}, pri_{i-1}, pri_i, pri_{i+1}, C_K,i or C'_K,i, C'_K,i+1 and the outputs R'_i, R'_{i+1}; point 6: get pri_{i+1}]

Leakage 6: pri_{i+1} is needed to conclude the simulation

Security

Claim 2: security of two rounds reduces to semantic security of fully homomorphic encryption with leakage on the private key

Proof:

Leakage on the private key happens both before and after leakage on C_K,i or C'_K,i

Guess λ for leakage 4 and squeeze leakages 5 and 6 into 3.

Use the challenge C_K,i / C'_K,i to verify λ

Security

[Figure: the two-round structure after the previous step, with T'_{i+1} in place of the later leakage points and only leakage points 1 and 2 left]

Proof of Claim 2, continued: Guess δ for leakage 2 and squeeze leakage 3 into 1

Claim 3: any 2^{l(n)}-secure public key encryption is resilient to O(l(n)) leakage on the private key

Proof idea: since we can run in time 2^{l(n)}, try all possible values of the leakage.
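One way to make “try all possible values of the leakage” precise, written out here as an added sketch that is not on the slides. It assumes that $2^{l(n)}$-secure means no adversary running in time $2^{l(n)} \cdot \mathrm{poly}(n)$ has non-negligible advantage, that the leakage is one function $f$ with $|f(\mathrm{pri})| = l(n)$ bits, that the reduction knows the advantage $\varepsilon$ (a non-uniform reduction), and, for brevity, a fixed challenge pair $(m_0, m_1)$.

Let $A$ have advantage $\varepsilon$ in the leakage game. For a candidate $\lambda \in \{0,1\}^{l(n)}$ and a fixed key pair write $A$'s bias when fed $\lambda$ in place of the leakage as
\[
\Delta(\lambda) = \Pr[A(\mathrm{pub}, \lambda, \mathrm{Enc}_{\mathrm{pub}}(m_0)) = 1] - \Pr[A(\mathrm{pub}, \lambda, \mathrm{Enc}_{\mathrm{pub}}(m_1)) = 1],
\]
so that $\varepsilon = \bigl|\mathbb{E}_{(\mathrm{pub},\mathrm{pri})}[\Delta(f(\mathrm{pri}))]\bigr| \le \mathbb{E}\bigl[|\Delta(f(\mathrm{pri}))|\bigr]$. The leakage-free adversary $B$, given $\mathrm{pub}$ and the challenge $c$:
1. for every $\lambda$, estimates $\Delta(\lambda)$ to within $\varepsilon/8$ by running $A(\mathrm{pub}, \lambda, \cdot)$ on $\mathrm{poly}(n)$ encryptions of $m_0$ and of $m_1$ that $B$ produces itself with $\mathrm{pub}$ (time $2^{l(n)} \cdot \mathrm{poly}(n)$ in total);
2. picks $\lambda^\ast$ maximising $|\hat\Delta(\lambda)|$;
3. outputs $A(\mathrm{pub}, \lambda^\ast, c)$, flipping the bit when $\hat\Delta(\lambda^\ast) < 0$.

Since the true value $f(\mathrm{pri})$ is among the candidates, whenever all estimates are accurate $|\Delta(\lambda^\ast)| \ge \max_\lambda |\Delta(\lambda)| - \varepsilon/4 \ge |\Delta(f(\mathrm{pri}))| - \varepsilon/4$. If $|\Delta(\lambda^\ast)| > \varepsilon/8$ the sign is read correctly and $B$'s bias on this key is $|\Delta(\lambda^\ast)|$; otherwise $|\Delta(f(\mathrm{pri}))| \le 3\varepsilon/8$ and the bias is at worst $-\varepsilon/8$. In both cases it is at least $|\Delta(f(\mathrm{pri}))| - \varepsilon/2$, so
\[
\mathrm{Adv}(B) \;\ge\; \mathbb{E}\bigl[|\Delta(f(\mathrm{pri}))|\bigr] - \varepsilon/2 - \mathrm{negl}(n) \;\ge\; \varepsilon/2 - \mathrm{negl}(n),
\]
where the negligible term bounds the probability that some estimate is off (a Chernoff bound with a union bound over the $2^{l(n)}$ candidates, for $l(n)$ polynomial). A $2^{l(n)} \cdot \mathrm{poly}(n)$-time adversary with advantage $\varepsilon/2$ contradicts $2^{l(n)}$-security, so $\varepsilon$ must be negligible.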