Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev...

Public-Key CryptosystemsResilient to Key Leakage

Weizmann Institute of Science

Moni Naor Gil Segev

Crypto in the Clouds, August 2009, MIT

2

Typical Scenario in CryptographyWant to maintain secrecy in communication

Alice and bob talk while Eve tries to listen

Alice Bob

Eve

3

Modeling an AttackFoundations of Cryptography: Rigorous

specification of security of protocols The power of the adversary

Access to the system Computational power

What it means to break the system

“Standard model”

Ek(m)

4

Adversarial ModelsSTANDARD MODEL: Abstract models of computation

Interactive Turing machines Private memory, randomness ...

Well-defined adversarial access Can model powerful attacks

REAL LIFE: Physical implementations leak information Adversarial access not always captured by

abstract models

Ek(m)

5

Adversarial Models

Ek(m)

Attacks - standard model: Chosen-plaintext attacks Chosen-ciphertext attacks Composition Self-referential encryption Circular encryption ....

Attacks outside standard model: Timing attacks [Kocher 96] Fault detection [BDL 97, BS 97] Power analysis [KJJ 99] Cache attacks [OST 05] Memory attacks [HSHCPCFAF 08] ...

Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino,

Feldman, Appelbaum and Felten

6

Adversarial ModelsAttacks - standard model: Chosen-plaintext attacks Chosen-ciphertext attacks Composition Self-referential encryption Circular encryption ....

Attacks outside standard model: Timing attacks [Kocher 96] Fault detection [BDL 97, BS 97] Power analysis [KJJ 99] Cache attacks [OST 05] Memory attacks [HSHCPCFAF 08] ...

Side channel:

Any information not captured by the abstract “standard” model

7

Adversarial Models

http://xkcd.com/538/

8

Two approaches for dealing with side channels

1. Make the world similar to the standard model Minimizing electromagnetic leakage, “tamper-proof”

devices,... Fixed timing (indep. of input), Oblivious RAM,...

Typically expensive or inefficient Require precise modeling

2. Make sure the underlying cryptosystem is robust to modification of standard model

Not mutually exclusive appraoches!

9

Thesis of this talk

Many tools developed in the foundations of cryptography are helpful for protecting against

side-channel attacks

Proof by example...

and not only at implementation time

Incorporate side-channel attacks in the design of systems

and workshop?

10

Modeling Side-Channels Canetti, Dodis, Halevi, Kushilevitz, and Sahai ’00

Exposure-resilient functions: functions that “look” random even if several input bits are leaked

Ishai, Prabhakaran, Sahai, and Wagner ’03 ’06Private circuit evaluation allowing several wires to leak

Micali and Reyzin ’04Computation and only computation leaks information

Dziembowski and Pietrzak ’08, Pietrzak ’09Leakage-resilient stream-ciphers Computation and only computation leaks information low-bandwidth leakage

11

“Outside of a few classified military programs, side-channel attacks have been largely ignored by computer security researchers, who have instead focused on creating ever more robust encryption schemes and network protocols.”

W. Wayt Gibbs, Scientific American, May 2009

12

Memory Attacks [HSHCPCFAF 08] Not only computation leaks information Memory retains its content after power is lost

5 seconds

30 seconds

60 seconds

5 minutes

http://citp.princeton.edu/memory

Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino,

Feldman, Appelbaum and Felten

13

Not only computation leaks information Memory retains its content after power is lost

Recover “noisy” keys Cold boot attacks Completely compromise popular disk encryption systems Reconstruct DES, AES, and RSA keys http://citp.princeton.edu/memory

Memory content can even last for several minutes

Memory Attacks [HSHCPCFAF 08]

Can exploit redundancy in round keysExtended and further analyzed by Heninger

& Shacham 09

14

Model: leakage of any function of the key

Would like to allow the adversary to learn any function

of the key

Cannot withstand learning the full key

Idea: limit the length of the function

Would like to withstand as long a leakage as possible

Want a functional definition – what the adversary

cannot succeed in doing as a result of the attack

15

Public-Key EncryptionSemantic Security against Chosen Plaintext Attacks [GM82]:For any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)

(sk, pk)

pk

m0, m1

Output b’ Epk(mb)

b Ã {0,1}

16

Key-Leakage AttacksSemantic security with key leakage [AGV 09]:For any* leakage f(sk) and for any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)

(sk, pk)

pk

f

Output b’

f(sk)

b Ã {0,1}

Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1}¸ for ¸ < |sk|

m0, m1

Epk(mb)

Akavia, Goldwasser and Vaikuntanathan

[AGV 09]: Regev’s lattice-based scheme is resilient

to such leakage

17

Is this the right model? Noisy leakage

as opposed to low-bandwidth leakage DRAM remanence effects

Leakage of intermediate values Are intermediate values always erased? Are intermediate values always erased?

Key generation process Decryption process

Keys generated using a “weak” random source

Not a perfect model, but still a good starting point

Discuss extensions later on

Crucial for composition

18

Our Results A generic construction for protecting against key leakage

Based on any Hash Proof System [CS 02] Efficient instantiations Various number-theoretic assumptions (DDH, d-Linear, QR, Paillier)

A new hash proof system Resulting scheme resilient to leakage of L – o(L) bits Based on either DDH or d-Linear

The [BHHO 08] circular-secure scheme Fits into our generic approach Resilient to leakage of L – o(L) bits

Trade-off in

efficiency

Decisional Diffie Hellman

Boneh, Halevi, Hamburg and Ostrovsky

19

Our Results Chosen-ciphertext security

Theoretical side A generic CPA-to-CCA

transformation Leakage of L – o(L) bits

Practical side Efficient variants of Cramer-Shoup CCA1: Leakage of L/4 bits CCA2: Leakage of L/6 bits

Satisfied by our

schemes

Extensions of the [AGV 09] model Noisy leakage Leakage of intermediate values Keys generated using a “weak” random source

Related & independent work: Tauman-Kalai and Vaikuntanathan

• [BHHO 08] with hard-to-invert leakage

20

Outline of the Talk Some tools

The generic construction by examples A simple scheme: ¸ ¼ |sk|/2

Improved schemes: ¸ ¼ |sk|

Extensions of the model

Conclusions, further work, and some rest...

21

Min-Entropy

Probability distribution X over {0,1}n

H1(X) = - log maxx Pr[X = x]

X is a k-source if H1(X) ¸ k i.e., Pr[X = x] · 2-k for all x

Represents the probability of the most likely value of X

¢(X,Y) = a|Pr[X=a] – Pr[Y=a]|

Statistical distance:

Example: • Un – uniform distribution on {0,1}n

• H1(Un) = n

22

ExtractorsUniversal procedure for “purifying” an imperfect source

Definition:

Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-extractor if for every k-source X result is close to uniform

¢(Ext(X, Ud), Uℓ) ·

d random bits

“seed”

EXT

k-source of length n

ℓ almost-uniform bits

x

s

23

Strong ExtractorsOutput looks random even after seeing the seed

Definition:

Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-strong extractor if

Ext’(x, s) = s ◦ Ext(x,s)

is a (k, )-extractor

Leftover hash lemma [ILL 89]:Pairwise independent hash functions are strong extractors

Example: Ext(x, (a,b)) = first ℓ bits of ax+b over GF[2n]

Output length ℓ = k – 2log(1/) Seed length d = 2n, almost pairwise independence d = O(log n

+ k)

24

Sidebar: Weak Key-Leakage AttacksSemantic security with weakweak key leakage :For any* leakage f(sk) and for random PK for any m0 and m1 infeasible to distinguish Epk(m0) and Epk(m1)

(sk, pk)

pk

f

Output b’

f(sk)

b Ã {0,1}

Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1}¸ for ¸ < |sk|

m0, m1

Epk(mb)

Weak Attacks: Leakage depending on secret Key only

Leakage function chosen by the adversary ahead of time without any knowledge of the public key.

• Depends only on properties of hardware devices – used for storing the secret key.

Generic construction transforming any encryption scheme Resilient to any weak leakage of L(1 - o(1)) bits.

• Parameters: – leakage parameter: ¸– length of the random string used by generation algorithm G: m

• Need: Ext: {0,1}k £ {0,1}d ! {0,1}m be (k-,)-strong extractor

L secret key length

Generic construction from any schemeEncryption scheme: (G,E,D)Ext: {0,1}L £ {0,1}d ! {0,1}m a (L-,)-strong

extractor • Key generation :

– Choose x 2 {0,1}L and s 2 {0,1}d – Compute (pk; sk) = G(Ext(x; s)). – Output PK = (pk; s) and SK = x.

• Encryption: choose r uniformly at random and output (E(pk;M; r), s).• Decryption: ciphertext (c, s), secret key SK = x:

– Compute (pk; sk) = G(Ext(x; s)) and output D(sk; c).

• Resilient to any weakweak leakage of L(1 - o(1)) bitsGiven f(x) distribution of Ext(x; s) close to uniform

Key generation algorithmG: {0,1}m {0,1}w

27

Decisional Diffie-Hellman

gx

gyAlice Bob

Both parties compute K = gxy

DDH assumption:

(g, gx, gy, gxy) (g, gx, gy, gz)

for random x, y, z 2 Zq

(g1, g2, g1r, g2

r) (g1, g2, g1r1, g2

r2)

for random g1, g2 2 G and r, r1, r2 2 Zq

28






29

G - group of order q where DDH is hard Ext : G £ {0,1}d ! {0,1} - strong

extractor Choose g1, g2 2 G and x1, x2 2 Zq

Let h = g1x1 g2

x2

Output sk = (x1, x2) and pk = (g1, g2, h)

Key generation

A Simple Scheme

MAIN IDEA: Redundancy: any pk corresponds to many possible sk’s h=g1

x1 g2x2 reveals only log(q) bits of information on

sk=(x1, x2) Leakage of ¸ bits ) sk still has min-entropy log(q) - ¸

30

G - group of order q Ext : G £ {0,1}d ! {0,1} - strong extractor

Choose g1, g2 2 G and x1, x2 2 Zq

Let h = g1x1 g2

x2


Choose r 2 Zq and a seed s 2 {0,1}d

Output (g1r, g2

r, s, Ext(hr, s) © m)

Output e © Ext(u1x1 u2

x2, s)

Key generation

Encpk(m)

Decsk(u1, u2, s, e)

A Simple Scheme

Correctness: u1x1 u2

x2 = (g1x1 g2

x2)r = hr

31

Theorem: The scheme is resilient to leakage of ¸ ¼ log(q) bits

half the size of sk

A Simple Scheme: Security Theorem

Proof by reduction:

Adversary for the encryption scheme

Distinguisher for Decisional Diffie-Hellman

log(q) -|m|

32


A Simple Scheme

(sk, pk)

pk

f

Output b’

f(sk)

b Ã {0,1}

m0, m1

Epk(mb)

Suppose b’=b with probability ½+ > 1/poly

33


A Simple Scheme

pk(g1, g2, g1

r1, g2r2)

b’r1 r2

r1 r2

or

f

f(sk)

m0, m1

Epk(mb)

Distinguisher for DDH

34

(g1r, g2

r, s, Ext(hr, s) © m)

h = g1x1 g2

x2

Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk

computationally indistinguishable not knowing sk

Simple Scheme: Security Proof

35

(g1r, g2

r, s, Ext((g1r)x1 (g2

r)x2, s) © m)


h = g1x1 g2

x2


computationally indistinguishable

36

(g1r1, g2

r2, s, Ext((g1r1)x1 (g2

r2)x2, s) © m)


Valid ciphertext: r1 r2



37

(g1r1, g2

r2, s, Ext((g1r1)x1 (g2

r2)x2, s) © m)


(g1r1)x1 (g2

r2)x2 uniformly distributed given pk and (g1r1,

g2r2)

x1 + wx2 = log(h)r1x1 + r2wx2 = log(t)

Invalid ciphertext: r1 r2

Therefore, even given f(sk): min-entropy ¸ log(q) - ¸



h=g1x1 g2

x2By applying the

extractor we get back a random string

38

Proof of Securitypk

(g1, g2, u1, u2)

b’

If b’ boutput “r1 r2”otherwise “r1 r2”

f

f(sk)

m0, m1

sk = (x1, x2)= (g1, g2, g1

x1 g2x2)

h u1, u2, s,Ext(u1

x1 u2x2, s) © mb i

Case 1: u1 = g1r & u2 = g2

r Case 2: u1 = g1r1 & u2 = g2

r2

Simulation is identical to actual attack

Pr[b’ = b] = 1/2 +

Challenge independent of b Pr[b’ = b] = 1/2

up to

39

Hash Proof SystemsKey-encapsulation mechanism with an additional property:

Knowing sk, can encapsulate in two modes Valid: Encapsulated key can be recovered Invalid: Encapsulated key is random


Leakage reduces the min-entropy by at most ¸, extract and mask the plaintext

Our general construction:

Hash proof system + strong extractor

Key-encapsulation mechanism resilient to key leakage

40

Hash Proof SystemsKey-encapsulation mechanism with an additional property:

Knowing sk, can encapsulate in two modes Valid: Encapsulated key can be recovered Invalid: Encapsulated key is random


Leakage reduces the min-entropy by at most ¸, extract and mask the plaintext

Known instantiations: Decisional Diffie-Hellman Linear family (bilinear groups) Quadratic residuosity Composite residuosity (Paillier)

41






42

G - group of order q

An Improved Scheme

Notation:

(x1, ..., xn) 2 Zqn

(g1, ..., gn) 2 Gn

(x1, ..., xn) ¢ (g1, ..., gn)T gixi

i=1

n

43

G - group of order q Ext : Gn-k £ {0,1}d ! {0,1} - strong extractor

Choose A 2 Gk£n and x 2 Zqn

Let y = Ax Output sk = x and pk = (A, y)

Choose R 2 Zq(n-k)£k and a seed s 2

{0,1}d

Output (RA, s, Ext(Ry, s) © m) Output e © Ext(Qx, s)

Key generation

Encpk(m)

Decsk(Q, s, e)

An Improved Scheme

44

Theorem: The scheme is resilient to any leakage of length¸ ¼ (1 – k/n) |sk|

1 – o(1)

An Improved Scheme

Based on the hardness of k-Linear [BBS 04] 1-Linear = DDH k-Linear is hard ) (k+1)-Linear is hard k-Linear is easy ; (k+1)-Linear is easy (in generic groups)

A new hash proof system Optimizes ratio between secret key and encapsulated key

45

An Improved SchemeWe show that k-Linear implies indistinguishability of: Random P 2 Gn£n of rank k Random P 2 Gn£n of rank n

(rank computed in Zqn£n relative to a fixed generator g 2 G)

In the simplified scheme:

g1 g2

g1r1 g2

r2

r1 r2 rank 1r1 r2 rank 2

[BHHO 08] proved the case k=1

Proof similar to the simplified scheme

46

The “Long” Scheme Originally proposed by [BHHO 08] as a “circular-secure” scheme Fits into our generic construction

Choose g1,...,gk 2 G and s1,...,sk 2 {0,1}

Let h = g1s1¢¢¢gk

sk

Output sk = (s1,...,sk) and pk = (g1,...,gk, h) Choose r 2 Zq

Output (g1r,..., gk

r, hr ¢ m)

Output e ¢ (u1s1¢¢¢uk

sk)-1

Key generation

Encpk(m)

Decsk(u1,...,uk,e)

“built-in” extractor

k ¼ ¸+2log(q)

Boneh, Halevi, Hamburg and Ostrovsky

47






48

ExtensionsNoisy leakage Leakage not necessarily of bounded length

H1(sk | pk, leakage) > H1 (sk | pk) - ¸

Leakage of intermediate values: Key generation Once the keys are generated, are all intermediate values erased? Leakage depends on the random bits used for generating the keys Crucial for security under composition

Hard-to-invert leakage Tauman-Kalai and Vaikuntanathan:

The BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert

49

ExtensionsWeak random source Keys generated using a low-entropy adversarially chosen source

Choose g1, g2 2 G and x1, x2 2 Zq

Let h = g1x1 g2

x2


Key generation

(g1, g2) chosen once and shared by all users Only need H1(x1,x2 | g1, g2) ¼ log(q) + |plaintext|

50

ExtensionsLeakage of intermediate values: Decryption Contrived example: First encode sk using a good error-correcting code,

then decrypt Not so contrived...

Output e ¢ (u1s1¢¢

¢uksk)-1

Decsk(u1,...,uk,e)

Decryption has “low bandwidth” Only O(log q) bits at any point in time sk = (s1,..., sk) can be much larger

51






52

Must incorporate side-channel attacks

in the design of systems

Conclusions

Many tools developed in the foundations of cryptography are

helpful for protecting against side-channel attacks

We can build efficientcryptosystems resilient to a wide

range of side-channel attacks Leakage-resilient encryption from general assumptions? Dealing with “iterative”/continual leakage and refreshed keys?

As in leakage-resilient stream-ciphers [DP08, P09] Other primitives? Other side channels?

Signature Scheme [Katz Vaikuntanathan 09] Bounded Retrieval Model [Alwen, Dodis, Walfish, Wichs 09] Hard-to-invert leakage [DKL09, KV09] Block Cipher??

A falsifiablefalsifiable assumption with side channels?

53

Can leverage the physical world !!

Conclusions

Visual cryptography [NS94] Timing for concurrent composition [DNS98] Authentication: low-bandwidth human channel [NSS06] Tamper-evident seals (scratch-off cards) [MN06]

Randomized response Secure computation using tamper-proof hardware [Katz07,

MS08] Human competitive nature and love of games [HN09] Voting

54

תודה רבהThank You

To appear, Crypto 2009

Available: •www.wisdom.weizmann.ac.il/~naor/PAPERS/leakage_abs.html•IACR Archive

Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev...

Documents

Transcript of Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev...