Randomness Complexity of Private Circuits for...
Transcript of Randomness Complexity of Private Circuits for...
Randomness Complexity of
Private Circuits for Multiplication
Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue,
Emmanuel Prouff, Adrian Thillard, Damien Vergnaud
brief introduction
- side-channel attacks
- masking
- 𝑑-probing model
1/16
key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.
𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑
2/16
key-idea:for security at order 𝑑, split sensitive data 𝑥 into 𝑑 + 1 randomvariables (shares) s.t.
𝑥 = 𝑥0 ⊕𝑥1 ⊕⋯⊕ 𝑥𝑑
needs for a lot of randomness
2/16
randomness in cryptography
used everywhere:
- keys
- RSA prime factors
- ...
3/16
randomness in cryptography
used everywhere:
- keys
- RSA prime factors
- ...
strong properties:
- statistically random
- uniformly distributed
- independent
- ...
3/16
where does it come from?
4/16
where does it come from?
in the real world: natural randomness
4/16
where does it come from?
in the real world: natural randomness
in practice:
- need special hardware
- slow
- bias or uneven distribution
4/16
where does it come from?
in the real world: natural randomness
in practice:
- need special hardware
- slow
- bias or uneven distribution
randomness should beconsidered as a resource,
like space and time
4/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑛′ 0,1 𝑚′
𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝐶 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑛′ 0,1 𝑚′
𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥
0,1 𝑚′
𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
0,1 𝑛′
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
0,1 𝑚′
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
private circuits
𝑓: 0,1 𝑛 → 0,1 𝑚
encoder𝐼
.
.
.
𝜌1
circuit𝐶
decoder𝑂
𝑟1
.
.
.
.
.
....
𝑥 𝑓(𝑥)
correctness: 𝑂 𝐶 𝐼 𝑥; 𝜌 ; 𝑟 = 𝑓 𝑥 , ∀ 𝑥, 𝜌, 𝑟
𝑑-privacy: for any set 𝑃 of 𝑑 wires in 𝑪 and for all 𝑥, 𝑦 ∈ 0,1 𝑛:{𝐶𝑃(𝐼 𝑥; 𝜌 ; 𝑟)}𝜌,𝑟 = {𝐶𝑃(𝐼 𝑦; 𝜌 ; 𝑟)}𝜌,𝑟
…
…
𝑟2 𝑟𝑅
𝜌2 𝜌ℓ
5/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
⊕𝑖 𝑐𝑖 = 𝑎 ⋅ 𝑏
⊕𝑖 𝑎𝑖 = 𝑎
⊕𝑖 𝑏𝑖 = 𝑏
encoder circuit decoder
𝑟1…
𝑟2 𝑟𝑅
𝑎, 𝑏 ∈ 0,1 2 ↦ 𝑎 ⋅ 𝑏 ∈ 0,1
this paper
6/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
𝑟1…
𝑟2 𝑟𝑅
6/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
.
.
.
𝑐0𝑐1
𝑐𝑑
𝑟1…
𝑟2 𝑟𝑅
how much randomness is needed?
6/16
Ishai-Sahai-Wagner scheme
𝑎0𝑏0𝑟0,1
𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1
⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0
𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮
𝑟0,𝑑−1𝑟0,𝑑
𝑟1,𝑑−1𝑟1,𝑑
⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑐0𝑐1
⋮𝑐𝑑−1𝑐𝑑
7/16
Ishai-Sahai-Wagner scheme
randomness complexity: 𝑑(𝑑 + 1)/2
𝑎0𝑏0𝑟0,1
𝑟0,1⊕𝑎0𝑏1 ⊕𝑎1𝑏0𝑎1𝑏1
⋯𝑟0,𝑑 ⊕𝑎0𝑑 ⊕ 𝑎𝑑𝑏0
𝑟1,𝑑 ⊕𝑎1𝑏𝑑 ⊕𝑎𝑑𝑏1⋮ ⋮ ⋱ ⋮
𝑟0,𝑑−1𝑟0,𝑑
𝑟1,𝑑−1𝑟1,𝑑
⋯𝑟𝑑−1,𝑑 ⊕𝑎𝑑−1𝑏𝑑 ⊕𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑐0𝑐1
⋮𝑐𝑑−1𝑐𝑑
7/16
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑟1…
𝑟2 𝑟𝑅
8/16
.
.
.
𝑐0𝑐1
𝑐𝑑
ADDITIONS
ONLY
.
.
.
𝑎0𝑏0𝑎0𝑏1
𝑎0𝑏2
𝑎𝑑𝑏𝑑−1
𝑎𝑑𝑏𝑑
𝑟1…
𝑟2 𝑟𝑅
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
8/16
.
.
.
𝑐0𝑐1
𝑐𝑑
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟
with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,
𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅
8/16
any probe (wire value) has the form:
𝑝 = ໄ
𝑖,𝑗 ∈𝑋⊆ 0,…,𝑑 2
𝑎𝑖𝑏𝑗 ⊕ ໄ
𝑘∈𝑌⊆ 1,…,𝑅
𝑟𝑘
= Ԧ𝑎𝑡 ⋅ 𝑀𝑝 ⋅ 𝑏 ⊕ Ԧ𝑠𝑝𝑡 ⋅ Ԧ𝑟
with Ԧ𝑎 = 𝑎0, … , 𝑎𝑑 , 𝑏 = 𝑏0, … , 𝑏𝑑 , Ԧ𝑟 = 𝑟0, … , 𝑟𝑅 ,
𝑀𝑝 ∈ 0,1 𝑑+1 × 𝑑+1 , Ԧ𝑠𝑝 ∈ 0,1 𝑅
any sum of probes has the form:
Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 ⊕ Ԧ𝑠𝑡 ⋅ Ԧ𝑟
8/16
algebraic characterization
condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and 1,… , 1 is in the row (or column) space of 𝑀
9/16
algebraic characterization
condition 1: a set of probes 𝑃 = 𝑝1, … , 𝑝ℓ satisfies condition 1 iff:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and 1,… , 1 is in the row (or column) space of 𝑀
theorem:𝐶 is 𝑑-private
⇔there does not exist 𝑃 = 𝑝1, … , 𝑝ℓ , ℓ ≤ 𝑑 that satisfies condition 1
9/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎
10/16
proof sketch
⇒ assume 𝑝1, … , 𝑝ℓ such that:
⨁𝑖=1ℓ 𝑝𝑖 = Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏
and(1, … , 1) is in the column space of 𝑀
⇒ there exists 𝑏′ ∈ 0,1 𝑑+1 s.t. 𝑀 ⋅ 𝑏′ = (1,… , 1)
Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 = ൞
1
2if 𝑀 ⋅ 𝑏 ≠ (1,… , 1)
1 if 𝑀 ⋅ 𝑏 = 1,… , 1
then, Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = 𝑎 > Pr Ԧ𝑎𝑡 ⋅ 𝑀 ⋅ 𝑏 = ത𝑎
⇐ a lot more technical...
10/16
upper bound
11/16
upper bound
theorem:there exists a 𝑑-private circuit for multiplication with randomness complexity Õ(𝑑).
11/16
randomness complexity of ISW: 𝑂 𝑑2
needs for a quadratic complexity?
proof sketch
probabilistic method: non-constructive!
12/16
proof sketch
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
12/16
proof sketch
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
𝑎0𝑏0𝑎1𝑏0
𝑎0𝑏1𝑎1𝑏1
⋯𝑎0𝑏𝑑𝑎1𝑏𝑑
⋮ ⋮ ⋱ ⋮𝑎𝑑𝑏0 𝑎𝑑𝑏1 ⋯ 𝑎𝑑𝑏𝑑
𝑐0𝑐1⋮𝑐𝑑
$
12/16
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
proof sketch
𝑐0𝑐1⋮𝑐𝑑
…
= 𝑎𝑖𝑏𝑗
⊕ ⊕ ⊕⊕ ⊕⊕ = 𝜌𝑖,𝑗
correctness: 𝜌𝑑,𝑑 =⊕𝑖,𝑗 𝜌𝑖,𝑗
𝑑-privacy: if 𝑅 = Õ 𝑑 , Pr 𝑖𝑠 𝑠𝑒𝑐𝑢𝑟𝑒 > 0 ⇒ at least one algorithm is 𝑑-private
12/16
probabilistic method: non-constructive!
𝑟1, … , 𝑟𝑅 random bits𝜌𝑖,𝑗 =⊕1≤𝑘≤𝑅 𝛼𝑖,𝑗,𝑘 ⋅ 𝑟𝑖 with 𝛼𝑖,𝑗,𝑘 ← 0,1
$
lower bounds
13/16
lower bounds
theorem:1. 𝑑-privacy ⇒ at least 𝑑 random bits (for 𝑑 ≥ 2)2. 𝑑-privacy ⇒ at least 𝑑 + 1 random bits (for 𝑑 ≥ 3)
13/16
proof sketch of 1.
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
proof sketch of 1.
suppose an algorithm 𝐶 with only 𝑟1, … , 𝑟𝑑−1 and let 𝑐0, … , 𝑐𝑑 the output of 𝐶
let 𝑁 = 𝑛𝑖,𝑗 1≤𝑖≤𝑑−11≤𝑗≤𝑑
∈ 0,1 (𝑑−1)×𝑑 s.t. 𝑛𝑖,𝑗 = 1 ⇔ 𝑟𝑖 ∈ 𝑐𝑗
𝑁 has dimension 𝑑 − 1 × 𝑑 ⇒ 𝐾𝑒𝑟 𝑁 ≠ 0
let 𝑤 ∈ 𝐾𝑒𝑟 𝑁 − {0}
𝑆0 = 𝑐0 ∪ 𝑐𝑖 𝑤𝑖 = 0 and 𝑆1 = 𝑐𝑖 𝑤𝑖 = 1 satisfy requirements of lemma...
lemma: 𝑆0, 𝑆1 two sets of at most 𝑑 probes and 𝑠𝑏 =⊕𝑝∈𝑆𝑏 𝑝
(𝑟𝑖 ∉ 𝑠𝑏 , ∀𝑖, 𝑏) ∧ (𝑠0 ⊕ 𝑠1 = 𝑎 ⋅ 𝑏) ⇒ 𝐶 is not 𝑑-private
14/16
automatic tool for finding attacks
order 2 3 4 5 6
[BBDFGS15] <1 ms 36 ms 108 ms 6,3 s 26 min
this paper <10 ms <10 ms <10 ms <10 ms <10 ms
- based on the algebraic characterization- relies on coding theory (information set decoding algorithms)- not perfectly sound...- much faster than Easycrypt-based [BBDFGS15]
table: time to find an attack
15/16
16/16
16/16
16/16
thank you!