Masking and MPC

When Crypto Theory Meets Crypto Practice

Nigel SmartUniversity of Bristol

Basic ProblemSide channels are a big problem for designers of cryptographic integrated circuits

We want to design systems which resist various (strong) forms of leakage.

A traditional method in the side-channel community is called “masking”.

But masking is (sometimes) “Multi-Party Computation” in disguise.

Simple Model

To make this simple we will assume a chip is just a circuit with various “areas” being denoted by boxes

Input Output

Simple Model

Assume the attacker can target a component of the chip for side-channel leakage, and this side-channel is perfect

i.e. All the data in that component leaks

Input Output

Simple Model

If the secret input can be deduced from the data obtained in this component of the chip then the attacker has won

Input Output

Masking : Basic Idea

The basic idea is to operate on a “splitting” of the data

We want to computey = f(x)

We writex = x1+ x2

And come up with two “functions” f1 and f2 such that y can be recovered from

y1 = f1(x1)y2 = f2(x2)

Note x1 is like a one-time pad encryption

of x by the key x2

Computing f1(x1) can reveal nothing

about x.

Side Channel Reveals Nothing

So even if the adversary compromises an entire chip portion, no data is revealed.

x

x1

y

x2y2

y1y1 = f1 (x1)

y2 = f2 (x2)

This is (essentially) a variant of the wire probe model of Ishai, Sahai and Wagner

Complex Functions

The previous idea only works for very, very simple functions.

To compute more complex functions we need to concatenate various of these small boxes together and allow some “cross talk”

We can split the data into more than two chunks if needs be.

We allow the adversary to “leak” all the data on a given path/paths

Complex Functions

Complex FunctionsProbing could be adaptive

A “proactive” adversary in the MPC jargon

“Wires” vs “Cores”

• Literature is divided into two variants– The device is a circuit and probes are on wires– The device is a set of communicating cores, and probes are

on entire cores

• The former produces ideas very different from MPC, the latter is just “MPC on a chip”

• We will look at the communicating core model first, then turn to the wire model.

“Communicating Core” Model

Multi-Party Computation

If we treat each row as a computing party then the previous slides diagram is just a three party secure computation with one bad guy

MPC

So basically Masking = MPC in disguise.

In MPC data is secret shared between n parties

Parties compute a function on the shared data

Function input is secure even if a certain threshold t is corrupt

Passive vs Active

In the context of side-channels we are looking to protect against passive eavesdroppers, i.e. those that passively listen to the side-channel from a given component

In MPC these are called semi-honest/passive adversaries

Most MPC literature is about active adversaries, i.e. ones that can deviate from the protocol

This would correspond to protecting against malware, or fault injection attacks in the side-channel world.

Passive AdversariesSo lets just consider passive adversaries.

Basic MPC theory tells us....

1. We can construct information theoretically secure protocols if

t < n/2

2. If we allow “cryptography” then we can construct secure protocols if

t < n

Passive Security With t<n/2

Some people have proposed using the MPC protocol of CCD/BGW to do this

– The basic idea on a wire level was proposed by Ishai, Sahaiand Wagner– Usually proposed at a higher level than wires though– Hardware designs for AES have been proposed using this– We only need the semi-honest/passively secure variant

The protocol/idea is very elegant and very easy to explain....

I.T. Protocols (t<n/2)We secret share using Shamir using polynomials of degree t

– Any shared data is secure as long as only t shares are leaked.– Need t+1 shares to reconstruct the data– Write [x] for the sharing, and each share is xi

– We can compute arbitrary linear functions for free• To compute [L(x,y)] from [x] and [y] each party computes L(xi, yi)

Only problem then is to compute non-linear functions– This is done by a method of

• Schur multiply, reshare and combine–See the next slides...

I.T. Protocols (t<n/2)Take n=3, t=1 and we want to multiply [x] by [y]

[x] is shared by the polynomial f = x + a*X– x1 = f(1) = x + a– x2 = f(2) = x + 2 a– x3 = f(3) = x + 3 a

[y] is shared by the polynomial g = y + b*X– y1 = f(1) = y + b– y2 = f(2) = y + 2 b– y3 = f(3) = y + 3 b

I.T. Protocols (t<n/2)

Step 1 : Schur Multiply

Each party forms si = xi * yi

This is a degree 2t=2 sharing of x*y as if we setS = f * g = (x+a*X)*(y+b*X)

= x*y + (a*y+b*a) * X + (a*b)*X2

then si = S(i)Note that (as 2*t<n) there is a linear function L such that

x*y = L(s1,s2,s3)

I.T. Protocols (t<n/2)

The si values are a degree 2t sharing of x*y, this is represented by the linear function L

We want a degree t sharing

To convert from 2t to t, we share the si via a degree t sharing, then evaluate L, which is linear.

I.T. Protocols (t<n/2)

Step 2: Resharing

Each party shares si out using a degree t sharing

Party i generates a random ci and shares si by computingsi,j = si + ci * j

i.e. Using the polynomial Ti = si + ci X

The value si,j is sent to party j. So all parties hold a sharing [si]

I.T. Protocols (t<n/2)

Step 3: RecombineAll parties hold a degree t sharing [si]

We know x*y = L(s1,s2,s3)

So to get a degree t sharing of x*y by computing[x*y] = L([s1],[s2],[s3])

locally.

I.T. Protocols (t<n/2)

Given we can compute linear functions and multiplication we can then compute any function.

The resulting protocol is secure as long as no more than t parties are corrupted

• Or no more than t “on chip units” leak data• Giving t’th order side-channel protection

But each “unit” needs a source of good randomness to perform the resharing

Reducing RandomnessCan we improve on this?

– Compute arbitrary functions– With Full Threshold (t<n)?

We clearly need to assume something– Theory tells us we could assume “cryptography”

The SPDZ protocol family uses cryptography to produce “Beaver triples” to enable this

– The Beaver triples are where the randomness is – Perhaps assume a “trusted component” which produces Beaver triples?– Isolating the randomness in this single component.

SPDZ LikeTo isolate the need for randomness we can consider (forexposition) a chip/protocol with three parties/units.

One unit R has access to a good source of randomness, but doesnot see any data dependent items.

Two units P1 and P2 are deterministic and use a simple additivesharing.

Adversary can corrupt/obtain full leakage of R, P1 or P2; but nottwo.

SPDZ Like

Data is shared between P1 and P2 in an additive manner– P1 holds x1

– P2 holds x2

– Data is x = x1+x2

Again computing linear functions come for free, so the only problem is non-linear functions (i.e. Multiplication)

SPDZ LikeParty R has the job of helping P1 and P2 compute multiplications.

It does this by using its random source to sample a1, a2, b1, b2, c1, and c2 such that

– a = a1+a2

– b = b1+b2

– c = c1+c2

– c = a*bThe values (a1,b1,c1) are sent to P1 and (a2,b2,c2) are sent to P2

One pair of triples per multiplication “gate” in the function

SPDZ LikeP1 and P2 use the triples to perform secure multiplications via some communication

P1 P2

R

Note P1 and P2 never send any data to R• R corresponds to the SPDZ offline phase• ie. Where “cryptography” is used in the real MPC protocol

SPDZ Like

We want to compute [x*y] given [x] and [y]

They have a triple ([a],[b],[c]) such that c=a*b

Parties “open” [x-a] to obtain e = x - aParties “open” [y-b] to obtain d = y - b

Note e is a one-time pad encryption of x under the key aDitto for d, y, and b

SPDZ Like

Parties then locally compute the linear function[z] = [c] + e * [b] + d * [a] + e*d

We have[z] = [c] + e * [b] + d * [a] + e*d

= [a*b] + (x-a) * [b] + (y-b) * [a] + (x-a)*(y-b)= [a*b] + [x*b-a*b] + [y*a-b*a] + [x*y –a*y –b*x + a*b]= [x*y]

So this computes the multiplication gate

SPDZ Like

Could generalise this to n+1 parties, P1,...,Pn and R.

Adversary can corruptThe single party ROr any subset of n-1 of the P1,...,Pn computing parties

Thus the party R needs to be highly protectedIn a traditional MPC protocol R is split into another sub-protocol run between P1,...,PnBut we wanted to isolate the randomness use on the chip.

“Wire” Model

With the wire model we just want a circuit which computes on sharings of data.

Investigated in series of papers by Nikova, Nikov, Rijmen, and co-authors

Want to reduce the amount of randomness used

Wire ModelRecall the basic setup, we want to compute

y = f(x)We write

x = x1+ x2 + x3

And come up with three “functions” f1 , f2 and f3 such that y can be recovered from (encoding the cross-talk)

y1 = f1(x1, x2, x3,r)y2 = f2(x1, x2, x3,r)y3 = f3(x1, x2, x3,r)

The three functions will be randomized by an input r– Qu: What properties do they need to ensure security

Wire Model

Nikova, Nikov, Rijmen et al identify three properties

1) CorrectnessFor all (y,x) such that

y=f(x) and all (x1,x2) such that

x = x1 + x2 + x3

we havey = f1(x1, x2, x3,r) + f2(x1, x2, x3,r) + f3(x1, x2, x3,r)

Wire Model

Nikova, Nikov, Rijmen et al identify three properties

2) Non-CompletenessThe function fi should be independent of xi

i.e. We actually havey = f1(x2, x3,r) + f2(x1, x3,r) + f3(x1, x2,r)

This means if party i+1 executes function i, then they learn nothing as they do not see the data from party i at all.

Wire ModelNikova, Nikov, Rijmen et al identify three properties

3) UniformityFor all y1, y2, y3 satisfying

y = y1 + y2 + y3

the number of x1, x2, x3,r such thatyi = fi(x1, x2, x3,r)

depends only on the number of values of x such thaty = f(x)

This means that we can compose the functions.

Wire Model

This seems to give information theoretic security, and is in the full threshold case, i.e.

t < nWhich contradicts the theory of needing

t < n/2But this is OK, as the method only computes restricted functions

– It is not general (see next slides)– Amazingly though can be used to compute some S-Boxes

of some ciphers

Examples

Does not seem to work for n=2For n=3 we can do this over GF(2) using the following functions for multiplication (addition is trivial)

F1 = a2*b2 + a2*b3 + a3*b2 + r F2 = a3*b3 + a1*b3 + a3*b1 + (a1 + b1)*r F3 = a1*b1 + a1*b2 + a2*b1 + (a1 + b1)*r + r

So we require one random bit per AND gate.

Examples

With n=4 we can dispense with the random bit

F1 = (a3 + a4)*(b2 + b3) + a2 + a4F2 = (a1 + a3)*(b1 + b4) + b1 + a4F3 = (a2 + a4)*(b1 + b4) + a2F4 = (a1 + a2)*(b2 + b3) + b1

Summary

We can use MPC idea to implement masking for side-channel protection

There are issues and trade-offs with respect to1. What functions we can compute2. The threshold (a.k.a. resistance to nth order DPA)3. How much randomness is needed, and by what units

Other Issues

There is a big difference between MPC and using threshold cryptography to protect against side-channels

– Non-ideal secret sharing schemes cost hardware for each variable– Networking for free in hardware (just wires)– No need to worry about asynchronous networks– No need to worry about active adversaries– More concern re proactive security

Questions?