Topics in Cryptography
Lecture 8 Side Channels: PKC resilient to key leakage
Lecturer: Moni Naor
Recap: Side Channels
• Standard model vs. physical implementation
  – Side channel: any information not captured by the abstract "standard" model
• Timing attacks against secret exponentiation
  – With control on timing
  – Through a network
  – Protection: blinding
• Cache attacks
  – Exploit which addresses are being accessed
  – Countermeasure: oblivious RAM
• Memory attacks
  – DRAM retains information longer than thought
  – Defines a model: leakage of any short function of the key
Adversarial Models
STANDARD MODEL: abstract models of computation
  Interactive Turing machines, private memory, randomness, ...
  Well-defined adversarial access; can model powerful attacks
REAL LIFE: physical implementations leak information
  Adversarial access is not always captured by the abstract models
  (figure: a device computing E_k(m) while leaking to the outside)
Thesis of this course
Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks.
Proof by examples...
Must incorporate side-channel attacks in the design of systems, and not only at implementation time.
Homework
Timing attack of Kocher against RSA.
• Suppose the time of each multiplication involving y is distributed according to a normal distribution
  – with known parameters,
  – independent of everything else.
• Show that this allows figuring out, given the first k-1 bits of the secret exponent, the next bit.
Basic Timing
In each iteration of the exponentiation loop the multiplication by the base is performed only when the corresponding bit of the secret exponent is 1.
  (figure: the multiplication "takes a while to compute"; skipping it "is instantaneous")
Whether an iteration takes a long time depends on the kth bit of the secret exponent.
Old observation: timing depends on the number of 1's.
If all multiplications take the same time, all you get is the number of 1's.

Not all multiplications were created equal
• Different timing given the operands
• Assumption/heuristic: timings of subsequent multiplications are independent
  – Given that we know the first k-1 bits of x
  – Given a guess for the kth bit of x
  – The time of the remaining bits is independent of the guess
Given a measurement of the total time, one can see whether there is a correlation between the events "the kth step is long" and "the total time is long".
  (figure: exact timing vs. exact guess)

Outline of Kocher's Attack
• Idea: guess some bits of the exponent;
  – Predict how long decryption will take
  – If the guess is correct: will observe correlation. If incorrect, the prediction will look random
  – The more bits you already know, the stronger the signal, thus the easier to detect (error-correction property)
• Start by guessing a few top bits, look at correlations for each guess, pick the most promising candidate and continue
Works against systems under direct control
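A simulation of the attack outlined above, added here as an example; it is not code from the lecture. The modulus, the 8-bit secret exponent, the measurement noise and the cost model for a modular multiplication (one unit, plus one more when the quotient of the product is odd) are all constructed, and the attacker is assumed to know that cost model, as in Kocher's setting. The code uses the variance form of the test: after subtracting the predicted cost of the guessed prefix from every measured total, the residual variance is smallest for the correct guess, and the gap between the two guesses grows as more bits become known.

```python
import random
import statistics

MODULUS = 1_000_003          # constructed: a prime standing in for an RSA modulus
SECRET = 0b10110011          # constructed 8-bit secret exponent
SECRET_BITS = [int(c) for c in format(SECRET, "b")]   # MSB first, top bit is 1


def mul_cost(a, b, n):
    """Constructed, operand-dependent cost of one modular multiplication.

    Every multiplication costs one time unit, plus one more when the quotient
    (a*b) // n is odd. This plays the role of the implementation-specific timing
    differences that Kocher's attack exploits; the attacker knows this model.
    """
    return 1.0 + float(((a * b) // n) & 1)


def iterate(x, y, bit, n):
    """One left-to-right square-and-multiply iteration on the intermediate x.

    Returns the new intermediate value and the deterministic cost of the step:
    the multiplication by y is performed only when the exponent bit is 1.
    """
    cost = mul_cost(x, x, n)
    x = x * x % n
    if bit:
        cost += mul_cost(x, y, n)
        x = x * y % n
    return x, cost


def modexp_timed(y, exp_bits, n, noise_sd, rng):
    """Compute y^d mod n (d given MSB first) and a noisy total running time."""
    x, total = 1, 0.0
    for bit in exp_bits:
        x, cost = iterate(x, y, bit, n)
        total += cost + rng.gauss(0.0, noise_sd)
    return x, total


def collect_samples(exp_bits, n, count, noise_sd, seed):
    """Constructed measurement set: (base y, observed total time) pairs."""
    rng = random.Random(seed)
    samples = []
    for _ in range(count):
        y = rng.randrange(2, n - 1)
        _, t = modexp_timed(y, exp_bits, n, noise_sd, rng)
        samples.append((y, t))
    return samples


def recover_exponent(samples, n, nbits):
    """Kocher's attack: extend the known prefix of the exponent one bit at a time.

    For each guess of the next bit, replay the known prefix plus the guess on
    every sample and subtract the predicted cost from the observed total. The
    correct guess removes exactly the cost that was really spent, leaving only
    the cost of the remaining iterations; a wrong guess leaves an extra
    operand-dependent term in the residual and inflates its variance.
    The top bit is taken to be 1.
    """
    bits = [1]
    # per-sample (intermediate value, predicted cost) after the known prefix
    state = [iterate(1, y, 1, n) for y, _ in samples]
    gaps = []   # variance gap between the two guesses, one entry per recovered bit
    while len(bits) < nbits:
        variance = {}
        for guess in (0, 1):
            residuals = [T - (t + iterate(x, y, guess, n)[1])
                         for (y, T), (x, t) in zip(samples, state)]
            variance[guess] = statistics.pvariance(residuals)
        best = min(variance, key=variance.get)
        gaps.append(abs(variance[0] - variance[1]))
        bits.append(best)
        new_state = []
        for (y, _), (x, t) in zip(samples, state):
            nx, c = iterate(x, y, best, n)
            new_state.append((nx, t + c))
        state = new_state
    return bits, gaps


def demo(count=4000, noise_sd=0.25, seed=7):
    samples = collect_samples(SECRET_BITS, MODULUS, count, noise_sd, seed)
    return recover_exponent(samples, MODULUS, len(SECRET_BITS))


def sanity(y=5):
    """The timed loop really computes y^d mod n."""
    return modexp_timed(y, SECRET_BITS, MODULUS, 0.0, random.Random(0))[0] == pow(y, SECRET, MODULUS)


if __name__ == "__main__":
    recovered, gaps = demo()
    print("secret   ", SECRET_BITS)
    print("recovered", recovered)
    print("variance gap per recovered bit:", [round(g, 3) for g in gaps])
```

The printed gaps show the error-correction property: each recovered bit removes one more iteration's cost from the residual, so the same 0.25 unit of variance that a wrong guess adds stands out more clearly against a smaller remainder. Blinding the base (the protection from the recap) breaks the attack because the attacker can no longer replay the operands.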
Homework: Oblivious Permutations
Suggest a method for permuting an array obliviously.
• Array M of size n
• The CPU has access to a permutation π on n elements.
• At the end of the process the array M should be rearranged according to π:
  – The element that was in M[i] is now in M[π(i)].
• The requirement is: for any two permutations π and π', an eavesdropper that sees the locations accessed cannot distinguish whether the array is permuted according to π or π'.
Small (secure) space and time to permute

Model
  (figure: a CPU with a small private memory issues requests q_i to the main memory and receives M[q_i])

Oblivious RAM Requirements
Any sequence of locations i_1, i_2, ... induces a distribution on sequences of requests q_1, q_2, ...
• Functionality: should be able to figure out the original content
• Security: for any two sequences of locations i_1, i_2, ... and i'_1, i'_2, ... the induced distributions of requests should be indistinguishable
The homework problem is much more relaxed:
• The order in which elements are accessed is known in advance
• The accesses constitute a permutation
Open ended
Ideas/hints:
• Routing permutations in networks
• Sorting networks
Memory Attacks [HSHCPCFAF 08]
Concern: not only computation leaks information; memory retains its content after power is lost.
  (figure: an image held in DRAM decays gradually, shown after 5 seconds, 30 seconds, 60 seconds and 5 minutes without power)
http://citp.princeton.edu/memory
Model: leakage of any function of the key
Would like to allow the adversary to learn any function of the key.
Cannot withstand learning the full key.
Idea: limit the length of the function.
Would like to withstand as long a leakage as possible.
Key-Leakage Attacks
Semantic security with key leakage [AGV 09]: for any* leakage f(sk) and for any m_0 and m_1 it is infeasible to distinguish E_pk(m_0) from E_pk(m_1).
The attack game (figure):
• The challenger generates (sk, pk) and sends pk
• The adversary chooses a leakage function f and receives f(sk)
• The adversary sends m_0, m_1; the challenger picks b ← {0,1} and returns E_pk(m_b)
• The adversary outputs a guess b'
* Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.
[AGV 09]: Akavia, Goldwasser and Vaikuntanathan
Is this the right model?
• Noisy leakage, as opposed to low-bandwidth leakage
• Leakage of intermediate values: are intermediate values always erased?
  – Key generation process
  – Decryption process
• Keys generated using a "weak" random source
Not a perfect model, but still a good starting point. Extensions are discussed later on.
What We Know
A generic method for protecting against key-leakage attacks
  Main building block: hash proof systems [CS 02]
  Efficient instantiations based on decisional Diffie-Hellman, a few exponentiations
Chosen-ciphertext key-leakage attacks
  A generic CPA-to-CCA transformation
  Efficient schemes
Extensions
  Noisy leakage
  Leakage of intermediate values
  Weak random sources
Outline of the Talk
• Some tools
• The generic construction by examples
  – A simple scheme: λ ≈ |sk|/2
  – Improved schemes: λ ≈ |sk|
• Extensions of the model
• Conclusions, further work, and some rest...
Min-Entropy
Probability distribution X over {0,1}^n
  H_∞(X) = − log max_x Pr[X = x]
  Represents the probability of the most likely value of X
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^{−k} for all x)
Statistical distance: Δ(X, Y) = ½ Σ_a |Pr[X = a] − Pr[Y = a]|
Extractors
Universal procedure for "purifying" an imperfect source
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for any k-source X
  Δ(Ext(X, U_d), U_ℓ) ≤ ε
  (figure: a k-source x of length n and a d-bit random seed s enter EXT, which outputs ℓ almost-uniform bits)
Strong Extractors
Output looks random even after seeing the seed
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if
  Ext'(x, s) = s ∘ Ext(x, s)
is a (k, ε)-extractor
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors
Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
  Output length ℓ = k − 2 log(1/ε)
  Seed length d = 2n; with almost pairwise independence d = O(log n + k)
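The ax + b extractor from the slide, implemented over GF(2^8) with the AES polynomial, together with the min-entropy and statistical-distance definitions above and an exact check of the leftover-hash-lemma bound on a constructed 4-source; this is an added example, not part of the lecture. The field, the source (the 16 bytes sharing a fixed top nibble) and the output length ℓ = 2 are assumptions chosen so that all 2^16 seeds can be enumerated exactly.

```python
import math

N_BITS = 8
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1: GF(2^8) as used by AES (assumption; any n works)


def gf_mul(a, b):
    """Multiply in GF(2^8); inputs and output are integers 0..255."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r


def ext(x, seed, ell):
    """Ext(x, (a, b)) = first ell bits of a*x + b over GF(2^n), the slide's example."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N_BITS - ell)


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps value -> probability."""
    return -math.log2(max(dist.values()))


def statistical_distance(p, q):
    """Delta(X, Y) = 1/2 sum_a |Pr[X = a] - Pr[Y = a]|; p, q map value -> probability."""
    return 0.5 * sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))


def strong_extractor_distance(source, ell):
    """Delta((S, Ext(X, S)), (S, U_ell)), i.e. the average over all 2^{2n} seeds S of
    Delta(Ext(X, S), U_ell), computed exactly for a source given as value -> probability.
    Same computation as ext(), with a*x hoisted out of the loop over b."""
    uniform = {v: 2.0 ** -ell for v in range(2 ** ell)}
    total = 0.0
    for a in range(2 ** N_BITS):
        ax = [(gf_mul(a, x), px) for x, px in source.items()]
        for b in range(2 ** N_BITS):
            out = {}
            for v, px in ax:
                key = (v ^ b) >> (N_BITS - ell)
                out[key] = out.get(key, 0.0) + px
            total += statistical_distance(out, uniform)
    return total / 4 ** N_BITS


def leftover_hash_bound(k, ell):
    """Leftover hash lemma: for a pairwise independent family, extracting ell bits
    from a k-source gives distance <= 1/2 * 2^{-(k - ell)/2}; equivalently
    ell = k - 2 log(1/eps) bits are eps-close to uniform."""
    return 0.5 * 2.0 ** (-(k - ell) / 2)


# Constructed 4-source: uniform over the 16 bytes whose top nibble is 0xA, i.e.
# half of every sample is fixed and only 4 bits are unpredictable.
SOURCE = {0xA0 | low: 1 / 16 for low in range(16)}


def demo(ell=2):
    k = min_entropy(SOURCE)
    return {"k": k, "ell": ell,
            "distance": strong_extractor_distance(SOURCE, ell),
            "bound": leftover_hash_bound(k, ell)}


if __name__ == "__main__":
    print(demo())
```

The measured distance stays well inside the bound even though the source is badly skewed, which is exactly what lets the schemes below feed a partially leaked secret into Ext and still obtain an almost-uniform pad.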
Sidebar: Weak Key-Leakage Attacks
Semantic security with weak key leakage: for any* leakage f(sk) fixed before pk is seen, for a random pk and for any m_0 and m_1 it is infeasible to distinguish E_pk(m_0) from E_pk(m_1).
The attack game (figure): the adversary commits to f, then receives pk and f(sk); the rest (m_0, m_1, b ← {0,1}, E_pk(m_b), guess b') is as in the key-leakage game above.
* Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.
What About Weak Attacks?
Leakage depends on the secret key only.
The leakage function is chosen by the adversary ahead of time, without any knowledge of the public key.
• It depends only on the properties of the hardware devices used for storing the secret key.
Generic construction transforming any encryption scheme (G, E, D): resilient to any weak leakage of L(1 − o(1)) bits, where L is the secret-key length.
• Parameters:
  – leakage parameter λ
  – length of the random strings used by the generation algorithm G: m
• Need: Ext: {0,1}^k × {0,1}^d → {0,1}^m, a (k − λ, ε)-strong extractor
Generic construction transforming any encryption scheme (G, E, D)
Ext: {0,1}^k × {0,1}^d → {0,1}^m a (k − λ, ε)-strong extractor
• Key generation:
  – Choose x ∈ {0,1}^k and s ∈ {0,1}^d
  – Compute (pk, sk) = G(Ext(x, s))
  – Output PK = (pk, s) and SK = x
• Encryption: choose r uniformly at random and output (E(pk, M, r), s)
• Decryption: given the ciphertext (c, s) and the secret key SK = x:
  – Compute (pk, sk) = G(Ext(x, s)) and output D(sk, c)
• Resilient to any weak leakage of L(1 − o(1)) bits:
  given f(x), the string x still has min-entropy at least k − λ, and Ext is a (k − λ, ε)-strong extractor, so Ext(x, s) is ε-close to uniform even given s and f(x); the underlying scheme is therefore run on (almost) uniform randomness.
Decisional Diffie-Hellman
  (figure: Alice sends g^x, Bob sends g^y; both parties compute K = g^{xy})
DDH assumption:
  (g, g^x, g^y, g^{xy}) ≈ (g, g^x, g^y, g^z) for random x, y, z ∈ Z_q
Equivalent formulation:
  (g_1, g_2, g_1^r, g_2^r) ≈ (g_1, g_2, g_1^{r_1}, g_2^{r_2}) for random g_1, g_2 ∈ G and r, r_1, r_2 ∈ Z_q
Outline (continued): the generic construction by examples, starting with a simple scheme with λ ≈ |sk|/2
A Simple Scheme: Key Generation
G - group of order q; Ext : G × {0,1}^d → {0,1}^ℓ a strong extractor
Key generation:
  Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q
  Let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h)
MAIN IDEA: redundancy: any pk corresponds to many possible sk's
  h = g_1^{x_1} g_2^{x_2} reveals only log(q) bits of information on sk = (x_1, x_2)
  Leakage of λ bits ⇒ sk still has min-entropy log(q) − λ
A Simple Scheme: Encryption and Decryption
G - group of order q; Ext : G × {0,1}^d → {0,1}^ℓ a strong extractor
Key generation:
  Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h)
Enc_pk(m):
  Choose r ∈ Z_q and a seed s ∈ {0,1}^d
  Output (g_1^r, g_2^r, s, Ext(h^r, s) ⊕ m)
Dec_sk(u_1, u_2, s, e):
  Output e ⊕ Ext(u_1^{x_1} u_2^{x_2}, s)
Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r
A Simple Scheme: Security Theorem
Theorem: the scheme is resilient to any leakage of λ ≈ log(q) bits, half the size of sk (more precisely λ = log(q) − |m| bits, since the extractor must still produce |m| almost-uniform bits).
Proof by reduction: an adversary for the encryption scheme is turned into a distinguisher for decisional Diffie-Hellman.
A Simple Scheme: Security Theorem (the reduction)
Theorem: the scheme is resilient to any leakage of λ ≈ log(q) bits.
  (figure: the key-leakage game as above: (sk, pk) is generated and pk sent; the adversary chooses f and receives f(sk), sends m_0, m_1, receives E_pk(m_b) for b ← {0,1} and outputs b')
Distinguisher for DDH (figure): on input (g_1, g_2, g_1^{r_1}, g_2^{r_2}) it plays the challenger in the game above, supplying pk, f(sk) and the challenge ciphertext on m_0, m_1, and uses the adversary's guess b' to decide between "r_1 = r_2" and "r_1 ≠ r_2".
A Simple Scheme: Security Proof
Ciphertexts can be generated in two modes:
  Valid: the plaintext can be recovered knowing sk
  Invalid: no information on the plaintext, even given pk
The two modes are computationally indistinguishable to anyone not knowing sk (by DDH).
A ciphertext: (g_1^r, g_2^r, s, Ext(h^r, s) ⊕ m), where h = g_1^{x_1} g_2^{x_2}
Rewriting the encapsulated key using sk: (g_1^r, g_2^r, s, Ext((g_1^r)^{x_1} (g_2^r)^{x_2}, s) ⊕ m)
Generalize to two exponents: (g_1^{r_1}, g_2^{r_2}, s, Ext((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) ⊕ m)
  Valid ciphertext: r_1 = r_2
  Invalid ciphertext: r_1 ≠ r_2
In the invalid case t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2} is uniformly distributed given pk and (g_1^{r_1}, g_2^{r_2}). Writing g_2 = g_1^w and taking logarithms to base g_1:
  x_1 + w x_2 = log(h)
  r_1 x_1 + r_2 w x_2 = log(t)
For r_1 ≠ r_2 the second equation is independent of the first, so as sk ranges over the q secret keys consistent with h, the value t runs through all of G.
Therefore, even given f(sk): t has min-entropy ≥ log(q) − λ, and the strong extractor turns it into an almost-uniform pad.
Proof of Security (the reduction in detail)
Input to the distinguisher: (g_1, g_2, u_1, u_2)
• Choose sk = (x_1, x_2) and send pk = (g_1, g_2, g_1^{x_1} g_2^{x_2})
• Answer the leakage query f with f(sk)
• On m_0, m_1: pick b and send (u_1, u_2, s, Ext(u_1^{x_1} u_2^{x_2}, s) ⊕ m_b)
• If b' = b output "r_1 = r_2", otherwise output "r_1 ≠ r_2"
Case 1: u_1 = g_1^r and u_2 = g_2^r. The simulation is identical to the actual attack: Pr[b' = b] = 1/2 + ε, where ε is the adversary's advantage
Case 2: u_1 = g_1^{r_1} and u_2 = g_2^{r_2}. The challenge is independent of b: Pr[b' = b] = 1/2
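The simple scheme of the previous slides and the two ciphertext modes of its proof, worked through in Python over a constructed toy group; this is an added example, not the authors' code. The group p = 2039 = 2·1019 + 1 is far too small for real use and is chosen so that all q secret keys consistent with a public key can be enumerated; SHA-256 stands in for the strong extractor (an assumption made for brevity, not the extractor on the slides).

```python
import hashlib
import random

# Constructed toy group (assumption): p = 2q + 1 with q prime, G = the order-q
# subgroup of quadratic residues in Z_p^*. Far too small for real use; chosen so
# that every secret key consistent with a public key can be enumerated.
P, Q = 2039, 1019
G = 4   # 2^2 is a quadratic residue, hence a generator of the order-q subgroup


def ext(elem, seed, nbytes):
    """Extractor stand-in (assumption): SHA-256(seed || elem), truncated.
    The slides use a strong extractor Ext: G x {0,1}^d -> {0,1}^l instead."""
    return hashlib.sha256(seed + elem.to_bytes(2, "big")).digest()[:nbytes]


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def keygen(rng):
    """sk = (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2)."""
    g1, g2 = pow(G, rng.randrange(1, Q), P), pow(G, rng.randrange(1, Q), P)
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (x1, x2), (g1, g2, h)


def encrypt(pk, m, rng):
    """(g1^r, g2^r, s, Ext(h^r, s) xor m) for random r in Z_q and seed s."""
    g1, g2, h = pk
    r = rng.randrange(Q)
    s = rng.getrandbits(128).to_bytes(16, "big")
    return pow(g1, r, P), pow(g2, r, P), s, xor(ext(pow(h, r, P), s, len(m)), m)


def decrypt(sk, ct):
    """e xor Ext(u1^x1 u2^x2, s); for a valid ciphertext u1^x1 u2^x2 = h^r."""
    x1, x2 = sk
    u1, u2, s, e = ct
    return xor(ext(pow(u1, x1, P) * pow(u2, x2, P) % P, s, len(e)), e)


def consistent_secret_keys(pk):
    """All (x1, x2) with g1^x1 g2^x2 = h: there are q of them, one per x1,
    so pk reveals only log q of the 2 log q bits of sk (the redundancy)."""
    g1, g2, h = pk
    dlog_g2 = {pow(g2, x2, P): x2 for x2 in range(Q)}   # brute force is fine in a tiny group
    keys = []
    for x1 in range(Q):
        target = h * pow(pow(g1, x1, P), -1, P) % P      # need g2^x2 = h / g1^x1
        keys.append((x1, dlog_g2[target]))
    return keys


def encapsulated_keys(pk, u1, u2):
    """The set of values u1^x1 u2^x2 over every secret key consistent with pk."""
    return {pow(u1, x1, P) * pow(u2, x2, P) % P for x1, x2 in consistent_secret_keys(pk)}


def demo(seed=2024):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    g1, g2, _ = pk
    m = b"leakage-resilient"
    ct = encrypt(pk, m, rng)
    # Valid mode (r1 = r2): every consistent sk yields the same key h^r, so the
    # simulation in the reduction is identical to the real attack.
    valid = encapsulated_keys(pk, ct[0], ct[1])
    # Invalid mode (r1 != r2): with logarithms to base g1 the key's exponent is
    # (r1 - r2) x1 + r2 log(h), which runs through all of Z_q as x1 does, so each
    # consistent sk gives a different key; a leakage of l < log q bits on sk
    # therefore leaves the key with min-entropy >= log q - l.
    r1, r2 = 17, 23
    invalid = encapsulated_keys(pk, pow(g1, r1, P), pow(g2, r2, P))
    return {
        "decrypts": decrypt(sk, ct) == m,
        "keys_consistent_with_pk": len(consistent_secret_keys(pk)),
        "valid_mode_values": len(valid),
        "invalid_mode_values": len(invalid),
    }


if __name__ == "__main__":
    print(demo())
```

The two counts are the whole proof in miniature: a valid ciphertext pins the encapsulated key to one value regardless of which consistent sk is used, while an invalid one spreads it over all q group elements, so whatever the λ-bit leakage reveals about sk, the pad fed to the extractor keeps log q − λ bits of min-entropy.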
Hash Proof Systems
Ciphertexts can be generated in two modes:
  Valid: the plaintext can be recovered, knowing sk
  Invalid: no information on the plaintext, given pk
  The two modes are computationally indistinguishable
The previous scheme relies on a specific HPS (many technical details...)
Known instantiations: decisional Diffie-Hellman, the linear family (bilinear groups), quadratic residuosity, composite residuosity (Paillier)
Our general construction:
  HPS + randomness extraction ⇒ a key-encapsulation mechanism resilient to key leakage
Outline (continued): improved schemes with λ ≈ |sk|
An Improved Scheme: Notation
G - group of order q
For (x_1, ..., x_n) ∈ Z_q^n and (g_1, ..., g_n) ∈ G^n:
  (x_1, ..., x_n) · (g_1, ..., g_n)^T = Π_{i=1}^{n} g_i^{x_i}
The products below (Ax, RA, Ry, Qx) apply this inner product entry by entry, with exponents from Z_q on one side and group elements from G on the other.
An Improved Scheme
G - group of order q; Ext : G^{n−k} × {0,1}^d → {0,1}^ℓ a strong extractor
Key generation:
  Choose A ∈ G^{k×n} and x ∈ Z_q^n
  Let y = Ax; output sk = x and pk = (A, y)
Enc_pk(m):
  Choose R ∈ Z_q^{(n−k)×k} and a seed s ∈ {0,1}^d
  Output (RA, s, Ext(Ry, s) ⊕ m)
Dec_sk(Q, s, e):
  Output e ⊕ Ext(Qx, s)
Correctness: Qx = (RA)x = R(Ax) = Ry
The original scheme is the case k = 1, n = 2
An Improved Scheme: Security
Theorem: the scheme is resilient to any leakage of length λ ≈ (1 − k/n) |sk|, i.e. a (1 − o(1)) fraction of the key for n ≫ k.
Based on the hardness of k-Linear [BBS 04]:
  1-Linear = DDH
  k-Linear is hard ⇒ (k+1)-Linear is hard
  k-Linear is easy ⇏ (k+1)-Linear is easy (in generic groups)
A new hash proof system; optimizes the ratio between the secret key and the encapsulated key.
An Improved Scheme: the Rank View
We show that k-Linear implies the indistinguishability of:
  a random P ∈ G^{n×n} of rank k, and
  a random P ∈ G^{n×n} of rank n
(rank computed in Z_q^{n×n} relative to a fixed generator g ∈ G)
In the simplified scheme the matrix
  ( g_1        g_2      )
  ( g_1^{r_1}  g_2^{r_2} )
has rank 1 when r_1 = r_2 and rank 2 when r_1 ≠ r_2.
[BHHO 08] proved the case k = 1.
The proof is similar to the simplified scheme.
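The improved scheme for general k and n, together with the rank view of the slide above, as an added example over the same constructed toy group; it is not the authors' code. Products with group elements on one side and exponents on the other follow the notation slide, (RA)_ij = Π_l A_lj^{R_il}. Because the group is tiny, a discrete-log table converts group elements to exponents so that the rank of a matrix over G can be computed mod q; SHA-256 again stands in for the extractor (assumption). The k = 1, n = 2 case is checked against the simple scheme.

```python
import hashlib
import random

# Constructed toy group (assumption), as in the simple-scheme example: p = 2q + 1,
# G = the order-q subgroup of Z_p^* generated by 4. Tiny, so discrete logs are a table.
P, Q = 2039, 1019
G = 4
DLOG = {pow(G, a, P): a for a in range(Q)}   # group element -> exponent w.r.t. G


def vec_mul(exps, elems):
    """(x_1..x_n) . (g_1..g_n)^T = prod_i g_i^{x_i}: the inner product of the notation slide."""
    out = 1
    for x, g in zip(exps, elems):
        out = out * pow(g, x, P) % P
    return out


def mat_vec(A, x):
    """A in G^{k x n}, x in Z_q^n -> Ax in G^k."""
    return [vec_mul(x, row) for row in A]


def exp_mat_mul(R, A):
    """R in Z_q^{m x k}, A in G^{k x n} -> RA in G^{m x n}, (RA)_ij = prod_l A_lj^{R_il}."""
    cols = list(zip(*A))
    return [[vec_mul(row, col) for col in cols] for row in R]


def ext(elems, seed, nbytes):
    """Extractor stand-in (assumption): SHA-256 over the seed and the G^{n-k} vector."""
    return hashlib.sha256(seed + b"".join(e.to_bytes(2, "big") for e in elems)).digest()[:nbytes]


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def keygen(k, n, rng):
    """sk = x in Z_q^n, pk = (A, y = Ax) with A in G^{k x n}."""
    A = [[pow(G, rng.randrange(1, Q), P) for _ in range(n)] for _ in range(k)]
    x = [rng.randrange(Q) for _ in range(n)]
    return x, (A, mat_vec(A, x))


def encrypt(pk, m, rng):
    """(RA, s, Ext(Ry, s) xor m) for random R in Z_q^{(n-k) x k} and seed s."""
    A, y = pk
    k, n = len(A), len(A[0])
    R = [[rng.randrange(Q) for _ in range(k)] for _ in range(n - k)]
    s = rng.getrandbits(128).to_bytes(16, "big")
    Ry = [vec_mul(row, y) for row in R]
    return exp_mat_mul(R, A), s, xor(ext(Ry, s, len(m)), m)


def decrypt(sk, ct):
    """e xor Ext(Qx, s); correctness: Qx = (RA)x = R(Ax) = Ry."""
    Qm, s, e = ct
    return xor(ext(mat_vec(Qm, sk), s, len(e)), e)


def rank_mod_q(M):
    """Rank over Z_q by Gaussian elimination on an integer matrix (entries taken mod q)."""
    M = [[v % Q for v in row] for row in M]
    rank = 0
    for c in range(len(M[0])):
        pivot = next((i for i in range(rank, len(M)) if M[i][c]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][c], -1, Q)
        M[rank] = [v * inv % Q for v in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % Q for a, b in zip(M[i], M[rank])]
        rank += 1
    return rank


def exponent_matrix(M):
    """The rank of a matrix over G is the rank of its discrete logs ("relative to g")."""
    return [[DLOG[e] for e in row] for row in M]


def demo(k=2, n=5, seed=5):
    rng = random.Random(seed)
    sk, pk = keygen(k, n, rng)
    A, _ = pk
    m = b"matrix scheme"
    ct = encrypt(pk, m, rng)
    r_A = rank_mod_q(exponent_matrix(A))
    # The rows RA of a valid ciphertext lie in the row span of A, so stacking them
    # under A does not raise the rank: the "rank k" mode. A random matrix would have rank n.
    r_stack = rank_mod_q(exponent_matrix(A + ct[0]))
    return {
        "decrypts": decrypt(sk, ct) == m,
        "rank_A": r_A,                    # at most k
        "rank_A_and_RA": r_stack,         # equal to rank_A
        "free_sk_dimensions": n - r_A,    # log_q of the number of sk consistent with pk
    }


def simple_case(seed=9):
    """k = 1, n = 2 is the simple scheme: pk = (g1, g2, h) and ciphertext rows (g1^r, g2^r)."""
    rng = random.Random(seed)
    sk, pk = keygen(1, 2, rng)
    g1, g2 = pk[0][0]
    h = pk[1][0]
    ct = encrypt(pk, b"x", rng)
    u1, u2 = ct[0][0]
    # both components carry the same r: log(u1)/log(g1) = log(u2)/log(g2)   (r1 = r2, rank 1)
    r1 = DLOG[u1] * pow(DLOG[g1], -1, Q) % Q
    r2 = DLOG[u2] * pow(DLOG[g2], -1, Q) % Q
    return h == pow(g1, sk[0], P) * pow(g2, sk[1], P) % P and r1 == r2 and decrypt(sk, ct) == b"x"
```

The "free_sk_dimensions" figure is the source of the (1 − k/n) leakage rate: pk fixes only rank(A) ≤ k linear relations on the n coordinates of sk, so q^{n−k} secret keys remain consistent with it and a leakage of up to about (n − k) log q bits still leaves the encapsulated key unpredictable in the invalid mode.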
The Long Scheme
Originally proposed by [BHHO 08] as a "circular-secure" scheme; fits into our generic construction.
Key generation:
  Choose g_1, ..., g_k ∈ G and s_1, ..., s_k ∈ {0,1}
  Let h = g_1^{s_1} ··· g_k^{s_k}
  Output sk = (s_1, ..., s_k) and pk = (g_1, ..., g_k, h)
Enc_pk(m):
  Choose r ∈ Z_q
  Output (g_1^r, ..., g_k^r, h^r · m)
Dec_sk(u_1, ..., u_k, e):
  Output e · (u_1^{s_1} · u_2^{s_2} ··· u_k^{s_k})^{−1}
"Built-in" extractor: k ≈ λ + 2 log(q)
Proof: a natural extractor
DDH implies the computational indistinguishability of:
  (g_1^r, ..., g_k^r) for random r
  (g_1^{r_1}, ..., g_k^{r_k}) for random r_1, r_2, ..., r_k
The reduction (figure), on input (g_1, ..., g_k, u_1, ..., u_k):
• Choose sk = (s_1, ..., s_k) and send pk = (g_1, ..., g_k, g_1^{s_1} g_2^{s_2} ··· g_k^{s_k})
• Answer the leakage query f with f(sk)
• On m_0, m_1: send (u_1, ..., u_k, (u_1^{s_1} ··· u_k^{s_k}) · m_b)
• If b' = b output "equal r", otherwise "not equal r's"
Case 1: u_i = g_i^r for all i
Case 2: u_i = g_i^{r_i} for independent r_i
Security of the Scheme
DDH implies the computational indistinguishability of:
  (g_1^r, ..., g_k^r) for random r
  (g_1^{r_1}, ..., g_k^{r_k}) for random r_1, r_2, ..., r_k
Want to argue: if (g_1^{r_1}, ..., g_k^{r_k}) is used, then there is no information about the message m.
The adversary knows:
  h = g_1^{s_1} ··· g_k^{s_k}
  u_1 = g_1^{r_1}, u_2 = g_2^{r_2}, ..., u_k = g_k^{r_k}
and gets, instead of h^r · m_b:
  (u_1^{s_1} · u_2^{s_2} ··· u_k^{s_k}) · m_b = g_1^{r_1 s_1} ··· g_k^{r_k s_k} · m_b
Writing g_i = g_1^{w_i}, the pad carries information on Σ_{i=1}^{k} w_i r_i s_i only.
Fact: the functions (s_1, ..., s_k) ↦ Σ_{i=1}^{k} w_i r_i s_i, indexed by r_1, r_2, ..., r_k, form a pairwise independent family.
Can apply the leftover hash lemma! With k ≈ λ + 2 log(q), the pad is close to uniform even given λ bits of leakage on sk.
Circular Secure Encryption
Several public keys: (pk_1, sk_1), (pk_2, sk_2), ..., (pk_k, sk_k)
Goal: want to be able to reconstruct all keys from one. Provide
  E_{pk_1}(sk_2), E_{pk_1}(sk_3), ..., E_{pk_1}(sk_k)
  E_{pk_2}(sk_1), E_{pk_2}(sk_3), ..., E_{pk_2}(sk_k)
  ...
Is it secure? There are cycles... No known example of insecurity! BHHO: first proof of resiliency.
Chosen Ciphertext Attacks
• How to define?
• When does the leakage take place?
• How to define CCA2?
What is known:
• The general technique for obtaining CCA is still applicable
• Can get 1 − o(1) leakage
• Specific schemes with Ω(1) leakage
Recall: NIZK
For a full specification need to clarify:
• When is x chosen: before or after the common random string?
  – Adaptive
• What does the simulator get?
• Does soundness need to hold given a simulated common random string?
  – Cannot hold for a simulated string (false statement)
  – Simulation soundness
For NP: can be based on the existence of trapdoor permutations with some structure
Relevant for soundness and zero knowledge
Achieving resistance to CCA with NIZK
• Two independent keys of some "good" PKC: KP_1 and KP_2
• A public random string for the NIZK of the language {(KP_1, KP_2, C_1, C_2) | C_1 and C_2 encrypt the same message}
• To encrypt a message m: generate the ciphertexts C_1 and C_2 and add a proof of consistency
  – Ciphertext: (C_1, C_2, proof of consistency)
• To decrypt:
  – Verify the proof, and then
  – Decrypt only if the ciphertexts passed the consistency check
Important point: may decrypt with two different private keys
Outline (continued): extensions of the model; conclusions and further work
Extensions
Noisy leakage: leakage not necessarily of bounded length
  H_∞(sk | pk, leakage) > H_∞(sk | pk) − λ
Leakage of intermediate values: key generation
  Once the keys are generated, are all intermediate values erased?
  Leakage depends on the random bits used for generating the keys
  Crucial for security under composition
Hard-to-invert leakage (Tauman-Kalai and Vaikuntanathan):
  The BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert
Extensions: Weak Random Source
Keys generated using a low-entropy, adversarially chosen source
Key generation (as before):
  Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q
  Let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h)
(g_1, g_2) chosen once and shared by all users
Only need H_∞(x_1, x_2 | g_1, g_2) ≈ log(q) + |plaintext|
Extensions: Leakage of Intermediate Values in Decryption
Contrived example: first encode sk using a good error-correcting code, then decrypt. Not so contrived...
Dec_sk(u_1, ..., u_k, e): output e · (u_1^{s_1} ··· u_k^{s_k})^{−1}
Decryption has "low bandwidth": only O(log q) bits are live at any point in time, while sk = (s_1, ..., s_k) can be much larger.
Conclusions
Must incorporate side-channel attacks in the design of systems.
Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks.
Further work:
• Leakage-resilient encryption from general assumptions?
• Dealing with "iterative"/continual leakage and refreshed keys? As in leakage-resilient stream ciphers [DP08, P09]
• Other primitives? Other side channels? A falsifiable hardware assumption?

Conclusions: can leverage the physical world!
• Visual cryptography [NS94]
• Timing for concurrent composition [DNS98]
• Authentication: low-bandwidth human channel [NSS06]
• Tamper-evident seals (scratch-off cards) [MN06]
• Randomized response
• Secure computation using tamper-proof hardware [Katz07, MS08]
• Human competitive nature and love of games [HN09]
• Voting