Leakage Resilient Computation
Yevgeniy Vahlis
joint work with Ali Juma, Charles Rackoff
Crypto

The encryption game: the adversary sends Message M0 and Message M1 to the Encryption Box; the box picks b ∈r {0,1} and returns the Encryption of Mb; the adversary must decide b = ?
Crypto in Real Life

The same game against RSA (N = pq): the adversary sends Message M0 and Message M1, the box picks b ∈r {0,1} and returns the Encryption of Mb, and this time the adversary announces b!
Crypto in Real Life

RSA, N = pq. Solutions:
• Heat isolation
• Uniform cooling and quiet fans
• Electromagnetic isolation
• ???
Algorithmic Protection

RSA, N = pq. In recent years:
• Reduce assumptions about hardware
• Design algorithms that are secure under leakage
Previous Work
• [Goldreich & Ostrovsky 96] protect against complete leakage of memory when CPU is secure.
• [Ishai & Sahai & Wagner 2003] assume adversary leaks value of a fixed number of wires
• [Micali & Reyzin 04] introduce axioms and framework
• [Goldwasser & Kalai & Rothblum 2008] one-time programs
• [Dziembowski & Pietrzak 2008] Leakage resilient stream cipher in the split state model
• [Faust & Reyzin & Tromer 2009] protect against AC0 leakage functions (needs secure component)
Our Results
• A compiler that transforms any keyed primitive H_K into a stateful algorithm G_state
• G_state is resilient against length-bounded leakage in each invocation
• Need a fixed size, memory-less secure component
• Achieve leak-resilience for arbitrary complexity from leak-resilience for fixed complexity
Model

Want to protect H_K(x). Two computers that communicate over a public channel. Initialization is secure.
• Init takes K and produces MemA_1 for CPU A and MemB_1 for CPU B.
• Evaluating H_K(x): CPU A holds MemA_i and CPU B holds MemB_i; the input x is given to CPU A; the two CPUs exchange messages over the public channel; CPU A outputs H_K(x); the memories are updated to MemA_{i+1} and MemB_{i+1}.
Leakage

CPU A holds MemA_1 and randomness R_A; CPU B holds MemB_1 and randomness R_B.
• The adversary chooses the input x_1 and a leakage function f_1. While CPU A is computing, the adversary learns L_1 = f_1(MemA_1, R_A).
• The adversary then chooses f_2. While CPU B is computing on the message z it received from CPU A, the adversary learns L_2 = f_2(MemB_1, R_B, z).
• This continues for every flow: the adversary holds x, L_1, L_2, L_3, ... and finally receives H_K(x).
• Our construction needs 2 flows.
Definition of Security

Real World: the adversary sends x and a leakage function to G_state and receives H_K(x) together with leakage(state).

Ideal World: the adversary sends x and the leakage function to a Simulator; the Simulator queries H_K on x and returns H_K(x) together with Fake Leakage.
Main Tool
Fully Homomorphic Encryption (FHE)
First construction by Gentry at STOC 09
Based on Ideal Lattices
Other restricted constructions are known
[Boneh Goh Nissim 2005]
[Melchor Gaborit Herranz 2008]
Homomorphic Encryption

Regular Public Key Encryption: Generate Keys → pub, pri; Encrypt M under pub → C(M); Decrypt C(M) with pri → M.

Homomorphic Encryption adds: Evaluate f( ) on C(M) → C_f(f(M)); Randomize C_f(f(M)) → C(f(M)), a ciphertext distributed like a fresh encryption of f(M).
Our Construction

Initialization(K):
• Generate keys pri, pub
• C(K) = Enc_pub(K)
• MemA_1 = pri (CPU A)
• MemB_1 = C(K) (CPU B)
First Attempt

Step 1: CPU A (MemA_i = pri_i)
• Generate Keys with randomness R_gen: pub_{i+1}, pri_{i+1}
• Encrypt pri_i under pub_{i+1} with randomness R_enc: C(pri_i)
• Send C(pri_i) to CPU B
• Set Memory A = pri_{i+1}

Step 2: CPU B (MemB_i = C_i(K)), input x, evaluate relative to pub_{i+1}
• Receive C_{i+1}(pri_i)
• Homomorphically Decrypt: inside the encryption, pri_i decrypts C_i(K) to K, giving C_{i+1}(K)
• Evaluate H inside the encryption: C_{i+1}(H_K(x))
• Set MemB_{i+1} = C_{i+1}(K)

Step 3: CPU A (Memory A = pri_{i+1})
• Decrypt C_{i+1}(H_K(x)) → H_K(x)

Looks great! What goes wrong?
• C_{i+1}(H_K(x)) carries history: it may contain K
• A modified Decrypt’ applied to C_{i+1}(H_K(x)) can output K instead of H_K(x)
Second Attempt

Step 2’: CPU B, input x, evaluate relative to pub_{i+1}
• Receive C_{i+1}(pri_i); homomorphically Decrypt to obtain C_{i+1}(K) from MemB_i = C_i(K)
• Evaluate H: C_{i+1}(H_K(x))
• Randomize C_{i+1}(H_K(x))
• Set MemB_{i+1} = C_{i+1}(K)

Step 3: CPU A (Memory A = pri_{i+1})
• This time C_{i+1}(H_K(x)) only contains H_K(x)
• Decrypt → H_K(x); Decrypt’ → ?
• Are we done? Not quite...
Second Attempt

Step 2’: CPU B. What did we forget?
• MemB_{i+1} = C_{i+1}(K) also carries history*
Third Attempt

Step 2’’: CPU B, input x, evaluate relative to pub_{i+1}
• Receive C_{i+1}(pri_i); homomorphically Decrypt to obtain C_{i+1}(K)
• Evaluate H: C_{i+1}(H_K(x)), then Randomize it
• Randomize C_{i+1}(K) as well and set MemB_{i+1} to the result

Now it works!
Complete Construction

CPU A (Memory A: pri_i; Randomness: r_gen)
• pub_{i+1}, pri_{i+1} = KeyGen(r_gen)
• C_pri = Enc(pri_i, pub_{i+1})
• Set Memory A = pri_{i+1}
• Send C_pri to CPU B

CPU B (Memory B: C_K; Randomness: r, r’)
• C_reply = Evaluate(C_pri, C_K, x, H_K(x); r)
• C’_K = Evaluate(C_pri, C_K, x, K; r’)
• C’_reply = Randomize(C_reply; r)
• Set Memory B = Randomize(C’_K; r’)
• Send C’_reply to CPU A

CPU A
• Y = Dec(C’_reply; pri_{i+1})
• Output Y
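The complete construction as a runnable simulation, added here and not the authors' code: the FHE scheme is replaced by a labelled toy that records which secrets shaped each ciphertext (the "history" the first two attempts leak), H_K is assumed to be HMAC-SHA256, and run_round(..., rerandomize=False) reproduces the first attempt so the effect of Randomize on Memory B and on the reply is visible.

```python
import hmac, secrets
from dataclasses import dataclass

# Toy stand-in for FHE (an illustration assumption, not a real cipher): a
# ciphertext records its public key, plaintext and a "history", the set of
# secrets whose bits shaped its representation. evaluate() merges histories
# and intermediate wires, as real evaluation does; randomize() wipes them.
@dataclass(frozen=True)
class CT:
    pub: int
    pt: object
    history: frozenset

def keygen():
    pub = secrets.randbits(32)
    return pub, ("pri", pub)      # private key carries the id of its public key

def enc(pub, pt):
    return CT(pub, pt, frozenset())

def dec(pri, ct):
    assert ct.pub == pri[1], "ciphertext is not under this key"
    return ct.pt

def evaluate(pub, circuit, *cts):
    # circuit gets the input plaintexts and returns (output, intermediate secrets)
    out, wires = circuit(*(c.pt for c in cts))
    hist = frozenset(c.pt for c in cts) | frozenset(wires)
    return CT(pub, out, hist.union(*(c.history for c in cts)))

def randomize(ct):
    return CT(ct.pub, ct.pt, frozenset())

def H(K, x):                      # the keyed primitive H_K being protected (assumed HMAC)
    return hmac.new(K, x, "sha256").hexdigest()

def run_round(mem_a, mem_b, x, rerandomize=True):
    """One invocation: Memory A = pri_i, Memory B = C_i(K). Returns H_K(x),
    the new memories, and the secrets exposed by the ciphertexts B holds and sends."""
    pub_n, pri_n = keygen()                       # Step 1, CPU A: fresh key pair
    c_pri = enc(pub_n, mem_a)                     # C(pri_i) under pub_{i+1}, sent to B
    def reply(pri_i):                             # Step 2, CPU B, inside the encryption:
        K = dec(pri_i, mem_b); return H(K, x), (K,)   # decrypt C_i(K), then apply H
    def rekey(pri_i):
        K = dec(pri_i, mem_b); return K, (K,)     # C_i(K) -> C_{i+1}(K)
    c_reply, c_k = evaluate(pub_n, reply, c_pri), evaluate(pub_n, rekey, c_pri)
    if rerandomize:                               # third attempt: randomize both
        c_reply, c_k = randomize(c_reply), randomize(c_k)
    y = dec(pri_n, c_reply)                       # Step 3, CPU A
    return y, pri_n, c_k, c_reply.history | c_k.history
```

With rerandomize=False the returned exposure set contains K and pri_i, which is what a leakage function on Memory B could exploit; with randomization it is empty while the state still decrypts correctly in the next round.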
Proof

Hybrid 1: same as the complete construction, except that the reply sent to CPU A is C’’_reply = Enc(H_K(x), pub_{i+1}) instead of C’_reply = Randomize(C_reply; r).
• Doesn’t change the distribution

Hybrid 2: in addition, Memory B is set to C’’_K = Enc(0...0, pub_{i+1}) instead of Randomize(C’_K; r’).
• Changes the distribution completely
Why Should This Work?
• Very informally: Ciphertexts are incompressible.
• This means that leakage on B can help only if Adv knows enough about pri
• But Adv sees only leakage on pri, which is insufficient to break semantic security
Open Questions
• Can we get rid of the leak-free component?
• Granularity of leakage.
Thank you!