Cryptography against

Memory Attacks

Lattice Based Results

Recall: Public-Key Encryption against Memory Attacks

Security against adaptive α(n)-memory attacks

Adversary A

PK

m0,m1

Enc PK(mb)

b'

(PK,SK)←G(1n)

For every PPT adversary A,

where |)(||)(| SKSKfi , Pr[b=b'] ≈1/2.

fi(SK)

fipoly(n) f(SK)

f

Encryption against Memory AttacksSecurity against adaptive α(n)-memory attacks

Adversary

PK

m0,m1

Enc PK(mb)

b'

(PK,SK)←G(1n

)

For every PPT adversary A,

where |)(||)(| SKSKfi , Pr[b=b'] ≈1/2.

f(SK)

• captures cold-boot attacks & much easier to achieve

f

Design Strategies

Design New Schemes -- LAST TIME (moni)

- Might lose other hard-earned properties (efficiency, homomorphism,…)

Show Old Schemes Secure (today)- Many existing schemes (RSA, factoring-based) insecure- Are there any that are secure?

Randomized encoding of secret-key

- No good against adaptive attacks- Increases length of storage, decreases efficiency- Have to recover original secret-key to work with

it….

- Represent sk as (s, sk Ext (source,s)) for random s,source

Work [Akavia+G+Vaikuntanathan]

non-adaptive mem. attacks that leak |SK|-ℓ bits

Theorem: Regev’s lattice-based PKC is semantically secure against:

adaptive mem. attacks that leak (1-ε)|SK| bits, ∀ε>0

Show Old Schemes Secure

- assuming hardness of learning with errors with smaller dimension ≈ℓ

- assuming hardness of learning with errors with smaller dimension and (slightly) smaller noise(ε)

Outline

• What is a Lattice?• q-ary lattices• Why Lattices?

– Hard Problems– Best Algorithms: Exponential (even Quantum)– Worst case to Average Reductions– Simple operations on small numbers

• Why Not Lattices?– Large dimensions to resist heuristics– Keys quadratic in dimensions

• LWE: LPN mod q > 2• Regev PKC• Regev Proof of Security• Regev: Leakage Resistance

Basis: b1,…,bn vectors in Rn

The lattice L is

L={y=b1x1+…+bnxn| xi integers}

The dual lattice of L is

L*={x | <x,y> in Z, y in L}

Lattices

b1 b2

0

2b1b1+b2 2b2

2b2-b1

2b2-2b1

Basis is not unique

0

v2

v1

v1’

v2’

Lattices where membership of y in lattice is determined by y mod q, q prime

Most crypto based on lattices uses q-ary lattices as a basis for their hard-on-average problem

Let A = in Zqnxm and q prime

– Can define m dimensional q-ary lattice L=Lq to be L(A)= {ATs mod q in Zm for s Zn}

- The dual lattice of L is L* (A) ={x in Zm | Ax=0 mod q }

q-ary (modular) Lattices

Hard Problems on Lattices

• SVP: Given a basis B, find a shortest vector

Shortest Vector Problem (SVP)

0

b2

b1

• CVP: Given a basis and a target vector t, find the closest lattice point to t

• Seems very difficult, however, checking if a point is in a lattice is easy

Closest Vector Problem (CVP)

0

v2

v1

tt

Approximation Versions

• In lattice based cryptography one typically considers approximation variant of these problems.

• Add approximation factor to the problems• SVP : find v at most time the shortest

non-0 vector in lattice• CVP: find the closest vector in the lattice

within a factor from the closest• Can define for any norm but we will use

Euclidean, ||x|| = xi2

• SVP-search: given basis B, find an approximately shortest vector w s.t. ||w||<||v|| where v is the shortest

• Gap-SVP: given basis B Zmxn and rZ determine whether shortest vector v, ||v||< r or ||v|| >r

Approximate Shortest Vector Problem (SVP):

Search and Decision

b1

b2

b2-b1

O

• Search-CVP: Given a basis and a target vector t, find the approximately closest lattice point

• Gap-CVP: Given BZmxn and t Qm,r Q, output

• 1 if dist(t,L(B)) < r and else 0

Closest Vector Problem (CVP): Search vs, Decision

0

Best Algorithms

• LLL82: approximation in poly-time, approximation factor is (2/√(3))n

• Schnorr: approximation factor 2O(nloglogn/logn)

• AKS : Best exact (or poly-factors) in time and space 2n

• Note comparison to factoring and discrete-log funding algorithms

Worst Case vs. Average Case

Worst-case Hard Average-case Hard

At least one instance

hard

Average instancehard

SAFEST TO ASSUME

=LATTICE PROBLEM

NEEDED IN CRYPTO

Ajtai

Worst Case vs. Average Case [Ajtai]

Avg: Given random matrix A Zqnxm for

q=poly(n), m > nlog q , find short vector x0 in Zq

m

s.t. Ax =0 mod q (i.e. x L* , L=Lq(A) q-ary lattice) .

Short: say ||x||=m

Ajtai showed that SVP as hard as solving Avg for any-worst-case SVP instance

( = poly (n), q=nc, m > n log q)

Uses of Lattice in Cryptography

• One Way Functions

• Hash Functions

• Public- Key Cryptography:– Ajtai-Dwork97, Regev04 : Unique SVP– GGH97, GPV08: – Regev05: GapSVP (quantum)

LPN: Learning from parity with error

•Let Let ssZZ22nn be a secret be a secret

•We have random equations modulo 2 We have random equations modulo 2 with error (everything independent):with error (everything independent):

•Without error, it’s easy!Without error, it’s easy!

ss22+s+s33+s+s44+ s+ s66+…+s+…+snn 00

ss11+s+s22+ s+ s44+ s+ s66+…+s+…+snn 11

ss11+ s+ s33+s+s44+s+s55+ …+s+ …+snn 11

ss22+s+s33+s+s44+ s+ s66+…+s+…+snn 00

..

..

..

•More formally, we need to learn More formally, we need to learn ss from from samples of the form samples of the form (t,st+e)(t,st+e) where where tt is is chosen uniformly from chosen uniformly from ZZ22

nn and and ee is a bit is a bit that is 1 with probability p=10%. that is 1 with probability p=10%.

•Easy algorithms need 2Easy algorithms need 2O(n) O(n) equations/timeequations/time

•Best algorithm needs 2Best algorithm needs 2O(n/logn)O(n/logn) equations/time [equations/time [BlumKalaiWasserman’00BlumKalaiWasserman’00]]

LPN: Learning parity with error

Regev introduced: Learning modulo q (LWE)

• Fix some prime qFix some prime q

• Let Let ssZZqqnn be a secret vector be a secret vector

• We have random equations modulo We have random equations modulo qq with error where the coefficients are mod with error where the coefficients are mod qq 2s2s11+0s+0s22+2s+2s33+1s+1s44+2s+2s55+4s+4s66+…+4s+…+4snn

22

0s0s11+1s+1s22+5s+5s33+0s+0s44+6s+6s55+6s+6s66+…+2s+…+2snn 44

6s6s11+5s+5s22+2s+2s33+0s+0s44+5s+5s55+2s+2s66+…+0s+…+0snn 22

6s6s11+4s+4s22+4s+4s33+4s+4s44+3s+3s55+3s+3s66+…+1s+…+1snn 55

..

..

..

LWE: Learning modulo q

• Formally, learn Formally, learn ss from samples of the from samples of the form form (a,as+x)(a,as+x) where where aa is chosen is chosen uniformly from uniformly from ZZqq

n n and and xx is chosen from is chosen from -normal dist over Z-normal dist over Zq q (i.e mean 0, variance (i.e mean 0, variance q q

to sample: to sample: choose in [0,1), multiply by q and choose in [0,1), multiply by q and round)round)

• Easy algorithms need 2Easy algorithms need 2O(nlogn) O(nlogn)

equations/timeequations/time

• Best algorithm needs 2Best algorithm needs 2O(n)O(n) equations/time equations/time [[BlumKalaiWasserman’00BlumKalaiWasserman’00]]

Connection to Lattices [Regev]

Theorem: Learning modulo q (LWE) is as Theorem: Learning modulo q (LWE) is as hard as worst-case lattice problems hard as worst-case lattice problems (gapSVP(gapSVP ) using a quantum reduction ) using a quantum reduction

where q =poly(n) is prime, where q =poly(n) is prime, m=poly(n)m=poly(n)

LWE with LWE with -normal error, -normal error, q>2sqrt(n)q>2sqrt(n) =O(n/=O(n/))

• In other words: solving the problem In other words: solving the problem implies an efficient quantum algorithm implies an efficient quantum algorithm for latticesfor lattices

Decision version: Learning modulo q

• Distinguishing Distinguishing • samples (a, u) where u is chosen samples (a, u) where u is chosen uniformly in Zuniformly in Zqq and and aa is chosen is chosen uniformly from uniformly from ZZqq

n n

• samples of the form samples of the form (a, as+x)(a, as+x) where where aa is chosen uniformly from is chosen uniformly from ZZqq

n n and and xx is is chosen from chosen from -normal dist over Z-normal dist over Zqq

Theorem [Regev ]

There is a polynomial (in n and q) There is a polynomial (in n and q) reduction from LWE-search (with m reduction from LWE-search (with m samples) samples)

to LWE-decision (with m’=mpoly(n,q) to LWE-decision (with m’=mpoly(n,q) samples) (with same error distribution)samples) (with same error distribution)

In other words can rely on LWE-decision In other words can rely on LWE-decision being being

as hard as gapSVP as long as q=poly(n)as hard as gapSVP as long as q=poly(n)

Connection to Lattices [Pekert09]

Theorem:Theorem: Learning modulo q (LWE) is as Learning modulo q (LWE) is as hard as worst-case lattice problems hard as worst-case lattice problems (gapSVP(gapSVP ) using a ) using a classical reductionclassical reduction

where q =2where q =2n/2n/2 is prime, is prime, m=poly(n)m=poly(n)

LWE with LWE with -normal error, -normal error, q>2sqrt(n)q>2sqrt(n) =O(n/=O(n/))

• In other words: solving the problem In other words: solving the problem implies an efficient quantum algorithm implies an efficient quantum algorithm for latticesfor lattices

Regev’s Public-Key Encryption

Secret-key SK:

nqZs

Public-key PK:

),( xsAA

A: m-by-n matrixx: low-weight “error”

O

a1

a2As

As+x

q=poly(n) n3

m >> n

Regev’s Public-Key Encryption

Secret-key SK:

nqZs

Public-key PK:

),( xsAA

A: m-by-n matrixx: low-weight “error”

EncPK(b): 2/)(, qbxsArAr r

“low-weight” vector

Regev Public Key Encryption

Secret-key SK:Public-key PK:

),( xsAA

EncPK(b): )(, xAsrrA r

“low-weight” vector if b=0 urA, if b=1

DecPK(a,b): 0 if b = as = (rA)s, else output 1

“very likely” to be 0rx

LWE Assumption: (A, As+x) ≈c (A, u)

semantic security

[Re05] Approx Worst Case SVP quantum-hard LWE Assumption

leak L(s)nqZs

Security for Adaptive Memory attack

Secret-key SK:Public-key PK:

),( xsAA

EncPK(b): )(, xAsrrA if b=0 urA, if b=1

- view the secret key s as a min-entropy source - encryption act as a randomness extractor from s

leak L(s)

But given (A, As+x), s is unique with prob 1-neg !!!

Show: Ciphertext ≈c Uniform, given public key and leakage.

nqZs

Proof of Security

Goal: Ciphertext ≈ Uniform, given PK and leakage.

AdvA

f

f(s)

),( xsAA

',uuAdvA

f

f(s)

),( xsAA

)(, xsArAr

c

≈c

REAL WORLD IDEAL WORLD

Proof of Security

Step 0 (Leap of faith)

AdvA

f

f(s)

),( xsAA

sArAr ,

“REAL” WORLD

Ignore xr

in ciphertext

Proof of Security

Step 1. Leftover hash lemma

AdvA

f

f(s)

),( xsAA

sArAr ,

“REAL” WORLD

Leftover Hash Lemma [ILL]

),(),( uAArA sIf r has “large min-entropy” and A is uniform and independent of r

AdvA

f

f(s)

),( xsAA

suu ,

EXPT 1

≈s

Would like to say: Proof of Security

AdvA

f

f(s)

),( xsAA

suu ,

EXPT 1

Step 2.

Change A to A' s.t

- A ≈ A'c

Given PK=(A, As+x) and f(s), SK=s has large entropy- Given PK=(A', A's+x) and f(s), SK=s has large

entropy

Step 3.

Leftover hash lemma →

)',(),( uusuu s

≈c

AdvA

f

f(s)

)','( xsAA

',uu

IDEAL WORLD

O

a1

a2

As

As+x

O

a1 a2

≈c

A'A

([GKPV’09], similar to [P’09])

Main Idea: Lattice Lemma [GKPV]

O

a1

a2

As

As+x

O

a1 a2

A

Change distribution of A to A’ and ``Introduce entropy’’ into the distribution of secret key s

- Show A' ≈c A - s has large average min-entropy [DRS07] given PK =(A’,A’s+x) and f(s)

A’

Under LWE

Average Conditional Min-Entropy [DORS]

Probability distribution X over {0,1}n

H’1(X|Z) = - log E z(maxx Pr[X=x|Z=z])

Lemma [DORS]:

• if Z takes at most 2k values, then H’1(X|Z)>H’1(X)–k

•. Can Extract: Given H’1(X|Z) > H’1(X) – k and 2-universal Ext, (S, Ext(X,S), Z) (S,U,Z)

(any randomness extractor works with a distribution

with high entropy in this sense)

Represents the worst case predictability by an adversary who may also observe correlated Z probability of the most likely value of X

Proof of Security

AdvA

f

f(A’,s,x)

),( xsAA

suu ,

EXPT 1

Step 2 (Lattice lemma)Change distribution of lattice into A s.t- A ≈ A'

c

- Given PK=(A, As+x), SK=s has large min-entropy

AdvA

f

f(A’,s,x)

)','( xsAA

suu ,

EXPT 2

≈c

Proof of Security

AdvA

f

f(A’,s,x)

)','( xsAA

suu ,

EXPT 2

Step 3 (Leftover hash)

Extract randomness from s

≈s

AdvA

f

f(A’,s,x)

)','( xsAA

',uu

IDEAL WORLD

“large”))(,,|( sfxsAAsH

Proof of Security

AdvA

f

f(A’,s,x)

)','( xsAA

Ideal world

Step 4 Switch back to A

≈c

AdvA

f

f(A,s,x)

),( xsAA

',uu

REAL WORLD

',uu

Identity Based Encryption (IBE)

• Shamir[86], Boneh-Franklin[90]: Identity Based Encryption (IBE)

– Can be used by user to periodically generate (pki,ski) keys for Laptops

• Memory Leakage from laptops: do we have IBE which is secure against it ?

Identity Based Encryption [AGV]

Theorem 1:

Theorem 2:

An IBE scheme which is semantically secureagainst an n-o(n) non-adaptive memory attack.

Assuming: LWE + random oracle model as in GPV

An identity-based encryption scheme semantically

secure against an (1-)n adaptive memory attack.

An IBE scheme of GentryPeikertVaikuntanathan08 is semantically secure against an n-o(n) non-adaptive memory attack.

The IBE scheme of GPV08 is semantically secure against an (1-)n adaptive memory attack.

Extending Model of Secret Key Leakage ??

Dodis, Kalai, Lovett STOC09: How about capturing more settings ?

Same secret-key used in many applications: e.g. Signatures and encryption using same secret

Maybe no pseudo entropy left in the secret

Hard to Invert Leakage functions [DKL09]

• nppt A, prob (A(f(x))=x] < 1/2α(n)

Adversary can choose any leakage function f to receives f(sk)

• f is poly-time computable

Relation to memory-attacks Yael will give lecture here next week

(n)-Auxiliary Input Security:

Extending Model of Secret Key Leakage ??

Alwen, Dodis, Walfish, Wichs: Bounded Retrieval Model

Thesis: Security parameter should be independent of leakagePropose: Absolute leakagePKC where everything except for secret key size is independent of leakageOther primitives as well in this model

Main Idea

Use leakage-resistant IBE = (Setup,KeyGen, Enc, Dec)

• PK = master public key MPK of IBE

• SK =ski for identities i=1…n

Encrypt(m):

• Choose random subset of ski of size t

• Secret Share(m) with shares m1..mt and encrypt shares ci=Enc(idi,mi). Let c = c1…ct

Why? Adversary at the time of leak does not know which secondary keys you will decrypt with and n>>l

Note: PK is not large but SK is.

Problems with Main Idea & Fix

• Problem: Leakage function L(MPK) may leak information on all secondary secret keys sk1..skn

– HW: Construct an example where this happens

• Main Idea’: – Construct HP-IBE: IBE based on Hash-Proof

Systems– Use the HP- IBE in Main Idea and get leakage-

resistant PKE in the BRM model

IB-HPS [Extend PKE-HPS to IB-HPS]

• IB-HPS: (Encap, Encap*, Decap) – (MPK,SPK)

– keyGen (id,SPK) outputs skid

– Encap (id,MPK) gives (c,k) [k is symm key] s.t,

– Decap (c, skid) gives k

– Encap* (id) outputs c’ c where c=Encap(id)

• Properties:– Decap(c,skid) unique for all skid with same id

– for c=Encap(id) c’=Encap*(id), c’ c, even given skid

– k=Decap(c, skid) is uniformly distributed for c’=Encap*(id)

• Gentry’s IBE implies such IBE-HP

– Dodis etal show how to get this from Gentry IBE

Final Construction: IB-HPS to leakage Resistant PKE (back to original idea)

• IB-HPS = (Setup, KeyGen, Encap, Encap*,Decap)

• PKE-KeyGen: let PK=MPK, let SK={ski i=1…n} for ski=keyGen(i,MSK)

• Encryt (m,pl):

– Choose random subset of ID= id1..idt of size t

– Let (C,K)= {(ci,ki)=Encap(idi)}.

– Let c= (ID,C,s,Ext(K,s)m) where s random seed• Decryt using Decap

Claim: Leakage resistant for l= N-2/t[N+nlogn] -3-5 where N= n|ski| and Ext is a strong extractor for a = Ent (K)

Proof idea

• Dist0: challenge=(ID,C,s,Ext(K,s)m) , leak• Dist1: challenge=(ID,C,s,Ext(K*,s)m) ,leak where

K*=decap(ci,skid )

• [By unique decapsulation from any sk]• Dist2: challenge=(ID,C*,s,Ext(K*,s)m), leak

where c* = encap*(id) k*=decap(c*,skid )

• [By encapsulation indist]• Dist3: challenge=(ID,C*,s,U)• [by uniformity of decap from encap*)• How much leakage: entropy type analysis

Indist holds even If sk was known, So certainly if leakIs known

MAIN OPEN QUESTION:Assumed a total bound on Leakage

• To extend to unbounded measurements each leaking a bounded amount– Move away from deterministic schemes andinject fresh randomness to secrets

• Part 1 Memory Leaks

• Part 2 Computation Leaks: Side Channel Attacks

Any computation on secrets leaks information

Read SKModify SKAdd Jump Consume PowerAllocate MemoryEmit Radiation

SK bit 1SK bit 2

…SK bit i

Algorithm with SK

Axiom: but Only Computation Leaks Information [Micali-Reyzin04]

Identify: Secure component Hthat computes some elementary function Implement Cryptographic Functionalities Securely when adversary Can fully observe all computation except for H

choose inputs

Micali Reyzin Example:

• Pseudo Random Number Generation:– Assume f one-way trapdoor permutation, – Assume that the H = lsb (f -1 (x))

• choose seed s • compute psr= HC(f -1 (s))||HC(f-1 (f-1 (x)))||

…||HC(f-k (x))• limit Adv to not see input to H

• f (s),…f

Axiom: but Only Computation Leaks Information [Micali-Reyzin04]

Identify: Secure component Hthat computes some elementary function Implement Cryptographic Functionalities Securely when adversary Can fully observe all computation except for H

choose inputs

Lets Ask for more: Security even if Adversary did Computation himself

Security when Adversary run entire executions himself, except for H

Securecomponents H

UNIVERSAL , SIMPLE

One Time Program [ G+Kalai+Rothblum08]

Use Very simple and universal secure hardware

Enable adversary to run single executions of any cryptographicfunctionality, learning nothing but the

output(provably No computational leakage)

A program which can be run by an adversary on single input, but is useless otherwise

P is one-time program for function f if1. Functionality

Computes f’s output on one input of user’s choice

2. One-Time SecrecyP leaks no more than f’s output on single input to an adversary with full access to P

P

x

f(x)

one-time programs

f(x)

P is Software-Hardware Package

Software

In clear

request

response

xSecure

Component H

– signature delegation

Delegation of Cryptographic Abilityin an insecure environment

(SK,PK)Want to sign

100 messages in presence of side channel

attacks

Store 100 OTP

SIGSK OTP = ( Software + secure hardware)

Hardware is not a black box

Side-channel attacks

Every COMPUTATION made in thehardware on secret data leaks information about it

Minimize computation in hardwareEliminate

ROK

ROK – Read One Key, Erase second keySimple: easy to scrutinize Universal: same hardware for all applicationsInspired by oblivious transfer [Rabin,EGL]

Key k0

Key k1 kb

b

No computation is ever done on the key which is erased resist all side channel attacks which result from computation

One-Time Compiler: Take 2

Theorem[GKR09] If secure fully homomorphic

encryption E exists [Gentry-stoc09], can compile any f into a one-time program for fsecure against all computational side channel attacks where program = software + m ROKs (where m = length of ciphertext ) andProgram Size O( time for single decryption)

New OTP: E(description of f) + OTP for a single decryptionTo compute f(x): compute E(f(x)) homomorphically;

decrypt E(f(x)) with OTP Almost…

Observations: Our Context

• May assume H resides in PC• No need for hardware implementation of H• Implemented in software, simply never see

the `other-key’ so it never leaks

Different Approach: Break Computation into Rounds [Dziembowski-Pietrzak]

• Break computation of PSRG=P1…Pk into rounds

• Make each round r depend only on part of SK, say SKr

• Leakage Model: any bounded length leakage L function of SKr may leak but only a function of SKr may leak in round r [ ` only computation ..axiom’]

Theorem: secure (,s) PSRG secure PSRG s.t. PiU with |L| =O(log(1/)) =log(1/)/2

– given P1…Pi-1 and View = L(Sk0)….L(skl-2)

– If also know L(skl-1), can only show Pl unpredictable

– E.g. =2-√n, then L =n/4

Questions

• Other primitives whose computation can be broken into rounds

• Strengthen [DP] psrg result – to get better dependence on e

– To accommodate leakage L(skl-1 )