Private Circuits Protecting Circuits Against Side-Channel Attacks Yuval Ishai Technion & UCLA Based on joint works with Manoj Prabhakaran, Amit Sahai, David Wagner


Posted 14-Dec-2015


TRANSCRIPT

Private Circuits: Protecting Circuits Against Side-Channel Attacks

Yuval Ishai Technion & UCLA

Based on joint works with

Manoj Prabhakaran, Amit Sahai, David Wagner

A Live Demonstration

• Can you keep secrets?

• … and now?

Talk Overview

• The goal

• Security definition

• Overview of results and techniques

• Open questions

The Goal

[Figure: the original circuit holds key s and maps input m to AES(s,m); the transformed circuit holds s’ and maps the same m to the same AES(s,m).]

• Same I/O functionality
• Keeps s secret even in the presence of side-channel attacks:
  – leakage
  – tampering

Comparison with Related Work

• Protecting general, reactive circuits
  – vs. realizing a specific task [DP08]
  – vs. a one-time computation [GKR08]

• Continuous and adaptive leakage/tampering
  – vs. bounded leakage [AGV09]

• Entire circuit susceptible to leakage/tampering
  – vs. “only computation leaks information” [MR04]
  – vs. “algorithmic tamper-proof security” [GLM+04]

The Model

[Figure: input and output ports around a circuit with memory.]

• In each cycle:
  – Adv chooses input
  – Adv chooses an admissible (t-bounded) attack: leakage and/or tampering from a specified class
  – Adv observes output + leakage
  – Memory state is updated

Circuit Transformers

• T=(TC,Ts), on inputs k,t, maps C to C’ and s0 to s0’.
• Ts must be randomized
  – Otherwise initial state s0 is revealed by probing
• C’ can be either randomized or (better yet) deterministic.

[Figure: T transforms circuit C with initial state s0 into circuit C’ with initial state s0’; both sit between input and output ports with memory.]

Security Definition

• T respects functionality: C’[s0’] has the same I/O functionality as C[s0]
• T protects privacy: for every C there is a simulator Sim such that, for every t-bounded Adv and every initial state s0, the output of SimAdv,C[s0] (Sim given oracle access to Adv and to C[s0]) is distributed like the view of Adv attacking C’[s0’]
  – Even in case of tampering, only privacy is required


Relation with Obfuscation

• C’[s0’] should act like a “virtual black-box” for C[s0].
  – Even in the presence of side-channel attacks
• Negative results for obfuscation [BGI+01,GK05] restrict the classes of attacks that can be tolerated
  – Can’t probe all wires in a single cycle
  – Can’t leak an arbitrary predicate of the state [BGI+01,GK05,DP06]
  – Can’t freely “edit” gates and wires


Results: Passive Attacks

• I-Sahai-Wagner03: probing attacks
  – Adv probes t wires in each cycle
  – Several circuit transformers
    • |C’| = O(t^2)·|C|, randomized
    • |C’| = O(t^2)·|C| + poly(t,k), deterministic
    • |C’| = Õ(|C|), t on the order of width(C), probes can’t be added within a cycle
  – Randomized routing technique
• Faust-Rabin-Reyzin-Tromer-Vaikuntanathan10:
  – constant-depth leakage (e.g., AC0) with t-bit output
    • |C’| = O((t+k)^2)·|C|
  – noisy leakage: each bit flipped with prob. p
    • |C’| = O(k^2)·|C|
  – both require tamper-proof, randomized “opaque gates”

Results: Tampering Attacks

• I-Prabhakaran-Sahai-Wagner 06:
  – Permanent Reset attacks, unbounded
    • |C’| = O(k^2)·|C|
  – Permanent Set/Reset/Toggle, up to t per cycle
    • |C’| = poly(k,t)·|C|
    • Requires AND gates of fan-in O(kt)
  – Both constructions can be made deterministic

Probing Attacks and MPC

[Figure: standard MPC among n parties, next to client-server MPC with input clients, servers, and output clients.]

• Standard MPC [BGW88,CCD88]: unconditional security if t<n/2 parties are passively corrupted.
• Client-server MPC: unconditional security if t<n/2 servers are corrupted.


• Further extending the MPC model:
  – Reactive functionalities
  – Mobile adversary [OY91]
  – No online randomness [CH94]

MPC on Silicon

[Figure: an input client feeds xi to servers S1, S2, S3; an initializer supplies s0; the servers repeat the computation cycle after cycle; an output client receives yi.]

• Conversely: a private circuit transformer yields an MPC protocol
  – TC = protocol compiler
  – Ts = initializer algorithm

MPC on Silicon?

• Very different optimization goals
  – Typical MPC: maximize resilience / #parties
  – Private circuits: maximize resilience / computation
• Ideally: many tiny parties, constant fractional resilience
• Using MPC protocols from the literature
  – BGW88:
    • Based on Shamir’s secret sharing
    • 2t+1 servers, Õ(t^2)·|C| computation, nontrivial field arithmetic
  – “GMW-lite” [GMW87,GV87,GHY87]:
    • Based on additive (XOR) secret sharing
    • t+1 servers, O(t^2)·|C| computation in the OT-hybrid model
    • Implement OT calls via additional servers!
    • ISW03 construction is an optimized version of this approach


Concrete ISW03 Implementation

• Secrets additively shared into m=2t+1 shares
• Given shares of a = a1 ⊕ … ⊕ am, b = b1 ⊕ … ⊕ bm
  – Compute shares of Not(a): apply NOT to a1
  – Compute shares ci of a AND b:
    • Let zi,j, i<j, be random independent bits
    • Let zj,i = (zi,j ⊕ aibj) ⊕ ajbi
    • Let ci = aibi ⊕ (⊕j≠i zi,j)
• Randomness gates eliminated by using 2t+1 copies of a PRG

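The NOT and AND gadgets of the slide above, as an added Python example that is not code from the talk or its authors: the AND gadget follows the slide's zi,j / zj,i / ci formulas, while the share generation and the correctness check are my own additions.

```python
import secrets

def xor_all(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc

def share(bit, m):
    """XOR-share a bit into m shares: bit = s[0] ^ ... ^ s[m-1]."""
    s = [secrets.randbits(1) for _ in range(m - 1)]
    return s + [bit ^ xor_all(s)]

def not_gadget(a):
    # Shares of NOT(a): flip the first share only, which flips the XOR of all shares.
    return [a[0] ^ 1] + a[1:]

def and_gadget(a, b):
    """ISW03 AND gadget: from m shares of a and of b, output shares c_i of a AND b.
    The talk uses m = 2t+1 shares for security against t probed wires per cycle."""
    m = len(a)
    z = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            z[i][j] = secrets.randbits(1)                        # z_{i,j}, i<j: fresh random bit
            z[j][i] = (z[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])  # z_{j,i}, in the slide's bracket order
    c = []
    for i in range(m):
        ci = a[i] & b[i]
        for j in range(m):
            if j != i:
                ci ^= z[i][j]                                    # c_i = a_i b_i XOR (XOR_{j!=i} z_{i,j})
        c.append(ci)
    return c

def gadgets_correct(t, trials=20):
    """Reconstructing the gadget outputs gives the plain NOT / AND result for all inputs (m = 2t+1)."""
    m = 2 * t + 1
    for _ in range(trials):
        for a_bit in (0, 1):
            for b_bit in (0, 1):
                a, b = share(a_bit, m), share(b_bit, m)
                if xor_all(and_gadget(a, b)) != (a_bit & b_bit):
                    return False
                if xor_all(not_gadget(a)) != 1 - a_bit:
                    return False
    return True
```

The bracket order in the zj,i line is what the probing argument relies on: each intermediate wire of the gadget is then masked by a fresh zi,j, so evaluating it in a different order changes the set of wires that leak, not the reconstructed result.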

Tampering Attacks

• Recall model
  – adversary can permanently set, reset, toggle t wires in each cycle
  – eventually, all wires can be tampered with!
  – can’t use standard MPC, error-correction, signatures…
• Idea: “self-destruct” if tampering is detected
  – How to implement if even the self-destruction mechanism can be tampered with?
• Idea: randomized mine-field
  – Any tampering attempt can trigger a mine
  – Few lucky tampering attempts do not harm

The High Level Approach

• Consider (unbounded) Reset attacks
• Encode each value in C by a pair of values
  – 0 encoded as 01
  – 1 encoded as 10
  – 00, 11 interpreted as an error value
• A Reset can either leave a value unchanged or turn it into the error value
• Propagate the error value to outputs and memory (self-destruct)
• Still need to worry about correlation between secrets and the error value
• Solution: Use ISW03 to get “k-wise independence”
  – Adv should get lucky k times to violate privacy
  – Being unlucky even a single time causes self-destruction
• General Set/Reset/Toggle attacks handled via longer encodings
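The pair encoding and its behaviour under a Reset, as an added Python model that is not from the talk: the error marker ERR, the gate functions and the checks are my own constructed choices, and only Reset attacks are modelled, as on the slide.

```python
# Constructed model of the pair encoding from the talk: 0 -> 01, 1 -> 10.
# The invalid pairs 00 and 11 are treated as an error value (named ERR here) that
# the circuit propagates to its outputs and memory, i.e. self-destruct.
ERR = "ERR"
ENCODE = {0: (0, 1), 1: (1, 0)}
DECODE = {(0, 1): 0, (1, 0): 1}

def decode(pair):
    return DECODE.get(pair, ERR)

def reset(pair, wire):
    """Permanent Reset attack: force one of the two wires of an encoded value to 0."""
    p = list(pair)
    p[wire] = 0
    return tuple(p)

def enc_not(x):
    # NOT on the encoding is a wire swap; 00 and 11 swap to themselves, so ERR survives.
    return (x[1], x[0])

def enc_and(x, y):
    # AND evaluated on decoded values and re-encoded; ERR on either input becomes ERR output.
    a, b = decode(x), decode(y)
    if ERR in (a, b):
        return (0, 0)
    return ENCODE[a & b]

def reset_outcomes():
    """Each single-wire Reset on each valid encoding: (original bit, decoded result)."""
    outcomes = set()
    for bit, pair in ENCODE.items():
        for wire in (0, 1):
            outcomes.add((bit, decode(reset(pair, wire))))
    return outcomes

def reset_never_flips():
    """A Reset leaves the bit unchanged or yields ERR; it never produces the other bit."""
    return all(result in (bit, ERR) for bit, result in reset_outcomes())

def error_propagates(depth=3):
    """Once a value is ERR it reaches the output through any chain of NOT and AND gates."""
    for bad in [(0, 0), (1, 1)]:
        x = bad
        for _ in range(depth):
            x = enc_and(enc_not(x), ENCODE[1])
        if decode(x) is not ERR:
            return False
    return True
```

What the model does not capture is the correlation the slide warns about: whether a given Reset produces ERR depends on the encoded bit, which is why the construction layers ISW03 sharing on top of this encoding.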

The Low-Level Details

• A hacker’s paradise…

Further Research: Leakage

• Extend feasibility to other classes of leakage
  – other realistic leakage classes (power analysis, …)
  – “only computation leaks information”
  – … anything that does not imply obfuscation
  – leakage-resilient MPC?
• Probing attacks
  – improve efficiency and resilience
  – motivates new MPC complexity questions
  – potential application for “MPC-friendly codes” [CC06,…]
• Constant-depth leakage
  – eliminate “opaque gates” and randomness
  – is [ISW03] secure?

Interactive Compression [FRRTV10]

• Compression algorithm for f [HN06]:

[Figure: input x goes to a compression algorithm that outputs a short string y; an unbounded “solver” recovers f(x) from y. In the leakage setting: x = shares of state, compression algorithm = leakage function, y = observed leakage, solver = adversary’s computation.]

Interactive Compression [FRRTV10]

• Can parity be compressed?
  – [Håstad]: circuits of depth d and size 2^(k^(1/d)) can’t compute XOR_k, so compression to k^(1/d) bits is hard for such circuits
  – [DI06]: even compression to k^0.99 bits is hard! So constant-depth leakage with t = k^0.99 is safe
• Previous compression model doesn’t handle adaptive attacks
  – reduction to the non-adaptive case yields poor bounds
  – motivates study of “interactive compression”

Communication Complexity Game

[Figure: a Weak party holding X=01000100111010 talks to a Strong party who must output Parity(X).]

• Circuit complexity: Weak sends one bit
• Compression: Weak sends t bits in one message
• Interactive compression: Weak sends t bits overall
• Challenge: good lower bounds for interactive compression

Further Research: Tampering

• Tolerate an unbounded number of attacks
  – Possible using tamper-proof components of size k
  – Open: use components of size O(1)
• Tolerate wider classes of tampering + leakage
• Develop a general theory
  – Apply general non-malleable codes [DPW10]
  – Tamper-resilient MPC

Conclusion

• Bottomless pool of open questions

• Motivate independently interesting theoretical questions
  – Leakage- and tamper-resilient MPC
  – Feasibility of relaxed obfuscation
  – Hardness of compression

• Relevance to practice?