
Leakage-Resilient Cryptography

Stefan Dziembowski (University of Rome La Sapienza) and Krzysztof Pietrzak (CWI Amsterdam). WPK 2009 Workshop on Cryptographic Protocols and Public-Key Cryptography, Bertinoro, 27.05.09.


Presentation Transcript


  1. Leakage-Resilient Cryptography. Stefan Dziembowski (University of Rome La Sapienza), Krzysztof Pietrzak (CWI Amsterdam). WPK 2009 Workshop on Cryptographic Protocols and Public-Key Cryptography, Bertinoro, 27.05.09.

  2. Plan
  • Motivation and introduction
  • Our model
  • Our construction
  • Extension of the construction

  3. How to construct secure cryptographic devices? The cryptographic scheme itself (CRYPTO) is very secure: its security is based on well-defined mathematical problems. Its implementation in a cryptographic device, however, is not secure!

  4. The problem: the cryptography (CRYPTO) is hard to attack; the implementation in the cryptographic device is easy to attack.

  5. Information leakage. Side channel information from the cryptographic device:
  • power consumption,
  • electromagnetic leaks,
  • timing information,
  • etc.

  6. The standard view. Theoreticians design the cryptography (CRYPTO); practitioners build its implementation in the cryptographic device. "Implementation is not our business!"

  7. A recent idea: design cryptographic protocols that are secure even on machines that leak information.

  8. The model. The adversary has the (standard) black-box access to the cryptographic scheme, plus additional access to its internal data.

  9. Some prior work
  • S. Chari, C. S. Jutla, J. R. Rao, P. Rohatgi. Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO 1999.
  • Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO 2003.
  • S. Micali and L. Reyzin. Physically Observable Cryptography (Extended Abstract). TCC 2004.
  • R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, and T. Rabin. Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering. TCC 2004.
  • C. Petit, F.-X. Standaert, O. Pereira, T. G. Malkin, M. Yung. A Block Cipher Based PRNG Secure Against Side-Channel Key Recovery. ASIACCS 2008.
  • A sequence of papers by F.-X. Standaert, T. G. Malkin, M. Yung, and others, available at the web page of F.-X. Standaert.

  10. Our contribution. We construct a stream cipher that is secure against a very large and well-defined class of leakages. Our construction is in the standard model (i.e. without random oracles).

  11. Stream ciphers ≈ pseudorandom generators. A short key X is expanded by the cipher S into a long stream K. A computationally bounded adversary should not be able to distinguish K from random.

  12. How do stream ciphers work in practice? From the short key X, the stream K is generated in rounds, one block per round: K1, K2, K3, K4, ... as time goes on.

  13. An equivalent security definition (by the standard hybrid argument): for every i, given the blocks K1, ..., K_{i-1} that the adversary already knows, the next block K_i should look random.

  14. Our assumption. We will assume that there is a leakage each time a key K_i is generated (i.e. leakage occurs in every round of S). The details follow...

  15. Leakage-resilient stream cipher - the model

  16. Examples of the "leakage functions" from the literature:
  • Y. Ishai, A. Sahai, and D. Wagner. Private Circuits: Securing Hardware against Probing Attacks. The adversary can learn the value of some wires of a circuit that computes the cryptographic scheme.
  • Another example (a "Hamming attack"): the adversary can learn the sum of the secret bits.

  17. We consider a very general class of leakages. In every i-th round the adversary chooses a poly-time computable "bounded-output function" f : {0,1}^n → {0,1}^m with m < n, and learns f(X). We say that the adversary "retrieved m bits" (in the given round).

  18. How much leakage can we tolerate? In our construction the total number of retrieved bits will be larger than the length of the secret key X (but in every round the number of retrieved bits will be much less than |X|; this per-round bound will be a parameter). How can we achieve this? By key evolution!

  19. Key evolution. In each round the secret key X gets refreshed: round i takes X_{i-1}, outputs K_i and leaves the refreshed key X_i (X0 → K1, X1; X1 → K2, X2; X2 → K3, X3; X3 → K4, ...). Assumptions: key evolution has to be deterministic (no refreshing with external randomness); also the refreshing procedure itself may cause leakage.

  20. How to define security? Is "indistinguishability" possible? Problem: if the adversary can "retrieve" just one bit of K_i, then he can distinguish it from random... Solution: indistinguishability will concern the "future" keys K_i, i.e. the key that has not yet been computed when the leakage happens.

  21. Security "without leakage". For every i: the adversary knows K1, ..., K_{i-1} (but never the intermediate keys X0, X1, X2, ...); the next key K_i should look random.

  22. Security "with leakage". For every round i the adversary chooses f_i and, once the round has run, learns f_i(X_{i-1}) together with K_i (so: f1(X0) and K1, f2(X1) and K2, f3(X2) and K3, ...). Given everything learned so far, the next key, not yet computed, should look random.

  23. Key evolution – a problem. Recall that: 1. the key evolution is deterministic; 2. the "leakage function" f_i can be any poly-time function. Therefore the function f_i can always compute the "future" keys.

  24. What to do? We use the principle introduced in: S. Micali and L. Reyzin. Physically Observable Cryptography. TCC 2004: "only computation leaks information", in other words: "untouched memory cells do not leak information".

  25. Divide the memory into three parts: L, C and R. L is accessed only in the even rounds, C is accessed always, and R is accessed only in the odd rounds. The contents in round i are (L_i, C_i, R_i): (L0, C0, R0) in round 0, (L1, C1, R1) in round 1, (L2, C2, R2) in round 2, (L3, C3, R3) in round 3, ...

  26. Our cipher – the outline. The key of the cipher = "the initial memory contents (L0, C0, R0)". Each round the procedure S maps the memory contents to the next ones: (L0, C0, R0) → S → (L1, C1, R1) → S → (L2, C2, R2) → S → (L3, C3, R3) → ...

  27. The output. The output is the contents of the "central" part of the memory: C → K, so from now on the memory contents in round i are written (L_i, K_i, R_i) instead of (L_i, C_i, R_i). All the keys K_i will be given "for free" to the adversary.

  28. The details of the model. The key is (L0, K0, R0). The adversary knows all the outputs K0, K1, K2, K3, ... and the leakages f1(R0), f2(L1), f3(R2), ..., where each f_i is chosen by the adversary and applied to the half of the memory accessed in round i (R in odd rounds, L in even rounds). Given everything learned up to round i, the next output K_{i+1} should look random.

  29. Leakage-resilient stream cipher - the construction

  30. How to construct such a cipher? Idea: use randomness extractors. A function Ext : {0,1}^k × {0,1}^r → {0,1}^m is an (ε,n)-randomness extractor if for
  • a uniformly random K, and
  • every X with min-entropy n
  we have that (Ext(K,X), K) is ε-close to uniform.

  31. Alternating extraction [DP, FOCS07]. With the key K0 and the two halves L and R, extract from the halves alternately: K1 = Ext(K0, R), K2 = Ext(K1, L), K3 = Ext(K2, R), ... (L and R themselves are never changed).

  32. A fact from [DP07]: even if a constant fraction of L and R leaks, the keys K1, K2, ... look "almost uniform".

  33. Idea: "add key evolution to [DP07]". What to do? Use a pseudorandom generator (prg) in the following way. Instead of K_{i+1} = Ext(K_i, R) with R fixed, compute (K_{i+1}, Y_{i+1}) = Ext(K_i, R_i) and refresh the half that was just used: R_{i+1} = prg(Y_{i+1}).

  34. Our scheme. Starting from (L0, K0, R0):
  round 1: (K1, Y1) = Ext(K0, R0), R1 = prg(Y1), L1 = L0;
  round 2: (K2, Y2) = Ext(K1, L1), L2 = prg(Y2), R2 = R1;
  round 3: (K3, Y3) = Ext(K2, R2), R3 = prg(Y3), L3 = L2;
  ...
  (Compare with [DP07] without key evolution: K1 = Ext(K0, R), K2 = Ext(K1, L), K3 = Ext(K2, R), ... with L and R never refreshed.)
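The scheme of slides 33–34, with the per-round leakage of slides 17–18 and the memory split of slide 25, as a runnable example. This is added code, not the authors' implementation: the slides only assume an (ε,n)-randomness extractor Ext and a pseudorandom generator prg, so HMAC-SHA256 standing in for Ext and SHAKE-256 for prg are assumptions of this example, as is the constructed key material. The leakage function is the "Hamming attack" of slide 16, applied in every round to the half of the memory that round touches; `run` reports that the total number of retrieved bits exceeds the key length while each round retrieves only a few bits, and checks that the untouched half really is left alone.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Toy instantiation of the two building blocks the slides take as given.
# ASSUMPTION of this example: HMAC-SHA256 stands in for the (eps,n)-randomness
# extractor Ext and SHAKE-256 for the pseudorandom generator prg. The slides
# do not prescribe either; they only require "some" Ext and "some" prg.
KEY_LEN = 32   # bytes in each K_i
HALF_LEN = 64  # bytes in each of the two halves L_i and R_i


def ext(key: bytes, source: bytes) -> Tuple[bytes, bytes]:
    """Ext(K_i, X) -> (K_{i+1}, Y_{i+1}): two domain-separated HMAC calls."""
    k_next = hmac.new(key, b"key|" + source, hashlib.sha256).digest()
    y_next = hmac.new(key, b"seed|" + source, hashlib.sha256).digest()
    return k_next, y_next


def prg(seed: bytes, out_len: int = HALF_LEN) -> bytes:
    """prg(Y_{i+1}) -> fresh contents for the half that was just used."""
    return hashlib.shake_256(seed).digest(out_len)


class AlternatingCipher:
    """State (L_i, K_i, R_i), as on slide 34. Round i computes
    (K_i, Y_i) = Ext(K_{i-1}, X) with X = R_{i-1} for odd i and X = L_{i-1}
    for even i, then overwrites X with prg(Y_i). The other half is neither
    read nor written, so under "only computation leaks information" the
    round-i leakage function f_i may only be applied to X."""

    def __init__(self, l0: bytes, k0: bytes, r0: bytes) -> None:
        self.L, self.K, self.R = l0, k0, r0
        self.i = 0

    def next_key(self, leak: Optional[Callable[[bytes], int]] = None):
        """Run round i; return (K_i, f_i(X)). K_i is the public output."""
        self.i += 1
        odd = self.i % 2 == 1
        active = self.R if odd else self.L
        leaked = leak(active) if leak is not None else None
        self.K, y = ext(self.K, active)
        if odd:
            self.R = prg(y)
        else:
            self.L = prg(y)
        return self.K, leaked


def hamming_leak(x: bytes) -> int:
    """The "Hamming attack" of slide 16: f(X) = number of set bits of X."""
    return sum(bin(b).count("1") for b in x)


# f : {0,1}^n -> {0,1}^m with n = 8*HALF_LEN; m = bits needed to write f(X).
HAMMING_BITS = (8 * HALF_LEN).bit_length()


def run(rounds: int, seed: bytes = b"constructed demo key material") -> Dict:
    """Drive the cipher for `rounds` rounds with Hamming leakage every round
    and account for the retrieved bits the way slide 18 does."""
    # Constructed key (L0, K0, R0), derived from a fixed string for the demo.
    l0 = hashlib.sha256(b"L0|" + seed).digest() * 2
    k0 = hashlib.sha256(b"K0|" + seed).digest()
    r0 = hashlib.sha256(b"R0|" + seed).digest() * 2
    cipher = AlternatingCipher(l0, k0, r0)
    keys, leaks, one_half_per_round = [], [], True
    for _ in range(rounds):
        before = (cipher.L, cipher.R)
        k, f = cipher.next_key(hamming_leak)
        after = (cipher.L, cipher.R)
        # Exactly one of L, R changes in a round; the other was untouched.
        one_half_per_round &= (before[0] == after[0]) != (before[1] == after[1])
        keys.append(k)
        leaks.append(f)
    return {
        "keys": keys,
        "leaks": leaks,
        "key_bits": 8 * (len(l0) + len(k0) + len(r0)),
        "bits_per_round": HAMMING_BITS,
        "total_retrieved": HAMMING_BITS * rounds,
        "one_half_per_round": one_half_per_round,
        "keys_distinct": len(set(keys)) == len(keys),
    }
```

With a 1280-bit key (two 64-byte halves plus a 32-byte K0) and 10 leaked bits per round, 200 rounds retrieve 2000 bits in total, more than the whole key, which is exactly the situation slide 18 says key evolution is meant to survive. Nothing in the example verifies that the K_i look random; that is the theorem of slides 35–36, and a heuristic Ext has no such guarantee.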

  35. Our results (1/2). Assume the existence of pseudorandom generators. Then the cipher constructed on the previous slides is secure against an adversary that in every round retrieves λ = ω(log(length of the key)) bits. This covers many real-life attacks (e.g. the "Hamming attack").

  36. Our results (2/2). Assume the existence of pseudorandom generators secure against exponential-size circuits. Then the cipher constructed on the previous slides is secure against an adversary that in every round retrieves λ = Θ(length of the key) bits.

  37. Main ingredients of the proof
  • Alternating extraction.
  • The following lemma. Let prg be a pseudorandom generator, f a bounded-output function, and S a uniformly distributed seed for the prg. Then, with high probability over x := f(S), the distribution P_{prg(S) | f(S) = x} is indistinguishable from a distribution having high min-entropy. This was proven independently in: Omer Reingold, Luca Trevisan, Madhur Tulsiani, and Salil Vadhan. Dense subsets of pseudorandom sets. FOCS 2008.

  38. Plan
  • Motivation and introduction
  • Our model
  • Our construction
  • Extension of the construction

  39. Look again at our model: in each round i the key X_{i-1} produces K_i; every K_i is first required to look random ("?") and is then handed to the adversary (K1 from X0, K2 from X1, K3 from X2, K4 from X3, K5 and K6 from X4 and X5, K7, ...).

  40. Problem – forward security. What if the adversary doesn't learn the K_i's? Does the leakage in the i-th round reveal something about the previous keys? (In the diagram the adversary learns K1, K3, K4 but does not learn K2.)

  41. Forward security – the definition. Suppose the adversary didn't learn K3 (while K1, K2, K4, K5, ... may all be learned). Even if the entire state later leaks, K3 should look random.

  42. Forward security - the solution. Idea: use different keys for "output" and for the "extraction".
  OLD: use K_i for refreshing the state and output K_i: (K_{i+1}, Y_{i+1}) = Ext(K_i, R_i), R_{i+1} = prg(Y_{i+1}).
  NEW: output K_i^out and use K_i^next for refreshing the state: (K_{i+1}^next, K_{i+1}^out, Y_{i+1}) = Ext(K_i^next, R_i), R_{i+1} = prg(Y_{i+1}).

  43. The modified scheme. Starting from (L0, K0^next, R0):
  round 1: (K1^next, K1^out, Y1) = Ext(K0^next, R0), R1 = prg(Y1);
  round 2: (K2^next, K2^out, Y2) = Ext(K1^next, L1), L2 = prg(Y2);
  round 3: (K3^next, K3^out, Y3) = Ext(K2^next, R2), R3 = prg(Y3);
  ...
  (Side by side with the original scheme: (K1, Y1) = Ext(K0, R0), R1 = prg(Y1); (K2, Y2) = Ext(K1, L1), L2 = prg(Y2); (K3, Y3) = Ext(K2, R2), R3 = prg(Y3); ...)
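The forward-security fix of slides 42–43 next to the original scheme of slide 34, as an added example (not the authors' code). The same assumptions as before apply: HMAC-SHA256 stands in for Ext, here with the three-way output (K^next, K^out, Y), SHAKE-256 for prg, and the key material is constructed. `forward_security_demo` runs both ciphers, then lets the adversary read the entire state after the last round, which is the situation of slide 41, and reports what that state contains: in the original scheme the most recent output K_i is still sitting in memory as the next extraction key, in the modified scheme no K_i^out ever is. It also shows what neither scheme can prevent (slide 23): because key evolution is deterministic, the compromised state lets the adversary compute all future outputs.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Same toy building blocks as in the earlier example (ASSUMPTION of this
# example: HMAC-SHA256 as Ext, SHAKE-256 as prg), but Ext now has the
# three-way output (K^next, K^out, Y) of slide 42.
HALF_LEN = 64


def ext3(key: bytes, source: bytes) -> Tuple[bytes, bytes, bytes]:
    """Ext(K_i^next, X) -> (K_{i+1}^next, K_{i+1}^out, Y_{i+1})."""
    def part(label: bytes) -> bytes:
        return hmac.new(key, label + source, hashlib.sha256).digest()
    return part(b"next|"), part(b"out|"), part(b"seed|")


def prg(seed: bytes, out_len: int = HALF_LEN) -> bytes:
    """prg(Y) -> fresh contents for the half that was just used."""
    return hashlib.shake_256(seed).digest(out_len)


class BasicCipher:
    """Slide 34: the output K_i is also the key used for the next extraction,
    so K_i stays in memory until round i+1 has consumed it."""

    def __init__(self, l0: bytes, k0: bytes, r0: bytes) -> None:
        self.L, self.K, self.R = l0, k0, r0
        self.i = 0

    def next_key(self) -> bytes:
        self.i += 1
        odd = self.i % 2 == 1
        active = self.R if odd else self.L
        self.K, _, y = ext3(self.K, active)   # the K^out slot is unused here
        if odd:
            self.R = prg(y)
        else:
            self.L = prg(y)
        return self.K

    def state(self) -> Tuple[bytes, bytes, bytes]:
        """Everything in memory: what a full state compromise reveals."""
        return (self.L, self.K, self.R)


class ForwardSecureCipher(BasicCipher):
    """Slide 43: K_i^next is kept for refreshing, K_i^out is emitted and never
    stored, so a later state compromise contains no past output."""

    def next_key(self) -> bytes:
        self.i += 1
        odd = self.i % 2 == 1
        active = self.R if odd else self.L
        self.K, k_out, y = ext3(self.K, active)  # self.K now holds K_i^next
        if odd:
            self.R = prg(y)
        else:
            self.L = prg(y)
        return k_out


def forward_security_demo(rounds: int = 3,
                          seed: bytes = b"constructed demo key material") -> Dict:
    """Run both schemes, then let the adversary read the entire state after
    round `rounds` (the situation of slide 41) and see what it gets."""
    # Constructed key (L0, K0, R0), derived from a fixed string for the demo.
    l0 = hashlib.sha256(b"L0|" + seed).digest() * 2
    k0 = hashlib.sha256(b"K0|" + seed).digest()
    r0 = hashlib.sha256(b"R0|" + seed).digest() * 2
    basic, fs = BasicCipher(l0, k0, r0), ForwardSecureCipher(l0, k0, r0)
    basic_out = [basic.next_key() for _ in range(rounds)]
    fs_out = [fs.next_key() for _ in range(rounds)]
    basic_state, fs_state = basic.state(), fs.state()

    # Deterministic key evolution (slide 23): from the compromised state the
    # adversary can always run the cipher forward; forward security only
    # protects the outputs produced *before* the compromise.
    clone = ForwardSecureCipher(*fs_state)
    clone.i = fs.i
    future_matches = clone.next_key() == fs.next_key()

    return {
        "basic_last_output_in_state": basic_out[-1] in basic_state,
        "fs_last_output_in_state": fs_out[-1] in fs_state,
        "fs_any_output_in_state": any(k in fs_state for k in fs_out),
        "future_predictable_from_state": future_matches,
    }
```

The check is deliberately literal: it looks for the output keys among the memory cells the adversary reads. That is the whole point of the split into K^next and K^out: K_i^out is a function of (K_{i-1}^next, X) that is never written back, so recovering it from later memory requires inverting Ext, which the basic scheme never asks of the adversary.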

  44. Subsequent work
  Using the "only computation leaks information" paradigm:
  • Krzysztof Pietrzak. A Leakage-Resilient Mode of Operation. EUROCRYPT 2009.
  • Public-key crypto in the generic groups: Kiltz and Pietrzak [Bertinoro 2009].
  Other:
  • Joel Alwen, Yevgeniy Dodis and Daniel Wichs. Leakage Resilient Public-Key Cryptography in the Bounded Retrieval Model. CRYPTO 2009.
  • Yevgeniy Dodis, Yael Tauman Kalai and Shachar Lovett. On Cryptography with Auxiliary Input. STOC 2009.
  • A. Akavia, S. Goldwasser and V. Vaikuntanathan. Simultaneous Hardcore Bits and Cryptography against Memory Attacks. TCC 2009.
  • Moni Naor and Gil Segev. Public-Key Cryptosystems Resilient to Key Leakage.

  45. Thank you!
