Chaotic Compilation A (Statistical) Cloak for a Secret Computer - - PowerPoint PPT Presentation

Chaotic Compilation A (Statistical) Cloak for a Secret Computer Peter T. Breuer ptb@hecusys.com

Hecusys LLC, Atlanta, GA, USA

Jonathan P. Bowen

London South Bank University, UK

Background

• Encrypted Computing

Data remains in encrypted form

One plaintext, many encryptions

• H/W Aliasing

One address, many memory locations

• Q. Does computing with encrypted

data compromise the encryption ?

⇓

Crash course: Encrypted Computing

encrypted inputs encrypted outputs encrypted internals

To answer an unasked question

• “Modified logic” is really only a

Modified arithmetic unit

Within standard processor logic

• 2013 paper shows that is enough for

encrypted (1-to-many) computing

A Security Problem ...

• Computation is logical!
• If x [*] x [=] x [+] x

goto hooray

… know x means 0, 2

… no matter the encryption

• Must hide algebraic relations

Human Bias

• Human programmers preferentially

Introduce small numbers 0,1, 2, …

• Bias permits guesses at encryptions

Success with higher than chance rate

• Lowers the effective encryption strength

Makes Known-Plaintext-Attack possible

Help from ISA Design

• Instruction Set Architecture

Malleability

∀ ins1 : x

y . ∃ ins2 : A[+]x

B[+]y

ins1, ins2 are indistinguishable to an

• bserver not privy to the encryption
• E.g. add t0 t1 E[1]

add t0 t1 E[1-A+B]

[+1] [+1-A+B]

Malleability and Chaotic Compilation

• 1. ISA Malleability allows the compiler to introduce

─ offset from nominal everywhere, different ...

• per instruction input, output
• per register and memory location, per instruction
• independently, randomly,

Stochastic compilation

• 2. Maximum entropy stochastic compilation

Chaotic compilation

• 3. (Shannon) compiler + programmer signals

statistically no relation between data at different points in runtime trace

Example – Ackermann(3,1)

Result = 13 Random trace entries Random program constants

The prime sieve (array/memory ex.)

Result = 7 (a prime) Random memory address Memory addresses are random, uniformly distributed

• Hardware must support that
• To maintain entropy, address of memory location is changed before every write

H-Max principle

• Each instruction that writes varies maximally (h)
• E.g.: Compile e1+e2 in register t0

code for e1 to go in t1 with offset E[k1] code for e2 to go in t2 with offset E[k2] add t0 t1 t2 E[k0-k1-k2]

• Compiler introduces one extra instruction that writes (add …)
• Full 32 bits of entropy are injected (k0)
• Every compiler construction follows h

⇒ The whole code has the property

⇒Traces vary to the maximal extent possible

H-min Condition

• Planned deltas for registers, memory, etc. are equal

where two control paths join (h)

trailer instructions in each path synchronize deltas

• If e then s1 else s2
• code for e in t0 with offset k0

bne t0 E[k0] else code for s1 leaves t1 with offset k1a add t1 t1 E[k1-k1a] ... b end else: code for s2 leaves t1 with offset k1b

• add t1 t1 E[k1-k1b]

... end: Two instructions share 32 bits of entropy (k1)

Remove H-min code ...

Unroll loops and inline function calls

⇒ Every piece of code is traversed just once ⇒ Only one instruction of group governed by H-Min executes ⇒ It gets all the entropy introduced by compiler for that group ⇒ Every instruction in the trace varies maximally ⇒ Data in the trace beneath the encryption is unrelated

(Shannon)

Security Proof

1.Unroll source code to exponential length in word-size n 2.Apply chaotic compilation 3.An attack of polynomial complexity in n falls in the

trace of the unrolled part

4.H-min does not apply there, so H-max does 5.Every data point beneath encryption is independent 6.Attack is an attack against encrypted random data

Encrypted computing does not compromise encryption

• 1. Chaotic compilation is stochastic compilation

introducing maximum entropy

• 2. A stochastic compiler works with ofsets from

nominal values (beneath the encryption)

• 3. Guaranteeing chaos means each compiler

construction compiles with H-max principle

• 4. Removing those constructs that do not have it …
• 5. Leaves traces that are statistically random
• 6. Attack is not aided by encrypted computing