Private Circuits: A Modular Approach

Yuval Ishai, Amit Sahai, Prabhanjan Ananth - PowerPoint PPT Presentation


  1. Private Circuits: A Modular Approach. Yuval Ishai, Amit Sahai, Prabhanjan Ananth

  2. Surveillance Devices: credit card details, SSN number, passwords, PGP keys, …

  3. Surveillance Devices: credit card details, SSN number, passwords, PGP keys, … Side Channel Attacks: adversary can obtain partial information (leakage) about the computation

  4. Leakage-Resilient Cryptography GOAL Protecting cryptographic schemes against side-channel attacks

  5. This Work: Leakage-Resilient Circuit Compilers [ISW03]

  6. Circuit Compilers: C → Compile → Ĉ

  7. Circuit Compilers: C → Compile → Ĉ; x → Encode ($$) → x̂; Ĉ(x̂) → Decode → C(x)

  8. Remarks • C, Ĉ contain NAND gates

  9. Remarks • C, Ĉ contain NAND gates - other bases for Ĉ: results can be adapted

  10. Remarks • C, Ĉ contain NAND gates - other bases for Ĉ: results can be adapted • Circuit compilation is deterministic

  11. Remarks • C, Ĉ contain NAND gates - other bases for Ĉ: results can be adapted • Circuit compilation is deterministic - compiled circuit is reusable; no trapdoors

  12. Remarks • C, Ĉ contain NAND gates - other bases for Ĉ: results can be adapted • Circuit compilation is deterministic - compiled circuit is reusable; no trapdoors • Ĉ can contain random-bit gates

  13. Leakage-Resilient Circuit Compilers

  14. Leakage-Resilient Circuit Compilers [figure: NAND-gate circuit computing Ĉ(x̂)]

  15. Leakage-Resilient Circuit Compilers [figure: NAND-gate circuit computing Ĉ(x̂), with its wire values fed to Leak] Bounded Leakage: leakage on computation of Ĉ on x̂

  16. What is Leak? • Global leakage: Leak is function of entire computation - low-complexity leakage classes [FRRTV11,Rot12] • Local leakage: adversary has partial view of computation - Wire-probing attacks [ISW03,…] - Split-state leakage-resilient compiler [GR12,…]

  17. What is Leak? • Global leakage: Leak is function of entire computation - low-complexity leakage classes [FRRTV11,Rot12] • Local leakage: adversary has partial view of computation - Wire-probing attacks [ISW03,…] - Split-state leakage-resilient compiler [GR12,…]

  18. What is Leak? • Global leakage: Leak is function of entire computation - low-complexity leakage classes [FRRTV11,Rot12] • Local leakage: adversary has partial view of computation - Wire-probing attacks [ISW03,…] - Split-state leakage-resilient compiler [MR03,DP08,GR12,…]

  19. What is Leak? • Global leakage: Leak is function of entire computation - low-complexity leakage classes [FRRTV11,Rot12] • Local leakage: adversary has partial view of computation (This Work!) - Wire-probing attacks [ISW03,…] - Split-state leakage-resilient compiler [MR03,DP08,GR12,…]

  20. Wire-probing attacks [ISW03, …] [figure: NAND-gate circuit in which some wire values are shown and the rest are marked "?", feeding Leak] Subset of values in the computation leaked

  21. Leakage-Resilience: Wire-probing attacks [ISW03,…] Worst Case Leakage: threshold t - Any t wires are leaked - Perfect simulation given t bits of input

  22. Leakage-Resilience: Wire-probing attacks [ISW03,…] Worst Case Leakage: threshold t - Any t wires are leaked - Perfect simulation given t bits of input Following [ISW03], several works study this setting… [RP10,KHL11,GM11,CPR13,CGPQR12,…] MPC on Silicon: applying MPC techniques to design secure hardware

  23. Leakage-Resilience: Wire-probing attacks [ISW03,…] Worst Case Leakage: threshold t - Any t wires are leaked - Perfect simulation given t bits of input Recent years: focus on randomness complexity [IKLOPSZ13,BBPPTV16,BBPPTV17]

  24. Randomness Complexity Randomness Complexity = # of random-bit gates

  25. Randomness Complexity Randomness Complexity = # of random-bit gates How many random-bit gates are needed?

  26. Randomness Complexity Randomness Complexity = # of random-bit gates How many random-bit gates are needed? [IKLOPSZ13] t^(3+ε) random-bit gates sufficient, for any ε > 0

  27. Randomness Complexity Randomness Complexity = # of random-bit gates How many random-bit gates are needed? [IKLOPSZ13] t^(3+ε) random-bit gates sufficient, for any ε > 0 Q: Is t^(3+ε) tight?

  28. Randomness Complexity Randomness Complexity = # of random-bit gates How many random-bit gates are needed? [IKLOPSZ13] t^(3+ε) random-bit gates sufficient, for any ε > 0 Q: Is t^(3+ε) tight? NO!

  29. Results: Worst-Case Probing Leakage-resilient compilers for s-sized circuits and threshold t

  30. Results: Worst-Case Probing Leakage-resilient compilers for s-sized circuits and threshold t - secure against t-wire probing attacks

  31. Results: Worst-Case Probing Leakage-resilient compilers for s-sized circuits and threshold t - secure against t-wire probing attacks - compiled circuit has size s ⋅ poly(t)

  32. Results: Worst-Case Probing Leakage-resilient compilers for s-sized circuits and threshold t - secure against t-wire probing attacks - compiled circuit has size s ⋅ poly(t) - randomness complexity = t^(1+ε), for any ε > 0

  33. Leakage-Resilience: Random Wire-probing attacks [ISW03,Ajtai10,ADF16]

  34. Leakage-Resilience: Random Wire-probing attacks [ISW03,Ajtai10,ADF16] Probabilistic Leakage: parameterized by (p,e) Real World: every wire in Ĉ(x̂) leaked with probability p. Ideal World: simulate leakage just given C. Real World ≈_e Ideal World

  35. Leakage-Resilience: Random Wire-probing attacks [ISW03,Ajtai10,ADF16] Probabilistic Leakage: parameterized by (p,e) Real World: every wire in Ĉ(x̂) leaked with probability p. Ideal World: simulate leakage just given C. Real World ≈_e Ideal World. Related to Noisy Leakage Model: [CJJR99,FRRTV10,DDF15,…]

  36. Prior works: Random Wire-Probing Attacks p = constant, e = negligible

  37. Prior works: Random Wire-Probing Attacks p = constant, e = negligible • [Ajtai10]: - highly complex

  38. Prior works: Random Wire-Probing Attacks p = constant, e = negligible • [Ajtai10]: - highly complex • [ADF16]: - simplifies Ajtai’s result - still uses heavy machinery (AG codes and expanders)

  39. Results: Random-Wire Probing Leakage-resilient circuit compiler against (p,e) -random probing attacks - for some 0 < p < 1 - e negligible in circuit size

  40. Results: Random-Wire Probing Leakage-resilient circuit compiler against (p,e) -random probing attacks - for some 0 < p < 1 - e negligible in circuit size p = 0.000065

  41. Results: Random-Wire Probing Leakage-resilient circuit compiler against (p,e) -random probing attacks - for some 0 < p < 1 - e negligible in circuit size - Simple composition-based approach; uses only elementary tools

  42. Results: Random-Wire Probing Leakage-resilient circuit compiler against (p,e) -random probing attacks - for some 0 < p < 1 - e negligible in circuit size Large gates: construction with p close to 1

  43. Leakage Tolerance

  44. Leakage Tolerance: x̂ = x, Ĉ(x̂) = C(x). Input encoding and Output decoding algorithms are identity functions

  45. Leakage Tolerance: x̂ = x, Ĉ(x̂) = C(x). Input encoding and Output decoding algorithms are identity functions. This implies leakage-resilience!

  46. Security Notions A fraction of input and output will be leaked • Worst-case: parameterized by t

  47. Security Notions A fraction of input and output will be leaked • Worst-case: parameterized by t Leakage simulatable given - t bits of input - t bits of output

  48. Security Notions A fraction of input and output will be leaked • Probabilistic: parameterized by (p, p’ ,e) Leakage simulatable given - every bit of input x w/ probability p’ - every bit of output C(x) w/ probability p’

  49. Results: Leakage Tolerance Worst Case: t-wire probing attacks • construction: randomness complexity t^(1+ε) • lower bound: require at least t random-bit gates

  50. Results: Leakage Tolerance Probabilistic Case: (p, p’, e)-random probing attacks [figure: axis for p running from 0 to 1] p < 0.00006, any p’ > p: Exists! p > 0.8, any p’ > p: Doesn’t exist

  51. Techniques

  52. Goal for this talk - Leakage-resilient circuit compiler - (p,e) -random probing attacks

  53. Starting Point: t-out-n Secure MPC [figure: Ĉ on inputs x_1, x_2, …, x_n alongside protocol Π(C) run by parties P_1, P_2, …, P_n]

  54. Starting Point: t-out-n Secure MPC [figure: Ĉ ≡ Π(C), inputs x_1, x_2, …, x_n, parties P_1, P_2, …, P_n] Leak State of P2 ≡ Passive Corruption of P2

  55. Leakage-Resilient Circuit Compiler: Ĉ = Π(C′). C′: Input: shares of x; Output: shares of C(x) - reconstruct x - compute C(x) - share C(x)

  56. Leakage-Resilient Circuit Compiler Security?

  57. Leakage-Resilient Circuit Compiler Security? If at most t wires leaked then the leakage can be simulated

  58. Leakage-Resilient Circuit Compiler If at most t wires leaked then the leakage can be simulated. Probability that more than t wires are leaked = Simulation error e: e ≤ exp( −(1 + t)² / (12 · poly(|C|) · p) ) (by Chernoff)
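The argument on slides 57 and 58 reduces the simulation error to the probability that random probing hits more than t wires. The following added example (not part of the talk) computes that probability exactly, cross-checks it by sampling the attack, and compares it with a tail bound. The parameters are constructed, and the bound is the textbook multiplicative Chernoff form rather than the slide's constant.

```python
import math
import random

def exact_failure_prob(n_wires, p, t):
    """Pr[more than t of n_wires leak] when each wire leaks independently w.p. p (0 < p < 1)."""
    log_p, log_q = math.log(p), math.log1p(-p)
    total = 0.0
    for k in range(t + 1, n_wires + 1):
        # log of C(n, k) * p^k * (1-p)^(n-k); log space avoids overflow for large n
        log_term = (math.lgamma(n_wires + 1) - math.lgamma(k + 1)
                    - math.lgamma(n_wires - k + 1)
                    + k * log_p + (n_wires - k) * log_q)
        total += math.exp(log_term)
    return min(total, 1.0)

def chernoff_bound(n_wires, p, t):
    """Textbook bound Pr[X >= (1+d)*mu] <= exp(-d^2 * mu / (2 + d)), an assumption
    standing in for the slide's constant; trivial (1.0) when t + 1 <= mu."""
    mu = n_wires * p
    a = t + 1
    if a <= mu:
        return 1.0
    delta = a / mu - 1.0
    return math.exp(-delta * delta * mu / (2.0 + delta))

def probe(n_wires, p, rng):
    """One run of the random probing attack: the set of leaked wire indices."""
    return {w for w in range(n_wires) if rng.random() < p}

def estimate_failure_prob(n_wires, p, t, trials=3000, seed=1):
    """Fraction of sampled attacks that leak more than t wires (simulation fails)."""
    rng = random.Random(seed)
    bad = sum(len(probe(n_wires, p, rng)) > t for _ in range(trials))
    return bad / trials

if __name__ == "__main__":
    n, p = 500, 0.02  # constructed: 500 wires, 2% leak probability per wire
    for t in (14, 20, 30):
        print(f"t={t:2d} exact={exact_failure_prob(n, p, t):.3e} "
              f"sampled={estimate_failure_prob(n, p, t):.3e} "
              f"chernoff<={chernoff_bound(n, p, t):.3e}")
```

Raising t relative to the expected number of leaked wires n·p drives the error down quickly, which is why the compiler needs an MPC threshold comfortably above n·p.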
