Provable Security against Side-Channel Attacks Matthieu Rivain - PowerPoint PPT Presentation

Provable Security against Side-Channel Attacks. Matthieu Rivain, matthieu.rivain@cryptoexperts.com. MCrypt Seminar, Aug. 11th 2014. Outline: 1. Introduction; 2. Modeling side-channel leakage; 3. Achieving provable security against SCA.


1. Provable Security against Side-Channel Attacks
Matthieu Rivain, matthieu.rivain@cryptoexperts.com
MCrypt Seminar, Aug. 11th 2014

2. Outline
1. Introduction
2. Modeling side-channel leakage
3. Achieving provable security against SCA


9. Side-channel attacks
Sound and temperature
• Proofs of concept in idealized conditions
• Minor practical threats on embedded systems
Running time
• Trivial solution: constant-time implementations
• Must be carefully addressed
  ◦ a timing flaw was still discovered in OpenSSL in 2011!
  ◦ timing flaws can be induced by the processor (cache, branch prediction, ...)
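
The constant-time point above, as an added example that is not part of the talk: a Python model of a timing channel in which the number of loop iterations stands in for running time. The early-exit comparison, the constant-time comparison, the attacker and the demo secret are all constructed here for illustration; none of them comes from the presentation.

```python
# Added example, not code from the talk: a timing side channel in an
# "operation count" model.  The loop-iteration count of a comparison stands
# in for its running time; the secret and the attacker are constructed here.
from typing import Callable, Tuple

Oracle = Callable[[bytes], Tuple[bool, int]]   # guess -> (accepted?, "time")

DEMO_SECRET = b"s3cret!"   # constructed demo value, not a real credential


def leaky_equal(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, iterations).
    The iteration count grows with the length of the matching prefix:
    that secret-dependent count is the timing leak."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Constant-time comparison: touches every byte and ORs the differences.
    The iteration count depends on the length only, never on the contents."""
    if len(secret) != len(guess):
        return False, 0
    acc, steps = 0, 0
    for a, b in zip(secret, guess):
        steps += 1
        acc |= a ^ b
    return acc == 0, steps


def recover_by_timing(oracle: Oracle, length: int) -> bytes:
    """Attacker that sees only the accept/reject bit and the 'time' of each query.
    Byte by byte it keeps the candidate that makes the comparison run longest;
    ties go to the first candidate, so nothing is recovered by luck."""
    found = bytearray(length)
    for pos in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            found[pos] = candidate
            accepted, steps = oracle(bytes(found))
            if accepted:
                return bytes(found)
            if steps > best_steps:
                best_byte, best_steps = candidate, steps
        found[pos] = best_byte
    return bytes(found)


def timing_is_secret_independent(cmp: Callable[[bytes, bytes], Tuple[bool, int]],
                                 secret: bytes) -> bool:
    """True when the iteration count is the same for matching prefixes of every length."""
    counts = set()
    for k in range(len(secret) + 1):
        guess = secret[:k] + bytes(b ^ 0xFF for b in secret[k:])  # mismatch at k
        counts.add(cmp(secret, guess)[1])
    return len(counts) == 1


def demo() -> Tuple[bytes, bytes]:
    """Runs the attack against both comparisons; returns (leaky result, constant-time result)."""
    n = len(DEMO_SECRET)
    leaky = recover_by_timing(lambda g: leaky_equal(DEMO_SECRET, g), n)
    ct = recover_by_timing(lambda g: constant_time_equal(DEMO_SECRET, g), n)
    return leaky, ct


if __name__ == "__main__":
    leaky, ct = demo()
    print("early-exit compare   ->", leaky, "recovered" if leaky == DEMO_SECRET else "not recovered")
    print("constant-time compare->", ct, "recovered" if ct == DEMO_SECRET else "not recovered")
```

Against leaky_equal the attacker recovers the secret with at most 256 queries per byte, because the iteration count grows with the matching prefix; against constant_time_equal every query costs the same and it learns nothing beyond the accept/reject bit. Equal iteration counts at the Python source level do not make the real execution constant-time: the interpreter and, as the slide says, the processor's cache and branch prediction add their own secret-dependent timing. For real comparisons use hmac.compare_digest or a reviewed constant-time primitive, and measure on the target.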


11. Side-channel attacks
Power consumption and EM emanations
• Close by nature (both come from switching activity)
• Can be modeled as weighted sums of the transitions
• EM can be more informative (placing of the probe) but assumes raw access to the circuit
• Both are noisy, i.e. non-deterministic
• Noise amplification by generating random switching activity
This talk: leakage = power consumption + EM emanations


14. Provable security
Traditional approach
• define an adversarial model (e.g. chosen-plaintext attacker)
• define a security goal (e.g. distinguish two ciphertexts)
Game diagram (Adversary A / Oracle / Challenger): the challenger samples k ←$ K; A queries the encryption oracle E(k,·) on messages m of its choice and receives c; A then submits m_0, m_1, the challenger samples b ←$ {0,1} and returns c* ← E(k, m_b); A outputs a guess b̂ and wins if b̂ = b.
Security reduction: if A exists with non-negligible |Pr[b̂ = b] − 1/2| then I can use A to efficiently solve a hard problem.


18. Provable security ... in the presence of leakage
Same game (Adversary A / Oracle / Challenger), but every computation now leaks: the oracle E(k,·) answers a query m with (c, ℓ), and the challenge encryption c* ← E(k, m_b) is returned together with q leakage observations ℓ*_1, ..., ℓ*_q. A outputs b̂ and wins if b̂ = b.
Issue: how to model the leakage?

19. Outline
1. Introduction
2. Modeling side-channel leakage
3. Achieving provable security against SCA

20. Modeling side-channel leakage
The encryption oracle cannot be seen as a mathematical function E(k,·): m ↦ c anymore, but as a computation.
• Two classical approaches to model computation:
  ◦ Turing machines (programs)
  ◦ Circuits
• How to model leaking computation?


23. Modeling side-channel leakage
Chronology
• Probing model (circuits, 2003)
• Physically observable cryptography (Turing machines, 2004)
• Leakage resilient cryptography (2008)
• Further leakage models for circuits (2010)
• Noisy leakage model (2013)
Presentation
• Leakage models for circuits
• Leakage models for programs


25. Leakage Models for Circuits
• [Ishai-Sahai-Wagner. CRYPTO 2003]
• Directed graph whose nodes are gates and edges are wires
Figure: example circuit with inputs in_1, in_2, in_3, gates Op_1, ..., Op_4, copy gates, a memory cell (mem), a randomness gate ($), outputs out_1, out_2, and wires w_1, ..., w_13.
• At each cycle, the circuit leaks f(w_1, w_2, ..., w_n)


28. Leakage Models for Circuits
• Probing security model [Ishai-Sahai-Wagner. CRYPTO 2003]
  ◦ the adversary gets $(w_i)_{i \in \mathcal{I}}$ for some chosen set $\mathcal{I}$ with $|\mathcal{I}| \le t$
• AC^0 leakage model [Faust et al. EUROCRYPT 2010]
  ◦ the leakage function f belongs to the AC^0 complexity class
  ◦ i.e. f is computable by (polynomial-size, unbounded fan-in) circuits of constant depth d
• Noisy circuit-leakage model [Faust et al. EUROCRYPT 2010]
  ◦ $f : (w_1, w_2, \ldots, w_n) \mapsto (w_1 \oplus \varepsilon_1, w_2 \oplus \varepsilon_2, \ldots, w_n \oplus \varepsilon_n)$ with $\varepsilon_i = 1$ with probability $p < 1/2$ and $\varepsilon_i = 0$ with probability $1 - p$
• These models fail to capture EM and power-consumption leakages!
• Circuits are not convenient to model software implementations (or algorithms / protocols)

29. Physically Observable Cryptography
• [Micali-Reyzin. TCC'04]
• Framework for leaking computation
• Strong formalism using Turing machines
• Assumption: Only Computation Leaks (OCL)
• Computation divided into subcomputations y ← SC(x)
• Each SC accesses a part of the state x and leaks f(x)
• f adaptively chosen by the adversary
• No actual proposal for f

30. Leakage Resilient Cryptography
• Model introduced in [Dziembowski-Pietrzak. STOC'08]
• Specialization of the Micali-Reyzin framework
• Leakage functions follow the bounded retrieval model [Di Crescenzo et al. TCC'06]: $f : \{0,1\}^n \to \{0,1\}^\lambda$ for some constant $\lambda < n$

31. Leakage Resilient Cryptography
• Example: LR stream cipher [Pietrzak. EUROCRYPT'09]
• Many further LR crypto primitives published so far
• Generic LR compilers
  ◦ [Goldwasser-Rothblum. FOCS'12]
  ◦ [Dziembowski-Faust. TCC'12]

32. Leakage Resilient Cryptography
• Limitation: the leakage of a subcomputation is limited to λ-bit values for λ < n (the input size)
• Side-channel leakage is far bigger than n bits
  ◦ although it may not remove all the entropy of x
Figure: Power consumption of a DES computation.

33. Noisy Leakage Model
• [Prouff-Rivain. EUROCRYPT 2013]
• OCL assumption (Micali-Reyzin framework)
• New class of noisy leakage functions
• An observation f(x) introduces a bounded bias in Pr[x]
  ◦ very generic

34. Notion of bias
• Bias of X given Y = y: $\beta(X \mid Y = y) = \|\Pr[X] - \Pr[X \mid Y = y]\|$, with $\|\cdot\|$ the Euclidean norm ($\Pr[X]$ and $\Pr[X \mid Y = y]$ taken as probability vectors indexed by $x \in \mathcal{X}$).
• Bias of X given Y: $\beta(X \mid Y) = \sum_{y \in \mathcal{Y}} \Pr[Y = y]\,\beta(X \mid Y = y)$.
• $\beta(X \mid Y) \in \left[0;\ \sqrt{1 - \frac{1}{|\mathcal{X}|}}\right]$ (independent / deterministic relation)
• Related to MI by: $\ln 2 \cdot \beta(X \mid Y)^2 \le \mathrm{MI}(X;Y) \le \frac{|\mathcal{X}|}{\ln 2}\,\beta(X \mid Y)$ (MI in bits; the lower bound is quadratic in the bias, by Pinsker's inequality; the upper bound is for uniformly distributed X)

35. Noisy Leakage Model
• Every subcomputation leaks a noisy function f of its input
  ◦ noise modeled by a fresh random-tape argument
• ψ is some noise parameter
• $f \in \mathcal{N}(1/\psi) \;\Rightarrow\; \beta(X \mid f(X)) < \frac{1}{\psi}$
• Captures any form of noisy leakage
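
The bias and mutual-information quantities of slide 34, the probing and noisy-wire leakages of slide 28 and the noise-parameter test of slide 35, as one added worked example in Python (this is not the talk's or the Prouff-Rivain paper's code). It assumes a one-bit secret Boolean-masked into n uniformly random shares and a uniform X (the MI upper bound relies on that); the helper names bias, mutual_information, joint_for, probing and noisy_wires are mine:

```python
# Added example, not code from the talk: the bias β(X|Y) and mutual information
# of slide 34, applied to the probing / noisy-wire leakages of slide 28 and to
# the noise parameter ψ of slide 35.  Assumptions (mine): the secret is a single
# bit x, Boolean-masked into n uniformly random shares with w_1 ⊕ ... ⊕ w_n = x,
# and X is uniform (the MI upper bound needs that).
import itertools
import math
from typing import Callable, Dict, Hashable, Tuple

Joint = Dict[Tuple[Hashable, Hashable], float]            # Pr[X = x, Y = y]
Leak = Callable[[Tuple[int, ...]], Dict[Hashable, float]]  # shares -> law of f(shares)


def bias(joint: Joint) -> float:
    """β(X|Y) = Σ_y Pr[Y=y] · ‖Pr[X] − Pr[X|Y=y]‖, Euclidean norm over x."""
    xs = sorted({x for x, _ in joint})
    ys = sorted({y for _, y in joint})
    px = {x: sum(joint.get((x, y), 0.0) for y in ys) for x in xs}
    total = 0.0
    for y in ys:
        py = sum(joint.get((x, y), 0.0) for x in xs)
        if py > 0.0:
            sq = sum((px[x] - joint.get((x, y), 0.0) / py) ** 2 for x in xs)
            total += py * math.sqrt(sq)
    return total


def mutual_information(joint: Joint) -> float:
    """MI(X;Y) in bits: Σ_{x,y} Pr[x,y] · log2(Pr[x,y] / (Pr[x] · Pr[y]))."""
    px: Dict[Hashable, float] = {}
    py: Dict[Hashable, float] = {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return sum(p * math.log2(p / (px[x] * py[y]))
               for (x, y), p in joint.items() if p > 0.0)


def bounds_hold(joint: Joint, tol: float = 1e-12) -> bool:
    """Slide 34 checks: 0 ≤ β ≤ sqrt(1 − 1/|X|) and ln2·β² ≤ MI ≤ (|X|/ln2)·β."""
    b, mi = bias(joint), mutual_information(joint)
    nx = len({x for x, _ in joint})
    return (0.0 <= b <= math.sqrt(1.0 - 1.0 / nx) + tol
            and math.log(2) * b * b <= mi + tol
            and mi <= nx * b / math.log(2) + tol)


def noisy_enough(joint: Joint, psi: float) -> bool:
    """Slide 35: f is in N(1/ψ) when β(X | f(X)) < 1/ψ."""
    return bias(joint) < 1.0 / psi


def maskings(x: int, n: int):
    """Every n-share Boolean masking of bit x, each with probability 2^-(n-1)."""
    for head in itertools.product((0, 1), repeat=n - 1):
        last = x
        for s in head:
            last ^= s
        yield head + (last,), 2.0 ** -(n - 1)


def joint_for(leak: Leak, n: int) -> Joint:
    """Joint law of (X, f(shares)) for uniform X ∈ {0,1} and leakage function 'leak'."""
    joint: Joint = {}
    for x in (0, 1):
        for w, pw in maskings(x, n):
            for y, p in leak(w).items():
                joint[(x, y)] = joint.get((x, y), 0.0) + 0.5 * pw * p
    return joint


def probing(probes: Tuple[int, ...]) -> Leak:
    """Probing model: the adversary reads wires w_i, i ∈ probes, exactly (no noise)."""
    return lambda w: {tuple(w[i] for i in probes): 1.0}


def noisy_wires(p: float) -> Leak:
    """Noisy circuit leakage: every wire leaks w_i ⊕ ε_i with Pr[ε_i = 1] = p < 1/2."""
    def leak(w: Tuple[int, ...]) -> Dict[Hashable, float]:
        dist: Dict[Hashable, float] = {}
        for eps in itertools.product((0, 1), repeat=len(w)):
            pe = 1.0
            for e in eps:
                pe *= p if e else 1.0 - p
            y = tuple(wi ^ e for wi, e in zip(w, eps))
            dist[y] = dist.get(y, 0.0) + pe
        return dist
    return leak


if __name__ == "__main__":
    # Noisy wires: the bias of x decays like (1 − 2p)^n / sqrt(2) with the share count n.
    for n in (1, 2, 3, 4):
        j = joint_for(noisy_wires(0.4), n)
        print(f"{n} share(s), p=0.4: bias={bias(j):.6f}  MI={mutual_information(j):.2e}"
              f"  bounds ok={bounds_hold(j)}  in N(1/5)={noisy_enough(j, 5)}")
    # Probing: 2 probes on 3 shares reveal nothing, 3 probes reveal x entirely.
    print("3 shares, 2 probes: bias =", bias(joint_for(probing((0, 1)), 3)))
    print("3 shares, 3 probes: bias =", bias(joint_for(probing((0, 1, 2)), 3)))
```

Running it shows the two facts the models rest on. In the probing model, t = n − 1 probes on n shares give bias 0 and MI 0 (the probed wires are uniform and independent of x), while reading all n shares gives β = √(1 − 1/2) ≈ 0.707 and MI = 1 bit. In the noisy-wire model with p = 0.4 the bias of x falls like (1 − 2p)^n / √2 as shares are added (0.141, 0.028, 0.0057, ...), which is exactly the quantity a masking proof in the noisy model has to bound, and the ln2·β² ≤ MI ≤ (|X|/ln2)·β sandwich of slide 34 holds in every case.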
