Randomness Complexity of Private Circuits for Multiplication Sonia - - PowerPoint PPT Presentation

Randomness Complexity of Private Circuits for Multiplication

Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue, Emmanuel Prouff, Adrian Thillard, Damien Vergnaud

brief introduction

• side-channel attacks
• masking
• 𝑒-probing model

1/16

key-idea: for security at order 𝑒, split sensitive data 𝑦 into 𝑒 + 1 ran andom variables (shares) s.t. 𝑦 = 𝑦0 ⊕ 𝑦1 ⊕ ⋯ ⊕ 𝑦𝑒 2/16

key-idea: for security at order 𝑒, split sensitive data 𝑦 into 𝑒 + 1 ran andom variables (shares) s.t. 𝑦 = 𝑦0 ⊕ 𝑦1 ⊕ ⋯ ⊕ 𝑦𝑒

needs for a lot of randomness

2/16

randomness in cryptography

used everywhere:

• keys
• RSA prime factors
• ...

3/16

randomness in cryptography

used everywhere:

• keys
• RSA prime factors
• ...

strong properties:

• statistically random
• uniformly distributed
• independent
• ...

3/16

where does it come from? 4/16

where does it come from? in the real world: natural randomness 4/16

where does it come from? in the real world: natural randomness in practice:

• need special hardware
• slow
• bias or uneven distribution

4/16

where does it come from? in the real world: natural randomness in practice:

• need special hardware
• slow
• bias or uneven distribution

randomness should be considered as a resource, like space and time

4/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 0,1 𝑜′ 0,1 𝑛′ 𝑔(𝑦)

correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠 𝑒-priv privacy: for any set 𝑄 of 𝑒 wires in 𝐷 and for all 𝑦, 𝑧 ∈ 0,1 𝑜: {𝐷𝑄(𝐽 𝑦; 𝜍 ; 𝑠)}𝜍,𝑠 = {𝐷𝑄(𝐽 𝑧; 𝜍 ; 𝑠)}𝜍,𝑠

… … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 0,1 𝑜′ 0,1 𝑛′ 𝑔(𝑦) … … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 0,1 𝑛′ 𝑔(𝑦) … … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ 0,1 𝑜′

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 𝑔(𝑦) … … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ 0,1 𝑛′

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 𝑔(𝑦) … … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 𝑔(𝑦)

correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠

… … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ

5/16

private circuits

𝑔: 0,1 𝑜 → 0,1 𝑛 encoder 𝐽 . . .

𝜍1

circuit 𝐷 decoder 𝑃

𝑠

1

. . . . . . . . .

𝑦 𝑔(𝑦)

correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠 𝑒-priv privacy: for any set 𝑄 of 𝑒 wires in 𝑫 and for all 𝑦, 𝑧 ∈ 0,1 𝑜: {𝐷𝑄(𝐽 𝑦; 𝜍 ; 𝑠)}𝜍,𝑠 = {𝐷𝑄(𝐽 𝑧; 𝜍 ; 𝑠)}𝜍,𝑠

… … 𝑠

2

𝑠

𝑆

𝜍2 𝜍ℓ

5/16

ADDITIONS ONLY . . .

𝑏0𝑐0 𝑏0𝑐1 𝑏0𝑐2 𝑏𝑒𝑐𝑒−1 𝑏𝑒𝑐𝑒

. . .

𝑑0 𝑑1 𝑑𝑒 ⊕𝑗 𝑑𝑗 = 𝑏 ⋅ 𝑐 ⊕𝑗 𝑏𝑗 = 𝑏 ⊕𝑗 𝑐𝑗 = 𝑐 encoder circuit decoder 𝑠

1

… 𝑠

2

𝑠

𝑆

𝑏, 𝑐 ∈ 0,1 2 ↦ 𝑏 ⋅ 𝑐 ∈ 0,1

this paper

6/16

ADDITIONS ONLY . . .

𝑏0𝑐0 𝑏0𝑐1 𝑏0𝑐2 𝑏𝑒𝑐𝑒−1 𝑏𝑒𝑐𝑒

. . .

𝑑0 𝑑1 𝑑𝑒 𝑠

1

… 𝑠

2

𝑠

𝑆

6/16

ADDITIONS ONLY . . .

𝑏0𝑐0 𝑏0𝑐1 𝑏0𝑐2 𝑏𝑒𝑐𝑒−1 𝑏𝑒𝑐𝑒

. . .

𝑑0 𝑑1 𝑑𝑒 𝑠

1

… 𝑠

2

𝑠

𝑆

how much randomness is needed? 6/16

Ishai-Sahai-Wagner scheme

𝑏0𝑐0 𝑠

0,1

𝑠

0,1 ⊕ 𝑏0𝑐1 ⊕ 𝑏1𝑐0

𝑏1𝑐1 ⋯ 𝑠

0,𝑒 ⊕ 𝑏0𝑒 ⊕ 𝑏𝑒𝑐0

𝑠

1,𝑒 ⊕ 𝑏1𝑐𝑒 ⊕ 𝑏𝑒𝑐1

⋮ ⋮ ⋱ ⋮ 𝑠

0,𝑒−1

𝑠

0,𝑒

𝑠

1,𝑒−1

𝑠

1,𝑒

⋯ 𝑠

𝑒−1,𝑒 ⊕ 𝑏𝑒−1𝑐𝑒 ⊕ 𝑏𝑒𝑐𝑒−1

𝑏𝑒𝑐𝑒 𝑑0 𝑑1

⋮

𝑑𝑒−1 𝑑𝑒

7/16

Ishai-Sahai-Wagner scheme randomness complexity: 𝑒(𝑒 + 1)/2

𝑏0𝑐0 𝑠

0,1

𝑠

0,1 ⊕ 𝑏0𝑐1 ⊕ 𝑏1𝑐0

𝑏1𝑐1 ⋯ 𝑠

0,𝑒 ⊕ 𝑏0𝑒 ⊕ 𝑏𝑒𝑐0

𝑠

1,𝑒 ⊕ 𝑏1𝑐𝑒 ⊕ 𝑏𝑒𝑐1

⋮ ⋮ ⋱ ⋮ 𝑠

0,𝑒−1

𝑠

0,𝑒

𝑠

1,𝑒−1

𝑠

1,𝑒

⋯ 𝑠

𝑒−1,𝑒 ⊕ 𝑏𝑒−1𝑐𝑒 ⊕ 𝑏𝑒𝑐𝑒−1

𝑏𝑒𝑐𝑒 𝑑0 𝑑1

⋮

𝑑𝑒−1 𝑑𝑒

7/16

ADDITIONS ONLY . . .

𝑏0𝑐0 𝑏0𝑐1 𝑏0𝑐2 𝑏𝑒𝑐𝑒−1 𝑏𝑒𝑐𝑒 𝑠

1

… 𝑠

2

𝑠

𝑆

8/16 . . .

𝑑0 𝑑1 𝑑𝑒

ADDITIONS ONLY . . .

𝑏0𝑐0 𝑏0𝑐1 𝑏0𝑐2 𝑏𝑒𝑐𝑒−1 𝑏𝑒𝑐𝑒 𝑠

1

… 𝑠

2

𝑠

𝑆

any probe (wire value) has the form: 𝑞 = ໄ

𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2

𝑏𝑗𝑐

𝑘

⊕ ໄ

𝑙∈𝑍⊆ 1,…,𝑆

𝑠

𝑙

8/16 . . .

𝑑0 𝑑1 𝑑𝑒

any probe (wire value) has the form: 𝑞 = ໄ

𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2

𝑏𝑗𝑐

𝑘

⊕ ໄ

𝑙∈𝑍⊆ 1,…,𝑆

𝑠

𝑙

= Ԧ 𝑏𝑢 ⋅ 𝑁𝑞 ⋅ 𝑐 ⊕ Ԧ 𝑡𝑞

𝑢 ⋅ Ԧ

𝑠 with Ԧ 𝑏 = 𝑏0, … , 𝑏𝑒 , 𝑐 = 𝑐0, … , 𝑐𝑒 , Ԧ 𝑠 = 𝑠

0, … , 𝑠 𝑆 ,

𝑁𝑞 ∈ 0,1

𝑒+1 × 𝑒+1 , Ԧ

𝑡𝑞 ∈ 0,1 𝑆 8/16

any probe (wire value) has the form: 𝑞 = ໄ

𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2

𝑏𝑗𝑐

𝑘

⊕ ໄ

𝑙∈𝑍⊆ 1,…,𝑆

𝑠

𝑙

= Ԧ 𝑏𝑢 ⋅ 𝑁𝑞 ⋅ 𝑐 ⊕ Ԧ 𝑡𝑞

𝑢 ⋅ Ԧ

𝑠 with Ԧ 𝑏 = 𝑏0, … , 𝑏𝑒 , 𝑐 = 𝑐0, … , 𝑐𝑒 , Ԧ 𝑠 = 𝑠

0, … , 𝑠 𝑆 ,

𝑁𝑞 ∈ 0,1

𝑒+1 × 𝑒+1 , Ԧ

𝑡𝑞 ∈ 0,1 𝑆

any sum of probes has the form: Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 ⊕ Ԧ 𝑡𝑢 ⋅ Ԧ 𝑠

8/16

algebraic characterization

condition 1: a set of probes 𝑄 = 𝑞1, … , 𝑞ℓ satisfies condition 1 iff: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and 1, … , 1 is in the row (or column) space of 𝑁 9/16

algebraic characterization

condition 1: a set of probes 𝑄 = 𝑞1, … , 𝑞ℓ satisfies condition 1 iff: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and 1, … , 1 is in the row (or column) space of 𝑁 the theorem: 𝐷 is 𝑒-private ⇔ there does not exist 𝑄 = 𝑞1, … , 𝑞ℓ , ℓ ≤ 𝑒 that satisfies condition 1 9/16

proof sketch

⇒ assume 𝑞1, … , 𝑞ℓ such that: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and(1, … , 1) is in the column space of 𝑁

10/16

proof sketch

⇒ assume 𝑞1, … , 𝑞ℓ such that: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and(1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1)

10/16

proof sketch

⇒ assume 𝑞1, … , 𝑞ℓ such that: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and(1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ 1 2 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 1 if 𝑁 ⋅ 𝑐 = 1, … , 1

10/16

proof sketch

⇒ assume 𝑞1, … , 𝑞ℓ such that: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and(1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ 1 2 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 1 if 𝑁 ⋅ 𝑐 = 1, … , 1 then, Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 > Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = ത 𝑏

10/16

proof sketch

⇒ assume 𝑞1, … , 𝑞ℓ such that: ⨁𝑗=1

ℓ

𝑞𝑗 = Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 and(1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ 1 2 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 1 if 𝑁 ⋅ 𝑐 = 1, … , 1 then, Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 > Pr Ԧ 𝑏𝑢 ⋅ 𝑁 ⋅ 𝑐 = ത 𝑏 ⇐ a lot more technical...

10/16

upper bound

11/16

upper bound th theorem: there exists a 𝑒-private circuit for multiplication with randomness complexity Õ(𝑒).

11/16 randomness complexity of ISW: 𝑃 𝑒2 needs for a quadratic complexity?

proof sketch

probabilistic method: non-constructive! 12/16

proof sketch

probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1 $

12/16

proof sketch

probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1

𝑏0𝑐0 𝑏1𝑐0 𝑏0𝑐1 𝑏1𝑐1 ⋯ 𝑏0𝑐𝑒 𝑏1𝑐𝑒 ⋮ ⋮ ⋱ ⋮ 𝑏𝑒𝑐0 𝑏𝑒𝑐1 ⋯ 𝑏𝑒𝑐𝑒 𝑑0 𝑑1

⋮

𝑑𝑒

$

12/16

proof sketch

𝑑0 𝑑1

⋮

𝑑𝑒

…

= 𝑏𝑗𝑐

𝑘

⊕ ⊕ ⊕

12/16 probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1 $

proof sketch

𝑑0 𝑑1

⋮

𝑑𝑒

…

= 𝑏𝑗𝑐

𝑘

⊕ ⊕ ⊕ ⊕ ⊕ ⊕

= 𝜍𝑗,𝑘

12/16 probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1 $

proof sketch

𝑑0 𝑑1

⋮

𝑑𝑒

…

= 𝑏𝑗𝑐

𝑘

⊕ ⊕ ⊕ ⊕ ⊕ ⊕

= 𝜍𝑗,𝑘 correctness: 𝜍𝑒,𝑒 = ⊕𝑗,𝑘 𝜍𝑗,𝑘

12/16 probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1 $

proof sketch

𝑑0 𝑑1

⋮

𝑑𝑒

…

= 𝑏𝑗𝑐

𝑘

⊕ ⊕ ⊕ ⊕ ⊕ ⊕

= 𝜍𝑗,𝑘 correctness: 𝜍𝑒,𝑒 = ⊕𝑗,𝑘 𝜍𝑗,𝑘 𝑒-privacy: if 𝑆 = Õ 𝑒 , Pr 𝑗𝑡 𝑡𝑓𝑑𝑣𝑠𝑓 > 0 ⇒ at least one algorithm is 𝑒-private

12/16 probabilistic method: non-constructive! 𝑠

1, … , 𝑠 𝑆 random bits

𝜍𝑗,𝑘 = ⊕1≤𝑙≤𝑆 𝛽𝑗,𝑘,𝑙 ⋅ 𝑠

𝑗 with 𝛽𝑗,𝑘,𝑙 ← 0,1 $

lower bounds

13/16

lower bounds

theorem:

• 1. 𝑒-privacy ⇒ at least 𝑒 random bits (for 𝑒 ≥ 2)
• 2. 𝑒-privacy ⇒ at least 𝑒 + 1 random bits (for 𝑒 ≥ 3)

13/16

proof sketch of 1.

lemma: 𝑇0, 𝑇1 two sets of at most 𝑒 probes and 𝑡𝑐 = ⊕𝑞∈𝑇𝑐 𝑞 (𝑠

𝑗 ∉ 𝑡𝑐, ∀𝑗, 𝑐) ∧ (𝑡0 ⊕ 𝑡1 = 𝑏 ⋅ 𝑐) ⇒ 𝐷 is not 𝑒-private

14/16

proof sketch of 1.

suppose an algorithm 𝐷 with only 𝑠

1, … , 𝑠 𝑒−1 and let 𝑑0, … , 𝑑𝑒 the output of 𝐷

let 𝑂 = 𝑜𝑗,𝑘 1≤𝑗≤𝑒−1

1≤𝑘≤𝑒

∈ 0,1 (𝑒−1)×𝑒 s.t. 𝑜𝑗,𝑘 = 1 ⇔ 𝑠𝑗 ∈ 𝑑

𝑘

lemma: 𝑇0, 𝑇1 two sets of at most 𝑒 probes and 𝑡𝑐 = ⊕𝑞∈𝑇𝑐 𝑞 (𝑠

𝑗 ∉ 𝑡𝑐, ∀𝑗, 𝑐) ∧ (𝑡0 ⊕ 𝑡1 = 𝑏 ⋅ 𝑐) ⇒ 𝐷 is not 𝑒-private

14/16

proof sketch of 1.

suppose an algorithm 𝐷 with only 𝑠

1, … , 𝑠 𝑒−1 and let 𝑑0, … , 𝑑𝑒 the output of 𝐷

let 𝑂 = 𝑜𝑗,𝑘 1≤𝑗≤𝑒−1

1≤𝑘≤𝑒

∈ 0,1 (𝑒−1)×𝑒 s.t. 𝑜𝑗,𝑘 = 1 ⇔ 𝑠𝑗 ∈ 𝑑

𝑘

𝑂 has dimension 𝑒 − 1 × 𝑒 ⇒ 𝐿𝑓𝑠 𝑂 ≠ 0

lemma: 𝑇0, 𝑇1 two sets of at most 𝑒 probes and 𝑡𝑐 = ⊕𝑞∈𝑇𝑐 𝑞 (𝑠

𝑗 ∉ 𝑡𝑐, ∀𝑗, 𝑐) ∧ (𝑡0 ⊕ 𝑡1 = 𝑏 ⋅ 𝑐) ⇒ 𝐷 is not 𝑒-private

14/16

proof sketch of 1.

suppose an algorithm 𝐷 with only 𝑠

1, … , 𝑠 𝑒−1 and let 𝑑0, … , 𝑑𝑒 the output of 𝐷

let 𝑂 = 𝑜𝑗,𝑘 1≤𝑗≤𝑒−1

1≤𝑘≤𝑒

∈ 0,1 (𝑒−1)×𝑒 s.t. 𝑜𝑗,𝑘 = 1 ⇔ 𝑠

𝑗 ∈ 𝑑 𝑘

𝑂 has dimension 𝑒 − 1 × 𝑒 ⇒ 𝐿𝑓𝑠 𝑂 ≠ 0 let 𝑥 ∈ 𝐿𝑓𝑠 𝑂 − {0} 𝑇0 = 𝑑0 ∪ 𝑑𝑗 𝑥𝑗 = 0 and 𝑇1 = 𝑑𝑗 𝑥𝑗 = 1 satisfy requirements of lemma...

lemma: 𝑇0, 𝑇1 two sets of at most 𝑒 probes and 𝑡𝑐 = ⊕𝑞∈𝑇𝑐 𝑞 (𝑠

𝑗 ∉ 𝑡𝑐, ∀𝑗, 𝑐) ∧ (𝑡0 ⊕ 𝑡1 = 𝑏 ⋅ 𝑐) ⇒ 𝐷 is not 𝑒-private

14/16

automatic tool for finding attacks

• rder

2 3 4 5 6 [BBDFGS15] <1 ms 36 ms 108 ms 6,3 s 26 min this paper <10 ms <10 ms <10 ms <10 ms <10 ms

• based on the algebraic characterization
• relies on coding theory (information set decoding algorithms)
• not perfectly sound...
• much faster than Easycrypt-based [BBDFGS15]

table: time to find an attack

15/16

16/16

16/16

16/16

thank you!