Randomness Complexity of Private Circuits for Multiplication Sonia - PowerPoint PPT Presentation

Randomness Complexity of Private Circuits for Multiplication Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue , Emmanuel Prouff, Adrian Thillard, Damien Vergnaud

brief introduction - side-channel attacks - masking - 𝑒 -probing model 1/16

key-idea: for security at order 𝑒 , split sensitive data 𝑦 into 𝑒 + 1 ran andom variables (shares) s.t. 𝑦 = 𝑦 0 ⊕ 𝑦 1 ⊕ ⋯ ⊕ 𝑦 𝑒 2/16

key-idea: for security at order 𝑒 , split sensitive data 𝑦 into 𝑒 + 1 ran andom variables (shares) s.t. 𝑦 = 𝑦 0 ⊕ 𝑦 1 ⊕ ⋯ ⊕ 𝑦 𝑒 needs for a lot of randomness 2/16

randomness in cryptography used everywhere: - keys - RSA prime factors - ... 3/16

randomness in cryptography used everywhere: - keys - RSA prime factors - ... strong properties: - statistically random - uniformly distributed - independent - ... 3/16

where does it come from? 4/16

where does it come from? in the real world: natural randomness 4/16

where does it come from? in the real world: natural randomness in practice: - need special hardware - slow - bias or uneven distribution 4/16

where does it come from? in the real world: natural randomness randomness should be considered as a resource, in practice: - need special hardware like space and time - slow - bias or uneven distribution 4/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 0,1 𝑜 ′ 0,1 𝑛 ′ 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠 privacy: for any set 𝑄 of 𝑒 wires in 𝐷 and for all 𝑦, 𝑧 ∈ 0,1 𝑜 : 𝑒 -priv {𝐷 𝑄 (𝐽 𝑦; 𝜍 ; 𝑠)} 𝜍,𝑠 = {𝐷 𝑄 (𝐽 𝑧; 𝜍 ; 𝑠)} 𝜍,𝑠 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 0,1 𝑜 ′ 0,1 𝑛 ′ 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 0,1 𝑛 ′ 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder 0,1 𝑜 ′ . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder 0,1 𝑛 ′ decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠 5/16

private circuits 𝑔: 0,1 𝑜 → 0,1 𝑛 𝑠 𝑠 𝑠 1 2 𝑆 … 𝜍 2 𝜍 1 𝜍 ℓ … circuit . encoder decoder . . . 𝑦 𝑔(𝑦) 𝐷 . . . 𝐽 𝑃 . . . . . correctness: 𝑃 𝐷 𝐽 𝑦; 𝜍 ; 𝑠 = 𝑔 𝑦 , ∀ 𝑦, 𝜍, 𝑠 privacy: for any set 𝑄 of 𝑒 wires in 𝑫 and for all 𝑦, 𝑧 ∈ 0,1 𝑜 : 𝑒 -priv {𝐷 𝑄 (𝐽 𝑦; 𝜍 ; 𝑠)} 𝜍,𝑠 = {𝐷 𝑄 (𝐽 𝑧; 𝜍 ; 𝑠)} 𝜍,𝑠 5/16

this paper 𝑏, 𝑐 ∈ 0,1 2 ↦ 𝑏 ⋅ 𝑐 ∈ 0,1 circuit decoder encoder 𝑠 𝑠 𝑠 1 2 𝑆 … 𝑏 0 𝑐 0 𝑏 0 𝑐 1 ADDITIONS 𝑏 0 𝑐 2 𝑑 0 𝑑 1 ⊕ 𝑗 𝑏 𝑗 = 𝑏 ⊕ 𝑗 𝑑 𝑗 = 𝑏 ⋅ 𝑐 . . . . ⊕ 𝑗 𝑐 𝑗 = 𝑐 . . 𝑑 𝑒 ONLY 𝑏 𝑒 𝑐 𝑒−1 𝑏 𝑒 𝑐 𝑒 6/16

𝑠 𝑠 𝑠 1 2 𝑆 … 𝑏 0 𝑐 0 𝑏 0 𝑐 1 ADDITIONS 𝑏 0 𝑐 2 𝑑 0 𝑑 1 . . . . . . 𝑑 𝑒 ONLY 𝑏 𝑒 𝑐 𝑒−1 𝑏 𝑒 𝑐 𝑒 6/16

𝑠 𝑠 𝑠 1 2 𝑆 … 𝑏 0 𝑐 0 𝑏 0 𝑐 1 ADDITIONS 𝑏 0 𝑐 2 𝑑 0 𝑑 1 how much randomness is needed? . . . . . . 𝑑 𝑒 ONLY 𝑏 𝑒 𝑐 𝑒−1 𝑏 𝑒 𝑐 𝑒 6/16

Ishai-Sahai-Wagner scheme 𝑠 0,𝑒 ⊕ 𝑏 0 𝑒 ⊕ 𝑏 𝑒 𝑐 0 𝑑 0 𝑏 0 𝑐 0 𝑠 0,1 ⊕ 𝑏 0 𝑐 1 ⊕ 𝑏 1 𝑐 0 ⋯ 𝑠 𝑑 1 𝑏 1 𝑐 1 𝑠 1,𝑒 ⊕ 𝑏 1 𝑐 𝑒 ⊕ 𝑏 𝑒 𝑐 1 0,1 ⋮ ⋮ ⋱ ⋮ ⋮ 𝑑 𝑒−1 𝑠 𝑠 𝑠 𝑒−1,𝑒 ⊕ 𝑏 𝑒−1 𝑐 𝑒 ⊕ 𝑏 𝑒 𝑐 𝑒−1 0,𝑒−1 1,𝑒−1 ⋯ 𝑠 𝑠 𝑑 𝑒 𝑏 𝑒 𝑐 𝑒 0,𝑒 1,𝑒 7/16

Ishai-Sahai-Wagner scheme 𝑠 0,𝑒 ⊕ 𝑏 0 𝑒 ⊕ 𝑏 𝑒 𝑐 0 𝑑 0 𝑏 0 𝑐 0 𝑠 0,1 ⊕ 𝑏 0 𝑐 1 ⊕ 𝑏 1 𝑐 0 ⋯ 𝑠 𝑑 1 𝑏 1 𝑐 1 𝑠 1,𝑒 ⊕ 𝑏 1 𝑐 𝑒 ⊕ 𝑏 𝑒 𝑐 1 0,1 ⋮ ⋮ ⋱ ⋮ ⋮ 𝑑 𝑒−1 𝑠 𝑠 𝑠 𝑒−1,𝑒 ⊕ 𝑏 𝑒−1 𝑐 𝑒 ⊕ 𝑏 𝑒 𝑐 𝑒−1 0,𝑒−1 1,𝑒−1 ⋯ 𝑠 𝑠 𝑑 𝑒 𝑏 𝑒 𝑐 𝑒 0,𝑒 1,𝑒 randomness complexity: 𝑒(𝑒 + 1)/2 7/16

𝑠 𝑠 𝑠 1 2 𝑆 … 𝑏 0 𝑐 0 𝑑 0 𝑏 0 𝑐 1 ADDITIONS 𝑑 1 𝑏 0 𝑐 2 . . . . . . ONLY 𝑏 𝑒 𝑐 𝑒−1 𝑑 𝑒 𝑏 𝑒 𝑐 𝑒 8/16

any probe (wire value) has the form: 𝑞 = ໄ 𝑏 𝑗 𝑐 ⊕ ໄ 𝑠 𝑘 𝑙 𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2 𝑙∈𝑍⊆ 1,…,𝑆 𝑠 𝑠 𝑠 1 2 𝑆 … 𝑏 0 𝑐 0 𝑑 0 𝑏 0 𝑐 1 ADDITIONS 𝑑 1 𝑏 0 𝑐 2 . . . . . . ONLY 𝑏 𝑒 𝑐 𝑒−1 𝑑 𝑒 𝑏 𝑒 𝑐 𝑒 8/16

any probe (wire value) has the form: 𝑞 = ໄ 𝑏 𝑗 𝑐 ⊕ ໄ 𝑠 𝑘 𝑙 𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2 𝑙∈𝑍⊆ 1,…,𝑆 𝑏 𝑢 ⋅ 𝑁 𝑞 ⋅ 𝑐 ⊕ Ԧ 𝑢 ⋅ Ԧ = Ԧ 𝑡 𝑞 𝑠 with Ԧ 𝑏 = 𝑏 0 , … , 𝑏 𝑒 , 𝑐 = 𝑐 0 , … , 𝑐 𝑒 , Ԧ 𝑠 = 𝑠 0 , … , 𝑠 𝑆 , 𝑒+1 × 𝑒+1 , Ԧ 𝑡 𝑞 ∈ 0,1 𝑆 𝑁 𝑞 ∈ 0,1 8/16

any probe (wire value) has the form: 𝑞 = ໄ 𝑏 𝑗 𝑐 ⊕ ໄ 𝑠 𝑘 𝑙 𝑗,𝑘 ∈𝑌⊆ 0,…,𝑒 2 𝑙∈𝑍⊆ 1,…,𝑆 𝑏 𝑢 ⋅ 𝑁 𝑞 ⋅ 𝑐 ⊕ Ԧ 𝑢 ⋅ Ԧ = Ԧ 𝑡 𝑞 𝑠 any sum of probes has the form: with Ԧ 𝑏 = 𝑏 0 , … , 𝑏 𝑒 , 𝑐 = 𝑐 0 , … , 𝑐 𝑒 , Ԧ 𝑠 = 𝑠 0 , … , 𝑠 𝑆 , 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ⊕ Ԧ 𝑡 𝑢 ⋅ Ԧ Ԧ 𝑠 𝑒+1 × 𝑒+1 , Ԧ 𝑡 𝑞 ∈ 0,1 𝑆 𝑁 𝑞 ∈ 0,1 8/16

algebraic characterization condition 1: a set of probes 𝑄 = 𝑞 1 , … , 𝑞 ℓ satisfies condition 1 iff: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and 1, … , 1 is in the row (or column) space of 𝑁 9/16

algebraic characterization condition 1: a set of probes 𝑄 = 𝑞 1 , … , 𝑞 ℓ satisfies condition 1 iff: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and 1, … , 1 is in the row (or column) space of 𝑁 the theorem: 𝐷 is 𝑒 -private ⇔ there does not exist 𝑄 = 𝑞 1 , … , 𝑞 ℓ , ℓ ≤ 𝑒 that satisfies condition 1 9/16

proof sketch ⇒ assume 𝑞 1 , … , 𝑞 ℓ such that: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and (1, … , 1) is in the column space of 𝑁 10/16

proof sketch ⇒ assume 𝑞 1 , … , 𝑞 ℓ such that: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and (1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) 10/16

proof sketch ⇒ assume 𝑞 1 , … , 𝑞 ℓ such that: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and (1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) 1 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ Pr Ԧ 2 1 if 𝑁 ⋅ 𝑐 = 1, … , 1 10/16

proof sketch ⇒ assume 𝑞 1 , … , 𝑞 ℓ such that: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and (1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) 1 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ Pr Ԧ 2 1 if 𝑁 ⋅ 𝑐 = 1, … , 1 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 > Pr Ԧ 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = ത then, Pr Ԧ 𝑏 10/16

proof sketch ⇒ assume 𝑞 1 , … , 𝑞 ℓ such that: 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 ℓ ⨁ 𝑗=1 𝑞 𝑗 = Ԧ and (1, … , 1) is in the column space of 𝑁 ⇒ there exists 𝑐′ ∈ 0,1 𝑒+1 s.t. 𝑁 ⋅ 𝑐′ = (1, … , 1) 1 if 𝑁 ⋅ 𝑐 ≠ (1, … , 1) 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 = ൞ Pr Ԧ 2 1 if 𝑁 ⋅ 𝑐 = 1, … , 1 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = 𝑏 > Pr Ԧ 𝑏 𝑢 ⋅ 𝑁 ⋅ 𝑐 = ത then, Pr Ԧ 𝑏 ⇐ a lot more technical... 10/16

upper bound 11/16

upper bound randomness complexity of ISW: 𝑃 𝑒 2 needs for a quadratic complexity? th theorem: there exists a 𝑒 -private circuit for multiplication with randomness complexity Õ(𝑒) . 11/16

proof sketch probabilistic method: non-constructive! 12/16