
Unifying Leakage Models on a Rényi Day



  1. Unifying Leakage Models on a Rényi Day. Dahmun Goudarzi², Ange Martinelli³, Alain Passelègue¹, Thomas Prest². LSIT, 31/05/2019

  2. Side-channel attacks in cryptography: power analysis attacks [KJJ99], electromagnetic attacks [Eck85, GMO01], timing attacks [Koc96, BB03], acoustic attacks [AA04, GST14].

  3. How do we modelize a leakage trace? Figure 1: Electromagnetic leakage trace after treatment [GPP+16].

  4. Leakage models
     Each node of interest follows a distribution $X$. Its leakage $Y$ is a randomized function $f(X)$.
     Concrete modelization of leakage
     ➳ Popular one is “Hamming weight + Gaussian” [BCO04]: $f(X) = \mathrm{HW}(X) + \mathcal{N}(0, \sigma)$
     Noisy leakage models
     ➳ “The leakage $Y$ biases the expected distribution of $X$”.
       ➵ [PR13]: bias metric is $\mathrm{EN}(X|Y) = \mathbb{E}_Y \| X - (X|Y) \|_2$
       ➵ [DDF14]: bias metric is $\mathrm{SD}(X|Y) = \frac{1}{2}\, \mathbb{E}_Y \| X - (X|Y) \|_1$
     ➳ Realistic but unwieldy
     ➳ Definition implicitly depends on $X$
     Probing models
     ➳ “The adversary may know exactly some nodes”
       ➵ Threshold [ISW03]: adv. chooses exactly $t$ nodes to probe
       ➵ Random [ISW03]: adv. probes each node with prob. $\varepsilon$
     ➳ Idealized but easy to use


  6. The cryptographer’s problem
     People propose secure compilers to protect circuits.
     We have circuit compilers and several shades of leakage models...
     (diagram layers: Concrete leakage modelizations; Noisy leakage models; Probing models; Circuit compilers)
     ... and we want to show in the most efficient way that a circuit compiler is secure for a concrete modelization of leakage.


  8. Previous and current works (diagram, layers from top to bottom)
     Concrete leakage: HW + Gaussian noise $\mathcal{N}(0, \sigma)$
     Noisy leakage models: RE-noisy leakage [this work]; ARE-noisy leakage [this work]; SD-noisy leakage [DDF14]; EN-noisy leakage [PR13]
     Probing models: Threshold probing [ISW03]; Random probing [ISW03]; Average random prob. [DFS15b]
     Secure compilers: Compiler of [ISW03]; Compilers of [ADF16, GJR17, AIS18]
     Arrow labels appearing in the diagram: “Empiric”, $\sqrt{\log N}$, $\log N$, $\lambda \cdot \log N$, $\sqrt{N}$, $N$, $N - 1$, $1$.

  9. Roadmap
     1. Unify the noisy leakage models and propose new ones
     2. Link the noisy leakage models to a concrete modelization of leakage
     3. Link the noisy leakage models to probing models
     4. Prove compilers directly in a noisy leakage model

  10. The Pointwise Mutual Information
      Definition (Pointwise mutual information). Let $X, Y$ be random variables over $\mathcal{X}$. We note:
      $$\mathrm{pmi}_{X,Y}(x, y) = \log\left( \frac{\Pr[X = x, Y = y]}{\Pr[X = x]\,\Pr[Y = y]} \right),$$
      $$\mathrm{PMI}_{X,Y}(x, y) = e^{\mathrm{pmi}_{X,Y}(x, y)} - 1 = \frac{\Pr[X = x, Y = y]}{\Pr[X = x]\,\Pr[Y = y]} - 1.$$
      Common tool in computational linguistics [CH89] as an association measure:
      1. pmi(“Sean”, “Penn”) ≫ 0;
      2. pmi(“Banana”, “Bag”) ≈ 0;
      3. pmi(“Bankruptcy”, “Success”) ≪ 0.
      The mutual information verifies $\mathrm{MI}(X; Y) = \mathbb{E}_{(X,Y)}\left[ \mathrm{pmi}_{X,Y} \right]$.


  12. Unifying Leakage Metrics from the PMI
      (Re)defining leakage metrics
      ➳ $\mathrm{EN}(X|Y) := \mathbb{E}_Y\left[ \sqrt{ \mathbb{E}_X\left[ P[X] \cdot \mathrm{PMI}^2 \right] } \right]$ [PR13]
      ➳ $\mathrm{SD}(X|Y) := \frac{1}{2} \cdot \mathbb{E}_X \mathbb{E}_Y\left[ |\mathrm{PMI}| \right]$ [DDF14]
      ➳ $\mathrm{ARE}(X|Y) := \mathbb{E}_Y\left[ \max_x |\mathrm{PMI}| \right]$ [this work, average relative error]
      ➳ $\mathrm{RE}(X|Y) := \max_{x,y} |\mathrm{PMI}|$ [this work, relative error]
      ➳ We show that our new metrics yield tighter (and often simpler) proofs than previous works [PR13, DDF14, DFS15b, DFS16]:
        ➵ ARE for proofs of type noisy leakage models → probing models
        ➵ RE for proofs of type noisy leakage models → secure compilers
      ➳ We believe this stems from the fact that:
        ➵ ARE and RE are worst-case metrics;
        ➵ EN and SD are average-case metrics.

  13. Some Nice Properties
      Relations with other metrics
      1. $2 \cdot \mathrm{SD}(X|Y) \le \mathrm{ARE}(X|Y) \le 2N \cdot \mathrm{SD}(X|Y)$;
      2. $2 \cdot \mathrm{SD}(X|Y)^2 \le \mathrm{MI}(X; Y) \le 2 \cdot \mathrm{RE}(X|Y) \cdot \mathrm{SD}(X|Y)$.
      ➳ The ARE- and SD-noisy leakage models are equivalent.
      ➳ Bounds on MI simpler/tighter than previous ones [DFS15a, DDF14].
      Self-reducibility
      Let $f : \mathcal{X} \to \mathcal{Y}$ be a randomized leakage function.
      1. If $f$ is $\delta$-RE-noisy for some $X$, then it is $\frac{2\delta}{1 - \delta}$-RE-noisy for any $X'$.
      2. If $f$ is $\delta$-ARE-noisy for some $X$, then it is $\frac{2\delta}{(1 - \delta)(1 - \delta_{\mathrm{RE}})}$-ARE-noisy for any $X'$.
      ➳ Consequence: we don’t care about the underlying distribution.
      ➳ [DFS16] has a similar theorem for SD, but with a $O(N)$ blow-up, and only for $X$ uniform.

  14. From Concrete Leakage to Noisy Leakage
      Figure 2: Distribution of $\mathrm{HW}(X)$ for $X$ uniform in $\{0, \dots, 2^4 - 1\}$.


  16. From Concrete Leakage to Noisy Leakage
      Figure 2: Distribution of $f(X) = \mathrm{HW}(X) + \mathcal{N}(0, \sigma)$ and $f(X) \mid (\mathrm{HW}(X) = k)$.
      Each metric (EN, SD, ARE, RE) can be interpreted as the average/max/... of:
      $$\left| \frac{f(X) \mid (\mathrm{HW}(X) = k)}{f(X)} - 1 \right|.$$

  17. From Concrete Leakage to Noisy Leakage
      We show that (omitting constant factors):
      ➳ $\mathrm{ARE}(X|f(X)) \sim \frac{\log N}{\sigma}$
      ➳ $\mathrm{EN}(X|f(X)) \sim \frac{1}{\sigma} \sqrt{\frac{\log N}{N}}$
      ➳ $\mathrm{RE}(X|f(X)) \sim \frac{\tau \log N}{\sigma}$
      ➳ $\mathrm{SD}(X|f(X)) \sim \frac{\sqrt{\log N}}{\sigma}$
      Key takeaway: SD, RE and ARE essentially scale at the same speed.


  19. Noisy Leakage ⇔ Random Probing
      Simulation-based proofs: “an adversary $S$ can simulate an adversary $A$”.
      ➳ if $A$ can break a scheme, so can $S$.
      ➳ if $S$ cannot break a scheme, neither can $A$.
      Simulating a noisy adversary with a random probing adversary
      ➳ [DDF14]: a $(N \cdot \delta)$-random prob. adv. can simulate a $\delta$-SD-noisy adv.
      ➳ [this work]: a $\delta$-random prob. adv. can simulate a $\delta$-ARE-noisy adv.
      ➳ Critical step is expressing $\varepsilon = 1 - \sum_y \min_x P[f(x) = y]$ from $\delta$:
        ➵ if $\delta = \mathrm{SD}(X|f(X))$, we lose a factor $N$ because “sum ≤ N × max”
        ➵ if $\delta = \mathrm{ARE}(X|f(X))$, no loss because “max ≤ max”
      ➳ We believe a fundamental reason is that random probing and ARE-noisy are “worst-case”, whereas SD-noisy is “average-case”.
      We also show that an ARE-noisy adv. can simulate a random probing adv.
      Consequence: ARE-noisy SD-noisy rand. prob. avg. rand.
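
Added example (not from the slides or the paper): the four metrics of slide 12 computed directly from the PMI for a small channel, so that the relations of slide 13 and the random-probing parameter ε of slide 19 can be checked numerically. It assumes X uniform on 4 bits and swaps the Gaussian noise for centred binomial noise so that every sum is finite; `hw_channel` and `leakage_metrics` are names chosen here.

```python
import math

def hw_channel(n_bits, k):
    """Joint law Pr[X=x, Y=y] for X uniform on n_bits bits and Y = HW(X) + E.
    Assumption: E is centred binomial noise on {-k..k}, a discrete stand-in
    for the Gaussian N(0, sigma) of the slides (its std is sqrt(k/2))."""
    N = 2 ** n_bits
    joint = {}
    for x in range(N):
        for e in range(-k, k + 1):
            joint[x, bin(x).count("1") + e] = math.comb(2 * k, k + e) / 4 ** k / N
    return joint

def leakage_metrics(joint):
    xs = sorted({x for x, _ in joint})
    ys = sorted({y for _, y in joint})
    px = {x: sum(joint.get((x, y), 0.0) for y in ys) for x in xs}
    py = {y: sum(joint.get((x, y), 0.0) for x in xs) for y in ys}
    # PMI(x, y) = Pr[x, y] / (Pr[x] Pr[y]) - 1; equals -1 where Pr[x, y] = 0
    pmi = {(x, y): joint.get((x, y), 0.0) / (px[x] * py[y]) - 1
           for x in xs for y in ys}
    return {
        "N": len(xs),
        # EN := E_Y sqrt(E_X[P[X] PMI^2])
        "EN": sum(py[y] * math.sqrt(sum(px[x] ** 2 * pmi[x, y] ** 2 for x in xs))
                  for y in ys),
        # SD := 1/2 E_X E_Y |PMI|, with X and Y drawn from their marginals
        "SD": 0.5 * sum(px[x] * py[y] * abs(pmi[x, y]) for x in xs for y in ys),
        # ARE := E_Y max_x |PMI|
        "ARE": sum(py[y] * max(abs(pmi[x, y]) for x in xs) for y in ys),
        # RE := max_{x,y} |PMI|
        "RE": max(abs(v) for v in pmi.values()),
        # MI = E_(X,Y)[pmi], in nats
        "MI": sum(p * math.log(p / (px[x] * py[y])) for (x, y), p in joint.items()),
        # eps = 1 - sum_y min_x Pr[f(x) = y]
        "eps": 1 - sum(min(joint.get((x, y), 0.0) / px[x] for x in xs) for y in ys),
    }

if __name__ == "__main__":
    for k in (2, 8, 32):
        m = leakage_metrics(hw_channel(4, k))
        print(k, {name: round(v, 4) for name, v in m.items()})
```

With this bounded-support noise RE stays at N − 1 = 15 however wide the noise is, because the extreme leakage values identify X exactly, while SD and MI shrink as k grows.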
