Foundations of Cryptography Lecture 2

Topics in Cryptography
Lecture 8
Side Channels: PKC resilient to key leakage
Lecturer: Moni Naor
Recap: Side Channels
• Standard Model vs. physical implementation
– Side channel: Any information not captured by the abstract
“standard” model
• Timing attacks against secret exponentiation
– With control on timing
– Through a network
– Protection: blinding
• Cache Attacks
– Exploits which addresses are being accessed
– Counter measure: Oblivious RAM
• Memory Attacks
– DRAM retains information longer than thought
– Defines a model: any short function of the key
Adversarial Models
STANDARD MODEL:
• Abstract models of computation
 – Interactive Turing machines
 – Private memory, randomness
 – ...
• Well-defined adversarial access
 – Can model powerful attacks
REAL LIFE:
• Physical implementations leak information (the device computing $E_k(m)$ is itself observable)
• Adversarial access not always captured by abstract models
Thesis of this course
• Must incorporate side-channel attacks in the design of systems, and not only at implementation time
• Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks
Proof by examples...
Homework
Timing attack of Kocher against RSA.
• Suppose: the time of each multiplication involving y is distributed according to a normal distribution
 – With known parameters.
 – Independent of everything else!
 – Show that this allows one to figure out the next bit of the secret exponent, given its first k-1 bits.
Basic Timing
Whether an iteration of the exponentiation loop takes a long time depends on the kth bit of the secret exponent: the multiplication step takes a while to compute, whereas skipping it is instantaneous.
Old observation: timing depends on the number of 1's. If all multiplications take the same time, that is all you get.
Not all multiplications were created equal
• Different timing given operands
• Assumption/Heuristic: timings of subsequent multiplications are independent
 – Given that we know the first k-1 bits of x: exact timing
 – Given a guess for the kth bit of x: exact guess
 – Time of remaining bits independent
Given a measurement of the total time, one can check whether there is a correlation between the events "kth step is long" and "total time is long".
Outline of Kocher's Attack
• Idea: guess some bits of the exponent;
 – Predict how long decryption will take
• If the guess is correct: will observe correlation
 – If incorrect, then the prediction will look random
 – The more bits you already know, the stronger the signal, thus easier to detect (error-correction property)
• Start by guessing a few top bits, look at correlations for each guess, pick the most promising candidate and continue
Works against systems under direct control
Homework: Oblivious Permutations
Suggest a method for permuting an array obliviously.
• Array M of size n
• The CPU has access to a permutation $\pi$ on n elements.
• At the end of the process the array M should be rearranged according to $\pi$:
 – The element that was in M[i] is now in $M[\pi(i)]$.
• The requirement is: for any two permutations $\pi$ and $\pi'$,
 – an eavesdropper that sees the locations accessed cannot distinguish whether the array is permuted according to $\pi$ or $\pi'$.
Small (secure) space and time to permute
Model
The CPU has a small private memory; it sends requests $q_i$ to the main memory and receives $M[q_i]$.
Oblivious RAM Requirements
Any sequence of locations $i_1, i_2, \ldots$ induces a distribution on sequences of requests $q_1, q_2, \ldots$
• Functionality: should be able to figure out the original content
• Security: for any two sequences of locations $i_1, i_2, \ldots$ and $i'_1, i'_2, \ldots$ the induced distributions of requests should be indistinguishable
Homework problem much more relaxed:
• Knowing in advance the order in which elements are accessed
• Constitute a permutation
Open ended
Ideas/hints:
• Routing permutations in networks
• Sorting networks
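One way to follow the "sorting networks" hint, as an added example that is not part of the lecture: tag every element with its target position $\pi(i)$ and sort the tags with Batcher's bitonic sorter. A sorting network compares a fixed list of index pairs that depends only on n, so the locations the CPU touches are the same for every $\pi$; the private memory holds only the two cells being compared. The function names and the power-of-two restriction are this example's own choices.

```python
# Oblivious permutation of an array via a sorting network (Batcher's bitonic
# sorter). Added example; not part of the lecture. The network compares fixed
# index pairs that depend only on n, so the sequence of memory locations the
# CPU touches is the same for every permutation pi.

def bitonic_network(n):
    """Yield the compare-exchange wires (i, j, ascending) of a bitonic sorter
    for n = 2^t inputs. The wiring depends only on n, never on the data."""
    k = 2
    while k <= n:
        j = k // 2
        while j > 0:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    yield i, partner, (i & k) == 0
            j //= 2
        k *= 2


def oblivious_permute(M, pi):
    """Return (M2, trace) where M2[pi[i]] == M[i] and trace is the list of
    memory-location pairs accessed, in order.

    Each element is tagged with its target position pi[i]; the tags are then
    sorted by the network. Private memory holds two elements at a time, and
    every compare-exchange reads both cells and writes both cells back
    (swapped or not), so the access pattern reveals nothing about pi."""
    n = len(M)
    if n & (n - 1):
        raise ValueError("this bitonic sorter needs n to be a power of two")
    mem = [(pi[i], M[i]) for i in range(n)]   # main memory: (tag, payload)
    trace = []
    for i, j, ascending in bitonic_network(n):
        trace.append((i, j))                     # what the eavesdropper sees
        a, b = mem[i], mem[j]                    # read both into private memory
        if (a[0] > b[0]) == ascending:           # tags are distinct, so no ties
            a, b = b, a
        mem[i], mem[j] = a, b                    # always write both back
    return [payload for _, payload in mem], trace


if __name__ == "__main__":
    data = list("abcdefgh")
    out, trace = oblivious_permute(data, [3, 0, 7, 1, 5, 2, 6, 4])
    print(out)
    print(len(trace), "accesses, independent of the permutation")
```

For n = 8 the network performs 24 compare-exchanges; running it on two different permutations produces identical traces, which is exactly the homework's indistinguishability requirement.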
Memory Attacks [HSHCPCFAF 08]
• Concern: Not only computation leaks information
• Memory retains its content after power is lost
(Figure: DRAM content read back 5 seconds, 30 seconds, 60 seconds and 5 minutes after power loss)
http://citp.princeton.edu/memory
Model: leakage of any function of the key
• Would like to allow the adversary to learn any function of the key
• Cannot withstand learning the full key
• Idea: limit the length of the function
• Would like to withstand as long a leakage as possible
Key-Leakage Attacks
Semantic security with key leakage [AGV 09] (Akavia, Goldwasser and Vaikuntanathan):
For any* leakage f(sk) and for any $m_0$ and $m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ and $E_{pk}(m_1)$
The game: the challenger generates (sk, pk) and sends pk; the adversary chooses f and receives f(sk); the adversary sends $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and sends $E_{pk}(m_b)$; the adversary outputs b'.
Clearly, cannot allow f(sk) that easily reveals sk
For now $f : SK \to \{0,1\}^\lambda$ for $\lambda < |sk|$
Is this the right model?
• Noisy leakage, as opposed to low-bandwidth leakage
• Leakage of intermediate values
 – Are intermediate values always erased?
 – Key generation process
 – Decryption process
• Keys generated using a "weak" random source
Not a perfect model, but still a good starting point
Discuss extensions later on
What We Know
• A generic method for protecting against key-leakage attacks
 – Main building block: Hash Proof Systems [CS 02]
 – Efficient instantiations, based on decisional Diffie-Hellman, with few exponentiations
• Chosen-ciphertext key-leakage attacks
 – A generic CPA-to-CCA transformation
 – Efficient schemes
• Extensions
 – Noisy leakage
 – Leakage of intermediate values
 – Weak random sources
Outline of the Talk
• Some tools
• The generic construction by examples
• A simple scheme: $\lambda \approx |sk|/2$
• Improved schemes: $\lambda \approx |sk|$
• Extensions of the model
• Conclusions, further work, and some rest...
Min-Entropy
Probability distribution X over $\{0,1\}^n$
$H_\infty(X) = -\log \max_x \Pr[X = x]$
Represents the probability of the most likely value of X
X is a k-source if $H_\infty(X) \geq k$ (i.e., $\Pr[X = x] \leq 2^{-k}$ for all x)
Statistical distance: $\Delta(X, Y) = \sum_a |\Pr[X = a] - \Pr[Y = a]|$
Extractors
Universal procedure for "purifying" an imperfect source
Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \epsilon)$-extractor if for any k-source X
$\Delta(\mathrm{Ext}(X, U_d), U_\ell) \leq \epsilon$
(Figure: a k-source x of length n and a "seed" s of d random bits enter EXT, which outputs ℓ almost-uniform bits)
Strong Extractors
Output looks random even after seeing the seed
Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \epsilon)$-strong extractor if
$\mathrm{Ext}'(x, s) = s \circ \mathrm{Ext}(x, s)$ is a $(k, \epsilon)$-extractor
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors
Example: $\mathrm{Ext}(x, (a, b))$ = first ℓ bits of $ax + b$ over $GF[2^n]$
• Output length $\ell = k - 2\log(1/\epsilon)$
• Seed length d = 2n; with almost pairwise independence, d = O(log n + k)
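The leftover-hash-lemma example above, worked out in code as an added illustration (not from the lecture): the extractor is the first ℓ bits of $ax + b$ over $GF[2^8]$, applied to a constructed flat 6-source (the 64 bytes whose top two bits are zero). For each sampled seed the statistical distance of the output from uniform is computed exactly, and the average over seeds is the quantity a strong extractor must bound. Using the first ℓ bits of x directly, without the hash, is shown alongside as the failing alternative. The field size n = 8, the source, the seed sample, and the helper names are this example's choices; the distance uses the 1/2 normalization.

```python
# Leftover-hash-lemma extractor over GF(2^8): Ext(x, (a, b)) = first ell bits
# of a*x + b. Added example, not from the lecture; the field size n = 8, the
# flat 64-element source and the seed sample are constructed here so that the
# statistical distance can be computed exactly per seed.
import random
from collections import Counter
from fractions import Fraction
from math import log2

N_BITS = 8
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) represented as 8-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def ext(x, seed, ell):
    """First ell bits of a*x + b over GF(2^8); (a, b) is the 2n-bit seed."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N_BITS - ell)


def first_bits(x, seed, ell):
    """Not an extractor: the first ell bits of x itself, ignoring the seed."""
    return x >> (N_BITS - ell)


def min_entropy(dist):
    """H_inf(X) = -log max_x Pr[X = x] for a dict value -> probability."""
    return -log2(max(dist.values()))


def stat_dist_from_uniform(counts, total, ell):
    """Delta(Y, U_ell) = 1/2 * sum_y |Pr[Y = y] - 2^-ell|, exact as a Fraction."""
    acc = Fraction(0)
    for y in range(1 << ell):
        acc += abs(Fraction(counts.get(y, 0), total) - Fraction(1, 1 << ell))
    return acc / 2


def avg_dist(source, seeds, ell, extractor):
    """Average over seeds of Delta(extractor(X, s), U_ell) for X uniform on
    `source`: the distance of (s, Ext(X, s)) from (s, U_ell), i.e. the
    strong-extractor quantity, over the sampled seeds."""
    acc = Fraction(0)
    for s in seeds:
        counts = Counter(extractor(x, s, ell) for x in source)
        acc += stat_dist_from_uniform(counts, len(source), ell)
    return acc / len(seeds)


def demo(ell=2, n_seeds=1024):
    # Constructed k-source: uniform over the 64 bytes whose top two bits are 0,
    # so H_inf = 6 = k while the first two bits of x carry no entropy at all.
    source = list(range(64))
    dist = {x: Fraction(1, len(source)) for x in source}
    k = min_entropy(dist)
    rng = random.Random(2024)
    seeds = [(rng.randrange(256), rng.randrange(256)) for _ in range(n_seeds)]
    return {
        "k": k,
        # epsilon from ell = k - 2 log(1/eps): here k = 6, ell = 2 gives 1/4
        "lhl_epsilon": Fraction(1, 2 ** ((int(k) - ell) // 2)),
        "first_bits": avg_dist(source, seeds, ell, first_bits),
        "hash": avg_dist(source, seeds, ell, ext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With k = 6 and ℓ = 2 the lemma's $\epsilon$ is 1/4; the hashed output lands well inside that bound, while the unhashed first two bits are always 00 and sit at distance 3/4 from uniform, whatever the seed.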
Sidebar: Weak Key-Leakage Attacks
Semantic security with weak key leakage:
For any* leakage f(sk) and for a random PK, for any $m_0$ and $m_1$ it is infeasible to distinguish $E_{pk}(m_0)$ and $E_{pk}(m_1)$
The game: the challenger generates (sk, pk); the adversary chooses f and receives f(sk) before seeing pk; the adversary then receives pk and sends $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and sends $E_{pk}(m_b)$; the adversary outputs b'.
Clearly, cannot allow f(sk) that easily reveals sk
For now $f : SK \to \{0,1\}^\lambda$ for $\lambda < |sk|$
What About Weak Attacks?
Leakage depends on the secret key only
Leakage function chosen by the adversary ahead of time, without any knowledge of the public key.
• Depends only on the properties of the hardware devices used for storing the secret key.
Generic construction transforming any encryption scheme (G, E, D)
Resilient to any weak leakage of L(1 - o(1)) bits, L the secret key length.
• Parameters:
 – leakage parameter $\lambda$
 – length of the random string used by the generation algorithm G: m
• Need: $\mathrm{Ext}: \{0,1\}^k \times \{0,1\}^d \to \{0,1\}^m$, a $(k - \lambda, \epsilon)$-strong extractor
• Key generation:
 – Choose $x \in \{0,1\}^k$ and $s \in \{0,1\}^d$
 – Compute (pk, sk) = G(Ext(x, s)).
 – Output PK = (pk, s) and SK = x.
• Encryption: choose r uniformly at random and output (E(pk, M; r), s).
• Decryption: given ciphertext (c, s) and secret key SK = x:
 – Compute (pk, sk) = G(Ext(x, s)) and output D(sk, c).
• Resilient to any weak leakage of L(1 - o(1)) bits:
 – Given f(x), the distribution of Ext(x, s) is close to uniform
Decisional Diffie-Hellman
Alice sends $g^x$ to Bob and Bob sends $g^y$ to Alice; both parties compute $K = g^{xy}$.
DDH assumption:
$(g, g^x, g^y, g^{xy}) \approx (g, g^x, g^y, g^z)$ for random $x, y, z \in \mathbb{Z}_q$
In the form used below:
$(g_1, g_2, g_1^r, g_2^r) \approx (g_1, g_2, g_1^{r_1}, g_2^{r_2})$ for random $g_1, g_2 \in G$ and $r, r_1, r_2 \in \mathbb{Z}_q$
A Simple Scheme: Key Generation
• G - group of order q
• $\mathrm{Ext} : G \times \{0,1\}^d \to \{0,1\}^{|m|}$ - strong extractor
Key generation
• Choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$
• Let $h = g_1^{x_1} g_2^{x_2}$
• Output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$
MAIN IDEA:
• Redundancy: any pk corresponds to many possible sk's
• $h = g_1^{x_1} g_2^{x_2}$ reveals only log(q) bits of information on $sk = (x_1, x_2)$
• Leakage of $\lambda$ bits $\Rightarrow$ sk still has min-entropy $\log(q) - \lambda$
A Simple Scheme: Encryption and Decryption
• G - group of order q
• $\mathrm{Ext} : G \times \{0,1\}^d \to \{0,1\}^{|m|}$ - strong extractor
Key generation: choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$
$\mathrm{Enc}_{pk}(m)$: choose $r \in \mathbb{Z}_q$ and a seed $s \in \{0,1\}^d$; output $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$
$\mathrm{Dec}_{sk}(u_1, u_2, s, e)$: output $e \oplus \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s)$
Correctness: $u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r$
A Simple Scheme: Security Theorem
Theorem: The scheme is resilient to any leakage of $\lambda \approx \log(q)$ bits
(more precisely $\lambda = \log(q) - |m|$, i.e., about half the size of sk)
Proof by reduction: an adversary for the encryption scheme yields a distinguisher for decisional Diffie-Hellman.
The distinguisher receives a DDH instance $(g_1, g_2, g_1^{r_1}, g_2^{r_2})$ and has to decide whether $r_1 = r_2$ or $r_1 \neq r_2$. It plays the key-leakage game with the adversary: it sends pk, answers the leakage query f with f(sk), receives $m_0, m_1$, returns a challenge $E_{pk}(m_b)$ built from the DDH instance, and uses the adversary's output b' to decide.
A Simple Scheme: Security Proof
Ciphertexts can be generated in two modes, which are computationally indistinguishable (not knowing sk):
• Valid: plaintext can be recovered, knowing sk
• Invalid: no info. on plaintext, given pk
Recall $h = g_1^{x_1} g_2^{x_2}$ and write the ciphertext $(g_1^r, g_2^r, s, \mathrm{Ext}(h^r, s) \oplus m)$ as
$(g_1^{r_1}, g_2^{r_2}, s, \mathrm{Ext}((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) \oplus m)$
• Valid ciphertext: $r_1 = r_2$
• Invalid ciphertext: $r_1 \neq r_2$. Writing $g_2 = g_1^w$ and $t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}$, the unknowns $(x_1, x_2)$ satisfy
 $x_1 + w x_2 = \log(h)$
 $r_1 x_1 + r_2 w x_2 = \log(t)$
 (logarithms to base $g_1$); for $r_1 \neq r_2$ the two equations are independent, so $t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}$ is uniformly distributed given pk and $(g_1^{r_1}, g_2^{r_2})$.
 Therefore, even given f(sk), $t$ has min-entropy $\geq \log(q) - \lambda$.
Proof of Security
The distinguisher gets a DDH instance $(g_1, g_2, u_1, u_2)$ and simulates the attack:
• Choose $sk = (x_1, x_2)$ and send $pk = (g_1, g_2, g_1^{x_1} g_2^{x_2})$
• Receive f and answer with f(sk)
• Receive $m_0, m_1$; choose b and a seed s, and send $u_1, u_2, s, \mathrm{Ext}(u_1^{x_1} u_2^{x_2}, s) \oplus m_b$
• Receive b'. If b' = b output "$r_1 = r_2$", otherwise "$r_1 \neq r_2$"
Case 1: $u_1 = g_1^r$ and $u_2 = g_2^r$
• Simulation is identical to the actual attack
• $\Pr[b' = b] = 1/2 + \epsilon$
Case 2: $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$
• Challenge independent of b
• $\Pr[b' = b] = 1/2$
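The simple scheme and its two ciphertext modes, as an added example that is not the lecture's or the paper's code. The group is a constructed toy, $p = 2q + 1 = 1019$ with G the order-q subgroup of $\mathbb{Z}_p^*$, chosen small on purpose so that all q secret keys matching one public key can be enumerated; the extractor is a toy pairwise-independent hash over $\mathbb{Z}_p$ truncated to ELL bits rather than the lecture's $GF[2^n]$ one. Besides key generation, encryption and decryption, the block checks the proof's central claim: from a valid pair $(g_1^r, g_2^r)$ every consistent key derives the same $h^r$, whereas from an invalid pair $(g_1^{r_1}, g_2^{r_2})$ with $r_1 \neq r_2$ the consistent keys derive every element of G, so the value is uniform given pk and the ciphertext.

```python
# The simple DDH-based scheme in its two ciphertext modes. Added example, not
# the lecture's or the paper's code. Constructed toy group: p = 2q + 1 = 1019
# is a safe prime, G is the order-q subgroup of Z_p^* (generated by G0 = 2^2),
# small enough to enumerate every secret key that matches a public key.
import random

P, Q, G0 = 1019, 509, 4    # constructed toy parameters, NOT secure
ELL = 4                     # plaintext length in bits = extractor output length


def ext(t, seed, ell=ELL):
    """Toy strong extractor: t -> a*t + b mod p, keeping the ell low-order bits
    (pairwise-independent hash; the bias from p not being a power of two is
    ignored in this toy, the lecture's Ext works over GF(2^n))."""
    a, b = seed
    return ((a * t + b) % P) & ((1 << ell) - 1)


def keygen(rng):
    """sk = (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2). Also returns w with
    g2 = g1^w, which the scheme never uses but the security proof reasons with."""
    g1 = pow(G0, rng.randrange(1, Q), P)
    w = rng.randrange(1, Q)
    g2 = pow(g1, w, P)
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (x1, x2), (g1, g2, h), w


def encrypt(pk, m, rng):
    """Valid ciphertext (g1^r, g2^r, s, Ext(h^r, s) xor m) with a single r."""
    g1, g2, h = pk
    r = rng.randrange(Q)
    seed = (rng.randrange(P), rng.randrange(P))
    return pow(g1, r, P), pow(g2, r, P), seed, ext(pow(h, r, P), seed) ^ m


def decrypt(sk, ct):
    """e xor Ext(u1^x1 u2^x2, s); for a valid ciphertext u1^x1 u2^x2 = h^r."""
    x1, x2 = sk
    u1, u2, seed, e = ct
    return e ^ ext(pow(u1, x1, P) * pow(u2, x2, P) % P, seed)


def consistent_keys(sk, w):
    """All q secret keys sharing sk's public key: (x1 + w*d, x2 - d), d in Z_q.
    Redundancy: pk reveals only log(q) of the 2 log(q) bits of sk."""
    x1, x2 = sk
    return [((x1 + w * d) % Q, (x2 - d) % Q) for d in range(Q)]


def hps_values(pk, keys, r1, r2):
    """Set of values u1^x1 u2^x2 the candidate keys derive from
    (u1, u2) = (g1^r1, g2^r2): one value if r1 == r2 (valid mode), all q group
    elements if r1 != r2 (invalid mode: uniform given pk and (u1, u2))."""
    g1, g2, _ = pk
    u1, u2 = pow(g1, r1, P), pow(g2, r2, P)
    return {pow(u1, x1, P) * pow(u2, x2, P) % P for x1, x2 in keys}


def demo():
    rng = random.Random(7)
    sk, pk, w = keygen(rng)
    m = 0b1011
    keys = consistent_keys(sk, w)
    g1, g2, h = pk
    return {
        "roundtrip_ok": decrypt(sk, encrypt(pk, m, rng)) == m,
        "all_keys_match_pk": all(pow(g1, a, P) * pow(g2, b, P) % P == h
                                 for a, b in keys),
        "valid_mode_values": len(hps_values(pk, keys, 5, 5)),
        "invalid_mode_values": len(hps_values(pk, keys, 5, 6)),
    }


if __name__ == "__main__":
    print(demo())
```

The set sizes are the whole argument in miniature: with $r_1 = r_2$ the 509 consistent keys agree on one value, with $r_1 \neq r_2$ they produce 509 distinct values, so a λ-bit leakage that leaves sk with min-entropy $\log(q) - \lambda$ leaves the extractor input with the same min-entropy.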
Hash Proof Systems
Ciphertexts can be generated in two modes, which are computationally indistinguishable:
• Valid: plaintext can be recovered, knowing sk
• Invalid: no information on plaintext, given pk
(many technical details...)
Previous scheme relies on a specific HPS
Known instantiations:
• Decisional Diffie-Hellman
• Linear family (bilinear groups)
• Quadratic residuosity
• Composite residuosity (Paillier)
Our general construction: HPS + randomness extraction
• Key-encapsulation mechanism resilient to key leakage
An Improved Scheme
• G - group of order q
Notation: for $(x_1, \ldots, x_n) \in \mathbb{Z}_q^n$ and $(g_1, \ldots, g_n) \in G^n$,
$(x_1, \ldots, x_n) \cdot (g_1, \ldots, g_n)^T = \prod_{i=1}^n g_i^{x_i}$
An Improved Scheme
• G - group of order q
• $\mathrm{Ext} : G^{n-k} \times \{0,1\}^d \to \{0,1\}^{|m|}$ - strong extractor
Key generation
• Choose $A \in G^{k \times n}$ and $x \in \mathbb{Z}_q^n$
• Let $y = Ax$
• Output $sk = x$ and $pk = (A, y)$
$\mathrm{Enc}_{pk}(m)$
• Choose $R \in \mathbb{Z}_q^{(n-k) \times k}$ and a seed $s \in \{0,1\}^d$
• Output $(RA, s, \mathrm{Ext}(Ry, s) \oplus m)$
$\mathrm{Dec}_{sk}(Q, s, e)$
• Output $e \oplus \mathrm{Ext}(Qx, s)$
Original scheme: k = 1, n = 2
An Improved Scheme
Theorem: The scheme is resilient to any leakage of length $\lambda \approx (1 - k/n)|sk|$, i.e., a $1 - o(1)$ fraction of the key as n grows
A new hash proof system
• Optimizes the ratio between secret key and encapsulated key
Based on the hardness of k-Linear [BBS 04]
• 1-Linear = DDH
• k-Linear is hard $\Rightarrow$ (k+1)-Linear is hard
• k-Linear is easy $\not\Rightarrow$ (k+1)-Linear is easy (in generic groups)
An Improved Scheme
We show that k-Linear implies the indistinguishability of:
• Random $P \in G^{n \times n}$ of rank k
• Random $P \in G^{n \times n}$ of rank n
(rank computed in $\mathbb{Z}_q^{n \times n}$ relative to a fixed generator $g \in G$)
[BHHO 08] proved the case k = 1
In the simplified scheme the matrix is
$\begin{pmatrix} g_1 & g_2 \\ g_1^{r_1} & g_2^{r_2} \end{pmatrix}$: rank 1 if $r_1 = r_2$, rank 2 if $r_1 \neq r_2$
Proof similar to the simplified scheme
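The improved scheme in the matrix notation above, as an added example that is not the lecture's or the paper's code, and general in k and n rather than only the k = 1, n = 2 case the text singles out. "Exponent vector times group vector" is implemented literally as $\prod_i g_i^{x_i}$, so $y = Ax$, $RA$, $Ry$ and $Qx$ are all computed in the group, and decryption works because $Qx = (RA)x = R(Ax) = Ry$. The toy group ($p = 2q + 1 = 1019$), the toy hash-based extractor on vectors, the bit length ELL and the helper names are this example's own assumptions; the leakage figure is the theorem's $(1 - k/n)|sk|$ with $|sk| = n \log q$, less the output length, in analogy with $\log(q) - |m|$ for the simple scheme.

```python
# The improved (matrix) scheme, with the lecture's notation: a vector of
# exponents times a vector of group elements is the product prod g_i^{x_i}.
# Added example, not from the lecture; toy group and toy extractor are
# constructed here (p = 2q + 1 = 1019, G = order-q subgroup of Z_p^*).
import math
import random

P, Q, G0 = 1019, 509, 4    # constructed toy parameters, NOT secure
ELL = 4                     # plaintext / extractor output length in bits


def ext(vec, seed, ell=ELL):
    """Toy strong extractor on a vector in G^(n-k): pairwise-independent hash
    sum a_i t_i + b mod p, truncated to ell bits (toy; bias ignored)."""
    coeffs, b = seed
    return (sum(a * t for a, t in zip(coeffs, vec)) + b) % P & ((1 << ell) - 1)


def gvec_times_exps(gs, xs):
    """(x_1..x_n) . (g_1..g_n)^T = prod g_i^{x_i} in G."""
    acc = 1
    for g, x in zip(gs, xs):
        acc = acc * pow(g, x, P) % P
    return acc


def mat_times_vec(A, x):
    """A in G^{k x n}, x in Z_q^n -> Ax in G^k, row i = prod_j A[i][j]^{x_j}."""
    return [gvec_times_exps(row, x) for row in A]


def exps_times_mat(R, A):
    """R in Z_q^{m x k}, A in G^{k x n} -> RA in G^{m x n},
    (RA)[i][j] = prod_l A[l][j]^{R[i][l]}."""
    cols = list(zip(*A))                       # column j of A
    return [[gvec_times_exps(col, Ri) for col in cols] for Ri in R]


def keygen(k, n, rng):
    A = [[pow(G0, rng.randrange(1, Q), P) for _ in range(n)] for _ in range(k)]
    x = [rng.randrange(Q) for _ in range(n)]
    return x, (A, mat_times_vec(A, x))         # sk = x, pk = (A, y = Ax)


def encrypt(pk, m, rng):
    A, y = pk
    k, n = len(A), len(A[0])
    R = [[rng.randrange(Q) for _ in range(k)] for _ in range(n - k)]
    seed = ([rng.randrange(P) for _ in range(n - k)], rng.randrange(P))
    Ry = [gvec_times_exps(y, Ri) for Ri in R]  # R times y, in the exponent
    return exps_times_mat(R, A), seed, ext(Ry, seed) ^ m


def decrypt(sk, ct):
    Qm, seed, e = ct
    return e ^ ext(mat_times_vec(Qm, sk), seed)   # Qx = (RA)x = R(Ax) = Ry


def leakage_bound_bits(k, n):
    """lambda ~ (1 - k/n)|sk| with |sk| = n log q, less the ELL output bits:
    the analogue of log q - |m| in the simple scheme (approximate)."""
    return (n - k) * math.log2(Q) - ELL


def demo():
    rng = random.Random(3)
    m = 0b0110
    sk, pk = keygen(2, 5, rng)                 # k = 2, n = 5
    sk1, pk1 = keygen(1, 2, rng)               # k = 1, n = 2: the simple scheme
    A1, y1 = pk1
    return {
        "roundtrip_ok": decrypt(sk, encrypt(pk, m, rng)) == m,
        "k1n2_is_simple_scheme": (len(A1) == 1 and len(A1[0]) == 2 and len(y1) == 1
                                  and decrypt(sk1, encrypt(pk1, m, rng)) == m),
        "leakage_bits_k1n2": leakage_bound_bits(1, 2),
    }


if __name__ == "__main__":
    print(demo())
```

For k = 1, n = 2 the public key is a single row $(g_1, g_2)$ with $y = g_1^{x_1} g_2^{x_2} = h$, and a ciphertext is $(g_1^r, g_2^r)$ plus the masked message, exactly the simple scheme.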
The Long Scheme
• Originally proposed by [BHHO 08] as a "circular-secure" scheme
• Fits into our generic construction
• $k \approx \lambda + 2\log(q)$
Key generation
• Choose $g_1, \ldots, g_k \in G$ and $s_1, \ldots, s_k \in \{0,1\}$
• Let $h = g_1^{s_1} \cdots g_k^{s_k}$
• Output $sk = (s_1, \ldots, s_k)$ and $pk = (g_1, \ldots, g_k, h)$
$\mathrm{Enc}_{pk}(m)$
• Choose $r \in \mathbb{Z}_q$
• Output $(g_1^r, \ldots, g_k^r, h^r \cdot m)$ ("built-in" extractor)
$\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$
• Output $e \cdot (u_1^{s_1} \cdot u_2^{s_2} \cdots u_k^{s_k})^{-1}$
Proof: a natural extractor
DDH implies the computational indistinguishability of:
• $g_1^r, \ldots, g_k^r$ for random r
• $g_1^{r_1}, \ldots, g_k^{r_k}$ for random $r_1, r_2, \ldots, r_k$
The reduction gets $(g_1, \ldots, g_k, u_1, \ldots, u_k)$, chooses $sk = (s_1, \ldots, s_k)$ and sends $pk = (g_1, \ldots, g_k, g_1^{s_1} g_2^{s_2} \cdots g_k^{s_k})$; it answers the leakage query f with f(sk), receives $m_0, m_1$, and sends the challenge $u_1, \ldots, u_k, (u_1^{s_1} \cdots u_k^{s_k}) m_b$. If b' = b it outputs "equal r", otherwise "not equal r's".
Case 1: $u_i = g_i^r$
Case 2: $u_i = g_i^{r_i}$
Security of Scheme
DDH implies the computational indistinguishability of:
• $g_1^r, \ldots, g_k^r$ for random r
• $g_1^{r_1}, \ldots, g_k^{r_k}$ for random $r_1, r_2, \ldots, r_k$
Want to argue that if $g_1^{r_1}, \ldots, g_k^{r_k}$ is used, then there is no information about the message m
The adversary knows:
• $h = g_1^{s_1} \cdots g_k^{s_k}$
• $u_1 = g_1^{r_1}, u_2 = g_2^{r_2}, \ldots, u_k = g_k^{r_k}$
Gets, instead of $h^r \cdot m_b$: $(u_1^{s_1} \cdot u_2^{s_2} \cdots u_k^{s_k}) \cdot m_b = g_1^{r_1 s_1} \cdots g_k^{r_k s_k} \cdot m_b$
Writing $g_i = g_1^{w_i}$, this gives information on $\sum_{i=1}^k w_i r_i s_i$ only
Can apply the leftover hash lemma!
Fact: $s \mapsto \sum_{i=1}^k w_i r_i s_i$, indexed by $r_1, r_2, \ldots, r_k$, is a pairwise independent family
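The long scheme and the "Fact" behind its built-in extractor, as an added example that is not the lecture's or the paper's code. The toy group is constructed ($p = 2q + 1 = 1019$, generator G0), deliberately small so that, for k = 2, all $q^2$ choices of $(r_1, r_2)$ can be enumerated: pairwise independence of $s \mapsto \sum_i w_i r_i s_i$ says two distinct keys collide for exactly q of the $q^2$ index values, and the block counts them. Key generation also returns the exponents $w_i$ with $g_i = g^{w_i}$, which only the analysis uses; the helper names are this example's own.

```python
# The long (BHHO) scheme and the "natural extractor" in its proof. Added
# example, not from the lecture; constructed toy group p = 2q + 1 = 1019,
# G = order-q subgroup of Z_p^* generated by G0, so q is small enough to
# enumerate all (r_1, r_2) in Z_q^2 for the pairwise-independence check.
import random

P, Q, G0 = 1019, 509, 4    # constructed toy parameters, NOT secure


def keygen(k, rng):
    """sk in {0,1}^k, pk = (g_1..g_k, h = prod g_i^{s_i}). Also returns the
    exponents w_i with g_i = G0^{w_i}, used only by the analysis below."""
    ws = [rng.randrange(1, Q) for _ in range(k)]
    gs = [pow(G0, w, P) for w in ws]
    s = [rng.randrange(2) for _ in range(k)]
    h = 1
    for g, si in zip(gs, s):
        h = h * pow(g, si, P) % P
    return s, (gs, h), ws


def encrypt(pk, m, rng):
    """m is a group element; output (g_1^r, ..., g_k^r, h^r * m)."""
    gs, h = pk
    r = rng.randrange(Q)
    return [pow(g, r, P) for g in gs], pow(h, r, P) * m % P


def decrypt(s, ct):
    """e * (prod u_i^{s_i})^{-1}; for a valid ciphertext the product is h^r."""
    us, e = ct
    t = 1
    for u, si in zip(us, s):
        t = t * pow(u, si, P) % P
    return e * pow(t, P - 2, P) % P            # inverse mod p by Fermat


def mask_exponent(ws, s, rs):
    """In the invalid mode u_i = g_i^{r_i} the mask prod u_i^{s_i} equals
    G0^{sum w_i r_i s_i}, so it depends on s only through this sum mod q."""
    return sum(w * r * si for w, r, si in zip(ws, rs, s)) % Q


def collision_count(ws, s, s2):
    """Number of (r_1, r_2) in Z_q^2 for which the distinct keys s and s2 get
    the same mask exponent; pairwise independence predicts exactly q of q^2."""
    return sum(1 for r1 in range(Q) for r2 in range(Q)
               if mask_exponent(ws, s, (r1, r2)) == mask_exponent(ws, s2, (r1, r2)))


def demo():
    rng = random.Random(11)
    s, pk, _ = keygen(6, rng)
    m = pow(G0, 77, P)                         # a constructed message in G
    _, _, ws = keygen(2, rng)                  # only the w_i of a k = 2 key
    return {
        "roundtrip_ok": decrypt(s, encrypt(pk, m, rng)) == m,
        "collisions_k2": collision_count(ws, (1, 0), (0, 1)),
        "collisions_k2_one_bit": collision_count(ws, (1, 1), (0, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

A collision count of exactly q out of $q^2$ index values is collision probability 1/q, which is what the leftover hash lemma needs from the family; the count is the same whichever pair of distinct keys is compared.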
Circular Secure Encryption
Several public keys $(pk_1, sk_1), (pk_2, sk_2), \ldots, (pk_k, sk_k)$
Goal: want to be able to reconstruct all keys from one
• Provide $E_{pk_1}(sk_2), E_{pk_1}(sk_3), \ldots, E_{pk_1}(sk_k)$
• $E_{pk_2}(sk_1), E_{pk_2}(sk_3), \ldots, E_{pk_2}(sk_k)$
• ...
Is it secure?
• There are cycles...
• No known example of insecurity!
• BHHO: first proof of resiliency
Chosen Ciphertext Attacks
• How to define?
• When does the leakage take place?
• How to define CCA2?
What is known:
• The general technique for obtaining CCA - still applicable.
• Can get 1 - o(1) leakage
• Specific schemes with $\Omega(1)$ leakage
Recall: NIZK
A common random string $\sigma$, relevant for both soundness and zk
For full specification need to clarify
• When is x chosen - before or after $\sigma$?
 – Adaptive
• What does the simulator get?
• Does soundness need to hold given a simulated $\sigma$?
 – Cannot hold for a simulated (false) statement
 – Simulation soundness
For NP: can be based on the existence of trapdoor permutations with some structure
Achieving resistance to CCA with NIZK
• Two independent keys of some "good" PKC, KP1 and KP2
• A public random string $\sigma$ for NIZK of the language
 {(KP1, KP2, C1, C2) | C1 and C2 encrypt the same message}
• To encrypt message m: generate ciphertexts C1 and C2 and add a proof of consistency $\pi$
 – Ciphertext: C1, C2, $\pi$
• To decrypt:
 – Verify the proof and then
 – Decrypt only if the ciphertexts passed the consistency checks
Important point: may decrypt with two different private keys
Extensions
Noisy leakage
• Leakage not necessarily of bounded length
• $H_\infty(sk \mid pk, \text{leakage}) > H_\infty(sk \mid pk) - \lambda$
Hard-to-invert leakage
• Tauman-Kalai and Vaikuntanathan: the BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert
Leakage of intermediate values: key generation
• Once the keys are generated, are all intermediate values erased?
• Leakage depends on the random bits used for generating the keys
• Crucial for security under composition
Extensions
Weak random source
• Keys generated using a low-entropy, adversarially chosen source
Key generation
• Choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$
• Let $h = g_1^{x_1} g_2^{x_2}$
• Output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$
• $(g_1, g_2)$ chosen once and shared by all users
• Only need $H_\infty(x_1, x_2 \mid g_1, g_2) \approx \log(q) + |\text{plaintext}|$
Extensions
Leakage of intermediate values: decryption
• Contrived example: first encode sk using a good error-correcting code, then decrypt
• Not so contrived...
$\mathrm{Dec}_{sk}(u_1, \ldots, u_k, e)$: output $e \cdot (u_1^{s_1} \cdots u_k^{s_k})^{-1}$
• Decryption has "low bandwidth": only O(log q) bits at any point in time
• $sk = (s_1, \ldots, s_k)$ can be much larger
Conclusions
• Must incorporate side-channel attacks in the design of systems
• Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks
• Leakage-resilient encryption from general assumptions?
• Dealing with "iterative"/continual leakage and refreshed keys?
 – As in leakage-resilient stream-ciphers [DP08, P09]
• Other primitives? Other side channels?
• A falsifiable hardware assumption?
Conclusions
Can leverage the physical world!
• Visual cryptography [NS94]
• Timing for concurrent composition [DNS98]
• Authentication: low-bandwidth human channel [NSS06]
• Tamper-evident seals (scratch-off cards) [MN06]
• Randomized response
• Secure computation using tamper-proof hardware [Katz07, MS08]
• Human competitive nature and love of games [HN09]
• Voting