Cryptography against Memory Attacks - PowerPoint PPT Presentation

Slides: 68
Provided by: Vin554

Transcript and Presenter's Notes

1
Cryptography against Memory Attacks
Lattice Based Results
2
Recall Public-Key Encryption against Memory Attacks
Security against adaptive a(n)-memory attacks
For every PPT adversary A, Pr[b = b'] ≈ 1/2,
where (PK,SK) ← G(1^n)
[figure: adversary A receives PK]
3
Encryption against Memory Attacks
Security against adaptive a(n)-memory attacks
For every PPT adversary A, Pr[b = b'] ≈ 1/2,
where (PK,SK) ← G(1^n)
[figure: adversary chooses leakage function f, receives PK and f(SK)]
  • captures cold-boot attacks; much easier to achieve

4
Design Strategies
  • Randomized encoding of secret-key
      • Represent sk as (s, sk ⊕ Ext(source, s)) for random s, source
      • No good against adaptive attacks
      • Increases length of storage, decreases efficiency
      • Have to recover original secret-key to work with it
  • Design New Schemes -- LAST TIME (Moni)
      • Might lose other hard-earned properties (efficiency, homomorphism, ...)
  • Show Old Schemes Secure (today)
      • Many existing schemes (RSA, factoring-based) insecure
      • Are there any that are secure?

5
Work [Akavia, Goldwasser, Vaikuntanathan]
  • Show Old Schemes Secure

Theorem: Regev's lattice-based PKC is semantically secure against
  • non-adaptive mem. attacks that leak |SK| - l bits
    - assuming hardness of learning with errors with smaller dimension l
  • adaptive mem. attacks that leak (1-ε)|SK| bits, ∀ε > 0
    - assuming hardness of learning with errors with smaller dimension and (slightly) smaller noise (ε)
6
Outline
  • What is a Lattice?
      • q-ary lattices
  • Why Lattices?
      • Hard Problems
      • Best Algorithms Exponential (even Quantum)
      • Worst-case to Average-case Reductions
      • Simple operations on small numbers
  • Why Not Lattices?
      • Large dimensions to resist heuristics
      • Keys ≈ quadratic in dimension
  • LWE = LPN mod q > 2
  • Regev PKC
  • Regev Proof of Security
  • Regev Leakage Resistance

7
Lattices
  • Basis: b1, ..., bn vectors in R^n
  • The lattice L is L = { y = b1 x1 + ... + bn xn : xi integers }
  • The dual lattice of L is L* = { x : <x,y> in Z for all y in L }

[figure: 2-D lattice with basis b1, b2, showing points 0, b1, b2, b1+b2, 2b1, 2b2, 2b2-b1, 2b2-2b1]
8
Basis is not unique
[figure: same lattice with a second basis v1, v2 and origin 0]
9
q-ary (modular) Lattices
  • Lattices where membership of y in lattice is determined by y mod q, q prime
  • Most crypto based on lattices uses q-ary lattices as a basis for their hard-on-average problem
  • Let A in Zq^{n x m} and q prime
  • Can define m-dimensional q-ary lattice L = Lq(A) = { A^T s mod q in Z^m : s ∈ Z^n }
  • The dual lattice of L is L⊥(A) = { x in Z^m : Ax = 0 mod q }

10
Hard Problems on Lattices
11
Shortest Vector Problem (SVP)
  • SVP: Given a basis B, find a shortest vector

[figure: lattice with basis b1, b2 and origin 0]
12
Closest Vector Problem (CVP)
  • CVP: Given a basis and a target vector t, find the closest lattice point to t
  • Seems very difficult; however, checking if a point is in a lattice is easy

[figure: lattice with basis v1, v2 and origin 0]
13
Approximation Versions
  • In lattice-based cryptography one typically considers approximation variants of these problems.
  • Add approximation factor γ to the problems
  • SVPγ: find v at most γ times the shortest non-0 vector in lattice
  • CVPγ: find the closest vector in the lattice within a factor γ from the closest
  • Can define for any norm but we will use Euclidean, ‖x‖ = √(Σ xi^2)

14
Approximate Shortest Vector Problem (SVP): Search and Decision
  • SVPγ-search: given basis B, find an approximately shortest vector w s.t. ‖w‖ < γ‖v‖ where v is the shortest
  • Gap-SVPγ: given basis B ∈ Z^{m x n} and r ∈ Z, determine whether the shortest vector v has ‖v‖ < r or ‖v‖ > rγ

[figure: lattice with basis b1, b2, point b2-b1 and origin O]
15
Closest Vector Problem (CVP): Search vs. Decision
  • Search-CVPγ: Given a basis and a target vector t, find the approximately closest lattice point
  • Gap-CVPγ: Given B ∈ Z^{m x n}, t ∈ Q^m, r ∈ Q, output 1 if dist(t, L(B)) < r and else 0

[figure: lattice and origin 0]
16
Best Algorithms
  • [LLL82]: approximation in poly-time, approximation factor is (2/√3)^n
  • [Schnorr]: approximation factor 2^{O(n log log n / log n)}
  • [AKS]: Best exact (or poly-factors) in time and space 2^n
  • Note comparison to factoring and discrete-log finding algorithms

17
Worst Case vs. Average Case
[figure: LATTICE PROBLEM -- Worst-case Hard (at least one instance hard; SAFEST TO ASSUME) vs. Average-case Hard (average instance hard; NEEDED IN CRYPTO), linked by Ajtai's reduction]
18
Worst Case vs. Average Case [Ajtai]
Avg: Given random matrix A ∈ Zq^{n x m} for q = poly(n), m > n log q, find short vector x ≠ 0 in Zq^m s.t. Ax = 0 mod q (i.e. x ∈ L⊥, L = Lq(A) q-ary lattice). Short: say ‖x‖ ≤ m.
Ajtai showed that solving Avg is as hard as SVPγ on any worst-case instance (γ = poly(n), q = n^c, m > n log q).
19
Uses of Lattices in Cryptography
  • One-Way Functions
  • Hash Functions
  • Public-Key Cryptography
      • [Ajtai-Dwork97], [Regev04]: Unique SVP
      • [GGH97], [GPV08]
      • [Regev05]: GapSVP (quantum)

20
LPN: Learning parity with error
21
LPN: Learning parity with error
22
Regev introduced Learning modulo q (LWE)
23
LWE: Learning modulo q
24
Connection to Lattices [Regev]
25
Decision version: Learning modulo q
26
Theorem [Regev]
27
Connection to Lattices [Peikert09]
28
Regev's Public-Key Encryption
Secret-key SK: s
Public-key PK: (A, As + x)
  A m-by-n matrix, m >> n
  x low-weight error
q = poly(n) ≈ n^3
29
Regev's Public-Key Encryption
Secret-key SK: s
Public-key PK: (A, As + x)
  A m-by-n matrix
  x low-weight error
Enc_PK(b): r low-weight vector
30
Regev Public Key Encryption
Secret-key SK: s (leak L(s))
Public-key PK: (A, As + x)
Enc_PK(b): r low-weight vector
  if b = 0
  if b = 1
Dec_SK(a, b'): output 0 if b' ≈ a·s = (rA)·s, else output 1
  (for b = 0, b' - a·s very likely to be 0)
  • LWE Assumption: (A, As + x) ≈c (A, u)
  • ⇒ semantic security
  • [Re05]: Approx Worst-Case SVP quantum-hard ⇒ LWE Assumption

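The scheme on slides 28-30 as an added toy implementation (not code from the slides or from Regev's paper): key generation outputs PK = (A, As + x), a bit is encrypted with a low-weight r as (rA, r(As + x) + b·⌊q/2⌋), and decryption tests whether b' - a·s is close to 0 or to q/2. The parameters n = 8, m = 64, q = 257, the {-1,0,1} error and the fixed-weight r are assumptions chosen so the arithmetic stays readable; they give no security.

```python
"""Toy Regev (LWE) public-key encryption, following slides 28-30.

Added example, not from the slides.  Assumed parameters n = 8, m = 64,
q = 257, error x in {-1,0,1}^m and encryption randomness r in {0,1}^m of
fixed weight 16 are chosen for readability only; they give no security.
"""
import random

N, M, Q = 8, 64, 257   # secret dimension n, number of samples m >> n, prime modulus q
ERR_BOUND = 1          # |x_i| <= 1, the "low-weight error"
R_WEIGHT = 16          # number of ones in r, the "low-weight vector"


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def _mat_vec(A, s):
    """A is m x n (list of rows), s in Zq^n: returns As mod q (length m)."""
    return [_dot(row, s) for row in A]


def _vec_mat(r, A):
    """r in {0,1}^m, A is m x n: returns rA mod q (length n)."""
    return [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]


def keygen(rng):
    """SK = s; PK = (A, As + x) with A uniform and x small."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    x = [rng.randint(-ERR_BOUND, ERR_BOUND) for _ in range(M)]
    b = [(v + e) % Q for v, e in zip(_mat_vec(A, s), x)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Enc_PK(b) = (rA, r(As + x) + b * floor(q/2)) for a low-weight r."""
    A, b = pk
    r = [0] * M
    for i in rng.sample(range(M), R_WEIGHT):
        r[i] = 1
    return _vec_mat(r, A), (_dot(r, b) + bit * (Q // 2)) % Q


def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def error_term(sk, ct, bit):
    """b' - a.s - bit*floor(q/2) = r.x, bounded by weight(r) * max|x_i|."""
    a, c = ct
    return centered(c - _dot(a, sk) - bit * (Q // 2))


def decrypt(sk, ct):
    """Dec_SK(a, b'): 0 if b' - a.s is close to 0, else 1."""
    a, c = ct
    return 0 if abs(centered(c - _dot(a, sk))) < Q // 4 else 1


def roundtrip(seed, nbits=64):
    """Encrypt and decrypt nbits random bits under one key pair."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(decrypt(sk, encrypt(pk, b, rng)) == b
               for b in [rng.randrange(2) for _ in range(nbits)])


def error_within_bound(seed, bit):
    """The noise r.x stays below q/4, which is what makes decryption correct."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct = encrypt(pk, bit, rng)
    return abs(error_term(sk, ct, bit)) <= R_WEIGHT * ERR_BOUND < Q // 4


if __name__ == "__main__":
    print("all bits decrypt correctly:", roundtrip(1))
```

With these toy parameters |r·x| ≤ 16 while q/4 = 64, so the "very likely" of the slide becomes "always"; that is an artefact of the bounded error assumed here, not of the scheme, whose real error distribution leaves a small decryption failure probability.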
31
Security for Adaptive Memory attack
Secret-key SK: s (leak L(s))
Public-key PK: (A, As + x)
Enc_PK(b):
  if b = 0
  if b = 1
- view the secret key s as a min-entropy source
- encryption acts as a randomness extractor from s
Show: Ciphertext c is Uniform, given public key and leakage.
But given (A, As + x), s is unique with prob 1 - neg !!!
32
Proof of Security
Goal: Ciphertext c Uniform, given PK and leakage.
[figure: REAL WORLD vs. IDEAL WORLD]
33
Proof of Security
Step 0 (Leap of faith): Ignore ... in ciphertext
[figure: REAL WORLD -- Adv A chooses f, receives f(s)]
34
Proof of Security
Step 1. Leftover hash lemma
Leftover Hash Lemma [ILL]: If r has large min-entropy and A is uniform and independent of r ...
[figure: REAL WORLD -- Adv A chooses f, receives f(s)]
35
What about the leap of faith?
Step 0 (Leap of faith): Ignore ... in ciphertext
In full argument, let Adv have r·x in both distributions. The length of r·x is log q = O(log n). Given r·x the residual min-entropy of r is still high (minus log q) and the distribution of r given r·x depends only on x, i.e. given x, the distribution of r is independent of A.
[figure: REAL WORLD -- Adv A chooses f, receives f(s)]
36
Proof of Security (would like to say)
Step 2. Change A to A' s.t.
  - Given PK = (A, As + x) and f(s), SK = s has large entropy
  - Given PK = (A', A's + x) and f(s), SK = s has large entropy
  ([GKPV09], similar to [P09])
Step 3. Leftover hash lemma
[figure: A vs. A']
37
Main Idea: Lattice Lemma [GKPV]
Change distribution of A to A' and introduce entropy into the distribution of secret key s
  • Show A' ≈c A
  • s has large average min-entropy [DRS07] given PK = (A, As + x) and f(s)

[figure: A ≈ A' under LWE]
38
Recall Min-Entropy
Probability distribution X over {0,1}^n
H∞(X) = - log max_x Pr[X = x]
Represents probability of the most likely value of X
39
Average Conditional Min-Entropy [DORS]
Probability distribution X over {0,1}^n
H̃∞(X|Z) = - log E_z (max_x Pr[X = x | Z = z])
Represents the worst-case predictability by an adversary who may also observe correlated Z: probability of the most likely value of X
  • Lemma [DORS]: if Z takes at most 2^k values, then H̃∞(X|Z) ≥ H∞(X) - k
  • Can Extract: Given H̃∞(X|Z) ≥ H∞(X) - k and 2-universal Ext, (S, Ext(X,S), Z) ≈ (S, U, Z)
  • (any randomness extractor works with a distribution with high entropy in this sense)

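A worked computation of the quantities on slides 38-39, as an added example that is not from the slides: it evaluates H∞(X) and the [DORS] average conditional min-entropy H̃∞(X|Z) exactly, checks the lemma H̃∞(X|Z) ≥ H∞(X) - k, then uses the GF(2) inner product with a uniform seed as the 2-universal Ext and computes the exact statistical distance of (S, Ext(X,S), Z) from (S, U, Z), comparing it with the leftover-hash bound. The source (X uniform over the even-weight 4-bit strings, leakage Z = first bit of X, so k = 1) and the inner-product extractor are constructed assumptions.

```python
"""Min-entropy, average conditional min-entropy [DORS] and the leftover hash
lemma, computed exactly on a small constructed source.  Added example, not
from the slides.  Assumptions: X is a 4-bit string, the leakage Z is one bit
of X (so Z takes 2^k = 2 values), and Ext(x, s) = <x, s> mod 2, the GF(2)
inner product with a uniform 4-bit seed, which is a 2-universal hash family.
"""
from fractions import Fraction
from math import log2, sqrt

NBITS = 4
HALF = Fraction(1, 2)


def bits(v, k=NBITS):
    """v as a tuple of k bits, most significant first."""
    return tuple((v >> (k - 1 - i)) & 1 for i in range(k))


def inner_product(x, s):
    """Ext(x, s) = <x, s> mod 2."""
    return sum(a * b for a, b in zip(x, s)) % 2


def constructed_source():
    """Constructed joint distribution of (X, Z): X uniform over the 8
    even-weight 4-bit strings, Z = first bit of X."""
    support = [bits(v) for v in range(2 ** NBITS) if sum(bits(v)) % 2 == 0]
    p = Fraction(1, len(support))
    return {(x, x[0]): p for x in support}


def marginal_x(pxz):
    px = {}
    for (x, _), p in pxz.items():
        px[x] = px.get(x, Fraction(0)) + p
    return px


def min_entropy(px):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -log2(max(px.values()))


def avg_cond_min_entropy(pxz):
    """H~_inf(X|Z) = -log2 E_z[max_x Pr[X = x | Z = z]]
                   = -log2 sum_z max_x Pr[X = x, Z = z]."""
    best = {}
    for (x, z), p in pxz.items():
        best[z] = max(best.get(z, Fraction(0)), p)
    return -log2(sum(best.values()))


def extractor_distance(pxz):
    """Exact statistical distance between (S, Ext(X,S), Z) and (S, U, Z),
    S a uniform seed and U a uniform bit."""
    seeds = [bits(v) for v in range(2 ** NBITS)]
    ps = Fraction(1, len(seeds))
    pz = {}
    for (_, z), p in pxz.items():
        pz[z] = pz.get(z, Fraction(0)) + p
    real = {}
    for s in seeds:
        for (x, z), p in pxz.items():
            key = (s, inner_product(x, s), z)
            real[key] = real.get(key, Fraction(0)) + ps * p
    dist = Fraction(0)
    for s in seeds:
        for e in (0, 1):
            for z in pz:
                ideal = ps * HALF * pz[z]
                dist += abs(real.get((s, e, z), Fraction(0)) - ideal)
    return dist / 2


def leftover_hash_bound(cond_min_entropy, out_bits=1):
    """LHL: distance <= 1/2 * sqrt(2^out_bits / 2^H~_inf(X|Z))."""
    return 0.5 * sqrt(2 ** (out_bits - cond_min_entropy))


if __name__ == "__main__":
    pxz = constructed_source()
    h = min_entropy(marginal_x(pxz))
    hz = avg_cond_min_entropy(pxz)
    print("H_inf(X) =", h, " H~_inf(X|Z) =", hz, " lemma bound H_inf(X)-1 =", h - 1)
    print("SD((S,Ext,Z),(S,U,Z)) =", extractor_distance(pxz),
          " LHL bound =", leftover_hash_bound(hz))
```

On this source the lemma is tight (H∞(X) = 3, H̃∞(X|Z) = 2 with k = 1). The distance comes out as 1/8 rather than 0 because four of the sixteen seeds make the inner product constant on each half of the support; the leftover hash lemma only promises closeness on average over the seed, which is why a fresh random seed must be part of the ciphertext.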
40
Proof of Security
Step 2 (Lattice lemma): Change distribution of lattice into A' s.t.
  - Given PK = (A', A's + x), SK = s has large min-entropy
[figure: EXPT 1 vs. EXPT 2 -- Adv A chooses f, receives f(A,s,x)]
41
Proof of Security
Step 3 (Leftover hash): Extract randomness from s (min-entropy of s is large)
[figure: EXPT 2 vs. IDEAL WORLD -- Adv A chooses f, receives f(A,s,x)]
42
Proof of Security
Step 4: Switch back to A
[figure: IDEAL WORLD vs. REAL WORLD -- Adv A chooses f, receives f(A,s,x)]
43
Identity Based Encryption (IBE)
  • [Shamir86], [Boneh-Franklin90]: Identity Based Encryption (IBE)
  • Can be used by user to periodically generate (pk_i, sk_i) keys for laptops
  • Memory leakage from laptops: do we have IBE which is secure against it?

44
Identity Based Encryption [AGV]
Theorem 1: The IBE scheme of [Gentry, Peikert, Vaikuntanathan 08] is semantically secure against an n - o(n) non-adaptive memory attack.
Theorem 2: The IBE scheme of [GPV08] is semantically secure against a (1-ε)n adaptive memory attack.
Assuming LWE; random oracle model as in [GPV]
45
Extending Model of Secret Key Leakage ??
[Dodis, Kalai, Lovett STOC09]: How about capturing more settings?
Same secret-key used in many applications, e.g. signatures and encryption using the same secret. Maybe no pseudo-entropy left in the secret.
46
Hard-to-Invert Leakage functions [DKL09]
a(n)-Auxiliary Input Security
Adversary can choose any leakage function f to receive f(sk)
  • f is poly-time computable
  • ∀ PPT A, Pr[A(f(x)) = x] < 1/2^{a(n)}
  • Relation to memory-attacks
  • Yael will give lecture here next week

47
Extending Model of Secret Key Leakage ??
[Alwen, Dodis, Walfish, Wichs]: Bounded Retrieval Model
  • Thesis: Security parameter should be independent of leakage
  • Propose:
      • Absolute leakage
      • PKC where everything except for secret-key size is independent of leakage
      • Other primitives as well in this model

48
Main Idea
  • Use leakage-resistant IBE (Setup, KeyGen, Enc, Dec)
  • PK = master public key MPK of IBE
  • SK = sk_i for identities i = 1..n
  • Encrypt(m):
      • Choose random subset of sk_i of size t
      • Secret-Share(m) with shares m1..mt and encrypt shares c_i = Enc(id_i, m_i). Let c = c1..ct
  • Why? Adversary at the time of leak does not know which secondary keys you will decrypt with, and n >> l
  • Note: PK is not large but SK is.

49
Problems with Main Idea + Fix
  • Problem: Leakage function L(MPK) may leak information on all secondary secret keys sk1..skn
  • HW: Construct an example where this happens
  • Main Idea:
      • Construct HP-IBE: IBE based on Hash-Proof Systems
      • Use the HP-IBE in Main Idea and get leakage-resistant PKE in the BRM model

50
IB-HPS: Extend PKE-HPS to IB-HPS
  • IB-HPS = (Encap, Encap*, Decap)
      • (MPK, MSK)
      • KeyGen(id, MSK) outputs sk_id
      • Encap(id, MPK) gives (c, k), k is symm key s.t.
      • Decap(c, sk_id) gives k
      • Encap*(id) outputs c* ≈ c where c = Encap(id)
  • Properties
      • Decap(c, sk_id) unique for all sk_id with same id
      • for c = Encap(id), c* = Encap*(id): c ≈ c*, even given sk_id
      • k = Decap(c*, sk_id) is uniformly distributed for c* = Encap*(id)
  • Gentry's IBE implies such IBE-HP
  • Dodis et al. show how to get this from Gentry IBE

51
Final Construction: IB-HPS to leakage-resistant PKE (back to original idea)
  • IB-HPS = (Setup, KeyGen, Encap, Encap*, Decap)
  • PKE-KeyGen: let PK = MPK, let SK = (sk_i)_{i=1..n} for sk_i = KeyGen(i, MSK)
  • Encrypt(m, PK):
      • Choose random subset ID = id1..idt of size t
      • Let (C, K) = ((c_i, k_i) = Encap(id_i))_i
      • Let c = (ID, C, s, Ext(K,s) ⊕ m) where s is a random seed
  • Decrypt using Decap
  • Claim: Leakage resistant for l = N-2a/tNnlogn -3a-5 where N = n|sk_i| and Ext is a strong extractor for a = Ent(K)

52
Proof idea
  • Dist0: challenge = (ID, C, s, Ext(K,s) ⊕ m), leak
  • Dist1: challenge = (ID, C, s, Ext(K,s) ⊕ m), leak, where K = Decap(c_i, sk_id)
      • By unique decapsulation from any sk
  • Dist2: challenge = (ID, C*, s, Ext(K,s) ⊕ m), leak, where c* = Encap*(id), k = Decap(c*, sk_id)
      • By encapsulation indistinguishability
  • Dist3: challenge = (ID, C*, s, U)
      • by uniformity of Decap from Encap*
  • How much leakage: entropy-type analysis

Indistinguishability holds even if sk was known, so certainly if leak is known
53
MAIN OPEN QUESTION: Assumed a total bound on Leakage
  • To extend to unbounded measurements each leaking a bounded amount
  • Move away from deterministic schemes and inject fresh randomness to secrets

54
  • Part 1: Memory Leaks
  • Part 2: Computation Leaks (Side Channel Attacks)

55
Any computation on secrets leaks information
[figure: Algorithm with SK -- Read SK, Modify SK, Add, Jump, Consume Power, Allocate Memory, Emit Radiation; SK bit 1, SK bit 2, ..., SK bit i]
56
Axiom (but): Only Computation Leaks Information [Micali-Reyzin04]
Identify secure component H that computes some elementary function. Implement cryptographic functionalities securely when adversary can fully observe all computation except for H.
[figure: adversary chooses inputs]
57
Micali-Reyzin Example
  • Pseudo Random Number Generation
  • Assume f one-way trapdoor permutation
  • Assume that H = lsb(f^{-1}(x))
  • choose seed s
  • compute psr = HC(f^{-1}(s)) HC(f^{-1}(f^{-1}(x))) ... HC(f^{-k}(x))
  • limit Adv to not see input to H
  • f(s), f

58
Axiom (but): Only Computation Leaks Information [Micali-Reyzin04]
Let's ask for more: Security even if Adversary did the Computation himself
Identify secure component H that computes some elementary function. Implement cryptographic functionalities securely when adversary can fully observe all computation except for H.
[figure: adversary chooses inputs]
59
Security when Adversary runs entire executions himself, except for H
[figure: UNIVERSAL, SIMPLE secure components H]
60
One Time Program [Goldwasser, Kalai, Rothblum 08]
Use very simple and universal secure hardware. Enable adversary to run single executions of any cryptographic functionality, learning nothing but the output (provably no computational leakage)
61
One-time programs
  • A program which can be run by an adversary on a single input, but is useless otherwise
  • P is a one-time program for function f if
      • Functionality: Computes f's output on one input of user's choice
      • One-Time Secrecy: P leaks no more than f's output on a single input to an adversary with full access to P

[figure: P]
62
P is a Software + Hardware Package
[figure: Software (in clear) sends request to Secure Component H and receives response]
63
Delegation of Cryptographic Ability in an insecure environment
  • signature delegation

Store 100 OTPs; want to sign 100 messages in presence of side-channel attacks
[figure: (SK,PK); OTP (Software + secure hardware); SIG_SK]
64
Hardware is not a black box
  • Side-channel attacks
  • Every COMPUTATION made in the hardware on secret data leaks information about it
  • Minimize (Eliminate) computation in hardware

65
ROK
[figure: Key k0, Key k1]
  • ROK: Read One Key, Erase second key
  • Simple: easy to scrutinize
  • Universal: same hardware for all applications
  • Inspired by oblivious transfer [Rabin, EGL]
  • No computation is ever done on the key which is erased
  • resists all side-channel attacks which result from computation

66
One-Time Compiler, Take 2
  • Theorem [GKR09]: If secure fully homomorphic encryption E exists [Gentry STOC09], can compile any f into a one-time program for f secure against all computational side-channel attacks, where program = software + m ROKs (where m = length of ciphertext) and Program Size = O(time for single decryption)
  • New OTP: E(description of f) + OTP for a single decryption
      • To compute f(x): compute E(f(x)) homomorphically
      • decrypt E(f(x)) with OTP
  • Almost

67
Observations: Our Context
  • May assume H resides in PC
  • No need for hardware implementation of H
  • Implemented in software, simply never see the other key so it never leaks

68
Different Approach: Break Computation into Rounds [Dziembowski-Pietrzak]
  • Break computation of PSRG P1 ... Pk into rounds
  • Make each round r depend only on part of SK, say SK_r
  • Leakage Model: any bounded-length leakage L (function of SK_r) may leak, but only a function of SK_r may leak in round r: the only-computation-leaks axiom
  • Theorem: secure (ε,s) PSRG ⇒ secure PSRG s.t. P_i ≈ U with L = O(log(1/ε)) (log(1/ε)/2), given P1 ... P_{i-1} and View = L(SK_0) ... L(SK_{l-2})
  • If also know L(SK_{l-1}), can only show P_l unpredictable
  • E.g. ε = 2^{-√n}, then L = n/4

69
Questions
  • Other primitives whose computation can be broken into rounds
  • Strengthen DP psrg result
      • to get better dependence on ε
      • to accommodate leakage L(SK_{l-1})