Bounded Memory Leakage

Transcription

1 6.889: New Developments n Cryptography prl 5, 2011 Instructor: Yael Tauman Kala Bounded Memory Leakage Scrbe: Raluca da Popa When desgnng cryptographc schemes, we usually rely on the assumpton that every bt of the secret key s secret. However, n practce, loss of secrecy can happen due to sde-channel attacks. For example, an adversary can get secret nformaton usng tmng attacks, acoustc attacks, or even by gettng access to parts of the memory used by a cryptographc protocol such as n the cold-boot attack demonstrated by Halderman et al. [HSH + 09]. Wth some bts of the secret key revealed, securty guarantees may no longer hold. 1 Prelmnares 1.1 Notaton For a dstrbuton X, weusex R X to denote that x s a sample drawn from the dstrbuton X. For a set S, weusex R S to denote that x s drawn unformly at random from the set S. We use H (X) to denote the mn-entropy of a random varable X defned as H (X) = mn u U log Pr[X = u],whereu s the set of all values X may take. We use Ud to denote the unform dstrbuton over {0, 1} d. The notaton s ndcates that s s a vector. If D 1 and D 2 are dstrbutons, the notaton D 1 D 2 ndcates statstcal ndstngushablty wth an advantage of at most. 1.2 Leftover hash lemma We recall the leftover hash lemma ntroduced n prevous lectures n a form useful to some of the constructons n these notes. Theorem 1 (Leftover Hash Lemma). Fx >0. Let X be a random varable on {0, 1} n wth mn-entropy k. Let H = {H n } n N where H n = {h s } s {0,1} d for all n, be a unversal hash famly wth output length m k 2 log(1/). Then, {(h(x),h):x R X, h R H n } {(u, h) :u R U m,h R H n }. 2 Semantc Securty wth λ-bt leakage We frst recall the defnton of semantc securty and then enhance t wth λ-bt leakage reslence. Defnton 2 (Semantc securty). publc-key encrypton scheme E =(Gen, Enc, Dec) s semantcally secure f for all PPT, foranypolynomalp, for any suffcently large n N, Pr[Expt 0 (E,,n) = 1] Pr[Expt 1 (E,,n) = 1] < 1/p(n), where Expt b (E,,n) s defned as follows. Expt b (E,,n): 1. The challenger generates (PK, SK) Gen(1 n ) and sends PK to. 1-1

2 2. The adversary reples wth (m 0,m 1 ). 3. The challenger computes y Enc(PK,m b ), and sends y to. 4. outputs b. Let λ be a nonnegatve nteger ndcatng the amount of allowed leakage. Defnton 3 (Semantc Securty wth λ bt Leakage). publc-key encrypton scheme E = (Gen, Enc, Dec) s semantcally secure wth λ-bt leakage f, for all PPT, foranypolynomalp, for all suffcently large n N, we have Pr[Expt λ 0(E,,n) = 1] Pr[Expt λ 1(E,,n) = 1] < 1/p(n), where Expt λ b (E,,n) s the output of the followng game between and a challenger: 1. The adversary selects a leakage functon L : {0, 1} {0, 1} λ and sends t to the challenger. 2. Challenger generates (SK, PK) Gen(1 n ) and sends (PK,L(SK, PK)) to. 3. chooses two messages m 0 and m 1 such that m 0 = m 1 and sends (m 0,m 1 ) to the challenger. 4. Challenger sends C Enc(PK,m b ) to. 5. outputs b. Note that ths defnton s smlar to the defnton of semantc securty wth the addton of the leakage functon L. Even though the adversary chooses L before recevng PK, the defnton s stll adaptve wth respect to PK: the leakage functon L can frst look at the value of PK and choose the actual leakage based on the value of PK. The adversary s a PPT algorthm so any functon that t would run to compute a leakage functon based on PK must be polynomal-tme as well, and thus can be ncorporated n L. 2.1 Decsonal Dffe-Hellman ssumpton We recall the DDH assumpton as well as present a more general form proven equvalent by Naor and Rengold [NR04]. Let GroupGen be a probablstc polynomal-tme algorthm that takes as nput a securty parameter 1 n for some postve nteger n, and outputs (G,q,g), where q s an n-bt prme number, G s a group of order q, and g s a generator of G. Decsonal Dffe-Hellman ssumpton (DDH). The DDH assumpton s that the ensembles (G,g1,g 2,g1 r,gr 2 ) n N and (G,g 1,g 2,g r 1 1,gr 2 2 ) are computatonally ndstngushable, where n N (G,q,g) GroupGen(1 n ), and the elements g 1,g 2 G and r, r 1,r 2 Z q are chosen ndependently and unformly at random. Naor and Rengold [NR04] showed that, f DDH holds, so does the followng generalzaton of DDH consderng >2 generators. Lemma 4 ([NR04]). Under the DDH assumpton, for any postve nteger, the ensembles (g1,...,g,g r 1,...,g r ):g R G,r R Z q and (g1,...,g,g r 1 1,...,gr ):g R R G,r Zq are computatonally ndstngushable, where (G,q,g) GroupGen(1 n ). 1-2

3 2.2 Dffcultes wth straghtforward reductons Before showng a constructon of a leakage reslent encrypton scheme, we gve some ntuton showng why a typcal securty reducton s unlkely to yeld a proof of securty. Suppose we would lke to prove that, under the DDH assumpton, E s secure wth λ-bts of leakage. The proof would typcally proceed by contradcton: suppose there exsts a PPT that breaks E, and we construct a PPT B that breaks the DDH assumpton. The adversary behaves as n Defnton 3 so t wll frst provde B wth the leakage functon L. The reducton B s supposed to return PK and L(SK, PK). In order to use L as a black box, B needs to generate SK and PK because L may be checkng that SK s correct. If L checks SK and fnds that t s not a correct secret key, t may only output certan values whch wll recognze and for whch t wll not break E. Now that B had to generate SK and PK hmself, t seems that can no longer help B because t wll not tell B anythng about the secret key that B could not compute hmself from SK and PK. Thus, t seems that B cannot explot the power of. However, the above ntuton s ncorrect. The nsght n these proofs s for B to generate an mproper encrypton C nstead of C = Enc(PK,m b ); B computes C usng some nformaton from the DDH nstance t s tryng to solve and hopefully leverage s power to learn some new nformaton. 2.3 Constructon: BHHO Naor and Segev [NS09] show that the scheme of Boneh et al. [BHHO08] can be made secure aganst bounded leakage. Boneh et al. have proposed ths scheme as a crcular-secure encrypton scheme and t can be thought of as an extenson of the El-Gamal scheme. slghtly modfed verson of the BHHO encrypton scheme s defned as follows: Gen(1 n ) : Choose s Z q,where s some polynomal n n dependng on the desred reslence to leakage, and g 1,...,g R G. Let y = =1 gs and output keys SK = s and PK = (g 1,...g,y). Enc(PK,m) for m G, performs: choose r R Z q and output (c 1,...,c l+1 )=(g1 r,...,gr,yr m) as the encrypton of m. c l+1 Dec(SK,c 1,...,c,c l+1 )= ( =1 cs ). The completeness property of the encrypton scheme s mmedate: Dec(SK,c 1,...,c,c l+1 )= c l+1 =1 cs = =1 grs =1 grs m Clam 5. Under the DDH assumpton, BHHO s a semantcally secure encrypton scheme wth λ = SK (1 o(1)) bts of leakage, where SK s the length of the secret key. Proof. We proceed by contradcton: assume there s a polynomal p(n) and a PPT that breaks the BHHO scheme above wth at least 1/p(n) advantage and construct a PPT B that breaks DDH. The algorthm B s defned as follows: lgorthm 1 (B on nput (g 1,...,g,c 1,...,c ) for securty parameter n). Recall that B has to decde f the nput s of the form (g 1,...,g,g1 r,...,gr ) or (g 1,...,g,g r 1 1,...,gr ). The reducton B emulates the securty game for as follows: = m 1-3

4 1. Receve L from. 2. Run Gen(1 n ) to obtan (SK, PK) and send PK and L(SK, PK) to. 3. B receves m 0 and m 1 from. 4. B flps a con b and computes C = Enc (SK,m b )=(c 1,...,c, =1 cs m b ) 5. reples wth ts guess b. 6. If guesses rght (that s, b = b ), B outputs 0 (meanng the nput s of the frst form), else B outputs 1 (meanng the nput s of the second form). Let us compute the probablty of B dstngushng correctly. There are two cases for the nputs to B, each equally lkely. Case 1: (c 1 = g1 r,...,c = g r ). We can see that, n ths case, receves the rght dstrbuton of nputs t expects and therefore, t can dstngush wth probablty at least 1/2 + 1/p(n); thus, B wll also make the correct decson wth probablty at least 1/2 + 1/p(n). Case 2: (c 1 = g r 1 1,...,c = g r ). In ths case, we would lke to make sure that does not guess b correctly too often because ths would cause B to output the wrong answer. The approach s to show that C hdes b nformaton-theoretcally even wth leakage, and thus wll guess the correct answer wth probablty at most 1/2 plus a neglgble amount. In ths case, the vew of can be summarzed by (PK,L(PK, SK),g r 1 1,...,gr, =1 gr s m b ) and we want to argue that t s statstcally ndstngushable from (PK,L(PK, SK),g r 1 1,...,gr,U) wth some small error. Note that dstngushng between these two ensembles s at least as hard as dstngushng between a second par of ensembles, (PK, L(SK, PK), r 1,..., r, r, s) and (PK, L(SK, PK), r 1,...,r, U), as follows. For some generator g of G, consder replacng each g = g δ for some δ n the frst par of ensembles and rewrtng the ensembles. The reducton now becomes straghtforward: t conssts of smply rasng g to the power of r and r, s. To prove that (PK, L(SK, PK), r 1,..., r, r, s) and (PK, L(SK, PK), r 1,..., r, U) are statstcally close, we apply the leftover hash lemma, Theorem 1. Consder the collecton of hash functons H n consstng of h r ( s) = r, s q. We can see that ths s a unversal hash famly. To apply the leftover hash lemma we need H ( s) log q+2 log(1/). We have that H ( s) = log q λ log q because s (the secret key) s log q bts long, λ of them leak due to L, and log q of them leak due to r, s. Therefore, as long as λ log q 2 log q 2 log 1/ = SK (1 o(1)), by Theorem 1, the dstrbutons n queston have statstcal dfference at most /2. Puttng together these two cases: Pr[B wns] = 1/2Pr[B wns Case 1] + 1/2Pr[B wns Case 2] 1/2(1/2+ 1/p(n))+ 1/2(1/2 /2) = 1/2+ 1/2(1/p(n) /2). We can choose to be n log n ; n ths case, B s advantage remans nonneglgble at breakng the DDH assumpton (by contradctng Lemma 4) and the leakage tolerated becomes log q 2 log q 2 log 2 n = SK (1 o(1)). In the constructon of ths proof, we allowed the leakage λ to be SK (1 o(1)). If n log q s the sze of the securty parameter, and the sze of the secret key s a polynomal n ths sze, say n c, we allow leakage of at most n c+1 2n; ths amount of leakage s sgnfcant and can be made larger than any fracton of the secret key s length. The followng queston now arses naturally: what f we allow a larger leakage to happen as long as t s stll computatonally nfeasble for an adversary to fnd SK? We may gve away SK nformaton-theoretcally, but a polynomally-bounded adversary may stll not be able to compute 1-4

5 SK. In the proof above, we provded nformaton-theoretc guarantees, but we may be able to provde computatonal guarantees wth such a settng. We explore ths drecton next. 3 Semantc securty wth auxlary nput Semantc securty wth respect to auxlary nputs was frst defned by Dods et al. [DKL09]. Defnton 6 (Semantc securty wth 2 λ -hard-to-nvert auxlary nput). publc-key encrypton scheme E =(Gen, Enc, Dec) wth message space M = {M n } n N s semantcally secure wth auxlary nput f for any PPT adversary, anypolynomalp, and any suffcently large n N, where wn(e,,n): Pr[wn(E,,n) = 1] < 1/2+1/p(n), dversary chooses a leakage functon L and sends t to the challenger. Challenger computes (SK, PK) Gen(1 n ) and sends (PK,L(SK, PK)) to the adversary. reples wth two messages m 0 and m 1. The challenger flps a con b and sends Enc(PK,m b ) to. reples wth b, ts guess for b. If b = b and L s 2 λ -hard-to-nvert ( wns), output 1 else output 0. By 2 λ -hard-to-nvert, we mean that for all PPT B,Pr[(PK, SK) Gen(1 n ), B(PK,L(PK, SK)) = SK] 1/2 λ. Dods et al. [DGK + 10] show that BHHO s secure wth 2 lλ -hard-to-nvert auxlary nput. s part of ther proof, they extend the Goldrech-Levn theorem to large felds. Thus, let us frst state ths theorem: Theorem 7 (Goldrech-Levn for large felds [DGK + 10]). Let q be a prme, and let H be an arbtrary subset of GF(q). Let f : H n {0, 1} be any (possbly randomzed) functon. If there s a dstngusher D that runs n tme t such that Pr[ s H n,y f( s), r GF(q) n : D(y, r, r, s) = 1] Pr[ s H n,y f( s), r GF(q) n,u GF(q) :D(y, r, u) = 1] =, then there s an nverter that runs n tme t = t poly(n, H, 1/) such that Pr[ s H n,y f( s) :(y) = s] n q 2. Clam 8 ([DGK + 10]). Under the DDH assumpton, BHHO s secure wth 2 λ -hard-to-nvert auxlary nput. Proof. The constructon of the reducton s the same as n the proof of Clam 5: lgorthm 1. We now consder a sequence of four experments wth ether the same or computatonally ndstngushable nput dstrbutons to the adversary. The last dstrbuton wll enable us to prove the 1-5

6 clam easly. Let dv () (n) be the advantage of the adversary n guessng rght n Experment for securty parameter n. Experment 0: Ths experment s the same as n Defnton 6. Experment 1: Ths s the same experment as Experment 0, except that nstead of C = Enc(PK,m b ), the challenger sends C = Enc (SK,m b )=(g1,...,g r r,c= g rs m b ). Now let us argue that the nput dstrbutons to the adversary are the same n Experment 0 and Experment 1. We can see that for both Enc(PK,m b ) and Enc (SK,m b ), the challenger chooses r R Z q. For the same r, we can see that Enc (SK,m b )=Enc(PK,m b ). Experment 2: In ths experment, we have c R G for =1,...,l and C = =1 cs =1 m b. We would lke to clam that the advantage of the adversary n Experments 1 and 2 only dffers by a neglgble amount. Clam: If DDH s hard for G, then for every PPT, dv (1) (n) dv(2) (n) negl(n). Proof: We would lke to show that (PK,L(SK, PK),c 1,...,c, =1 cs R : c G) (Exp.1) and (SK,L(SK, PK),g1 r,...,gr, =1 grs : r R Z q ) (Exp. 2) are computatonally ndstngushable (where we omtted the dstrbutons from whch some random varables are drawn for brevty). ssumng there exsts a dstngusher for these two dstrbutons D 12, we want to construct a dstngusher D DDH that breaks the DDH assumpton from Lemma 4. Upon recevng nput for the general DDH problem (g 1,...g,c 1,...c ), D DDH smply generates SK and PK as n the case of the BHHO scheme usng g 1,...,g, and provdes to D 12 (PK,L(SK, PK),c 1,...,c, =1 cs ). D DDH outputs exactly what D 12 outputs and we can see that they have the same wnnng probablty. Therefore D DDH has nonneglgble advantage of breakng the general DDH problem; by Lemma 4 and assumng DDH, we reach a contradcton. Experment 3: In ths experment, C s replaced wth C =(g r 1,...,g r,g u R ) for r Zq, u R Z q, and some fxed generator g of G. Now we clam that the advantage of the adversary n Experments 2 and 3 only dffers by a neglgble factor: Clam: For every PPT, dv (2) (n) dv(3) (n) negl(n). R R Proof: In Experment 2, choosng c 1,...,c G s equvalent to choosng r1,...,r Zq for some fxed generator g of G. Therefore, we need to prove that (PK,L(SK, PK),g r 1,...,g r, =1 gr s m b ) (see Exp. 2) and (PK,L(SK, PK),g r 1,...,g r, =1 gu ) (see Exp. 3) are computatonally ndstngushable. Note that t s enough to prove D 1 =(PK,L(SK, PK),,r 1,...,r, r, s) s computatonally ndstngushable from D 2 =(PK,L(SK, PK),,r 1,...,r,u). The reason s that we can reduce the computatonal ndstngushablty of the ntal dstrbutons to the computatonal ndstngushablty of D 1 and D 2. The reducton would smply consst of rasng g to the power of r before feedng to a dstngusher for the second par of dstrbutons. We now use Goldrech-Levn for large numbers. From Theorem 7, t follows that f we can dstngush D 1 and D 2 wth δ>2 lλ /4 advantage, we can nvert L and obtan SK wth probablty: 1-6

7 δ 3 q 512nq 3 >q 1 512n2 3lλ /4 poly(n) >q2 lλ Ths contradcts our computatonal hardness assumpton about L; we can thus conclude that Experments 2 and 3 are computatonally ndstngushable. Note that n Experment 3, the cphertext C sent by the challenger s a random value ndependent of the bt b, and therefore the adversary has zero advantage of guessng ths bt. By followng the sequence of experment ndstngushablty we proved above, the overall adversary advantage of breakng BHHO s at most neglgble, thus concludng our proof. 4 The GPV Cryptosystem The GPV cryptosystem [GPV08] s a constructon based on lattces. Before we present the cryptosystem, let us present the Learnng wth Errors ssumpton on whch t s based. Learnng wth Errors ssumpton (LWE). Consder ntegers n, m, q and a probablty dstrbuton χ on Z q, typcally taken to be a normal dstrbuton that has been dscretzed. The nput s a par (, v) where Z m n q s chosen unformly, and v s ether chosen unformly from Z m q or chosen to be s + x for a unformly chosen s Z n q and a vector x Zq m chosen accordng to χ m. The assumpton s that no PPT can dstngush wth some non-neglgble probablty between these two cases. The GPV cryptosystem s the followng bt-encrypton scheme. Let n, m, and q be nteger parameters of the scheme. Gen(1 n ): r {0, R 1} m, Z m n q, SK = r, PK =(, r). Output (SK, PK). Enc(PK,b) for b {0, 1}: Choose s R Z n q, x R χ m, and x R χ. Output( s + x, r s + x + bq/2). Dec(SK, (c 1,c 2 )): Compute c 2 c 1 r = bq/2 + x r x. Output 0 f ths value s closer to 0 than to q/2, and output 1 otherwse. Snce x r x s small n comparson to q, we can see that the decrypton wll return the correct result and the completeness property of E thus follows. Clam 9. GPV s secure wth λ-bt of leakage under LWE. Proof. s before, we would lke to construct a PPT B that can break LWE wth nonneglgble advantage gven a PPT that can break GPV. B receves an nput of the form (, y), whch could be (, v) or (, s + x). The constructon for B s the same as lgorthm 1 except that Enc SK (m b)=(y, ry x +bq/2), where x s generated such that the dstrbuton of rx x s statstcally ndstngushable from the dstrbuton of x and y s the second term receved by B as nput. Let s consder each case of B s nputs: B receves (, s+ x) and therefore receves ( s+ x, s r + xr x +bq/2) for C. Sncex s drawn from a dstrbuton such that rx x would nduce a statstcally ndstngushable dstrbuton, we can see that the nputs to wll be statstcally ndstngushable from what expects and therefore, wll guess the rght b wth nonneglgble probablty. 1-7

8 B receves (, v). receves ( v, r v x + bq/2). Usng the leftover hash lemma, Theorem 1, we can bound by 1/2+/2 the probablty wth whch succeeds n guessng the rght b and hence mslead B nto outputtng an ncorrect bt. We can choose = n log n to enable B to mantan the nonneglgble advantage gven by the frst case. Combnng the two steps, we can see that B wll have nonneglgble probablty of breakng LWE, thus reachng a contradcton. When applyng LHL, Theorem 1, we obtan m n log q λ 2 log(1/), therefore, enablng λ m n log q 2 log(1/) leakage. The GPV cryptosystem can also be proven secure wth auxlary nput. References [BHHO08] Dan Boneh, Sha Halev, Mke Hamburg, and Rafal Ostrovsky. Crcular-secure encrypton from decson Dffe-Hellman. In Proceedngs of the 28th nnual Internatonal Cryptology Conference, CRYPTO 08, pages , Berln, Hedelberg, Sprnger-Verlag. [DGK + 10] Yevgeny Dods, Shaf Goldwasser, Yael Tauman Kala, Chrs Pekert, and Vnod Vakuntanathan. Publc-key encrypton schemes wth auxlary nputs. In TCC, pages , [DKL09] [GPV08] [HSH + 09] Yevgeny Dods, Yael Tauman Kala, and Shachar Lovett. On cryptography wth auxlary nput Crag Gentry, Chrs Pekert, and Vnod Vakuntanathan. Trapdoors for hard lattces and new cryptographc constructons. In Proceedngs of the 40th annual CM symposum on Theory of computng, STOC 08, pages , New York, NY, US, CM. J. lex Halderman, Seth D. Schoen, Nada Hennger, Wllam Clarkson, Wllam Paul, Joseph. Calandrno, rel J. Feldman, Jacob ppelbaum, and Edward W. Felten. Lest we remember: cold-boot attacks on encrypton keys. Commun. CM, 52(5):91 98, [NR04] Mon Naor and Omer Rengold. Number-theoretc constructons of effcent pseudorandom functons. J. CM, pages , [NS09] Mon Naor and Gl Segev. Publc-key cryptosystems reslent to key leakage. In CRYPTO, pages 18 35,