Provable Security against Side-Channel Attacks

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014

Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

Side-channel attacks

Side-channel attacks Sound and temperature Proofs of concept in idealized conditions Minor practical threats on embedded systems Running time Trivial solution: constant-time implementations Must be carefully addressed timing flaw still discovered in OpenSSL in 2011! timing flaws can be induced by the processor (cache, branch prediction,...)

Side-channel attacks Power consumption and EM emanations Close by nature (switching activity) Can be modeled as weighted sums of the transitions EM can be more informative (placing of the probe) but assume a raw access to the circuit Both are noisy i.e. non-deterministic Noise amplification by generating random switching activity

Provable security Traditional approach define an adversarial model (e.g. chosen plaintext attacker) define a security goal (e.g. distinguish two ciphertexts)

Provable security Traditional approach define an adversarial model (e.g. chosen plaintext attacker) define a security goal (e.g. distinguish two ciphertexts) k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c ˆb A c m E(k, ) Challenger Adversary Oracle Security reduction: If A exists with non-negligible Pr[ˆb = b] 1/2 then I can use A to efficiently solve a hard problem.

Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c ˆb A c m E(k, ) Challenger Adversary Oracle

Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l ˆb A c,l m E(k, ) Challenger Adversary Oracle

Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle

Provable security... in the presence of leakage k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle Issue: how to model the leakage?

Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

Modeling side-channel leakage The encryption oracle cannot be seen as a mathematical function E(k, ) : m c anymore, but as a computation. Two classical approaches to model computation: Turing machines (programs) Circuits How to model leaking computation?

Modeling side-channel leakage Chronology Probing model (circuits, 2003) Physically observable cryptography (Turing machines, 2004) Leakage resilient cryptography (2008) Further leakage models for circuits (2010) Noisy leakage model (2013) Presentation Leakage models for circuits Leakage models for programs

Leakage Models for Circuits [Ishai-Sahai-Wagner. CRYPTO 2003] Directed graph whose nodes are gates and edges are wires in 1 Op 1 in 2 Op 3 copy out 1 in 3 copy Op 4 out 2 $ Op 2 mem

Leakage Models for Circuits [Ishai-Sahai-Wagner. CRYPTO 2003] Directed graph whose nodes are gates and edges are wires in 1 w 1 in 2 w 2 Op 1 w 5 Op 3 w 9 copy w 12 out 1 w 6 w 3 copy w 11 in 3 w 7 Op 4 w 13 out 2 $ w 4 Op 2 w 8 mem w 10 At each cycles, the circuit leaks f(w 1, w 2,..., w n )

Leakage Models for Circuits Probing security model [Ishai-Sahai-Wagner. CRYPTO 2003] the adversary gets (w i ) i I for some chosen set I t AC 0 leakage model [Faust et al. EUROCRYPT 2010] the leakage function f belongs to the AC 0 complexity class i.e. f is computable by circuits of constant depth d Noisy circuit-leakage model [Faust et al. EUROCRYPT 2010] f : (w 1, w 2,..., w n ) (w 1 ε 1, w 2 ε 2,..., w n ε n ) { 1 with proba p < 1/2 with ε i = 0 with proba 1 p

Physically Observable Cryptography [Micali-Reyzin. TCC 04] Framework for leaking computation Strong formalism using Turing machines Assumption: Only Computation Leaks (OCL) Computation divided into subcomputations y SC(x) Each SC accesses a part of the state x and leaks f(x) f adaptively chosen by the adversary No actual proposal for f

Leakage Resilient Cryptography Model introduced in [Dziembowski-Pietrzak. STOC 08] Specialization of the Micali-Reyzin framework Leakage functions follow the bounded retrieval model [Crescenzo et al. TCC 06] f : {0, 1} n {0, 1} λ for some constant λ < n

Leakage Resilient Cryptography Example: LR stream cipher [Pietrzak. EUROCRYPT 09] Many further LR crypto primitives published so far Generic LR compilers [Goldwasser-Rothblum. FOCS 12] [Dziembowski-Faust. TCC 12]

Leakage Resilient Cryptography Limitation: the leakage of a subcomputation is limited to λ-bit values for λ < n (the input size) Side-channel leakage far bigger than n bits although it may not remove all the entropy of x Figure: Power consumption of a DES computation.

Noisy Leakage Model [Prouff-Rivain. EUROCRYPT 2013] OCL assumption (Micali-Reyzin framework) New class of noisy leakage functions An observation f(x) introduces a bounded bias in Pr[x] very generic

Notion of bias Bias of X given Y = y: β(x Y = y) = Pr[X] Pr[X Y = y] with = Euclidean norm. Bias of X given Y : β(x Y ) = Pr[Y = y] β(x Y = y). y Y β(x Y ) [ 0; Related to MI by: 1 1 X ] (indep. / deterministic relation) 1 X β(x Y ) MI(X; Y ) ln 2 ln 2 β(x Y )

Noisy Leakage Model Every subcomputation leaks a noisy function f of its input noise modeled by a fresh random tape argument ψ is some noise parameter f N (1/ψ) β ( X f(x) ) < 1 ψ Capture any form of noisy leakage

Noisy Leakage Model In practice, the multivariate Gaussian model is widely admitted f(x) N ( m x, Σ) x X The bias can be efficiently computed: β(x f(x)) = y x ( ( p y px y 1/ X ) ) 2 1/2 with p y = x φ Σ ( y m x) z φ Σ( z m x) and p x y = φ Σ( y m x) where φ Σ : y exp ( 1 2 y Σ y ). v φ Σ( y m v)

Noisy Leakage Model Illustration: univariate Hamming weight model with Gaussian noise f(x) = HW(X) + N (0, σ 2 ) 1.5 2.0 2.5 3.0 50 100 150 200 Figure: log 10 β(x f(x)) w.r.t. σ.

Noisy Leakage Model Illustration: univariate Hamming weight model with Gaussian noise f(x) = HW(X) + N (0, σ) 2500 2000 1500 1000 500 50 100 150 200 Figure: ψ = 1 β(x f(x)) w.r.t. σ.

Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

Achieving provable security against SCA k k $ K b $ {0, 1} c E(k, m b ) ˆb? = b m 0, m 1 c, l 1,..., l q ˆb A c,l m E(k, ) Challenger Adversary Oracle Describe a (protected) implementation of E(k, ) Model the leakage Provide a security reduction

General setting A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle

General setting Distinguisher A Security Game (m i, k) l(m i, k) O 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ

General setting Distinguisher A Security Game (m i, k) l($, $) O 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ

General setting Distinguisher A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ A : Adv(A-SG O( ) ) Adv(A-SG O$ ( ) )

General setting Distinguisher A Security Game (m i, k) l(m i, k) O Adversary 0/1 Leakage Oracle Security: Dist : Adv(Dist O( ) ) 2 κ A : Adv(A-SG O( ) ) Adv(A-SG O$ ( ) ) Information theoretic security: MI((m, k); l(m, k)) 2 κ

Using random sharing Principle Randomly share the internal state of the computation A d-sharing of x F is a tuple (x 1, x 2,..., x n ) s.t. x 1 + x 2 + + x n = x with n 1 degrees of randomness Subcomputations y SC(x) are replaced by (y 1, y 2,..., y n ) SC (x 1, x 2,..., x n )

Using random sharing Soundness [Chari et al. CRYPTO 99] Univariate Gaussian leakage model: l i x i + N (µ, σ 2 ) Distinguishing ( (l i ) i x = 0 ) from ( (l i ) i x = 1 ) takes q samples: q cst σ n Limitations: univariate leakage model, Gaussian noise assumption static leakage of the shares (i.e. without computation) no scheme proposed to securely compute on a shared state

Ishai-Sahai-Wagner Scheme [Ishai-Sahai-Wagner. CRYPTO 2003] Binary circuit model Goal: security against t-probing attacks Every wire w is shared in n wires w 1, w 2,..., w n Issue: how to encode logic gates? NOT gates and AND gates NOT gates encoding: w = w 1 w 2 w n

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b 3 a 2 b 1 a 2 b 2 a 2 b 3 a 3 b 1 a 3 b 2 a 3 b 3

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b 3 0 0 0 0 a 2 b 2 a 2 b 3 a 2 b 1 0 0 0 0 a 3 b 3 a 3 b 1 a 3 b 2 0

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 1 b 3 0 a 2 b 1 a 3 b 1 0 a 2 b 2 a 2 b 3 0 0 a 3 b 2 0 0 a 3 b 3 0 0 0

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 a 2 b 2 a 2 b 3 a 3 b 2 0 0 a 3 b 3

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 a 1 b 2 a 2 b 1 a 1 b 3 a 3 b 1 0 r 1,2 r 1,3 0 a 2 b 2 a 2 b 3 a 3 b 2 0 0 r 2,3 0 0 a 3 b 3 0 0 0

Ishai-Sahai-Wagner Scheme AND gates encoding Input: (a i ) i, (b i ) i s.t. i a i = a, i b i = b Output: (c i ) i s.t. i c i = a b a b = ( i a )( i i b i ) = i,j a ib j Example (n = 3): a 1 b 1 (a 1 b 2 r 1,2 ) a 2 b 1 (a 1 b 3 r 1,3 ) a 3 b 1 r 1,2 a 2 b 2 (a 2 b 3 r 2,3 ) a 3 b 2 r 1,3 r 2,3 a 3 b 3

Ishai-Sahai-Wagner Scheme Sketch of security proof t-probing adversary n = 2t + 1 shares probed wires: v 1, v 2,..., v t construct a set I = {raw and column indices of v k } (v 1, v 2,..., v t ) perfectly simulated from (a i ) i I and (b i ) i I I 2t < n (a i ) i I and (b i ) i I are random I -tuples

Ishai-Sahai-Wagner Scheme (a i ) i (b i ) i $ $ $ c 0 c 1 c 2 Figure: AND gate for n = 3

Ishai-Sahai-Wagner Scheme Can be transposed to the dth-order security model the adversary must combined the leakage of at least d subcomputations to recover information in presence of noise d is a relevant security parameter [Chari et al. CRYPTO 99] Many dth-order secure schemes based on ISW scheme Not fully satisfactory an relevant adversary should use all the leakage

Security in the noisy model [Prouff-Rivain. EUROCRYPT 2013] Every y SC(x) leaks f(x) where β ( X f(x) ) < 1 ψ Information theoretic security proof: MI ( (m, k); l(m, k)) < O(ω d ) Assumtpion: the noise parameter ψ can be linearly increased Need of a leak-free component for refreshing x = (x 0, x 1,..., x d ) x = (x }{{} 0, x 1,..., x d }{{} ) i x i=x i x i =x with (x x) and (x x) mutually independent.

Overview of the proof Consider a SPN computation Figure: Example of SPN round.

Overview of the proof Classical implementation protected with sharing Figure: Example of SPN round protected with sharing.

S-Box computation [Carlet et al. FSE 12] Polynomial evaluation over GF(2 n ) Two types of elementary calculations: linear functions (additions, squares, multiplication by coefficients) multiplications over GF(2 n )

Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d (X 0 ) (X 1 ) (X d )

Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d f 0 (X 0 ) (X 0 ) (X 1 ) (X d ) f 1 (X 1 ) f d (X d )

Linear functions Given a sharing X = X 0 X 1 X d X 0 X 1 X d f 0 (X 0 ) (X 0 ) (X 1 ) (X d ) f 1 (X 1 ) f d (X d ) For f i N (1/ψ) with ψ = O( X 1 2 ω), we show MI ( X; (f 0 (X 0 ), f 1 (X 1 ),..., f d (X d )) ) 1 ω d+1

Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d........ A d B 0 A d B 1 A d B d

Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d........ A d B 0 A d B 1 A d B d f 0,0 (A 0,B 0 ) f 0,1 (A 0,B 1 ) f 0,d (A 0,B d ) f 1,0 (A 1,B 0 ) f 1,1 (A 1,B 1 ) f 1,d (A 1,B d )........ f d,0 (A d,b 0 ) f d,1 (A d,b 1 ) f d,d (A d,b d )

Multiplications Inputs: sharings i A i = g(x) and i B i = g(x) where X = s-box input First step: cross-products A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d........ A d B 0 A d B 1 A d B d For f i,j N (1/ψ) with ψ = O( X 3 2 d ω) we show MI ( X; (f i,j (A i, B j )) i,j ) 1 ω d+1

Multiplications Second step: refreshing Apply on each column and one row of A 0 B 0 A 0 B 1 A 0 B d A 1 B 0 A 1 B 1 A 1 B d........ A d B 0 A d B 1 A d B d We get a fresh (d + 1) 2 -sharing of A B V 0,0 V 0,1 V 0,d V 1,0 V 1,1 V 1,d...... V d,0 V d,1 V d,d

Multiplications Third step: summing rows Takes d elementary calculations (XORs) per row: T i,1 V i,0 V i,1 T i,2 T i,1 V i,2. T i,d T i,d 1 V i,d

Multiplications Third step: summing rows Takes d elementary calculations (XORs) per row: T i,1 V i,0 V i,1 T i,2 T i,1 V i,2.. T i,d T i,d 1 V i,d f i,1 (V i,0,v i,1 ) f i,2 (T i,1,v i,2 ) f i,d (T i,d 1,V i,d ) For f i,j N (1/ψ) with ψ = O( X 3 2 ω), we show MI ( X; (F 0, F 1,..., F d ) ) 1 ω d+1 where F i = ( f i,1(v i,0, V i,1), f i,2(t i,1, V i,2),..., f i,d (T i,d 1, V i,d ) )

Putting everything together Several sequences of subcomputations, each leaking L t with MI((m, k); L t ) 1 ω d+1 Use of share-refreshing between each sequence (L t ) t are mutually independent given (m, k) We hence have MI ( (m, k); (L 1, L 2,..., L T ) ) T MI((m, k); L t ) t=1 T ω d+1

Improved security proof [Duc-Dziembowski-Faust. EUROCRYPT 2014] Security reduction: probing model noisy model ISW scheme secure in the noisy model No need for leak-free component!

Improved security proof Consider y 1 SC 1 (x 1 ), y 2 SC 2 (x 2 ),..., y n SC n (x n ) t-probing model: l = (x i ) i I with I = t ε-random probing model: l = (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) where ϕ i is a ε-identity function i.e. { x with proba ε with ϕ i (x) = with proba 1 ε δ-noisy model: l = (f 1 (x 1 ), f 2 (x 2 ),..., f n (x n )) with β(x f i (X)) δ (here = L 1 )

From probing to random probing ε-random probing adv. A rp t-probing adv. A p with t = 2nε 1 A p works as follows { 1 with proba ε sample (z 1, z 2,..., z n ) where z i = 0 with proba 1 ε set I = {i z i = 1}, if I > t return get (x i ) i I call A rp on (y 1, y 2,..., y n ) where y i = { xi if i I if i / I If I t : (y 1, y 2,..., y n ) (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) Chernoff bound: Pr[ I > t] exp( t/6) A rp A p : Adv(A p ) Adv(A rp ) exp( t/6)

From random probing to noisy leakage Main lemma: every f s.t. β(x f(x)) δ can be written: f = f ϕ where ϕ is an ε-identity function with ε δ X, and } f efficient to sample f efficient to sample Pr[f(x) = y] eff. computable δ-noisy adversary A n ε-random probing adv. A rp get (ϕ 1 (x 1 ), ϕ 2 (x 2 ),..., ϕ n (x n )) call A n on (f 1 ϕ 1 (x 1 ), f 2 ϕ 2 (x 1 ),..., f n ϕ n (x n )) A n A rp : Adv(A rp ) = Adv(A n )

Combining both reductions Security against t-probing security against δ-noisy where δ = t + 1 2n X exp( t/6) must be negligible t 8.65 κ ISW scheme with d-sharing is secure against δ-noisy attackers where δ = d (and d 17.5 κ) n X For ISW-multiplication n = O(d 2 ) and X = F F giving δ = O(1/d F 2 ) ψ = O(d F 2 ) Limitation: ψ is still in O(d)

Conclusion New practically relevant model for leaking computation: the noisy model Need for practical investigations for the bias estimation Only 2 works proposing formal proofs in this model Open issues: a scheme secure with constant noise secure implementations with different kind of randomization (e.g. exponent/message blinding for RSA/ECC)