JournéesCodageetCryptographie2014SoniaBelaïd Leakage-ResilientPrimitivesusingRe-keying

41  Download (0)

Texte intégral

(1)

03-27-2014 1/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Side-Channel Attacks Countermeasures

Leakage-Resilient Primitives using Re-keying

Journées Codage et Cryptographie 2014

Sonia Belaïd 1,2

École Normale Supérieure, 45 rue d’Ulm 75005 Paris Thales Communications & Security

Sonia.Belaid@ens.fr

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(2)

Side-Channel Attacks

I physical leakage

• timing

• power consumption

• temperature

• . . .

I statistical treatment

I key recovery

(3)

03-27-2014 3/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Side-Channel Attacks Countermeasures

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x m , m 0 , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(4)

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x m , m 0 , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

(5)

03-27-2014 4/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Side-Channel Attacks Countermeasures

Goal

Goal:

I build leakage-resilient primitives I practical for use in constrained devices

Leakage-Resilient Cryptography Model - only computation leaks

- bounded amount of leakage per invocation

- unlimited number of invocations

Practical constraints:

- limited code size - limited storage - reasonable

execution time

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(6)

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

(7)

03-27-2014 6/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(8)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque

CHES 2013: 471-488

(9)

03-27-2014 7/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

Goal: efficient and leakage-resilient encryption scheme Related Work: Kocher’s patent 1999 but

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque CHES 2013: 471-488

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(10)

Contributions

Scheme 1 LR encryption scheme using a LR PRF

Scheme 2 Instantiation of Scheme 1 with the [FPS12] LR PRF Scheme 3 more efficient and still LR encryption scheme with a

tweaked (not LR and not PRF) function

(11)

03-27-2014 9/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(12)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(13)

03-27-2014 9/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(14)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(15)

03-27-2014 9/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(16)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(17)

03-27-2014 10/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Scheme 3: More Efficient LR Encryption Scheme

LR Encryption Scheme from 4 re-keying function

(not LR, not PRF) 4 block cipher with

4 short-cuts between keys 4 uniformly random values:

- one triplet per level [FPS12], - PRG with public seed [YS13]

but

8 additional constraint on the message

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(18)

Security Aspects

I block cipher with random inputs → plaintext added to the output I same primitive for the block cipher and the weak PRFs

I secret keys used at most three times :

→ avoid the recomputation of previous keys

(19)

03-27-2014 12/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Instantiation

weak PRF

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(20)

Instantiation

weak PRF

block

cipher

(21)

03-27-2014 12/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

Leakage-Resilient Constructions Practical Analysis

Instantiation

weak PRF

block

cipher PRG

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(22)

Instantiation

weak PRF

block

cipher PRG

unmasked

AES

(23)

03-27-2014 13/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(24)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Pseudo-Random Generators

Related Works: PRNG

- robust with input: Dodis et al. CCS’13 - leakage-resilient: Yu et al. CCS’10

Contribution: Leakage-Resilient PRNG with Input

Michel Abdalla, Sonia Belaïd, David Pointcheval, Sylvain Ruhault,

Damien Vergnaud

(25)

03-27-2014 14/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Pseudo-Random Generators

Goal: efficient and leakage-resilient PRNG

Related Works: PRNG

- robust with input: Dodis et al. CCS’13 - leakage-resilient: Yu et al. CCS’10

Contribution: Leakage-Resilient PRNG with Input

Michel Abdalla, Sonia Belaïd, David Pointcheval, Sylvain Ruhault, Damien Vergnaud

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(26)

PRNG with Input from CCS 2013

I setup() outputs seed = (X , X 0 );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X 0 ) = G([X 0 S] m 1 ).

G : {0, 1} m → {0, 1} n+` is a secure PRG (K ← [X 0 S] m 1 ).

(27)

03-27-2014 16/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Security Properties

Attacker A Capabilities

I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(28)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Security Properties

Attacker A Capabilities I ask for outputs (S, R)

Robustness

If enough entropy is provided, A cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(29)

03-27-2014 16/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(30)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

distinguish (S, R) from a uniformly random

string with a significant advantage.

(31)

03-27-2014 16/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(32)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

New Security Properties

Attacker A L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness with Leakage

If enough entropy is provided, A L cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(33)

03-27-2014 17/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

New Security Properties

Attacker A L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

I collect the leakage: λ bits of information on the manipulated data at each invocation

Robustness with Leakage

If enough entropy is provided, A L cannot distinguish (S, R) from a uniformly random string with a significant advantage.

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(34)

New Security Properties

Attacker A L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

I collect the leakage: λ bits of information on the manipulated data at each invocation

Robustness with Leakage

If enough entropy is provided, A L cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(35)

03-27-2014 18/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Limitations in Presence of Leakage: Generator G

I setup() outputs seed = (X , X 0 );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X 0 ) = G([X 0 S] m 1 ).

→ Diffential Power Analysis of G

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(36)

New Generic Construction

I setup() outputs seed = (X , X 0 , X 00 );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X 0 , X 00 ) = G([X 0 S] m 1 , X 00 ).

New security property for PRG G

G is a leakage-resilient and secure PRG.

(37)

03-27-2014 20/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Leakage-Resilient Instantiation

F p

0

F

0

C

F p

1

pub lic v ar iab les

F

0

C + 1

K

0

T

0

K

0

T

1

X

00

X

00

. . . . . .

F p

n+`−2

F

0

C + n + ` − 2

F p

n+`−1

F

0

C + n + ` − 1

K

κ−1

T

n+`−2

K

κ−1

T

n+`−1

X

00

X

00

(K 0 || . . . ||K κ−1 ||C) ← [X 0 S] m 1 m is (κ + 1) times larger than in CCS’13

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(38)

Practical Analysis

CCS’13 (2 −40 security):

I internal state S: 489 bits I threshold: γ = 449 I AES: 5 calls with 1 secret

key

Our Construction (2 −40 security):

I internal state S: 1408 bits I threshold: γ = 1370 I AES: 12 calls with 6 secret

keys (2 calls per secret key)

I Efficiency: about five times slower than CCS 13

I Security: higher security levels can be achieved with a tweaked

instantiation

(39)

03-27-2014 22/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(40)

Conclusion

Summary

? leakage-resilient and efficient symmetric encryption

? leakage-resilient and efficient PRNG with input

Further Work

? more efficient leakage-resilient primitives

? leakage-resilience evaluation of different modes of operation

(41)

03-27-2014 24/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Thank you

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

Figure

Updating...

Références

Sujets connexes :