JournéesCodageetCryptographie2014SoniaBelaïd Leakage-ResilientPrimitivesusingRe-keying

(1)

03-27-2014 1/24 Leakage-Resilient Encryption Scheme

Leakage-Resilient PRNG with Input Conclusion

Side-Channel Attacks Countermeasures

Leakage-Resilient Primitives using Re-keying

Journées Codage et Cryptographie 2014

Sonia Belaïd ^1,2

École Normale Supérieure, 45 rue d’Ulm 75005 Paris Thales Communications & Security

Sonia.Belaid@ens.fr

Sonia Belaïd Leakage-Resilient Primitives using Re-keying

(2)

Side-Channel Attacks

I physical leakage

• timing

• power consumption

• temperature

• . . .

I statistical treatment

I key recovery

(3)

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x _m , m ₀ , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

(4)

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x m , m 0 , . . . , m d−1 ) x = x _m ? m ₀ ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

(5)

Goal

Goal:

I build leakage-resilient primitives I practical for use in constrained devices

Leakage-Resilient Cryptography Model - only computation leaks

- bounded amount of leakage per invocation

- unlimited number of invocations

Practical constraints:

- limited code size - limited storage - reasonable

execution time

(6)

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

(7)

Context

Leakage-Resilient Constructions Practical Analysis

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

(8)

Leakage-Resilient Encryption Scheme Leakage-Resilient PRNG with Input Conclusion

Context

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque

CHES 2013: 471-488

(9)

Context

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

Goal: efficient and leakage-resilient encryption scheme Related Work: Kocher’s patent 1999 but

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque CHES 2013: 471-488

(10)

Contributions

Scheme 1 LR encryption scheme using a LR PRF

Scheme 2 Instantiation of Scheme 1 with the [FPS12] LR PRF Scheme 3 more efficient and still LR encryption scheme with a

tweaked (not LR and not PRF) function

(11)

Context

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(12)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(13)

Context

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(14)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(15)

Context

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(16)

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

(17)

03-27-2014 10/24 Leakage-Resilient Encryption Scheme

Context

Scheme 3: More Efficient LR Encryption Scheme

LR Encryption Scheme from 4 re-keying function

(not LR, not PRF) 4 block cipher with

4 short-cuts between keys 4 uniformly random values:

- one triplet per level [FPS12], - PRG with public seed [YS13]

but

8 additional constraint on the message

(18)

Security Aspects

I block cipher with random inputs → plaintext added to the output I same primitive for the block cipher and the weak PRFs

I secret keys used at most three times :

→ avoid the recomputation of previous keys

(19)

Context

Instantiation

weak PRF

(20)

Instantiation

weak PRF

block

cipher

(21)

Context

Instantiation

weak PRF

block

cipher PRG

(22)

Instantiation

weak PRF

block

cipher PRG

unmasked

AES

(23)

Context

PRNG with Input from CCS 2013 Leakage-Resilient Generic Construction Instantiation

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

(24)

Context

Pseudo-Random Generators

Related Works: PRNG

- robust with input: Dodis et al. CCS’13 - leakage-resilient: Yu et al. CCS’10

Contribution: Leakage-Resilient PRNG with Input

Michel Abdalla, Sonia Belaïd, David Pointcheval, Sylvain Ruhault,

Damien Vergnaud

(25)

Context

Pseudo-Random Generators

Goal: efficient and leakage-resilient PRNG

Related Works: PRNG

- robust with input: Dodis et al. CCS’13 - leakage-resilient: Yu et al. CCS’10

Contribution: Leakage-Resilient PRNG with Input

Michel Abdalla, Sonia Belaïd, David Pointcheval, Sylvain Ruhault, Damien Vergnaud

(26)

PRNG with Input from CCS 2013

I setup() outputs seed = (X , X ⁰ );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X ⁰ ) = G([X ⁰ S] ^m ₁ ).

G : {0, 1} ^m → {0, 1} ^n+` is a secure PRG (K ← [X ⁰ S] ^m ₁ ).

(27)

Context

Security Properties

Attacker A Capabilities

I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

(28)

Context

Security Properties

Attacker A Capabilities I ask for outputs (S, R)

Robustness

If enough entropy is provided, A cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(29)

Context

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

(30)

Context

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

distinguish (S, R) from a uniformly random

string with a significant advantage.

(31)

Context

Security Properties

Attacker A Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness

If enough entropy is provided, A cannot distinguish (S, R) from a uniformly random string with a significant advantage.

(32)

Context

New Security Properties

Attacker A ^L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

Robustness with Leakage

If enough entropy is provided, A ^L cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(33)

Context

New Security Properties

Attacker A ^L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

I collect the leakage: λ bits of information on the manipulated data at each invocation

Robustness with Leakage

If enough entropy is provided, A ^L cannot distinguish (S, R) from a uniformly random string with a significant advantage.

(34)

New Security Properties

Attacker A ^L Capabilities I ask for outputs (S, R) I compromise the inputs I

I compromise the internal state S

I collect the leakage: λ bits of information on the manipulated data at each invocation

Robustness with Leakage

If enough entropy is provided, A ^L cannot

distinguish (S, R) from a uniformly random

string with a significant advantage.

(35)

Context

Limitations in Presence of Leakage: Generator G

I setup() outputs seed = (X , X ⁰ );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X ⁰ ) = G([X ⁰ S] ^m ₁ ).

→ Diffential Power Analysis of G

(36)

New Generic Construction

I setup() outputs seed = (X , X ⁰ , X ⁰⁰ );

I S = refresh(S, I; X) = S · X + I;

I (S, R) = next(S; X ⁰ , X ⁰⁰ ) = G([X ⁰ S] ^m ₁ , X ⁰⁰ ).

New security property for PRG G

G is a leakage-resilient and secure PRG.

(37)

Context

Leakage-Resilient Instantiation

F p

0

F

⁰

C

F p

1

pub lic v ar iab les

F

⁰

C + 1

K

0

T

0

K

0

T

₁

X

⁰⁰

X

⁰⁰

. . . . . .

F p

n+`−2

F

⁰

C + n + ` − 2

F p

n+`−1

F

⁰

C + n + ` − 1

K

κ−1

T

n+`−2

K

κ−1

T

n+`−1

X

⁰⁰

X

⁰⁰

(K 0 || . . . ||K _κ−1 ||C) ← [X ⁰ S] ^m ₁ m is (κ + 1) times larger than in CCS’13

(38)

JournéesCodageetCryptographie2014SoniaBelaïd Leakage-ResilientPrimitivesusingRe-keying

Leakage-Resilient Primitives using Re-keying

Journées Codage et Cryptographie 2014

Sonia Belaïd 1,2

École Normale Supérieure, 45 rue d’Ulm 75005 Paris Thales Communications & Security

Sonia.Belaid@ens.fr

Side-Channel Attacks

I physical leakage

• timing

• power consumption

• temperature

• . . .

I statistical treatment

I key recovery

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x m , m 0 , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

Countermeasures against Side-Channel Attacks

Masking sensitive values randomized:

x replaced by (x m , m 0 , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

Drawbacks of Masking

8 higher-order attacks 8 performances

Re-keying

Goal

Goal:

I build leakage-resilient primitives I practical for use in constrained devices

Leakage-Resilient Cryptography Model - only computation leaks

- bounded amount of leakage per invocation

- unlimited number of invocations

Practical constraints:

- limited code size - limited storage - reasonable

execution time

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

Outline

1 Leakage-Resilient Encryption Scheme

2 Leakage-Resilient PRNG with Input

3 Conclusion

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque

CHES 2013: 471-488

Encryption Scheme

encryption scheme plaintext

secret key

ciphertext

Goal: efficient and leakage-resilient encryption scheme Related Work: Kocher’s patent 1999 but

- multiple use of the same key - no security proof

Contribution: Leakage-Resilient Symmetric Encryption via Re-keying

Michel Abdalla, Sonia Belaïd, Pierre-Alain Fouque CHES 2013: 471-488

Contributions

Scheme 1 LR encryption scheme using a LR PRF

Scheme 2 Instantiation of Scheme 1 with the [FPS12] LR PRF Scheme 3 more efficient and still LR encryption scheme with a

tweaked (not LR and not PRF) function

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Faust, Pietrzak, Schipper: Practical Leakage-Resilient Symmetric Cryptography. CHES 2012

Schemes 1 and 2

• Re-keying Primitive I leakage-resilient PRF

• Block Cipher I as a PRF

I not leakage-resilient

- instantiated with the [FPS12] LR PRF

Sonia Belaïd ^1,2

x replaced by (x _m , m ₀ , . . . , m d−1 ) x = x m ? m 0 ? · · · ? m d−1

x replaced by (x m , m 0 , . . . , m d−1 ) x = x _m ? m ₀ ? · · · ? m d−1

I setup() outputs seed = (X , X ⁰ );

I (S, R) = next(S; X ⁰ ) = G([X ⁰ S] ^m ₁ ).

G : {0, 1} ^m → {0, 1} ^n+` is a secure PRG (K ← [X ⁰ S] ^m ₁ ).