The modern approach to cryptography is provable security, where one defines a meaningful formal security model and proves that schemes are secure in this model. An exception is the design of countermeasures against cryptographic side-channel attacks, which even today is mostly based on heuristic arguments that only try to prevent particular attacks. It was long believed that side-channels are a practical problem where theoretical cryptography was only of limited use, but recent results indicate that this view is too pessimistic, and in fact it is possible to extend the realm of provable security also to side-channel attacks. This survey is a personal and incomplete view on the current state of this exciting and fast-moving field.

⋆ This survey accompanies a talk with the same title given at the WEWORC’09 workshop. First posted online September 27, 2009. Last update March 9, 2010.

1 Modern Cryptography

For most of history, cryptography was the art of “secret communication”. The designers of encryption schemes were only guided by experience and intuition. Not surprisingly, pretty much all proposed schemes turned out to be insecure. It became evident that the only hope to get secure cryptosystems is by means of provable security, that is

1. to provide a precise and meaningful model capturing what it means to be “secure”.
2. to design systems which can be proven secure in this model.

Provable security dates back at least to Shannon’s proof that the one-time pad hides all information about the encrypted message [Sha49], but only with the rise of public-key cryptography [DH76,RSA78,Ell70,Coc73,Wil74], which requires constructions with a rich mathematical structure that can also be exploited by cryptanalysts, did provable security really take off. Modern cryptographic security definitions usually consider a “security game”, which models how a potential adversary can attack the system. Classical examples are the definitions of CPA/CCA secure public-key encryption schemes [GM84,RS92], unforgeability for signature schemes [GMR88] or pseudorandomness [Yao82,BM84]. More recent notions are security against key-dependent message attacks [CL01,BRS03,HK07,HU08] or security against selective openings [DNRS99,BHY09]. Proving security of a system then equates to showing that no (efficient) adversary can win the security game. Unfortunately, often one cannot hope to prove such a strong statement (as it would, e.g., imply P ≠ NP). In these cases one shows that the existence of an adversary who can win the game would imply that some problem generally believed to be hard is actually easy. Public-key cryptosystems can be based on many well-studied assumptions, like the hardness of factoring [Rab79,HK09], or the shortest vector problem in lattices [GGH97,Reg05]. Symmetric cryptography (aka. secret-key cryptography) can be based on much weaker assumptions, e.g. block ciphers can be built from any one-way function [HILL99,GGM84,LR88], but for efficiency reasons, in practice block ciphers like DES or AES are constructed from scratch and not via reductions ([NR97] is a notable exception).

1.1 Why Black-Box Isn’t Enough

What basically all modern security notions have in common is that the cryptographic algorithm is modelled as a “black-box”, where an adversary can only observe the input/output behavior of the cryptographic algorithm as specified by the security game. Unfortunately, such models do not capture many real-world scenarios where an adversary can attack an actual implementation of a cryptosystem, which potentially leaks information to the adversary that cannot be learned from black-box access alone. In the mid-90s Kocher demonstrated that the secret key of the popular RSA cryptosystem can be recovered by simply measuring the time a cryptodevice needs to perform a decryption [Koc96a]. Such attacks, where an adversary exploits leakage of information from a cryptodevice during execution, are called “side-channel” attacks (as opposed to standard cryptanalytic attacks, where the adversary only exploits the “main-channel”, i.e. the legitimate input/output behavior of the device). Light-weight crypto devices like smart-cards or RFID chips are particularly susceptible to side-channel attacks, and although [Koc96b] was by no means the first side-channel attack, it came as quite a surprise to the cryptographic community how easily such devices could be broken. Since [Koc96b], many more ingenious side-channel attacks have been published, for example by measuring the power consumption [KJJ99] or the electromagnetic radiation [QS01,GMO01] of a cryptodevice. Some attacks go beyond simply measuring some physical properties of a device. Cold-boot attacks [HSH08] exploit the fact that memory retains its content for several seconds or even minutes after being ripped from a laptop. In a probing attack [AKA96], one measures the contents carried by some wires of the circuit which performs a computation (unlike the other attacks, probing attacks require rather elaborate equipment). A particularly intriguing class of attacks are “cache attacks” [OST06,RTSS09], which exploit leakage of information between different processes that run on the same CPU. Such leakage occurs due to the structure of memory caches on modern CPUs. Side-channel attacks are a very real threat for systems used in practice. A recent example is the complete break of the KeeLoq cipher, which is used as an anti-theft system in millions of cars [EKM08]. Not surprisingly, much research has concentrated on developing countermeasures against such attacks. This research is mostly done by practitioners (i.e., the cryptographic hardware community) who are also active in finding and exploiting new side-channels. It was long believed that theory can only be of limited use to prevent side-channel attacks. But recent results indicate that this view was much too pessimistic, and in fact it is possible to extend the realm of provable security also to side-channel attacks, as we will see in this survey. We will only discuss countermeasures against passive attacks, where an adversary only observes leakage from a cryptodevice. In contrast, in an active attack [BDL97,BS91] the adversary actively tampers with the device, for example by cutting wires in the circuit or by heating or overclocking it in order to introduce random errors into the computation or memory content. Currently, there are only very few results on provable security against active attacks [GLM04,IPSW06,DPW09], but this is likely to change in the near future.

2 Side-Channel Attacks and Countermeasures

Countermeasures against side-channel attacks, as outlined above, can be on the hardware or on the algorithmic level.

– On the hardware level, the aim is to construct physical devices which reduce the amount of leakage, for example by shielding the circuit (to avoid electromagnetic radiation) or by inserting transistors (to flatten the power consumption curve).
– On the algorithmic level, the aim is to design cryptosystems which remain secure even if some information about the secret internal state is leaked. This is usually done by some kind of internal randomisation (called masking or blinding, cf. [oEE] for a list of relevant papers) in order to avoid the occurrence of predictable intermediate results.

As argued in § 1.2 of [FRR10], due to the holographic bound conjecture, which asserts that the information contained in a volume of space is already encoded on the boundary of this region, in theory everything that goes on in a cryptodevice can be learned by measuring its surroundings. Fortunately, in practice we can still hope to get secure systems, as (1) a real-world adversary will not even get close to a perfect measurement of that boundary, and (2) even if what the adversary measures contains all of the information about the secret state of the cryptodevice, it might still be computationally hard to extract any useful information (i.e. cryptographic keys) from it. In practice we can thus reasonably assume that a cryptodevice can keep at least some secrets, but it is unrealistic to assume the other extreme, i.e. that a “useful” device like a smart-card will leak no information at all. Thus, to get secure devices, a combination of hardware and algorithmic countermeasures must be in place.

2.1 Provable Security against Side-Channel Attacks?

As already mentioned, most of the work on side-channel attacks and countermeasures is done by practitioners, i.e. the cryptographic hardware community; the CHES workshop is their major venue. The “side-channel cryptanalysis lounge” [oEE] gives a good overview of this field. To some extent this research is a cat-and-mouse game: new side-channel attacks are found, and subsequently countermeasures are proposed. Those are usually ad-hoc, in the sense that they aim at preventing some particular known type of attack, and they often come without any formal security proof. Research on side-channel security is quite different from the provable-security approach followed by modern cryptography. For example, in many works on side-channel countermeasures one encounters security arguments involving simulations. Because simulations can only show that some particular countermeasure is secure against some particular attack, they are meaningless in the context of provable security, where one has to quantify over all (time- and/or space-bounded) adversaries. Clearly, this situation cannot be satisfying from a cryptographic point of view. What are our beautiful provably secure cryptosystems good for, when ultimately their security relies on some ad-hoc countermeasures against side-channel attacks? Despite this, until recently the theory community did not give much attention to this problem. One reason was the perception that side-channels are a practical problem, and theory can only be of limited use to prevent them. It is not obvious what “provable security” should mean in the context of side-channel at
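As an added illustration (not code from the survey) of the algorithmic countermeasure described in Section 2, the following Python models a single S-box step of a toy cipher, first unprotected and then with first-order Boolean masking via table recomputation, and checks that the value a single probe would observe becomes independent of the key. The 4-bit S-box, the keys and the plaintexts are constructed for this example.

```python
from __future__ import annotations

import random
from collections import Counter

# Constructed toy 4-bit S-box (an arbitrary permutation of 0..15), not from any real cipher.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def unmasked_sbox_step(key: int, pt: int) -> int:
    """Unprotected round step: S(key XOR pt) exists in the clear.

    For a fixed key and a known plaintext this intermediate is fully predictable,
    which is exactly the kind of value a DPA-style attack correlates measurements against.
    """
    return SBOX[key ^ pt]


def share_key(key: int, rng: random.Random) -> tuple[int, int]:
    """Split the key into two Boolean shares (k0, k1) with k0 XOR k1 == key."""
    k1 = rng.randrange(16)
    return key ^ k1, k1


def masked_sbox_step(key_shares: tuple[int, int], pt: int, rng: random.Random) -> tuple[int, int]:
    """First-order Boolean masking with table recomputation.

    The key is never reassembled and every intermediate carries a random mask,
    so no single intermediate value depends on the key.
    Returns output shares (y_masked, m_out) with y_masked XOR m_out == S(key XOR pt).
    """
    k0, k1 = key_shares
    m_out = rng.randrange(16)                          # fresh output mask per execution
    table = [SBOX[y ^ k1] ^ m_out for y in range(16)]  # T[y] = S(y XOR k1) XOR m_out
    x_masked = k0 ^ pt                                 # == (key XOR pt) XOR k1
    y_masked = table[x_masked]                         # == S(key XOR pt) XOR m_out
    return y_masked, m_out


def observed_values(key: int, pt: int, trials: int, masked: bool, seed: int | None = None) -> Counter:
    """Histogram of the intermediate a single probe would see over repeated executions."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    seen: Counter = Counter()
    for _ in range(trials):
        if masked:
            shares = share_key(key, rng)               # refresh the shares on every execution
            y_masked, m_out = masked_sbox_step(shares, pt, rng)
            assert y_masked ^ m_out == SBOX[key ^ pt]  # masking preserves functionality
            seen[y_masked] += 1
        else:
            seen[unmasked_sbox_step(key, pt)] += 1
    return seen


if __name__ == "__main__":
    print("unmasked:", observed_values(0xA, 0x3, 2000, masked=False, seed=1))   # a single value
    print("masked:  ", sorted(observed_values(0xA, 0x3, 2000, masked=True, seed=1)))  # all 16 values
```

First-order masking only removes key dependence from each intermediate taken on its own; the two output shares combined still yield the unmasked value, which is why attacks that combine several leakage points call for higher-order masking.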
References

[1] Paul C. Kocher et al. Differential Power Analysis. CRYPTO, 1999.
[2] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. CRYPTO, 1991.
[3] Moni Naor et al. Public-Key Cryptosystems Resilient to Key Leakage. SIAM J. Comput., 2009.
[4] Silvio Micali et al. Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering. TCC, 2004.
[5] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT, 1997.
[6] Krzysztof Pietrzak et al. A Leakage-Resilient Mode of Operation. EUROCRYPT, 2009.
[7] Giovanni Di Crescenzo et al. Perfectly Secure Password Protocols in the Bounded Retrieval Model. TCC, 2006.
[8] Ariel J. Feldman et al. Lest we remember: cold-boot attacks on encryption keys. CACM, 2008.
[9] Claude E. Shannon et al. Communication theory of secrecy systems. Bell Syst. Tech. J., 1949.
[10] Moti Yung et al. Leakage Resilient Cryptography in Practice. Towards Hardware-Intrinsic Security, 2010.
[11] Oded Goldreich et al. Public-Key Cryptosystems from Lattice Reduction Problems. CRYPTO, 1996.
[12] Adi Shamir et al. How to share a secret. CACM, 1979.
[13] Markus G. Kuhn et al. Tamper resistance: a cautionary note. 1996.
[14] Ronald L. Rivest et al. All-or-Nothing Encryption and the Package Transform. FSE, 1997.
[15] Richard J. Lipton et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). EUROCRYPT, 1997.
[16] Madhur Tulsiani et al. Dense Subsets of Pseudorandom Sets. 49th Annual IEEE Symposium on Foundations of Computer Science, 2008.
[17] M. J. Williamson. Non-Secret Encryption Using a Finite Field. 1998.
[18] Stefan Dziembowski et al. Intrusion-Resilience Via the Bounded-Storage Model. TCC, 2006.
[19] Eyal Kushilevitz et al. Exposure-Resilient Functions and All-or-Nothing Transforms. EUROCRYPT, 2000.
[20] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions. IACR Cryptol. ePrint Arch., 2008.
[21] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.
[22] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function. SIAM J. Comput., 1999.
[23] Moti Yung et al. A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks (extended version). IACR Cryptol. ePrint Arch., 2009.
[24] Adi Shamir et al. Cache Attacks and Countermeasures: The Case of AES. CT-RSA, 2006.
[25] Vinod Vaikuntanathan et al. Simultaneous Hardcore Bits and Cryptography against Memory Attacks. TCC, 2009.
[26] Yevgeniy Dodis et al. Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks. CRYPTO, 2010.
[27] Moni Naor et al. Universal one-way hash functions and their cryptographic applications. STOC '89, 1989.
[28] Mihir Bellare et al. Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening. EUROCRYPT, 2009.
[29] Dennis Hofheinz et al. Towards Key-Dependent Message Security in the Standard Model. EUROCRYPT, 2008.
[30] Ueli Maurer et al. Lower Bounds on Generic Algorithms in Groups. EUROCRYPT, 1998.
[31] Stefan Dziembowski et al. Leakage-Resilient Storage. SCN, 2010.
[32] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO, 1986.
[33] Yuval Ishai et al. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO, 2003.
[34] Hugo Krawczyk et al. Security under key-dependent inputs. CCS '07, 2007.
[35] Ueli Maurer et al. A Provably-Secure Strongly-Randomized Cipher. EUROCRYPT, 1991.
[36] Salil P. Vadhan et al. Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model. Journal of Cryptology, 2003.
[37] Moti Yung et al. A New Randomness Extraction Paradigm for Hybrid Encryption. EUROCRYPT, 2009.
[38] Silvio Micali et al. Physically Observable Cryptography (Extended Abstract). TCC, 2004.
[39] Jean-Jacques Quisquater et al. ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards. E-smart, 2001.
[40] Silvio Micali et al. Probabilistic Encryption. J. Comput. Syst. Sci., 1984.
[41] Taher ElGamal. On Computing Logarithms Over Finite Fields. 1985.
[42] Yevgeniy Dodis et al. Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model. CRYPTO, 2009.
[43] Moni Naor et al. Magic functions. 40th Annual Symposium on Foundations of Computer Science, 1999.
[44] Yael Tauman Kalai et al. Public-Key Encryption Schemes with Auxiliary Inputs. TCC, 2010.
[45] Yonatan Aumann et al. Information Theoretically Secure Communication in the Limited Storage Space Model. CRYPTO, 1999.
[46] Clifford C. Cocks et al. A note on non-secret encryption. 1973.
[47] Stefan Dziembowski et al. Intrusion-Resilient Secret Sharing. 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07), 2007.
[48] Stefan Dziembowski et al. Leakage-Resilient Cryptography. 49th Annual IEEE Symposium on Foundations of Computer Science, 2008.
[49] Luca Trevisan et al. Guest column: additive combinatorics and theoretical computer science. SIGA, 2009.
[50] J. H. Ellis. The Possibility of Secure Non-Secret Digital Encryption. 1998.
[51] Eike Kiltz et al. Practical Chosen Ciphertext Secure Encryption from Factoring. EUROCRYPT, 2009.
[52] Yvo Desmedt et al. A New Paradigm of Hybrid Encryption Scheme. CRYPTO, 2004.
[53] M. Rabin. Digitalized Signatures and Public-Key Functions as Intractable as Factorization. 1979.
[54] Moni Naor et al. Number-theoretic constructions of efficient pseudo-random functions. Proceedings 38th Annual Symposium on Foundations of Computer Science, 1997.
[55] Hovav Shacham et al. Reconstructing RSA Private Keys from Random Key Bits. IACR Cryptology ePrint Archive, Report 2008/510, 2022.
[56] Ronald Cramer et al. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput., 2003.
[57] Amit Sahai et al. On Perfect and Adaptive Security in Exposure-Resilient Cryptography. EUROCRYPT, 2001.
[58] Francis Olivier et al. Electromagnetic Analysis: Concrete Results. CHES, 2001.
[59] Hovav Shacham et al. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. CCS, 2009.
[60] Yael Tauman Kalai et al. On cryptography with auxiliary input. STOC '09, 2009.
[61] Paul C. Kocher. Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks. 2005.
[62] Yuval Ishai et al. Private Circuits II: Keeping Secrets in Tamperable Circuits. EUROCRYPT, 2006.
[63] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.
[64] Federico Poloni. Of Note. 2009.
[65] Eli Biham et al. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 1990.
[66] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems. CACM, 1978.
[67] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). CRYPTO, 1986.
[68] Ueli Maurer et al. Tight security proofs for the bounded-storage model. STOC '02, 2002.
[69] Jan Camenisch et al. An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. IACR Cryptol. ePrint Arch., 2001.
[70] Manuel Blum et al. How to generate cryptographically strong sequences of pseudo random bits. 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), 1982.
[71] Johan Håstad et al. Almost optimal lower bounds for small depth circuits. STOC '86, 1986.
[72] Vinod Vaikuntanathan et al. Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases. EUROCRYPT, 2010.
[73] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography. STOC '05, 2005.
[74] Christof Paar et al. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. CRYPTO, 2008.
[75] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., 1988.
[76] Silvio Micali et al. How to construct random functions. JACM, 1986.
[77] Moti Yung et al. A block cipher based pseudo random number generator secure against side-channel key recovery. ASIACCS '08, 2008.
[78] Whitfield Diffie et al. New Directions in Cryptography. IEEE Trans. Inf. Theory, 1976.
[79] Guy N. Rothblum et al. Leakage-Resilient Signatures. TCC, 2010.
[80] David Cash et al. Intrusion-Resilient Key Exchange in the Bounded Retrieval Model. TCC, 2007.
[81] Yael Tauman Kalai et al. One-Time Programs. CRYPTO, 2008.
[82] Avi Wigderson et al. Computational Analogues of Entropy. RANDOM-APPROX, 2003.
[83] Vinod Vaikuntanathan et al. Signature Schemes with Bounded Leakage Resilience. ASIACRYPT, 2009.
[84] John Black et al. Encryption-Scheme Security in the Presence of Key-Dependent Messages. Selected Areas in Cryptography, 2002.