SNI-in-the-head: Protecting MPC-in-the-head Protocols against Side-channel Analysis

MPC-in-the-head based protocols have recently gained much popularity and are at the brink of seeing widespread usage. With widespread use come the spectres of implementation issues and implementation attacks such as side-channel attacks. We show that implementations of MPC-in-the-head protocols are vulnerable to side-channel attacks. As a case study, we choose the ZKBoo protocol of Giacomelli, Madsen, and Orlandi (USENIX 2016) and show that even a single leaked value is sufficient to break the security of the protocol. To show that this attack is not just a theoretical vulnerability, we apply differential power analysis in a simulation and demonstrate the vulnerability. In order to remedy this situation, we extend and generalize the ZKBoo protocol by making use of the notion of strong non-interference of Barthe et al. (CCS 2016). To apply this notion to ZKBoo, we construct novel versions of strongly non-interfering gadgets that balance the randomness evenly across the different branches. Finally, we show that every circuit can be decomposed into branches using only these balanced strongly non-interfering gadgets. This allows us to construct a version of ZKBoo, called $(n+1)$-ZKBoo, which is secure against side-channel attacks with limited overhead in both signature size and running time. Furthermore, $(n+1)$-ZKBoo scales to the desired security level against adversarial probes. We experimentally confirm that the attacks that succeed against ZKBoo no longer work on $(n+1)$-ZKBoo. Moreover, we present an extensive performance analysis and quantify the overhead of our scheme using a practical implementation.
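The following simulation is an added illustration of the mechanism the abstract describes; it is my own code, not the paper's implementation and not ZKBoo's reference code. A witness byte is XOR-shared across three branches as in ZKBoo's (2,3)-decomposition, the verifier's challenge opens two of the three views, and the two opened shares therefore determine the hidden share up to the witness. The block models a probe on the hidden branch as a noisy Hamming-weight observation, shows that correlating it with predictions derived from the opened views recovers the witness (the "single leaked value" of the abstract), and then shows that holding the hidden branch as fresh random pieces, the generic probing-model re-masking that strong non-interference formalizes, leaves a single probe uninformative. The paper's balanced SNI gadgets are not reproduced here; the share layout, parameter values, noise model and all function names are my assumptions, and which branch is hidden is fixed to the third one without loss of generality.

```python
import random
from typing import Dict, List, Tuple

# Constructed simulation parameters (assumptions, not values from the paper).
SEED = 1234          # fixed so the run is reproducible
TRACES = 2000        # number of simulated proof generations for one witness
NOISE_SIGMA = 1.0    # Gaussian measurement noise added to each probe


def hw(x: int) -> int:
    """Hamming weight of a byte: the usual leakage model for a register write."""
    return bin(x & 0xFF).count("1")


def share3(w: int, rng: random.Random) -> Tuple[int, int, int]:
    """ZKBoo-style XOR sharing of a witness byte into three branch values."""
    x1, x2 = rng.randrange(256), rng.randrange(256)
    return x1, x2, w ^ x1 ^ x2


def simulate_proofs(w: int, n: int, rng: random.Random,
                    sub_shares: int = 1) -> List[Tuple[int, int, float]]:
    """Simulate n proofs for the same witness byte w.

    Each record is (opened share 1, opened share 2, probe). The probe is a noisy
    Hamming weight of ONE value living on the branch the verifier never opens.
    sub_shares == 1: that value is the hidden share itself (plain ZKBoo layout).
    sub_shares  > 1: the hidden share is held as sub_shares fresh random XOR
    pieces and the probe sees exactly one of them (generic re-masking, assumed
    here as the shape of a probing-secure branch; not the paper's gadget).
    """
    records = []
    for _ in range(n):
        x1, x2, x3 = share3(w, rng)
        if sub_shares == 1:
            probed = x3
        else:
            pieces = [rng.randrange(256) for _ in range(sub_shares - 1)]
            last = x3
            for p in pieces:
                last ^= p          # last piece makes the XOR of all pieces equal x3
            pieces.append(last)
            probed = pieces[rng.randrange(sub_shares)]
        records.append((x1, x2, hw(probed) + rng.gauss(0.0, NOISE_SIGMA)))
    return records


def pearson(xs: List[float], ys: List[float]) -> float:
    """Sample Pearson correlation (no numpy, to keep the block dependency-free)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    sxx = sum((a - mx) ** 2 for a in xs)
    syy = sum((b - my) ** 2 for b in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def dpa_rank(records: List[Tuple[int, int, float]]) -> Tuple[int, float]:
    """Correlation DPA over the witness byte.

    The two opened views are public, so for each hypothesis h the hidden share
    would be h ^ x1 ^ x2; its Hamming weight is correlated with the probe.
    Returns (best-ranked hypothesis, its correlation coefficient).
    """
    probes = [r[2] for r in records]
    best_h, best_c = 0, -1.0
    for h in range(256):
        preds = [hw(h ^ x1 ^ x2) for x1, x2, _ in records]
        c = pearson(preds, probes)
        if c > best_c:
            best_h, best_c = h, c
    return best_h, best_c


def demo(w: int = 0x5A) -> Dict[str, object]:
    """Run the same single-probe analysis against the plain and re-masked layouts."""
    rng = random.Random(SEED)
    plain = dpa_rank(simulate_proofs(w, TRACES, rng, sub_shares=1))
    remasked = dpa_rank(simulate_proofs(w, TRACES, rng, sub_shares=2))
    return {"witness": w, "plain": plain, "remasked": remasked}


if __name__ == "__main__":
    result = demo()
    print("witness byte          :", hex(result["witness"]))
    print("plain (2,3) layout    : best hypothesis %s, corr %.2f" %
          (hex(result["plain"][0]), result["plain"][1]))
    print("re-masked hidden share: best hypothesis %s, corr %.2f" %
          (hex(result["remasked"][0]), result["remasked"][1]))
```

Under the Hamming-weight model the correct hypothesis in the plain layout reaches a correlation near $\sqrt{2/3}$ for this noise level, while every wrong hypothesis stays at most three quarters of that, so a couple of thousand simulated proofs rank the witness first. In the re-masked layout each probed piece is uniformly random and independent of the witness even given both opened views, so no hypothesis stands out; a standard fixed-versus-random t-test on the hidden share alone would look clean in both layouts, which is exactly why an evaluation of an MPC-in-the-head implementation has to treat the opened views as known inputs to the analysis.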

[1] Pankaj Rohatgi et al. Introduction to differential power analysis. Journal of Cryptographic Engineering, 2011.

[2] Benjamin Grégoire et al. Compositional Verification of Higher-Order Masking: Application to a Verifying Masking Compiler. IACR Cryptology ePrint Archive, 2015.

[3] Dominique Unruh et al. Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model. EUROCRYPT, 2015.

[4] Mark Zhandry et al. Revisiting Post-Quantum Fiat-Shamir. IACR Cryptology ePrint Archive, 2019.

[5] Emmanuel Prouff et al. Masking against Side-Channel Attacks: A Formal Security Proof. EUROCRYPT, 2013.

[6] Daniel Kales et al. Improving the Performance of the Picnic Signature Scheme. IACR Cryptology ePrint Archive, 2020.

[7] Jesper Madsen et al. ZKBoo: Faster Zero-Knowledge for Boolean Circuits. USENIX Security Symposium, 2016.

[8] Adrian Thillard et al. Randomness Complexity of Private Circuits for Multiplication. EUROCRYPT, 2016.

[9] François-Xavier Standaert et al. Composable Masking Schemes in the Presence of Physical Defaults and the Robust Probing Model. IACR Cryptology ePrint Archive, 2018.

[10] Peter W. Shor et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Review, 1995.

[11] Daniel Smith-Tone et al. Report on Post-Quantum Cryptography. 2016.

[12] Morris J. Dworkin et al. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. 2015.

[13] Jean-Sébastien Coron et al. Faster Evaluation of SBoxes via Common Shares. CHES, 2016.

[14] Rafail Ostrovsky et al. Zero-Knowledge Proofs from Secure Multiparty Computation. SIAM Journal on Computing, 2009.

[15] Rafail Ostrovsky et al. Constructing Non-malleable Commitments: A Black-Box Approach. IEEE 53rd Annual Symposium on Foundations of Computer Science, 2012.

[16] Yuval Ishai et al. Ligero: Lightweight Sublinear Arguments Without a Trusted Setup. Designs, Codes and Cryptography, 2017.

[17] Oded Goldreich et al. Foundations of Cryptography: Volume 1, Basic Tools. 2001.

[18] François-Xavier Standaert et al. How (not) to Use Welch's T-test in Side-Channel Security Evaluations. IACR Cryptology ePrint Archive, 2018.

[19] Adi Shamir et al. Efficient Cache Attacks on AES, and Countermeasures. Journal of Cryptology, 2010.

[20] Serge Fehr et al. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model. IACR Cryptology ePrint Archive, 2019.

[21] Stefan Mangard et al. Formal Verification of Masked Hardware Implementations in the Presence of Glitches. IACR Cryptology ePrint Archive, 2018.

[22] Emmanuela Orsini et al. BBQ: Using AES in Picnic Signatures. IACR Cryptology ePrint Archive, 2019.

[23] Daniel Slamanig et al. Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives. CCS, 2017.

[24] Emmanuel Prouff et al. Provably Secure Higher-Order Masking of AES. IACR Cryptology ePrint Archive, 2010.

[25] Pankaj Rohatgi et al. Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO, 1999.

[26] Martin R. Albrecht et al. Ciphers for MPC and FHE. IACR Cryptology ePrint Archive, 2015.

[27] Andris Ambainis et al. Quantum Attacks on Classical Proof Systems: The Hardness of Quantum Rewinding. IEEE 55th Annual Symposium on Foundations of Computer Science, 2014.

[28] Ward Beullens. Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. 2020.

[29] Benjamin Grégoire et al. maskVerif: Automated Verification of Higher-Order Masking in Presence of Physical Defaults. ESORICS, 2019.

[30] Jean-Sébastien Coron et al. Higher-Order Side Channel Security and Mask Refreshing. FSE, 2013.

[31] Yehuda Lindell et al. Efficient Secure Two-Party Protocols: Techniques and Constructions. 2010.

[32] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[33] Benjamin Grégoire et al. Strong Non-Interference and Type-Directed Higher-Order Masking. CCS, 2016.

[34] P. Rohatgi et al. A testing methodology for side channel resistance. 2011.

[35] Jonathan Katz et al. Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures. IACR Cryptology ePrint Archive, 2018.

[36] Siva Sai Yerubandi et al. Differential Power Analysis. 2002.

[37] André Chailloux. Quantum security of the Fiat-Shamir transform of commit and open protocols. IACR Cryptology ePrint Archive, 2019.

[38] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO, 1986.

[39] Thomas Eisenbarth et al. Differential Power Analysis of the Picnic Signature Scheme. IACR Cryptology ePrint Archive, 2020.

[40] Yuval Ishai et al. Private Circuits: Securing Hardware against Probing Attacks. CRYPTO, 2003.

[41] Yuval Yarom et al. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. USENIX Security Symposium, 2014.