Leakage-Resilient Cryptography over Large Finite Fields: Theory and Practice

Marcin Andrychowicz; Daniel Masny; Edoardo Persichetti

doi:10.1007/978-3-319-28166-7_32

ACNS 2015: Applied Cryptography and Network Security pp 655-674 | Cite as

Leakage-Resilient Cryptography over Large Finite Fields: Theory and Practice

Authors
Authors and affiliations

Marcin Andrychowicz
Daniel Masny
Edoardo PersichettiEmail author

Conference paper

First Online: 09 January 2016

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9092)

Abstract

Information leakage is a major concern in modern day IT-security. In fact, a malicious user is often able to extract information about private values from the computation performed on the devices. In specific settings, such as RFID, where a low computational complexity is required, it is hard to apply standard techniques to achieve resilience against this kind of attacks. In this paper, we present a framework to make cryptographic primitives based on large finite fields robust against information leakage with a bounded computational cost. The approach makes use of the inner product extractor and guarantees security in the presence of leakage in a widely accepted model. Furthermore, we show how to apply the proposed techniques to the authentication protocol Lapin, and we compare it to existing solutions.

Keywords

Statistical Distance Product Extractor Field Element Protocol Execution Graceful Degradation

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, to check access.

Notes

Acknowledgements

The authors would like to thank Krzysztof Pietrzak and Eike Kiltz for the helpful discussions on the leakage resilience of LPN and Tim Güneysu, Thomas Pöppelmann and Ingo von Maurich for helping with the implementation on the avr microcontroller.

Supplementary material

Open image in new window

A Refreshing Procedures for the Inner Product LRS

As a first security requirement, a refreshing procedure needs to be rerandomizing.

Definition A.1

(Rerandomizing). The refreshed encodings are uniformly distributed over the set of encodings of the encoded value.

Dziembowski and Faust in [DF11] describe two possible refreshing procedures, starting from an intuitive, but flawed, one, and then providing a secure one. The latter makes use of a leak-free component $\mathcal O_R$ that samples uniformly random pairs of orthogonal vectors, and has a complexity of $O(n^2)$ field operations. An improved version appears in [DF12]. The procedure was then revisited and adapted to the AES case in [BFGV12]. We report it in Fig. 2.

Fig. 2.
**Refreshing Procedure.** The refreshing procedure proposed in [BFGV12].

This formulation of a refreshing procedure is very simple but, as the authors incidentally mention, security is based on the (rather unrealistic) assumption that the whole procedure is leakage-free. The reason for this is that, during the interaction between $P_L$ and $P_R$, one of the parties might learn additional information about the secret state of the other one. While leakage on input and output does not cause any problem, an adversary could use this additional knowledge of one of the parties during the procedure to query a leakage function which depends partially on both the encodings. This might reveal information about the inner product of the encodings and hence of the encoded value. Even though in practice, it is not known yet, how to exploit this by a SCA.

To deal with this issue, a property called reconstructability was introduced in [FRR+10]. Let $\textsf {Op}$ be a masked operation with input (L, R), and output $(L',R')$. We call reconstructor a simulator algorithm $\textsf {Rec}$ that is able to recreate the views that both parties would have after executing $\textsf {Op}$, without actually executing it. More specifically, $\textsf {Rec}$ takes as input (L, R) and $(L',R')$, and returns $(\textsf {view}_L,\textsf {view}_R)$. In addition, it is important that the execution of $\textsf {Rec}$ does not require any interaction between the parties after they are given the input.³

Definition A.2

(Reconstructability). A masked operation $\textsf {Op}$ is said to be $\epsilon $-reconstructable if there exists a reconstructor $\textsf {Rec}$ such that, for every $X\in \mathbb F$, it holds that

$$\begin{aligned} \Delta ((L',R',\textsf {view}_L,\textsf {view}_R),(L',R',\textsf {view}_L',\textsf {view}_R'))\le \epsilon , \end{aligned}$$

where $(L,R)=\textsf {Encode}(X)$, $\textsf {view}_L$ and $\textsf {view}_R$ are the views of the two parties after the execution of $\textsf {Op}(L,R)=(L',R')$ and $(\textsf {view}_L',\textsf {view}_R')=\textsf {Rec}((L,R),(L',R'))$.

This property guarantees that leaking from the internal states during the operation on the encodings does not reveal more than just leaking from the input and output of the operation.

A reconstructable refreshing procedure was suggested by Andrychowicz in [And12] and we present it in Figure 3.

Fig. 3.
**Refreshing Procedure.** The procedure $\textsf {Refresh}^n$ is used to refresh the shares of a secret. The values $A,\tilde{A},B,\tilde{B}$ are such that $\langle A , B \rangle =-\langle \tilde{A} , \tilde{B} \rangle $ and $A_i \not = 0$ and ${\tilde{B}}_i \not = 0$ for $1 \le i \le n$.

As opposed to previous proposals, this procedure is more efficient, having a complexity of O(n) operations: it requires 2n inversions, 4n multiplications and 2n additions in the finite field. The procedure makes use of a modified leak-free component $\tilde{\mathcal O_R}$ that generates quadruples of vectors $(A, \tilde{A},B, \tilde{B})$ such that $\langle A , B \rangle =-\langle \tilde{A} , \tilde{B} \rangle $ and for $1 \le i \le n$ it holds that $A_i \not = 0$ and ${\tilde{B}}_i \not = 0$. It is easy to see that this oracle can be simulated by players in possession of $\mathcal O_R$.

Note that his refreshing algorithm assumes that the shares have all non-zero coordinates. In practice, we will use very big fields (at least $|\mathbb F| \ge 2^{256}$), so a random vector would have all non-zero coordinates with overwhelming probability.

It is easy to verify that the procedure $\textsf {Refresh}^n$ of Figure 3 verifies the rerandomizing property. First of all, it is evident that the two shares output by $\textsf {Refresh}^n$ are indeed a correct masking for the input secret, since

Open image in new window

To see that $L'$ are $R'$ are independent from the input, we set $U=R'-R$ and $\tilde{U}=L'-L$. From the condition $\langle L , R \rangle =\langle L' , R' \rangle $ follows $\langle L , U \rangle =-\langle \tilde{U} , R' \rangle $ which is the constraint of $\mathcal O_R$. Therefore $\mathcal O_R$ outputs samples of the correct distribution to make $L'$, $R'$ independent of L, R.

A reconstructor for $\textsf {Refresh}^n$ was given in [And12]. We present it in Figure 4.

Fig. 4.
**Reconstructor.** The above algorithm describes a reconstructor for the procedure $\textsf {Refresh}^n$. The only communication between the parties is the sampling of random vectors V and $\tilde{V}$, which can be done offline.

The author provides a proof that the above procedure is an $\epsilon $-reconstructor for $\textsf {Refresh}^n$ with $\epsilon =0$.

B A Shrinking Procedure for the Inner Product LRS

The $\mathsf {Shrink}$ operation is presented in Fig. 5. It transforms an encoding of length m into an encoding of length $n+1$. It is based on the implicit shrinking procedure used in the multiplication gadget in [DF12].

Fig. 5.
**Shrinking Procedure.** The procedure $\mathsf {Shrink}$ described in this figure is used to reduce the size of the shares of a secret.

Fig. 6.
**Reconstructor.** The above algorithm describes a reconstructor for the procedure $\mathsf {Shrink}$. The views created by the reconstructor for $\textsf {Refresh}$ are treated as part of the output.

The algorithm $\mathsf {Shrink}$ is interactive, so we need to analyze its security carefully. The reason for this is that for example $P_L$ learns during the execution the value of $\widehat{R}$, which reveals some partial information about the secret state of $P_R$. An adversary can use this fact and query a leakage function, which depends partially on both of the encodings, and thus break the security of LRS.

We already introduced reconstruct ability in Appendix A. Reconstructability implies that the interaction between two parties does not contradict the leakage resilience. Since the views of $P_L$ and $P_R$ during a reconstructable procedure can be simulated by a non-interactive reconstructor. This reconstructor only uses Oracles which sample randomness which is independent of sensitive values and he does not require any interaction between $P_L$ and $P_R$.

Theorem B.1

$\mathsf {Shrink}$ is 0-reconstructable.

Proof

The reconstructor for the $\mathsf {Shrink}$ operation is presented on Fig. 6. We need to show that reconstructed views $(L,\tilde{L},L',\widehat{L},\widehat{R})$ and $(R,\tilde{R},R',\widehat{R})$ have the same distribution as in the shrink down procedure. This is already clear for L, R and $L'$, $R'$ since the input is identical. In the shrink procedure $\widehat{L}$ and $\widehat{R}$ are uniform elements in $(\mathbb F\setminus \{0\})^{m-n}$ and their inner product is $\langle \widehat{L} , \widehat{R} \rangle =\tilde{L}_{n+1}$. The presented reconstructor samples $\widehat{L}$ such that this is the case. The correct distribution of $\tilde{L}$, $\tilde{R}$ follows from the correct distribution of $L'$, $R'$ and $\widehat{L}$, $\widehat{R}$: The first n field elements of $\tilde{L}$, $\tilde{R}$ are identical to the first n field elements of $L'$, $R'$ and the last $m-n$ field elements are identical to $\widehat{L}$, $\widehat{R}$. The reconstructability of the view during the refresh procedure follows from the reconstructability of the refresh procedure. $\square $

References

[And12]
Andrychowicz, M.: Efficient refreshing protocol for leakage-resilient storage based on the inner-product extractor. CoRR, abs/1209.4820 (2012)Google Scholar
[BFGV12]
Balasch, J., Faust, S., Gierlichs, B., Verbauwhede, I.: Theory and practice of a leakage resilient masking scheme. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 758–775. Springer, Heidelberg (2012)CrossRefGoogle Scholar
[BKKV10]
Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: FOCS, pp. 501–510. IEEE Computer Society (2010)Google Scholar
[CG88]
Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)MathSciNetCrossRefMATHGoogle Scholar
[DBL12]
53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, 20–23 October 2012. IEEE Computer Society (2012)Google Scholar
[DDV10]
Davì, F., Dziembowski, S., Venturi, D.: Leakage-resilient storage. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 121–137. Springer, Heidelberg (2010)CrossRefGoogle Scholar
[DF11]
Dziembowski, S., Faust, S.: Leakage-resilient cryptography from the inner-product extractor. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 702–721. Springer, Heidelberg (2011)CrossRefGoogle Scholar
[DF12]
Dziembowski, S., Faust, S.: Leakage-resilient circuits without computational assumptions. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 230–247. Springer, Heidelberg (2012)CrossRefGoogle Scholar
[DHLAW10]
Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: FOCS, pp. 511–520. IEEE Computer Society (2010)Google Scholar
[DP08]
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS 2008: Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, Washington, DC, USA. IEEE Computer Society (2008)Google Scholar
[FKPR10]
Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.N.: Leakage-resilient signatures. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 343–360. Springer, Heidelberg (2010)CrossRefGoogle Scholar
[FRR+10]
Faust, S., Rabin, T., Reyzin, L., Tromer, E., Vaikuntanathan, V.: Protecting circuits from leakage: the computationally-bounded and noisy cases. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 135–156. Springer, Heidelberg (2010)CrossRefGoogle Scholar
[GLS14]
Gaspar, L., Leurent, G., Standaert, F.-X.: Hardware implementation and side-channel analysis of lapin. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 206–226. Springer, Heidelberg (2014)CrossRefGoogle Scholar
[GR10]
Goldwasser, S., Rothblum, G.N.: Securing computation against continuous leakage. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 59–79. Springer, Heidelberg (2010)CrossRefGoogle Scholar
[GR12]
Goldwasser, S., Rothblum, G.N.: How to compute in the presence of leakage. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, 20–23 October 2012. IEEE Computer Society, pp. 31–40 (2012)Google Scholar
[GST13]
Genkin, D., Shamir, A., Tromer, E.: Rsa key extraction via low-bandwidth acoustic cryptanalysis. Cryptology ePrint Archive, Report 2013/857 (2013). http://eprint.iacr.org/
[HKL+12]
Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., Pietrzak, K.: Lapin: an efficient authentication protocol based on ring-LPN. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 346–365. Springer, Heidelberg (2012)CrossRefGoogle Scholar
[HVM04]
Hankerson, D., Vanstone, S., Menezes, A.J.: Guide to Elliptic Curve Cryptography. Springer, New York (2004)MATHGoogle Scholar
[ISW03]
Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)CrossRefGoogle Scholar
[JV10]
Juma, A., Vahlis, Y.: Protecting cryptographic keys against continual leakage. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010)Google Scholar
[LM13]
Lyubashevsky, V., Masny, D.: Man-in-the-middle secure authentication schemes from LPN and weak PRFs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 308–325. Springer, Heidelberg (2013)CrossRefGoogle Scholar
[MR04]
Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)CrossRefGoogle Scholar
[PR11]
Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 63–78. Springer, Heidelberg (2011)CrossRefGoogle Scholar
[PRR14]
Prouff, E., Rivain, M., Roche, T.: On the practical security of a leakage resilient masking scheme. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 169–182. Springer, Heidelberg (2014)CrossRefGoogle Scholar
[Rab10]
Rabin, Tal (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010)Google Scholar
[Rao07]
Rao, A.: An exposition of bourgains 2-source extractor. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 14 (2007)Google Scholar
[RP10]
Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)CrossRefGoogle Scholar
[Vaz85]
Vazirani, U.V.: Towards a strong communication complexity theory or generating quasi-random sequences from two communicating slightly-random sources. In: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, pp. 366–378. ACM (1985)Google Scholar

Copyright information

Authors and Affiliations

Marcin Andrychowicz
- 1
Daniel Masny
- 2
Edoardo Persichetti
- 3
Email author

1.University of WarsawWarsawPoland
2.HGI, Ruhr-Universität BochumBochumGermany
3.Dakota State UniversityMadisonUSA

Leakage-Resilient Cryptography over Large Finite Fields: Theory and Practice

Abstract

Keywords

Notes

Acknowledgements

Supplementary material

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper