Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs

(Full Version)
  • Kimmo Järvinen
  • Vladimir Kolesnikov
  • Ahmad-Reza Sadeghi
  • Thomas Schneider
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6225)

Abstract

The power of side-channel leakage attacks on cryptographic implementations is evident. Today’s practical defenses are typically attack-specific countermeasures against certain classes of side-channel attacks. The demand for a more general solution has given rise to the recent theoretical research that aims to build provably leakage-resilient cryptography. This direction is, however, very new and still largely lacks practitioners’ evaluation with regard to both efficiency and practical security. A recent approach, One-Time Programs (OTPs), proposes using Yao’s Garbled Circuit (GC) and very simple tamper-proof hardware to securely implement oblivious transfer, to guarantee leakage resilience.

Our main contributions are (i) a generic architecture for using GC/OTP modularly, and (ii) a hardware implementation and efficiency analysis of GC/OTP evaluation. We implemented two FPGA-based prototypes: a system-on-a-programmable-chip with access to a hardware crypto accelerator (suitable for smartcards and future smartphones), and a stand-alone hardware implementation (suitable for ASIC design). We chose AES as a representative complex function for implementation and measurements. As a result of this work, we are able to understand, evaluate and improve the practicality of employing GC/OTP as a leakage-resistance approach.
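To make the OTP idea sketched in the abstract concrete, the following added example (not code from the paper or its prototypes) garbles a single two-input gate the way Yao's construction does and delivers the evaluator's input keys through a simulated one-time memory token, the "very simple tamper-proof hardware" that stands in for oblivious transfer. The validity tag used to pick the right table row is a simplifying assumption of this example, and the hash-based gate encryption is illustrative rather than the paper's actual garbling scheme.

```python
import hashlib
import secrets

KEY_LEN = 16  # wire keys are 128-bit; constructed parameters for this example


def _pad(ka: bytes, kb: bytes) -> bytes:
    """Key-derived 32-byte one-time pad for one garbled-table row (illustrative)."""
    return hashlib.sha256(ka + kb).digest()


def garble_gate(func, wa, wb, wc):
    """Garble one 2-input gate. wa, wb, wc are (key_for_0, key_for_1) wire pairs.
    Each row encrypts output_key || zero_tag; the evaluator recognises the row
    it can open by the zero tag (simplified, not point-and-permute)."""
    table = []
    for a in (0, 1):
        for b in (0, 1):
            plain = wc[func(a, b)] + bytes(KEY_LEN)
            table.append(bytes(x ^ y for x, y in zip(_pad(wa[a], wb[b]), plain)))
    secrets.SystemRandom().shuffle(table)  # hide which row belongs to which inputs
    return table


def eval_gate(table, ka, kb):
    """Open the one row whose tag checks; the other rows look random."""
    for ct in table:
        plain = bytes(x ^ y for x, y in zip(_pad(ka, kb), ct))
        if plain[KEY_LEN:] == bytes(KEY_LEN):
            return plain[:KEY_LEN]
    raise ValueError("no valid row: wrong keys")


class OneTimeMemory:
    """Simulated tamper-proof token: holds (k0, k1), releases one, then locks."""

    def __init__(self, k0, k1):
        self._keys, self._used = (k0, k1), False

    def read(self, bit):
        if self._used:
            raise PermissionError("OTM already consumed")
        self._used = True
        return self._keys[bit]


def create_otp(func):
    """Creator's side: garble the gate and load one OTM per evaluator input wire."""
    wa, wb, wc = [(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for _ in range(3)]
    return garble_gate(func, wa, wb, wc), (OneTimeMemory(*wa), OneTimeMemory(*wb)), {wc[0]: 0, wc[1]: 1}


def run_otp(otp, a, b):
    """Evaluator's side: pull one key per OTM, evaluate, decode the output wire."""
    table, tokens, decode = otp
    return decode[eval_gate(table, tokens[0].read(a), tokens[1].read(b))]


def demo(func, a, b):
    """Run the OTP once, then report whether a second evaluation is refused."""
    otp = create_otp(func)
    result = run_otp(otp, a, b)
    try:
        run_otp(otp, a, b)
        return result, False
    except PermissionError:
        return result, True
```

Because each token releases exactly one of its two keys, the evaluator learns only the garbled output for its chosen input and cannot re-run the program on a second input, which is the property that limits what a side channel on the evaluation can leak.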


Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Kimmo Järvinen (1)
  • Vladimir Kolesnikov (2)
  • Ahmad-Reza Sadeghi (3)
  • Thomas Schneider (3)

  1. Dep. of Information and Comp. Science, Aalto University, Finland
  2. Alcatel-Lucent Bell Laboratories, Murray Hill, USA
  3. Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany