A Formal Analysis of Timing Channel Security via Bucketing
 3 Citations
 5.5k Downloads
Abstract
This paper investigates the effect of bucketing in security against timing channel attacks. Bucketing is a technique proposed to mitigate timingchannel attacks by restricting a system’s outputs to only occur at designated time intervals, and has the effect of reducing the possible timingchannel observations to a small number of possibilities. However, there is little formal analysis on when and to what degree bucketing is effective against timingchannel attacks. In this paper, we show that bucketing is in general insufficient to ensure security. Then, we present two conditions that can be used to ensure security of systems against adaptive timing channel attacks. The first is a general condition that ensures that the security of a system decreases only by a limited degree by allowing timingchannel observations, whereas the second condition ensures that the system would satisfy the first condition when bucketing is applied and hence becomes secure against timingchannel attacks. A main benefit of the conditions is that they allow separation of concerns whereby the security of the regular channel can be proven independently of concerns of sidechannel information leakage, and certain conditions are placed on the side channel to guarantee the security of the whole system. Further, we show that the bucketing technique can be applied compositionally in conjunction with the constanttimeimplementation technique to increase their applicability. While we instantiate our contributions to timing channel and bucketing, many of the results are actually quite general and are applicable to any side channels and techniques that reduce the number of possible observations on the channel.
1 Introduction
Sidechannel attacks aim to recover a computer system’s secret information by observing the target system’s side channels such as cache, power, timing and electromagnetic radiation [11, 15, 16, 17, 21, 23, 24, 25, 31, 36]. They are well recognized as a serious threat to the security of computer systems. Timingchannel (or simply timing) attacks are a class of sidechannel attacks in which the adversary makes observations on the system’s running time. Much research has been done to detect and prevent timing attacks [1, 3, 4, 6, 7, 9, 18, 20, 22, 26, 27, 30, 41].
Bucketing is a technique proposed for mitigating timing attacks [7, 14, 26, 27, 41]. It restricts the system’s outputs to only occur at designated time intervals. Therefore, bucketing has the effect of reducing the possible timingchannel observations to a small number of possibilities. This is at some cost of system’s performance because outputs must be delayed to the next bucket time. Nonetheless, in comparison to the constanttime implementation technique [1, 3, 6, 9, 20, 22] which restricts the system’s running time to be independent of secrets, bucketing is often said to be more efficient and easier to implement as it allows running times to vary depending on secrets [26, 27].^{1} For example, bucketing may be implemented in a blackboxstyle by a monitor that buffers and delays outputs [7, 41].
In this paper, we formally study the effect of bucketing on security against adaptive timing attacks. To this end, first, we give a formal notion of security against adaptive sidechannelobserving adversaries, called \((f,\epsilon )\)security. Roughly, \((f,\epsilon )\)security says that the probability that an adversary can recover the secret by making at most f(n) many queries to the system is bounded by \(\epsilon (n)\), where n is the security parameter.
Next, we show that bucketing alone is in general insufficient to guarantee security against adaptive sidechannel attacks by presenting a counterexample that has only two timing observations and yet is efficiently attackable. This motivates a search for conditions sufficient for security. We present a condition, called secretrestricted sidechannel refinement (\(\mathsf {SRSCR}{}\)), which roughly says that a system is secure if there are sufficiently large subsets of secrets such that (1) the system’s side channel reveals no more information than the regular channel on the subsets and (2) the system is secure on the subsets against adversaries who only observe the regular channel. The degree of security (i.e., f and \(\epsilon \)) is proportional to that against regularchannelonlyobserving adversaries and the size of the subsets.
Because of the insufficiency of bucketing mentioned above, applying bucketing to an arbitrary system may not lead to a system that satisfies \(\mathsf {SRSCR}{}\) (for good f and \(\epsilon \)). To this end, we present a condition, called lowinput sidechannel noninterference (\(\mathsf {LISCNI}{}\)). We show that applying bucketing to a system that satisfies the condition would result in a system that satisfies \(\mathsf {SRSCR}{}\). Therefore, \(\mathsf {LISCNI}{}\) is a sufficient condition for security under the bucketing technique. Roughly, \(\mathsf {LISCNI}{}\) says that (1) the sidechannel observation does not depend on attackercontrolled inputs (but may depend on secrets) and (2) the system is secure against adversaries who only observe the regular channel. The degree of security is proportional to that against regularchannelonlyobserving adversaries and the granularity of buckets. A main benefit of the conditions \(\mathsf {SRSCR}{}\) and \(\mathsf {LISCNI}{}\) is that they allow separation of concerns whereby the security of the regular channel can be proven independently of concerns of sidechannel information leakage, and certain conditions are placed on the side channel to guarantee the security of the whole system.
Finally, we show that the bucketing technique can be applied in a compositional manner with the constanttime implementation technique. Specifically, we show that when a system is a sequential composition of components in which one component is constanttime and the other component \(\mathsf {LISCNI}{}\), the whole system can be made secure by applying bucketing only to the nonconstanttime part. We show that the combined approach is able to ensure security of some nonconstanttime systems that cannot be made secure by applying bucketing to the whole system. We summarize the main contributions below.

A formal notion of security against adaptive sidechannelobserving adversaries, called \((f,\epsilon )\)security. (Sect. 2)

A counterexample which shows that bucketing alone is insufficient for security against adaptive sidechannel attacks. (Sect. 2.1)

A condition \(\mathsf {SRSCR}{}\) which guarantees \((f,\epsilon )\)security. (Sect. 3.1)

A condition \(\mathsf {LISCNI}{}\) which guarantees that the system satisfying it becomes one that satisfies \(\mathsf {SRSCR}{}\) and therefore becomes \((f,\epsilon )\)secure after suitable bucketing is applied. (Sect. 3.2)

A compositional approach that combines bucketing and the constanttime technique. (Sect. 3.3)
While the paper focuses on timing channels and bucketing, many of the results are actually quite general and are applicable to side channels other than timing channels. Specifically, aside from the compositional bucketing result that exploits the “additive” nature of timing channels (cf. Sect. 3.3), the results are applicable to any side channels and techniques that reduce the number of possible sidechannel observations
The rest of the paper is organized as follows. Section 2 formalizes the setting, and defines \((f,\epsilon )\)security which is a formal notion of security against adaptive sidechannel attacks. We also show that bucketing is in general insufficient to guarantee security of systems against adaptive sidechannel attacks. Section 3 presents sufficient conditions for ensuring \((f,\epsilon )\)security: \(\mathsf {SRSCR}\) and \(\mathsf {LISCNI}\). We show that they facilitate proving the security of systems by allowing system designers to prove the security of regular channels separately from the concern of side channels. We also show that the \(\mathsf {LISCNI}\) condition may be used in combination with the constanttime implementation technique in a compositional manner so as to prove the security of systems that are neither constanttime nor can be made secure by (globally) applying bucketing. Section 4 discusses related work. Section 5 concludes the paper with a discussion on future work.
2 Security Against Adaptive SideChannel Attacks
Formally, a system (or, program) is a tuple \((\mathsf {rc},\mathsf {sc},\mathcal {S},\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^{\mathsf {sc}})\) where \(\mathsf {rc}\) and \(\mathsf {sc}\) are indexed families of functions (indexed by the security parameter) that represent the regularchannel and sidechannel inputoutput relation of the system, respectively. \(\mathcal {S}\) is a securityparameterindexed family of sets of secrets (or, high inputs) and \(\mathcal {I}\) is a securityparameterindexed family of sets of attackercontrolled inputs (or, low inputs). A security parameter is a natural number that represents the size of secrets, and we write \(\mathcal {S}_n\) for the set of secrets of size n and \(\mathcal {I}_n\) for the set of corresponding attackercontrolled inputs. Each indexed function \(\mathsf {rc}_n\) (respectively \(\mathsf {sc}_n\)) is a function from \(\mathcal {S}_n\times \mathcal {I}_n\) to \(\mathcal {O}^{\mathsf {rc}}_n\) (resp. \(\mathcal {O}^{\mathsf {sc}}_n\)), where \(\mathcal {O}^{\mathsf {rc}}\) and \(\mathcal {O}^{\mathsf {sc}}\) are indexed families of sets of possible regularchannel and sidechannel outputs, respectively. For \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), we write \(\mathsf {rc}_n(s,v)\) (resp. \(\mathsf {sc}_n(s,v)\)) for the regularchannel (resp. sidechannel) output given the secret s and the attackercontrolled input v.^{2} For a system \(C= (\mathsf {rc},\mathsf {sc},\mathcal {S},\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^{\mathsf {sc}})\), we often write \(\mathsf {rc}\langle {C}\rangle \) for \(\mathsf {rc}\), \(\mathsf {sc}\langle {C}\rangle \) for \(\mathsf {sc}\), \(\mathcal {S}\langle {C}\rangle \) for \(\mathcal {S}\), \(\mathcal {I}\langle {C}\rangle \) for \(\mathcal {I}\), \(\mathcal {O}^{\mathsf {rc}}\langle {C}\rangle \) for \(\mathcal {O}^{\mathsf {rc}}\), and \(\mathcal {O}^{\mathsf {sc}}\langle {C}\rangle \) for \(\mathcal {O}^{\mathsf {sc}}\). We often omit “\(\langle {C}\rangle \)” when it is clear from the context.
For a system \(C\) and \(s \in \mathcal {S}_n\), we write \(C_n(s)\) for the oracle which, given \(v \in \mathcal {I}_n\), returns a pair of outputs \((o_1,o_2)\in \mathcal {O}^{\mathsf {rc}}_n \times \mathcal {O}^{\mathsf {sc}}_n\) such that \(\mathsf {rc}_n(s,v) = o_1\) and \(\mathsf {sc}_n(s,v) = o_2\). An adversary \(\mathcal {A}\) is an algorithm that attempts to discover the secret by making some number of oracle queries. As standard, we assume that \(\mathcal {A}\) has the full knowledge of the system. For \(i \in \mathbb {N}\), we write \(\mathcal {A}^{C_n(s)}(i)\) for the adversary \(\mathcal {A}\) that makes at most i oracle queries to \(C_n(s)\). We impose no restriction on how the adversary chooses the inputs to the oracle. Importantly, he may choose the inputs based on the outputs of previous oracle queries. Such an adversary is said to be adaptive [25].
Also, for generality, we intentionally leave the computation class of adversaries unspecified. The methods presented in this paper work for any computation class, including the class of polynomial time randomized algorithms and the class of resourceunlimited randomized algorithms. The former is the standard for arguing the security of cryptography algorithms, and the latter ensures information theoretic security. In what follows, unless specified otherwise, we assume that the computation class of adversaries is the class of resourceunlimited randomized algorithms.
Definition 1
(\((f,\epsilon )\)security). Let \(f:\mathbb {N}\rightarrow \mathbb {N}\) and \(\epsilon :\mathbb {N}\rightarrow \mathbb {R}\) be such that \(0 < \epsilon (n) \le 1\) for all \(n \in \mathbb {N}\). We say that a system is \((f,\epsilon )\)secure if there exists \(N \in \mathbb {N}\) such that for all adversaries \(\mathcal {A}\) and \(n \ge N\), it holds that \(\Pr [ Win _{\mathcal {A}}({n},{f})] < \epsilon (n)\).
Roughly, \((f,\epsilon )\)secure means that, for all sufficiently large n, there is no attack that is able to recover secrets in f(n) number of queries with the probability of success \(\epsilon (n)\).
Example 1
(Leaky Login). Consider the program shown in Fig. 1 written in a Clike language. The program is an abridged version of the timing insecure login program from [6]. Here, pass is the secret and guess is the attackercontrolled input, each represented as a length n bit array. We show that there is an efficient adaptive timing attack against the program that recovers the secret in a linear number of queries.

\(\mathcal {S}_n = \mathcal {I}_n = \{0,1\}^n\);

\(\mathcal {O}^{\mathsf {rc}}_n = \{\texttt {true},\texttt {false}\}\) and \(\mathcal {O}^{\mathsf {sc}}_n = \{ i \in \mathbb {N}\mid i \le n\}\);

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {rc}_n(s,v) = \texttt {true}\) if \(s=v\) and \(\mathsf {rc}_n(s,v) = \texttt {false}\) if \(s \ne v\); and

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), Open image in new window .
Here, Open image in new window denotes the length i prefix of a. Note that \(\mathsf {sc}\) expresses the timingchannel observation, as its output corresponds to the number of times the loop iterated.
For a secret \(s \in \mathcal {S}_n\), the adversary \(\mathcal {A}^{C_n(s)}(n)\) efficiently recovers s as follows. He picks an arbitrary \(v_1 \in \mathcal {I}_n\) as the initial guess. By seeing the timingchannel output \(\mathsf {sc}_n(s,v_1)\), he would be able to discover at least the first bit of s, s[0], because \(s[0] = v_1[0]\) if and only if \(\mathsf {sc}_n(s,v_1) > 0\). Then, he picks an arbitrary \(v_2\in \{0,1\}^n\) satisfying \(v_2[0] = s[0]\), and by seeing the timingchannel output, he would be able to discover at least up to the second bit of s. Repeating the process n times, he will recover all n bits of s. Therefore, the system is not \((n,\epsilon )\)secure for any \(\epsilon \). This is an example of an adaptive attack since the adversary crafts the next input by using the knowledge of previous observations.\(\blacktriangle \)
Example 2

\(\mathsf {rc}\), \(\mathsf {sc}\), \(\mathcal {I}\), \(\mathcal {O}^{\mathsf {rc}}\) are as in Example 1;

For all \(n \in \mathbb {N}\), \(\mathcal {O}^{\mathsf {sc}}_n = \{i \in \mathbb {N}\mid i \le k\}\); and

For all \(n \in \mathbb {N}\) and \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), Open image in new window
2.1 Insufficiency of Bucketing
We show that bucketing is in general insufficient to guarantee the security of systems against adaptive sidechannel attacks. In fact, we show that bucketing with even just two buckets is insufficient. (Two is the minimum number of buckets that can be used to show the insufficiency because having only one bucket implies that the system is constanttime and therefore is secure.) More generally, our result applies to any side channels, and it shows that there are systems with just two possible sidechannel outputs and completely secure (i.e., noninterferent [19, 37]) regular channel that is efficiently attackable by sidechannelobserving adversaries.

\(\mathcal {S}_n = \{0,1\}^n\) and \(\mathcal {I}_n = \{i\in \mathbb {N}\mid i \le n \}\);

\(\mathcal {O}^{\mathsf {rc}}_n = \{\bullet \}\) and \(\mathcal {O}^{\mathsf {sc}}_n = \{0,1\}\);

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {rc}_n(s,v) = \bullet \); and

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}_n(s,v) = s[v]\).
Note that the regular channel \(\mathsf {rc}\) only has one possible output and therefore is noninterferent. The side channel \(\mathsf {sc}\) has just two possible outputs. The side channel, given an attackercontrolled input \(v \in \mathcal {I}_n\), reveals the vth bit of s. It is easy to see that the system is linearly attackable. That is, for any secret \(s \in \mathcal {S}_n\), the adversary may recover the entire n bits of s by querying with each of the nmany possible attackercontrolled inputs. Therefore, the system is not \((n,\epsilon )\)secure for any \(\epsilon \). Note that the side channel is easily realizable as a timing channel, for example, by having a branch with the branch condition “\(s[v] = 0\)” and different running times for the branches.
We remark that the above attack is not adaptive. Therefore, the counterexample actually shows that bucketing can be made ineffective by just allowing multiple nonadaptive sidechannel observations. We also remark that the counterexample shows that some previously proposed measures are insufficient. For example, the capacity measure [5, 28, 33, 39] would not be able to detect the vulnerability of the example, because the measure is equivalent to the log of the number of possible outputs for deterministic systems.
3 Sufficient Conditions for Security Against Adaptive SideChannel Attacks
In this section, we present conditions that guarantee the security of systems against adaptive sidechannelobserving adversaries. The condition \(\mathsf {SRSCR}\) presented in Sect. 3.1 guarantees that systems that satisfy it are secure, whereas the condition \(\mathsf {LISCNI}\) presented in Sect. 3.2 guarantees that systems that satisfy it become secure once bucketing is applied. We shall show that the conditions facilitate proving \((f,\epsilon )\)security of systems by separating the concerns of regular channels from those of side channels. In addition, we show in Sect. 3.3 that the \(\mathsf {LISCNI}\) condition may be used in combination with constanttime implementation techniques in a compositional manner so as to prove the security of systems that are neither constanttime nor can be made secure by (globally) applying bucketing.
3.1 SecretRestricted SideChannel Refinement Condition
We present the secretrestricted sidechannel refinement condition (\(\mathsf {SRSCR}\)). Informally, the idea here is to find large subsets of secrets \(S' \subseteq \mathcal {P}(\mathcal {S}_n)\) such that for each \(S'' \in S'\), the secrets are difficult for an adversary to recover by only observing the regular channel, and that the side channel reveals no more information than the regular channel for those sets of secrets. Then, because \(S'\) is large, the entire system is also ensured to be secure with high probability. We adopt refinement order [29, 38], which had been studied in quantitative information flow research, to formalize the notion of “reveals no more information”. Roughly, a channel \(C_1\) is said to be a refinement of a channel \(C_2\) if, for every attackercontrolled input, every pair of secrets that \(C_2\) can distinguish can also be distinguished by \(C_1\).
We write \(\mathcal {O}^\bullet \) for the indexed family of sets such that \(\mathcal {O}^\bullet _n = \{ \bullet \}\) for all \(n \in \mathbb {N}\). Also, we write \(\mathsf {sc}^\bullet \) for the indexed family of functions such that \(\mathsf {sc}^\bullet _n(s,v) = \bullet \) for all \(n\in \mathbb {N}\) and \((s,v)\in \mathcal {S}_n\times \mathcal {I}_n\). For \(C= (\mathsf {rc},\mathsf {sc},\mathcal {S},\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^{\mathsf {sc}})\), we write \(C^\bullet \) for the system \((\mathsf {rc},\mathsf {sc}^\bullet ,\mathcal {S},\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^\bullet )\). We define the notion of regularchannel security.
Definition 2
(Regularchannel \((f,\epsilon )\)security). We say that the \(C\) is regularchannel \((f,\epsilon )\)secure if \(C^\bullet \) is \((f,\epsilon )\)secure.
Roughly, regularchannel security says that the system is secure against attacks that only observe the regular channel output.
Let us fix a system \(C= (\mathsf {rc},\mathsf {sc},\mathcal {S},\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^{\mathsf {sc}})\). For an indexed family of sets of sets of secrets \(S'\) (i.e., \(S'_n \subseteq \mathcal {P}(\mathcal {S}_n)\) for each n), we write \(S'' \prec S'\) when \(S''\) is an indexed family of sets of secrets such that \(S''_n \in S_n'\) for each n. Note that such \(S''\) satisfies \(S''_n \subseteq \mathcal {S}_n\) for each n. Also, for \(S'' \prec S'\), we write \(C_{S''}\) for the system that is equal to \(C\) except that its secrets are restricted to \(S''\), that is, \((\mathsf {rc},\mathsf {sc},S'',\mathcal {I},\mathcal {O}^{\mathsf {rc}},\mathcal {O}^{\mathsf {sc}})\). Next, we formalize the \(\mathsf {SRSCR}\) condition.
Definition 3
 (1)
For all \(n \in \mathbb {N}\), \(r \le \bigcup S^{ res}_n/\mathcal {S}_n\);
 (2)
For all \(S'' \prec S^{ res}\), \(C_{S''}\) is regularchannel \((f,\epsilon )\)secure; and
 (3)
For all \(n \in \mathbb {N}\), \(S \in S^{ res}_n\), \(v\in \mathcal {I}_n\) and \(s_1,s_2 \in S\), it holds that \(\mathsf {sc}_n(s_1,v) \ne \mathsf {sc}_n(s_2,v) \Rightarrow \mathsf {rc}_n(s_1,v) \ne \mathsf {rc}_n(s_2,v)\).
Condition (2) says that the system is regularchannel \((f,\epsilon )\)secure when restricted to any subset of secrets \(S'' \prec S^{ res}\). Condition (3) says that the system’s side channel reveals no more information than its regular channel for the restricted secret subsets. Condition (1) says that the ratio of the restricted set over the entire space of secrets is at least r.^{4}
We informally describe why \(\mathsf {SRSCR}\) is a sufficient condition for security. The condition guarantees that, for the restricted secrets \(S^{ res}\), the attacker gains no additional information by observing the sidechannel compared to what he already knew by observing the regular channel. Then, because r is a bound on the probability that a randomly selected secret falls in \(S^{ res}\), the system is secure provided that r is suitably large and the system is regularchannel secure. The theorem below formalizes the above intuition.
Theorem 1
(\(\mathsf {SRSCR}\) Soundness). Suppose \(C\) satisfies \(\mathsf {SRSCR}(f,\epsilon ,r)\). Then, \(C\) is \((f,\epsilon ')\)secure, where \(\epsilon ' = 1  r(1\epsilon )\).
Proof
Let \(S^{ res}\) be an indexed family of sets of secret subsets that satisfies conditions (1), (2), and (3) of \(\mathsf {SRSCR}(f,\epsilon ,r)\). By condition (2), for all sufficiently large n and adversaries \(\mathcal {A}\), \(\Pr [\textit{Win}_{\mathcal {A}}^{\bullet ,{ res}}({n},{f})] < \epsilon (n)\) where \(\textit{Win}_{\mathcal {A}}^{\bullet ,{ res}}({n},{f})\) is the modified game in which the oracle \(C_n(s)\) always outputs \(\bullet \) as its sidechannel output and the secret s is selected randomly from \(\bigcup S^{ res}_n\) (rather than from \(\mathcal {S}_n\)).
As a special case where the ratio r is 1, Theorem 1 implies that if a system satisfies \(\mathsf {SRSCR}(f,\epsilon ,1)\) then it is \((f,\epsilon )\)secure.
Example 3
To effectively apply Theorem 1, one needs to find suitable subsets of secrets \(S^{ res}\) on which the system’s regular channel is \((f,\epsilon )\)secure and the side channel satisfies the refinement relation with respect to the regular channel. As also observed in prior works [29, 38], the refinement relation is a 2safety property [13, 35] for which there are a number of effective verification methods [2, 6, 10, 32, 34]. For instance, selfcomposition [3, 4, 8, 35] is a wellknown technique that can be used to verify arbitrary 2safety properties.
We note that a main benefit of Theorem 1 is separation of concerns whereby the security of regular channel can be proven independently of side channels, and the conditions required for side channels can be checked separately. For instance, a system designer may prove the regularchannel \((f,\epsilon )\)security by an elaborate manual reasoning, while the sidechannel conditions are checked, possibly automatically, by established program verification methods such as self composition.
Remarks. We make some additional observations regarding the \(\mathsf {SRSCR}\) condition. First, while Theorem 1 derives a sound security bound, the bound may not be the tightest one. Indeed, when the adversary’s error probability (i.e., the “\(\epsilon \)” part of \((f,\epsilon )\)security) is 1, the bucketed leaky login program can be shown to be actually \((k(2^{n/k}2),1)\)secure, whereas the bound derived in Example 3 only showed that it is \((2^{n/k}2,1)\)secure. That is, there is a factor k gap in the bounds. Intuitively, the gap occurs for the example because the buckets partition a secret into k number of n/k bit blocks, and while an adversary needs to recover the bits of every block in order to recover the entire secret, the analysis derived the bound by assessing only the effort required to recover bits from one of the blocks. Extending the technique to enable tighter analyses is left for future work.
Secondly, the statement of Theorem 1 says that when regular channel of the system is \((f,\epsilon )\)secure for certain subsets of secrets, then the whole system is \((f,\epsilon ')\)secure under certain conditions. This may give an impression that only the adversarysuccess probability parameter (i.e., \(\epsilon \)) of \((f,\epsilon )\)security is affected by the additional consideration of side channels, leaving the number of oracle queries parameter (i.e., f) unaffected. However, as also seen in Example 2, the two parameters are often correlated so that smaller f implies smaller \(\epsilon \) and vice versa. Therefore, Theorem 1 suggests that the change in the probability parameter (i.e., from \(\epsilon \) to \(\epsilon '\)) may need to be compensated by a change in the degree of security with respect to the number of oracle queries.
Finally, condition (2) of \(\mathsf {SRSCR}\) stipulates that the regular channel is \((f,\epsilon )\)secure for each restricted family of sets of secrets \(S'' \prec S^{ res}\) rather than the entire space of secrets \(\mathcal {S}\). In general, a system can be less secure when secrets are restricted because the adversary has a smaller space of secrets to search. Indeed, in the case when the error probability is 1, the regular channel of the bucketed leaky login program can be shown to be \((2^n2,1)\)secure, but when restricted to each \(S'' \prec S^{ res}\) used in the analysis of Example 3, it is only \((2^{n/k}2,1)\)secure. That is, there is an implicit correlation between the sizes of the restricted subsets and the degree of regularchannel security. Therefore, finding \(S^{ res}\) such that each \(S'' \in S^{ res}_n\) is large and satisfies the conditions is important for deriving good security bounds, even when the ratio \(\bigcup S^{ res}_n/\mathcal {S}_n\) is large as in the analysis of the bucketed leaky login program.
3.2 LowInput SideChannel NonInterference Condition
While \(\mathsf {SRSCR}\) facilitates proving security of systems by separating regular channels from side channels, it requires one to identify suitable subsets of secrets \(S^{ res}\) that satisfy the conditions. This can be a hurdle to applying the proof method. To this end, this section presents a condition, called lowinput sidechannel noninterference (\(\mathsf {LISCNI}\)), which guarantees that a system satisfying it becomes secure after applying bucketing (or other techniques) to reduce the number of sidechannel outputs. Unlike \(\mathsf {SRSCR}\), the condition does not require identifying secret subsets. Roughly, the condition stipulates that the regular channel is secure (for the entire space of secrets) and that the sidechannel outputs are independent of attackercontrolled inputs.
We show that the system satisfying the condition becomes a system satisfying \(\mathsf {SRSCR}\) once bucketing is applied, where the degree of security (i.e., the parameters f, \(\epsilon \), r of \(\mathsf {SRSCR}\)) will be proportional to the degree of regularchannel security and the granularity of buckets. Roughly, this holds because for a system whose sidechannel outputs are independent of attackercontrolled inputs, bucketing is guaranteed to partition the secrets into a small number of sets (relative to the bucket granularity) such that for each of the sets, the side channel cannot distinguish the secrets in the set, and the regularchannel security transfers to a certain degree to the case when the secrets are restricted to the ones in the set.
As we shall show next, while the condition is not permissive enough to prove security of the leaky login program (cf. Examples 1, 2 and 3), it covers interesting scenarios such as fast modular exponentiation (cf. Example 4). Also, as we shall show in Sect. 3.3, the condition may be used compositionally in combination with the constanttime implementation technique [1, 3, 9, 22] to further widen its applicability.
Definition 4
 (1)
\(C\) is regularchannel \((f,\epsilon )\)secure; and
 (2)
For all \(n \in \mathbb {N}\), \(s\in \mathcal {S}_n\), and \(v_1,v_2 \in \mathcal {I}_n\), it holds that \(\mathsf {sc}_n(s,v_1) = \mathsf {sc}_n(s,v_2)\).
Condition (2) says that the sidechannel outputs are independent of low inputs (i.e., attackercontrolled inputs). We note that this is noninterference with respect to low inputs, whereas the usual notion of noninterference says that the outputs are independent of high inputs (i.e., secrets) [19, 37].^{5}
The \(\mathsf {LISCNI}\) condition ensures the security of systems after bucketing is applied. We next formalize the notion of “applying bucketing”.
Definition 5
 (1)
\(\mathsf {rc}\langle {C'}\rangle = \mathsf {rc}\langle {C}\rangle \), \(\mathcal {S}\langle {C'}\rangle = \mathcal {S}\langle {C}\rangle \), \(\mathcal {I}\langle {C'}\rangle = \mathcal {I}\langle {C}\rangle \), and \(\mathcal {O}^{\mathsf {rc}}\langle {C'}\rangle = \mathcal {O}^{\mathsf {rc}}\langle {C}\rangle \);
 (2)
For all \(n \in \mathbb {N}\), \(\mathcal {O}^{\mathsf {sc}}\langle {C'}\rangle _n = \{\star _1,\dots ,\star _k\}\) where \(\star _i \ne \star _j\) for each \(i \ne j\); and
 (3)
For all \(n \in \mathbb {N}\), \(s_1,s_2 \in \mathcal {S}_n\) and \(v_1,v_2 \in \mathcal {I}_n\), \(\mathsf {sc}\langle {C}\rangle _n(s_1,v_1) = \mathsf {sc}\langle {C}\rangle _n(s_2,v_2) \Rightarrow \mathsf {sc}\langle {C'}\rangle _n(s_1,v_2) = \mathsf {sc}\langle {C'}\rangle _n(s_2,v_2)\).
Roughly, kbucketing partitions the side channel outputs into k number of buckets. We note that our notion of “bucketing” is quite general in that it does not specify how the side channel outputs are partitioned into the buckets. Indeed, as we shall show next, the security guarantee derived by \(\mathsf {LISCNI}\) only requires the fact that side channel outputs are partitioned into a small number of buckets. This makes our results applicable to any techniques (beyond the usual bucketing technique for timing channels [7, 14, 26, 27, 41]) that reduce the number of possible sidechannel outputs.
Below states that a system satisfying the \(\mathsf {LISCNI}\) condition becomes one that satisfies the \(\mathsf {SRSCR}\) condition after suitable bucketing is applied.
Theorem 2
(\(\mathsf {LISCNI}\) Soundness). Suppose that \(C\) satisfies \(\mathsf {LISCNI}(f,\epsilon )\). Let \(k > 0\) be such that \(k\cdot \epsilon \le 1\). Then, \({ Bkt}_{k}({C})\) satisfies \(\mathsf {SRSCR}(f,k\cdot \epsilon ,1/k)\).
Proof
Let \(C' = { Bkt}_{k}({C})\). By condition (2) of kbucketing and condition (2) of \(\mathsf {LISCNI}(f,\epsilon )\), we have that for all \(n \in \mathbb {N}\), \(s\in \mathcal {S}_n\) and \(v_1,v_2 \in \mathcal {I}_n\), \(\mathsf {sc}\langle {C'}\rangle _n(s,v_1) = \mathsf {sc}\langle {C'}\rangle _n(s,v_2)\). Therefore, by kbucketing, there must be an indexed family of sets of secrets \(S'\) such that for all n, (a) \(S'_n \subseteq \mathcal {S}_n\), (b) \(S'_n \ge \mathcal {S}_n/k\), and (c) for all \(s_1,s_2 \in S'_n\) and \(v_1,v_2 \in \mathcal {I}_n\), \(\mathsf {sc}\langle {C'}\rangle _n(s_1,v_1) = \mathsf {sc}\langle {C'}\rangle _n(s_2,v_2)\). Note that such \(S'\) can be found by, for each n, choosing a bucket into which a maximal number of secrets fall. We define an indexed family of sets of sets of secrets \(S^{ res}\) to be such that \(S^{ res}_n\) is the singleton set \(\{ S'_n \}\) for each n.
We show that \(C'\) satisfies conditions (1), (2), and (3) of \(\mathsf {SRSCR}(f,k\cdot \epsilon ,1/k)\) with the restricted secret subsets \(S^{ res}\) defined above. Firstly, (1) is satisfied because \(S'_n \ge \mathcal {S}_n/k\). Also, (3) is satisfied because of property (c) above (i.e., the side channel is noninterferent for the subset).
It remains to show that (2) is satisfied. That is, \(C'_{S'}\) is regularchannel \((f,k\cdot \epsilon )\)secure. For contradiction, suppose that \(C'_{S'}\) is not regularchannel \((f,k\cdot \epsilon )\)secure, that is, there exists a regularchannel attack \(\mathcal {A}\) that queries (the regular channel of) \(C'_{S'}\) at most f(n) many times and successfully recovers the secret with probability at least \(k\cdot \epsilon (n)\). Then, we can construct a regularchannel adversary for \(C\) which simply runs \(\mathcal {A}\) (on any secret from \(\mathcal {S}_n\)). Note that the adversary makes at most f(n) many queries. We argue that the probability that the adversary succeeds in recovering the secret is at least \(\epsilon \). That is, we show that \(\Pr [\textit{Win}_{\mathcal {A}}^{\bullet }({n},{f})] \ge \epsilon (n)\) (for sufficiently large n) where \(\textit{Win}_{\mathcal {A}}^{\bullet }({n},{f})\) is the modified game in which the oracle always outputs \(\bullet \) as its sidechannel output.
As a corollary of Theorems 1 and 2, we have the following.
Corollary 1
Suppose that \(C\) satisfies \(\mathsf {LISCNI}(f,\epsilon )\). Let \(k > 0\) be such that \(k\cdot \epsilon \le 1\). Then, \({ Bkt}_{k}({C})\) is \((f,\epsilon ')\)secure where \(\epsilon ' = 1  1/k + \epsilon \).
Example 4
(Fast Modular Exponentiation). Fast modular exponentiation is an operation that is often found in cryptography algorithms such as RSA [23, 30]. Figure 2 shows its implementation written in a Clike language. It computes \(\mathtt{y}^\mathtt{x}\;\texttt {mod}\;\mathtt{m}\) where \(\mathtt{x}\) is the secret represented as a length \(\mathtt{n}\) bit array and \(\mathtt{y}\) is an attacker controlledinput. The program is not constanttime (assuming that then and else branches in the loop have different running times), and effective timing attacks have been proposed for the program [23, 30].

\(\mathcal {S}_n = \mathcal {I}_n = \{0,1\}^n\);

\(\mathcal {O}^{\mathsf {rc}}_n = \mathcal {O}^{\mathsf {sc}}_n = \mathbb {\mathbb {N}}\);

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {rc}_n(s,v) = v^s\;\textit{mod}\;\mathtt{m}\); and

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}_n(s,v) = \textit{time}_\mathtt{t} \cdot \textit{num}(s,1) + \textit{time}_\mathtt{f} \cdot \textit{num}(s,0)\).
Here, \(\textit{num}(s,b) = \{i \in \mathbb {N}\mid i < n \wedge s[i] = b\}\) for \(b \in \{0,1\}\), and \(\textit{time}_\mathtt{t}\) (resp. \(\textit{time}_\mathtt{f}\)) is the running time of the then (resp. else) branch.
Let the computation class of adversaries be the class of randomized polynomial time algorithms. Then, under the standard computational assumption that inverting modular exponentiation is hard, one can show that \(C\) satisfies \(\mathsf {LISCNI}(f,\epsilon )\) for any f and negligible \(\epsilon \). This follows because the sidechannel outputs are independent of low inputs, and the regularchannel is \((f,\epsilon )\)secure for any f and negligible \(\epsilon \) under the assumption.^{7} Therefore, it can be made \((f,\epsilon )\)secure for any f and negligible \(\epsilon \) by applying bucketing. \(\blacktriangle \)
Remarks. We make some additional observations regarding the \(\mathsf {LISCNI}\) condition. First, similar to condition (3) of \(\mathsf {SRSCR}\), the lowinput independence condition of \(\mathsf {LISCNI}\) (condition (2)) is a 2safety property and is amenable to various verification methods proposed for the class of properties. In fact, because the condition is essentially sidechannel noninterference but with respect to low inputs instead of high inputs, it can be checked by the methods for checking ordinary sidechannel noninterference by reversing the roles of high inputs and low inputs [1, 3, 6, 9, 20].
Secondly, we note that the leaky login program from Example 1 does not satisfy \(\mathsf {LISCNI}\). This is because the program’s side channel is not noninterferent with respect to low inputs. Indeed, given any secret \(s \in \mathcal {S}_n\), one can vary the running times by choosing low inputs \(v,v' \in \mathcal {I}_n\) with differing lengths of matching prefixes, that is, Open image in new window . Nevertheless, as we have shown in Examples 2 and 3, the program becomes secure once bucketing is applied. In fact, it becomes one that satisfies \(\mathsf {SRSCR}\) as shown in Example 3. Ideally, we would like to find a relatively simple condition (on systems before bucketing is applied) that covers many systems that would become secure by applying bucketing. However, finding such a condition that covers a system like the leaky login program may be nontrivial. Indeed, predicting that the leaky login program become secure after applying bucketing appears to require more subtle analysis of interaction between low inputs and high inputs. (In fact, it can be shown that arbitrarily partitioning the sidechannel outputs to a small number of buckets does not ensure security for this program.) Extending the technique to cover such scenarios is left for future work.
3.3 Combining Bucketing and ConstantTime Implementation Compositionally
Definition 6
 (1)
\(C\) is regularchannel \((f,\epsilon )\)secure; and
 (2)
For all \(n \in \mathbb {N}\), \(v \in \mathcal {I}_n\), and \(s_1,s_2 \in \mathcal {S}_n\), \(\mathsf {sc}_n(s_1,v) = \mathsf {sc}_n(s_2,v)\).
Note that \(\mathsf {CT}\) requires that the side channel is noninterferent (with respect to secrets). The following theorem is immediate from the definition, and states that \(\mathsf {CT}\) is a sufficient condition for security.
Theorem 3
(\(\mathsf {CT}\) Soundness). If \(C\) satisfies \(\mathsf {CT}(f,\epsilon )\), then \(C\) is \((f,\epsilon )\)secure.
To motivate the combined application of \(\mathsf {CT}\) and \(\mathsf {LISCNI}\), let us consider the following example which is neither constanttime nor can be made secure by (globally) applying bucketing.
Example 5
Figure 3 shows a simple, albeit contrived, program that we will use to motivate the combined approach. Here, \(\texttt {sec}\) is a nbit secret and \(\texttt {inp}\) is a nbit attackercontrolled input. Both \(\texttt {sec}\) and \(\texttt {inp}\) are interpreted as unsigned nbit integers where − and > are the usual unsigned integer subtraction and comparison operations. The regular channel always outputs \(\mathtt{true}\) and hence is noninterferent. Therefore, only the timing channel is of concern.

\(\mathcal {S}_n = \mathcal {I}_n = \{0,1\}^n\);

\(\mathcal {O}^{\mathsf {rc}}_n = \{ \bullet \}\);

\(\mathcal {O}^{\mathsf {sc}}_n = \{ i \in \mathbb {N}\mid i \le 2^{n+1} \}\);

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {rc}_n(s,v) = \bullet \); and

For all \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}_n(s,v) = s+v\).
Note that the side channel outputs the sum of the high input and the low input. It is easy to see that the system is not constanttime (i.e., not \(\mathsf {CT}(f,\epsilon )\) for any f and \(\epsilon \)). Furthermore, the system is not secure as is, because an adversary can immediately recover the secret by querying with any input and subtracting the input from the sidechannel output.

\(\mathsf {rc}\langle {C'}\rangle \), \(\mathcal {S}\langle {C'}\rangle \), \(\mathcal {I}\langle {C'}\rangle \), and \(\mathcal {O}^{\mathsf {rc}}\langle {C'}\rangle \) are same as those of \(C_\mathtt{comp}\);

For all \(n\in \mathbb {N}\), \(\mathcal {O}^{\mathsf {sc}}\langle {C'}\rangle _n = \{0,1 \}\); and

For all \(n\in \mathbb {N}\) and \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}\langle {C'}\rangle _n(s,v) = 0\) if \(s + v \le 2^n\), and \(\mathsf {sc}\langle {C'}\rangle _n(s,v) = 1\) otherwise.
We show that there exists an efficient adaptive attack against \(C'\). Let \(s \in \mathcal {S}_n\). The adversary \(\mathcal {A}\) recovers s by only making linearly many queries via the following process. First, \(\mathcal {A}\) queries with the input \(v_1 = 2^{n1}\). By observing the sidechannel output, \(\mathcal {A}\) will know whether \(0 \le s \le 2^{n1}\) (i.e., the sidechannel output was 0) or \(2^{n1} < s \le 2^n\) (i.e., the sidechannel output was 1). In the former case, \(\mathcal {A}\) picks the input \(v_2 = 2^{n1} + 2^{n2}\) for the next query, and in the latter case, he picks \(v_2 = 2^{n2}\). Continuing the process in a binary search manner and reducing the space of possible secrets by 1/2 in each query, \(\mathcal {A}\) is able to hone in on s within n many queries. Therefore, \(C'\) is not \((n,\epsilon )\)secure for any \(\epsilon \). \(\blacktriangle \)
Next, we present the compositional bucketing approach. Roughly, our compositionality theorem (Theorem 4) states that the sequential composition of a constanttime system with a system whose side channel is noninterferent with respect to low inputs can be made secure by applying bucketing to only the nonconstanttime component. As with \(\mathsf {LISCNI}\), the degree of security of the composed system is relative to the that of the regular channel and the granularity of buckets.
To state the compositionality theorem, we explicitly separate the conditions on side channels of \(\mathsf {CT}\) and \(\mathsf {LISCNI}\) from those on regular channels and introduce terminologies that only refer to the sidechannel conditions. Let us fix \(C\). We say that \(C\) satisfies \({\mathsf {CT}}^{\mathsf {sc}}\), if it satisfies condition (2) of \(\mathsf {CT}\), that is, for all \(n \in \mathbb {N}\), \(v \in \mathcal {I}_n\), and \(s_1,s_2 \in \mathcal {S}_n\), \(\mathsf {sc}_n(s_1,v) = \mathsf {sc}_n(s_2,v)\). Also, we say that \(C\) satisfies \(\mathsf {LISCNI}^{\mathsf {sc}}\) if it satisfies condition (2) of \(\mathsf {LISCNI}\), that is, for all \(n \in \mathbb {N}\), \(s\in \mathcal {S}_n\), and \(v_1,v_2 \in \mathcal {I}_n\), \(\mathsf {sc}_n(s,v_1) = \mathsf {sc}_n(s,v_2)\). Next, we define sequential composition of systems.
Definition 7

\(\mathcal {S}\langle {C}\rangle = \mathcal {S}(C^\dagger )\) and \(\mathcal {I}\langle {C}\rangle = \mathcal {I}(C^\dagger )\); and

For all \(n \in \mathbb {N}\) and \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}\langle {C'}\rangle _n(s,v) = \mathsf {sc}\langle {C^\dagger }\rangle _n(s,v) + \mathsf {sc}\langle {C^\ddagger }\rangle _n(s,v)\).
We note that the definition of sequential composition specifically targets the case when the side channel is a timing channel, and says that the sidechannels outputs are numeric values and that the sidechannel output of the composed system is the sum of those of the components. Also, the definition leaves the composition of regular channels open, and allows the regular channel of the composed system to be any function from \(\mathcal {S}_n\times \mathcal {I}_n\). We are now ready to state the compositionality theorem.
Theorem 4
(Compositionality). Let \(C^\dagger \) be a system that satisfies \(\mathsf {LISCNI}^{\mathsf {sc}}\) and \(C^\ddagger \) be a system that satisfies \({\mathsf {CT}}^{\mathsf {sc}}\). Suppose that \({ Bkt}_{k}({C^\dagger });C^\ddagger \) is regularchannel \((f,\epsilon )\)secure where \(k\cdot \epsilon \le 1\). Then, \({ Bkt}_{k}({C^\dagger });C^\ddagger \) is \((f,\epsilon ')\)secure, where \(\epsilon ' = 1  1/k + \epsilon \).
Proof
By Theorem 1, it suffices to show that \({ Bkt}_{k}({C^\dagger });C^\ddagger \) satisfies \(\mathsf {SRSCR}(f,k\cdot \epsilon ,1/k)\). By an argument similar to the proof of Theorem 2, there must be an indexed family of sets of secrets \(S'\) such that, for all \(n \in \mathbb {N}\), (a) \(S'_n \subseteq \mathcal {S}_n\), (b) \(S'_n \ge \mathcal {S}_n/k\), and (c) for all \(s_1,s_2 \in S'_n\) and \(v_1,v_2 \in \mathcal {I}_n\), \(\mathsf {sc}\langle {{ Bkt}_{k}({C^\dagger })}\rangle _n(s_1,v_1) = \mathsf {sc}\langle {{ Bkt}_{k}({C^\dagger })}\rangle _n(s_2,v_2)\). We define an indexed family of sets of sets of secrets \(S^{ res}\) to be such that \(S^{ res}_n\) is the singleton set \(\{ S'_n \}\) for each n.
We show that \(C= { Bkt}_{k}({C^\dagger });C^\ddagger \) satisfies conditions (1), (2), and (3) of \(\mathsf {SRSCR}(f,\) \(k\cdot \epsilon ,1/k)\) with the restricted secret subsets \(S^{ res}\) defined above. Firstly, (1) is satisfied because \(S'_n \ge \mathcal {S}_n/k\). Also, because \({ Bkt}_{k}({C^\dagger });C^\ddagger \) is regularchannel \((f,\epsilon )\)secure, we can show that (2) is satisfied by an argument similar to the one in the proof of Theorem 2.
We note that the notion of sequential composition is symmetric. Therefore, Theorem 4 implies that the composing the components in the reverse order, that is, \(C^\ddagger ;{ Bkt}_{k}({C^\dagger })\), is also secure provided that its regular channel is secure.
The compositionality theorem suggests the following compositional approach to ensuring security. Given a system \(C\) that is a sequential composition of a component whose side channel outputs are independent of high inputs (i.e., satisfies \({\mathsf {CT}}^{\mathsf {sc}}\)) and a component whose side channel outputs are independent of low inputs (i.e., satisfies \(\mathsf {LISCNI}^{\mathsf {sc}}\)), we can ensure the security of \(C\) by proving its regularchannel security and applying bucketing only to the nonconstanttime component.
Example 6

\(\mathcal {S}\) and \(\mathcal {I}\) are as in \(C_\mathtt{comp}\);

For all \(n \in \mathbb {N}\), \(\mathcal {O}^{\mathsf {sc}}\langle {C^\dagger }\rangle _n = \mathcal {O}^{\mathsf {sc}}\langle {C^\ddagger }\rangle _n = \{ i \in \mathbb {N}\mid i \le 2^n \}\); and

For all \(n \in \mathbb {N}\) and \((s,v) \in \mathcal {S}_n\times \mathcal {I}_n\), \(\mathsf {sc}\langle {C^\dagger }\rangle _n(s,v) = s\) and \(\mathsf {sc}\langle {C^\ddagger }\rangle _n(s,v) = v\).
Note that \(C^\ddagger \) satisfies \({\mathsf {CT}}^{\mathsf {sc}}\) as its sidechannel outputs are highinput independent, and, \(C^\dagger \) satisfies \(\mathsf {LISCNI}^{\mathsf {sc}}\) as its sidechannel outputs are lowinput independent. By applying bucketing only to the component \(C^\dagger \), we obtain the system \({ Bkt}_{k}({C^\dagger });C^\ddagger \). The regularchannel of \({ Bkt}_{k}({C^\dagger });C^\ddagger \) (i.e., that of \(C_\mathtt{comp}\)) is \((f,\epsilon )\)secure for any f and negligible \(\epsilon \) because it is noninterferent (with respect to high inputs) and the probability that an adversary may recover a secret for such a system is at most \(1/\mathcal {S}_n\).^{8} Therefore, by Theorem 4, \({ Bkt}_{k}({C^\dagger });C^\ddagger \) is \((f,\epsilon )\)secure for any f and negligible \(\epsilon \). \(\blacktriangle \)
The above example shows that compositional bucketing can be used to ensure security of nonconstanttime systems that cannot be made secure by a wholesystem bucketing. It is interesting to observe that the constanttime condition, \({\mathsf {CT}}^{\mathsf {sc}}\), requires the sidechannel outputs to be independent of high inputs but allows dependency on low inputs, while \(\mathsf {LISCNI}^{\mathsf {sc}}\) is the dual and says that the sidechannel outputs are independent of low inputs but may depend on high inputs. Our compositionality theorem (Theorem 4) states that a system consisting of such parts can be made secure by applying bucketing only to the part that satisfies the latter condition.
It is easy to see that sequentially composing components that satisfy \({\mathsf {CT}}^{\mathsf {sc}}\) results in a system that satisfies \({\mathsf {CT}}^{\mathsf {sc}}\), and likewise, sequentially composing components that satisfy \(\mathsf {LISCNI}^{\mathsf {sc}}\) results in a system that satisfies \(\mathsf {LISCNI}^{\mathsf {sc}}\). Therefore, such compositions can be used freely in conjunction with the compositional bucketing technique of this section. We also conjecture that components that are made secure by compositional bucketing can themselves be sequentially composed to form a secure system (possibly with some decrease in the degree of security). We leave a more detailed investigation for future work.
4 Related Work
As remarked in Sect. 1, much research has been done on defending against timing attacks and more generally side channel attacks. For instance, there have been experimental evaluation on the effectiveness of bucketing and other timingchannel mitigation schemes [14, 18], and other works have proposed informationtheoretic methods for formally analyzing the security of (deterministic and probabilistic) systems against adaptive adversaries [12, 25].
However, few prior works have formally analyzed the effect of bucketing on timing channel security (or similar techniques for other side channels) against adaptive adversaries. Indeed, to our knowledge, the only prior work to do so are the series of works by Köpf et al. [26, 27] who investigated the effect of bucketing applied to blinded cryptography algorithms. They show that applying bucketing to a blinded cryptography algorithm whose regular channel is INDCCA2 secure results in an algorithm that is INDCCA2 secure against timingchannelobserving adversaries. In addition, they show bounds on information leaked by such bucketed blinded cryptography algorithms in terms of quantitative information flow [5, 28, 33, 39, 40]. By contrast, we analyze the effect of applying bucketing to general systems, show that bucketing is in general insufficient against adaptive adversaries, and present novel conditions that guarantee security against such adversaries. (In fact, the results of [26, 27] may be seen as an instance of our \(\mathsf {LISCNI}{}\) condition because blinding makes the behavior of cryptographic algorithms effectively independent of attackercontrolled inputs.) Also, our results are given in the form of \((f,\epsilon )\)security, which can provide precise bounds on the number of queries needed by adaptive adversaries to recover secrets.
Next, we compare our work with the works on constanttime implementations (i.e., timingchannel noninterference) [1, 3, 6, 9, 20, 22]. The previous works have proposed methods for verifying that the given system is constanttime [3, 6, 9, 20] or transforming it to one that is constanttime [1, 22]. As we have also discussed in this paper (cf. Theorem 3), it is easy to see that the constanttime condition directly transfers the regularchannelonly security to the security for the case with timing channels. By contrast, security implied by bucketing is less straightforward. In this paper, we have shown that bucketing is in general insufficient to guarantee the security of systems even when their regular channel is perfectly secure. And, we have presented results that show that, under certain conditions, the regularchannelonly security can be transferred to the sidechannelobserving case to certain degrees. Because there are advantages of bucketing such as efficiency and ease of implementation [7, 14, 26, 27, 41], we hope that our results will contribute to a better understanding of the bucketing technique and foster further research on the topic.
5 Conclusion and Future Work
In this paper, we have presented a formal analysis of the effectiveness of the bucketing technique against adaptive timingchannelobserving adversaries. We have shown that bucketing is in general insufficient against such adversaries, and presented two novel conditions, \(\mathsf {SRSCR}\) and \(\mathsf {LISCNI}\), that guarantee security against such adversaries. \(\mathsf {SRSCR}\) states that a system that satisfies it is secure, whereas \(\mathsf {LISCNI}\) states that the a system that satisfies it becomes secure when bucketing is applied. We have shown that both conditions facilitate proving the security of systems against adaptive sidechannelobserving adversaries by allowing a system designer to prove the security of the system’s regular channel separately from the concerns of its sidechannel behavior. By doing so, the security of the regularchannel is transferred, to certain degrees, to the full sidechannelaware security. We have also shown that the \(\mathsf {LISCNI}\) condition can be used in conjunction with the constanttime implementation technique in a compositional manner to further increase its applicability. We have formalized our results via the notion of \((f,\epsilon )\)security, which gives precise bounds on the number of queries needed by adaptive adversaries to recover secrets.
While we have instantiated our results to timing channel and bucketing, many of the results are actually quite general and are applicable to side channels other than timing channels. Specifically, aside from the compositional bucketing result that exploits the “additive” nature of timing channels, the results are applicable to any side channels and techniques that reduce the number of possible sidechannel observations.
As future work, we would like to extend our results to probabilistic systems. Currently, our results are limited to deterministic systems, and such an extension would be needed to assess the effect of bucketing when it is used together with countermeasure techniques that involve randomization. We would also like to improve the conditions and the security bounds thereof to be able to better analyze systems such as the leaky login program shown in Examples 1, 2 and 3. Finally, we would like to extend the applicability of the compositional bucketing technique by considering more patterns of compositions, such as sequentially composing components that themselves have been made secure by compositional bucketing.
Footnotes
 1.
Sometimes, the terminology “constanttime implementation” is used to mean even stricter requirements, such as requiring control flows to be secret independent [3, 9]. In this paper, we use the terminology for a more permissive notion in which only the running time is required to be secret independent.
 2.
We restrict to deterministic systems in this paper. Extension to probabilistic systems is left for future work.
 3.
A similar analysis can be done for any strictly sublinear number of buckets.
 4.
It is easy to relax the notion to be asymptotic so that the conditions need to hold only for \(n \ge N\) for some \(N\in \mathbb {N}\).
 5.
As with \(\mathsf {SRSCR}\), it is easy to relax the notion to be asymptotic so that condition (2) only needs to hold for large n.
 6.
This is admittedly an optimistic assumption. Indeed, proposed timing attacks exploit the fact that the running time of the operation can depend on \(\mathtt{y}\) [23, 30]. Here, we assume that the running time of the operation is made independent of \(\mathtt{y}\) by some means (e.g., by adopting the constanttime implementation technique).
 7.
The latter holds because \((f,\epsilon )\)security is asymptotic and the probability that any regularchannel adversary of the computation class may correctly guess the secret for this system is negligible (under the computational hardness assumption). Therefore, a similar analysis can be done for any subpolynomial number of buckets.
 8.
Therefore, a similar analysis can be done for any strictly subexponential number of buckets.
Notes
Acknowledgements
We thank the anonymous reviewers for useful comments. This work was supported by JSPS KAKENHI Grant Numbers 17H01720 and 18K19787, JSPS CoretoCore Program, A.Advanced Research Networks, JSPS Bilateral Collaboration Research, and Office of Naval Research (ONR) award #N000141712787.
References
 1.Agat, J.: Transforming out timing leaks. In: POPL (2000)Google Scholar
 2.Aguirre, A., Barthe, G., Gaboardi, M., Garg, D., Strub, P.: A relational logic for higherorder programs. In: PACMPL, vol. 1, issue ICFP (2017)Google Scholar
 3.Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constanttime implementations. In: USENIX Security Symposium (2016)Google Scholar
 4.Almeida, J.B., Barbosa, M., Pinto, J.S., Vieira, B.: Formal verification of sidechannel countermeasures using selfcomposition. Sci. Comput. Program. 78(7), 796–812 (2013)CrossRefGoogle Scholar
 5.Alvim, M.S., Chatzikokolakis, K., Palamidessi, C., Smith, G.: Measuring information leakage using generalized gain functions. In: CSF (2012)Google Scholar
 6.Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of selfcomposition for proving the absence of timing channels. In: PLDI (2017)Google Scholar
 7.Askarov, A., Zhang, D., Myers, A.C.: Predictive blackbox mitigation of timing channels. In: CCS (2010)Google Scholar
 8.Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by selfcomposition. Math. Struct. Comput. Sci. 21(6), 1207–1252 (2011)MathSciNetCrossRefGoogle Scholar
 9.Barthe, G., Grégoire, B., Laporte, V.: Secure compilation of sidechannel countermeasures: the case of cryptographic “constanttime”. In: CSF (2018)Google Scholar
 10.Benton, N.: Simple relational correctness proofs for static analyses and program transformations. In: POPL (2004)Google Scholar
 11.Blot, A., Yamamoto, M., Terauchi, T.: Compositional synthesis of leakage resilient programs. In: POST (2017)Google Scholar
 12.Boreale, M., Pampaloni, F.: Quantitative information flow under generic leakage functions and adaptive adversaries. Logical Methods Comput. Sci. 11(4:5), 1–31 (2015)MathSciNetzbMATHGoogle Scholar
 13.Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)CrossRefGoogle Scholar
 14.Dantas, Y.G., Gay, R., Hamann, T., Mantel, H., Schickel, J.: An evaluation of bucketing in systems with nondeterministic timing behavior. In: Janczewski, L.J., Kutyłowski, M. (eds.) SEC 2018. IAICT, vol. 529, pp. 323–338. Springer, Cham (2018). https://doi.org/10.1007/9783319998282_23CrossRefGoogle Scholar
 15.Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1), 4 (2015)CrossRefGoogle Scholar
 16.Eldib, H., Wang, C.: Synthesis of masking countermeasures against side channel attacks. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 114–130. Springer, Cham (2014). https://doi.org/10.1007/9783319088679_8CrossRefGoogle Scholar
 17.Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). https://doi.org/10.1007/3540447091_21CrossRefGoogle Scholar
 18.Gay, R., Mantel, H., Sudbrock, H.: An empirical bandwidth analysis of interruptrelated covert channels. IJSSE 6(2), 1–22 (2015)Google Scholar
 19.Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy (1982)Google Scholar
 20.Hedin, D., Sands, D.: Timing aware information flow security for a JavaCardlike bytecode (2005)Google Scholar
 21.Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451464_27CrossRefGoogle Scholar
 22.Kobayashi, N., Shirane, K.: Typebased information analysis for lowlevel languages. In: APLAS (2002)Google Scholar
 23.Kocher, P.C.: Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3540686975_9CrossRefGoogle Scholar
 24.Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051_25CrossRefGoogle Scholar
 25.Köpf, B., Basin, D.A.: Automatically deriving informationtheoretic bounds for adaptive sidechannel attacks. J. Comput. Secur. 19(1), 1–31 (2011)CrossRefGoogle Scholar
 26.Köpf, B., Dürmuth, M.: A provably secure and efficient countermeasure against timing attacks. In: CSF (2009)Google Scholar
 27.Köpf, B., Smith, G.: Vulnerability bounds and leakage resilience of blinded cryptography under timing attacks. In: CSF (2010)Google Scholar
 28.Malacaria, P.: Assessing security threats of looping constructs. In: POPL (2007)Google Scholar
 29.Malacaria, P.: Algebraic foundations for quantitative information flow. Math. Struct. Comput. Sci. 25(2), 404–428 (2015)MathSciNetCrossRefGoogle Scholar
 30.Pasareanu, C.S., Phan, Q., Malacaria, P.: Multirun sidechannel analysis using symbolic execution and maxSMT. In: CSF (2016)Google Scholar
 31.Quisquater, J.J., Samyde, D.: ElectroMagnetic Analysis (EMA): measures and countermeasures for smart cards. In: Attali, I., Jensen, T. (eds.) Esmart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001). https://doi.org/10.1007/3540454187_17CrossRefzbMATHGoogle Scholar
 32.Reynolds, J.C.: The Craft of Programming. Prentice Hall International Series in Computer Science. Prentice Hall, London (1981)zbMATHGoogle Scholar
 33.Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642005961_21CrossRefGoogle Scholar
 34.Sousa, M., Dillig, I.: Cartesian Hoare logic for verifying ksafety properties. In: PLDI (2016)Google Scholar
 35.Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005). https://doi.org/10.1007/11547662_24CrossRefGoogle Scholar
 36.Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010)MathSciNetCrossRefGoogle Scholar
 37.Volpano, D.M., Irvine, C.E., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4(2/3), 167–187 (1996)CrossRefGoogle Scholar
 38.Yasuoka, H., Terauchi, T.: Quantitative information flow  verification hardness and possibilities. In: CSF (2010)Google Scholar
 39.Yasuoka, H., Terauchi, T.: On bounding problems of quantitative information flow. J. Comput. Secur. 19(6), 1029–1082 (2011)CrossRefGoogle Scholar
 40.Yasuoka, H., Terauchi, T.: Quantitative information flow as safety and liveness hyperproperties. Theor. Comput. Sci. 538, 167–182 (2014)MathSciNetCrossRefGoogle Scholar
 41.Zhang, D., Askarov, A., Myers, A.C.: Languagebased control and mitigation of timing channels. In: PLDI (2012)Google Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.