Cryptographic Resilience to Continual Information Leakage
Total Page:16
File Type:pdf, Size:1020Kb
Cryptographic Resilience to Continual Information Leakage by Daniel Wichs A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science New York University September, 2011 Professor Yevgeniy Dodis c Daniel Wichs All Rights Reserved, 2011 \It is a very sad thing that nowadays there is so little useless information." Oscar Wilde \BLMAR XnL csG cch BLDng asGL." Minoan Proverb To Elizabeth iv Acknowledgements Foremost, I would like to thank my advisor, Yevgeniy Dodis, for teaching me how to do research. I have always admired and tried to learn from Yevgeniy's enthusiasm in pursuing all kinds of new research problems, finding connections between different areas, and forging better abstractions and ways of understand- ing results. Most of all, I am grateful for the abundance of energy that Yevgeniy brought to our many collaborations. After long brainstorming sessions with Yev- geniy, I would usually emerge exhausted and slightly dazed, but also tremendously excited about the many new problems, ideas and directions that I couldn't wait to pursue. From Yevgeniy, I learned that research can be a lot of fun. Next, I would like to thank my many other mentors and their respective insti- tutions, who supported me both intellectually and financially during my summer internships: Ivan Damg˚ardand Jesper Buus Nielsen at the University of Arhus˚ in Denmark, Juan Garay at Bell Laboratories (now at AT&T), Yael Tauman Kalai at Microsoft Research, and Tal Rabin and the crypto group at IBM Research T.J. Watson. Spending my summers away from NYU allowed me to get a much broader view of research areas, institutions, and approaches, than I would have had oth- erwise. In particular, I thank Ivan and Jesper for having the patience to work with me while I was still learning the most basic concepts of cryptography, Juan for much useful advice on research, espresso, single malt scotch, and many other aspects of life, Yael for her great enthusiasm and encouragement in the research topics relating to this thesis, and Tal for providing a truly fantastic and fun place to do research. I wish to thank Moni Naor at the Weizmann Institute of Science in Israel, Stefan Dziembowski at University of Rome La Sapienza, and Krzysztof Pietrzak at CWI Amsterdam for arranging research visits to their respective insti- tutions. These visits turned out to be highly productive and great deal of fun. I would also like to thank Jo¨elAlwen, with whom I have collaborated on several results related to this thesis and discussed almost every conceivable topic in cryp- tography. I truly enjoyed and learned much from these enlightening conversations. I also thank Victor Shoup and the rest of the NYU cryptography group for all their support. The results in this thesis emerged from joint works with Yevgeniy Dodis, Kristiyan Haralambiev, Adriana L`opez-Alt, Allison Lewko and Brent Waters. I thank them all for the many wonderful discussions and for all their hard work. I thank my parents, Tomas and Adela, and my brother David, who first intro- duced me to the world and its many exciting mysteries. My parents made many sacrifices to ensure that I get a great education, and this thesis would not have been possible otherwise. Last, but certainly not least, I thank Elizabeth for all her love, support, en- couragement, patience and care. v Abstract In this thesis, we study the question of achieving cryptographic security on devices that leak information about their internal secret state to an external at- tacker. This study is motivated by the prevalence of side-channel attacks, where the physical characteristics of a computation (e.g. timing, power-consumption, temperature, radiation, acoustics, etc.) can be measured, and may reveal use- ful information about the internal state of a device. Since some such leakage is inevitably present in almost any physical implementation, we believe that this problem cannot just be addressed by physical countermeasures alone. Instead, it should already be taken into account when designing the mathematical specifica- tion of cryptographic primitives and included in the formal study of their security. In this thesis, we propose a new formal framework for modeling the leakage available to an attacker. This framework, called the continual leakage model, as- sumes that an attacker can continually learn arbitrary information about the inter- nal secret state of a cryptographic scheme at any point in time, subject only to the constraint that the rate of leakage is bounded. More precisely, our model assumes some abstract notion of time periods. In each such period, the attacker can choose to learn arbitrary functions of the current secret state of the scheme, as long as the number of output bits leaked is not too large. In our solutions, cryptographic schemes will continually update their internal secret state at the end of each time period. This will ensure that leakage observed in different time periods cannot be meaningfully combined to break the security of the cryptosystem. Although these updates modify the secret state of the cryptosystem, the desired functionality of the scheme is preserved, and the users can remain oblivious to these updates. We construct signatures, encryption, and secret sharing/storage schemes in this model. vi Contents Dedication................................... iv Acknowledgements..............................v Abstract.................................... vi List of Figures.................................x 1 Introduction1 2 Prior Models and Results4 2.1 Models of Full Leakage.........................4 2.1.1 Threshold Cryptography....................4 2.1.2 Forward Security........................5 2.1.3 Key-Insulated Cryptography..................5 2.2 Models of Partial Leakage.......................6 2.2.1 Oblivious RAMs........................6 2.2.2 Exposure resilient cryptography................6 2.2.3 Private circuits.........................7 2.2.4 Private Circuits for AC0 and Noisy Leakage.........8 2.2.5 Only Computation Leaks Information (OCLI)........9 2.2.6 The Bounded-Leakage Model................. 10 2.3 Tampering and Active Physical Attacks................ 14 3 The Continual-Leakage Model and Overview of Results 16 3.1 Overview of the CLM.......................... 16 3.2 CLR One-Way Relations and Signatures............... 18 3.3 CLR Public-Key Encryption...................... 19 3.4 CLR Secret Sharing (Storage)..................... 20 4 Preliminaries 24 4.1 Statistical Distance, Entropy, Extractors............... 25 4.2 Linear Algebra Notation........................ 27 4.3 Computational Hardness Assumptions................ 28 4.4 Public-Key Encryption......................... 30 vii 4.5 Non-Interactive Zero Knowledge (NIZK)............... 32 5 CLR One-Way Relations, Signatures 34 5.1 Modeling Leakage............................ 34 5.2 Defining CLR-OWR.......................... 35 5.2.1 One-Way Relations....................... 35 5.2.2 OWRs in the Bounded-Leakage Model............ 35 5.2.3 OWRs in the Continual Leakage Model............ 37 5.3 Construction (Part I): Continuous Leakage from Bounded Leakage............. 38 5.4 Construction (Part II): Generic Components............. 43 5.4.1 Syntax of Construction and Hardness Properties....... 43 5.4.2 Re-randomization via Homomorphisms............ 46 5.4.3 Leakage-Indistinguishability.................. 48 5.4.4 Summary of Component Requirements............ 50 5.5 Construction (Part III): Instantiating the Components..................... 51 5.5.1 The encryption scheme E1 ................... 51 5.5.2 The encryption scheme E2 ................... 52 5.5.3 Homomorphic NIZKs...................... 56 5.5.4 The Final CLR-OWR Scheme................. 60 5.6 Security with Leaky Updates...................... 61 5.7 Signatures................................ 65 5.8 Advanced Primitives.......................... 69 5.8.1 Identification Schemes (ID).................. 69 5.8.2 Authenticated Key Agreement(AKA)............. 69 6 CLR Encryption 71 6.1 Definition................................ 71 6.2 Hiding Ranks and Subspaces...................... 73 6.3 Warm Up: Weakly Secure Constructions............... 77 6.3.1 The Bounded Leakage Model................. 77 6.3.2 Secret Leak-Free Updates (\Floppy Model")......... 79 6.3.3 Public Leak-Free Updates................... 82 6.3.4 The Difficulty with Leaking on Updates........... 85 6.4 Construction with Full Security.................... 86 6.5 Proof Part I: Alternate Distributions................. 88 6.6 Proof Part II: (Re)Programming Updates............... 89 6.7 Proof Part III. Series of Hybrids.................... 93 6.7.1 Informal Overview....................... 93 6.7.2 Hybrid Game Definitions.................... 96 viii 6.7.3 Hybrid Indistinguishability Arguments............ 98 6.7.4 Putting It All Together..................... 105 6.8 Generalization to k-Linear....................... 105 6.8.1 Scheme Description....................... 105 6.8.2 The Generalized Proof (Sketch)................ 106 7 CLR Secret Sharing and Storage 109 7.1 Definitions................................ 109 7.1.1 Continual-Leakage-Resilient Sharing (CLRS)......... 109 7.1.2 CLRS-Friendly Encryption................... 111 7.2 Construction.............................. 111 7.3 Proof of Security............................ 114 7.3.1 Hiding Orthogonality...................... 114 7.3.2 Alternate Distributions for Keys, Ciphertexts and Updates. 115 7.3.3 Overview of Hybrid Games..................