Chaotic Compilation A (Statistical) Cloak for a Secret Computer Peter T. Breuer ptb@hecusys.com Hecusys LLC, Atlanta, GA, USA Jonathan P. Bowen London South Bank University, UK
➊ ➊ ➊ Background ● Encrypted Computing Data remains in encrypted form ⇓ One plaintext, many encryptions ● H/W Aliasing One address, many memory locations Q. Does computing with encrypted data compromise the encryption ?
Crash course: Encrypted Computing encrypted inputs encrypted outputs encrypted internals
➊ ➊ To answer an unasked question ● “Modified logic” is really only a Modified arithmetic unit Within standard processor logic ● ● 2013 paper shows that is enough for encrypted (1-to-many) computing
➊ ➊ A Security Problem ... ● Computation is logical! If x [*] x [=] x [+] x goto hooray ● … know x means 0, 2 … no matter the encryption ● Must hide algebraic relations
➊ ➊ ➊ Human Bias ● Human programmers preferentially Introduce small numbers 0,1, 2, … ● Bias permits guesses at encryptions Success with higher than chance rate ● Lowers the effective encryption strength Makes Known-Plaintext-Attack possible
➊ ➊ ➊ ✁ ✁ ➊ Help from ISA Design ● Instruction Set Architecture Malleability ∀ ins 1 : x y . ∃ ins 2 : A[+]x B[+]y ins 1 , ins 2 are indistinguishable to an observer not privy to the encryption ● E.g. add t0 t1 E [1] [+1] add t0 t1 E [1-A+B] [+1-A+B]
➊ ➊ ➊ Malleability and Chaotic Compilation 1. ISA Malleability allows the compiler to introduce ─ offset from nominal everywhere, different ... ● per instruction input, output ● per register and memory location, per instruction ● independently , randomly , Stochastic compilation 2. M aximum entropy stochastic compilation Chaotic compilation 3. (Shannon) compiler + programmer signals statistically no relation between data at different points in runtime trace
Example – Ackermann(3,1) Result = 13 Random Random trace program entries constants
The prime sieve (array/memory ex.) Random memory address Result = 7 (a prime) Memory addresses are random, uniformly distributed ● Hardware must support that ● To maintain entropy, address of memory location is changed before every write
➊ H-Max principle ● Each instruction that writes varies maximally (h) ● E.g.: Compile e 1 +e 2 in register t0 code for e 1 to go in t1 with offset E[k 1 ] code for e 2 to go in t2 with offset E[k 2 ] add t0 t1 t2 E[k 0 -k 1 -k 2 ] ● Compiler introduces one extra instruction that writes ( add …) ● Full 32 bits of entropy are injected (k 0 ) ● Every compiler construction follows h ⇒ The whole code has the property ⇒ Traces vary to the maximal extent possible
➊ H-min Condition ● Planned deltas for registers, memory, etc. are equal where two control paths join (h) trailer instructions in each path synchronize deltas ● If e then s 1 else s 2 ● code for e in t0 with offset k0 bne t0 E [k0] else code for s 1 leaves t1 with offset k1a add t1 t1 E [k1-k1a] ... b end Two instructions share 32 bits of entropy (k1) else: code for s 2 leaves t1 with offset k1b ● add t1 t1 E [k1-k1b] ... end:
Remove H-min code ... Unroll loops and inline function calls ⇒ Every piece of code is traversed just once ⇒ Only one instruction of group governed by H-Min executes ⇒ It gets all the entropy introduced by compiler for that group ⇒ Every instruction in the trace varies maximally ⇒ Data in the trace beneath the encryption is unrelated (Shannon)
Security Proof 1. Unroll source code to exponential length in word-size n 2. Apply chaotic compilation 3. An attack of polynomial complexity in n falls in the trace of the unrolled part 4. H-min does not apply there, so H-max does 5. Every data point beneath encryption is independent 6. Attack is an attack against encrypted random data Encrypted computing does not compromise encryption
1. Chaotic compilation is stochastic compilation introducing maximum entropy 2. A stochastic compiler works with ofsets from nominal values (beneath the encryption) 3. Guaranteeing chaos means each compiler construction compiles with H-max principle 4. Removing those constructs that do not have it … 5. Leaves traces that are statistically random 6. Attack is not aided by encrypted computing
Recommend
More recommend
