
Implementation and Evaluation of a Leakage-Resilient ElGamal KEM



  1. Implementation and Evaluation of a Leakage-Resilient ElGamal KEM
     David Galindo (1, 2), Johann Großschädl (3), Zhe Liu (3), Praveen K. Vadnala (3), Srinivas Vivek (3)
     (1) CNRS/Loria, France; (2) SCYTL Secure Electronic Voting, Spain; (3) University of Luxembourg
     PROOFS 2014
     David Galindo – SCYTL Secure Electronic Voting. Evaluation of a Leakage-Resilient ElGamal KEM

  2. Side-Channel Attacks
     Use data leaked due to the physical nature of computation:
     - running time
     - power consumption
     - electromagnetic-radiation leak
     - acoustic emanation
     - photon emissions
     - ground electric potential
     - fault attacks

  3. Side-Channel Attacks Countermeasures
     SCA countermeasures:
     - Aimed at specific attacks
     - Concrete implementations
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     [Figure: SCA flow. Input message, $K^\star$ → target computation $f(K^\star, T)$ → leakage model $\phi$, with noise $N$ → actual leakage $X \approx \phi(K^\star, T)$ → distinguisher $D$ → $K = D(X, T)$ (attack/non-attack)]

  4. Side-Channel Attacks Countermeasures
     SCA countermeasures:
     - Aimed at specific attacks
     - Concrete implementations
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     However...
     [Figure: SCA flow. Input message, $K^\star$ → target computation $f(K^\star, T)$ → leakage model $\phi$, with noise $N$ → actual leakage $X \approx \phi(K^\star, T)$ → distinguisher $D$ → $K = D(X, T)$ (attack/non-attack)]

  5. Side-Channel Attacks Countermeasures
     SCA countermeasures:
     - Aimed at specific attacks
     - Concrete implementations
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     A new attack $(\phi, N, D)$ might be discovered:
     - Endless? cat-and-mouse game
     [Figure: SCA flow. Input message, $K^\star$ → target computation $f(K^\star, T)$ → leakage model $\phi$, with noise $N$ → actual leakage $X \approx \phi(K^\star, T)$ → distinguisher $D$ → $K = D(X, T)$ (security?)]

  6. SCA Countermeasures vs. Leakage-Resilient Cryptography
     SCA countermeasures:
     - Aimed at specific attacks
     - Concrete implementations
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     - A new attack $(\phi, N, D)$ might be discovered
     - Endless? cat-and-mouse game
     Leakage-Resilient Crypto:
     - Aimed at generic attacks
     - No implementations
     - Leakage model generic
     - Not practical
     - Security reduction

  7. Meaningful Leakage-Resilient Cryptography
     - Aimed at general attacks
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     - Security reduction
     - Concrete implementations

  8. Meaningful Leakage-Resilient Cryptography
     - Aimed at general attacks
     - Leakage model meaningful
     - Reasonably practical SCA-resistant primitives
     - Security reduction
     - Concrete implementations
     In this work we take a step forward towards this goal.

  9. Our contribution
     - A more reasonable leakage modeling
     - We depart from an existing practical ElGamal KEM and modify it using practical motivations
     - We use the theory and practice of SCA to argue that it potentially meets the leakage bound
     - We implement the scheme on an ARM Cortex M-3 processor

  10. Stateful Key Encapsulation Mechanisms
     A stateful KEM scheme $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec1}, \mathsf{Dec2})$ consists of efficient algorithms:
     - $\mathsf{KeyGen}(1^\kappa)$ outputs $(pk, (sk_0, sk'_0))$
     - $\mathsf{Enc}(pk)$ outputs $(K, C)$
     - $\mathsf{Dec1}(sk_{i-1}, C)$ updates $sk_{i-1}$ to $sk_i$ and outputs intermediate state $w_i$
     - $\mathsf{Dec2}(sk'_{i-1}, w_i)$ updates $sk'_{i-1}$ to $sk'_i$ and outputs key $K$ or $\bot$

  11. ElGamal KEM with Multiplicative Masking
     - $\mathsf{KG}(\kappa)$: choose $x, t_0 \xleftarrow{\$} \mathbb{Z}_q$. Set $X = g^x$, $sk_0 = t_0$, $sk'_0 = x / t_0$. Return $(X, (sk_0, sk'_0))$
     - $\mathsf{Enc}(pk)$: choose $r \xleftarrow{\$} \mathbb{Z}_q$. Compute $C = g^r$ and $K = X^r$; return $(C, K)$
     - $\mathsf{Dec1}(sk_{i-1}, C)$: pick $t_i \xleftarrow{\$} \mathbb{Z}_q$, set $sk_i = sk_{i-1} \cdot t_i$, $Y_i = C^{sk_i}$. Return $(t_i, Y_i)$
     - $\mathsf{Dec2}(sk'_{i-1}, (t_i, Y_i), C)$: set $sk'_i = sk'_{i-1} \cdot t_i^{-1}$, and return $K = Y_i^{sk'_i}$

  12. CCA1 with Leakage – Stateful KEM
     We consider chosen-ciphertext and leakage security against lunch-time attacks (CCLA1).
     CCLA1 Experiment $\text{KEM-CCLA1}_{\mathsf{KEM}}(\mathcal{A}, \kappa, \lambda)$:
     - $(pk, (sk_0, sk'_0)) \leftarrow \mathsf{KG}^*(\kappa, \lambda)$
     - $w \leftarrow \mathcal{A}^{\mathcal{O}_{\text{CCLA1}}(\cdot)}(pk)$
     - $b \xleftarrow{\$} \{0, 1\}$
     - $(C^*, K_0) \leftarrow \mathsf{Enc}^*(pk)$
     - $K_1 \xleftarrow{\$} \mathcal{K}$
     - $b' \leftarrow \mathcal{A}(w, C^*, K_b)$
     KEM-Leak-Oracle $\mathcal{O}_{\text{CCLA1}}(C, f_i, h_i)$:
     - $(sk_i, w_i) \xleftarrow{r_i} \mathsf{Dec1}^*(sk_{i-1}, C)$
     - $(sk'_i, K) \xleftarrow{r'_i} \mathsf{Dec2}^*(sk'_{i-1}, w_i)$
     - $\Lambda_i := f_i(sk_{i-1}, r_i)$
     - $\Lambda'_i := h_i(sk'_{i-1}, r'_i, w_i)$
     - $i := i + 1$
     - Return $(K, \Lambda_i, \Lambda'_i)$

  13. CCA1 with Leakage – Stateful KEM
     We consider chosen-ciphertext and leakage security against lunch-time attacks (CCLA1).
     CCLA1 Experiment $\text{KEM-CCLA1}_{\mathsf{KEM}}(\mathcal{A}, \kappa, \lambda)$:
     - $(pk, (sk_0, sk'_0)) \leftarrow \mathsf{KG}^*(\kappa, \lambda)$
     - $w \leftarrow \mathcal{A}^{\mathcal{O}_{\text{CCLA1}}(\cdot)}(pk)$
     - $b \xleftarrow{\$} \{0, 1\}$
     - $(C^*, K_0) \leftarrow \mathsf{Enc}^*(pk)$
     - $K_1 \xleftarrow{\$} \mathcal{K}$
     - $b' \leftarrow \mathcal{A}(w, C^*, K_b)$
     KEM-Leak-Oracle $\mathcal{O}_{\text{CCLA1}}(C, f_i, h_i)$:
     - $(sk_i, w_i) \xleftarrow{r_i} \mathsf{Dec1}^*(sk_{i-1}, C)$
     - $(sk'_i, K) \xleftarrow{r'_i} \mathsf{Dec2}^*(sk'_{i-1}, w_i)$
     - $\Lambda_i := f_i(sk_{i-1}, r_i)$
     - $\Lambda'_i := h_i(sk'_{i-1}, r'_i, w_i)$
     - $i := i + 1$
     - Return $(K, \Lambda_i, \Lambda'_i)$
     Restriction on leakage functions $f_i, h_i$:
     - $\tilde{H}_\infty(t \mid f_i(\sigma_{i-1}, r_i)) \ge H_\infty(t) - \lambda \quad \forall t \in \sigma_{i-1} \cup r_i$
     - $\tilde{H}_\infty(t \mid h_i(\sigma'_{i-1}, r'_i, w_i)) \ge H_\infty(t) - \lambda \quad \forall t \in \sigma'_{i-1} \cup r'_i \cup w_i$

  14. Leakage-Resilience of ElGamal KEM
     - The state of the art does not allow a security reduction with leakage to be given
     - If $f_i, h_i$ leak $\lambda \ge \frac{3}{8} \log q$ bits of each share of the secret key, then there exists a heuristic attack [Galindo-Vivek, IPL 2014]
     - Probably due to the fact that any exponentiation algorithm inherently leaks information about the exponent

  15. Leakage-Resilience of ElGamal KEM
     - The state of the art does not allow a security reduction with leakage to be given
     - If $f_i, h_i$ leak $\lambda \ge \frac{3}{8} \log q$ bits of each share of the secret key, then there exists a heuristic attack [Galindo-Vivek, IPL 2014]
     - Probably due to the fact that any exponentiation algorithm inherently leaks information about the exponent
     Idea! Avoid placing secret data in the exponents of your exponentiations...

  16. Asymmetric Pairings
     Let $G_1, G_2, G_T$ be groups of prime order $q$, with $G_1 = \langle g \rangle$, $G_2 = \langle G \rangle$.
     Pairing $e : G_1 \times G_2 \to G_T$:
     - bilinear: $e(g^a, g^b) = e(g, g)^{ab}, \ \forall a, b \in \mathbb{Z}$
     - non-degenerate: $G_T = \langle e(g, G) \rangle$

  17. Pairing-Based Stateful ElGamal KEM (Asiacrypt 2010)
     - $\mathsf{KG}(\kappa)$: choose $x, t_0 \xleftarrow{\$} \mathbb{Z}_q$. Set $X = g^x$, $sk_0 = g^{t_0}$, $sk'_0 = g^{x - t_0}$, and $X_T = e(X, G)$. Return $(X_T, (sk_0, sk'_0))$
     - $\mathsf{Enc}(pk)$: choose $r \xleftarrow{\$} \mathbb{Z}_q$. Compute $C = G^r$ and $K = X_T^r$; return $(C, K)$
     - $\mathsf{Dec1}(C, sk_{i-1})$: pick $t_i \xleftarrow{\$} \mathbb{Z}_q$, set $sk_i = sk_{i-1} \cdot G^{t_i}$, $Y_i = e(sk_i, C)$. Return $(t_i, Y_i)$
     - $\mathsf{Dec2}(sk'_{i-1}, (t_i, Y_i), C)$: set $sk'_i = sk'_{i-1} \cdot G^{-t_i}$, and $Y'_i = e(sk'_i, C)$. Return $K = Y_i \cdot Y'_i \in G_T$

  18. ElGamal KEM with Multiplicative Masking
     - $\mathsf{KG}(\kappa)$: choose $x, t_0 \xleftarrow{\$} \mathbb{Z}_q$. Set $X = g^x$, $sk_0 = t_0$, $sk'_0 = x / t_0$. Return $(X, (sk_0, sk'_0))$
     - $\mathsf{Enc}(pk)$: choose $r \xleftarrow{\$} \mathbb{Z}_q$. Compute $C = g^r$ and $K = X^r$; return $(C, K)$
     - $\mathsf{Dec1}(sk_{i-1}, C)$: pick $t_i \xleftarrow{\$} \mathbb{Z}_q$, set $sk_i = sk_{i-1} \cdot t_i$, $Y_i = C^{sk_i}$. Return $(t_i, Y_i)$
     - $\mathsf{Dec2}(sk'_{i-1}, (t_i, Y_i), C)$: set $sk'_i = sk'_{i-1} \cdot t_i^{-1}$, and return $K = Y_i^{sk'_i}$
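
The multiplicatively masked KEM from slides 11 and 18, as an added example (not code from the talk or from the authors' ARM implementation). It runs several decapsulations and checks that each one recovers $K = X^r$ while the two shares are re-randomised and their product stays equal to $x$. The toy group parameters `P`, `Q`, `GEN` and all function names are assumptions made here, and $t_i$ is sampled nonzero so that $t_i^{-1}$ exists.

```python
import secrets

# Constructed toy Schnorr group, far too small for real use:
# P = 2*Q + 1 with Q prime; GEN generates the order-Q subgroup of Z_P^*.
P, Q, GEN = 2039, 1019, 4

def rand_zq_star():
    """Uniform nonzero element of Z_q (nonzero so it is invertible)."""
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x, t0 = rand_zq_star(), rand_zq_star()
    X = pow(GEN, x, P)
    # sk_0 = t_0, sk'_0 = x / t_0: the secret x exists only as a product of shares
    return X, t0, x * pow(t0, -1, Q) % Q

def enc(X):
    r = rand_zq_star()
    return pow(GEN, r, P), pow(X, r, P)        # C = g^r, K = X^r

def dec1(sk_prev, C):
    t = rand_zq_star()
    sk = sk_prev * t % Q                       # sk_i = sk_{i-1} * t_i
    return sk, (t, pow(C, sk, P))              # w_i = (t_i, Y_i = C^{sk_i})

def dec2(sk_p_prev, w):
    t, Y = w
    sk_p = sk_p_prev * pow(t, -1, Q) % Q       # sk'_i = sk'_{i-1} * t_i^{-1}
    return sk_p, pow(Y, sk_p, P)               # K = Y_i^{sk'_i}

def run_rounds(n):
    """Decapsulate n fresh ciphertexts.

    Returns one tuple per round: (key matches, share product still x, sk_i).
    """
    X, sk, sk_p = keygen()
    x = sk * sk_p % Q
    rounds = []
    for _ in range(n):
        C, K = enc(X)
        sk, w = dec1(sk, C)
        sk_p, K_dec = dec2(sk_p, w)
        rounds.append((K == K_dec, sk * sk_p % Q == x, sk))
    return rounds

if __name__ == "__main__":
    for ok, invariant, sk in run_rounds(5):
        print(ok, invariant, sk)
```

Both `dec1` and `dec2` still exponentiate with a secret share (`pow(C, sk, P)`, `pow(Y, sk_p, P)`), which is the leakage source slide 15 points at and the motivation for the pairing-based variant on slide 17.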
