TY - JOUR

T1 - Protecting circuits from computationally bounded and noisy leakage

AU - Faust, Sebastian

AU - Rabin, Tal

AU - Reyzin, Leonid

AU - Tromer, Eran

AU - Vaikuntanathan, Vinod

N1 - Publisher Copyright:
© 2014 Society for Industrial and Applied Mathematics.

PY - 2014

Y1 - 2014

N2 - Physical computational devices leak side-channel information that may, and often does, reveal secret internal states. We present a general transformation that compiles any circuit into a circuit with the same functionality but resilience against well-defined classes of leakage. Our construction requires a small, stateless, and computation-independent leak-proof component that draws random elements from a fixed distribution. In essence, we reduce the problem of shielding arbitrarily complex circuits to the problem of shielding a single, simple component. Our approach is based on modeling the adversary as a powerful observer that inspects the device via a limited measurement apparatus. We allow the apparatus to access all the bits of the computation (except those inside the leak-proof component), and the amount of leaked information to grow unbounded over time. However, we assume that the apparatus is limited in the amount of output bits per iteration and the ability to decode certain linear encodings. While our results apply in general to such leakage classes, in particular, we obtain security against (a) constant-depth circuits leakage, where the leakage function is computed by an AC0 circuit (composed of NOT gates and unbounded fan-in AND and OR gates); (b) noisy leakage, where the leakage function reveals all the bits of the internal state of the circuit, but each bit is perturbed by independent binomial noise-i.e., flipped with some probability p. Namely, for some number p ∈ (0, 1/2], each bit of the computation is flipped with probability p, and remains unchanged with probability 1 - p.

AB - Physical computational devices leak side-channel information that may, and often does, reveal secret internal states. We present a general transformation that compiles any circuit into a circuit with the same functionality but resilience against well-defined classes of leakage. Our construction requires a small, stateless, and computation-independent leak-proof component that draws random elements from a fixed distribution. In essence, we reduce the problem of shielding arbitrarily complex circuits to the problem of shielding a single, simple component. Our approach is based on modeling the adversary as a powerful observer that inspects the device via a limited measurement apparatus. We allow the apparatus to access all the bits of the computation (except those inside the leak-proof component), and the amount of leaked information to grow unbounded over time. However, we assume that the apparatus is limited in the amount of output bits per iteration and the ability to decode certain linear encodings. While our results apply in general to such leakage classes, in particular, we obtain security against (a) constant-depth circuits leakage, where the leakage function is computed by an AC0 circuit (composed of NOT gates and unbounded fan-in AND and OR gates); (b) noisy leakage, where the leakage function reveals all the bits of the internal state of the circuit, but each bit is perturbed by independent binomial noise-i.e., flipped with some probability p. Namely, for some number p ∈ (0, 1/2], each bit of the computation is flipped with probability p, and remains unchanged with probability 1 - p.

KW - Leakage resilience

KW - Models

KW - Side channel attacks

UR - http://www.scopus.com/inward/record.url?scp=84911902674&partnerID=8YFLogxK

U2 - 10.1137/120880343

DO - 10.1137/120880343

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:84911902674

SN - 0097-5397

VL - 43

SP - 1564

EP - 1614

JO - SIAM Journal on Computing

JF - SIAM Journal on Computing

IS - 5

ER -