Forward-Security in the Limited Communication Model Stefan Dziembowski Warsaw University and CNR Pisa.


1 Forward-Security in the Limited Communication Model Stefan Dziembowski Warsaw University and CNR Pisa

2 This talk Brief introduction to the Limited Communication Model. The talk is mostly based on the following papers: [D06a] S. Dziembowski, Intrusion-Resilience via the Bounded-Storage Model, TCC 2006; [D06b] S. Dziembowski, On Forward-Secure Storage, accepted to CRYPTO 2006.

3 Idea of the Limited Communication Model Main idea: Construct cryptographic protocols where the secrets are so large that they cannot be efficiently stolen. (details follow)

4 Plan 1. Motivation and Introduction 2. Protocols for: session-key generation, entity authentication, secure storage 3. Connections to the other areas

5 Disclaimer New area, work in progress!!!


7 Setup: the user holds a key K and authenticates with K to the bank. An adversary who installs a virus on the user's machine learns K and can impersonate the user!

8 Question Can cryptography prevent such an attack?

9 Can we prevent this attack? If we have trusted hardware then this attack is preventable. This hardware can be e.g. a token or a list of one-time passwords. Note that human-memorized passwords don't help (because the virus can record the key-strokes).

10 Assume there is no trusted hardware (trusted hardware is costly and is not easy to use). Can we have any security in this case? Looks quite hopeless... (If the adversary can take control over our machine, then he can do whatever he wants.)

11 The contribution of [D06a] We propose a cheap method that makes the task of the adversary significantly harder. Idea: Make the secret key K so large that the adversary cannot retrieve it. We consider entity authentication and session-key generation.

12 The model (1/3) We assume that the secret key K is stored on a machine which can be infected by a virus; the virus can perform an arbitrary computation on K, but the output U of this computation is shorter than K; she can retrieve U.

13 The model (2/3) As long as the machine is infected, the virus has full control over it. We want to have security in the periods when the virus is not controlling the machine: this is called intrusion resilience. We assume that the virus cannot modify the data on the machine.

14 The model (3/3) What else can the adversary do? She can perform active attacks: eavesdrop, substitute and fabricate messages.

15 A tool: Bounded Storage Model It turns out that this is related to the Bounded Storage Model (BSM) [Maurer 1992] In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store. The computing power of the adversary may be unlimited!

16 Some cryptographic tools

17 Symmetric encryption A key generation algorithm gives Alice and Bob a shared secret key K. Alice sends the ciphertext C = Encr(K,M); Bob recovers the message M = Decr(K,C); Eve sees C and asks: M?

18 Indistinguishability What does it mean that Eve has no information about M? To say: "She cannot guess M" is not enough... Consider the following game: A selects messages M_0, M_1 and sends them to the oracle; the oracle selects a random bit b and a random key K, and sends C = E(K,M_b) to the adversary; A has to guess b.

19 One-time pad encryption Disadvantage: the key is as long as the message! [Shannon 1949]: this is optimal unless we limit the power of the adversary in some way.

20 Message Authentication Codes Observation: encryption does not guarantee integrity of a message (example: one-time pad). To ensure the integrity one has to use MACs (message authentication codes): the sender, holding K, sends M, MAC(K,M); the receiver, holding the same K, verifies the MAC and accepts only M. Eve can modify the transmitted messages.

21 Public key encryption A key generation algorithm gives Bob a public key e and a secret key d. Alice sends the ciphertext C = Encr(e,M); Bob recovers the message M = Decr(d,C); Eve sees C and asks: M?

22 How to limit the power of the adversary Classical cryptography: limit the adversary to poly-time; disadvantage: we don't know how to prove any security here. Information-theoretic cryptography: assume quantum communication, bounded storage, or noisy channels; advantage: provable security!

23 The Bounded-Storage Model (BSM) A long random bit string, the randomizer R, is broadcast. Eve can perform any computation on R, but the result U = h(R) has to be much smaller than R. The honest parties share a short initial key Y and derive X = f(R,Y). Then the randomizer disappears and Eve knows only U. Eve shouldn't be able to distinguish X from random.

24 Power of the adversary Note: The only resource that we bound is memory. The computing power is unlimited!

25 BSM – previous results Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04]. Of course their security depends on the bound on the memory of the adversary. We call a function s-secure if it is secure against an adversary that has memory of size s.

26 The scheme of [DM02] (figure: pieces of the randomizer's bit strings, selected and combined by XOR, give the derived key X)

27 End of the introduction to cryptography

28 How is BSM related to our model? It seems that the assumptions are opposite: in the BSM transmission is cheap and storage is expensive; in the LCM transmission is expensive and storage is cheap.

29 Entity authentication – the problem Alice knows the public key of the bank, so the user can verify the authenticity of the bank and set up a channel C to it, but the bank cannot verify the authenticity of the user. We solve the following problem: how can the bank verify the authenticity of the user?

30 Entity authentication – the solution The bank sends a random Y. Alice's key K is a long random bit string R (the randomizer); she replies with X = f(R,Y), and the bank, which also holds K, verifies X. The communication is done via the channel C.

31 Security of the entity authentication protocol (1/3) Clearly, as long as the adversary is controlling Alice's machine, she can impersonate her. But what happens when the adversary loses control of the user's machine?

32 Security of the entity authentication protocol (2/3)

33 Security of the entity authentication protocol (3/3) What about the active attacks? Since the communication is done via the channel C, the only thing that the adversary can do is to “act as a wire”.

34 Session-key generation The entity authentication protocols without key generation are often not very useful. It is much more practical to have a session-key generation protocol.

35 The session-key generation Alice and Bob share a long-term key K...

36 Intrusion-resilient session-key generation Compromised sessions – when the adversary installed a virus on the machine of at least one of the users. Clearly, a key generated in a compromised session leaks to the adversary. We want the keys generated in non-compromised sessions to remain secret!

37 Intrusion resilience = backward + forward security

38 Forward-secure session-key generation (standard method) Long-term key: a key K for a MAC; (Encr,Decr) – a public key encryption scheme. Alice generates a random key pair (e,d) for the public key encryption and sends e, MAC(K,e). Bob generates a random key Z and sends C = Encr(e,Z), MAC(K,C). Alice decrypts Z from C and erases d.

39 Our protocol Outline: we achieve forward security in a standard way; only the backward security is novel. Challenge: How to generate the key K (for authentication) in a backward-secure way?

40 A (slightly wrong) idea

41 Security

42 Security – proof attempt (1/2)

43 Security – a proof attempt (2/2)

44 How the adversary can influence the outcome of the protocol (figure: bit strings of the randomizer)

45 Repairing the protocol How to repair the protocol? Our idea: add hashing

46 The Random Oracle Model We model the hash function as a random oracle containing a truly random function. The oracle can be queried by the honest users and by the adversary.

47 Finalizing the proof So the adversary has no information about K_a and K_b. If K_a = K_b we are done! Otherwise K_a and K_b are independent, and Alice and Bob will detect it when they use K_a and K_b in a MAC scheme.

48 Improvements The Random Oracle Assumption was removed in Cash et al. [Cryptology ePrint Archive: Report 2005/409]. They also introduce the name Limited Communication Model.

49 Independent Work Giovanni Di Crescenzo, Richard Lipton and Shabsi Walfish Perfectly Secure Password Protocols in the Bounded Retrieval Model, TCC 2006 Main difference: the adversary can retrieve only individual bits.

50 Example The function f of [DM02] was proven secure when the memory of the adversary has a size of around 8% of the length of the randomizer. In our case the players need to store 2 randomizers, so the protocol is secure if the adversary cannot retrieve 4% of the key. Example: if |K| = 5 GB, then we can allow her to retrieve 200 MB. This can probably be improved significantly...

51 Practicality? Note: the trusted server can generate the key pseudo-randomly and just store the seed.

52 The contribution of [D06b]: Forward-Secure Storage (FSS) The user stores C = Encr(K,M) under a secret key K. Eve can compute any value U = h(C) with |U| << |C| and keep U. Later she learns K. Can she compute M = Decr(K,C)?

53 How realistic is this scenario that the key K leaks? The encryption scheme can be broken. We model this by granting the adversary unlimited computing power. This is called an information-theoretic model. The user can lose the key, esp. if she uses it for a longer period. In this case we assume that the computing power is limited (polynomial). This is called a computational model (weaker model but allows more efficient solutions).

54 Formal security definition of the FSS (1/2) Consider the following game between an adversary A and an oracle: A selects two messages M_0, M_1 and sends them to the oracle; the oracle selects a random bit b and a random key K, computes C = Encr(K,M_b) and sends it to the adversary; A stores an arbitrary U = h(C) (with |U| << |C|); the oracle sends K to the adversary; A has to guess b.

55 Formal security definition of the FSS (2/2) We require that the adversary has no chance of guessing b correctly with a probability significantly better than 0.5. (In the computational case we will also assume that the adversary performs only poly-time computations.)

56 Information-theoretic solution – a wrong idea

57 Can it work? By Shannon's theorem it cannot be correct! Why? Because the key is shorter than the message... So it can be broken even without the assumption that the key leaks.

58 A better idea key: (Y, Z), where |Z| = |M|; message: M; ciphertext: (R, f(Y,R) ⊕ M ⊕ Z) for a random R.

59 Security proof (1/4) Suppose: A – an adversary that breaks the FSS scheme, i.e. wins the distinguishing game with probability 0.5 + ε, for some non-negligible ε. We construct an adversary B that breaks the function f in the following sense: B will get a string X equal to (0) a random string, with prob. 0.5, or (1) f(K,R), with prob. 0.5, and will guess if (0) or (1) occurred. The adversary B will do it by simulating the adversary A.

60 Security proof (2/4) B (against BSM) simulates A (against FSS): B receives R; A sends M_0, M_1 to B; B selects a random string W, sends (R,W) to A and stores the internal state of A; B receives X and K; B selects a random bit b, sets Z := X ⊕ M_b ⊕ W and sends (K,Z) to A; if A guesses b correctly then B outputs "X = f(Y,R)", otherwise "X is random".

61 Security proof (3/4) Observation 1 If X = f(Y,R) then the adversary A guesses b correctly with probability at least 0.5 + ε. Observation 2 If X is random then the adversary A guesses b correctly with probability exactly 0.5. Proof From the point of view of the adversary the random variables (K, Z = X ⊕ M_b ⊕ W) and b are independent! qed

62 Security proof (4/4) Case X = f(Y,R) (prob. 0.5): A is right with prob. 0.5 + ε, wrong with prob. 0.5 - ε. Case X is random (prob. 0.5): A is right with prob. 0.5, wrong with prob. 0.5. B is right when A is right in the first case or wrong in the second case; probability: 0.5 (0.5 + ε) + 0.25 = 0.5 + ε/2.
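The information-theoretic scheme of slide 58 and the reduction of slides 60-62, as an added worked example that is not part of the original talk or the papers. It assumes a toy stand-in for the BSM function f (XOR of randomizer blocks picked by Y), constructed demo sizes, and a hypothetical FSS adversary that keeps all of C, so that B's predicted success rate 0.5 + ε/2 becomes visible:

```python
import os
import secrets

BLOCK = 16           # constructed demo sizes: |M| = |Z| = 16 bytes
R_LEN = 64 * BLOCK   # a 1 KB randomizer R stands in for the huge key of the paper
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def f(R: bytes, Y: tuple) -> bytes:
    # Assumed stand-in for a BSM key-expansion function: XOR of the BLOCK-sized pieces
    # of R selected by the short key Y (a tuple of block indices); not a proven-secure f.
    out = bytes(BLOCK)
    for i in Y:
        out = xor(out, R[i * BLOCK:(i + 1) * BLOCK])
    return out
def keygen() -> tuple:   # FSS key K = (Y, Z): short BSM key Y and a pad Z with |Z| = |M|
    return tuple(secrets.randbelow(R_LEN // BLOCK) for _ in range(8)), secrets.token_bytes(BLOCK)
def encr(K: tuple, M: bytes) -> tuple:   # C = (R, f(R,Y) xor Z xor M), R fresh and random
    Y, Z = K
    R = os.urandom(R_LEN)
    return R, xor(xor(f(R, Y), Z), M)
def decr(K: tuple, C: tuple) -> bytes:
    (Y, Z), (R, W) = K, C
    return xor(xor(f(R, Y), Z), W)

class StoreEverythingA:
    # Hypothetical FSS adversary that ignores the storage bound and keeps all of C
    def choose(self) -> tuple:
        self.M0, self.M1 = b"\x00" * BLOCK, b"\xff" * BLOCK
        return self.M0, self.M1
    def store(self, C: tuple) -> tuple:
        return C                              # |U| = |C|: forbidden in the real model
    def guess(self, U: tuple, K: tuple) -> int:
        return 1 if decr(K, U) == self.M1 else 0

def reduction_B(A, R: bytes, X: bytes, Y: tuple) -> str:
    # B receives (R, X) with X either f(R,Y) or uniform, and later Y. It feeds A the
    # ciphertext (R, W) for a random W, then picks Z so that the key (Y, Z) fits W.
    M0, M1 = A.choose()
    W = secrets.token_bytes(BLOCK)
    U = A.store((R, W))
    b = secrets.randbelow(2)
    Z = xor(xor(X, (M0, M1)[b]), W)           # now W == X xor Z xor M_b
    return "X = f(R,Y)" if A.guess(U, (Y, Z)) == b else "X is random"

def success_rate(A, trials: int = 400) -> float:
    # fraction of BSM challenges B answers correctly; slide 62 predicts 0.5 + eps/2
    right = 0
    for _ in range(trials):
        Y, _ = keygen()
        R = os.urandom(R_LEN)
        real = secrets.randbelow(2) == 1
        X = f(R, Y) if real else os.urandom(BLOCK)
        right += (reduction_B(A, R, X, Y) == "X = f(R,Y)") == real
    return right / trials
```

With this cheating A, ε = 0.5, so success_rate comes out near 0.75; a real A is restricted in what store() may keep, and the reduction itself never needs to inspect A's internals.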

63 Problem with the information-theoretic scheme The secret key needs to be larger than the message! What if we want the key to be shorter?

64 Computational FSS (with a short key) – idea 1 Idea 1: Use a short secret key K' and expand it pseudorandomly to a longer key K with a cryptographic pseudorandom generator, then encrypt the message M as Encr(K, M), where (Encr,Decr) is an IT-secure FSS.

65 (A tool: cryptographic PRG) A cryptographic pseudorandom generator is a function that expands a short seed s into a much longer string x, in such a way that x cannot be distinguished from a random string (in poly-time) (assuming that s was chosen uniformly at random)

66 Idea 1 – intuition Idea 1 should work because: "from the point of view of the adversary K is indistinguishable from uniform". Turns out that this intuition is wrong... (although probably most PRGs work well here)

67 Example (1/3) Suppose that we stored on a computer: a long string R = (R_1,...,R_t) of length t, and an encrypted index i = 1,...,t: E(K,i) (where E is some encryption scheme). An adversary gets access to this computer and can retrieve t/2 bits. Later, she learns K. Can she now compute R_i? With probability 0.5 – trivial. Turns out: it can be done with probability 1!!! (for a very weird encryption function E)

68 A Tool – Private Information Retrieval The user holds an index i = 1,...,t; the database holds a string R = (R_1,...,R_t). The user generates and stores some secret N and sends the query Q(N,i); the database returns the answer A(Q(N,i),R), from which the user computes R_i. Requirements: 1. the database doesn't learn i; 2. |A(Q(N,i),R)| << t.

69 PIR – implementation See e.g.: Eyal Kushilevitz and Rafail Ostrovsky, Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval, FOCS’97

70 PIR of [KO97]

71 Quadratic Residues Z_N^* – the group of numbers in {1,…,N} relatively prime with N. A number a is a quadratic residue modulo N (denote: QR(N)) if there exists b such that a = b^2 mod N. Suppose N = pq, where p and q are large primes. (figure: Z_N^* contains the subset Z_N^+, which splits into QR(N) and QNR(N))

72 Facts about QR Given the factorization p,q of N it is easy to 1. generate random elements of QR(N) and QNR(N), 2. decide membership in QR(N) and QNR(N). The second point is hard without the knowledge of the factorization of N. A product of a and b is a quadratic non-residue iff exactly one of a,b is a quadratic non-residue.

73 PIR of [KO97] – actions of the user Basic idea: arrange the string R into an s x s matrix, where s = √t; the index i lands in row d and column c. The user on input i: 1. generates a random N (we will work in Z_N^+); 2. produces a_1,…,a_s such that only a_c is a QNR; 3. sends N, a_1,…,a_s to the database.

74 PIR of [KO97] – actions of the database Example R with rows 011010, 100011, 011100 and values a_1,…,a_6 received from the user. For each row the database multiplies the a_j, squaring a_j exactly where the row has a 1: b_1 := a_1 a_2^2 a_3^2 a_4 a_5^2 a_6, b_2 := a_1^2 a_2 a_3 a_4 a_5^2 a_6^2, b_3 := a_1 a_2^2 a_3^2 a_4^2 a_5 a_6, … The b of the row containing i is a QR iff R_i = 1. The database sends b_1,…,b_s to the user.

75 PIR of [KO97] – final remarks The user just looks at b_d and decides that R_i = 1 if b_d is a QR, and R_i = 0 otherwise. Security follows from the fact that the database cannot distinguish QR from QNR.
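The [KO97] protocol as the three slides above present it (user query, database products, QR test), as an added worked example that is not code from the talk or from [KO97]. It uses constructed toy primes p = 101, q = 103 instead of large ones and the 3 × 6 bit matrix of slide 74; the helper names are assumptions:

```python
import math
import secrets

# Toy parameters, constructed for the demo: in the real scheme p and q are large primes
P, Q = 101, 103
# The database R of slide 74, written as rows of bits (3 rows of s = 6 columns, t = 18)
ROWS = [[0, 1, 1, 0, 1, 0], [1, 0, 0, 0, 1, 1], [0, 1, 1, 1, 0, 0]]

def is_qr_mod_prime(a: int, p: int) -> bool:
    return pow(a, (p - 1) // 2, p) == 1          # Euler's criterion

def is_qr(a: int, p: int, q: int) -> bool:
    # With the factorization N = pq, membership in QR(N) is easy (slide 72)
    return is_qr_mod_prime(a, p) and is_qr_mod_prime(a, q)

def in_zn_plus(a: int, p: int, q: int) -> bool:
    # Z_N^+: residue modulo both primes or non-residue modulo both; without p and q
    # the database cannot tell the two kinds apart, which is what hides the column c
    return is_qr_mod_prime(a, p) == is_qr_mod_prime(a, q)

def random_unit(n: int) -> int:
    while True:
        a = secrets.randbelow(n - 2) + 2
        if math.gcd(a, n) == 1:
            return a

def random_qr(p: int, q: int) -> int:
    return pow(random_unit(p * q), 2, p * q)

def random_qnr_plus(p: int, q: int) -> int:
    while True:                                   # QNR modulo both p and q
        a = random_unit(p * q)
        if not is_qr_mod_prime(a, p) and not is_qr_mod_prime(a, q):
            return a

def user_query(i: int, s: int, p: int, q: int) -> tuple:
    # Slide 73: index i (1-based) lies in row d, column c; only a_c is a QNR
    d, c = divmod(i - 1, s)
    a = [random_qnr_plus(p, q) if j == c else random_qr(p, q) for j in range(s)]
    return d, a

def database_answer(rows: list, a: list, n: int) -> list:
    # Slide 74: b_r is the product of the a_j, squaring a_j exactly where R[r][j] = 1
    b = []
    for row in rows:
        acc = 1
        for bit, aj in zip(row, a):
            acc = acc * (aj * aj if bit else aj) % n
        b.append(acc)
    return b

def pir_retrieve(rows: list, i: int, p: int, q: int) -> int:
    # Slide 75: the user looks only at b_d and outputs 1 iff it is a QR
    d, a = user_query(i, len(rows[0]), p, q)
    b = database_answer(rows, a, p * q)
    return 1 if is_qr(b[d], p, q) else 0
```

pir_retrieve(ROWS, i, P, Q) returns the i-th bit for i = 1,…,18 while the database sees only N and a_1,…,a_6, and the answer is s numbers modulo N rather than the t bits of R.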

76 PIR of [KO97] – the end

77 Example (2/3) Recall: a long string R = (R_1,...,R_t) of length t and an encrypted index i = 1,...,t: E(K,i). We construct the encryption scheme (E,D). Ingredients: (E',D') – some encryption scheme with a key K', and a PIR. (E,D): the key K consists of the user's PIR secret N and K'; E(K,i) = (Q(N,i), E'(K',i)). This is secure...

78 Example (3/3) The computer stores the long string R = (R_1,...,R_t) and the ciphertext (Q(N,i), E'(K',i)); the key is (N, K'). The adversary runs the PIR protocol herself: she computes the database's answer A(Q(N,i),R) from Q(N,i) and R and stores it (it is short). Later, when she learns the key and thus N, she recovers R_i from A(Q(N,i),R).

79 Idea 2 Recall Idea 1: expand the short key K' to K with a cryptographic pseudorandom generator and encrypt with Encr(K, ·). Idea 2: pick a random message M, encrypt it as Encr(K, M), and use M as a key for an encryption scheme (E,D) to encrypt the actual message M' as E(M, M'). (E,D) – some encryption scheme.

80 Idea 2 – security proof (sketch) Suppose we have an adversary A that breaks the scheme Encr(K, M), E(M, M') for a random message M. Consider a modified scheme E(L, M') where L is a random message independent of M. From the security of (E,D): A cannot break the modified scheme. Hence we can construct an adversary that breaks the original scheme!

81 Complexity-theoretic view on encryption The adversary knows C and she knows that M = M_0 or M = M_1, and wants to decide if there exists K such that C = Encr(K,M_0): this is an NP language! Observe that if |M| >> |K| then the probability that for random M_0 and M_1 and a random K_0 there exists K_1 such that Encr(K_0,M_0) = Encr(K_1,M_1) is negligible. (figure: a keys × messages grid with C_0 = Encr(K_0,M_0))

82 Complexity-theoretic view Classical encryption exists => P ≠ NP. FSS exists => P ≠ NP and there exist NP problems that are "incompressible". In case of FSS the adversary 1. stores some information about C ("compresses it"), 2. later obtains the witness K.

83 Compressibility of NP-instances This notion was recently studied in: Danny Harnik, Moni Naor, On the Compressibility of NP Instances and Cryptographic Applications, ECCC Report TR06-022, 2006. See also: Bella Dubrov, Yuval Ishai, On the Randomness Complexity of Efficient Sampling, STOC 2006.

84 The contribution of [HN06] They describe a hierarchy of incompressible NP-languages. They show several implications for cryptography and complexity of the assumption that certain languages are incompressible.

85 The idea of [HN06] Def. An NP-language L is compressible to L' if there exists a poly-time algorithm Z such that: Z(x) ∈ L' iff x ∈ L; the length of Z(x) is polynomial in x and in log w, where w is the witness of x. Compression is witness-retrievable if one can compute (in poly-time) the witness for Z(x) from w and Z(x). (Observe that we need the witness-retrievability in our case!)

86 The end Questions ?

