Download presentation

Presentation is loading. Please wait.

Published byRamiro Mayo Modified over 2 years ago

1
1

2
Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

3
Public-Key Encryption 3 m Alice Bob c Learns nothing! Semantic Security [Goldwasser-Micali ‘82] Enc pk (m 0 ) and Enc pk (m 1 ) are computationally indistinguishable for any m 0 and m 1 Encryption must be randomized m

4
Randomness is a Liability 4

5
Randomness is difficult Weak sources in practice (keystrokes, timing) Incorrect implementations – [Heninger et al. ‘12, Lenstra et al. ‘12] on RSA public keys – Sony PS3 master signing key broken due to reuse of randomness across different EC-DSA key pairs Weak randomization attacks against RSA-OAEP [Brown ’05] many many more … 5

6
Deterministic Public-Key Encryption Encryption algorithm is deterministic 6 En c always! Why study deterministic encryption? Hedging against weak sources Can get short ciphertexts –E–Each pk therefore may define a permutation Efficiently searchable encryption –E–Encrypted keyword search [BS11] –D–Deduplication over encrypted data Can we formalize and realize meaningful notions of security for deterministic encryption? BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 …

7
Deterministic Public-Key Encryption 7 “Theory meets practice” Efficiently searchable encryption – Encrypted keyword search – Deduplication over encrypted data Can get short ciphertexts – Easier to use in legacy systems Can we formalize and realize meaningful notions of security for deterministic public key encryption? BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … 3 B’s, 3 F’s, 2 S’s

8
Deterministic Encryption Security – Restricted to high-entropy messages – Nevertheless useful for key encapsulation – Key encapsulation mechanisms [BS11] 8 3 different B’s 3 different F’s 2 different S’s 3 different B’s 3 different F’s 2 different S’s BBO07, BFO08, BFOR08, BBNRSSY09, BS11, MPRS12, FOR12

9
Security of Det. PKE ( attempt 1 ) 9 m 0, m 1 b {0,1} Guess b pk c = Enc pk (m b ) What happens if Enc is deterministic? Is c = Enc pk (m 0 ) ? If so, guess b=0 Else, guess b=1 Security cannot hold if adversary knows (or can predict) m 0 or m 1 !

10
Security of Det. PKE ( attempt 2 ) 10 M 0, M 1 m 0 M 0 m 1 M 1 b {0,1} Guess b c = Enc pk (m b ) * H ∞ (M b ) is not too small: no message is very likely to occur * Is this restriction sufficient? M 0 : sample a random message m such that c = Enc pk (m) starts with a 0 M 1 : sample a random message m such that c = Enc pk (m) starts with a 1 If M allowed to depend on pk and arbitrary then the encryption has subliminal channels NO pk

11
Security of Det. PKE [ BBO ’07 ] 11 M 0, M 1 m 0 M 0 m 1 M 1 b {0,1} Guess b c = Enc pk (m b ) * pk Not realistic assumption in practice – malicious adversary will use the pk in his attack – does not model what information will be leaked when there are accidental dependencies on the public key Question: Realistic security notions that allow the adversary to choose M after seeing pk

12
Security of Det. PKE [ BBO ’07 ] 12 M 0, M 1 m 0 M 0 m 1 M 1 b {0,1} Guess b, pk c = Enc pk (m b ) * Not realistic assumption in practice – malicious adversary will use the pk in his attack – does not model what information will be leaked when there are accidental dependencies on the public key Question: Realistic security notions that allow the adversary to choose M after seeing pk

13
Defining Deterministic Encryption If M is independent of pk then only “single shot” definition 13 M *M * pk, Enc pk (m b ) m 0 M m 1 U b {0,1} Guess b * H ∞ (M) is sufficiently large: “hard to guess” any single message M : choose random m. If Enc pk (m)=0…… output m, else repeat pk Enc pk (m b ) What happens if pk is given before choosing M b ? In [BBNRSSY09] authors consider “multi shot” definition so long as scheme satisfies anonymity

14
Our Work Formalize notions of adaptive security – Attackers given access to pk – Extensions Generic constructions in the random-oracle model – Based on any off-the-shelf (randomized) PKE Constructions in the standard model – Connection to deterministic randomness extractors – New techniques to deterministically extract via a “high- moment crooked” leftover hash lemma – New cryptographic tools (R-lossy trapdoor functions) 14

15
Dec(sk,.) Defining Adaptive Det. PKE 15 M 0, M 1 m 0 M 0 m 1 M 1 Guess b c = Enc pk (m b ) * Set of distributions X of size 2 p X is fixed apriori Set of distributions X of size 2 p X is fixed apriori Fix random b {0,1} Adversary can choose M adaptively based on pk and on answers c as long as M remains in set X. General notion – p=0 : independent of pk – p=O(s.log(s)) : all circuits of size s “Multi-shot” Easily extends to CCA (chosen ciphertext- attack) security (what a surprise!) Security notion only depends on p. Holds for all X of size 2 p Security notion only depends on p. Holds for all X of size 2 p pk

16
Adaptive det. encryption 16 “Real-or-random” oracle RoR(mode,pk,M) – Real: choose m M and output Enc pk (m) – Random: choose u U and output Enc pk (u) RoR(real, pk,.) pk M c ≈p≈p RoR(rand, pk,.) pk M c Set of distributions X of size 2 p Can choose adaptively based on pk and on answers c by RoR from the set X General notion p=0 : [BBO07] p=O(s.log(s)) : all circuits of size s Dec(sk,.)

17
domain f f -1 Injective Efficiently invertible (trapdoor) Two families of functions: injective and lossy range Lossy Cannot be inverted (information theoretically) g Security The descriptions of f and g are “computationally indistinguishable” Much smaller than domain Tool: Lossy Trapdoor Functions [PW08] 17

18
f( ) π( ) Our Basic Scheme 18 Let f be an injective member of a LTDF family Let π be a “sufficiently independent” random permutation * pk = f, π sk = f -1 = Enc: = Dec: π -1 ( ) f -1 ( ) * π chosen randomly from a t-wise δ-dependent family of permutations [KNR09]

19
Proof (by pictures) 19 f f π π f f π π g g π π g g π π f πg πg π g πg π security of LTDFs M0M0 M1M1 security of LTDFs Basic scheme is adaptively secure f ≈ g High-moment Crooked Leftover Hash Lemma: Extracting randomness even if M 0 and M 1 can depend on (g, π)

20
Extracting randomness (LHL) 20 Original LHL f is universal, X is independent of f ( f, f(X) ) ≈ ( f, U ) Crooked LHL f is lossy, π is pairwise independent, X is independent of f ( f, π, f(π(X)) ) ≈ ( f, π, f(U) ) High-Moment LHL f is t-wise independent, X can depend on f but bounded ( f, f(X) ) ≈ ( f, f(U) ) High-Moment Crooked LHL f is lossy, π is t-wise independent, X can depend on f ( f, π, f(π(X)) ) ≈ ( f, π, f(U) ) [DS05] [TV00] Set of distributions of size 2 p g g π π g g π π g πg π g πg π ≈

21
High-Moment Crooked LHL 21 Generalizes the Leftover Hash Lemma [HILL89] and its “crooked” variant [DS05] Lemma – Let f:{0,1} n {0,1} n such that |Im(f)|≤2 n-ℓ – Let X be a set of sources such that for each X in X, H ∞ (X) ≥ (n-ℓ) + 3log(log(|X|)) + 2log(1/ϵ) + θ(1) – Let Π is a family of t-wise independent permutations with t ≈ log(|X|) + (n-ℓ) – Then, with probability 1-ϵ over the choice of π in Π for every X in X we have SD ( f(π(X)), f(U) ) < ϵ Choice of X can depend on f and π

22
Conclusions This work – Defining adaptive deterministic PKE – Constructions secure in the random oracle and standard model – New tools for deterministic extraction Going forward: New directions for research (a.k.a. help me write papers!) – Shorter public keys? In general, public-key needs to be longer than p In our paper: short public-key only for s-circuit size distributions in the random-oracle model – Technical questions related to extraction (work-in-progress) – Other paradigms to construct deterministic PKE schemes 22

23
Other Projects Secure Deduplication (joint work with M. Abadi, D. Boneh, I. Mironov, G. Segev) – Adversary model and security notions – Constructing secure deduplication schemes with strongest security notions – Lead to new and interesting questions about modeling and constructing encryption schemes that leak functionality Authenticated Differential Privacy (joint work with I. Mironov, G. Segev) – Explored differential privacy in the context of outsourced databases with untrusted clients and servers – Generic constructions from cryptographic hammers – Interesting motivation to develop efficient succinct non- interactive arguments that are useful in practice 23

24
Thank you! Any questions? 24

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google