Bounded key-dependent message security

Bounded key-dependent message security
Boaz Barak (Princeton and Microsoft Research), Iftach Haitner (Microsoft Research), Dennis Hofheinz (Karlsruhe Institute of Technology), Yuval Ishai (Technion and UCLA)

IND-CPA security (PKE)
Game between Adversary and Challenger:
- Adversary sends m0, m1
- Challenger returns Enc_pk(m_b)
- Adversary outputs guess b'
Security ⇔ ∀A: Pr[b = b'] ≈ 1/2

KDM-CPA security (PKE)
- Adversary sends a function f
- Challenger sets m0 ← f(sk), m1 ← rand and returns Enc_pk(m_b)
- Adversary outputs guess b'
Security ⇔ ∀A: Pr[b = b'] ≈ 1/2 (many queries, many (pk,sk) pairs)

KDM: previous work
- Definitions, applications [CL01,BRS02,BPS07]: formal crypto, credential systems, hard-disk encryption
- Specific families of functions f:
  - "Small/restricted families" [HK07,HU08]
  - Affine functions (includes key cycles) [BHHO08,ACPS09]: f(sk1,sk2,…,skn) = c1·sk1 + c2·sk2 + … + cn·skn
  - Any function: only RO-model solutions [BRS02,BDU08]
- Showstopper: black-box impossibilities [HH09]
  - No BB reduction to OWPs for UHFs f
  - No BB reduction to any assumption with BB use of f

Our results
- KDM security against size-bounded circuits f:
  - Bounds on users/|f| need only be known at encryption time
  - Non-BB use of query function f in proof
- Application: solves soundness of formal encryption
- Tightness of positive result: extending [HH09], bounded KDM is impossible with BB reduction + BB use of f
Main result (informal): Assume DDH or LWE holds. Then there is a bounded KDM secure PKE scheme.
More formally: for all polynomials Size and Users, there is a PKE scheme that is KDM secure against arbitrarily many KDM queries with functions f of size Size(k) and Users(k) (pk,sk) instances. (k = security parameter)

Warmup: fully homomorphic KDM
Assume fully homomorphic PKE (Gen,Enc,Dec,Eval) with
- (Weak) circuit privacy: h(m) = h'(m) implies (sk, Eval_pk(h, Enc_pk(m))) ≈ (sk, Eval_pk(h', Enc_pk(m)))
- 1-circular security: (pk, Enc_pk(0)) ≈ (pk, Enc_pk(sk))
Note: Gentry's scheme achieves this (+ statistical circuit privacy)!
Any such scheme is KDM secure against all efficient f:
- Simulator may get Enc_pk(sk) without harming security
- But Enc_pk(sk) allows to construct arbitrary KDM queries (with Eval)
Also: Paillier-variant 1-circular ⇒ KDM for bounded-length BP f

Recap: 2-message SC from FHE
2-message secure computation "the fully homomorphic way":
- Alice's input: x; Alice's output: h_y(x)
- Bob's input: y
- Alice sends pk, Enc_pk(x); Bob replies with Enc_pk(h_y(x))

Recap: 2-message SC from GC
2-message secure computation "the garbled circuits way":
- Alice's input: x; Alice's output: h_y(x)
- Bob's input: y
- Alice sends OT1(x); Bob replies with OT2({K_i,j}), GC(h_y, {K_i,j})
Remark: any 2-message SC gives FHE, modulo "compactness" (we need only "bounded" FHE for bounded KDM anyway)

Recap: Yao's garbled circuits
- Input: function h: {0,1}^k → {0,1}^k and 2k keys K_i,j ∈ {0,1}^k
- Output: GC = GC(h, {K_i,j})
Properties: given GC and K_1,x1, K_2,x2, …, K_k,xk, it is
- easy to compute h(x),
- but all information on h other than h(x) and |h| is computationally hidden
Commonly employed together with OT to transport the keys K_i,j

Recap: 2-message OT
- Alice's input: x = (x1, …, xk) ∈ {0,1}^k; Alice's output: K_1,x1, …, K_k,xk
- Bob's input: 2k keys {K_i,j}
- Alice sends pk = OT1(x); Bob replies with OT2({K_i,j})
Properties:
- Alice gets no information on K_i,j for j ≠ x_i
- Bob gets no information on x
- Alice may have secret state (to interpret OT2)

An idea that almost works
First attempt for bounded KDM secure PKE:
- Gen(1^k) = (sk ← rand, pk ← OT1(sk))
- Enc_pk(m) = (GC(h_m, {K_i,j}), OT2(pk, {K_i,j})), where h_m(x) = m ∀x
- Dec_sk(GC, OT2): obtain {K_i,j} from OT, then h_m(sk) = m from GC
KDM simulation constructs an encryption of f(sk) as (GC(f, {K_i,j}), OT2({K_i,j})) (≈ Enc_pk(f(sk)))
Larger encoding of h_m ⇒ larger KDM f possible (KDM bound)
Problem: OT introduces new secret state as part of sk!

Our approach
Construct an OT in which the selection x is the secret state.

Targeted encryption (= special 2-message OT)
- Alice's input: sk = (sk1, …, skk) ∈ {0,1}^k; Alice's output: K_1,sk1, …, K_k,skk
- Bob's input: 2k keys {K_i,j}
- Alice sends pk; Bob replies with { Enc'_pk( sk_i·(K_i,1 − K_i,0) + K_i,0 ) } = { Enc'_pk( K_i,sk_i ) }
Properties:
- sk computationally hidden; K_i,j for j ≠ sk_i statistically hidden
- Alice has no secret state (apart from the selection sk)
- Can be implemented with an affine-KDM-secure Enc'! [BHHO08,ACPS09]
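As an added illustration of the "idea that almost works" and of how targeted encryption removes the extra OT state (this is example code, not the authors' construction), the following builds the targeted-encryption step on the affine-KDM-secure scheme of [BHHO08] in the way the slide says it can be: Alice's only secret is the bit vector sk, and Bob turns "select K_i,sk_i" into an encryption of K_i,0·(K_i,1/K_i,0)^sk_i, an affine function of sk_i in the exponent, using pk alone. It assumes a constructed toy group (safe prime p = 1019, far too small for real use) and demonstrates only correctness and the no-extra-state structure, not the hiding properties.

```python
# Added example (not from the slides): targeted encryption over the
# [BHHO08] scheme in a constructed toy group.  P = 2Q+1 is a safe prime and
# G generates the order-Q subgroup; all values are toy-sized, NOT secure.
import secrets

P, Q, G = 1019, 509, 4

def rand_elem():
    """Random element of the order-Q subgroup (used for g_i and for keys)."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def inv(x):
    return pow(x, P - 2, P)

def prod_pow(bases, bits):
    """prod_i bases[i]^bits[i] mod P, the only operation Alice needs sk for."""
    out = 1
    for b, e in zip(bases, bits):
        out = out * pow(b, e, P) % P
    return out

def gen(k):
    """Alice: sk = s in {0,1}^k is her ONLY secret; pk = (g_1..g_k, h) with
    h = (prod g_i^{s_i})^{-1}.  No separate OT state is created."""
    s = [secrets.randbelow(2) for _ in range(k)]
    gs = [rand_elem() for _ in range(k)]
    return s, (gs, inv(prod_pow(gs, s)))

def dec(s, c):
    """BHHO Dec: m = c_{k+1} * prod_i c_i^{s_i}; the bits of s do everything."""
    return c[-1] * prod_pow(c[:-1], s) % P

def target(pk, i, k0, k1):
    """Bob: ciphertext (g_1^r, .., g_i^r*u, .., g_k^r, h^r*v) decrypts to
    v*u^{s_i}.  With u = K1/K0 and v = K0 that is K0*(K1/K0)^{s_i} = K_{i,s_i};
    Bob computes it from pk only and never sees s."""
    gs, h = pk
    r = secrets.randbelow(Q - 1) + 1
    c = [pow(g, r, P) for g in gs]
    c[i] = c[i] * k1 * inv(k0) % P          # u = K1 / K0 folded into slot i
    c.append(pow(h, r, P) * k0 % P)         # v = K0
    return c

def transfer(pk, keys):
    """One targeted ciphertext per key pair (K_i,0, K_i,1), i = 1..k."""
    return [target(pk, i, k0, k1) for i, (k0, k1) in enumerate(keys)]

def demo(k=5):
    s, pk = gen(k)
    keys = [(rand_elem(), rand_elem()) for _ in range(k)]   # constructed keys
    got = [dec(s, c) for c in transfer(pk, keys)]           # Alice's output
    return s, keys, got
```

In the full scheme these k recovered keys are exactly the input keys for GC(h_m, {K_i,j}) (or GC(f, {K_i,j}) in the simulation), so decryption needs nothing beyond sk.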

Catching up (roadmap)
Affine KDM PKE (some special properties required; constructions exist on DDH, LWE)
→ Targeted encryption (2-move OT such that selection bits = secret state)
→ Garbled circuits
→ Bounded KDM PKE

Loose ends
- With many (pk,sk) in the system (no hybrid argument possible!):
  - Include the key cycle in f* in GC(f*, {K_i,j})
  - f*(sk) breaks up the key cycle, obtains sk, evaluates f(sk)
- Application to formal encryption:
  - Problem: simulate implementation of, e.g., Enc_pk(Sig_vk(sk))
  - Choose KDM bounds after other primitives (Sig etc.) are fixed
- Strongly BB impossibility of bounded KDM:
  - Apply [HH09] BB impossibility in a setting with exp. secure PRF
  - Shows that our non-BB use of the query function f is unavoidable

Future work
- A-priori bounds inherent in our technique
  - Assuming circular-secure fully homomorphic encryption: too much
  - Full KDM security with different techniques?
- Affine KDM security [BHHO08,ACPS09] gives additions in f
  - Bigger sk ([BGK09]) ⇒ bounded number of multiplications in f
  - ⇒ [BGK09] achieve KDM for arbitrary degree-bounded poly f
- Affine-KDM security [BHHO08,ACPS09] is a versatile building block
  - Affine-KDM security from different (generic?) assumptions?