Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Earlier today: Yevgeniy covered ID schemes, signatures, and interactive encryption/authentication/AKA.

Leakage Resilience and the BRM
 Leakage resilience [AGV09, NS09, …]: cryptographic schemes that remain secure even if the adversary learns partial information f(sk) about the secret key sk.
   Goal: high relative leakage. (Figure: adversary learns f(sk), up to 90% of |sk|.)
 Bounded Retrieval Model (BRM) [Dzi06, CLW06, …]: the absolute size of the leakage can be arbitrarily large (bits, MB, GB, …).
   Accommodate any leakage threshold by increasing the key size flexibly.
   No other loss of efficiency!

Why have schemes in the BRM?
 Security against viruses:
   A virus downloads arbitrary information from local storage and sends it to a remote attacker.
   In practice, the virus cannot download too much (< 10 GB): the bandwidth is too low, the cost is too high, and system security may detect it.
 Security against side-channel attacks:
   The adversary gets some "physical output" of the computation.
   It may be unreasonable to learn "too much" information, even after many physical readings.
   How much is "too much" depends on the physical implementation (a few KB to a few MB).

Prior Work
 Leakage resilience (no BRM):
   Symmetric-key authenticated encryption [DKL09]
   Public-key encryption [AGV09, NS09, KV09]
   Signatures [ADW09, Katz09]
 Bounded Retrieval Model:
   Secret sharing [DP07]
   Symmetric-key identification and authenticated key agreement [Dzi06, CDD+07]
   Public-key ID schemes, signatures, authenticated key agreement [ADW09]
 Now: public-key encryption in the BRM.

Public-Key Encryption in the BRM
 Goal: PKE parameterized by a security parameter s (e.g. 256 bits) and a leakage bound L (anywhere from e.g. 256 bits to 10 GB).
   Secret key size is flexible: |sk| = (1 + ε)L.
   Public keys and ciphertexts are short; their size depends only on s.
   Decryption is local: the number of secret-key bits accessed is proportional to s, not to L.
 Naïve attempt: "Take any leakage-resilient PKE tolerating l(|sk|) bits of leakage. Increase the security parameter s until l(|sk|) > L."
   Problem: public-key and ciphertext size depend on L, so they may be huge.
   Problem: decryption is not local.
   Problem: computation over groups with a 10 GB description length.
   Positive: very secure!

PKE in the BRM via Composition of PKE
 Attempt #1: "Compose n copies of a leakage-resilient PKE."
   Generate n pairs (pk_1, sk_1), …, (pk_n, sk_n). Set PK = (pk_1, …, pk_n), SK = (sk_1, …, sk_n).
   To encrypt m:
     Compute shares (s_1, …, s_n) such that m = s_1 + … + s_n.
     Set c_1 = Enc(pk_1, s_1), …, c_n = Enc(pk_n, s_n).
     Ciphertext is C = (c_1, …, c_n).
 Hope: the composed scheme amplifies leakage from l to L = n·l bits without an unnecessary increase in the security parameter.
 Intuition: to break the composed scheme, one must leak l bits about each of sk_1, …, sk_n.
 Unfortunately, ciphertext size, public-key size and locality are still large.
 Can the intuition be formalized? Stay tuned…

PKE in the BRM via Composition of IBE
 Attempt #2: use a leakage-resilient IBE to reduce the public-key size.
   Generate a master key pair (MPK, MSK) for an IBE.
   Use MSK to generate keys sk_1, …, sk_n for identities 1, …, n.
   Set PK = MPK, SK = (sk_1, …, sk_n). Delete MSK.
   To encrypt m:
     Compute shares (s_1, …, s_t) such that m = s_1 + … + s_t.
     Choose t random identities ID_1, …, ID_t ∊ [n].
     Set c_1 = Enc(ID_1, s_1), …, c_t = Enc(ID_t, s_t).
     Ciphertext is C = (ID_1, …, ID_t, c_1, …, c_t).
 Good news: ciphertext size, public-key size and locality are all proportional to the security parameter (decryption reads only the t keys sk_{ID_1}, …, sk_{ID_t}).
 Need a leakage-resilient IBE (of independent interest).
 Is the composition secure?
(Figure: MPK; SK = (sk_1, …, sk_n) for ID = 1, …, n; each ciphertext uses a random subset of [n].)

Does Composition Amplify Leakage Resilience?
 Composition of leakage-resilient PKE (Attempt #1):
   The intuition does not formalize into a reduction.
   Problem: the reduction cannot simulate L bits of leakage on SK = (sk_1, …, sk_n) while leaking only l < L bits of its own sk_i.
   We do not know of a counterexample (even an artificial one), but black-box reductions won't work.
 Composition using leakage-resilient IBE (Attempt #2):
   We have an (artificial) counterexample. Idea: the secret keys of identities 1, …, n contain a secret sharing of the master secret key, so leakage spread over enough of them reconstructs MSK.
 Good news: composition does amplify leakage resilience for PKE/IBE of a special form, based on hash-proof systems [CS02, NS09].

Leakage Resilience from Hash-Proof Systems
 Earlier today: construction of leakage-resilient PKE from hash-proof systems [NS09].
 R = {(pk, sk) pairs}: there are many valid sk for each pk.
 Three algorithms (Encap, BadEncap, Decap):
   Good encapsulation: (e, k) = Encap(pk).
   Bad encapsulation: e = BadEncap(pk).
   Decapsulation: k = Decap(e, sk).
 Properties:
   Correctness: for good (e, k) = Encap(pk), Decap(e, sk) = k for every valid sk of pk.
   One cannot distinguish whether e is good or bad (even given sk).
   For fixed pk and bad e, Decap(e, sk) is statistically uniform over the choice of a valid sk for pk.
 Encryption/decryption: use k as a one-time pad.
   Encrypt(m, pk) = (e, k + m) where (e, k) = Encap(pk); decryption recovers k = Decap(e, sk) and subtracts it.

Composition of Hash-Proof Systems
 Let PK = (pk_1, …, pk_n), SK = (sk_1, …, sk_n).
 Encrypt(m, PK) = (E, K + m) where
   E = (e_1, …, e_n, r) with (e_i, k_i) = Encap(pk_i), and
   K = Extract(k_1, …, k_n; r) for a randomness extractor Extract with public seed r.
 Decrypt recomputes k_i = Decap(e_i, sk_i) and K = Extract(k_1, …, k_n; r), then subtracts K.
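The hash-proof system just defined and its n-fold composition, as an added example (this is not code from the paper or the talk): a DDH-style HPS in the spirit of [CS02]/[NS09], instantiated in a tiny, insecure safe-prime group so that the arithmetic is readable. Assumptions made for the demo: SHA-256 over the seed and the k_i stands in for the seeded extractor Extract(k_1, …, k_n; r); the discrete log w with g2 = g1^w is kept only so the code can exhibit a second valid sk for the same pk and show that bad e decapsulate differently under it.

```python
"""Toy DDH-style hash-proof system and its composition (added example).
Group, extractor and the known exponent w are demo assumptions, not the
paper's parameters."""
import hashlib
import secrets

# Toy group: the order-q subgroup of Z_p^* with p = 2q + 1 a safe prime.
# Far too small for real use; chosen so the arithmetic stays readable.
Q = 1019
P = 2 * Q + 1          # 2039
G1 = 4                 # a quadratic residue != 1, hence a generator of order q
W = 123                # g2 = g1^w; w is used only to exhibit alternative sks (demo assumption)
G2 = pow(G1, W, P)


def pk_of(sk):
    """pk = g1^x1 * g2^x2 for sk = (x1, x2)."""
    x1, x2 = sk
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P


def keygen():
    """sk uniform in Z_q^2; every pk has q distinct valid secret keys."""
    sk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return sk, pk_of(sk)


def alternative_sk(sk, d):
    """Another valid sk for the same pk: (x1 + w*d, x2 - d) mod q (needs w, demo only)."""
    x1, x2 = sk
    return ((x1 + W * d) % Q, (x2 - d) % Q)


def encap(pk):
    """Good encapsulation: e = (g1^r, g2^r) is a DDH tuple, k = pk^r."""
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), pow(pk, r, P)


def bad_encap(pk):
    """Bad encapsulation: e = (g1^r1, g2^r2) with r1 != r2; indistinguishable from good e under DDH."""
    r1 = secrets.randbelow(Q)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q   # any residue except r1
    return pow(G1, r1, P), pow(G2, r2, P)


def decap(e, sk):
    """k = e1^x1 * e2^x2.  Equals pk^r for good e; for bad e it varies with the choice of sk."""
    (e1, e2), (x1, x2) = e, sk
    return (pow(e1, x1, P) * pow(e2, x2, P)) % P


def extract(ks, r):
    """Extract(k_1, ..., k_n; r): SHA-256 over seed and k_i, standing in for a seeded extractor."""
    h = hashlib.sha256(r)
    for k in ks:
        h.update(k.to_bytes(2, "big"))
    return h.digest()


def compose_keygen(n):
    """Returns (SK, PK) = ((sk_1, ..., sk_n), (pk_1, ..., pk_n))."""
    pairs = [keygen() for _ in range(n)]
    return [sk for sk, _ in pairs], [pk for _, pk in pairs]


def encrypt(m, PK):
    """Encrypt(m, PK) = (E, K xor m) with E = (e_1..e_n, r); m is at most 32 bytes here."""
    assert len(m) <= 32
    es, ks = zip(*(encap(pk) for pk in PK))
    r = secrets.token_bytes(32)
    return (list(es), r), bytes(a ^ b for a, b in zip(extract(ks, r), m))


def decrypt(C, SK):
    """Recompute k_i = Decap(e_i, sk_i) and K = Extract(k_1..k_n; r), then strip the pad."""
    (es, r), c = C
    ks = [decap(e, sk) for e, sk in zip(es, SK)]
    return bytes(a ^ b for a, b in zip(extract(ks, r), c))


def demo(n=8):
    """Checks the three HPS properties the proof relies on, then a composed round trip."""
    sk, pk = keygen()
    sk2 = alternative_sk(sk, 7)            # same pk, different sk
    e_good, k_good = encap(pk)
    e_bad = bad_encap(pk)
    SK, PK = compose_keygen(n)
    msg = b"BRM demo"
    return {
        "same_pk": pk_of(sk2) == pk,
        "good_e_agrees": decap(e_good, sk) == k_good == decap(e_good, sk2),
        "bad_e_depends_on_sk": decap(e_bad, sk) != decap(e_bad, sk2),
        "roundtrip": decrypt(encrypt(msg, PK), SK) == msg,
    }
```

The "bad_e_depends_on_sk" check is the heart of the proof: the two secret keys are indistinguishable from the public key alone, yet on a bad e they yield different k, which is why leakage on SK leaves entropy in (k_1, …, k_n).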

Theorem: Composition of Hash-Proof Systems Amplifies Leakage
 Show that each of the following distributions is indistinguishable from the next:
   (1) E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where (e_i, k_i) = Encap(pk_i).
   (2) E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where e_i = Encap(pk_i) and k_i = Decap(e_i, sk_i).
       Identical to (1) by correctness of the HPS.
   (3) E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where e_i = BadEncap(pk_i) and k_i = Decap(e_i, sk_i).
       Computationally indistinguishable from (2): good and bad e_i cannot be told apart even given SK.
   (4) E = [e_1, …, e_n, r], Leak(SK), Uniform, with |Uniform| = n·|k_i| − |Leak(SK)| − O(s).
       Statistically close to (3): for bad e_i each k_i is uniform over the choice of sk_i, so (k_1, …, k_n) keeps about n·|k_i| − |Leak(SK)| bits of entropy given the leakage, and the extractor turns that into a uniform K.
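Worked derivation of the length in step (4), added here and not on the slides, in the slides' own symbols; it relies on two standard facts, the chain rule for average min-entropy and the leftover hash lemma, and takes s to be the security parameter with target statistical distance $\epsilon = 2^{-s}$:

$$\tilde H_\infty(k_1,\dots,k_n \mid E) = n\,|k_i|$$

since for bad $e_i$ each $k_i = \mathrm{Decap}(e_i, sk_i)$ is uniform over the choice of $sk_i$ and the $sk_i$ are independent;

$$\tilde H_\infty(k_1,\dots,k_n \mid E,\ \mathrm{Leak}(SK)) \;\ge\; n\,|k_i| - |\mathrm{Leak}(SK)|$$

since conditioning on $\ell$ leaked bits lowers average min-entropy by at most $\ell$;

$$|K| \;\le\; \tilde H_\infty(k_1,\dots,k_n \mid E,\ \mathrm{Leak}(SK)) - 2\log(1/\epsilon)
\quad\Longrightarrow\quad
|K| = n\,|k_i| - |\mathrm{Leak}(SK)| - O(s)$$

by the leftover hash lemma for a seeded extractor $\mathrm{Extract}(\cdot\,; r)$ whose seed $r$ is public in $E$. Read the other way round: fixing $|K| = O(s)$ (enough to one-time-pad a short message) leaves a tolerated leakage of $L = n\,|k_i| - |K| - O(s)$ bits, so $L$ grows with $n$ while $s$ stays put.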

How to get PKE in the BRM?
 Recap: the "Attempt #1" scheme can be fixed using hash-proof systems.
   But it still has long ciphertexts and public keys, and no locality.
 How to fix the "Attempt #2" scheme based on IBE?
   Need an "identity-based hash-proof system" (IB-HPS).
   We formalize this new notion.
   Result 1: IB-HPS gives us leakage-resilient IBE.
   Result 2: IB-HPS gives us efficient PKE in the BRM.
   The resulting IBE is used to instantiate the "Attempt #2" scheme.
 Constructions?

Constructing IB-HPS
 Construction based on the [Gentry06] IBE.
   Based on the q-ABDHE assumption (pairing stuff…).
   Allows leakage of a (½ − ε) fraction of the secret key.
 Construction based on the [GPV08] IBE.
   Based on LWE (lattice stuff + random oracle).
   Proven leakage-resilient as an IBE by [AGV09].
   Allows leakage of a (1 − ε) fraction of the secret key.