On the (Im)Possibility of Key Dependent Encryption
Iftach Haitner, Microsoft Research

Presentation transcript:

On the (Im)Possibility of Key Dependent Encryption
Iftach Haitner, Microsoft Research
Thomas Holenstein, Princeton University
August 04, 2009

Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Two (impossibility) results
  – On fully-black-box reductions from KDM security to TDP
  – On strongly-black-box reductions from KDM security to “any” hardness assumption

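Weak Key Dependent Message Security
An encryption scheme (Enc, Dec) is KDM secure if, for any efficient A, the following two interactions are computationally indistinguishable ($\approx_C$):
• The challenger samples $k \leftarrow \{0,1\}^n$; A sends $h_1 : \{0,1\}^n \to \{0,1\}^m$ and receives $\mathrm{Enc}_k(h_1(k))$, sends $h_2$ and receives $\mathrm{Enc}_k(h_2(k))$, …
• The challenger samples $k \leftarrow \{0,1\}^n$; A sends $h_1 : \{0,1\}^n \to \{0,1\}^m$ and receives $\mathrm{Enc}_k(U_m)$, sends $h_2$ and receives $\mathrm{Enc}_k(U_m)$, …
A cannot find k
What class of query functions (e.g., h) should be considered? In most settings, we should consider any (efficient) function.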

Feasibility Results
• Limited output length functions:
  – [Hofheinz-Unruh ‘08] based on any PKE
• Family of affine functions:
  – [Boneh-Halevi-Hamburg-Ostrovsky ‘08] based on DDH
  – [Applebaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE
• Efficient functions ???
• Any function
  – [Black-Rogaway-Shrimpton ‘02] based on Random Oracle

Our Impossibility Results (informal)
It is impossible to construct (via black-box techniques) a KDM encryption scheme that is secure against
• the family of poly-wise independent hash functions, based on OWF
  – extends to TDP
• any function, based on “any assumption”
We focus on the private-key setting. The results also hold for the “many PK keys” setting.

Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Our (impossibility) results
  – On fully black-box reductions from KDM security to TDP
  – On strongly black-box reduction from KDM security to “any” hardness assumption

Fully-Black-Box Reduction from KDM security to OWF
• Black-box construction
• Black-box proof of security: Adversary for breaking KDM $\Rightarrow$ Inverter for breaking OWF
[Diagram labels: OWF, (Enc, Dec); Adversary for KDM, Inverter for OWF, OWF]

Black-box proof of security
[Diagram: A, R and the OWF $\pi$. R is given $y \leftarrow \{0,1\}^n$ and outputs $x \in \pi^{-1}(y)$; A breaks the KDM security of $(\mathrm{Enc}^{\pi}, \mathrm{Dec}^{\pi})$.]

Impossibility Result for OWF Based Schemes
There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions.
More formally: Let $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ be a OWF based encryption scheme, and let $v(n) = |\mathrm{Enc}^{(\cdot)}(M)|$, for $M \in \{0,1\}^{2n}$. Then $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ cannot be proved (in a black-box way) to be KDM-secure against $H_{v(n)+n}$, a family of $(v(n)+n)$-independent hash functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$.

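Our adversary
[Diagram: A, R and the OWF $\pi$. R is given $y \leftarrow \{0,1\}^n$ and outputs $x \in \pi^{-1}(y)$; messages $1^n$, h, c, k, … exchanged with A.]
The adversary A:
1) Select $h \leftarrow H_{v(n)+n}$
2) On input C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
Properties:
1. A breaks the (weak) KDM security of $(\mathrm{Enc}^{\pi}, \mathrm{Dec}^{\pi})$
2. $\pi$ is hard to invert in the presence of A. Proof: à la [Simon ‘98] / [Gennaro-Trevisan ‘01, H-Hoch-Reingold-Segev ‘07]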

Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Our (impossibility) results
  – On fully black-box reductions from KDM security to TDP
  – On strongly black-box reductions from KDM security to “any” hardness assumption

Strongly Black-Box Reduction from KDM security to $\Gamma$
Let $\Gamma$ be a cryptographic assumption (e.g., factoring is hard)
• Arbitrary construction
• Black-box proof of security
• The query function h is treated as a black box
[Diagram labels: Adversary for KDM, Adversary for $\Gamma$]

Strongly Black-box proof of security
[Diagram: A, R (for breaking $\Gamma$) and $\Gamma$ (example: factoring is hard, $n = pq$, $p, q$); A breaks the KDM security of (Enc, Dec); messages $1^n$, h, c, k, … exchanged with A.]
1. h is only accessed via its input/output interface
2. Access to h is not given to a “third party”

Impossibility Result for Strongly Black-Box Reductions
Assume that there exists a strongly-black-box reduction from KDM encryption scheme to $\Gamma$, which is secure against $O_n$, the family of random functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$. Then $\Gamma$ can be broken unconditionally.

Our Adversary
[Diagram: A, R and $\Gamma$; A breaks the KDM security of (Enc, Dec).]
The adversary A:
1) Select $h \leftarrow O_n$
2) On query C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
Properties:
1. A breaks the (weak) KDM security of (Enc, Dec)
2. $R^{A,\Gamma}$ can be efficiently emulated

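The Emulation
[Diagram: R and $\Gamma$; $h \leftarrow O_n$; queries $x_1, x_2, …$ answered with $h(x_1), h(x_2), …$; messages $1^n$, h, c, k exchanged with the emulated A.]
1. Answer each query $h(x_i)$ with a random $y_i \in \{0,1\}^{2n}$ (while keeping consistency)
2. On query C, return (the first) $x_i$ s.t. $\mathrm{Dec}_{x_i}(C) = y_i$
Proof idea: the probability that $h(k) = \mathrm{Dec}_k(C)$ for a non-queried k is $2^{-2n}$.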
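The adversary and its emulation from the last two slides, as an added Python sketch that is not part of the original talk. The toy scheme (`pad`, `enc`, `dec`), the size n = 8 and all function names are assumptions chosen so that every key can be enumerated; h is sampled lazily, which is the "answer with a random $y_i$ while keeping consistency" step.

```python
import hashlib
import random

N = 8          # key length n in bits (toy size: all 2^n keys can be enumerated)
M = 2 * N      # h maps {0,1}^n -> {0,1}^{2n}, as on the slides

def pad(k, r):
    """Toy keystream (assumption, not from the talk): SHA-256(k || r) cut to 2n bits."""
    digest = hashlib.sha256(bytes([k, r])).digest()
    return int.from_bytes(digest[:M // 8], "big")

def enc(k, m, rng):
    r = rng.getrandbits(8)
    return (r, m ^ pad(k, r))

def dec(k, c):
    r, body = c
    return body ^ pad(k, r)

class RandomFunction:
    """h <- O_n sampled lazily: each point gets one fresh random value."""
    def __init__(self, rng):
        self.rng = rng
        self.table = {}      # insertion order = order of the queries x_1, x_2, ...
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(M)
        return self.table[x]

def emulated_adversary(h, c):
    """Emulation: inspect only the points x_i that were already queried."""
    for x, y in h.table.items():
        if dec(x, c) == y:
            return x
    return None

def real_adversary(h, c):
    """Unbounded A: the first k in {0,1}^n with Dec_k(C) = h(k)."""
    for k in range(2 ** N):
        if dec(k, c) == h(k):
            return k
    return None

def play(k, seed=0):
    """The challenger role (played by R) queries h(k) and encrypts it under k."""
    rng = random.Random(seed)
    h = RandomFunction(rng)
    c = enc(k, h(k), rng)
    emu = emulated_adversary(h, c)    # run before real_adversary fills the table
    return emu, real_adversary(h, c)
```

The two answers differ only when some key that was never queried happens to satisfy $\mathrm{Dec}_k(C) = h(k)$, the event the proof idea bounds by $2^{-2n}$ per key.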

Further Issues
• Both bounds hold for 1-1 PRF
Open questions
• Prove feasibility result against larger class of functions
• Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)