Randomness Leakage in the KEM/DEM Framework Hitoshi Namiki (Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT) ProvSec.

Slides:



Advertisements
Similar presentations
ElGamal Security Public key encryption from Diffie-Hellman
Advertisements

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.
RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Cross-Realm Password-Based Server Aided Key Exchange Source: WISA 2010, LNCS 6513, pp. 322–336, 2011(0) Author: Kazuki Yoneyama Presenter: Li-Tzu Chang.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN /09/2010 Sapienza University of Rome.
Computer Security CS 426 Lecture 3
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Cryptography Lecture 8 Stefan Dziembowski
Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
P1. Public-Key Cryptography and RSA 5351: Introduction to Cryptography Spring 2013.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.
Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---
Cryptography Lecture 11 Arpita Patra. Generic Results in PK World  CPA-secure KEM  SKE COA-secure SKE  Hyb CPA-secure CPA SecurityCCA Security Bit.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Does Privacy Require True Randomness? Yevgeniy Dodis New York University Joint work with Carl Bosley.
A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.)
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Cryptography Resilient to Continual Memory Leakage Zvika Brakerski Weizmann Institute Yael Tauman Kalai Microsoft Jonathan Katz University of Maryland.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Group theory exercise.
Secrecy of (fixed-length) stream ciphers
Topic 30: El-Gamal Encryption
Topic 3: Perfect Secrecy
Cryptography Lecture 6.
Topic 7: Pseudorandom Functions and CPA-Security
Cryptography Lecture 25.
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 4.
Cryptography Lecture 8.
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Leakage-resilient Signatures
The power of Pairings towards standard model security
Cryptography Lecture 21.
Cryptography Lecture 24.
Cryptography Lecture 23.
Presentation transcript:

Randomness Leakage in the KEM/DEM Framework Hitoshi Namiki (Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT) ProvSec 2011

Leakage-Resilient Cryptography Prove the security even if some secret information leaks (by side-channel attacks)

Leakage-Resilient Cryptography Prove the security even if some secret information leaks (by side-channel attacks) Stream Cipher [DP08][Pie09] Public-Key Encryption [AGV09][NS09] [ADW09][AND+10][BG10][DHL+10] … Signature [ADW09][KV09][FKP10][MTV+11][BSW11] … etc.

Leakage-Resilient PKE c = Enc pk (m;r) m = Dec sk (c) c

Leakage-Resilient PKE c = Enc pk (m;r) m = Dec sk (c) c Leakage of secret key [AGV09][NS09][ADW09] …

Leakage-Resilient PKE c = Enc pk (m;r) m = Dec sk (c) c Leakage of sk Leakage of secret key [AGV09][NS09][ADW09] …

Leakage-Resilient PKE Leakage of secret key [AGV09][NS09][ADW09] … Restriction: Amount of leakage is bounded c = Enc pk (m;r) m = Dec sk (c) c Leakage of sk

This Work

Leakage of randomness in encryption

This Work Leakage of randomness in encryption Restriction: Amount of leakage is bounded

This Work Leakage of randomness in encryption Restriction: Amount of leakage is bounded c = Enc pk (m;r) m = Dec sk (c) c

This Work Leakage of randomness in encryption Restriction: Amount of leakage is bounded c = Enc pk (m;r) m = Dec sk (c) c Leakage of r

Our Results

No secure randomness-LR scheme if leaks after public key is published

Our Results No secure randomness-LR scheme if leaks after public key is published Even if 1-bit leaks

Our Results No secure randomness-LR scheme if leaks after public key is published Even if 1-bit leaks Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…)

Our Results No secure randomness-LR scheme if leaks after public key is published Even if 1-bit leaks Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) Secure randomness-LR KEM/DEM scheme even if leaks after public key is published

Our Results No secure randomness-LR scheme if leaks after public key is published Even if 1-bit leaks Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) Secure randomness-LR KEM/DEM scheme even if leaks after public key is published Relax the leakage model (describe later)

Our Results No secure randomness-LR scheme if leaks after public key is published Even if 1-bit leaks Contrast to key-LR scheme (Secure schemes [AGV09][NS09]…) Secure randomness-LR KEM/DEM scheme even if leaks after public key is published Relax the leakage model (describe later) Leakage rate = 1 – o(1) (DDH assumption)

Model of Randomness Leakage pk m 0, m 1 c c = Enc pk (m b ;r) b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

Model of Randomness Leakage Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ Pr[ b’ = b ] ≤ 1/2 + negl(n)

Model of Randomness Leakage Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ f Pr[ b’ = b ] ≤ 1/2 + negl(n)

Model of Randomness Leakage Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ f f(r) Pr[ b’ = b ] ≤ 1/2 + negl(n)

Model of Randomness Leakage Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ f f(r) Pr[ b’ = b ] ≤ 1/2 + negl(n) |f(r)|≤ λ

Model of Randomness Leakage Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ f f(r) Pr[ b’ = b ] ≤ 1/2 + negl(n) |f(r)|≤ λ leakage rate = λ /|r|

Randomness leakage after public key is published Theorem. No secure randomness-LR scheme exists if randomness leaks after public key is published

Proof: Adversary’s strategy: Set f(r) := { i-th bit of Enc pk (m 0 ; r) } for random i If f(r) ≠ { i-th bit of c }, output 1, o.w. a random guess When b = 0, Pr[ b = b’ ] = 1/2 When b = 1, Pr[ b = b’ ] ≥ 1/2 + 1/|c| since f(r) ≠ { i-th bit of c } w.p. at least 1/|c| Randomness leakage after public key is published

Randomness leakage is more serious than key leakage !! 1-bit leakage  insecurity Secure key-LR scheme [AGV09][NS09]… Randomness leakage after public key is published

Randomness leakage is more serious than key leakage !! 1-bit leakage  insecurity Secure key-LR scheme [AGV09][NS09]… Relax the leakage model Fit for KEM/DEM framework Randomness leakage after public key is published

KEM/DEM Framework KEM ≈ PKE for random messages Random message is used as secret key of DEM

KEM/DEM Framework KEM ≈ PKE for random messages Random message is used as secret key of DEM (c 1, K) = KEM.Enc pk (r 1 ) c 2 = DEM.Enc K (m;r 2 )

KEM/DEM Framework KEM ≈ PKE for random messages Random message is used as secret key of DEM (c 1, K) = KEM.Enc pk (r 1 ) c 1, c 2 c 2 = DEM.Enc K (m;r 2 )

KEM/DEM Framework KEM ≈ PKE for random messages Random message is used as secret key of DEM (c 1, K) = KEM.Enc pk (r 1 ) K = KEM.Dec sk (c 1 ) c 1, c 2 c 2 = DEM.Enc K (m;r 2 ) m = DEM.Dec K (c 2 )

Randomness Leakage in KEM/DEM (c 1, K) = KEM.Enc pk (r 1 ) K = KEM.Dec sk (c 1 ) c 2 = DEM.Enc K (m;r 2 ) m = DEM.Dec K (c 2 ) c 1, c 2 f(r 1, r 2 )

Randomness Leakage in KEM/DEM (c 1, K) = KEM.Enc pk (r 1 ) K = KEM.Dec sk (c 1 ) c 2 = DEM.Enc K (m;r 2 ) m = DEM.Dec K (c 2 ) c 1, c 2 Relaxation: Rand. for KEM/DEM leaks independently

Randomness Leakage in KEM/DEM K = KEM.Dec sk (c 1 ) m = DEM.Dec K (c 2 ) r1r1 KEM DEM r2r2 c 1, c 2 (c 1, K) = KEM.Enc pk (r 1 ) c 2 = DEM.Enc K (m;r 2 ) Relaxation: Rand. for KEM/DEM leaks independently The situation that KEM/DEM are implemented by different chips

Randomness Leakage in KEM/DEM Relaxation: Rand. for KEM/DEM leaks independently The situation that KEM/DEM are implemented by different chips K = KEM.Dec sk (c 1 ) m = DEM.Dec K (c 2 ) r1r1 KEM DEM r2r2 c 1, c 2 (c 1, K) = KEM.Enc pk (r 1 ) c 2 = DEM.Enc K (m;r 2 )

Randomness Leakage in KEM/DEM Leakage Oracle pk m 0, m 1 c 1, c 2 r1r1 b’ f f(r 1 ) |f(r 1 )|≤ λ (c 1, K) = KEM.Enc pk (r 1 ) c 2 = DEM.Enc K (m;r 2 ) Leakage Oracle * r2r2 r2r2 entire string! ① ② ③ ④ ⑤

Randomness Leakage in KEM/DEM Leakage Oracle pk m 0, m 1 c 1, c 2 r1r1 b’ f f(r 1 ) |f(r 1 )|≤ λ (c 1, K) = KEM.Enc pk (r 1 ) c 2 = DEM.Enc K (m;r 2 ) Leakage Oracle * r2r2 r2r2 entire string! Remark: (1) Rand. for KEM/DEM leaks independently + (2) Messages are independent of DEM leakage ① ② ③ ④ ⑤

Secure randomness-LR KEM/DEM scheme

Idea: key-LR scheme  randomness-LR scheme

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !!

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen : Enc :

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc : 1n1n param,sk sample

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample param,r 1 m, K KEM DEM

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc : C = KEM DEM param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc : C = param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc :  sk  pk C = sample param,sk param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen : PK = SK = Enc :  sk  pk C = sample param,sk param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen :  r 1  c 1 PK = SK = Enc :  sk  pk C = sample param,r 1 sample param,sk param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen :  param  r 1  c 1 PK = (param, c 1 ), SK = r 1 Enc :  sk  pk  K  c 2 C = (pk, c 2 ) sample 1n1n param,sk m, K param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample m, K Rand.-LR KEM/DEM scheme: Gen :  param  r 1  c 1 PK = (param, c 1 ), SK = r 1 Enc :  sk  pk  K  c 2 C = (pk, c 2 ) sample 1n1n param,sk m, K Need to exist algorithms to generate same K from (param, pk, r) and (param, c 1, sk) param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample Rand.-LR KEM/DEM scheme: Gen :  param  r 1  c 1 PK = (param, c 1 ), SK = r 1 Enc :  sk  pk  K  c 2 C = (pk, c 2 ) sample 1n1n param,sk m, K HPS m, K Need to exist algorithms to generate same K from (param, pk, r) and (param, c 1, sk) param,r 1

Secure randomness-LR KEM/DEM scheme Idea: key-LR scheme  randomness-LR scheme Exchange the roles of key and randomness !! Key-LR KEM/DEM scheme: Gen :  param  sk  pk PK = (param, pk), SK = sk Enc :  r 1  c 1  K  c 2 C = (c 1, c 2 ) sample 1n1n param,sk sample Rand.-LR KEM/DEM scheme: Gen :  param  r 1  c 1 PK = (param, c 1 ), SK = r 1 Enc :  sk  pk  K  c 2 C = (pk, c 2 ) sample 1n1n param,sk m, K HPS HPS-based scheme [NS09] rate = 1 – o(1) m, K Need to exist algorithms to generate same K from (param, pk, r) and (param, c 1, sk) param,r 1

Conclusions Leakage of randomness in PKE Our results No secure scheme if leakage occurs after PK is published Secure KEM/DEM scheme even if leakage occurs after PK is published Restriction: Rand. in KEM/DEM leaks independently + message is independent of DEM leakage Idea: key-LR  randomness-LR Leakage rate: 1 – o(1) from key-LR scheme [NS09]

Thank you

Related work Hedged public-key encryption [BBN+09] Adversary can choose a joint distribution of message and randomness (with enough entropy) If uniform randomness  CPA-security otherwise  weaker security Can be seen as randomness-LR PKE Randomness leakage = Choice of distribution Corresponding to randomness leakage before public key is published – Message must be independent of public key

Secure randomness-LR KEM/DEM scheme ElGamal-based scheme of [NS09]  leak rate = 1/2 HPS-based scheme of [NS09]  leak rate = 1 – o(1) Key-LR scheme [NS09]: Gen : g 1,g 2 ∈ R G  param x 1, x 2 ∈ R Z p  sk h = g 1 x1 g 2 x2  pk PK = (param, pk), SK = sk Enc : r ∈ R Z p  r g 1 r, g 2 r  c 1 h r  K s ∈ R {0,1} t Ext(K,s)+m  c 2 C = (c 1, c 2 ) Our scheme: Gen : g 1,g 2 ∈ R G  param r ∈ R Z p  r g 1 r, g 2 r  c 1 PK = (param, c 1 ), SK = r Enc : x 1, x 2 ∈ R Z p  sk h = g 1 x1 g 2 x2  pk (g 1 r ) x1 (g 2 r ) x2  K s ∈ R {0,1} t Ext(K, s)+m  c 2 C = (pk, c 2 )

Leakage occurs before public key is published Leakage Oracle pk m 0, m 1 c c = Enc pk (m b ;r) r b’ f f(r)

Leakage occurs before public key is published π’ = (Gen’, Enc’, Dec’) Gen’(1 n ) : s  U t, (pk, sk)  Gen(1 n ), pk’ = (pk, s), sk’ = sk Enc’ pk’ (m) : r  U k, c = Enc pk (m; Ext(r,s)) Dec’ sk’ (c) = Dec sk (c) Theorem. If π = (Gen, Enc, Dec) is CPA-secure, then π’ is randomness-LR secure Proof: Ext(r,s) is (almost) uniform even if f(r) leaks Remark: Only one-message (or bounded-poly- many message) security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.