Bounded key-dependent message security


1 Bounded key-dependent message security
Boaz Barak (Princeton and Microsoft Research)
Iftach Haitner (Microsoft Research)
Dennis Hofheinz (Karlsruhe Institute of Technology)
Yuval Ishai (Technion and UCLA)

2 IND-CPA security (PKE)
Adversary → Challenger: m0, m1
Challenger → Adversary: Encpk(mb)
Adversary outputs a guess b'
Security ⇔ ∀ A: Pr[ b = b' ] ≈ 1/2

3 KDM-CPA security (PKE)
Adversary → Challenger: query function f
Challenger: m0 ← f(sk), m1 ← rand
Challenger → Adversary: Encpk(mb)
Adversary outputs a guess b'
Security ⇔ ∀ A: Pr[ b = b' ] ≈ 1/2 (many queries, many (pk,sk) pairs)

4 KDM: previous work
Definitions, applications [CL01,BRS02,BPS07]: formal crypto, credential systems, hard-disk encryption
Specific families of functions f:
  "Small/restricted families" [HK07,HU08]
  Affine functions (includes key cycles) [BHHO08,ACPS09]: f(sk1,sk2, … ,skn) = c1·sk1 + c2·sk2 + … + cn·skn
  Any function: only random-oracle-model solutions [BRS02,BDU08]
Showstopper: black-box impossibilities [HH09]
  No BB reduction to OWPs for UHFs f
  No BB reduction to any assumption with BB use of f

5 Our results
KDM security against size-bounded circuits f:
  Bounds on the number of users and on |f| need only be known at encryption time
  Non-BB use of the query function f in the proof
  Application: solves soundness of formal encryption
Tightness of the positive result: extending [HH09]
  Bounded KDM impossible with BB reduction + BB use of f
Main result (informal): Assume DDH or LWE holds. Then there is a bounded-KDM-secure PKE scheme.
More formally: for all polynomials Size and Users, there is a PKE scheme that is KDM secure against arbitrarily many KDM queries with functions f of size Size(k) and Users(k) (pk,sk) instances. (k = security parameter)

6 Warmup: fully homomorphic KDM
Assume fully homomorphic PKE (Gen,Enc,Dec,Eval) with
  (Weak) circuit privacy: h(m) = h'(m) implies (sk, Evalpk(h,Encpk(m))) ≈ (sk, Evalpk(h',Encpk(m)))
  1-circular security: (pk, Encpk(0)) ≈ (pk, Encpk(sk))
Note: Gentry's scheme achieves this (+ statistical circuit privacy)!
Any such scheme is KDM secure against all efficient f:
  Simulator may get Encpk(sk) without harming security
  But Encpk(sk) allows it to construct arbitrary KDM queries (with Eval)
Also: Paillier variant with 1-circular security ⇒ KDM for bounded-length BP (branching program) f

7 Recap: 2-message SC from FHE
2-message secure computation "the fully homomorphic way":
Alice's input: x; Bob's input: y; Alice's output: hy(x)
Alice → Bob: pk, Encpk(x)
Bob → Alice: Encpk(hy(x))

8 Recap: 2-message SC from GC
2-message secure computation "the garbled circuits way":
Alice's input: x; Bob's input: y; Alice's output: hy(x)
Alice → Bob: OT1(x)
Bob → Alice: OT2({Ki,j}), GC(hy,{Ki,j})
Remark: any 2-message SC gives FHE, modulo "compactness" (we need only "bounded" FHE for bounded KDM anyway)

9 Recap: Yao's garbled circuits
Input: function h: {0,1}^k → {0,1}^k and 2k keys Ki,j ∈ {0,1}^k (K1,0, K1,1, …, Kk,0, Kk,1)
Output: GC = GC(h,{Ki,j})
Properties: Given GC and K1,x1, K2,x2, … , Kk,xk, it is
  easy to compute h(x),
  but all information on h other than h(x) and |h| is computationally hidden
Commonly employed together with OT to transport the keys Ki,j

10 Recap: 2-message OT
Alice's input: x = (x1, … , xk) ∈ {0,1}^k; Bob's input: 2k keys {Ki,j}; Alice's output: K1,x1, …, Kk,xk
Alice → Bob: pk = OT1(x)
Bob → Alice: OT2({Ki,j})
Properties:
  Alice gets no information on Ki,j for j ≠ xi
  Bob gets no information on x
  Alice may have secret state (to interpret OT2)

11 An idea that almost works
First attempt for bounded KDM secure PKE:
  Gen(1^k) = ( sk ← rand, pk ← OT1(sk) )
  Encpk(m) = ( GC(hm,{Ki,j}), OT2(pk,{Ki,j}) ) where hm(x) = m for all x
  Decsk(GC,OT2): obtain K1,sk1, …, Kk,skk from OT, then hm(sk) = m from GC
KDM simulation constructs an encryption of f(sk) as ( GC(f,{Ki,j}), OT2({Ki,j}) ) ( ≈ Encpk(f(sk)) )
Larger encoding of hm ⇒ larger KDM functions f possible (this is where the KDM bound comes from)
Problem: OT introduces new secret state as part of sk!
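A runnable toy of slides 9 and 11, written for this transcript (it is not the paper's construction and proves nothing about security, it only shows the functionality that the KDM simulation relies on): Enc is a garbling of the constant function hm, the simulator instead garbles the query function f, and the same selected keys K_{i,sk_i} open both. Assumptions made here: the OT step is replaced by handing the evaluator the keys K_{i,sk_i} directly; SHA-256 of (both input keys, gate id) serves as the double-key encryption of each garbled row; a zero tail on each encrypted output key lets the evaluator recognise the one row it can open; the query function f is a 3-bit full adder chosen for illustration. All names are this example's own.

```python
import hashlib
import secrets

KEY_LEN = 16          # wire keys K_{i,j} are 16 random bytes here (the slides write {0,1}^k)
TAG = b"\x00" * 8     # zero tail appended to every encrypted output key, so the evaluator
                      # recognises the one table row its two input keys can open


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _row_pad(ka: bytes, kb: bytes, gid: int) -> bytes:
    # Assumption made here: SHA-256 of (both input keys, gate id) is a good enough
    # double-key encryption for a toy; the slides do not fix this primitive.
    return hashlib.sha256(ka + kb + gid.to_bytes(4, "big")).digest()[: KEY_LEN + len(TAG)]


def gen_input_keys(k: int) -> dict:
    """The 2k keys K_{i,j}: one (K_{i,0}, K_{i,1}) pair per input wire i."""
    return {i: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for i in range(k)}


def garble(circuit, input_keys, output_wires):
    """Yao garbling. A circuit is a list of gates (op, in_wire_a, in_wire_b, out_wire).
    Returns GC(h, {K_{i,j}}) = (garbled tables, output decoding). The topology and the
    number of gates (|h|) stay visible; the gate functions and wire values do not."""
    keys = dict(input_keys)
    rng = secrets.SystemRandom()
    tables = []
    for gid, (op, a, b, out) in enumerate(circuit):
        keys[out] = (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
        rows = []
        for i in (0, 1):
            for j in (0, 1):
                # row (i, j): the output key for value op(i, j), encrypted under K_{a,i} and K_{b,j}
                rows.append(_xor(_row_pad(keys[a][i], keys[b][j], gid), keys[out][op(i, j)] + TAG))
        rng.shuffle(rows)  # hide which row belongs to which input pair
        tables.append((a, b, out, rows))
    decode = [(w, {keys[w][0]: 0, keys[w][1]: 1}) for w in output_wires]
    return tables, decode


def evaluate(gc, active):
    """Given GC and exactly one key K_{i,x_i} per input wire, compute h(x).
    Returns None when the supplied keys open no row (they are not the wire keys)."""
    tables, decode = gc
    active = dict(active)
    for gid, (a, b, out, rows) in enumerate(tables):
        pad = _row_pad(active[a], active[b], gid)
        opened = [pt[:KEY_LEN] for pt in (_xor(pad, r) for r in rows) if pt[KEY_LEN:] == TAG]
        if not opened:
            return None
        active[out] = opened[0]
    return [table[active[w]] for w, table in decode]


def const_circuit(m_bits):
    """h_m with h_m(x) = m for all x (slide 11): one gate per output bit that ignores its inputs."""
    gates = [((lambda i, j, bit=bit: bit), 0, 0, 100 + idx) for idx, bit in enumerate(m_bits)]
    return gates, [100 + idx for idx in range(len(m_bits))]


def full_adder_circuit():
    """A small f(sk) for the simulated KDM query: (sum, carry) of the three bits of sk."""
    xor, and_, or_ = (lambda i, j: i ^ j), (lambda i, j: i & j), (lambda i, j: i | j)
    return [(xor, 0, 1, 3), (xor, 3, 2, 4), (and_, 0, 1, 5), (and_, 3, 2, 6), (or_, 5, 6, 7)], [4, 7]


def encrypt(m_bits, input_keys):
    """Enc_pk(m) of slide 11 without the OT part: a garbling of the constant function h_m."""
    gates, outs = const_circuit(m_bits)
    return garble(gates, input_keys, outs)


def kdm_query(f_gates, f_outs, input_keys):
    """What the KDM simulator sends instead of Enc_pk(f(sk)): a garbling of f itself."""
    return garble(f_gates, input_keys, f_outs)


def decrypt(gc, sk_bits, input_keys):
    """Dec_sk: select K_{i,sk_i} (delivered by OT2 in the real scheme) and evaluate the GC."""
    active = {i: input_keys[i][bit] for i, bit in enumerate(sk_bits)}
    return evaluate(gc, active)


def demo_encrypt(sk_bits, m_bits):
    keys = gen_input_keys(len(sk_bits))
    return decrypt(encrypt(m_bits, keys), sk_bits, keys)


def demo_kdm(sk_bits):
    keys = gen_input_keys(len(sk_bits))
    gates, outs = full_adder_circuit()
    return decrypt(kdm_query(gates, outs, keys), sk_bits, keys)


def demo_wrong_keys(sk_bits, m_bits):
    keys = gen_input_keys(len(sk_bits))
    gc = encrypt(m_bits, keys)
    return decrypt(gc, sk_bits, gen_input_keys(len(sk_bits)))  # keys Alice never received


if __name__ == "__main__":
    print(demo_encrypt([1, 0, 1], [1, 1, 0, 1]), demo_kdm([1, 1, 0]), demo_wrong_keys([1, 0, 1], [1]))
```

The point to notice is in `decrypt`: the decryptor never looks at which function was garbled, so a ciphertext built from GC(hm) and the simulator's GC(f) are consumed identically, which is exactly what the simulation on slide 11 needs. Whether the two are indistinguishable is the security claim of the construction and is not something this toy demonstrates. The size of the constant circuit garbled by `encrypt` is also what bounds the f a simulator can substitute, matching the "larger encoding of hm ⇒ larger f" remark.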

12 Our approach
Construct an OT in which the selection x is the (only) secret state

13 Targeted encryption (= special 2-message OT)
Alice's input: sk = (sk1, … , skk) ∈ {0,1}^k; Bob's input: 2k keys {Ki,j}; Alice's output: K1,sk1, …, Kk,skk
Alice → Bob: pk
Bob → Alice: { Enc'pk( ski·(Ki,1 − Ki,0) + Ki,0 ) }i = { Enc'pk( Ki,ski ) }i
  (each message is an affine function of sk, so Bob can produce its encryption from pk alone when Enc' supports encrypting affine functions of the secret key)
Properties: sk computationally hidden; Ki,j for j ≠ ski statistically hidden
Alice has no secret state (apart from the selection sk)
Can be implemented with an affine-KDM-secure Enc'! [BHHO08,ACPS09]

14 Catching up
Affine KDM PKE (some special properties required; constructions exist under DDH, LWE)
  ⇒ Targeted encryption (2-move OT such that selection bits = secret state)
  ⇒ (combined with garbled circuits) Bounded KDM PKE

15 Loose ends
With many (pk,sk) in the system (no hybrid argument possible!):
  include the key cycle in f* in GC(f*,{Ki,j}); f*(sk) breaks up the key cycle, obtains the keys sk, evaluates f(sk)
Application to formal encryption:
  problem: simulate implementation of, e.g., Encpk(Sigvk(sk))
  choose the KDM bounds after the other primitives (Sig etc.) are fixed
Strongly BB impossibility of bounded KDM:
  apply the [HH09] BB impossibility in a setting with an exponentially secure PRF
  shows that our non-BB use of the query function f is unavoidable

16 Future work
A-priori bounds are inherent in our technique
  Assuming circular-secure fully homomorphic encryption is too much
  Full KDM security with different techniques?
Affine KDM security [BHHO08,ACPS09] gives additions in f
  Bigger sk ([BGK09]) ⇒ bounded number of multiplications in f
  ⇒ [BGK09] achieve KDM for arbitrary degree-bounded polynomial f
Affine-KDM security [BHHO08,ACPS09] is a versatile building block
  Affine-KDM security from different (generic?) assumptions?

