
Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs




1 Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Earlier today: Yevgeniy covered ID schemes, signatures, and interactive encryption/authentication/AKA.

2 Leakage Resilience and the BRM
- Leakage Resilience [AGV09, NS09, …]: cryptographic schemes that remain secure even if the adversary learns partial information about sk.
  - Goal: high relative leakage.
- Bounded Retrieval Model [Dzi06, CLW06, …]: the absolute size of the leakage can be arbitrarily large (bits, Mb, Gb, …).
  - Accommodate any leakage threshold by increasing the key size flexibly.
  - No other loss of efficiency!
[Figure: the adversary learns leak f(sk), up to 90% of |sk|]

3 Why have schemes in the BRM?
- Security against viruses:
  - A virus downloads arbitrary information from local storage and sends it to a remote attacker.
  - In practice, the virus cannot download too much (< 10 GB): bandwidth too low, cost too high, system security may detect it.
- Security against side-channel attacks:
  - The adversary gets some "physical output" of the computation.
  - It may be unreasonable to learn "too much" info, even after many physical readings.
  - How much is "too much" depends on the physical implementation (few Kb - few Mb).

4 Prior Work
- Leakage Resilience (no BRM):
  - Symmetric-Key Authenticated Encryption [DKL09]
  - Public-Key Encryption [AGV09, NS09, KV09]
  - Signatures [ADW09, Katz09]
- Bounded Retrieval Model:
  - Secret Sharing [DP07]
  - Symmetric-Key Identification and Authenticated Key Agreement [Dzi06, CDD+07]
  - Public-Key ID schemes, Signatures, Authenticated Key Agreement [ADW09]
- Now: Public-Key Encryption in the BRM.

5 Public-Key Encryption in the BRM
- Goal: PKE parameterized by a security parameter s (e.g. 256 bits) and a leakage bound L (e.g. 256 bits - 10 GB).
  - Secret-key size is flexible: |sk| = (1 + ε)L.
  - Public keys and ciphertexts are short and depend only on s.
  - Decryption is local: the number of bits accessed is proportional to s.
- Naïve attempt: "Take any leakage-resilient PKE tolerating ℓ(|sk|) leakage. Increase the security parameter s until ℓ(|sk|) > L."
  - Problem: public-key/ciphertext size depends on L. May be huge.
  - Problem: decryption is not local.
  - Problem: computation over groups with 10 GB description length.
  - Positive: very secure!

6 PKE in the BRM via Composition of PKE
- Attempt #1: "Compose n copies of a Leakage-Resilient PKE."
  - Generate n pairs (pk_1, sk_1), …, (pk_n, sk_n). Set PK = (pk_1, …, pk_n), SK = (sk_1, …, sk_n).
  - To encrypt m:
    - Compute shares (s_1, …, s_n) such that m = s_1 + … + s_n.
    - Set c_1 = Enc(pk_1, s_1), …, c_n = Enc(pk_n, s_n).
    - The ciphertext is C = (c_1, …, c_n).
- Hope: the composed scheme amplifies leakage from ℓ to L = nℓ bits without an unnecessary increase in the security parameter.
  - Intuition: to break the composed scheme, one must leak ℓ bits about each of (sk_1, …, sk_n).
- Unfortunately ciphertext size, public-key size and locality are still large.
- Can the intuition be formalized? Stay tuned…
[Figure: PK = (pk_1, pk_2, …, pk_n), SK = (sk_1, sk_2, …, sk_n)]

7 PKE in the BRM via Composition of IBE
- Attempt #2: use a Leakage-Resilient IBE to reduce the public-key size.
  - Generate a master-key pair (MPK, MSK) for an IBE.
  - Use MSK to generate keys sk_1, …, sk_n for identities 1, …, n.
  - Set PK = MPK, SK = (sk_1, …, sk_n). Delete MSK.
  - To encrypt m:
    - Compute shares (s_1, …, s_t) such that m = s_1 + … + s_t.
    - Choose t random identities ID_i ∊ [n].
    - Set c_1 = Enc(ID_1, s_1), …, c_t = Enc(ID_t, s_t).
    - The ciphertext is C = (ID_1, …, ID_t, c_1, …, c_t).
- Good news: ciphertext size, public-key size and locality are proportional to the security parameter.
- Need a leakage-resilient IBE. (Of independent interest.)
- Is the composition secure?
[Figure: MPK; SK = (sk_1, sk_2, …, sk_n) for ID = 1, 2, …, n; encryption uses a random subset of [n]]

8 Does Composition Amplify Leakage Resilience?
- Composition of Leakage-Resilient PKE (Attempt 1):
  - The intuition does not formalize into a reduction.
  - Problem: cannot simulate L bits of leakage on SK = (sk_1, …, sk_n) by leaking only ℓ < L bits of sk_i.
  - We do not know of a counterexample (even an artificial one), but black-box reductions won't work…
- Composition using Leakage-Resilient IBE (Attempt 2):
  - We have an (artificial) counterexample. Idea: the secret keys of identities 1, …, n contain a secret-sharing of the master secret key.
- Good news: composition amplifies leakage resilience for PKE/IBE of a special form.
  - Based on hash-proof systems [CS02, NS09].

9 Leakage Resilience from Hash-Proof Systems
- Earlier today: construction of Leakage-Resilient PKE from Hash-Proof Systems [NS09].
- R = {(pk, sk) pairs}. Many valid sk for each pk.
- Three algorithms (Encap, BadEncap, Decap):
  - Good encapsulation: (e, k) = Encap(pk).
  - Bad encapsulation: e = BadEncap(pk).
  - Decapsulation: k = Decap(e, sk).
- Cannot distinguish whether e is good or bad (even given sk).
- For fixed pk and bad e: Decap(e, sk) is statistically uniform (over the valid sk for pk).
- Encryption/Decryption: use k as a one-time pad.
  - Encrypt(m, pk) = (e, k + m) where (e, k) = Encap(pk).

10 Composition of Hash-Proof Systems
- Let PK = (pk_1, …, pk_n), SK = (sk_1, …, sk_n).
- Encrypt(m, PK) = (E, K + m) where
  - E = (e_1, …, e_n, r) for (e_i, k_i) = Encap(pk_i)
  - K = Extract(k_1, …, k_n; r)
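The composition of slides 6, 9 and 10 in running code, as an added example and not code from the talk or the paper. It instantiates the hash-proof system with the DDH-based construction (pk = g1^x1 g2^x2, sk = (x1, x2), so many secret keys fit one public key) over a tiny, deliberately insecure toy group, composes n copies, derives K with a seeded SHA-256 hash standing in for Extract, and exposes the two properties slide 9 states: every valid sk decapsulates a good e to the same k, while a bad e decapsulates differently under different valid sk. The group parameters (p = 2039), the toy trapdoor ALPHA used only to construct a second valid key, and the fixed 32-byte message length are assumptions of this example.

```python
"""Toy composition of hash-proof systems (HPS), following slides 6, 9 and 10.

Added illustration, not code from the talk or the paper. The group is a
tiny, deliberately insecure DDH group (p = 2039) chosen so the arithmetic is
readable; a real instantiation needs a cryptographic group and a proper
randomness extractor in place of the hash used here.
"""
import hashlib
import secrets

# Toy DDH group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 and both prime.
P = 2039
Q = 1019
G1 = 4                       # generator of the order-Q subgroup (4 = 2^2)
ALPHA = 123                  # toy trapdoor log_G1(G2); only used to build a second valid sk
G2 = pow(G1, ALPHA, P)       # second generator


def keygen():
    """One HPS key pair. Many sk = (x1, x2) are valid for the same pk."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    pk = (pow(G1, x1, P) * pow(G2, x2, P)) % P
    return pk, (x1, x2)


def equivalent_sk(sk, t=1):
    """Another secret key for the same pk (uses the toy trapdoor ALPHA)."""
    x1, x2 = sk
    return ((x1 + ALPHA * t) % Q, (x2 - t) % Q)


def encap(pk):
    """Good encapsulation: e = (g1^r, g2^r) is a DDH tuple, k = pk^r."""
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), pow(pk, r, P)


def bad_encap():
    """Bad encapsulation: e = (g1^r1, g2^r2) with r1 != r2 (not a DDH tuple)."""
    r1 = secrets.randbelow(Q)
    r2 = (r1 + 1 + secrets.randbelow(Q - 1)) % Q   # any value except r1
    return (pow(G1, r1, P), pow(G2, r2, P))


def decap(e, sk):
    """Decap(e, sk) = e1^x1 * e2^x2. On a good e this equals pk^r."""
    x1, x2 = sk
    return (pow(e[0], x1, P) * pow(e[1], x2, P)) % P


def extract(ks, seed):
    """Seeded extractor stand-in: hash the n partial keys together with the seed r."""
    h = hashlib.sha256(seed)
    for k in ks:
        h.update(k.to_bytes(2, "big"))
    return h.digest()


def keygen_n(n):
    """Composed keys PK = (pk_1..pk_n), SK = (sk_1..sk_n) as on slide 10."""
    pairs = [keygen() for _ in range(n)]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]


def encrypt(PK, m):
    """Encrypt(m, PK) = (E, K xor m) with E = (e_1..e_n, r), K = Extract(k_1..k_n; r)."""
    if len(m) != 32:
        raise ValueError("toy scheme encrypts exactly 32 bytes")
    seed = secrets.token_bytes(16)                 # the public seed r
    es, ks = zip(*(encap(pk) for pk in PK))
    K = extract(ks, seed)
    return (list(es), seed), bytes(a ^ b for a, b in zip(K, m))


def decrypt(SK, C):
    """Recover k_i = Decap(e_i, sk_i) for each i, then re-derive K and unmask."""
    (es, seed), ct = C
    ks = [decap(e, sk) for e, sk in zip(es, SK)]
    return bytes(a ^ b for a, b in zip(extract(ks, seed), ct))


def good_decap_is_sk_independent(pk, sk):
    """Two valid keys for pk decapsulate a good e identically (correctness)."""
    e, k = encap(pk)
    return decap(e, sk) == k == decap(e, equivalent_sk(sk))


def bad_decap_depends_on_sk(sk):
    """On a bad e the decapsulated value depends on which valid sk is held;
    this is the 'statistically uniform' step behind the slide 11 hybrids."""
    e = bad_encap()
    return decap(e, sk) != decap(e, equivalent_sk(sk))


if __name__ == "__main__":
    PK, SK = keygen_n(4)
    msg = b"constructed 32-byte sample msg!!"     # constructed sample input
    assert decrypt(SK, encrypt(PK, msg)) == msg
    print("roundtrip ok; good e is sk-independent:", good_decap_is_sk_independent(PK[0], SK[0]),
          "; bad e is sk-dependent:", bad_decap_depends_on_sk(SK[0]))
```

Decryption touches each sk_i only through Decap, so the example keeps the per-component structure of the slide; it does not, however, model the locality of slide 7, since every one of the n components is used for each ciphertext.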

11 Theorem: Composition of Hash-Proof Systems Amplifies Leakage
Show that the following distributions are indistinguishable:
- Hybrid 1: E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where (e_i, k_i) = Encap(pk_i)
- Hybrid 2: E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where e_i = Encap(pk_i), k_i = Decap(e_i, sk_i)
- Hybrid 3: E = [e_1, …, e_n, r], Leak(SK), K = Extract(k_1, …, k_n; r), where e_i = BadEncap(pk_i), k_i = Decap(e_i, sk_i)
- Hybrid 4: E = [(e_1, …, e_n), r], Leak(SK), Uniform, with |Uniform| = n|k_i| - |Leak(SK)| - O(s)

12 How to get PKE in the BRM?
- Recap: the "Attempt 1" scheme can be fixed using Hash-Proof Systems.
  - Long ciphertexts, long public keys, and no locality.
- How to fix the "Attempt 2" scheme based on IBE?
  - Need an "Identity-Based Hash-Proof System" (IB-HPS). We formalize this new notion.
  - Result 1: IB-HPS gives us Leakage-Resilient IBE.
  - Result 2: IB-HPS gives us efficient PKE in the BRM.
    - The resulting IBE is used to instantiate the "Attempt 2" scheme.
- Constructions?

13 Constructing IB-HPS
- Construction based on the [Gentry06] IBE.
  - Based on "q-ABDHE" (pairing stuff…)
  - Allows leakage of (½ - ε) of the secret key.
- Construction based on the [GPV08] IBE.
  - Based on "LWE" (lattice stuff + RO)
  - Proven as a leakage-resilient IBE by [AGV09].
  - Allows leakage of (1 - ε) of the secret key.


