Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN.

1 Public-Key Encryption with Lazy Parties. Kenji Yasunaga, Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan. Presented at SCN 2012. IMI Crypto Seminar, 2012.12.17

2 One day in a class (Alice; Student 1, Student 2, Student 3, …)

3 One day in a class (Alice; Student 1, Student 2, Student 3, …): The class “Introduction to Cryptography”

4 One day in a class (Alice; Student 1, Student 2, Student 3, …): The class “Introduction to Cryptography”. The final exam has finished.

5 One day in a class (Alice; Student 1, Student 2, Student 3, …): Do you understand public-key encryption?

6 One day in a class (Alice; Student 1, Student 2, Student 3, …): Do you understand public-key encryption? Yes!

7 One day in a class (Alice; Student 1, Student 2, Student 3, …): Good! So, I’ll send your grades by PKE.

8 One day in a class (Alice; Student 1, Student 2, Student 3, …): Good! So, I’ll send your grades by PKE. Please send me your public keys. All right?

9 One day in a class (Alice; Student 1, Student 2, Student 3, …): Good! So, I’ll send your grades by PKE. Please send me your public keys. All right? Yes!

10 One day in a class (Alice)

11 One day in a class (Alice): Although I said so, it is troublesome to encrypt all the grades.

12 One day in a class (Alice): Although I said so, it is troublesome to encrypt all the grades. But, since I promised to use PKE, I have to do…

13 One day in a class (Alice): Although I said so, it is troublesome to encrypt all the grades. But, since I promised to use PKE, I have to do… What happened?

14 What happened is … (Alice; Student 1, Student 2, Student 3, …) Grades: m_1, m_2, m_3, …

15 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, …

16 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, …

17 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … It’s troublesome to encrypt honestly…

18 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … It’s troublesome to encrypt honestly… Wait!

19 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … The grades are personal information for students. Their security is not my concern.

20 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … The grades are personal information for students. Their security is not my concern. Want to cut corners…

21 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, …

22 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … Encrypt by using the all-zero string as randomness. CTs: c_1, c_2, c_3, …

23 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … Encrypt by using the all-zero string as randomness. CTs: c_1, c_2, c_3, … Alice → Students: c_1, c_2, c_3, …

24 What happened is … (Alice; Student 1, Student 2, Student 3, …) Students → Alice: pk_1, pk_2, pk_3, … Grades: m_1, m_2, m_3, … PKs: pk_1, pk_2, pk_3, … Encrypt by using the all-zero string as randomness. CTs: c_1, c_2, c_3, … Alice → Students: c_1, c_2, c_3, … Grades were not sent securely!

25 The lesson from this example

26 If some party in cryptographic protocols (PKE) (1) is not concerned about the security, (2) is not willing to do a costly task (generating randomness) → the security can be compromised.

27 The lesson from this example: If some party in cryptographic protocols (PKE) (1) is not concerned about the security, (2) is not willing to do a costly task (generating randomness) → the security can be compromised. The reason is that Alice is “lazy”.

28 The lesson from this example: If some party in cryptographic protocols (PKE) (1) is not concerned about the security, (2) is not willing to do a costly task (generating randomness) → the security can be compromised. The reason is that Alice is “lazy”. Traditional crypto did not consider lazy parties.

29 The lesson from this example: If some party in cryptographic protocols (PKE) (1) is not concerned about the security, (2) is not willing to do a costly task (generating randomness) → the security can be compromised. The reason is that Alice is “lazy”. Traditional crypto did not consider lazy parties. Many people tend to be lazy in real life… → Need secure protocols even for lazy parties.

30 Our results: Define the security of PKE for lazy parties (lazy parties as rational players). Construct secure PKEs for lazy parties.

31 Practical motivation: The lazy-parties setting is an example of a protocol that may not work if players behave in their own interests. The problem of lazy parties reveals the motivation for using bad randomness in PKE. Secure PKEs for lazy parties → secure PKEs for which users have an incentive to use good randomness.

32 Lazy parties in PKE: Sender (S) and Receiver (R) are lazy. Lazy S (and R) (1) wants to securely transmit msgs in M_S (and M_R), (2) doesn’t want to generate costly randomness. Choose (a) costly true randomness (Good randomness) or (b) zero-cost fixed string (Bad randomness). Define a game between S, R, and an adversary (Adv): a variant of the usual CPA game. Lazy parties behave to maximize their payoffs. The goal is to design PKE secure for m ∈ M_S ∪ M_R.

33 CPA Game (diagram; parties: Adv., Sender, Receiver, Gen Dealer, Enc Dealer, Challenge Dealer). 1. R chooses G/B: 1-a. If R chose G, r_R ← Samp(Gen); 1-b. If R chose B, r_R ← A(1^k); then (pk, sk) ← Gen(1^k; r_R). 2. (m_0, m_1) ← A(pk). 3. b ←_R {0,1}. 4. S chooses G/B: 4-a. If S chose G, r_S ← Samp(Enc); 4-b. If S chose B, r_R ← A; then c ← Enc_pk(m_b; r_S). 5. Output b’ ← A(c).

34 Remarks on CPA Game: We define the game more generally: Sender may run the Gen algorithm; encryption may be interactive. Output of the game: Out = (Win, Val_S, Val_R, Num_S, Num_R), where Win = 1 if b = b’, 0 otherwise; Val_w = 1 if m ∈ M_w, 0 otherwise; Num_w : #{ G output by w : w ∈ {S, R} }.

35 Payoff function: Payoff when the output of the CPA game is Out = (Win, Val_S, Val_R, Num_S, Num_R): u_w(Out) = (-α_w)·Win·Val_w + (-β_w)·Num_w, where α_w, β_w > 0 are real numbers. α_w/2 > q_w β_w is assumed (q_w: maximum of Num_w) → costly good randomness is worth using to achieve security. Payoff when following the pair of strategies (σ_S, σ_R): U_w(σ_S, σ_R) = min E[u_w(Out)], where the min is taken over all Advs and message spaces M_S, M_R.

36 Security of PKE for lazy parties: For a PKE scheme Π and strategies (σ_S, σ_R), (Π, σ_S, σ_R) is CPA secure with (strict) Nash equilibrium if: 1. If players follow (σ_S, σ_R), then for any adversary and message spaces M_S, M_R, Pr[Win·(Val_S + Val_R) ≠ 0] ≤ 1/2 + negl(k); 2. (σ_S, σ_R) is a (strict) Nash equilibrium.
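
Why the assumption α_w/2 > q_w β_w makes Good randomness worth its cost, worked through with the payoff u_w(Out) = (-α_w)·Win·Val_w + (-β_w)·Num_w (an added derivation, not from the original slides; it assumes that when Bad randomness is used the adversary wins with probability 1, as in the all-zero example, and that with Good randomness Pr[Win = 1] = 1/2 up to negl(k)):

    Case m ∈ M_w (Val_w = 1):
      w plays Bad:   Win = 1, Num_w = 0            →  E[u_w] = -α_w
      w plays Good:  Pr[Win = 1] ≈ 1/2, Num_w ≤ q_w →  E[u_w] ≈ -α_w/2 - β_w·Num_w ≥ -α_w/2 - q_w β_w
      Good is preferred when  -α_w/2 - q_w β_w > -α_w,  i.e.  α_w/2 > q_w β_w.

    Case m ∉ M_w (Val_w = 0):
      E[u_w] = -β_w·Num_w, which is largest at Num_w = 0, so w plays Bad.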

37 Solution concepts. (σ_S, σ_R) is a Nash equilibrium: for any w ∈ {S, R} and σ_w’, U_w(σ_S*, σ_R*) ≤ U_w(σ_S, σ_R) + negl(k), where (σ_S*, σ_R*) = (σ_S’, σ_R) if w = S, and (σ_S, σ_R’) otherwise. (σ_S, σ_R) is a strict Nash equilibrium: 1. (σ_S, σ_R) is a Nash equilibrium; 2. for any w ∈ {S, R} and σ_w’ ≠ σ_w, U_w(σ_S*, σ_R*) ≤ U_w(σ_S, σ_R) - 1/k^c, where c is a constant.

38 First observation (Impossibility results). Sender must generate a secret key: a game for distinguishing m_0, m_1 ∈ M_R \ M_S → S uses Bad randomness → Adv can correctly distinguish since Adv knows all the inputs to S except m_b. Encryption must be interactive: a game for distinguishing (m_0, m_0) and (m_0, m_1) for m_0, m_1 ∈ M_R \ M_S → S uses Bad randomness → Adv can correctly distinguish if two msgs were encrypted by the same randomness.
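
The distinguishing argument above, which is also what goes wrong in the all-zero-randomness grades story from the opening slides, as an added example that is not from the original slides. Toy ElGamal stands in for Enc_pk(m; r); the prime, generator, grade values and all function names are assumptions made for illustration.

```python
import secrets

# Toy ElGamal with a constructed 127-bit prime: illustration only, not a secure size.
P = 2**127 - 1
G = 3

def gen(r_R=None):
    """Gen(1^k; r_R): key pair derived from the receiver's randomness."""
    sk = r_R if r_R is not None else secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, m, r_S):
    """Enc_pk(m; r_S): the sender's randomness is an explicit input."""
    return pow(G, r_S, P), (m * pow(pk, r_S, P)) % P

def dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c1^(-sk) via Fermat

def good():
    """Strategy G: fresh (costly) randomness."""
    return secrets.randbelow(P - 2) + 1

def bad():
    """Strategy B: the zero-cost all-zero string, known to everyone."""
    return int.from_bytes(bytes(16), "big")    # == 0

def adversary(pk, m0, m1, c):
    """Re-encrypt both candidates under the publicly known Bad randomness."""
    if enc(pk, m0, bad()) == c:
        return 0
    if enc(pk, m1, bad()) == c:
        return 1
    return secrets.randbelow(2)                # no match: blind guess

def cpa_game(sender_strategy, trials=200):
    """Fraction of games in which the adversary outputs b' = b."""
    m0, m1 = 65, 90                            # constructed grades
    wins = 0
    for _ in range(trials):
        pk, _sk = gen()                        # receiver plays G here
        b = secrets.randbelow(2)
        c = enc(pk, (m0, m1)[b], sender_strategy())
        wins += adversary(pk, m0, m1, c) == b
    return wins / trials

if __name__ == "__main__":
    print("sender Bad :", cpa_game(bad))       # adversary always wins
    print("sender Good:", cpa_game(good))      # close to 1/2
```

With this particular scheme the all-zero choice is even worse than deterministic encryption: the ciphertext is (1, m), so the grade travels in the clear.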

39 Secure PKE for lazy parties (1. Basic setting). Two-round PKE Π_two. Idea: R generates randomness for encryption; R follows since R doesn’t know whether m ∈ M_R. (Sender / Receiver diagram.) Key Generation: (pk_S, sk_S) ← Gen(1^k; r_1^S); pk_S is sent. Encryption: r_2^R ←_R U; c_1 ← Enc(pk_S, r_2^R; r_3^R); c_1 is sent; r_2^R ← Dec(sk_S, c_1); c_2 = m r_2^R; c_2 is sent; m = c_2 r_2^R.

40 Secure PKE for lazy parties (1. Basic setting). A problem of Π_two: if R knows that m ∈ M_R, R uses Bad randomness (m ∈ M_S \ M_R is not sent securely).

41 Secure PKE for lazy parties (2. R knows additional information). R may know whether m ∈ M_R.

42 Secure PKE for lazy parties (2. R knows additional information). R may know whether m ∈ M_R. Three-round PKE Π_three. Idea: key agreement to share randomness. Shared randomness is Good if S or R uses Good. Use the shared randomness for encryption.

43 Three-round PKE Π_three (Sender / Receiver diagram). Key Generation: (pk_R, sk_R) ← Gen(1^k; r_1^R), pk_R is sent; (pk_S, sk_S) ← Gen(1^k; r_1^S), pk_S is sent. Encryption: r_2^R ←_R U; c_1 ← Enc(pk_S, r_2^R; r_3^R); c_1 is sent; r_2^R ← Dec(sk_S, c_1); r_2^S ←_R U; c_2 ← Enc(pk_R, r_2^S; r_3^S); r = r_2^R r_2^S (= r_L ◦ r_R); c_3 ← Enc(pk_R, m; r_L); c_2, c_3 are sent; r_2^S ← Dec(sk_R, c_2); r = r_2^R r_2^S (= r_L ◦ r_R); m ← Dec(sk_R, c_3); c_4 ← Enc(pk_S, m; r_R); c_4 is sent.

44 Non-interactive PKE for lazy parties

45 Additional assumption: Players don’t want to reveal their secret keys

46 Non-interactive PKE for lazy parties. Additional assumption: Players don’t want to reveal their secret keys. A signcryption scheme is secure for lazy parties if the signing key (secret key) can be computed from the ciphertext and randomness → S uses Good to avoid revealing the secret key.

47 Conclusions: “Lazy parties” may compromise the security: an example of protocols that may not work if players behave in their own interests. Our results: define the security of PKE for lazy parties; construct secure PKEs for lazy parties.

48 Conclusions: “Lazy parties” may compromise the security: an example of protocols that may not work if players behave in their own interests. Our results: define the security of PKE for lazy parties; construct secure PKEs for lazy parties. Thank you

49 Lazy parties: (1) They are not concerned about the security in a certain situation. (2) They are unwilling to do a costly task, although they behave in an honest-looking way. Costly task, e.g.: random generation (computation is costly); increasing # rounds to finish (time is costly). Honest-looking behavior, e.g.: using the all-zero string as randomness.

50 A problem of Π_three: If both S and R know that m ∈ M_S ∩ M_R, it’s difficult to determine which of S/R uses Good. There exist two different (strict) Nash strategies.

51 A problem of Π_three: If both S and R know that m ∈ M_S ∩ M_R, it’s difficult to determine which of S/R uses Good. There exist two different (strict) Nash strategies. Solution: R uses the all-zero string as randomness in Enc if R knows m ∈ M_S ∩ M_R. All-zero string is a signal to R.

52 The security proof of Π_three: (a) r = r_2^R r_2^S is Good if S or R uses Good; (b) m ∈ M_S M_R can be guessed from c_4; (c) m ∈ M_R M_S can be guessed from c_3. [Table: columns Key Gen (S), Key Gen (R), Enc (S), Enc (R), Security; entries Good, Bad, ✓, No, with references to (a), (b), (c); cell layout lost in extraction]

53 CPA Game (diagram; parties: Adv., Sender, Receiver, Gen Dealer, Enc Dealer, Challenge Dealer). 1. G/B choice; (pk, sk) ← Gen(1^k; r_R); aux_R = ⊥ if G, r_R if B. 2. (m_0, m_1) ← A_1(pk, aux_R). 3. b ←_R {0,1}. 4. G/B choice; c ← Enc_pk(m_b; r_S); aux_S = ⊥ if G, r_S if B. 5. Output b’ ← A_2(c, aux_S). Pr[b = b’] ≤ 1/2 + negl(k).

54 Impossibility results. Proposition 1. If Sender does not have a secret key, then the scheme is not CPA secure with Nash equilibrium. A game for distinguishing m_0, m_1 ∈ M_R \ M_S → S uses Bad randomness → Adv can correctly distinguish since Adv knows all the inputs to S except m_b → Sender must generate a secret key.
