Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.

Published byEustace Carpenter Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University."— Presentation transcript:

1 Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University

2 The main idea Bounded-Retrieval Model: Construct cryptographic protocols where the secrets are so large that they cannot be efficiently stolen. D. Dagon, W. Lee, R. J. Lipton Protecting Secret Data from Insider Attacks. Financial Cryptography 2005 G. Di Crescenzo, R. Lipton and S. Walfish Perfectly Secure Password Protocols in the Bounded Retrieval Model TCC 2006 S. Dziembowski Intrusion-Resilience via the Bounded-Storage Model TCC 2006 Perfectly Secure Password Protocols in the Bounded Retrieval Model D. Cash, Y. Z. Ding, Y. Dodis, W. Lee, R. Lipton and S. Walfish Intrusion-Resilient Authenticated Key Exchange in the Bounded Retrieval Model without Random Oracles TCC 2007 S. Dziembowski On Forward-Secure Storage CRYPTO 2006

3 Plan Introduction to the Bounded Retrieval Model  Motivation  An entity-authentication protocol  Connections to the BSM Forward-Secure Storage

4 The problem Computers can be infected by mallware! installs a virus The virus can: take control over the machine, steal some secrets stored on the machine. Can we run any crypto on such machines? retrieves some data

5 Is there any remedy? If the virus can download all the data stored on the machine then Assume that he cannot do it! the situation looks hopeless. Idea:

6 The general model installs a virusretrieves some datainstalls a virusretrieves some data no virus The total amount of retrieved data is bounded!

7 Our goal Try to preserve as much security as possible (assuming the scenario from the previous slide). Of course as long as the virus is controlling the machine nothing can be done. Therefore we care about the periods when the machine is free of viruses.

8 Two variants How does the virus decide what the retrieve? Variant 2 [CLW06,…] He can only access some individual bits on the victim’s machine (“slow memory”) Variant 1 [D06a,D06b,CDDLLW07] He can compute whatever he wants on the victim’s machine.

9 Practicality?

10 An example: entity authentication the bank How can the bank verify the authenticity of the user? We solve the following problem: the user

11 example of f: Y={y 1,…,y m } is a set of indices in R f(Y,(R 1,…,R t )) = (R y1,…,R ym ) Entity authentication – the solution random Y key R 00011010011101001001101011100111011111101001110101010101001001010011110000100111111110001010 X = f(Y,R) verifies 00011010011101001001101011100111011111101001110101010101001001010011110000100111111110001010 y1y1 y2y2 ymym 11... 0 …

12 Security of the authentication protocol Theorem [D06,CDDLLW07] The adversary that “retrieved” a constant fraction of R does is not able to impersonate the user. (This of course holds in the periods when the virus is not on the machine.)

13 A related concept: the Bounded Storage Model This is related to the Bounded Storage Model (BSM) [Maurer 1992] In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store. In the BSM the computing power of the adversary may be unlimited.

14 The Bounded-Storage Model (BSM) – an introduction can perform any computation on R, but the result U=h(R) has to be much smaller than R short initial key K X = f(K,R) 000110100111010010011010111001110111 111010011101010101010010010100111100 001001111111100010101001000101010010 001010010100101011010101001010010101 randomizer R: knows: U=h(R) randomizer disappears X ? Eve shouldn’t be able to distinguish X from random s

15 How is BSM related to our model? Seems that the assumptions are oposite: transmissionstorage BSMcheapexpensive LCMexpensivecheap

16 BSM vs. BRM Bounded-Storage Model: Bounded-Retrieval Model R comes from a satellite stored value U R is stored on a computer retrieved value U

17 Consider again the authentication protocol Observation In the authentication protocol one could use a BSM-secure function f. random Y X = f(Y,R) verifies

18 Overview of the results An entity authentication protocol A session-key exchange protocol  in the Random Oracle Model [D06a]  in the plain model [CDDLLW07] Forward Secure Storage [D06b] – “an encryption scheme secure in the BRM”

19 Plan Forward-Secure Storage  IT-secure  computationally-secure  a scheme with a conjectured hybrid security Connections with the theory of Harnik and Naor

20 Forward Secure Storage (FSS) - the motivation key K message M C = E(K,M) C installs a virus retrieves C One of the following happens: The key K leaks to the adversary or The adversary breaks the scheme The adversary can compute M

21 The idea Design an encryption scheme such that the ciphertext C is so large that the adversary cannot retrieve it completely message M ciphertext C=Encr(K,M)

22 Forward-Secure Storage – a more detailed view The adversary to compute an arbitrary function h of C. ciphertext C=Encr(K,M) function h retrieved value U=h(C) length t length s << t KM ?

23 Computational power of the adversary We consider the following variants: computational: the adversary is limited to poly-time information-theoretic: the adversary is infinitely- powerful hybrid: the adversary gains infinite power after he computed the function h. This models the fact that the in the future the current cryptosystems may be broken!

24 Information-theoretic solution – a wrong idea KR X M Y f(), = message key ciphertext in the BSM encryption f – secure in the BSM xor ciphertext (R,Y) Shannon theoremthis cannot work!

25 What exactly goes wrong? Suppose the adversary has some information about M. He can see (R, f(K,R) xor M ). So, he can solve (for K) the equation W = f(K,R) xor M. If he has enough information about M, and K is short, he will succed! Idea: “Blind” the message M! denote it W

26 A better idea KR X M Y f(), = message key is a pair (K,Z) ciphertext (R,Y) Z xor

27 Why does it work? Intuition The adversary can compute any function h of: Y is of no use for him, since it is xor-ed with a random string Z! So if this FSS scheme can be broken then also the BSM function f can be broken (by an adversary that uses the same amount of memory). RY = f(K,R) xor M xor Z

28 Problem with the information-theoretic scheme The secret key needs to be larger than the message! What if we want the key to be shorter? We need to switch to the computational setting...

29 Computational FSS (with a short key) (Encr,Decr) – an IT-secure FSS (E,D) – a standard encryption scheme Encr 1 ( Encr( E( ) ) )=,,, K KK’ M K’ is a random key for the standard encryption scheme M Intuition: when the adversary learns K he has no idea about K’ and therefore no idea about M. large small

30 Hybrid security What about the hybrid security? Recall the scenario: ciphertext C=Encr(K,M) h retrieved value U=h(C) M?M?

31 Is this scheme secure in the hybrid model? The adversary retrives only the second part! Later, when she gets infinite computing power, she can recover the message M! Thus, the scheme is not secure in the hybrid model! Encr( E( ) ),, KK’ M

32 A scheme (Encr 2,Decr 2 ) Does there exist an FSS scheme with hybrid security (and a short key)? Idea: Generate K pseudorandomly! (Encr,Decr) – an IT-secure FSS G – a cryptographic PRG Encr 2 ( )=, KM Encr(), G(K)M

33 Is the scheme from the previous slide secure? It cannot be IT-secure, but is it computationally-secure? secure in the hybrid model? We leave it as an open problem. Looks secure... We can show the following: Very informally, it is secure if one-way functions cannot be used to construct Oblivious Transfer.

34 Computational security of Encr 2 (1/2) there exists an adversary A that breaks the (Encr 2,Decr 2 ) scheme We show that if then one can construct an Oblivious Transfer protocol with: an unconditional privacy of the Sender privacy of the Receiver based on the security of the PRG G.

35 Computational security of Encr 2 (2/2) Simplification: assume that |M| = 1 and the adversary can guess it with probability 1. We construct an honest-but-curious Rabin OT. receiver Encr(X,M) K M U - memory of the adversary A computationally-limited sender cannot distinguish these cases! If X is random then the receiver learns nothing about M (this follows from the IT-security of Encr)! If then the adversary outputs M. if if then X := G(K) X random sender input: M

36 How to interpret this result? Which PRGs G are safe to use in this protocol? In some sense: “those that cannot be used to construct OT”. But maybe there exist “wrong” PRGs... (see: S. Dziembowski and U. Maurer On Generating the Initial Key in the Bounded- Storage Model, EUROCRYPT '04)

37 Hybrid security of Encr 2 The argument for the hybrid security is slightly weaker. We can construct only an OT-protocol with a computationally- unbounded algorithm for the Receiver... This is because the receiver has to simulate an unbounded adversary. receiver

38 Summary IT security hybrid security comp. security the first scheme secure the second scheme not secure secure the third scheme not secure maybe secure

39 A complexity-theoretic view Suppose the adversary wants to know if a given C is a ciphertext of some message M. NP-language: L = {C : there exists K such that C = Encr(K,M)}. standard encryption FSS is C in L? Can we compress C to some U, s.t. |U| << |C| so that later we can decide if C is in L basing on U, and using infinite computing power?

40 The theory of Harnik and Naor This question was recently studied in: Danny Harnik, Moni Naor On the Compressibility of NP Instances and Cryptographic Applications FOCS 2006 See also: Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient Sampling STOC 2006

41 Compressibility of NP Instances Informally, an NP language L is compressible if there exists an efficient algorithm that compresses every string X to a shorter string U, in such a way that an infinitely-powerful solver can decide if X is in L basing only on U. Proving that some language is incompressible (from standard assumptions) is an open problem.. This is why showing an FSS scheme provably-secure in the hybrid model may be hard!

42 Thanks!

Download ppt "Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University."

Similar presentations

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.

Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.

Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google