
Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption






Presentation Transcript


  1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption. Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

  2. Public-Key Encryption. [Figure: Alice sends ciphertext c to Bob, who recovers m; an eavesdropper learns nothing.] Semantic Security [Goldwasser-Micali ’82]: Enc_pk(m0) and Enc_pk(m1) are computationally indistinguishable for any m0 and m1. Consequence: encryption must be randomized.

  3. Randomness is difficult
  • Weak sources in practice (keystrokes, timing)
  • Incorrect implementations
  • [Heninger et al. ’12, Lenstra et al. ’12] on RSA public keys
  • Sony PS3 master signing key broken due to reuse of randomness across different EC-DSA key pairs
  • Weak randomization attacks against RSA-OAEP [Brown ’05]
  • many many more …

  4. Deterministic Public-Key Encryption: “Theory meets practice”
  • Efficiently searchable encryption
  • Encrypted keyword search
  • Deduplication over encrypted data
  • Can get short ciphertexts
  • Easier to use in legacy systems
  • Can we formalize and realize meaningful notions of security for deterministic public-key encryption? BBO ’07, BFO ’08, BFOR ’08, BBNRSSY ’09, BS ’11, MPRS ’12, FOR ’12, … (3 B’s, 3 F’s, 2 S’s)

  5. Security of Det. PKE (attempt 1). [Game: the adversary receives pk and sends m0, m1; the challenger picks b ← {0,1} and returns c = Enc_pk(m_b); the adversary guesses b.]
  • What happens if Enc is deterministic? Is c = Enc_pk(m0)? If so, guess b = 0; else, guess b = 1.
  • Security cannot hold if the adversary knows (or can predict) m0 or m1!

  6. Security of Det. PKE (attempt 2). [Game: the adversary, given pk, sends distributions M0, M1*; the challenger samples m0 ← M0, m1 ← M1, picks b ← {0,1} and returns c = Enc_pk(m_b); the adversary guesses b.]
  * H∞(M_b) is not too small: no message is very likely to occur.
  • Is this restriction sufficient? NO. If M is allowed to depend on pk and is otherwise arbitrary, then the encryption has subliminal channels:
  M0: sample a random message m such that c = Enc_pk(m) starts with a 0
  M1: sample a random message m such that c = Enc_pk(m) starts with a 1

  7. Security of Det. PKE [BBO ’07]. [Game: the adversary chooses M0, M1* independently of pk; the challenger samples m0 ← M0, m1 ← M1, picks b ← {0,1} and returns pk and c = Enc_pk(m_b); the adversary guesses b.]
  • Not a realistic assumption in practice
  • a malicious adversary will use the pk in his attack
  • does not model what information will be leaked when there are accidental dependencies on the public key
  Question: realistic security notions that allow the adversary to choose M after seeing pk

  8. Our Work
  • Formalize notions of adaptive security
  • Attackers given access to pk
  • Extensions
  • Generic constructions in the random-oracle model
  • Based on any off-the-shelf (randomized) PKE
  • Constructions in the standard model
  • Connection to deterministic randomness extractors
  • New techniques to deterministically extract via a “high-moment crooked” leftover hash lemma
  • New cryptographic tools (R-lossy trapdoor functions)

  9. Defining Adaptive Det. PKE. [Game: the adversary receives pk and access to a decryption oracle Dec(sk, ·); a random b ← {0,1} is fixed; the adversary sends M0, M1*, the challenger samples m0 ← M0, m1 ← M1 and returns c = Enc_pk(m_b); the adversary guesses b (what a surprise!).]
  • The adversary can choose M adaptively based on pk and on answers c, as long as M remains in the set 𝒳.
  • General notion
  • p = 0: independent of pk
  • p = O(s·log s): all circuits of size s
  • “Multi-shot”
  • Easily extends to CCA (chosen-ciphertext attack) security
  𝒳 is a set of distributions of size 2^p, fixed a priori. The security notion only depends on p: it holds for all 𝒳 of size 2^p.

  10. Tool: Lossy Trapdoor Functions [PW08]. Two families of functions: injective and lossy.
  • Injective: efficiently invertible (trapdoor)
  • Lossy: cannot be inverted (information-theoretically); the range is much smaller than the domain
  [Figure: an injective f with its inverse f⁻¹, and a lossy g mapping the domain onto a much smaller range.]
  • Security: the descriptions of f and g are “computationally indistinguishable”

  11. Our Basic Scheme. Let f be an injective member of an LTDF family. Let π be a “sufficiently independent” random permutation*.
  pk = (f, π), sk = f⁻¹
  Enc: c = f(π(m))
  Dec: m = π⁻¹(f⁻¹(c))
  * π chosen randomly from a t-wise δ-dependent family of permutations [KNR09]
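As an added worked example (not code from the talk or the paper): the basic scheme of this slide in Python. Textbook RSA stands in for the injective trapdoor function f (an assumption; the real scheme needs a member of a lossy TDF family, and the toy primes are far too small for use) and a random affine map on Z_N stands in for the t-wise δ-dependent permutation π of [KNR09]. It also exposes the ciphertext-equality test behind the searchable-encryption use case of slide 4 and the predictable-message weakness of slide 5.

```python
# Added example: Enc(m) = f(π(m)), Dec(c) = π⁻¹(f⁻¹(c)) with toy stand-ins.
#   f = textbook RSA (injective trapdoor permutation; assumption, not a lossy TDF)
#   π = random affine permutation of Z_N (assumption, stand-in for [KNR09])
import secrets
from math import gcd

def keygen(p=1000003, q=1000033, e=65537):
    """Constructed toy parameters: small primes so everything runs instantly."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # trapdoor f⁻¹
    while True:                               # π(m) = a·m + b mod n is a permutation iff gcd(a, n) = 1
        a = secrets.randbelow(n)
        if gcd(a, n) == 1:
            break
    b = secrets.randbelow(n)
    pk = {"n": n, "e": e, "a": a, "b": b}                      # pk = (f, π)
    sk = {"n": n, "d": d, "a_inv": pow(a, -1, n), "b": b}      # sk = (f⁻¹, π⁻¹)
    return pk, sk

def encrypt(pk, m):
    """Deterministic: the same (pk, m) always yields the same ciphertext."""
    assert 0 <= m < pk["n"]
    pm = (pk["a"] * m + pk["b"]) % pk["n"]    # π(m)
    return pow(pm, pk["e"], pk["n"])          # f(π(m))

def decrypt(sk, c):
    pm = pow(c, sk["d"], sk["n"])             # f⁻¹(c) = π(m)
    return (sk["a_inv"] * (pm - sk["b"])) % sk["n"]   # π⁻¹(π(m)) = m

def ciphertexts_match(pk, c, candidate):
    """Equality test on ciphertexts: the feature behind searchable encryption /
    deduplication (slide 4) and the reason predictable messages cannot be secure (slide 5)."""
    return encrypt(pk, candidate) == c
```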

  12. Proof (by pictures): the basic scheme is adaptively secure. [Hybrid argument, shown as a figure in the original: start from (f, π, f(π(M0))); replace the injective f by a lossy g, by security of LTDFs; then (g, π, g(π(M0))) ≈ (g, π, g(π(M1))) by the High-Moment Crooked Leftover Hash Lemma, which extracts randomness even if M0 and M1 can depend on (g, π); finally replace g by f again, by security of LTDFs.]

  13. Extracting randomness (LHL). [Table in the original: rows f universal / f lossy, columns X independent of f / X chosen from a set of distributions of size 2^p that may depend on f.]
  • Original LHL: f is universal, X is independent of f: (f, f(X)) ≈ (f, U)
  • Crooked LHL [DS05]: f is lossy, π is pairwise independent, X is independent of f: (f, π, f(π(X))) ≈ (f, π, f(U))
  • High-Moment LHL [TV00]: f is t-wise independent, X can depend on f but comes from a bounded set of distributions: (f, f(X)) ≈ (f, f(U))
  • High-Moment Crooked LHL (this work): f is lossy, π is t-wise independent, X can depend on f: (f, π, f(π(X))) ≈ (f, π, f(U))

  14. High-Moment Crooked LHL
  • Generalizes the Leftover Hash Lemma [HILL89] and its “crooked” variant [DS05]
  • Lemma
  • Let f: {0,1}^n → {0,1}^n be such that |Im(f)| ≤ 2^(n−ℓ)
  • Let 𝒳 be a set of sources such that for each X in 𝒳, H∞(X) ≥ (n−ℓ) + 3·log(log|𝒳|) + 2·log(1/ϵ) + Θ(1)
  • Let Π be a family of t-wise independent permutations with t ≈ log|𝒳| + (n−ℓ)
  • Then, with probability 1−ϵ over the choice of π in Π, for every X in 𝒳 we have SD(f(π(X)), f(U)) < ϵ
  • The choice of X can depend on f and π
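An added example, not from the talk, tying slides 6, 13 and 14 together: the statistical distance SD(f(π(X)), f(U)) computed exactly on a tiny domain, once for a flat source chosen independently of π and once for a flat source of the same min-entropy chosen after seeing π (the subliminal-channel situation of slide 6). All parameters are constructed assumptions: a 10-bit domain, a lossy f that drops the low ℓ = 6 bits (so |Im(f)| = 2^(n−ℓ) = 16), a uniformly random permutation in place of a t-wise independent one, and sources flat on 2^k = 64 points.

```python
# Added example: exact SD(f(π(X)), f(U)) for a π-independent vs a π-dependent source.
import random
from collections import Counter

N_BITS, ELL = 10, 6                 # constructed: n = 10, ℓ = 6
DOMAIN = 1 << N_BITS

def lossy_f(x):
    return x >> ELL                 # |Im(f)| = 2^(n-ℓ) = 16 buckets

def sample_pi(rng):
    perm = list(range(DOMAIN))      # uniformly random permutation (stand-in for t-wise independence)
    rng.shuffle(perm)
    return perm

def sd_from_uniform(pi, support):
    """SD between f(π(X)) for X flat on `support` and f(U) for U uniform on the domain."""
    counts = Counter(lossy_f(pi[x]) for x in support)
    buckets = DOMAIN >> ELL
    return 0.5 * sum(abs(counts[b] / len(support) - 1 / buckets) for b in range(buckets))

def independent_source(k, rng):
    """X chosen without looking at π: a random flat source on 2^k points (H∞ = k)."""
    return rng.sample(range(DOMAIN), 1 << k)

def pi_dependent_source(pi, k):
    """X chosen after seeing π: the 2^k points whose images all land in bucket 0 (also H∞ = k)."""
    return [x for x in range(DOMAIN) if lossy_f(pi[x]) == 0][: 1 << k]

def demo(seed=7, k=6):
    """Returns (SD for the independent source, SD for the π-dependent source)."""
    rng = random.Random(seed)       # constructed seed so the run is reproducible
    pi = sample_pi(rng)
    return (sd_from_uniform(pi, independent_source(k, rng)),
            sd_from_uniform(pi, pi_dependent_source(pi, k)))

if __name__ == "__main__":
    ind, dep = demo()
    print(f"independent X: SD = {ind:.3f}   π-dependent X: SD = {dep:.4f}")
```

With k = n − ℓ the independent source already lands near f(U), while the π-dependent one sits entirely in one bucket and has SD = 15/16; the extra min-entropy and the t-wise independence in the lemma are what rule such sources out when they come from a bounded family.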

  15. Conclusions
  • This work
  • Defining adaptive deterministic PKE
  • Constructions secure in the random-oracle and standard model
  • New tools for deterministic extraction
  • Going forward: new directions for research (a.k.a. help me write papers!)
  • Shorter public keys?
  • In general, the public key needs to be longer than p
  • In our paper: short public key only for size-s-circuit distributions in the random-oracle model
  • Technical questions related to extraction (work in progress)
  • Other paradigms to construct deterministic PKE schemes

  16. Thank you! Any questions?
