1 / 35

Public-Key Encryption in the Bounded-Retrieval Model

Public-Key Encryption in the Bounded-Retrieval Model. Speaker: Daniel Wichs. Joël Alwen, Yevgeniy Dodis , Moni Naor , Gil Segev , Shabsi Walfish , Daniel Wichs. Motivation: Leakage-Resilient Crypto. Security proofs in crypto assume idealized adversarial model .

kiona-estes
Télécharger la présentation

Public-Key Encryption in the Bounded-Retrieval Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public-Key Encryption in the Bounded-Retrieval Model Speaker: Daniel Wichs Joël Alwen, YevgeniyDodis, MoniNaor, Gil Segev, ShabsiWalfish, Daniel Wichs

  2. Motivation: Leakage-Resilient Crypto • Security proofs in crypto assume idealized adversarial model. • e.g. adversary sees public-keys, ciphertexts but not secret-keys. • Reality: schemes broken using “key-leakage attacks”. • Side-channels: timing, power consumption, heat, acoustics, radiation. • The cold-boot attack. • Hackers, Malware, Viruses. • Usual Crypto Response: Not our problem. • Blame the Electrical Engineers, OS programmers… • Leakage-Resilient Crypto: Let’s try to help. • Primitives that provably allow some leakage of secret key. • Assume leakage is arbitrary but incomplete.

  3. Models of Leakage Resilience • Adversary can learn any efficiently computable function f : {0,1}*  {0,1}L of the secret key. L = Leakage Bound. sk • Relative Leakage Model [AGV09, DKL09, NS09,…]. • “Standard” cryptosystem with small keys (e.g. 1,024 bits). • Leakage L is a large portion of key size. (e.g. 50% of key size). • Bounded Retrieval Model [Dzi06,…,ADW09]: • Leakage L is a parameter.Can be large. (e.g. few bits or many Gigabytes). • Increase sk size to allow L bits of leakage. • System must remain efficient as Lgrows: Public keys, ciphertexts, encryption/decryption times should be small, independent of L. f(sk) leak

  4. Why design schemes for the BRM? • Security against Hackers/Malware/Viruses: • Attacker can download arbitrary info from compromised system. • Leakage is large, but still bounded (e.g. < 10 GB). • Bandwidth too low, Cost too high, System security may detect. • Protect against such attacks by making secret key large. • OK since storage is cheap. Everything else needs to remain efficient! • Security against side-channel attacks: • After many physical measurements, overall leakage may be large. • Still may be reasonable that it is bounded on absolute scale. • How “bounded” is it? Varies! (few Kb – few Mb).

  5. Prior Work on Leakage Resilience • Restricted classes of leakage functions. • Individual bits of memory [CDH+00, DSS01,KZ03]. Individual wires of comp [ISW03] • “Only Computation Leaks Information” [MR04, DP08, Pie09] • Low Complexity functions [FRT09] Does not seem applicable to e.g. hacking/malware attacks. • Relative Leakage Model. • Symmetric-Key Authenticated Encryption [DKL09] • Public-Key ID, Signatures, AKA [ADW09, KV09] • Public-Key Encryption [AGV09, NS09] • Bounded Retrieval Model. • Symmetric-Key Identification,Authenticated Key Agreement [Dzi06,CDD+07] • Public-Key ID, “Entropic” Sigs, AKA [ADW09] • This work: Public-Key Encryption (and IBE) in the BRM.

  6. Definition of Leakage-Resilient PKE in BRM Adversary Challenger |Pr[b = b’]- ½| is negligible pk (pk,sk) à KeyGen(1s ) , L • Relative Leakage: 9 L = L(s) for which scheme secure. • L should be “relatively large”: maximize ratio of L to|sk|. • BRM: Secure 8 polynomial L = L(s). KeyGen depends on L. • Efficiency: 9 polynomial p(s)8 polynomial L(s): {pk size, cipher text size, encryption/decryption times} ≤ p(s) • Relative Leakage: also maximize ratio of L to |sk|. f : {0,1}*! {0,1}L f(sk) m0, m1 c bà {0,1} cÃEncrypt(mb,pk) Output b’

  7. Outline of Talk • A template for constructing BRM schemes in 3 easy steps. • Explains connection of Public-Key Encryption in BRM to IBE. • Highlights main ideas, but is incomplete. • Define Hash Proof Systems (HPS) and Identity-Based HPS. • HPS ) leakage-resilient PKE in relative-leakage model [NS09]. • IB-HPS ) leakage-resilient IBE in relative-leakage model. • Brief overview of IB-HPS constructions and parameters. • Show how IB-HPS naturally extends to the BRM. • Get PKE and IBE schemes in the BRM.

  8. Template for BRM Schemes:1. Leakage Amplification (via Parallel-Repetition) • Wait! That’s not how leakage works! • Learningf(sk’) withL = nL’bit output NOT the same as learning gi(ski)withL’bit output. • Q: Does parallel-repetition amplify leakage-resilience? • A1:No general black-box reduction is possible. • A2: Works if original PKE has extra properties. • What about efficiency? Does not satisfy BRM. • Assume: Have scheme resilient to L’ bits of leakage. • Given L, construct scheme resilient to Lbits of leakage. • Answer 1: Inflate the security parameter s until L’(s) > L. • Answer 2: Parallel-Repetition. Take n copies of the scheme. • Choose n pairs (pk1,sk1),…,(pkn,skn). Set PK = (pk1,…,pkn ) , SK = (sk1,…,skn) • To encrypt under PK: • n-out-of-n “secret-share” message: SS(m) = (m1,…,mn). • Encrypt each share mi separately ci = Enc(mi, pki). • Send C = (c1,…,cn). • Intuition:Scheme should tolerate L = nL’ bits of leakage. • If leakage on SK is < L = nL’bits then leakage on some ski is < L’ bits.

  9. Template for BRM Schemes:2. Efficiency via Random-Subset Selection Scheme from last slide Encryption Decryption PK SK c1 = Enc(m1, pk1) pk1 sk1 c2 = Enc(m2, pk2) pk2 sk2 c3 = Enc(m3, pk3) pk3 sk3 c4 = Enc(m4, pk4) pk4 sk4 c5 = Enc(m5, pk5) pk5 sk5 … … cn = Enc(mn, pkn) skn pkn • n-out-of-n “secret-share” message: SS(m) = (m1,…,mn). • Encrypt each share mi under pki.

  10. Template for BRM Schemes:2. Efficiency via Random-Subset Selection Encryption Decryption PK SK keys={2,4,…,n} pk1 sk1 pk2 sk2 pk3 sk3 pk4 sk4 pk5 sk5 … … skn pkn • Choose t random key-pairs and only use these to encrypt.

  11. Template for BRM Schemes:2. Efficiency via Random-Subset Selection Encryption Decryption PK SK keys={2,4,…,n} pk1 sk1 c1 = Enc(m1, pk2) pk2 sk2 pk3 sk3 c2 = Enc(m2, pk4) pk4 sk4 pk5 sk5 … … … ct = Enc(mt, pkn) skn pkn • Choose t random key-pairs and only use these to encrypt. • t-out-of-t “secret-share” message: SS(m) = (m1,…,mt). • Encrypt each share mi under the ith chosen public-key. • Hope: t can be much smaller than n, only proportional to s. • Leakage < εL’n meansonly εfraction of secret-keys “badly compromised”.

  12. Template for BRM Schemes:3. Adding a Master Public Key. Encryption Decryption PK = MPK SK keys={2,4,…,n} sk1 c1 = Enc(m1, ID=1) sk2 sk3 c2 = Enc(m2, ID=4) sk4 sk5 … … ct = Enc(mt, ID = n) skn • Use Identity-Based Encryption (IBE). • The component secret keys ski correspond to secret-keys for identities i. • The master-secret-key msk of the IBE is only used to generate SK.

  13. Template for BRM Schemes:3. Adding a Master Public Key. Encryption Decryption PK = MPK SK keys={2,4,…,n} sk1 c1 = Enc(m1, ID=1) sk2 sk3 c2 = Enc(m2, ID=4) sk4 sk5 … … ct = Enc(mt, ID = n) skn • Scheme meets the efficiency requirements of the BRM. • Security? • Does not amplify leakage-resilience in general (counterexample). • Rest of talk: making it work with “special” IBE constructions.

  14. Outline of Talk • A template for constructing BRM schemes in 3 easy steps. • Highlights main ideas, but is incomplete. • Explains connection of Public-Key Encryption in BRM to IBE. • Define Hash Proof Systems (HPS) and Identity-Based HPS. • HPS ) leakage-resilient PKE in relative-leakage model [NS09]. • IB-HPS ) leakage-resilient IBE in relative-leakage model. • Brief overview of IB-HPS constructions and parameters. • Show how IB-HPS naturally extends to the BRM. • Use IB-HPS to get PKE and IBE schemes in the BRM.

  15. Hash Proof Systems • Simplified presentation as a key-encapsulation scheme: • (pk, sk)ÃKeyGen(1s) • (c, k)ÃEncap(pk) • k’ ÃDecap(c, sk) • Correctness: k = k’ (with overwhelming prob). • KEM Security: (pk, c, k) ¼c (pk, c, $) • HPS is a special way to prove KEM security.

  16. Hash Proof Systems • Simplified presentation as a key-encapsulation scheme: • (pk, sk)ÃKeyGen(1s) • (c, k)ÃEncap(pk) (valid encapsulation) • c* Ã Encap*(pk) (invalid encapsulation) • k’ ÃDecap(c, sk) • Correctness: k = k’ (with overwhelming prob). • KEM Security: (pk, c, k) ¼c (pk, c, $) • HPS is a special way to prove KEM security.

  17. Hash Proof Systems • Simplified presentation as a key-encapsulation scheme: • (pk, sk)ÃKeyGen(1s) • (c, k)ÃEncap(pk) (valid encapsulation) • c* Ã Encap*(pk) (invalid encapsulation) • k’ ÃDecap(c, sk) • Correctness: k = k’ (with overwhelming prob). • Valid/invalid indistinguishability given sk: (pk, sk, c) ≈c (pk, sk, c*) • Decapsulation of an invalid ciphertextc* has statistical entropy: • (m, ½)-Universality: • Conditioned on fixed value of pk: H1(sk) ¸ m. • 8sksk’ Prc*[Decap(c*, sk) = Decap(c*, sk’)] ·½. • Smoothness: for fixed pk, (c*, k*) ¼s (c*,$) where k*ÃDecap(c*, sk). • L-Leakage-smoothness: (c*, k*,f(sk)) ¼s (c*, $, f(sk)) where |f(sk)|=L.

  18. Hash Proof Systems • Relationship Between Universality/Smoothness/Leakage • An (m, ½)-Universal HPS with k 2 {0,1}vis “L-Leakage smooth” when L < m – v – (s) , ½ < (1/2v)(1 + negl(s)). • Any “smooth” HPS with k 2 {0,1}v can be composed with an extractor to get “L-leakage smooth” HPS with L = v - (s). • Simplified presentation as a key-encapsulation scheme: • (pk,sk)ÃKeyGen(1s) • (c, k)ÃEncap(pk) (valid encapsulation) • c*Ã Encap*(pk) (invalid encapsulation) • k’ ÃDecap(c, sk) • Correctness: k = k’ (with overwhelming prob). • Valid/invalid indistinguishability given sk: (pk, sk, c) ≈c (pk, sk, c*) • Decapsulation of an invalid ciphertextc* has statistical entropy: • (m, ½)-Universality: • Conditioned on fixed value of pk: H1(sk) ¸ m. • 8sksk’ Prc*[Decap(c*, sk) = Decap(c*, sk’)] ·½. • Smoothness: for fixed pk, (c*, k*) ¼s (c*,$) where k*ÃDecap(c*, sk). • L-Leakage-smoothness: (c*, k*,f(sk)) ¼s (c*, $, f(sk)) where |f(sk)|=L.

  19. HPS ) Leakage-Resilient PKE [NS09] • Theorem : A smooth HPS is a good KEM (standard). A L-leakage-smooth HPS is a L-leakage-resilient KEM: (pk, f(sk), c, k) ¼c (pk, f(sk), c, $) where (c, k) ÃEncap(pk) • Proof: (pk, f(sk), c, k) ¼s (pk, f(sk), c, k’) where (c, k) ÃEncap(pk) k’ ÃDecap(c, sk) ¼c (pk, f(sk), c*, k’) where c*ÃEncap*(pk) k’ ÃDecap(c*, sk) ¼s(pk, f(sk),c*, $) ¼c (pk, f(sk), c, $) Correctness Valid/Invalid Indistinguishability L-Leakage-Smoothness Valid/Invalid Indistinguishability

  20. Example Based on DDH • Params: prime p, group G of order p, generators (g, h) • KeyGen: sk = (a, b) pk = gahb • Encap(pk): c = (gx, hx) k = (pk)x = gaxhbx • Decap(c, sk): Parse c = (u,v) k’ = uavb • Encap*(pk): c* = (gx, hy) • Correctness: If u=gx, v=hxthen k’ = (gx)a(hx)b = k. • Valid/Invalid indistinguishability follows from DDH. • (m,½)-universal for m= log(p), ½ = 1/p. Also smooth. • Need an extractor to get L-leakage-smoothness for L ¼ log(p), L/|sk| ¼ ½. • Generalizes to t generators: m = (t-1)log(p), ½ = 1/p. • No extractor! Construction is L-Leakage-smooth for L ¼ (t-2)log(p), L/|sk| ¼ (1- 2/t) ¼ (1- ²).

  21. Identity-Based HPS (IB-HPS) • (mpk, msk) ÃParamGen(1s) • skIDÃ KeyGen(ID, msk) • (c, k)ÃEncap(ID, mpk) (valid encapsulation) • c* Ã Encap*(ID, mpk) (invalid encapsulation) • k’ ÃDecap(c, skID) • Valid/Invalid indistinguishability holds for all ID, even if adversary sees “all” identity-secret keys skID (but not msk). • Decapsulation of an invalid ciphertextc* has statistical entropy: • (m, ½)-Universality: • Conditioned on fixed value of mpk, msk, ID: H1(skID) ¸ m. • 8skIDskID’ Prc*[Decap(c*, skID) = Decap(c*, skID’)] ·½. • L-leakage smoothness: for fixed mpk, msk, ID(f(skID),c*, k*) ¼s (f(skID), c*, $) if |f(sk)|=L.

  22. IB-HPS: Valid/Invalid Indistinguishability |Pr[b = b’]- ½| is negligible (mpk, msk) à ParamGen(1s ) mpk ID skID Challenge ID bà {0,1} c If b=0, c à Encap(ID) else c à Encap*(ID) ID skID Output b’

  23. Identity-Based HPS (IB-HPS) • (mpk, msk) ÃParamGen(1s) • skIDÃ KeyGen(ID, msk) • (c, k)ÃEncap(ID, mpk) (valid encapsulation) • c* Ã Encap*(ID, mpk) (invalid encapsulation) • k’ ÃDecap(c, skID) • Valid/Invalid indistinguishability holds for all ID, even if adversary sees the identity-secret keys skID (but not msk). • Decapsulation of an invalid ciphertextc* has statistical entropy: • (m, ½)-Universality: • Conditioned on fixed value of mpk, msk, ID: H1(skID) ¸ m. • 8skIDskID’ Prc*[Decap(c*, skID) = Decap(c*, skID’)] ·½. • L-leakage smoothness: for fixed mpk, msk, ID(f(skID),c*, k*) ¼s (f(skID), c*, $) if |f(sk)|=L.

  24. IB-HPS ) Leakage-Resilient IBE • Theorem: A “smooth” IB-HPS is a IB-KEM. A “L-leakage-smooth” IB-HPS is a “L-leakage-resilient” IB-KEM. • Allows leakage from secret-keys of all identities, but not the master secret key. • Allows us to construct leakage-resilient IBE. • Proof is analogous to the non-identity-based setting.

  25. Outline of Talk • A template for constructing BRM schemes in 3 easy steps. • Highlights main ideas, but is incomplete. • Explains connection of Public-Key Encryption in BRM to IBE. • Define Hash Proof Systems (HPS) and Identity-Based HPS. • HPS ) leakage-resilient PKE in relative-leakage model [NS09]. • IB-HPS ) leakage-resilient IBE in relative-leakage model. • Brief overview of IB-HPS constructions and parameters. • Show how IB-HPS naturally extends to the BRM. • Get PKE and IBE schemes in the BRM.

  26. Constructions • Three constructions of IB-HPS based on prior IBE schemes. • [Gen06]: Using “bilinear groups. • Based on the “q-TABDHE” assumption in the standard model. • Leakage-resilient IBE with relative-leakage ¼ ½. • [BGH07]: Based on “quadratic residuosity”. • Requires Random Oracles or an “interactive assumption”. • Only 1 bit of entropy in identity-secret-key. No leakage in IBE. • Fixed with BRM transformation (stay tuned). • [GPV08]: Based on lattices and the LWE problem. • Requires Random Oracles or an “interactive assumption”. • Leakage-resilient IBE with relative-leakage ¼ (1-²). [AGV09] • All schemes are “smooth” and (m,½)-universal for m¸ 1, ½· ½.

  27. Outline of Talk • A template for constructing BRM schemes in 3 easy steps. • Highlights main ideas, but is incomplete. • Explains connection of Public-Key Encryption in BRM to IBE. • Define Hash Proof Systems (HPS) and Identity-Based HPS. • HPS ) leakage-resilient PKE in relative-leakage model [NS09]. • IB-HPS ) leakage-resilient IBE in relative-leakage model. • Brief overview of IB-HPS constructions and parameters. • Show how IB-HPS naturally extends to the BRM. • Use IB-HPS to get PKE and IBE schemes in the BRM.

  28. Leakage Amplification of IB-HPS • IB-HPS with small leakage ) IB-HPS with BIG leakage. • Map n “identities” in small scheme to single identity in BIG scheme. • Secret-keys in BIG scheme consists of n “components” small keys. • To encapsulate: select random “t-out-of-n” small identities. Encapsulate to each one separately. • Apply a “universal-hash-function” g to symmetric-keys k1,…, kt. SK for Bob sk1 ID = “Bob_1” Encap: S=(S1,…,St) 2 [n]t (ci, ki) ÃEncap(“Bob_”Si) g: universal hash C = (S, c1,…,ct, g) K = g(k1,…,kt) ID = “Bob” sk2 ID = “Bob_2” sk3 sk4 sk5 … skn ID = “Bob_n”

  29. Leakage Amplification of IB-HPS • Assume: we start with (m, ½)-universal IB-HPS, for constant ½ < 1. • Theorem: For any constant ² >0, there exists a t = O(s) such that construction is L-leakage smooth for L = (1-²)nm – s. • Proof: Identity-secret-keys in construction have H1(SK) = nm. Universal? No! If keys differ in a single component then Prc*[Decap(C*, skID) = Decap(C*, skID’)] is high. SK for Bob sk1 ID = “Bob_1” Encap: S=(S1,…,St) 2 [n]t (ci, ki) ÃEncap(“Bob_”Si) g: universal hash C = (S, c1,…,ct, g) K = g(k1,…,kt) ID = “Bob” sk2 ID = “Bob_2” sk3 sk4 sk5 … skn ID = “Bob_n”

  30. “Approximate” Leftover-Hash Lemma • New notion: “approximately universal” hashing. • Any two values that are “far enough” in Hamming distance are unlikely to collide. • “Approximate” Leftover-Hash Lemma generalizes LHL. • Need extra log (volume of Hamming ball) entropy over LHL. • Easy to show: construction is “approximately universal”. SK for Bob sk1 ID = “Bob_1” Encap: S=(S1,…,St) 2 [n]t (ci, ki) ÃEncap(“Bob_”Si) g: universal hash C = (S, c1,…,ct, g) K = g(k1,…,kt) ID = “Bob” sk2 ID = “Bob_2” sk3 sk4 sk5 … skn ID = “Bob_n”

  31. Putting it all together… • Theorem: Assume there exist (m,½)-universal IB-HPS with m¸ 1 and ½ < 1. Then there exists PKE (and IBE) schemes in the BRM. • For any ²> 0: • Secret-key size can be made as small as |SK| =(1+ ²)(|sk|/m)L • Relative leakage as large as L/|SK| = (1- ²)m/|sk|. • No matter what the leakage bound L is: • Public-key size |PK| is the same as |mpk|. • Ciphertext size, encryption/decryption times differ by an O(s) factor from those of the small scheme.

  32. Extensions • Smaller ciphertexts in BRM. • Anonymous encapsulation (property of QR, Lattice schemes): • Sample ciphertextc and “witness” w independently of ID. • Using witness w, can compute symmetric-key k for anyID. • Gives us anonymous IBE. • In BRM construction, only need to send one ciphertextc. • We get different “approximately universal” parameters. Only good for QR scheme. • CCA security. • Generic Naor-Yung paradigm preserves leakage [NS09] and BRM efficiency. • Efficient CCA secure leakage-resilient IBE based on [Gen06]. • Relative leakage is (1/6 - ²).

  33. Parameters

  34. Open Questions • Does PKE in BRM require IBE? • Or at least some simplified version of it? • Is there a counterexample to parallel-repetition amplifying leakage-resilience of PKE? (no random-subsets, IBE). • More constructions of IB-HPS. Can we get best of all worlds? • No RO, (1- ²)-relative-leakage, anonymous encapsulation. • Efficient CCA secure PKE in BRM without RO and large relative-leakage.

  35. Thank You! Questions?

More Related