1 / 20

On Everlasting Security in the Hybrid Bounded Storage Model

On Everlasting Security in the Hybrid Bounded Storage Model. Danny Harnik Moni Naor. Talk Overview. The Bounded Storage Model and everlasting security. The Hybrid Bounded Storage Model Negative results for encryption Positive results for encryption. The Bounded Storage Model.

tobias-gregory
Télécharger la présentation

On Everlasting Security in the Hybrid Bounded Storage Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor

  2. Talk Overview • The Bounded Storage Model and everlasting security. • The Hybrid Bounded Storage Model • Negative results for encryption • Positive results for encryption

  3. The Bounded Storage Model Alternative cryptographic setting: • “Mainstream Cryptography”: Assume parties are time bounded (run in polynomial time). • This model: Assume parties have bounded storage.

  4. Alice Bob Adversary Bounded Storage Model - the setting [Maurer 92] • A long random string R is transmitted. • Honest parties store small portions of R. • Adversary allowed to store almost all of R. • Random string is no longer available. • Bound is only at end of transmit stage. A long random string R of length r A long random string R of length N Stores ¾r bits (Arbitrary function of R)

  5. Alice Bob Eavesdropper Shared Key Encryption • Parties meet in advance and share a (short) secret key k. • When R is transmitted Alice and Bob store Sk, a small portion of R,determined by k. • Adversary does not know k and with overwhelming probability does not store all of Sk. • Use Sk to encrypt the message. A long random string R of length r Sk Sk k k ??

  6. Shared Key Encryption - Properties • Abundance of work on this setting: • [Mau92,CM97,AR99,ADR02,DR02,DM02,Lu02, Vad03]. • State of the art requires low storage from Alice and Bob: • |Sk| = log r + log 1/ε + m • |k| = log r + log 1/ε • Everlasting security [ADR]: Security guaranteed even if at a later stage the adversary learns the keykor gains more memory. • Security does not require any computational assumptions. • What if Alice & Bob don’t meet in advance???

  7. Public Key Encryption in the BSM • [CM97] show a method of constructing a Key Agreement protocol in the BSM. • Local storage requirements for Alice and Bob are very high. • Require r½+δ storage space. • Can one do better? • No, the solution is tight as shown by a lower bound of [DM04]. • Need to change the model…

  8. Alice Bob Eavesdropper The Hybrid BSM • Idea: use a computational Key Agreement protocol to agree on the shared key k • E.g. run the Diffie-Helman KA protocol. • Then use a standard shared key BSM scheme with everlasting security. • Even if the eavesdropper breaks the KA protocol and learns k, it will be after the broadcast, and too late. • The computational assumption is with a strict time limit: Cannot break the KA before the end of the transmission of R. • Assumption can be made with high level of confidence. KA k k A long random string R of length r Sk Sk ?? k

  9. Previous works on the Hybrid BSM Given a CNF formula Φwith m clauses over n variables (and m>>n), efficiently find a formula Ψof total length poly(n, log m) that is satisfiable iff Φwas satisfiable • Suggested in [ADR00]. • Revisited by Dziembowski & Maurer in [DM04]: show that the rationale of the hybrid BSM does not necessarily work: • Show a specific (non natural) KA protocol that when combined with a specific (standard) shared key BSM scheme can be fully broken. • Open question, what about a “natural” KA scheme? • In [HN05]: show that if a compression algorithm for SAT exists then the hybrid BSM model is no more powerful than the standard BSM model.

  10. This Work • A first rigorous study of the Hybrid BSM. • Give formal definitions of a hybrid BSM encryption scheme and of everlasting security of such a scheme. Security defined in two equivalent flavors: • Indistinguishability of encryptions. • Semantic security. • Negative results: • Cannot prove everlasting security of a low memory hybrid BSM scheme via black box reductions. • Positive results: Show augmentations of the model that allows low memory everlasting security. • Hybrid BSM with a random oracle. • Bounded Accessibility Model (BAM) • Show a low memory hybrid BSM OT protocol in each of the augmented models.

  11. Alice Bob Eavesdropper time Definitions: The General Hybrid Scheme • divide time into two parts: • Until the end of the transmission of R. • After the transmission. • Everlasting security (indistinguishability):  m1,m2 every adversary (C1,C2) cannot distinguish between encryptions of m1and m2 A1,B1 KAscheme combined with shared key BSM scheme C1 KA Basic Hybrid scheme of [DM04] • Poly time • Low memory • Poly time • Bounded storage • Output is bounded in length A long random string R of length r SC SA SB SA SB SC A2,B2 C2 SA m • Poly time • Low memory • Encryption A2(m, SA) • No time bound • No space bound

  12. This Work • A first rigorous study of the Hybrid BSM. • Give formal definitions of a hybrid BSM encryption scheme and of everlasting security of such a scheme. Security defined in two equivalent flavors: • Indistinguishability of encryptions. • Semantic security. • Negative results: • Cannot prove everlasting security of a low memory hybrid BSM scheme via black box reductions. • Positive results: Show augmentations of the model that allows low memory everlasting security. • Hybrid BSM with a random oracle. • Bounded Accessibility Model (BAM) • Show a low memory hybrid BSM OT protocol in each of the augmented models.

  13. Negative results – Big Picture • [DM04]: Show a specific hybrid scheme is insecure. • [HN05] Conditional result: • If Compression of SAT exists then every Hybrid BSM scheme can be broken. • This result: • Cannot prove the security of a hybrid scheme using BB techniques • True even if the construction itself is non-BB

  14. No Black-Box Proof • We show an oracle “world” where: • Any low memory hybrid scheme can be broken. • Any computational key agreement remains secure. • Corollary: There is no Black-box proof of security of everlasting security of a hybrid scheme. • Proof (of corollary): • BB proof is an efficient procedure that breaks the KA scheme using BB calls to an adversary (C1,C2) of the hybrid scheme. • Such a proof relativizes to other worlds, including the world mentioned above. • Since in the world any hybrid scheme can be broken, a BB proof means that also any KA may be broken, which is a contradiction. • Same holds for any cryptographic primitive that is secure against a polynomial time adversary. • E,g, Oblivious transfer, trapdoor permutation… Any computational cryptographic primitive Note: Only calls to C1, since C2 is unbounded…

  15. The OracleW • Oracle W: • Input: An NP relation RL and an instance x and parameter m. • Output: A random witness w{0,1}m such that RL(x,w) = 1 • If no such witness exists then output  Theorem: Let E be any hybrid BSM scheme where Alice and Bob use storage of size sA and sB, then any adversary with storage sA · sB and access to the oracle W can break E. • Proof uses a technical Lemma from [DM04]

  16. 2k . . . . . . . . . . . . 2m The OracleZ • Table is useless to a polynomial time adversary !!! • Looks like a random table. • A hybrid adversary may store i and find π-1(i) after the transmission. • The world we present consists of a different oracle Z: • Input: RL, x and m. • Output: i = π(W(RL, x, m)) • Z also contains an inverting table for π. • The ithrow sums up toπ-1(i) • Otherwise random • Rather than giving out the answers to W the oracle gives an “encrypted” answer to W. • The “encryption” is a random permutation π. i   = π-1(i)

  17. This Work • A first rigorous study of the Hybrid BSM. • Give formal definitions of a hybrid BSM encryption scheme and of everlasting security of such a scheme. Security defined in two equivalent flavors: • Indistinguishability of encryptions. • Semantic security. • Negative results: • Cannot prove everlasting security of a low memory hybrid BSM scheme via black box reductions. • Positive results: Show augmentations of the model that allows low memory everlasting security. • Hybrid BSM with a random oracle. • Bounded Accessibility Model (BAM) • Show a low memory hybrid BSM OT protocol in each of the augmented models.

  18. Alice Bob Hybrid BSM with a Random Oracle • The broadcast string R: • Too long to store but possible to read • Disappears ! • Random Oracle RO: • Too long to read (in polynomial time) • Always present. • Theorem: Low memory hybrid BSM scheme with everlasting security in presence of RO. • Run KA to get computational key kKA • Use k = RO(kKA) as key to shared key BSM encryption scheme. • If compression of SAT [HN05] exists then this is an example of a task that is: • Simple with a random oracle. • Altogether impossible without it. KA kKA kKA k = RO(kKA) k = RO(kKA)

  19. The Bounded Accessibility Model (BAM) • Assume that the adversary cannot read all of the broadcast string R. • E.g. cannot store an XOR of all of the bits of R. • Theorem: Low memory hybrid BAM scheme with everlasting security. • The scheme is the basic scheme: • Use KA to agree on a shared key k. • Use a shared key BSM scheme. Note: The hybrid is necessary, since the lower bound of [DM04] holds in this model as well. • No low memory BAM encryption scheme.

  20. Open problems • Main open question: is there low memory hybrid BSM encryption? • Solution would require to resolve the issue of compressibility [HN05]. • Other reasonable models? • The BSM allows the adversary unreasonable power. • may compute using unlimited space. • Can run offline computations.

More Related