Slide 1
Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Speaker: Daniel Wichs
Eurocrypt 2010
Slide 2: Motivation
Cryptographic security is analyzed in a formal "attack model". Do our attack models capture reality?
In reality, extra information about secret keys can leak:
Side-channel attacks: timing, power, heat, EM radiation, acoustics...
Cold-boot attack [HSH+08]
Viruses
Leakage-Resilient Crypto: add key leakage to the attack model. Build primitives that provably allow leakage of the secret key.
Slide 3: Model of Leakage: Memory Attacks
Adversary can learn any efficiently computable function f : {0,1}* → {0,1}^L of the secret key. L = Leakage Bound.
Relative-Leakage Model [AGV09, DKL09, NS09, ...] [Akavia-Goldwasser-Vaikuntanathan 09]: maximize the ratio of L to |sk| (e.g. 90% of the key can leak).
Bounded Retrieval Model [Dzi06, ..., ADW09]: grow the secret key to allow for more leakage, even many Gigabytes. Efficiency does not degrade as |sk| grows: public key, ciphertext, and computation time stay fixed.
(Figure: the secret key sk, with the adversary receiving the leakage f(sk).)
Slide 4: Why design schemes for the BRM?
Security against viruses: upper bound how much the attacker can download (e.g. 10 GB). Bandwidth too low, cost too high, system security may detect. OK if the secret key is large. Not OK if efficiency degrades.
Security against side-channel attacks: the leakage amount depends on the complexity of the computation. Leakage-resilient schemes might be less secure: more leakage-resilience ⇒ more complexity ⇒ more leakage. BRM efficiency breaks the cycle.
Slide 5: Prior Work on Leakage Resilience
Memory Attacks:
Relative-Leakage: symmetric and public-key encryption and authentication/signatures [AGV09, DKL09, ADW09, KV09, NS09, ...].
Bounded Retrieval Model: symmetric and public-key "authenticated key agreement"; requires interaction [Dzi06, CDD+07, ADW09].
This work: Public-Key Encryption in the Bounded Retrieval Model.
Restricted types of leakage functions [CDH+00, DSS01, KZ03, ISW03, MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]: does not seem applicable to e.g. virus attacks.
Slide 6: Definition of PKE in the BRM
Key generation gets L as input. The adversary learns L bits of leakage.
Efficiency: pk size, ciphertext size, and encryption/decryption times are all bounded by some fixed polynomials, independent of L.
Game between Challenger and Adversary:
Challenger: (pk, sk) ← KeyGen(1^s); sends pk.
Adversary: chooses f : {0,1}* → {0,1}^L; Challenger returns f(sk).
Adversary: sends m0, m1. Challenger: b ← {0,1}, c ← Encrypt(mb, pk); sends c.
Adversary: outputs b'.
Security: Pr[b' = b] ≤ 1/2 + negl(s).
Slide 7: Outline of Talk
A "high-level" template for constructing BRM schemes.
"Identity Based Hash Proof System" (IB-HPS).
Overview of IB-HPS constructions and parameters.
Slide 8: Template for BRM Schemes: 1. Leakage Amplification (via Parallel Repetition)
Start with: a scheme resilient to L' bits of leakage.
Construct: a scheme resilient to L >> L' bits of leakage.
Idea: leakage amplification via parallel repetition.
Slide 9: Template for BRM Schemes: 1. Parallel Repetition
PK = (pk1, pk2, pk3, ..., pkn), SK = (sk1, sk2, sk3, ..., skn).
To encrypt under PK: secret-share the message m into n shares m1, ..., mn. Encrypt each share mi separately under pki: ci = Enc(mi, pki). The ciphertext is (c1, c2, ..., cn).
Slide 10: Template for BRM Schemes: 1. Security of Parallel Repetition?
Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n.
Hope: need to leak L' bits on each of the n keys to break the "repetition scheme"... but maybe not a different L' bits on each key.
So is the theorem true? Not in general: recent counterexample by [Lewko-Waters 10]! Yes in special cases ("hash proof systems"). Stay tuned.
Slide 11: Template for BRM Schemes: 1. Efficiency of Parallel Repetition?
PK = (pk1, pk2, pk3, ..., pkn), SK = (sk1, sk2, sk3, ..., skn); ciphertext (c1, c2, ..., cn) with ci = Enc(mi, pki).
Problem 1: ciphertext size and computation proportional to n.
Problem 2: public-key size proportional to n.
Slide 12: Template for BRM Schemes: 2. Small random subsets.
PK = (pk1, pk2, pk3, ..., pkn), SK = (sk1, sk2, sk3, ..., skn).
Encryptor chooses a small random subset of t << n indices idx1, ..., idxt and encrypts t shares under the corresponding t public keys: ci = Enc(mi, pk_idxi). Ciphertext: (idx1, c1), ..., (idxt, ct).
Hope: to break the scheme, the adversary needs to have leaked L' bits on almost all indices (all of the ones that are later chosen).
Slide 13: Template for BRM Schemes: 3. Adding a Master Public Key.
Use Identity-Based Encryption (IBE). PK is the master public key MPK of the IBE. SK consists of keys ski for identities i = 1, ..., n.
Ciphertext: (idx1, c1), ..., (idxt, ct) with ci = Enc(mi, idxi) under MPK.
Slide 14: Template for BRM Schemes: 3. Adding a Master Public Key.
PK = MPK, SK = (sk1, sk2, sk3, ..., skn); ciphertext (idx1, c1), ..., (idxt, ct) with ci = Enc(mi, idxi).
Scheme meets the efficiency requirements of the BRM. Security? Does not amplify leakage-resilience in general. Rest of talk: make it work with a special IBE.
Slide 15: Outline of Talk
A "high-level" template for constructing BRM schemes.
"Identity Based Hash Proof System" (IB-HPS).
IB-HPS constructions and parameters.
Slide 16: Key Encapsulation Mechanism (KEM)
(pk, sk) ← KeyGen(1^s); (c, m) ← Encap(pk); m ← Dec(c, sk).
A KEM can be used to encrypt a random message m.
Slide 17: Hash Proof System (HPS): A Special KEM
For each pk, many possible sk. KeyGen outputs sk ← SK_pk.
Correctness: if (c, m) ← Encap(pk) then Dec(c, sk) = m for all sk ∈ SK_pk.
Bad Encapsulation: c* ← Encap*(pk). Dec(c*, sk) is different for each sk ∈ SK_pk.
Can't distinguish c* from c (even given sk).
(Figure: Dec(c, SK_pk) sends every key in SK_pk to the same value; Dec(c*, SK_pk) sends them to different values.)
Slide 18: HPS and Leakage-Resilient KEM
Theorem [Naor-Segev 09]: a HPS is a leakage-resilient KEM with L ≈ log(|SK_pk|).
Proof: sk ← SK_pk. Show that Dec(c, sk) looks random. Can't distinguish the "bad" ciphertext, so consider Dec(c*, sk) instead. If leakage < log(|SK_pk|), the adversary still has uncertainty about sk, so m still has entropy given the view of the adversary. Use extractors.
Slide 19: Parallel Repetition of HPS
Theorem: parallel repetition of a HPS amplifies leakage-resilience.
Leakage of the HPS is L ≈ log(|SK_pk|). n-wise parallel repetition results in a new HPS with SK'_pk = SK_pk × SK_pk × ... × SK_pk (n times).
Can show that "random subset selection" also works.
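Added example, not code from the talk or the paper: a toy DDH-style hash proof system (the classic Cramer-Shoup-type construction, with constructed small parameters) that exhibits the HPS properties of Slide 17, plus the parallel-repetition and random-subset template of Slides 9 and 12 layered on top of it. The prime p, the trapdoor W (used only to exhibit two secret keys for the same pk, playing the role MSK plays for IB-HPS), the SHA-256 pad derivation and the sample plaintext are assumptions of this demo.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a small safe prime so the demo runs
# instantly; a real system would use a cryptographically sized group.
P = 1019
Q = 509
G1 = pow(2, 2, P)   # a square mod p, hence a generator of the order-q subgroup
W = 123             # constructed trapdoor with G2 = G1^W; used only to enumerate SK_pk
G2 = pow(G1, W, P)


def keygen():
    """sk = (x1, x2) in Z_q^2, pk = g1^x1 * g2^x2. Exactly q different sk share each pk."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G1, x1, P) * pow(G2, x2, P) % P, (x1, x2)


def encap(pk):
    """Good encapsulation: c = (g1^r, g2^r) with encapsulated key m = pk^r."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G1, r, P), pow(G2, r, P)), pow(pk, r, P)


def bad_encap(pk):
    """Bad encapsulation: c* = (g1^r1, g2^r2) with r1 != r2, so Dec(c*, sk) depends on sk."""
    r1 = secrets.randbelow(Q)
    r2 = (r1 + secrets.randbelow(Q - 1) + 1) % Q
    return (pow(G1, r1, P), pow(G2, r2, P))


def decap(c, sk):
    """Dec(c, sk) = c1^x1 * c2^x2; equals pk^r on a good c for every sk in SK_pk."""
    return pow(c[0], sk[0], P) * pow(c[1], sk[1], P) % P


def equivalent_sk(sk, d):
    """Another member of SK_pk: (x1 + W*d, x2 - d). Needs the trapdoor W (the MSK analogue)."""
    return ((sk[0] + W * d) % Q, (sk[1] - d) % Q)


# BRM template of Slides 9 and 12: n independent keys, t << n chosen per ciphertext.
def brm_keygen(n):
    """PK = (pk_1..pk_n), SK = (sk_1..sk_n)."""
    keys = [keygen() for _ in range(n)]
    return [pk for pk, _ in keys], [sk for _, sk in keys]


def _pad(group_elem, length):
    """One-time pad derived from an encapsulated group element (constructed KDF)."""
    return hashlib.sha256(group_elem.to_bytes(4, "big")).digest()[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def brm_encrypt(PK, message, t):
    """Pick t random indices, XOR-share the message into t shares, encrypt share j under pk_idx_j."""
    idx = secrets.SystemRandom().sample(range(len(PK)), t)
    shares = [secrets.token_bytes(len(message)) for _ in range(t - 1)]
    last = message
    for s in shares:
        last = _xor(last, s)
    shares.append(last)          # XOR of all t shares equals the message
    ctxt = []
    for i, share in zip(idx, shares):
        c, m_key = encap(PK[i])
        ctxt.append((i, c, _xor(share, _pad(m_key, len(share)))))
    return ctxt                  # [(idx_1, c_1), ..., (idx_t, c_t)]


def brm_decrypt(SK, ctxt):
    """Touches only the t secret keys named in the ciphertext, never all n."""
    message = None
    for i, c, masked in ctxt:
        share = _xor(masked, _pad(decap(c, SK[i]), len(masked)))
        message = share if message is None else _xor(message, share)
    return message


def hps_demo():
    """(good c decrypts identically under two sk in SK_pk, bad c* decrypts differently)."""
    pk, sk = keygen()
    sk2 = equivalent_sk(sk, 7)
    c, m = encap(pk)
    c_star = bad_encap(pk)
    return (decap(c, sk) == m == decap(c, sk2),
            decap(c_star, sk) != decap(c_star, sk2))


def brm_demo(n=64, t=8):
    """Encrypt with a 64-key SK but read only 8 keys; returns (roundtrip ok, keys used)."""
    PK, SK = brm_keygen(n)
    message = b"bounded retrieval model"   # constructed sample plaintext
    ctxt = brm_encrypt(PK, message, t)
    return brm_decrypt(SK, ctxt) == message, len({i for i, _, _ in ctxt})
```

Running `hps_demo()` returns `(True, True)`: a good ciphertext decapsulates to the same key under every sk in SK_pk, while a bad one does not, which is exactly the property the Naor-Segev argument exploits. `brm_demo()` shows the efficiency side of the template: decryption reads t = 8 of the n = 64 secret keys, so its cost is independent of the total key size, while the per-index leakage bound of the HPS is what the parallel-repetition theorem amplifies.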
Slide 20: Identity-Based Hash Proof System (IB-HPS)
Global "master" parameters: (MPK, MSK).
For each identity ID, the secret key sk_ID comes from a large set SK_ID. Can efficiently sample from any SK_ID only if given MSK.
Encapsulation targets a specific identity: good (c, m) ← Encap(ID, MPK); bad c* ← Encap*(ID, MPK).
(Figure: the key sets SK_ID1, SK_ID2, ...)
Slide 21: Applications of IB-HPS
Directly gives leakage-resilient IBE in the relative-leakage model.
Can be used to instantiate our framework. Leakage amplification works! ⇒ Get PKE/IBE in the Bounded Retrieval Model.
Slide 22: Outline of Talk
A "high-level" template for constructing BRM schemes.
"Identity Based Hash Proof System" (IB-HPS).
IB-HPS constructions and parameters.
Slide 23: Constructions
Scheme                        | Assumption | Model          | Relative Leakage
Bilinear Groups [Gen06]       | ABDHE      | Standard Model | 1/2
Quadratic Residuosity [BGH07] | QR         | RO Model       | 1/O(s)
Lattices [GPV08]              | LWE        | RO Model       | (1-ε)
Slide 24: Thank You! Questions?
Slide 25: Constructions
Three constructions of IB-HPS based on prior IBE schemes.
[Gentry 06]: based on a "bilinear groups" assumption (TABDHE) in the standard model. Gives relative leakage 1/2.
[Boneh-Gentry-Hamburg 07]: based on "quadratic residuosity" in the Random Oracle model. Gives relative leakage 1/s (s = security parameter).
[Gentry-Peikert-Vaikuntanathan 08]: based on lattices and the LWE problem in the Random Oracle model. Already used to get leakage-resilient IBE [AGV09]. Gives relative leakage (1-ε) for any ε > 0.