Slide1
Primary-Secondary-Resolver Membership Proof Systems
Moni Naor and Asaf Ziv
TCC 2015, Warsaw, Poland, March 25, 2015
Slide2
Motivation - DNSSEC
[Diagram: Primary nameserver (1ary), Secondary nameserver (2ary), Resolver]
Zone File:
a.com 155.41.24.250
c.com 155.41.24.251
z.com 155.41.24.252
Resolver queries: c.com? q.com? a.com?
q.com: Non-Existent
DNSSEC demands Integrity and Privacy
Design an efficient denial of existence mechanism
Slide3
The (non) Membership problem
[Diagram: Primary (1ary), Secondary (2ary), Resolver; key labels SK, PK, PK]
R = {x_1, x_2, …, x_r}
V = {v_1, v_2, …, v_r}
Is y ∈ R?
YES: y ∈ R, value is v + PROOF
No! + PROOF
Slide4
Desiderata
[Diagram: Primary (1ary), Secondary (2ary), Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK]
Completeness: Following the protocol honestly → Resolver learns whether x ∈ R
Soundness: A dishonest Secondary cannot fool a Resolver to reach a wrong conclusion
Privacy: ZK. Resolver learns nothing: online simulation with oracle access to R (f-ZK: learns only f(R))
Performance
Slide5
Previous Work
[Diagram: Primary (1ary), Secondary (2ary), Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK]
Work in DNSSEC
  Provably do not achieve required properties
Zero-Knowledge Sets [Micali, Rabin & Kilian]
  Too ambitious: Primary is not trusted
  Too inefficient: O(log|U|) exponentiations per proof
  Separation result from PSR
Verifiable Data Structures
  Certificate Revocation Lists [Naor-Nissim]
  General language for such data structures
PSR ↔ OWF
ZKS ↔ CRH
Slide6
Companion Paper: NSEC5
[Diagram: Primary (1ary), Secondary (2ary), Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK]
[Goldberg, Naor, Papadopoulos, Reyzin, Vasant & Ziv]
DNSSEC proposal – achieving Integrity and Privacy
Requires RSA + Random oracle model
PSR systems efficiency “lower bound”
Reduction to Public Key Authentication
Our goal is constructing efficient PSR systems without random oracles
Slide7
Our Constructions
[Diagram: Primary (1ary), Secondary (2ary), Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK]
Hierarchical Identity Based encryption (HIBE)
  Described next…
Cuckoo Hashing with a Stash
  Prove elements are not in cuckoo hashing or stash
Verifiable Random Functions (VRF)
  Compute F(R)
  Prove F(x) ∉ F(R)
Slide8
(Hierarchical) Identity Based Encryption
[Diagram: Alice, Bob, CA, Boss; labels MK_P, MK_S, SK_Boss, SK_Bob]
MK_P - Public Master-key
MK_S - Secret Master-key
Alice: encrypt message using public key: “bob@weizmann.ac.il”
Bob: I am “bob@weizmann.ac.il”
SK_Bob (could happen before or after the encryption)
Generate SK_Bob using SK_Boss
Slide9
(Hierarchical) Identity Based Encryption
[Diagram: Key for Subset; SK_J, SK_I]
Setup: → MK_P and MK_S.
Key generation: (MK_S, J) → SK_J
                (SK_J, I) → SK_I
Encrypt: (MK_P, m, I) → CT
Decrypt: (CT, SK_I) → m
Security - IND-sID-CPA
Slide10
HIBE based PSR
[Diagram: Primary (1ary), Secondary, Resolver; key labels PK, PK, SK]
Primary:
U = {0,1}^n
HIBE of depth n
For every x = (b_1, ..., b_n) ∈ R:
  Remove ancestors x' = (b_1, …, b_m) from HIBE
For every root in remaining Forest:
  Generate secret key SK_{j_i}
SK = {SK_{j_1}, …, SK_{j_k}}
PK = MK_P
Slide11
Subset cover of non elements
[Figure legend: Elements in R; non-elements; Key for Subset]
Slide12
HIBE based PSR
[Diagram: Primary (1ary), Secondary, Resolver]
SK = {SK_{j_1}, …, SK_{j_k}}
PK = MK_P
Resolver query for x ∈ U:
  Encrypt random challenge w under identity x: Encrypt(MK_P, x, w) = CT
  Sends (CT, x)
Secondary (receiving x (x ∉ R) and CT):
  Find in {SK_{j_1}, …, SK_{j_k}} a prefix of x and generate SK_x
  Decrypt CT and return w to the Resolver: Decrypt(SK_x, x, CT) = w
  Sends back w
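The subset cover of non-elements and the Secondary's prefix lookup described above, as an added Python example that is not part of the presentation: it computes only the identities j_1, …, j_k of the forest roots and leaves HIBE key generation out. Elements are modelled as n-bit strings; the function names and the sample set are assumptions.

```python
def cover_of_non_elements(R, n):
    """Roots of the forest left after removing every ancestor (prefix) of
    every element of R from the binary tree of depth n. The Primary would
    issue one HIBE secret key per root; key generation is not modelled."""
    R = set(R)
    for x in R:
        if len(x) != n or set(x) - {"0", "1"}:
            raise ValueError(f"{x!r} is not an {n}-bit string")
    if not R:
        return [""]  # nothing removed: the root itself covers all of U
    # Every prefix of an element, the element and the empty root included.
    removed = {x[:m] for x in R for m in range(n + 1)}
    roots = set()
    for p in removed:
        if len(p) < n:
            # A child that was not removed heads a subtree with no element of R.
            roots.update(c for c in (p + "0", p + "1") if c not in removed)
    return sorted(roots, key=lambda s: (len(s), s))


def covering_root(roots, x):
    """Secondary's lookup: the root that is a prefix of x, or None if x is in R."""
    root_set = set(roots)
    for m in range(len(x) + 1):
        if x[:m] in root_set:
            return x[:m]
    return None


# Constructed sample: n = 4 and three elements in R.
SAMPLE_N = 4
SAMPLE_R = ["0010", "0011", "1100"]

if __name__ == "__main__":
    roots = cover_of_non_elements(SAMPLE_R, SAMPLE_N)
    print(roots)
    for x in ("0111", "1101", "0010"):
        print(x, "->", covering_root(roots, x))
```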
Slide13
The HIBE construction works!
[Diagram: Primary (1ary), Secondary, Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK]
SK = {SK_{j_1}, …, SK_{j_k}}
Non-Membership (x ∉ R)
Perfect Completeness:
  For every x ∉ R: Secondary can decrypt any message for x.
Slide14
The HIBE construction works!
[Diagram: Primary (1ary), Secondary, Resolver; R = {x_i}, V = {v_i}; key labels PK, PK, SK; {SK_{j_1}, …, SK_{j_k}}]
Non-Membership (x ∉ R)
Soundness:
  For x ∈ R to be accepted as not in R:
    Decrypt successfully a random challenge
    Without SK_x
    Without keys for an ancestor of x
  Contradicting HIBE selective security
Slide15
The HIBE construction works!
Privacy: f-ZK (f is null)
Requirement: a simulator which is indistinguishable from a Secondary
Simulator:
  Emulates Primary and replaces {SK_{j_1}, …, SK_{j_k}} with MK_S.
  Given a query x_i: forward it to R-oracle:
    x_i ∉ R: generate SK_{x_i}, decrypt random challenge, send back to Resolver
    x_i ∈ R: generate Sign(x_i, v_i) and send to Resolver
Distributions are identical - Perfect Zero-Knowledge!
Slide16
Performance – HIBE by BBG05
[Diagram: Primary (1ary), Secondary, Resolver]
SK = {SK_{j_1}, …, SK_{j_k}}
PK = MK_P
Primary: O(n · |R| · log|R|) exponentiations in a bilinear group
4 exponentiations, 2 bilinear pairings computations, O(n) multiplications
3 exponentiations, O(n) multiplications
Encrypt(MK_P, x, w) = CT
Decrypt(SK_x, x, CT) = w
Slide17
Conclusions and further directions
PSR techniques:
HIBE
  Non-interactive
  Diffie-Hellman type assumption
  Perfect ZK
Cuckoo Hashing with a stash
  Interactive
  Reveals |R|
  Solid assumptions - Factoring and Discrete logarithm
VRF
  Non-Interactive
  Reveals |R|
  Different Diffie-Hellman assumptions
  Extremely efficient in random oracle model
Further research
  Dynamic Case
  Universal Composability
THANK YOU!