Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Speaker: Daniel Wichs
Eurocrypt 2010
Slide 2: Motivation
- Cryptographic security is analyzed in a formal “attack model”. Do our attack models capture reality?
- In reality, extra information about secret keys can leak:
  - Side-channel attacks: timing, power, heat, EM radiation, acoustics, ...
  - Cold-boot attack [HSH+08]
  - Viruses
- Leakage-Resilient Crypto: add key leakage to the attack model. Build primitives that provably allow leakage of the secret key.
Slide 3: Bounded Retrieval Model
- Model of Leakage: Memory Attacks [Akavia-Goldwasser-Vaikuntanathan 09]. The adversary can learn any efficiently computable function f : {0,1}* → {0,1}^L of the secret key sk (figure: f(sk) leaks from sk). L = Leakage Bound.
- Relative-Leakage Model [AGV09, DKL09, NS09, ...]: maximize the ratio of L to |sk| (e.g. 90% of the key can leak).
- Bounded Retrieval Model [Dzi06, ..., ADW09]: grow the secret key to allow for more leakage, even many Gigabytes. Efficiency ({public key, ciphertext, computation time}) does not degrade as sk grows.
Slide 4: Why design schemes for the BRM?
- Security against viruses: upper bound on how much the attacker can download (e.g. 10 GB). Bandwidth too low, cost too high, system security may detect. OK if the secret key is large. Not OK if efficiency degrades.
- Security against side-channel attacks: the leakage amount depends on the complexity of the computation. Leakage-resilient schemes might be less secure: + leakage-resilience ⇒ + complexity ⇒ + leakage. BRM efficiency breaks the cycle.
Slide 5: Prior Work on Leakage Resilience
- Memory Attacks / Relative-Leakage: symmetric and public-key encryption and authentication/signatures [AGV09, DKL09, ADW09, KV09, NS09, ...].
- Bounded Retrieval Model: symmetric and public-key “authenticated key agreement” [Dzi06, CDD+07, ADW09]. Requires interaction.
- This work: public-key encryption in the Bounded Retrieval Model.
- Restricted types of leakage functions [CDH+00, DSS01, KZ03, ISW03, MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]. Does not seem applicable to e.g. virus attacks.
Slide 6: Definition of PKE in BRM
- Key generation gets L as input. The adversary learns L bits of leakage.
- Efficiency: pk size, ciphertext size, encryption/decryption times are all bounded by some fixed polynomials, independent of L.
Security game between Adversary and Challenger:
  Challenger: (pk, sk) ← KeyGen(1^s, L); sends pk.
  Adversary: chooses f : {0,1}* → {0,1}^L; receives f(sk).
  Adversary: sends m0, m1.
  Challenger: b ← {0,1}; c ← Encrypt(m_b, pk); sends c.
  Adversary: outputs b'.
  Requirement: Pr[b' = b] ≤ 1/2 + negl(s).
Slide 7: Outline of Talk
1. A “high-level” template for constructing BRM schemes.
2. “Identity Based Hash Proof System” (IBHPS).
3. Overview of IBHPS constructions and parameters.
Slide 8: Template for BRM Schemes: 1. Leakage Amplification (via Parallel-Repetition)
- Start with: a scheme resilient to L' bits of leakage.
- Construct: a scheme resilient to L >> L' bits of leakage.
- Idea: leakage amplification via parallel repetition.
Slide 9: Template for BRM Schemes: 1. Parallel-Repetition
- SK = (sk_1, sk_2, sk_3, ..., sk_n), PK = (pk_1, pk_2, pk_3, ..., pk_n). (figure: Encryption under PK, Decryption under SK)
- To encrypt under PK: secret-share the message m into n shares m_1, ..., m_n. Encrypt each share m_i separately under pk_i.
- Ciphertext: c_1, c_2, ..., c_n with c_i = Enc(m_i, pk_i).
Slide 10: Template for BRM Schemes: 1. Security of Parallel-Repetition?
- Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n.
- Hope: need to leak L' bits on each of the n keys to break the ‘repetition scheme’ ... but maybe not a different L' bits on each key.
- So is the theorem true? Not in general: recent counterexample by [Lewko-Waters 10]! Yes in special cases (“hash proof systems”). Stay tuned.
Slide 11: Template for BRM Schemes: 1. Efficiency of Parallel-Repetition?
- SK = (sk_1, sk_2, sk_3, ..., sk_n), PK = (pk_1, pk_2, pk_3, ..., pk_n); ciphertext c_1, c_2, ..., c_n with c_i = Enc(m_i, pk_i). (same figure as Slide 9)
- Problem 1: ciphertext size and computation are proportional to n.
- Problem 2: public-key size is proportional to n.
Slide 12: Template for BRM Schemes: 2. Small random subsets
- SK = (sk_1, sk_2, sk_3, ..., sk_n), PK = (pk_1, pk_2, pk_3, ..., pk_n). (figure: Encryption / Decryption)
- The encryptor chooses a small random subset of t << n indices and encrypts t shares under the corresponding t public keys.
- Ciphertext: (idx_1, c_1), ..., (idx_t, c_t) with c_i = Enc(m_i, pk_{idx_i}).
- Hope: to break the scheme, need to have leaked L' bits on almost all indices (all of the ones that are later chosen).
Slide 13: Template for BRM Schemes: 3. Adding a Master Public Key
- Use Identity-Based Encryption (IBE).
- PK is the master public key (MPK) of the IBE. SK consists of the keys sk_i for identities i = 1, ..., n. (figure: Encryption under MPK, Decryption under SK = (sk_1, ..., sk_n))
- Ciphertext: (idx_1, c_1), ..., (idx_t, c_t) with c_i = Enc(m_i, idx_i).
Slide 14: Template for BRM Schemes: 3. Adding a Master Public Key (continued)
- Same construction: PK = MPK, SK = (sk_1, ..., sk_n), ciphertext (idx_1, c_1), ..., (idx_t, c_t) with c_i = Enc(m_i, idx_i).
- The scheme meets the efficiency requirements of the BRM.
- Security? Does not amplify leakage-resilience in general.
- Rest of talk: make it work with a special IBE.
Slide 15: Outline of Talk
1. A “high-level” template for constructing BRM schemes.
2. “Identity Based Hash Proof System” (IBHPS).
3. IBHPS constructions and parameters.
Slide 16: Key Encapsulation Mechanism (KEM)
- A KEM can be used to encrypt a random message m.
- (pk, sk) ← KeyGen(1^s); (c, m) ← Encap(pk); m ← Dec(c, sk).
Slide 17: Hash Proof System (HPS): A Special KEM
- For each pk, many possible sk. KeyGen outputs sk ← SK_pk.
- Correctness: if (c, m) ← Encap(pk) then Dec(c, sk) = m for all sk ∈ SK_pk.
- Bad encapsulation: c* ← Encap*(pk). Dec(c*, sk) is different for each sk.
- Can’t distinguish c* from c (even given sk). (figure: Dec(c, SK_pk) vs. Dec(c*, SK_pk))
Slide 18: HPS and Leakage-Resilient KEM
- Theorem [Naor-Segev 09]: a HPS is a leakage-resilient KEM with L ≈ log(|SK_pk|).
- Proof: sk ← SK_pk. Show: Dec(c, sk) looks random.
  - Can’t distinguish the ‘bad’ ciphertext, so switch to Dec(c*, sk).
  - m still has entropy given the view of the adversary: if leakage < log(|SK_pk|), the adversary still has uncertainty about sk.
  - Use extractors.
Slide 19: Parallel-Repetition of HPS
- Theorem: parallel repetition of a HPS amplifies leakage-resilience.
- Leakage of HPS is L ≈ log(|SK_pk|); n-wise parallel repetition results in a new HPS with SK'_pk = SK_pk × SK_pk × ... × SK_pk (n times).
- Can show that “random subset selection” also works.
Slide 20: Identity-Based Hash Proof System (IBHPS)
- Global ‘master’ parameters: (MPK, MSK).
- For each identity ID, the secret key sk_ID comes from a large set SK_ID. (figure: SK_ID1, SK_ID2, ...)
- Can efficiently sample from any SK_ID only if given MSK.
- Encapsulation targets a specific identity: good (c, m) ← Encap(ID, MPK); bad c* ← Encap*(ID, MPK).
Slide 21: Applications of IBHPS
- Directly gives leakage-resilient IBE in the relative-leakage model.
- Can be used to instantiate our framework. Leakage-amplification works! ⇒ Get PKE/IBE in the Bounded Retrieval Model.
Slide 22: Outline of Talk
1. A “high-level” template for constructing BRM schemes.
2. “Identity Based Hash Proof System” (IBHPS).
3. IBHPS constructions and parameters.
Slide 23: Constructions

  Scheme                         | Assumption             | Relative Leakage
  -------------------------------|------------------------|-----------------
  Bilinear Groups [Gen06]        | ABDHE, Standard Model  | 1/2
  Quadratic Residuosity [BGH07]  | QR, RO Model           | 1/O(s)
  Lattices [GPV08]               | LWE, RO Model          | (1 - ε)
Slide 24: Thank You!
Questions?
Slide 25: Constructions
Three constructions of IBHPS based on prior IBE schemes.
- [Gentry 06]: based on a “bilinear groups” assumption (TABDHE) in the standard model. Gives relative leakage 1/2.
- [Boneh-Gentry-Hamburg 07]: based on “quadratic residuosity” in the Random Oracle model. Gives relative leakage 1/s (s = security parameter).
- [Gentry-Peikert-Vaikuntanathan 08]: based on lattices and the LWE problem in the Random Oracle model. Already used to get leakage-resilient IBE [AGV09]. Gives relative leakage (1 - ε) for any ε > 0.
Slide 26: Next Slides