Public-Key Encryption
Presentation on theme: "Public-Key Encryption"— Presentation transcript:

Slide1

Public-Key Encryption in the Bounded-Retrieval Model

Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs

Speaker: Daniel Wichs

Eurocrypt 2010

Slide2

Motivation

Cryptographic security is analyzed in a formal “attack model”.
Do our attack models capture reality?
In reality, extra information about secret keys can leak:
Side-channel attacks: timing, power, heat, EM radiation, acoustics...
Cold-boot attack [HSH+ 08]
Viruses

Leakage-Resilient Crypto:
Add key-leakage to the attack model.
Build primitives that provably allow leakage of the secret key.

Slide3

Bounded Retrieval Model [Dzi06, …, ADW09]:
Grow the secret key to allow for more leakage. Even many Gigabytes.
Efficiency does not degrade as |sk| grows: {public key, ciphertext, computation time}.

Model of Leakage: Memory Attacks [Akavia-Goldwasser-Vaikuntanathan 09]
Adversary can learn any efficiently computable function f : {0,1}* → {0,1}^L of the secret key. L = Leakage Bound.
(Figure: sk → f → f(sk) leaks to the adversary.)

Relative-Leakage Model [AGV09, DKL09, NS09, …]: Maximize the ratio of L to |sk| (e.g. 90% of the key can leak).

Slide4

Why design schemes for the BRM?

Security against Viruses:
Upper bound how much the attacker can download (e.g. 10 GB). Bandwidth too low, cost too high, system security may detect.
OK if the secret key is large. Not OK if efficiency degrades.

Security against side-channel attacks:
Leakage amount depends on the complexity of computation.
Leakage-resilient schemes might be less secure: + Leakage-resilience ⇒ + Complexity ⇒ + Leakage.
BRM efficiency breaks the cycle.

Slide5

Prior Work on Leakage Resilience

Memory Attacks, Relative-Leakage: Symmetric and Public-Key Encryption and Authentication/Signatures. [AGV09, DKL09, ADW09, KV09, NS09, …]
Bounded Retrieval Model: Symmetric and Public-Key “Authenticated Key Agreement.” Requires interaction. [Dzi06, CDD+07, ADW09]
This work: Public-Key Encryption in the Bounded Retrieval Model.

Restricted types of leakage functions. [CDH+00, DSS01, KZ03, ISW03, MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]
Does not seem applicable to e.g. virus attacks.

Slide6

Definition of PKE in BRM

Key generation gets L as input. Adversary learns L bits of leakage.
Efficiency: pk size, ciphertext size, encryption/decryption times are all bounded by some fixed polynomials, independent of L.

Security game between Adversary and Challenger:
Challenger: (pk, sk) ← KeyGen(1^s, L)
Challenger → Adversary: pk
Adversary → Challenger: f : {0,1}* → {0,1}^L
Challenger → Adversary: f(sk)
Adversary → Challenger: m0, m1
Challenger: b ← {0,1}, c ← Encrypt(mb, pk)
Challenger → Adversary: c
Adversary: Output b’
Pr[b’ = b] ≤ ½ + negl(s)

Slide7

Outline of Talk

A “high-level” template for constructing BRM schemes.
“Identity Based Hash Proof System” (IB-HPS)
Overview of IB-HPS constructions and parameters.

Slide8

Template for BRM Schemes: 1. Leakage Amplification (via Parallel-Repetition)

Start with: Scheme resilient to L’ bits of leakage.
Construct: Scheme resilient to L >> L’ bits of leakage.
Idea: Leakage Amplification via Parallel Repetition.

Slide9

Template for BRM Schemes: 1. Parallel-Repetition

PK = pk1, pk2, pk3, …, pkn (used for Encryption)
SK = sk1, sk2, sk3, …, skn (used for Decryption)

To encrypt under PK:
Secret-share message m into n shares m1, …, mn.
Encrypt each share mi separately under pki.
Ciphertext: c1, c2, …, cn, where ci = Enc(mi, pki).

Slide10

Template for BRM Schemes: 1. Security of Parallel-Repetition?

Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n.
Hope: Need to leak L’ bits on each of the n keys to break the ‘repetition scheme’. … but maybe not a different L’ bits on each key.
So is the theorem true?
Not in general. Recent counterexample by [Lewko-Waters 10]!
Yes in special cases (“hash proof systems”). Stay tuned.

Slide11

Template for BRM Schemes: 1. Efficiency of Parallel-Repetition?

PK = pk1, pk2, pk3, …, pkn (used for Encryption)
SK = sk1, sk2, sk3, …, skn (used for Decryption)
Ciphertext: c1, c2, …, cn, where ci = Enc(mi, pki).

Problem 1: Ciphertext size and computation proportional to n.
Problem 2: Public-key size proportional to n.

Slide12

Template for BRM Schemes: 2. Small random subsets.

PK = pk1, pk2, pk3, …, pkn (used for Encryption)
SK = sk1, sk2, sk3, …, skn (used for Decryption)

Encryptor chooses a small random subset of t << n indices.
Encrypts t shares under the corresponding t public keys.
Ciphertext: (idx1, c1), …, (idxt, ct), where ci = Enc(mi, pk_idxi).
Hope: to break the scheme, need to have leaked L’ bits on almost all indices (all of the ones that are later chosen).

Slide13

Template for BRM Schemes: 3. Adding a Master Public Key.

Use Identity-Based Encryption (IBE).
PK = MPK is the master public key of the IBE (used for Encryption).
SK consists of keys ski for identities i = 1, …, n (used for Decryption).
Ciphertext: (idx1, c1), …, (idxt, ct), where ci = Enc(mi, idxi).

Slide14

Template for BRM Schemes: 3. Adding a Master Public Key.

PK = MPK (used for Encryption); SK = sk1, sk2, sk3, …, skn (used for Decryption).
Ciphertext: (idx1, c1), …, (idxt, ct), where ci = Enc(mi, idxi).

Scheme meets the efficiency requirements of the BRM.
Security? Does not amplify leakage-resilience in general.
Rest of talk: make it work with a special IBE.

Slide15

Outline of Talk

A “high-level” template for constructing BRM schemes.
“Identity Based Hash Proof System” (IB-HPS)
IB-HPS constructions and parameters.

Slide16

Key Encapsulation Mechanism (KEM)

A KEM can be used to encrypt a random message m.
(pk, sk) ← KeyGen(1^s)
(c, m) ← Encap(pk)
m ← Dec(c, sk)

Slide17

Hash Proof System (HPS): A Special KEM

For each pk, many possible sk. KeyGen outputs sk ← SK_pk.
Correctness: if (c, m) ← Encap(pk) then Dec(c, sk) = m for all sk ∈ SK_pk.
Bad Encapsulation: c* ← Encap*(pk). Dec(c*, sk) is different for each sk.
Can’t distinguish c* from c (even given sk).
(Figure: over the set SK_pk, Dec(c, SK_pk) is a single value while Dec(c*, SK_pk) takes many values.)

Slide18

HPS and Leakage Resilient KEM

Theorem [Naor-Segev 09]: A HPS is a Leakage-Resilient KEM. L ≈ log(|SK_pk|).
Proof:
sk ← SK_pk. Show: Dec(c, sk) looks random.
Can’t distinguish ‘bad’ ciphertext: replace Dec(c, sk) with Dec(c*, sk).
If leakage < log(|SK_pk|), adv still has uncertainty about sk.
m still has entropy given the view of adv.
Use extractors.

Slide19

Parallel-Repetition of HPS

Theorem: Parallel repetition of a HPS amplifies leakage-resilience.
Leakage of HPS is L ≈ log(|SK_pk|).
n-wise parallel repetition results in a new HPS with SK’_pk = SK_pk × SK_pk × … × SK_pk (n times).
Can show that “random subset selection” also works.
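As an added worked example (not code from the talk or the paper), here is a toy DDH-style hash proof system in the Cramer-Shoup mould, showing the two HPS properties of Slides 17 and 18 (many secret keys per public key, all agreeing on good ciphertexts and disagreeing on bad ones), with the template of Slides 9, 12 and 19 layered on top: n independent HPS keys, a random t-subset of indices, and additive sharing of the message. The group parameters, the exponent W kept only so the demo can enumerate SK_pk, and all function names are constructed for illustration; the group is far too small for real use.

```python
import secrets
# Toy DDH-style hash proof system over a tiny group (constructed for illustration; P = 2Q+1 is a safe prime).
P, Q = 1019, 509
G1 = 4                       # generator of the order-Q subgroup of Z_P^*
W = 123                      # W = log_G1(G2); known here only so the demo can walk through SK_pk
G2 = pow(G1, W, P)
_rng = secrets.SystemRandom()

def keygen():
    # pk = G1^x1 * G2^x2; every (x1, x2) on the line x1 + W*x2 = const is a valid sk for this pk
    x1, x2 = _rng.randrange(Q), _rng.randrange(Q)
    return pow(G1, x1, P) * pow(G2, x2, P) % P, (x1, x2)

def other_sk(sk, d):
    # another element of SK_pk for the same pk (any d != 0 mod Q gives a different key)
    return ((sk[0] - W * d) % Q, (sk[1] + d) % Q)

def encap(pk):
    # good encapsulation: c = (G1^r, G2^r); every sk in SK_pk decapsulates to m = pk^r
    r = _rng.randrange(Q)
    return (pow(G1, r, P), pow(G2, r, P)), pow(pk, r, P)

def encap_bad(pk):
    # bad encapsulation: exponents differ, so Dec(c*, sk) depends on which sk in SK_pk is held
    r = _rng.randrange(Q)
    r2 = (r + _rng.randrange(1, Q)) % Q
    return (pow(G1, r, P), pow(G2, r2, P))

def decap(c, sk):
    return pow(c[0], sk[0], P) * pow(c[1], sk[1], P) % P

# BRM template on top of the HPS: n independent keys, a random t-of-n subset, additive sharing mod P.
def brm_keygen(n):
    pairs = [keygen() for _ in range(n)]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]

def brm_encrypt(m, pks, t):
    idx = _rng.sample(range(len(pks)), t)            # small random subset of indices
    shares = [_rng.randrange(P) for _ in range(t - 1)]
    shares.append((m - sum(shares)) % P)             # shares sum to m (mod P)
    out = []
    for i, s in zip(idx, shares):
        c, k = encap(pks[i])
        out.append((i, c, (s + k) % P))              # (idx_i, c_i) plus the share masked by k_i
    return out

def brm_decrypt(ct, sks):
    # the decryptor only touches the t secret keys named in the ciphertext
    return sum(e - decap(c, sks[i]) for i, c, e in ct) % P
```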

Slide20

Identity-Based Hash Proof System (IB-HPS)

Global ‘master’ parameters: (MPK, MSK).
For each identity, the secret key sk_ID comes from a large set SK_ID.
Can efficiently sample from any SK_ID only if given MSK.
Encapsulation targets a specific identity: Good (c, m) ← Encap(ID, MPK). Bad c* ← Encap*(ID, MPK).
(Figure: the sets SK_ID1, SK_ID2, …)

Slide21

Applications of IB-HPS

Directly gives leakage-resilient IBE in the relative-leakage model.
Can be used to instantiate our framework. Leakage-amplification works!
⇒ Get PKE/IBE in the Bounded Retrieval Model.

Slide22

Outline of Talk

A “high-level” template for constructing BRM schemes.
“Identity Based Hash Proof System” (IB-HPS)
IB-HPS constructions and parameters.

Slide23

Constructions

Scheme                        Assumption   Model            Relative Leakage
Bilinear Groups [Gen06]       ABDHE        Standard Model   1/2
Quadratic Residuosity [BGH07] QR           RO Model         1/O(s)
Lattices [GPV08]              LWE          RO Model         (1-ε)

Slide24

Thank You!

Questions?

Slide25

Constructions

Three constructions of IB-HPS based on prior IBE schemes.
[Gentry 06]: Based on a “bilinear groups” assumption (TABDHE) in the standard model. Gives relative leakage ½.
[Boneh-Gentry-Hamburg 07]: Based on “quadratic residuosity” in the Random Oracle model. Gives relative leakage 1/s (s = security parameter).
[Gentry-Peikert-Vaikuntanathan 08]: Based on lattices and the LWE problem in the Random Oracle model. Already used to get leakage-resilient IBE [AGV09]. Gives relative leakage (1-ε) for any ε > 0.
