Public-Key Encryption

Presentation on theme: "Public-Key Encryption"— Presentation transcript:

Public-Key Encryption in the Bounded-Retrieval Model

Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs

Speaker: Daniel

Wichs

Eurocrypt

2010

Motivation

Cryptographic security analyzed in formal

“attack model”

.

Do our attack models capture

reality

?

In

reality

, extra information about secret-keys can

leak

.

Side-channels attacks:

timing, power, heat, EM radiation, acoustics...

Cold-boot attack

[HSH+ 08]

Viruses

Leakage-Resilient Crypto:

Add

key-leakage

to the

attack model

.

Build primitives that

provably

allow

leakage

of secret key.

Bounded Retrieval Model [Dzi06,…,ADW09]:Grow secret-key to allow for more leakage. Even many Gigabytes.Efficiency does not degrade as |sk| grows. {Public key, ciphertext, computation time}

f

(sk)

Model of Leakage: Memory Attacks

Adversary can learn

any efficiently computable function f : {0,1}*  {0,1}L of the secret key. L = Leakage Bound.

Relative-Leakage Model[AGV09, DKL09,NS09,…]. Maximize ratio of L to |sk| (e.g. 90% of the key can leak).

sk

leak

[

Akavia-Goldwasser-Vaikuntanathan

09]

Why design schemes for the BRM?

Security against Viruses:

Upper bound how much attacker can download (e.g. 10 GB)

.

Bandwidth too low, cost too high, system security may detect.

OK

if secret key is large.

Not OK

if efficiency degrades.

Security against side-channel attacks:

Leakage amount depends on the

complexity of computation

.

Leakage-resilient schemes might be less secure:

+ Leakage-resilience

)

+ Complexity

)

+ Leakage.

BRM efficiency breaks the cycle.

Prior Work on Leakage Resilience

Memory Attacks

Relative-Leakage

:

Symmetric

and Public-Key

Encryption

and

Authentication/Signatures.

[AGV09,DKL09,ADW09,

KV09,NS09,…].

Bounded Retrieval Model:

Symmetric and Public Key

“Authenticated key Agreement.”

Requires

interaction

.

[Dzi06,CDD

+

07, ADW09]

.

This work:

Public-Key Encryption

in the Bounded Retrieval Model.

Restricted types of leakage functions

.

[CDH+00, DSS01,KZ03, ISW03 , MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]

Does not seem applicable to e.g. virus attacks.

Definition of PKE in BRM

Key generation gets L as input. Adversary learns L bit leakage.Efficiency: pk size, ciphertext size, encryption/decryption times are all bounded by some fixed polynomials, independent of L.

Adversary

Challenger

(

pk,sk

) Ã KeyGen(1s )

pk

f : {0,1

}

* ! {0,1}L

f(

sk)

m0, m1

bà {0,1}

cÃEncrypt(mb,pk)

c

Output b’

, L

Pr[b’ = b]

·

½ +

negl

(s)

A “high-level” template for constructing BRM schemes.

“Identity Based Hash Proof System” (IB-HPS)Overview of IB-HPS constructions and parameters.

Outline of Talk

Start with: Scheme resilient to L’ bits of leakage.Construct: Scheme resilient to L >> L’ bits of leakage.Idea: Leakage Amplification via Parallel Repetition.

Template for BRM Schemes:

1. Leakage Amplification (via Parallel-Repetition)

Template for BRM Schemes:1. Parallel-Repetition

Encryption

Decryption

sk

1

sk

2

sk

3

sk

n

…

SK=

PK=

pk

1

pk

2

pk

3

pkn

…

To encrypt under PK.Secret-share message m into n shares m1,…,mn.Encrypt each share mi separately under pki.

c

1, c2, …, cn

c

i

= Enc(m

i

,

pk

i

)

Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n. Hope: Need to leak L’ bits on each of n keys to break the ‘repetition scheme’. … but maybe not a different L’ bits on each key.So is the theorem true?Not in general. Recent counterexample by [Lewko-Waters 10]!Yes in special cases (“hash proof systems”). Stay tuned.

Template for BRM Schemes:

1. Security of Parallel-Repetition?

Template for BRM Schemes:1. Efficiency of Parallel-Repetition?

Encryption

Decryption

sk

1

sk

2

sk

3

sk

n

…

SK=

PK=

pk

1

pk

2

pk

3

pkn

…

Problem 1: Ciphertext-size, computation proportional to n. Problem 2: Public-key size proportional to n.

c

1, c2, …, cn

c

i

= Enc(m

i

,

pk

i

)

Template for BRM Schemes:2. Small random subsets.

Encryption

Decryption

sk

1

sk

2

sk

3

sk

n

…

SK=

PK=

pk

1

pk

2

pk

3

pkn

…

Encryptor chooses small random subset of t << n indices.Encrypts t shares under the corresponding t public-keys.Hope: to break scheme, need to have leaked L’ bits on almost all indices (all of the ones that are later chosen).

(idx

1, c1)…,(idxt, ct)

c

i

= Enc(m

i

,

pk

idx

i

)

Template for BRM Schemes:3. Adding a Master Public Key.

Encryption

Decryption

sk

1

sk

2

sk

3

sk

n

…

SK=

PK=

Use Identity-Based Encryption (IBE)

PK

is master-public-key of IBE. SK consists of keys ski for identities i=1,…,n.

(idx

1, c1)…,(idxt, ct)

ci = Enc(mi, idxi)

MPK

Template for BRM Schemes:3. Adding a Master Public Key.

Encryption

Decryption

sk

1

sk

2

sk

3

sk

n

…

SK=

PK=

Scheme meets

efficiency

requirements of the BRM.Security?Does not amplify leakage-resilience in general.Rest of talk: make it work with special IBE.

(idx

1, c1)…,(idxt, ct)

ci = Enc(mi, idxi)

MPK

A “high-level” template for constructing BRM schemes.

“Identity Based Hash Proof System” (IB-HPS) IB-HPS constructions and parameters.

Outline of Talk

A KEM can be used to encrypt a random message m. (pk, sk)ÃKeyGen(1s)(c, m)ÃEncap(pk)m à Dec(c, sk)

Key Encapsulation Mechanism (KEM)

Hash Proof System (HPS): A Special KEM

For each pk, many possible sk. KeyGen outputs skÃSKpk .Correctness: if (c, m)ÃEncap(pk) then Dec(c, sk) = m for all sk.Bad Encapsulation: c* Ã Encap*(pk).Dec(c*, sk) is different for each sk. Can’t distinguish c* from c (even given sk).

SKpk

Dec(c,

SK

pk

)

Dec(

c*

,

SK

pk

)

HPS and Leakage Resilient KEM

Theorem [Naor-Segev 09]: A HPS is a Leakage-Resilient KEM. L ¼ log(|SKpk |).Proof:

sk

Ã

SK

pk

Dec(c,

sk

)

Show: Looks random

Can’t distinguish

‘bad’

ciphertext

m

still has entropy given view of adv.

Use extractors.

If leakage

< log(|

SK

pk

|)

adv still has uncertainty about sk.

Dec (

c*

,

sk

)

Parallel-Repetition of HPS

Theorem: Parallel repetition of a HPS amplifies leakage-resilience.Leakage of HPS is L ¼ log(|SKpk |) n-wise parallel repetition results in new HPS with SK’pk = SKpk x SKpk x … x SKpkCan show that “random subset selection” also works.

n

times

Identity-Based Hash Proof System (IB-HPS)

Global ‘master’ parameters: (MPK, MSK).For each identity, the secret-key skID comes from a large set.Can efficiently sample from any SKID only if given MSK.Encapsulation targets a specific identity:Good (c, m) Ã Encap(ID, MPK) Bad c* Ã Encap*(ID, MPK).

SKID1

SK

ID2

…

Applications of IB-HPS

Directly gives leakage-resilient

IBE

in relative-leakage model.

Can be used to instantiate

our framework. Leakage-amplification works!

)

Get

PKE/IBE

in the

B

ounded

R

etrieval

M

odel

.

A “high-level” template for constructing BRM schemes.

“Identity Based Hash Proof System” (IB-HPS) IB-HPS constructions and parameters.

Outline of Talk

Constructions

Scheme

Assumption

Relative

Leakage

Bilinear

Groups

[Gen06]

ABDHE

Standard Model

1/2

Quadratic

Residuosity

[BGH07]

QR

RO Model

1/O(s)

Lattices

[GPV08]

LWE

RO Model

(1-

²

)

Thank You!

Questions?

Constructions

Three constructions of IB-HPS based on prior IBE schemes.

[Gentry 06]:

Based on a “bilinear groups” assumptions (TABDHE) in standard model.

Gives relative leakage

½

.

[

Boneh

-Gentry-Hamburg 07]:

Based on “quadratic

residuosity

” in Random Oracle model.

Gives relative leakage

1/s

(

s

= security parameter).

[Gentry-

Peikert

-

Vaikuntanathan

08]:

Based on lattices and the LWE problem in Random Oracle model.

Already used to get leakage-resilient IBE.

[AGV09]

Gives relative leakage

(1-

²

)

for any

²

>0

.