Uploaded On 2015-09-30
in sensor networks [30] and as a tool for applying signal processing techniques to multimedia content protection [13]. Yet a cryptographic study of OPE in the provable-security tradition never appeared. Our work aims to begin to remedy this situation.

Related Work. Our work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by [2] in the symmetric-key setting and [6, 10, 7] in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range queries) has remained open. The work of [24] suggested enabling efficient range queries on encrypted data not by using OPE but so-called prefix-preserving encryption (PPE) [31, 5]. Unfortunately, as discussed in [24, 2], PPE schemes are subject to certain attacks in this context; particular queries can completely reveal some of the underlying plaintexts in the database. Moreover, their use necessitates specialized data structures and query formats, which practitioners would prefer to avoid. Allowing range queries on encrypted data in the public-key setting was studied in [11, 28]. While their schemes provably provide strong security, they are not efficient in our setting, requiring a scan of the whole database on every query. Finally, we clarify that [1], in addition to suggesting the OPE primitive, does provide a construction. However, the construction is rather ad-hoc and has certain limitations, namely its encryption algorithm must take as input all the plaintexts in the database. It is not always practical to assume that users know all these plaintexts in advance, so a stateless scheme whose encryption algorithm can process single plaintexts on the fly is preferable. Moreover, [1] does not define security nor provide any formal security analysis.

Defining security of OPE. Our first goal is to devise a rigorous definition of security that OPE schemes should satisfy. Of course, such schemes cannot satisfy all the standard notions of security, such as indistinguishability against chosen-plaintext attack (IND-CPA), as they are not only deterministic, but also leak the order-relations among the plaintexts. So, although we cannot target the strongest security level, we want to define the best possible security under the order-preserving constraint that the target applications require. (Such an approach was taken previously in the case of deterministic public-key encryption [6, 10, 7], on-line ciphers [5], and deterministic authenticated encryption [27].)

Weakening IND-CPA. One approach is to try to weaken the IND-CPA definition appropriately. Indeed, in the case of deterministic symmetric encryption this was done by [8], which formalizes a notion called indistinguishability under distinct chosen-plaintext attack or IND-DCPA. (The notion was subsequently applied to MACs in [4].) Since deterministic encryption leaks equality of plaintexts, they restrict the adversary in the IND-CPA experiment to make queries to its left-right encryption oracle of the form $(x_1^0, x_1^1), \ldots, (x_q^0, x_q^1)$ such that $x_1^0, \ldots, x_q^0$ are all distinct and $x_1^1, \ldots, x_q^1$ are all distinct. We generalize this to a notion we call indistinguishability under ordered chosen-plaintext attack or IND-OCPA, asking these sequences instead to satisfy the same order relations. (See Section 3.2.) Surprisingly, we go on to show that this plausible-looking definition is not very useful for us, because it cannot be achieved by an OPE scheme unless the size of its ciphertext-space is exponential in the size of its plaintext-space.

An alternative approach. Instead of trying to further restrict the adversary in the IND-OCPA definition, we turn to an approach along the lines of pseudorandom functions (PRFs) or permutations (PRPs), requiring that no adversary can distinguish between oracle access to the encryption algorithm of the scheme or a corresponding "ideal" object. In our case the latter is a random order-preserving

of random coins it needs varies during the binary search, and also because such a construction seems useful in general, it should be both variable input-length (VIL) and variable output-length, which we call a length-flexible (LF)-PRF. We propose a generic construction of an LF-PRF from a VIL-PRF and a (keyless) VOL-PRG (pseudorandom generator). Efficient blockcipher-based VIL-PRFs are known, and we suggest a highly efficient blockcipher-based VOL-PRG that is apparently folklore. POPF-CCA security of the resulting OPE scheme can then be easily proved assuming only standard security (pseudorandomness) of an underlying blockcipher.

Switching from NHG to HG. Finally, our scheme needs an efficient sampling algorithm for the NHG distribution. Unfortunately, the existence of such an algorithm seems open. It is known that NHG can be approximated by the negative binomial distribution [26], which in turn can be sampled efficiently [16, 14], and that the approximation improves as $M$ and $N$ grow. However, quantifying the quality of approximation for fixed parameters seems difficult. Instead, we turn to a related probability distribution, namely the hypergeometric (HG) distribution, for which a very efficient exact (not approximated) sampling algorithm is known [22, 23]. In our balls-and-bin model with $M$ black and $N - M$ white balls, the random variable $X$ specifying the number of black balls in our sample as soon as $y$ balls are picked follows the HG distribution. The scheme based on this distribution, which is the one described in the body of the paper, is rather more involved, but nearly as efficient: instead of $O(\log M)\, T_{NHGD}$ running-time it is $O(\log N)\, T_{HGD}$ (where $T_{NHGD}, T_{HGD}$ are the running-times of the sampling algorithms for the respective distributions), but we show that it is $O(\log M)\, T_{HGD}$ on average. We note that the hypergeometric distribution was also used in [19] for sampling pseudorandom permutations and constructing blockciphers for short inputs. The authors of [19] were unaware of the efficient sampling algorithms for HG [22, 23] and provided their own realizations based on general sampling methods.

Discussion. It is important to realize that the "ideal" object in our POPF-CCA definition (a random order-preserving function), and correspondingly our OPE construction meeting it, inherently leak some information about the underlying plaintexts. Characterizing this leakage is an important next step in the study of OPE but is outside the scope of our current paper. (Although we mention that our "big-jump attack" of Theorem 3.1 may provide some insight in this regard.) The point is that practitioners have indicated their desire to use OPE schemes in order to achieve efficient range queries on encrypted data and are willing to live with its security limitations. In response, we provide a scheme meeting what we believe to be a "best-possible" security notion for OPE. This belief can be justified by noting that it is usually the case that a security notion for a cryptographic object is met by a "random" one (which is sometimes built directly into the definition, as in the case of PRFs and PRPs). But before one fully understands how the security properties of the ideal object, a random order-preserving function, fit the security needs of applications, we do not recommend the practical use of our construction.

On a more general primitive. To allow efficient range queries on encrypted data, it is sufficient to have an order-preserving hash function family $H$ (not necessarily invertible). The overall OPE scheme would then have secret key $(K_{Enc}, K_H)$ where $K_{Enc}$ is a key for a normal (randomized) encryption scheme and $K_H$ is a key for $H$, and the encryption of $x$ would be $Enc(K_{Enc}, x) \,\|\, H(K_H, x)$ (cf. efficiently searchable encryption (ESE) in [6]). Our security notion (in the CPA case) can also be applied to such $H$. In fact, there has been some work on hash functions that are order-preserving or have some related properties [25, 15, 20]. But none of these works are concerned with security in any sense. Since our

We require that each query $(m_0, m_1)$ that $A$ makes to its oracle satisfies $|m_0| = |m_1|$. For an adversary $A$, define its ind-cpa advantage against $SE$ as
$$\mathbf{Adv}^{\text{ind-cpa}}_{SE}(A) = \Pr\left[\mathbf{Exp}^{\text{ind-cpa-1}}_{SE}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{ind-cpa-0}}_{SE}(A) = 1\right].$$

Pseudorandom functions (PRFs). A family of functions is a map $F : Keys \times D \to \{0,1\}^\ell$, where for each key $K \in Keys$ the map $F(K, \cdot) : D \to \{0,1\}^\ell$ is a function. We refer to $F(K, \cdot)$ as an instance of $F$. For an adversary $A$, its prf-advantage against $F$, $\mathbf{Adv}^{\text{prf}}_F(A)$, is defined as
$$\Pr\left[K \xleftarrow{\$} Keys : A^{F(K,\cdot)} = 1\right] - \Pr\left[f \xleftarrow{\$} Func_{D,\{0,1\}^\ell} : A^{f(\cdot)} = 1\right],$$
where $Func_{D,\{0,1\}^\ell}$ denotes the set of all functions from $D$ to $\{0,1\}^\ell$.

3 OPE and its Security

3.1 Order-Preserving Encryption (OPE)

We are interested in deterministic encryption schemes that preserve numerical ordering on their plaintext-space. Let us define what we mean by this. For $A, B \subseteq \mathbb{N}$ with $|A| \le |B|$, a function $f : A \to B$ is order-preserving (aka. strictly-increasing) if for all $i, j \in A$, $f(i) > f(j)$ iff $i > j$. We say that deterministic encryption scheme $SE = (\mathcal{K}, Enc, Dec)$ with plaintext and ciphertext-spaces $D, R$ is order-preserving if $Enc(K, \cdot)$ is an order-preserving function from $D$ to $R$ for all $K$ output by $\mathcal{K}$ (with elements of $D, R$ interpreted as numbers, encoded as strings). Unless otherwise stated, we assume the plaintext-space is $[M]$ and the ciphertext-space is $[N]$ for some $N \ge M$, $M, N \in \mathbb{N}$.

3.2 Security of OPE

A first try. Security of deterministic symmetric encryption was introduced in [8], as a notion they call security under distinct chosen-plaintext attack (IND-DCPA). (It will not be important to consider CCA now.) The idea is that because deterministic encryption leaks plaintext equality, the adversary $A$ in the IND-CPA experiment defined in Section 2 is restricted to make only distinct queries on either side of its oracle (as otherwise there is a trivial attack). That is, supposing $A$ makes queries $(m_1^0, m_1^1), \ldots, (m_q^0, m_q^1)$, they require that $m_1^b, \ldots, m_q^b$ are all distinct for $b \in \{0,1\}$. Noting that any OPE scheme analogously leaks the order relations among the plaintexts, let us first try generalizing the above approach to take this into account. Namely, let us further require the above queries made by $A$ to satisfy $m_i^0 \le m_j^0$ iff $m_i^1 \le m_j^1$ for all $1 \le i, j \le q$. We call such an $A$ an IND-OCPA adversary, for indistinguishability under ordered chosen-plaintext attack.

IND-OCPA is not useful. Defining an IND-OCPA adversary seems like a plausible way to analyze security for OPE. Surprisingly, it turns out not to be too useful for us. Below, we show that IND-OCPA is unachievable by a practical order-preserving encryption scheme, in that an OPE scheme cannot be IND-OCPA unless its ciphertext-space is extremely large (exponential in the size of the plaintext-space).

Theorem 3.1 Let $SE = (\mathcal{K}, Enc, Dec)$ be an order-preserving encryption scheme with plaintext-space $[M]$ and ciphertext-space $[N]$ for $M, N \in \mathbb{N}$ such that $2^{k-1} \le N \le 2^k$ for some $k \in \mathbb{N}$. Then there
The reason is that $m$ is picked independently at random and if $b = 1$ then $A$ outputs 1 just when $m + 1$ is not a big reverse-jump of $Enc(K, \cdot)$, and since $N \le 2^k$ we know that $Enc(K, \cdot)$ has at most $k$ big reverse-jumps by Lemma 3.2. Similarly, $\Pr[\mathbf{Exp}^{\text{ind-ocpa-0}}_{SE}(A) = 1] \le k/(M-1)$ because if $b = 0$ then $A$ outputs 1 just when $m$ is a big jump of $Enc(K, \cdot)$, and since $N \le 2^k$ we know that $Enc(K, \cdot)$ has at most $k$ big jumps by Lemma 3.2. Subtracting yields the theorem. Note that $A$ only needs to pick a random element of $[M]$ and do basic operations on elements of $[N]$, which is $O(\log N)$ as claimed.

Discussion. The adversary in the proof of Theorem 3.1 uses what we call the "big-jump attack" to distinguish between ciphertexts of messages that are "very close" and "far apart." The attack shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering, namely some information about their relative distances. We return to this point later.

An alternative approach. Instead, we take the approach used in defining security e.g. of PRPs [17] or on-line PRPs [5], where one asks that oracle access to the function in question be indistinguishable from access to the corresponding "ideal" random object, e.g. a random permutation or a random on-line permutation. As order-preserving functions are injective, we consider the "strong" version of such a definition where an inverse oracle is also given.

POPF-CCA. Fix an order-preserving encryption scheme $SE = (\mathcal{K}, Enc, Dec)$ with plaintext-space $D$ and ciphertext-space $R$, $|D| \le |R|$. For an adversary $A$ against $SE$, define its popf-cca-advantage (or pseudorandom order-preserving function advantage under chosen-ciphertext attack), $\mathbf{Adv}^{\text{popf-cca}}_{SE}(A)$, against $SE$ as
$$\Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{Enc(K,\cdot),\,Dec(K,\cdot)} = 1\right] - \Pr\left[g \xleftarrow{\$} OPF_{D,R} : A^{g(\cdot),\,g^{-1}(\cdot)} = 1\right],$$
where $OPF_{D,R}$ denotes the set of all order-preserving functions from $D$ to $R$.

Lazy sampling. Now in order for this notion to be useful, i.e. to be able to show that a scheme achieves it, we also need a way to implement $A$'s oracles in the "ideal" experiment efficiently. In other words, we need to show how to "lazy sample" (a term from [9]) a random order-preserving function and its inverse.¹ As shown in [9], lazy sampling of "exotic" functions with many constraints can be tricky. In the case of a random order-preserving function, it turns out that straightforward procedures, which assign a random point in the range to a queried domain point, subject to the obvious remaining constraints, do not work (that is, the resulting function is not uniformly distributed over the set of all such functions). So how can we lazy sample such a function, if it is possible at all? We address this issue next.

A caveat. Before proceeding, we note that a shortcoming of our POPF-CCA notion is that it does not lead to a nice answer to the question of what information about the data is leaked by a secure OPE scheme, but only reduces this to the question of what information the "ideal object" (a random order-preserving function) leaks. Although practitioners have indicated that they are willing to live with

¹ For example, in the case of a random function from the set of all functions one can simply assign a random point from the range to each new point queried from the domain. In the case of a random permutation, the former can be chosen from the set of all previously unassigned points in the range, and lazy sampling of its inverse can be done similarly. A lazy sampling procedure for a random on-line PRP and its inverse via a tree-based characterization was given in [5].
we pick is black then the least unmapped point in the domain is mapped to $y$ under $f$. Of course, this experiment is too inefficient to be performed directly. But we will use the hypergeometric distribution to design procedures that efficiently and recursively lazy sample a random order-preserving function and its inverse.

4.2 The LazySample Algorithms

Here we give our algorithms LazySample, LazySampleInv that lazy sample a random order-preserving function from domain $D$ to range $R$, $|D| \le |R|$, and its inverse, respectively. The algorithms share and maintain joint state. We assume that both $D$ and $R$ are sets of consecutive integers.

Two subroutines. Our algorithms make use of two subroutines. The first, denoted HGD, takes inputs $D, R$, and $y \in R$ to return $x \in D$ such that for each $x^* \in D$ we have $x = x^*$ with probability $P_{HGD}(x^* - d;\, |R|, |D|, y - r)$ over the coins of HGD, where $d = \min(D) - 1$ and $r = \min(R) - 1$. (Efficient algorithms for this exist, and we discuss them in Section 4.5.) The second, denoted GetCoins, takes inputs $1^\ell$, $D$, $R$, and $b \| z$, where $b \in \{0,1\}$ and $z \in R$ if $b = 0$ and $z \in D$ otherwise, to return $cc \in \{0,1\}^\ell$.

The algorithms. To define our algorithms, let us denote by $w \xleftarrow{cc} S$ that $w$ is assigned a value sampled uniformly at random from set $S$ using coins $cc$ of length $\ell_S$, where $\ell_S$ denotes the number of coins needed to do so. Let $\ell_1 = \ell(D, R, y)$ denote the number of coins needed by HGD on inputs $D, R, y$. Our algorithms are given in Figure 1. Note that the arrays $F, I$, initially empty, are global and shared between the algorithms; also, for now, think of GetCoins as returning fresh random coins. We later implement it by using a PRF on the same parameters to eliminate the joint state.

Overview. To determine the image of input $m$, LazySample employs a strategy of mapping "range gaps" to "domain gaps" in a recursive, binary search manner. By "range gap" or "domain gap," we mean an imaginary barrier between two consecutive points in the range or domain, respectively. When run, the algorithm first maps the middle range gap $y$ (the gap between the middle two range points) to a domain gap. To determine the mapping, on line 11 it sets, according to the hypergeometric distribution, how many points in $D$ are mapped up to range point $y$ and stores this value in array $I$. (In the future the array is referenced instead of choosing this value anew.) Thus we have that $f(x) \le y < f(x+1)$ (cf. Equation (1)), where $x = d + I[D, R, y]$ as computed on line 12. So, we can view the range gap between $y$ and $y + 1$ as having been mapped to the domain gap between $x$ and $x + 1$. If the input domain point $m$ is below (resp. above) the domain gap, the algorithm recurses on line 19 on the lower (resp. upper) half of the range and the lower (resp. upper) part of the domain, mapping further "middle" range gaps to domain gaps. This process continues until the gaps on either side of $m$ have been mapped to by some range gaps. Finally, on line 07, the algorithm samples a range point uniformly at random from the "window" defined by the range gaps corresponding to $m$'s neighboring domain gaps. The result is assigned to array $F$ as the image of $m$ under the lazy-sampled function.

4.3 Correctness

When GetCoins returns truly random coins, it is not hard to observe that LazySample, LazySampleInv are consistent and sample an order-preserving function and its inverse respectively. But we need a stronger claim; namely, that our algorithms sample a random order-preserving function and its inverse. We show this by arguing that any (even computationally unbounded) adversary has no advantage in distinguishing oracle access to a random order-preserving function and its inverse from that to the algorithms LazySample, LazySampleInv. The following theorem states this claim.

Theorem 4.2 Suppose GetCoins returns truly random coins on each new input. Then for any (even computationally unbounded) algorithm $A$ we have
$$\Pr\left[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\right] = \Pr\left[A^{LazySample(D,R,\cdot),\,LazySampleInv(D,R,\cdot)} = 1\right],$$
where $g, g^{-1}$ denote an order-preserving function picked at random from $OPF_{D,R}$ and its inverse, respectively.
Proof: Since we consider unbounded adversaries, we can ignore the inverse oracle in our analysis, since such an adversary can always query all points in the domain to learn all points in the image. Let $M = |D|$, $N = |R|$, $d = \min(D) - 1$, and $r = \min(R) - 1$. We will say that two functions $g, h : D \to R$ are equivalent if $g(m) = h(m)$ for all $m \in D$. (Note that if $D = \emptyset$, any two functions $g, h : D \to R$ are vacuously equivalent.) Let $f$ be any function in $OPF_{D,R}$. To prove the theorem, it is enough to show that the function defined by $LazySample(D, R, \cdot)$ is equivalent to $f$ with probability $1/|OPF_{D,R}|$. We prove this using strong induction on $M$ and $N$.

Consider the base case where $M = 1$, i.e., $D = \{m\}$ for some $m$, and $N \ge M$. When it is first called, $LazySample(D, R, m)$ will determine an element $c$ uniformly at random from $R$ and enter it into $F[D, R, m]$, whereupon any future calls of $LazySample(D, R, m)$ will always output $F[D, R, m] = c$. Thus, the output of $LazySample(D, R, m)$ is always $c$, so $LazySample(D, R, \cdot)$ is equivalent to $f$ if and only if $c = f(m)$. Since $c$ is chosen randomly from $R$, $c = f(m)$ with probability $1/|R|$. Thus, $LazySample(D, R, m)$ is equivalent to $f(m)$ with probability $1/|R| = 1/|OPF_{D,R}|$.

Now suppose $M > 1$, and $N \ge M$. As an induction hypothesis assume that for all domains $D'$ of size $M'$ and ranges $R'$ of size $N' \ge M'$, where either $M' < M$ or ($M' = M$ and $N' < N$), and for any function $f'$ in $OPF_{D',R'}$, $LazySample(D', R', \cdot)$ is equivalent to $f'$ with probability $1/|OPF_{D',R'}|$. The first time it is called, $LazySample(D, R, \cdot)$ first computes $I[D, R, y] \xleftarrow{\$} HGD(R, D, y - r)$, where $y = r + \lceil N/2 \rceil$, $r = \min(R) - 1$. Henceforth, on this and future calls of $LazySample(D, R, m)$, the algorithm sets $x = d + I[D, R, y - r]$ and will run $LazySample(D_1, R_1, m)$ if $m \le x$, or run $LazySample(D_2, R_2, m)$ if $m > x$, where $D_1 = \{1, \ldots, x\}$, $R_1 = \{1, \ldots, y\}$, $D_2 = \{x+1, \ldots, M\}$, $R_2 = \{y+1, \ldots, N\}$. Let $f_1$ be $f$ restricted to the domain $D_1$, and let $f_2$ be $f$ restricted to the domain $D_2$. Let $x'$ be the unique integer in $D \cup \{d\}$ such that $f(z) \le y$ for all $z \in D$, $z \le x'$, and $f(z) > y$ for all $z \in D$, $z > x'$. Note then that $LazySample(D, R, \cdot)$ is equivalent to $f$ if and only if all three of the following events occur:

$E_1$: $f$ restricted to range $R_1$ stays within domain $D_1$, and $f$ restricted to range $R_2$ stays within domain $D_2$; that is, $x$ is chosen to be $x'$.
$E_2$: $LazySample(D_1, R_1, \cdot)$ is equivalent to $f_1$.
$E_3$: $LazySample(D_2, R_2, \cdot)$ is equivalent to $f_2$.

By the law of conditional probability, and since $E_2$ and $E_3$ are independent,
$$\Pr[E_1 \cap E_2 \cap E_3] = \Pr[E_1]\,\Pr[E_2 \cap E_3 \mid E_1] = \Pr[E_1]\,\Pr[E_2 \mid E_1]\,\Pr[E_3 \mid E_1].$$

For the average case bound, we use a result of Chvátal [?] that the tail of the hypergeometric distribution can be bounded so that
$$\sum_{i=k+1}^{M} P_{HGD}(i; N, M, c) \le e^{-2t^2 M},$$
where $t$ is a fraction such that $0 \le t \le 1 - c/N$, and $k = (c/N + t)M$. Taking $c = N/2$, this implies an upper bound on the probability of the hypergeometric distribution assigning our middle domain gap to an "outlying" domain gap:
$$\sum_{i \notin S} P_{HGD}(i; N, M, N/2) \le 2e^{-2t^2 M} \qquad (2)$$
where $S$ is the subdomain $[(1/2 - t)M, (1/2 + t)M]$. For $M \le 12$, after at most 12 calls to LazySample we will reach a domain of size 1, and terminate. So suppose that $M > 12$. Taking $t = 1/4$ in Equation (2) implies that LazySample assigns the middle ciphertext gap to a plaintext gap in the "middle subdomain" $[M/4, 3M/4]$ with probability at least
$$1 - 2e^{-2(1/4)^2 M} \ge 1 - 2e^{-3/2} > 1/2.$$
When a domain gap in $S$ is chosen it shrinks the current domain by a fraction of at least $3/4$. So, picking in the middle subdomain $\log_{4/3} M = \log M / \log(4/3) \le 2.5 \log M$ times will shrink it to size less than 12. Since the probability to pick in the middle subdomain is greater than $1/2$ on each recursive call of LazySample, we expect at most $5 \log M$ recursive calls to reach domain size $M \le 12$. Therefore, in total at most $5 \log M + 12$ recursive calls are needed on average to map an input domain point.
Note that the algorithms make one call to HGD on each recursion, so an upper bound on their running-times is then at most $(\log N + 1)\, T_{HGD}$ in the worst case and at most $(5 \log M + 12)\, T_{HGD}$ on average, where $T_{HGD}$ denotes the running-time of HGD on inputs of size at most $\log N$. However, this does not take into account the fact that the size of these inputs decreases on each recursion. Thus, better bounds may be obtained by analyzing the running-time of a specific realization of HGD.

4.5 Realizing HGD

An efficient implementation of sampling algorithm HGD was designed by Kachitvichyanukul and Schmeiser [22]. Their algorithm is exact; it is not an approximation by a related distribution. It is implemented in Wolfram Mathematica and other libraries, and is fast even for large parameters. However, on small parameters the algorithms of [29] perform better. Since the parameter size to HGD in our LazySample algorithms shrinks across the recursive calls from large to small, it could be advantageous to switch algorithms at some threshold. We refer the reader to [29, 22, 23, 14] for more details.

We comment that the algorithms of [22] are technically only "exact" when the underlying floating-point operations can be performed to infinite precision. In practice, one has to be careful of truncation error. For simplicity, Theorem 4.2 did not take this into account, as in theory the error can be made arbitrarily small by increasing the precision of floating-point operations (independently of $M, N$). But we make this point explicit in Theorem 5.3 that analyzes security of our actual scheme.

5 Our OPE Scheme and its Analysis

Algorithms LazySample, LazySampleInv cannot be directly converted into encryption and decryption procedures because they share and update a joint state, namely arrays $F$ and $I$, which

Proposition 5.1 Let $A$ be an adversary against TapeGen that makes at most $q$ queries to its oracle of total input length $\ell_{in}$ and total output length $\ell_{out}$. Then there exists an adversary $B_1$ against $F$ and an adversary $B_2$ against $G$ such that
$$\mathbf{Adv}^{\text{lf-prf}}_{TapeGen}(A) \le 2\left(\mathbf{Adv}^{\text{prf}}_F(B_1) + \mathbf{Adv}^{\text{vol-prg}}_G(B_2)\right).$$
Adversaries $B_1, B_2$ make at most $q$ queries of total input length $\ell_{in}$ or total output length $\ell_{out}$ to their respective oracles and run in the time of $A$.
Proof: We use a standard hybrid argument, changing the experiment where $A$ has oracle $TapeGen(K, \cdot, \cdot)$ into one with oracle $OR(\cdot, \cdot)$ in two steps. Namely, first change the former oracle to, on input $\ell, x$, output not $G(\ell, F(K, x))$ but $G(\ell, s)$ for an independent random $s \in \{0,1\}^k$. The change in $A$'s advantage is bounded by $\mathbf{Adv}^{\text{prf}}_F(B_1)$, where $B_1$ is the PRF adversary against $F$ that runs $A$, responding to a query $\ell, x$ by querying its own oracle with $x$ to receive response $y$, and then returning $G(\ell, y)$ to $A$. Next change $A$'s oracle to, on input $\ell, x$, return $OR(\ell, x)$. This time the change in $A$'s advantage is bounded by $\mathbf{Adv}^{\text{vol-prg}}_G(B_2)$, where $B_2$ is the VOL-PRG adversary against $G$ that runs $A$, responding to a query $\ell, x$ with the response it receives to query $\ell$ to its own oracle, and the proposition follows.

Concretely, we suggest the following blockcipher-based consistent VOL-PRG for $G$. Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher. Define the associated VOL-PRG $G[E]$ with seed-length $k$ and maximum output length $n 2^n$, where $G[E]$ on inputs $s \in \{0,1\}^k$ and $1^\ell$ outputs the first $\ell$ bits of the sequence $E(s, \langle 1 \rangle) \,\|\, E(s, \langle 2 \rangle) \,\|\, \ldots$ (Here $\langle i \rangle$ denotes the $n$-bit binary encoding of $i \in \mathbb{N}$.) The following says that $G[E]$ is a consistent VOL-PRG if $E$ is a PRF.

Proposition 5.2 Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, and let $A$ be an adversary against $G[E]$ making at most $q$ oracle queries whose responses total at most $pn$ bits. Then there is an adversary $B$ against $E$ such that
$$\mathbf{Adv}^{\text{vol-prg}}_{G[E]}(A) \le 2q \cdot \mathbf{Adv}^{\text{prf}}_E(B).$$
Adversary $B$ makes at most $p$ queries to its oracle and runs in the time of $A$. Furthermore, $G[E]$ is consistent.
It is easy to prove the above for a VOL-PRG adversary making 1 query, and then the proposition follows by a standard hybrid argument.

Now, to instantiate the VIL-PRF $F$ in the TapeGen construction, we suggest OMAC (aka. CMAC) [21], which is also blockcipher-based and introduces no additional assumption. Then the secret key for TapeGen consists only of that for OMAC, which in turn consists of just one key for the underlying blockcipher (e.g. AES).

5.2 Our OPE Scheme and its Analysis

The scheme. Let TapeGen be as above, with key-space $Keys$. Our associated order-preserving encryption scheme $OPE[TapeGen] = (\mathcal{K}, Enc, Dec)$ is defined as follows. The plaintext and ciphertext-spaces are sets of consecutive integers $D, R$, respectively. Algorithm $\mathcal{K}$ returns a random $K \in Keys$. Algorithms $Enc, Dec$ are the same as LazySample, LazySampleInv, respectively, except that HGD

Proof:
$$\begin{aligned}
\mathbf{Adv}^{\text{popf-cca}}_{OPE[TapeGen]}(A) &= \Pr\left[A^{Enc(K,\cdot),\,Dec(K,\cdot)} = 1\right] - \Pr\left[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\right] \\
&= \Pr\left[A^{Enc(K,\cdot),\,Dec(K,\cdot)} = 1\right] - \Pr\left[A^{LazySample(D,R,\cdot),\,LazySampleInv(D,R,\cdot)} = 1\right] \\
&\le \mathbf{Adv}^{\text{lf-prf}}_{TapeGen}(B) + \epsilon.
\end{aligned}$$
The first equation is by definition. The second equation is due to Theorem 4.2. The last inequality is justified as follows. Adversary $B$ is given an oracle for either TapeGen or a random function with corresponding input and output lengths. It runs $A$ and replies to its oracle queries by simulating the $Enc$ and $Dec$ algorithms. Note that only the procedure TapeGen used by these algorithms uses the secret key. $B$ simulates it using its own oracle. By construction our $Enc$ and $Dec$ algorithms differ from LazySample and LazySampleInv respectively only in the use of random tape, which is truly random in one case and pseudorandom in the other. Thus any difference in the probabilities in the second line will result in a difference in $B$'s output distribution, which is $\mathbf{Adv}^{\text{prf}}_{TapeGen}(B)$. Above, $\epsilon$ represents an "error term" due to the fact that the "exact" hypergeometric sampling algorithm of [22] technically requires infinite floating-point precision, which is not possible in the real world. One way to bound $\epsilon$ would be to bound the probability that an adversary can distinguish the used HGD sampling algorithm from the ideal (infinite precision) one. $B$'s running time and resources are justified by observing the algorithms and their efficiency analysis.
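As an added example (not code from the paper), the following Python puts the HGD-based LazySample and LazySampleInv of Section 4.2 into the stateless $Enc$/$Dec$ form of Section 5.2 by deriving every GetCoins output from a keyed PRF. It assumes HMAC-SHA256 in place of TapeGen, realises HGD by exact inverse-CDF sampling over rationals rather than the floating-point algorithm of [22] (so the truncation error of Section 4.5 does not enter the sampler), and uses constructed domain and range sizes.

```python
# Added example, not the paper's code. HMAC-SHA256 stands in for TapeGen and
# an exact rational inverse-CDF sampler stands in for the HGD algorithm of [22].
import hashlib
import hmac
from fractions import Fraction
from math import comb

COIN_BITS = 256  # one GetCoins call yields a 256-bit coin (assumed coin length)


class LazyOPF:
    """Lazy-sampled order-preserving function from domain D into range R, |D| <= |R|.
    F and I (Figure 1) are plain dicts; since every coin is recomputed from
    (key, D, R, b||z) they are only a cache, which is what removes the joint state."""

    def __init__(self, key: bytes, domain: range, rng: range):
        self.key = key
        self.D, self.R = domain, rng
        self.F = {}  # F[(d, r, N, m)]    -> image of the lone domain point m
        self.I = {}  # I[(d, M, r, N, y)] -> domain gap x assigned to range gap y

    def get_coins(self, d, M, r, N, b, z):
        """GetCoins(1^l, D, R, b||z), realised as HMAC-SHA256 (assumed PRF)."""
        msg = f"{d},{M},{r},{N},{b},{z}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest(), "big")

    @staticmethod
    def hgd(N, M, k, coin):
        """Exact HGD sample: black balls among k drawn without replacement from N
        balls of which M are black. Inverse CDF over exact rationals; the only
        deviation from the ideal is the 2^-COIN_BITS grid of the coin."""
        u = Fraction(coin, 1 << COIN_BITS)
        total = comb(N, k)
        lo, hi = max(0, k - (N - M)), min(M, k)
        acc = Fraction(0)
        for x in range(lo, hi + 1):
            acc += Fraction(comb(M, x) * comb(N - M, k - x), total)
            if u < acc:
                return x
        return hi  # not reached: acc ends at exactly 1 > u

    def _split(self, d, M, r, N):
        """Map the middle range gap y to a domain gap x (Figure 1, lines 09-12)."""
        y = r + (N + 1) // 2  # r + ceil(N/2)
        key = (d, M, r, N, y)
        if key not in self.I:
            cc = self.get_coins(d, M, r, N, 0, y)
            self.I[key] = d + self.hgd(N, M, y - r, cc)  # x - d ~ HGD(N, M, y - r)
        return y, self.I[key]

    def _leaf(self, d, r, N, m):
        """|D| = 1: the lone point m gets a point of R = {r+1..r+N} (lines 05-08)."""
        key = (d, r, N, m)
        if key not in self.F:
            cc = self.get_coins(d, 1, r, N, 1, m)
            self.F[key] = r + 1 + (cc * N >> COIN_BITS)  # uniform up to 2^-256 bias
        return self.F[key]

    def encrypt(self, m):
        """Enc(K, m) = LazySample(D, R, m): binary search over range gaps."""
        d, M, r, N = self.D.start - 1, len(self.D), self.R.start - 1, len(self.R)
        if not d < m <= d + M:
            raise ValueError("m outside the plaintext space")
        while M > 1:
            y, x = self._split(d, M, r, N)
            if m <= x:                       # lower part: D={d+1..x}, R={r+1..y}
                M, N = x - d, y - r
            else:                            # upper part: D={x+1..d+M}, R={y+1..r+N}
                d, M, r, N = x, d + M - x, y, r + N - y
        return self._leaf(d, r, N, m)

    def decrypt(self, c):
        """Dec(K, c) = LazySampleInv(D, R, c); None when c is not in the image."""
        d, M, r, N = self.D.start - 1, len(self.D), self.R.start - 1, len(self.R)
        if not r < c <= r + N:
            raise ValueError("c outside the ciphertext space")
        while M > 1:
            y, x = self._split(d, M, r, N)
            if c <= y:
                M, N = x - d, y - r
            else:
                d, M, r, N = x, d + M - x, y, r + N - y
            if M == 0:                       # this range segment holds no domain point
                return None
        m = d + 1
        return m if self._leaf(d, r, N, m) == c else None


def demo(key=b"constructed-demo-key", M=8, N=32):
    """Encrypt the constructed plaintext space [1..M] into [1..N] and report
    (ciphertexts, strictly increasing?, decryption inverts every ciphertext?)."""
    opf = LazyOPF(key, range(1, M + 1), range(1, N + 1))
    cts = [opf.encrypt(m) for m in range(1, M + 1)]
    ordered = all(a < b for a, b in zip(cts, cts[1:]))
    inverts = all(opf.decrypt(c) == m for m, c in enumerate(cts, start=1))
    return cts, ordered, inverts
```

A second instance with the same key reproduces the same function from scratch, which is the property that lets the scheme drop the shared arrays; ciphertexts outside the image decrypt to None, matching the $\bot$ of LazySampleInv.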
Efficiency. The efficiency of our scheme follows from our previous analyses. Using the suggested implementation of TapeGen in Subsection 5.1, encryption and decryption require the time for at most $\log N + 1$ invocations of HGD on inputs of size at most $\log N$ plus at most $(5 \log M + 12)(5 \log N + \epsilon' + 1)/128$ invocations of AES on average, for $\epsilon'$ in the theorem.

5.3 On Choosing N

One way to choose the size of the ciphertext-space $N$ for our scheme is just to ensure the number of functions $[M]$ to $[N]$ is very large, say more than $2^{80}$. (We assume that the size of the plaintext-space $M$ is given.) The number of such functions, which is given by $\binom{N}{M}$, is maximized when $M = N/2$. And, since $(N/M)^M \le \binom{N}{M}$, it is greater than $2^{80}$ as long as $M = N/2 > 80$. However, once we have a greater understanding of what information about the data is leaked by a random order-preserving function (the "ideal object" in our POPF-CCA definition), more sophisticated criteria might be used to select $N$. In fact, it would also be possible to view our scheme more as a "tool" like a blockcipher rather than a full-fledged encryption scheme itself, and to try to use it to design an OPE scheme with better security in some cases. We leave these as interesting and important directions for future work.

6 On Using the Negative Hypergeometric Distribution

In the balls-and-bins model described in Section 4.1 with $M$ black and $N - M$ white balls in the bin, consider the random variable $Y$ describing the total number of balls in our sample after we pick the $x$-th black ball. This random variable follows the negative hypergeometric (NHG) distribution. Formally,
$$P_{NHGD}(y; N, M, x) = \frac{\binom{y-1}{x-1}\binom{N-y}{M-x}}{\binom{N}{M}}.$$

use the subroutine GetCoins from before, which takes inputs $1^\ell$, $D$, $R$, and $b \| z$, where $b \in \{0,1\}$ and $z \in R$ if $b = 0$ and $z \in D$ otherwise, to return $cc \in \{0,1\}^\ell$. Also, recall that the array $I$, initially empty, is global and shared between the algorithms. The algorithm descriptions are given in Figure 4.

LazySample*(D, R, m)
    M ← |D|; N ← |R|
    d ← min(D) − 1; r ← min(R) − 1
    x ← d + ⌈M/2⌉
    If I[D, R, x] is undefined then
        cc ←$ GetCoins(1^{ℓ_1}, D, R, 0‖x)
        I[D, R, x] ←$ NHGD(D, R, x, cc)
    y ← I[D, R, x]
    If m = x then Return y
    If m < x then
        D ← {d+1, ..., x−1}; R ← {r+1, ..., y−1}
    Else
        D ← {x+1, ..., d+M}; R ← {y+1, ..., r+N}
    Return LazySample*(D, R, m)

LazySampleInv*(D, R, c)
    If |D| = 0 then return ⊥
    M ← |D|; N ← |R|
    d ← min(D) − 1; r ← min(R) − 1
    x ← d + ⌈M/2⌉
    If I[D, R, x] is undefined then
        cc ←$ GetCoins(1^{ℓ_1}, D, R, 0‖x)
        I[D, R, x] ←$ NHGD(D, R, x, cc)
    y ← I[D, R, x]
    If c = y then Return x
    If c < y then
        D ← {d+1, ..., x−1}; R ← {r+1, ..., y−1}
    Else
        D ← {x+1, ..., d+M}; R ← {y+1, ..., r+N}
    Return LazySampleInv*(D, R, c)

Figure 4: The revised LazySample*, LazySampleInv* algorithms for the NHGD scheme.

With these revised versions of LazySample*, LazySampleInv*, we supply a revised version of Theorem 4.2 for the NHGD case.

Theorem 6.1 Suppose GetCoins returns truly random coins on each new input. Then for any (even computationally unbounded) algorithm $A$ we have
$$\Pr\left[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\right] = \Pr\left[A^{LazySample^*(D,R,\cdot),\,LazySampleInv^*(D,R,\cdot)} = 1\right],$$
where $g, g^{-1}$ denote an order-preserving function picked at random from $OPF_{D,R}$ and its inverse, respectively.

Proof: Since we consider unbounded adversaries, we can ignore the inverse oracle in our analysis, since such an adversary can always query all points in the domain to learn all points in the image. Let $M = |D|$, $N = |R|$, $d = \min(D) - 1$, and $r = \min(R) - 1$. We will say that two functions $g, h : D \to R$ are equivalent if $g(m) = h(m)$ for all $m \in D$. (Note that if $D = \emptyset$, any two functions $g, h : D \to R$ are vacuously equivalent.) Let $f$ be any function in $OPF_{D,R}$. To prove the theorem, it is enough to show that the function defined by $LazySample^*(D, R, \cdot)$ is equivalent to $f$ with probability $1/|OPF_{D,R}|$. We prove this using strong induction on $M$ and $N$.

Consider the base case where $M = 1$, i.e., $D = \{m\}$ for some $m$, and $N \ge M$. When it is first called, $LazySample^*(D, R, m)$ will determine random coins $cc$, then enter the result of $NHGD(D, R, m, cc)$ into $I[D, R, m]$, whereupon any future calls of $LazySample^*(D, R, m)$ will

Therefore, $LazySample^*(D, R, \cdot)$ is equivalent to $f$ with probability $1/\binom{N}{M} = 1/|OPF_{D,R}|$. Since $f$ was an arbitrary element of $OPF_{D,R}$, the result follows.
Now, it is straightforward to prove the formal statement of correctness as before.

Theorem 6.2 Let $OPE[TapeGen]$ be the OPE scheme defined above with plaintext-space of size $M$ and ciphertext-space of size $N$. Then for any adversary $A$ against $OPE[TapeGen]$ making at most $q$ queries to its oracles combined, there is an adversary $B$ against TapeGen such that
$$\mathbf{Adv}^{\text{popf-cca}}_{OPE[TapeGen]}(A) \le \mathbf{Adv}^{\text{lf-prf}}_{TapeGen}(B) + \epsilon.$$
Adversary $B$ makes at most $q_1 = q(\log N + 1)$ queries of size at most $5 \log N + 1$ to its oracle, whose responses total $q_1 \epsilon'$ bits on average, and its running-time is that of $A$. Above, $\epsilon, \epsilon'$ are constants depending only on NHGD and the precision of the underlying floating-point computations (not on $M, N$).

Proof: The proof of this theorem is identical to that of Theorem 5.3, except that it uses Theorem 6.1 as a lemma rather than Theorem 4.2.

6.3 Efficiency of the NHGD Scheme

Efficiency-wise, it is not hard to see that to encrypt a single plaintext, each algorithm performs $\log M + 1$ recursions in the worst case (as opposed to $\log N + 1$ for the HG-based algorithms), as the algorithm finds the desired plaintext via a binary search over the plaintext space, at each recursion calling NHGD to determine the encryption of the midpoint (defined as the last plaintext in the first half of the current plaintext domain). The expected number of recursions is easily deduced as
$$\frac{1}{M}\left[(\log M + 1) + \sum_{k=1}^{\log M} 2^{k-1} k\right].$$
A simple inductive proof shows that this value is between $\log M - 1$ and $\log M$. This falls in line with what we expect from a binary-search strategy, where the expected number of iterations is typically only about 1 fewer than the worst-case number of iterations. The algorithms of the corresponding OPE scheme can be obtained following the same idea of eliminating state by using a length-flexible PRF as described in Section 5.2. The security statement is the same as that of Theorem 5.3, where the last term now corresponds to the error probability of the NHGD algorithm.

Acknowledgements

We thank Anna Lysyanskaya, Silvio Micali, Leonid Reyzin, Ron Rivest, Phil Rogaway and the anonymous reviewers of Eurocrypt 2009 for helpful comments and references. Alexandra Boldyreva and Adam O'Neill are supported in part by Alexandra's NSF CAREER award 0545659 and NSF Cyber Trust award 0831184. Younho Lee was supported in part by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD) (KRF: 2007-357-D00243). Also, he is supported by Professor Mustaque Ahamad through the funding provided by IBM ISS and AT&T.

[18] O. Goldreich, S. Goldwasser, and A. Nussboim. On the implementation of huge random objects. FOCS '03, IEEE, 2003.
[19] L. Granboulan and T. Pornin. Perfect block ciphers with small blocks. In FSE '07, pp. 452–465. Springer, 2007.
[20] P. Indyk, R. Motwani, P. Raghavan, and S. Vempala. Locality-preserving hashing in multidimensional spaces. In STOC '97, pp. 618–625. ACM, 1997.
[21] T. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. In FSE '03, pp. 137–161. Springer, 2003.
[22] V. Kachitvichyanukul and B. W. Schmeiser. Computer generation of hypergeometric random variates. Journal of Statistical Computation and Simulation, 22(2):127–145, 1985.
[23] V. Kachitvichyanukul and B. W. Schmeiser. Algorithm 668: H2PEC: sampling from the hypergeometric distribution. ACM Transactions on Mathematical Software, 14(4):397–398, 1988.
[24] J. Li and E. Omiecinski. Efficiency and security trade-off in supporting range queries on encrypted databases. In DBSec '05, pp. 69–83. Springer, 2005.
[25] N. Linial and O. Sasson. Non-expansive hashing. In STOC '96, pp. 509–518. ACM, 1996.
[26] F. Lopez-Blazquez and B. Salamanca Miño. Exact and approximated relations between negative hypergeometric and negative binomial probabilities. Communications in Statistics. Theory and Methods, 30(5):957–967, 2001.
[27] P. Rogaway and T. Shrimpton. A provable-security treatment of the key-wrap problem. In EUROCRYPT '06, pp. 373–390. Springer, 2006.
[28] E. Shi, J. Bethencourt, T-H. H. Chan, D. Song, and A. Perrig. Multi-dimensional range query over encrypted data. In Symposium on Security and Privacy '07, pp. 350–364. IEEE, 2007.
[29] A. J. Walker. An efficient method for generating discrete random variables with general distributions. ACM Transactions on Mathematical Software, 3:253–256, 1977.
[30] D. Westhoff, J. Girao, and M. Acharya. Concealed data aggregation for reverse multicast traffic in sensor networks: Encryption, key distribution, and routing adaptation. IEEE Transactions on Mobile Computing, 5(10):1417–1431, 2006.
[31] J. Xu, J. Fan, M. H. Ammar, and S. B. Moon. Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme. In ICNP '02, pp. 280–289. IEEE, 2002.