DownloadNote - The PPT/PDF document "Public-Key Encryption in the Bounded-Ret..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Public-Key Encryption in the Bounded-Retrieval Model
Slide1
Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Earlier Today:
Yevgeniy
covered
ID schemes, Signatures, Interactive Encryption/Authentication/AKA
Slide2
Leakage Resilience and the BRM
Leakage Resilience: Cryptographic schemes that remain secure even if adversary learns partial information about sk.Goal: High relative leakage.Bounded Retrieval Model: Absolute size of leakage can be arbitrarily large (bits, Mb, Gb…).Accommodate any leakage threshold by increasing key size flexibly.No other loss of efficiency!
sk
leak
f(sk)
90% of |sk|
[AGV09, NS09,…]
[Dzi06, CLW06,…]
Slide3
Why have schemes in the BRM?
Security against viruses:Virus downloads arbitrary information from local storage and sends it to a remote attacker.In practice, virus cannot download too much (< 10 GB).Bandwidth too low, Cost too high, System security may detect.Security against side-channel attacks:Adversary gets some “physical output” of computation.May be unreasonable to learn “too much” info, even after many physical readings.How much is “too much” depends on physical implementation (few Kb - few Mb).
Slide4
Prior Work
Leakage Resilience (
No BRM
):
Symmetric-Key Authenticated Encryption [DKL09]
Public-Key
Encryption
[AGV09, NS09, KV09]
Signatures [ADW09, Katz09]
Bounded Retrieval Model:
Secret Sharing [DP07]
Symmetric-Key Identification and Authenticated Key Agreement [Dzi06,CDD
+
07]
Public-Key
ID schemes
,
Signatures
,
Authenticated Key Agreement [ADW09]
Now:
Public-Key
Encryption in
the BRM.
Slide5
Public-Key Encryption in the BRM
Goal: PKE parameterized by security parameter
s
(e.g. 256 bits) and leakage bound
L
(e.g. 256 bits - 10GB).
Secret Key size is flexible: |
sk
| = (1 +
ε
)
L.
Public Keys and
Ciphertexts
are short, only depend on
s
.
Decryption is local. Number of bits accessed is proportional to
s
.
Naïve Attempt : “Take any leakage-resilient PKE tolerating
l
(|
sk
|) leakage. Increase security parameter
s
until
l
(|
sk
|) >
L
.”
Problem:
Public-key/
Ciphertext
size depends on L. May be huge.
Problem:
Decryption is not local.
Problem:
Computation over groups with 10 GB description length.
Positive:
Very Secure!
Slide6
PKE in the BRM via Composition of PKE
Attempt #1: “Compose n copies of Leakage-Resilient PKE”Generate n pairs (pk1,sk1),…, (pkn, skn). Set PK = (pk1,…, pkn), SK = (sk1,…, skn).To encrypt m: Compute shares (s1,…, sn) such that m = s1 + …+ sn. Set c1=Enc(pk1, s1),…, cn=Enc(pkn, sn). Ciphertext is C = (c1 ,…, cn).Hope: Composed scheme amplifies leakage from l to L = n l bits without unnecessary increase in security parameter.Intuition: To break the composed scheme, must leak l bits about each of (sk1,…, skn).Unfortunately ciphertext size, public key size and locality are still large.
Can intuition be formalized? Stay tuned…
pk
1
pk
2
…
pk
n
PK
SK
sk
1
sk2
…
skn
Slide7
PKE in the BRM via Composition of IBE
Attempt #2: Use Leakage-Resilient IBE to Reduce Public-Key Size.Generate a master-key pair (MPK, MSK) for an IBE. Use MSK to generate keys sk1,…, skn for identities 1,…,n. Set PK = MPK, SK = (sk1,…, skn). Delete MSK.To encrypt m: Compute shares (s1,…, st) such that m = s1 + …+ st. Choose t random identities IDi ∊ [n].Set c1=Enc(ID1, s1),…, cn=Enc(IDt, st).Ciphertext is C = (ID1 ,…, IDt , c1 ,…, ct).Good news: Ciphertext, Public-Key, Locality is proportional to security parameter.Need leakage resilient IBE. (Of Independent Interest)Is the composition secure?
MPK
SK
sk
1
sk
2
…
sk
n
ID=1
ID=2
ID=n
Random Subset of [n]
Slide8
Does Composition Amplify Leakage Resilience?
Composition of Leakage-Resilient PKE (Attempt 1):
Intuition
does not
formalize into a reduction.
Problem:
cannot simulate
L
bits leakage on SK = (sk
1
,…,
sk
n
) by leaking only
l
< L
bits of sk
i
.
Do not know of an counterexample (even artificial).
but black-box reductions won’t work…
Composition using Leakage-Resilient IBE (Attempt 2):
Have an (artificial)
counterexample
.
Idea: secret keys of identities 1,…,n contain secret-sharing of master secret key.
Good news
: composition amplifies leakage resilience for PKE/IBE of
special form.
Based on hash-proof-systems [CS02, NS09].
Slide9
Leakage Resilience from Hash-Proof Systems
Earlier today: construction of Leakage-Resilient PKE from Hash-Proof Systems [NS09].
R= {(
pk,sk
) pairs}.
Many valid
sk
for each
pk
.
Three algorithms
(
Encap
,
BadEncap
,
Decap
)
Good encapsulation:
(e, k) =
Encap
(
pk
).
Bad encapsulation:
e =
BadEncap
(
pk
).
Decapsulation
:
k =
Decap
(e,
sk
).
Can’t distinguish if
e
is good or
bad
(even given
sk
).
For fixed
pk
, bad
e
:
Decap
(
e
,sk
)
is statistically uniform.
Encryption/Decryption: use
k
as a one-time-pad.
Encrypt(m,
pk
) = (e,
k+m
)
where
(
e,k
) =
Encap
(
pk
).
Slide10
Composition of Hash Proof Systems
Let PK = (pk
1
,…, pk
n
), SK = (sk
1
,…, sk
n
).
Encrypt(m,pk) = (E, K+m) where
E = (e
1
,…, e
n
, r) for (e
i
, k
i
) = Encap(pk
i
)
K = Extract(k
1
,…, k
n
; r)
Slide11
Theorem: Composition of Hash-Proof Systems Amplifies Leakage
Show that: E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where (ei ,ki ) = Encap(pki) E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where ei = Encap(pki), ki = Decap(ei , ski) E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where ei = BadEncap(pki), ki = Decap(ei , ski) E = [(e1,…, en), r], Leak(SK), Uniform
|Uniform| = n|ki | - |Leak(SK)| - O(S)
INDISTINGUISHABLE
Slide12
How to get PKE in BRM?
Recap: “Attempt 1” scheme can be fixed using Hash-Proof Systems.Long ciphertexts, public-keys, and no locality.How to fix “Attempt 2” scheme based on IBE?Need “Identity Based Hash-Proof System” (IB-HPS).Formalized this new notion.Result 1: IB-HPS gives us Leakage-Resilient IBE.Result 2: IB-HPS gives us efficient PKE in BRM.Resulting IBE is used to instantiate “Attempt 2” scheme.Constructions?
Download this presentation
DownloadNote - The PPT/PDF document "Public-Key Encryption in the Bounded-Ret..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Earlier Today:
Yevgeniy
covered
ID schemes, Signatures, Interactive Encryption/Authentication/AKA
Slide2Leakage Resilience and the BRM
Leakage Resilience: Cryptographic schemes that remain secure even if adversary learns partial information about sk.Goal: High relative leakage.Bounded Retrieval Model: Absolute size of leakage can be arbitrarily large (bits, Mb, Gb…).Accommodate any leakage threshold by increasing key size flexibly.No other loss of efficiency!
sk
leak
f(sk)
90% of |sk|
[AGV09, NS09,…]
[Dzi06, CLW06,…]
Slide3Why have schemes in the BRM?
Security against viruses:Virus downloads arbitrary information from local storage and sends it to a remote attacker.In practice, virus cannot download too much (< 10 GB).Bandwidth too low, Cost too high, System security may detect.Security against side-channel attacks:Adversary gets some “physical output” of computation.May be unreasonable to learn “too much” info, even after many physical readings.How much is “too much” depends on physical implementation (few Kb - few Mb).
Slide4Prior Work
Leakage Resilience (
No BRM
):
Symmetric-Key Authenticated Encryption [DKL09]
Public-Key
Encryption
[AGV09, NS09, KV09]
Signatures [ADW09, Katz09]
Bounded Retrieval Model:
Secret Sharing [DP07]
Symmetric-Key Identification and Authenticated Key Agreement [Dzi06,CDD
+
07]
Public-Key
ID schemes
,
Signatures
,
Authenticated Key Agreement [ADW09]
Now:
Public-Key
Encryption in
the BRM.
Slide5Public-Key Encryption in the BRM
Goal: PKE parameterized by security parameter
s
(e.g. 256 bits) and leakage bound
L
(e.g. 256 bits - 10GB).
Secret Key size is flexible: |
sk
| = (1 +
ε
)
L.
Public Keys and
Ciphertexts
are short, only depend on
s
.
Decryption is local. Number of bits accessed is proportional to
s
.
Naïve Attempt : “Take any leakage-resilient PKE tolerating
l
(|
sk
|) leakage. Increase security parameter
s
until
l
(|
sk
|) >
L
.”
Problem:
Public-key/
Ciphertext
size depends on L. May be huge.
Problem:
Decryption is not local.
Problem:
Computation over groups with 10 GB description length.
Positive:
Very Secure!
Slide6PKE in the BRM via Composition of PKE
Attempt #1: “Compose n copies of Leakage-Resilient PKE”Generate n pairs (pk1,sk1),…, (pkn, skn). Set PK = (pk1,…, pkn), SK = (sk1,…, skn).To encrypt m: Compute shares (s1,…, sn) such that m = s1 + …+ sn. Set c1=Enc(pk1, s1),…, cn=Enc(pkn, sn). Ciphertext is C = (c1 ,…, cn).Hope: Composed scheme amplifies leakage from l to L = n l bits without unnecessary increase in security parameter.Intuition: To break the composed scheme, must leak l bits about each of (sk1,…, skn).Unfortunately ciphertext size, public key size and locality are still large.
Can intuition be formalized? Stay tuned…
pk
1
pk
2
…
pk
n
PK
SK
sk
1
sk2
…
skn
Slide7PKE in the BRM via Composition of IBE
Attempt #2: Use Leakage-Resilient IBE to Reduce Public-Key Size.Generate a master-key pair (MPK, MSK) for an IBE. Use MSK to generate keys sk1,…, skn for identities 1,…,n. Set PK = MPK, SK = (sk1,…, skn). Delete MSK.To encrypt m: Compute shares (s1,…, st) such that m = s1 + …+ st. Choose t random identities IDi ∊ [n].Set c1=Enc(ID1, s1),…, cn=Enc(IDt, st).Ciphertext is C = (ID1 ,…, IDt , c1 ,…, ct).Good news: Ciphertext, Public-Key, Locality is proportional to security parameter.Need leakage resilient IBE. (Of Independent Interest)Is the composition secure?
MPK
SK
sk
1
sk
2
…
sk
n
ID=1
ID=2
ID=n
Random Subset of [n]
Slide8Does Composition Amplify Leakage Resilience?
Composition of Leakage-Resilient PKE (Attempt 1):
Intuition
does not
formalize into a reduction.
Problem:
cannot simulate
L
bits leakage on SK = (sk
1
,…,
sk
n
) by leaking only
l
< L
bits of sk
i
.
Do not know of an counterexample (even artificial).
but black-box reductions won’t work…
Composition using Leakage-Resilient IBE (Attempt 2):
Have an (artificial)
counterexample
.
Idea: secret keys of identities 1,…,n contain secret-sharing of master secret key.
Good news
: composition amplifies leakage resilience for PKE/IBE of
special form.
Based on hash-proof-systems [CS02, NS09].
Slide9Leakage Resilience from Hash-Proof Systems
Earlier today: construction of Leakage-Resilient PKE from Hash-Proof Systems [NS09].
R= {(
pk,sk
) pairs}.
Many valid
sk
for each
pk
.
Three algorithms
(
Encap
,
BadEncap
,
Decap
)
Good encapsulation:
(e, k) =
Encap
(
pk
).
Bad encapsulation:
e =
BadEncap
(
pk
).
Decapsulation
:
k =
Decap
(e,
sk
).
Can’t distinguish if
e
is good or
bad
(even given
sk
).
For fixed
pk
, bad
e
:
Decap
(
e
,sk
)
is statistically uniform.
Encryption/Decryption: use
k
as a one-time-pad.
Encrypt(m,
pk
) = (e,
k+m
)
where
(
e,k
) =
Encap
(
pk
).
Slide10Composition of Hash Proof Systems
Let PK = (pk
1
,…, pk
n
), SK = (sk
1
,…, sk
n
).
Encrypt(m,pk) = (E, K+m) where
E = (e
1
,…, e
n
, r) for (e
i
, k
i
) = Encap(pk
i
)
K = Extract(k
1
,…, k
n
; r)
Slide11Theorem: Composition of Hash-Proof Systems Amplifies Leakage
Show that: E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where (ei ,ki ) = Encap(pki) E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where ei = Encap(pki), ki = Decap(ei , ski) E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r) Where ei = BadEncap(pki), ki = Decap(ei , ski) E = [(e1,…, en), r], Leak(SK), Uniform
|Uniform| = n|ki | - |Leak(SK)| - O(S)
INDISTINGUISHABLE
Slide12How to get PKE in BRM?
Recap: “Attempt 1” scheme can be fixed using Hash-Proof Systems.Long ciphertexts, public-keys, and no locality.How to fix “Attempt 2” scheme based on IBE?Need “Identity Based Hash-Proof System” (IB-HPS).Formalized this new notion.Result 1: IB-HPS gives us Leakage-Resilient IBE.Result 2: IB-HPS gives us efficient PKE in BRM.Resulting IBE is used to instantiate “Attempt 2” scheme.Constructions?
Slide13Constructing IB-HPS
Construction based on the [Gentry06] IBE .
Based on “q-ABDHA” (pairing stuff....)
Allows leakage of (½ -
ε
) of secret key.
Construction based on [GPV08] IBE.
Based on “LWE” (lattice stuff + RO)
Proven as leakage-resilient IBE by [AGV09].
Allows leakage of (1 -
ε
) of secret key.
Slide14Slide15Slide16