Your SlideShare is downloading. ×
0
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Public-Key Encryption in the Bounded-Retrieval Model

341

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
341
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Public-Key Encryption in the Bounded-Retrieval Model
    Earlier Today:
    Yevgeniy covered
    ID schemes, Signatures, Interactive Encryption/Authentication/AKA
    Joël Alwen, YevgeniyDodis, MoniNaor,
    Gil Segev, ShabsiWalfish, Daniel Wichs
  • 2. Leakage Resilience and the BRM
    • Leakage Resilience: Cryptographic schemes that remain secure even if adversary learns partial information about sk.
    • 3. Goal: High relative leakage.
    • 4. Bounded Retrieval Model: Absolute size of leakage can be arbitrarily large (bits, Mb, Gb…).
    • 5. Accommodate any leakage threshold by increasing key size flexibly.
    • 6. No other loss of efficiency!
    [AGV09, NS09,…]
    sk
    f(sk)
    leak
    [Dzi06, CLW06,…]
    90% of |sk|
  • 7. Why have schemes in the BRM?
    • Security against viruses:
    • 8. Virus downloads arbitrary information from local storage and sends it to a remote attacker.
    • 9. In practice, virus cannot download too much (< 10 GB).
    • 10. Bandwidth too low, Cost too high, System security may detect.
    • 11. Security against side-channel attacks:
    • 12. Adversary gets some “physical output” of computation.
    • 13. May be unreasonable to learn “too much” info, even after many physical readings.
    • 14. How much is “too much” depends on physical implementation (few Kb - few Mb).
  • Prior Work
    • Leakage Resilience (No BRM):
    • 15. Symmetric-Key Authenticated Encryption [DKL09]
    • 16. Public-KeyEncryption [AGV09, NS09, KV09]
    • 17. Signatures [ADW09, Katz09]
    • 18. Bounded Retrieval Model:
    • 19. Secret Sharing [DP07]
    • 20. Symmetric-Key Identification and Authenticated Key Agreement [Dzi06,CDD+07]
    • 21. Public-Key ID schemes, Signatures, Authenticated Key Agreement [ADW09]
    • 22. Now: Public-KeyEncryption in the BRM.
  • Public-Key Encryption in the BRM
    • Goal: PKE parameterized by security parameter s (e.g. 256 bits) and leakage bound L (e.g. 256 bits - 10GB).
    • 23. Secret Key size is flexible: |sk| = (1 + ε)L.
    • 24. Public Keys and Ciphertexts are short, only depend on s.
    • 25. Decryption is local. Number of bits accessed is proportional to s.
    • 26. Naïve Attempt : “Take any leakage-resilient PKE tolerating l(|sk|) leakage. Increase security parameter s until l(|sk|) > L.”
    • 27. Problem: Public-key/Ciphertext size depends on L. May be huge.
    • 28. Problem: Decryption is not local.
    • 29. Problem: Computation over groups with 10 GB description length.
    • 30. Positive: Very Secure!
  • PKE in the BRM via Composition of PKE
    • Attempt #1: “Compose n copies of Leakage-Resilient PKE”
    • 31. Generate n pairs (pk1,sk1),…, (pkn, skn). Set PK = (pk1,…, pkn), SK = (sk1,…, skn).
    • 32. To encrypt m:
    • 33. Compute shares (s1,…, sn) such that m = s1 + …+ sn.
    • 34. Set c1=Enc(pk1, s1),…, cn=Enc(pkn, sn).
    • 35. Ciphertext is C = (c1 ,…, cn).
    • 36. Hope: Composed scheme amplifies leakage from lto L = n lbitswithout unnecessary increase in security parameter.
    • 37. Intuition: To break the composed scheme, must leak l bits about each of (sk1,…, skn).
    • 38. Unfortunately ciphertext size, public key size and locality are still large.
    PK
    SK
    pk1
    sk1
    pk2
    sk2


    Can intuition be formalized? Stay tuned…
    pkn
    skn
  • 39. PKE in the BRM via Composition of IBE
    • Attempt #2: Use Leakage-Resilient IBE to Reduce Public-Key Size.
    • 40. Generate a master-key pair (MPK, MSK) for an IBE.
    • 41. Use MSK to generate keys sk1,…, sknfor identities 1,…,n.
    • 42. Set PK = MPK, SK = (sk1,…, skn). Delete MSK.
    • 43. To encrypt m:
    • 44. Compute shares (s1,…, st) such that m = s1 + …+ st.
    • 45. Choose t random identities IDi∊ [n].
    • 46. Set c1=Enc(ID1, s1),…, cn=Enc(IDt, st).
    • 47. Ciphertext is C = (ID1 ,…, IDt , c1 ,…, ct).
    • 48. Good news: Ciphertext, Public-Key, Locality is proportional to security parameter.
    • 49. Need leakage resilient IBE. (Of Independent Interest)
    • 50. Is the composition secure?
    SK
    MPK
    sk1
    ID=1
    ID=2
    sk2

    Random Subset of [n]
    skn
    ID=n
  • 51. Does Composition Amplify Leakage Resilience?
    • Composition of Leakage-Resilient PKE (Attempt 1):
    • 52. Intuition does not formalize into a reduction.
    • 53. Problem: cannot simulate L bits leakage on SK = (sk1,…, skn) by leaking only l < L bits of ski.
    • 54. Do not know of an counterexample (even artificial).
    • 55. but black-box reductions won’t work…
    • 56. Composition using Leakage-Resilient IBE (Attempt 2):
    • 57. Have an (artificial) counterexample.
    Idea: secret keys of identities 1,…,n contain secret-sharing of master secret key.
    • Good news: composition amplifies leakage resilience for PKE/IBE of special form.
    • 58. Based on hash-proof-systems [CS02, NS09].
  • Leakage Resilience from Hash-Proof Systems
    • Earlier today: construction of Leakage-Resilient PKE from Hash-Proof Systems [NS09].
    • 59. R= {(pk,sk) pairs}. Many valid sk for each pk.
    • 60. Three algorithms (Encap, BadEncap, Decap)
    • 61. Good encapsulation: (e, k) = Encap(pk).
    • 62. Bad encapsulation: e = BadEncap(pk).
    • 63. Decapsulation: k = Decap(e, sk).
    • 64. Can’t distinguish if e is good or bad (even given sk).
    • 65. For fixed pk, bad e: Decap(e,sk) is statistically uniform.
    • 66. Encryption/Decryption: use k as a one-time-pad.
    • 67. Encrypt(m, pk) = (e, k+m) where (e,k) = Encap(pk).
  • Composition of Hash Proof Systems
    Let PK = (pk1,…, pkn), SK = (sk1,…, skn).
    Encrypt(m,pk) = (E, K+m) where
    E = (e1,…, en, r) for (ei , ki ) = Encap(pki)
    K = Extract(k1,…, kn; r)
  • 68. Theorem: Composition of Hash-Proof Systems Amplifies Leakage
    • Show that:
    E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r)
    Where (ei,ki ) = Encap(pki)
    E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r)
    Where ei = Encap(pki), ki = Decap(ei, ski)
    E = [e1,…, en, r], Leak(SK), K = Extract(k1,…, kn; r)
    Where ei = BadEncap(pki), ki = Decap(ei, ski)
    E = [(e1,…, en), r], Leak(SK), Uniform
    INDISTINGUISHABLE
    |Uniform| = n|ki | - |Leak(SK)| - O(S)
  • 69. How to get PKE in BRM?
    • Recap: “Attempt 1” scheme can be fixed using Hash-Proof Systems.
    • 70. Long ciphertexts, public-keys, and no locality.
    • 71. How to fix “Attempt 2” scheme based on IBE?
    • 72. Need “Identity Based Hash-Proof System” (IB-HPS).
    • 73. Formalized this new notion.
    • 74. Result 1: IB-HPS gives us Leakage-Resilient IBE.
    • 75. Result 2: IB-HPS gives us efficient PKE in BRM.
    • 76. Resulting IBE is used to instantiate “Attempt 2” scheme.
    • 77. Constructions?
  • Constructing IB-HPS
    Construction based on the [Gentry06] IBE .
    Based on “q-ABDHA” (pairing stuff....)
    Allows leakage of (½ - ε ) of secret key.
    Construction based on [GPV08] IBE.
    Based on “LWE” (lattice stuff + RO)
    Proven as leakage-resilient IBE by [AGV09].
    Allows leakage of (1 - ε ) of secret key.

×