1 / 53

Public-Key Encryption with Lazy Parties

Public-Key Encryption with Lazy Parties. Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN 2012. IMI Crypto Seminar 2012.12.17. One day in a class,. ・・・. Student 1. Student 2. Student 3. ・・・. Alice. One day in a class,.

elliot
Download Presentation

Public-Key Encryption with Lazy Parties

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public-Key Encryption withLazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN 2012 IMI Crypto Seminar 2012.12.17

  2. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice

  3. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice The class “Introduction to Cryptography”

  4. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice The class “Introduction to Cryptography” The final exam has finished.

  5. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice Do you understand public-key encryption ?

  6. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice Yes ! Yes ! Do you understand public-key encryption ? Yes !

  7. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice Good ! So, I’ll send your grades by PKE.

  8. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice Good ! So, I’ll send your grades by PKE. Please send me your public keys. All right ?

  9. One day in a class, ・・・ Student 1 Student 2 Student 3 ・・・ Alice Yes ! Yes ! Good ! So, I’ll send your grades by PKE. Yes ! Please send me your public keys. All right ?

  10. One day in a class, Alice

  11. One day in a class, Alice Although I said so, it is troublesome to encrypt all the grades.

  12. One day in a class, Alice Although I said so, it is troublesome to encrypt all the grades. But, since I promised to use PKE, I have to do…

  13. One day in a class, Alice Although I said so, it is troublesome to encrypt all the grades. But, since I promised to use PKE, I have to do… What happened ?

  14. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, …

  15. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・

  16. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, …

  17. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … It’s troublesome to encrypt honestly…

  18. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … It’s troublesome to encrypt honestly… Wait !

  19. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … The grades are personal information for students.Their security is not my concern.

  20. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … The grades are personal information for students.Their security is not my concern. Want to cut corners…

  21. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, …

  22. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … Encrypt by using all-zero string as randomness CTs: c1, c2, c3, …

  23. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … Encrypt by using all-zero string as randomness c1 c2 c3 CTs: c1, c2, c3, … ・・・

  24. What happened is … ・・・ Student 1 Student 2 Student 3 ・・・ Alice Grades: m1, m2, m3, … pk1 pk2 pk3 ・・・ PKs: pk1, pk2, pk3, … Encrypt by using all-zero string as randomness c1 c2 c3 CTs: c1, c2, c3, … ・・・ Grades were not sent securely !

  25. The lesson from this example

  26. The lesson from this example • If some party in cryptographic protocols (PKE) • is not concerned about the security • is not willing to do a costly task (generating randomness)  The security can be compromised

  27. The lesson from this example • If some party in cryptographic protocols (PKE) • is not concerned about the security • is not willing to do a costly task (generating randomness)  The security can be compromised • The reason is that Alice is “lazy”

  28. The lesson from this example • If some party in cryptographic protocols (PKE) • is not concerned about the security • is not willing to do a costly task (generating randomness)  The security can be compromised • The reason is that Alice is “lazy” • Traditional crypto did not consider lazy parties

  29. The lesson from this example • If some party in cryptographic protocols (PKE) • is not concerned about the security • is not willing to do a costly task (generating randomness)  The security can be compromised • The reason is that Alice is “lazy” • Traditional crypto did not consider lazy parties • Many people tend to be lazy in the real life… Need secure protocols even for lazy parties

  30. Our results • Define the security of PKE for lazy parties • Lazy parties as rational players • Construct secure PKEs for lazy parties

  31. Lazy parties in PKE • Sender (S) and Receiver (R) are lazy • Lazy S (and R) (1) wants to securely transmit msgs in MS (and MR) (2) doesn’t want to generate costly randomness • Choose(a) Costly true randomness (Good randomness) or(b) Zero-cost fixed string (Bad randomness) • Define a game between S, R, and an adversary (Adv) • A variant of usual CPA game • Lazy parties behave to maximize their payoffs • The goal is to design PKE secure for m ∈ MS∪MR

  32. CPA Game 4-b. If S chose B rR A 1-b. If R chose B, rR A(1k) 2. (m0, m1)  A(pk) m0, m1 3. bR {0,1} 5. Output b’ A(c) Challenge Dealer Adv. mb c mb pk 4. G/B 1. G/B pk GenDealer EncDealer pk, sk c 4-a. If S chose G, rS  Samp(Enc) 1-a. If R chose G, rR  Samp(Gen) c Sender Receiver c  Encpk(mb; rS) • (pk, sk) • Gen(1k; rR)

  33. Remarks on CPA Game • We define the game more generally • Sender may run Gen algorithm • Encryption may be interactive • Output of the Game:Out = (Win, ValS, ValR, NumS, NumR) • Win = 1 if b = b’, 0 otherwise • Valw = 1 if m ∈ Mw , 0 otherwise • Numw : #{ G output by w : w ∈ {S, R} }

  34. Payoff function • Payoff when the output of CPA game isOut = (Win, ValS, ValR, NumS, NumR) uw(Out) = (-αw)•Win•Valw +(-βw)•Numw • αw, βw > 0 are real numbers • αw /2 > qw• βw is assumed.qw : Maximum of Numw • Costly good randomness is worth for achieving the security • Payoff when following the pair of strategies (σS, σR) Uw(σS, σR) = min E[uw(Out)] • min is taken over all Advs, message spaces MS, MR

  35. Security of PKE for lazy parties • For PKE scheme Π, strategies(σS, σR), (Π, σS, σR) is CPA secure with(strict) Nash equilibrium • If players follow (σS, σR), thenfor any adversary, message spaces MS, MR,Pr[Win•(ValS + ValR) ≠ 0] ≤ 1/2 + negl(k) • (σS, σR) is a (strict) Nash equilibrium

  36. Solution concepts • (σS, σR) isaNash equilibrium: • For anyw ∈ {S, R} and σw’,Uw(σS*, σR*) ≤ Uw(σS, σR) + negl(k)where (σS*, σR*) = (σS’, σR) if w = S (σS, σR’) otherwise • (σS, σR) is astrict Nash equilibrium: • (σS, σR) is a Nash equilibrium • For any w ∈ {S, R} and σw’ ≠ σw,Uw(σS*, σR*) ≤ Uw(σS, σR) – 1/kcwhere c is a constant

  37. First observation (Impossibility results) • Sender must generate a secret key • A game for distinguishing m0, m1 ∈ MR \ MS  S uses Bad randomness  Adv can correctly distinguish since Adv knows all the inputs to S except mb • Encryption must be interactive • A game for distinguishing (m0, m0) and (m0, m1)for m0, m1 ∈ MR \ MS  S uses Bad randomness  Adv can correctly distinguish if two msgs were encrypted by same randomness

  38. Secure PKE for lazy parties(1. Basic setting) • Two-round PKE Πtwo • Idea: R generates randomness for encryptionR follows since doesn’t know whether m ∈ MR Receiver Sender Key Generation pkS (pkS, skS)  Gen(1k; r1S) r2R R U Encryption c1 c1Enc(pkS, r2R; r3R) r2R Dec(skS, c1) c2 c2= m r2R m = c2r2R

  39. Secure PKE for lazy parties(1. Basic setting) • A problem of Πtwo: If R knows that m ∈ MR, R uses Bad randomness ( m ∈ MS \ MR is not sent securely )

  40. Secure PKE for lazy parties(2. R knows additional information) • R may know whether m ∈ MR

  41. Secure PKE for lazy parties(2. R knows additional information) • R may know whether m ∈ MR • Three-round PKE Πthree Idea: • Key agreement to share randomness • Shared randomness is Good if S or R uses Good • Use the shared randomness for encryption

  42. Three-round PKE Πthree Receiver Sender pkR Key Generation (pkR, skR)  Gen(1k; r1R) pkS (pkS, skS)  Gen(1k; r1S) Encryption r2R R U c1 r2R Dec(skS, c1) c1Enc(pkS, r2R; r3R) r2SR U c2, c3 r2S Dec(skR, c2) r = r2R r2S (= rL◦ rR) r = r2R r2S (= rL◦ rR) c2Enc(pkR, r2S; r3S) m  Dec(skR, c3) c3Enc(pkR, m; rL) c4 c4Enc(pkS, m; rR)

  43. Non-interactive PKE for lazy parties

  44. Non-interactive PKE for lazy parties • Additional assumption:Players don’t want to reveal their secret keys

  45. Non-interactive PKE for lazy parties • Additional assumption:Players don’t want to reveal their secret keys • Singcryption scheme is secure for lazy partiesif signing key (secret key) can be computed from ciphertext and randomness  S uses Good to avoid revealing secret key

  46. Conclusions • “Lazy parties” may compromise the security • An example of protocols that may not workif players behave in their own interests • Our results • Define the security of PKE for lazy parties • Construct secure PKEs for lazy parties

  47. Conclusions • “Lazy parties” may compromise the security • An example of protocols that may not workif players behave in their own interests • Our results • Define the security of PKE for lazy parties • Construct secure PKEs for lazy parties Thank you

  48. Lazy parties (1) They are not concerned about the security in a certain situation (2) They are unwilling to do a costly task, although they behave in an honest-looking way • Costly task: Ex. random generation (computation is costly) increasing # rounds to finish (time is costly) • Honest-looking behavior: Ex. using all-zero string as randomness

  49. Aproblem of Πthree • If both S and R knows that m ∈ MS ∩ MR,it’s difficult to determine which of S/R uses Good • Exits two different (strict) Nash strategies

  50. Aproblem of Πthree • If both S and R knows that m ∈ MS ∩ MR,it’s difficult to determine which of S/R uses Good • Exits two different (strict) Nash strategies • Solution:R uses the all-zero string as randomness in Encif R knows m ∈ MS ∩ MR • All-zero string is a signal to R

More Related