Public-Key Encryption in the Bounded-Retrieval Model
Speaker: Daniel Wichs
Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs
Eurocrypt 2010
Motivation
• Cryptographic security is analyzed in a formal “attack model”. Do our attack models capture reality?
• In reality, extra information about secret keys can leak.
  • Side-channel attacks: timing, power, heat, EM radiation, acoustics...
  • Cold-boot attack [HSH+08]
  • Viruses
• Leakage-Resilient Crypto:
  • Add key leakage to the attack model.
  • Build primitives that provably allow leakage of the secret key.
Model of Leakage: Memory Attacks [Akavia-Goldwasser-Vaikuntanathan 09]
• Adversary can learn any efficiently computable function f : {0,1}* → {0,1}^L of the secret key sk, i.e. the adversary sees the leakage f(sk). L = Leakage Bound.
• Bounded Retrieval Model [Dzi06, …, ADW09]:
  • Grow the secret key to allow for more leakage. Even many Gigabytes.
  • Efficiency does not degrade as |sk| grows: {public key, ciphertext, computation time} stay fixed.
• Relative-Leakage Model [AGV09, DKL09, NS09, …]:
  • Maximize the ratio of L to |sk| (e.g. 90% of the key can leak).
Why design schemes for the BRM?
• Security against viruses:
  • Upper bound how much the attacker can download (e.g. 10 GB).
  • Bandwidth too low, cost too high, system security may detect.
  • OK if the secret key is large. Not OK if efficiency degrades.
• Security against side-channel attacks:
  • Leakage amount depends on the complexity of the computation.
  • Leakage-resilient schemes might be less secure: + leakage-resilience ⇒ + complexity ⇒ + leakage.
  • BRM efficiency breaks the cycle.
Prior Work on Leakage Resilience
• Memory Attacks:
  • Relative-Leakage: Symmetric and Public-Key Encryption and Authentication/Signatures. [AGV09, DKL09, ADW09, KV09, NS09, …]
  • Bounded Retrieval Model: Symmetric and Public-Key “Authenticated Key Agreement.” Requires interaction. [Dzi06, CDD+07, ADW09]
  • This work: Public-Key Encryption in the Bounded Retrieval Model.
• Restricted types of leakage functions: [CDH+00, DSS01, KZ03, ISW03, MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]. Does not seem applicable to e.g. virus attacks.
Definition of PKE in the BRM (game between Adversary and Challenger)
• Challenger: (pk, sk) ← KeyGen(1^s, L); sends pk to the Adversary.
• Adversary: chooses f : {0,1}* → {0,1}^L; Challenger returns f(sk).
• Adversary: sends m0, m1; Challenger picks b ← {0,1}, c ← Encrypt(m_b, pk); sends c.
• Adversary: outputs b'. Security: Pr[b' = b] ≤ ½ + negl(s).
• Key generation gets L as input. Adversary learns L bits of leakage.
• Efficiency: pk size, ciphertext size, encryption/decryption times are all bounded by some fixed polynomials, independent of L.
Outline of Talk
• A “high-level” template for constructing BRM schemes.
• “Identity Based Hash Proof System” (IB-HPS)
• Overview of IB-HPS constructions and parameters.
Template for BRM Schemes: 1. Leakage Amplification (via Parallel Repetition)
• Start with: a scheme resilient to L' bits of leakage.
• Construct: a scheme resilient to L >> L' bits of leakage.
• Idea: leakage amplification via parallel repetition.
Template for BRM Schemes: 1. Parallel Repetition
PK = (pk_1, pk_2, pk_3, …, pk_n), SK = (sk_1, sk_2, sk_3, …, sk_n). Ciphertext: (c_1, c_2, …, c_n) with c_i = Enc(m_i, pk_i).
• To encrypt under PK:
  • Secret-share the message m into n shares m_1, …, m_n.
  • Encrypt each share m_i separately under pk_i.
Template for BRM Schemes: 1. Security of Parallel Repetition?
• Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n.
• Hope: need to leak L' bits on each of the n keys to break the ‘repetition scheme’.
  • … but maybe not a different L' bits on each key.
• So is the theorem true?
  • Not in general. Recent counterexample by [Lewko-Waters 10]!
  • Yes in special cases (“hash proof systems”). Stay tuned.
Template for BRM Schemes: 1. Efficiency of Parallel Repetition?
PK = (pk_1, pk_2, pk_3, …, pk_n), SK = (sk_1, sk_2, sk_3, …, sk_n). Ciphertext: (c_1, c_2, …, c_n) with c_i = Enc(m_i, pk_i).
• Problem 1: ciphertext size and computation proportional to n.
• Problem 2: public-key size proportional to n.
Template for BRM Schemes: 2. Small Random Subsets
PK = (pk_1, pk_2, pk_3, …, pk_n), SK = (sk_1, sk_2, sk_3, …, sk_n). Ciphertext: (idx_1, c_1), …, (idx_t, c_t) with c_i = Enc(m_i, pk_{idx_i}).
• Encryptor chooses a small random subset of t << n indices.
• Encrypts t shares under the corresponding t public keys.
• Hope: to break the scheme, the adversary needs to have leaked L' bits on almost all indices (all of the ones that are later chosen).
Template for BRM Schemes: 3. Adding a Master Public Key
PK = MPK, SK = (sk_1, sk_2, sk_3, …, sk_n). Ciphertext: (idx_1, c_1), …, (idx_t, c_t) with c_i = Enc(m_i, idx_i).
• Use Identity-Based Encryption (IBE).
• PK is the master public key of the IBE.
• SK consists of the keys sk_i for identities i = 1, …, n.
Template for BRM Schemes: 3. Adding a Master Public Key
PK = MPK, SK = (sk_1, sk_2, sk_3, …, sk_n). Ciphertext: (idx_1, c_1), …, (idx_t, c_t) with c_i = Enc(m_i, idx_i).
• Scheme meets the efficiency requirements of the BRM.
• Security?
  • Does not amplify leakage-resilience in general.
  • Rest of talk: make it work with a special IBE.
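Steps 1 and 2 of the template, as an added Python example that is not from the talk: per-index public keys pk_i = g^{x_i} in a constructed toy group (p = 2039) with an ElGamal-style KEM standing in for Enc(·, pk_i), t-out-of-t XOR sharing, and a cover_probability helper (assumed for illustration) giving the chance that an adversary who fully learned k of the n keys holds every key the encryptor picks. The IBE/master-public-key step 3 is not modelled.

```python
import os, hashlib, secrets
from math import comb

# Toy group (constructed): safe prime p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def share(m: bytes, t: int) -> list:
    """t-out-of-t XOR sharing: all t shares are needed to recover m."""
    shares = [os.urandom(len(m)) for _ in range(t - 1)]
    last = m
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def keygen(n: int):
    """PK = (pk_1..pk_n), SK = (sk_1..sk_n): |SK| grows with n, encrypt/decrypt cost does not."""
    sks = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return [pow(G, x, P) for x in sks], sks

def encrypt(m: bytes, pks: list, t: int) -> list:
    """Pick t of n indices at random, share m, encrypt share i under pk_idx_i."""
    idx = secrets.SystemRandom().sample(range(len(pks)), t)
    cts = []
    for i, s in zip(idx, share(m, t)):
        r = secrets.randbelow(Q - 1) + 1
        pad = hashlib.sha256(str(pow(pks[i], r, P)).encode()).digest()[:len(s)]
        cts.append((i, pow(G, r, P), xor(s, pad)))   # (idx_i, g^r, share xor pad)
    return cts

def decrypt(cts: list, sks: list) -> bytes:
    """Only the t selected sk_i are touched; XOR of the recovered shares is m."""
    m = bytes(len(cts[0][2]))
    for i, u, c in cts:
        pad = hashlib.sha256(str(pow(u, sks[i], P)).encode()).digest()[:len(c)]
        m = xor(m, xor(c, pad))
    return m

def cover_probability(n: int, k: int, t: int) -> float:
    """Chance that all t chosen indices fall inside a set of k fully leaked keys."""
    return comb(k, t) / comb(n, t)
```

With n = 10 keys of which k = 5 leaked entirely and t = 2 indices per ciphertext, cover_probability is 2/9; it drops geometrically in t, which is the "need to have leaked on almost all indices" hope from step 2.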
Outline of Talk
• A “high-level” template for constructing BRM schemes.
• “Identity Based Hash Proof System” (IB-HPS)
• IB-HPS constructions and parameters.
Key Encapsulation Mechanism (KEM)
• A KEM can be used to encrypt a random message m.
• (pk, sk) ← KeyGen(1^s); (c, m) ← Encap(pk); m ← Dec(c, sk).
Hash Proof System (HPS): A Special KEM
• For each pk, many possible sk, forming a set SK_pk. KeyGen outputs sk ← SK_pk.
• Correctness: if (c, m) ← Encap(pk) then Dec(c, sk) = m for all sk in SK_pk.
• Bad Encapsulation: c* ← Encap*(pk).
  • Dec(c*, sk) is different for each sk in SK_pk (whereas Dec(c, sk) is the same for all of SK_pk).
  • Can’t distinguish c* from c (even given sk).
HPS and Leakage-Resilient KEM
• Theorem [Naor-Segev 09]: A HPS is a Leakage-Resilient KEM with L ≈ log(|SK_pk|).
• Proof sketch, with sk ← SK_pk:
  • Can’t distinguish the ‘bad’ ciphertext: Dec(c, sk) vs. Dec(c*, sk).
  • If leakage < log(|SK_pk|), the adversary still has uncertainty about sk.
  • So m = Dec(c*, sk) still has entropy given the view of the adversary; it looks random. Use extractors.
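The HPS properties above, as an added Python example that is not from the talk: the DDH-based hash proof system (pk = h = g1^{x1} g2^{x2}, sk = (x1, x2), c = (g1^r, g2^r), m = h^r) in a constructed toy group (p = 2039, q = 1019). Because q is tiny, a brute-force discrete log is used here only to enumerate other elements of SK_pk; the real-group indistinguishability of c* from c is assumed, not demonstrated.

```python
import secrets

# Toy group (constructed): safe prime p = 2q + 1; g1, g2 generate the order-q subgroup.
P, Q = 2039, 1019
G1, G2 = 4, 9

def dlog(base: int, y: int) -> int:
    """Brute-force discrete log; feasible only because q is tiny (this is what an adversary cannot do)."""
    acc = 1
    for e in range(Q):
        if acc == y:
            return e
        acc = acc * base % P
    raise ValueError("y not in the subgroup")

W = dlog(G1, G2)  # g2 = g1^W; used only to walk through SK_pk below

def keygen():
    """pk = h = g1^x1 * g2^x2, sk = (x1, x2). Every (x1 + W*k, x2 - k) mod q is also a key for h."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G1, x1, P) * pow(G2, x2, P) % P, (x1, x2)

def other_sk(sk: tuple, k: int) -> tuple:
    """Another element of SK_pk; |SK_pk| = q, so about log2(q) bits of sk may leak."""
    x1, x2 = sk
    return (x1 + W * k) % Q, (x2 - k) % Q

def is_sk_for(h: int, sk: tuple) -> bool:
    return pow(G1, sk[0], P) * pow(G2, sk[1], P) % P == h

def encap(h: int):
    """Good encapsulation: c = (g1^r, g2^r), encapsulated key m = h^r."""
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), pow(h, r, P)

def bad_encap():
    """Bad encapsulation c* = (g1^r, g2^r') with r != r' (looks like c under DDH in a real group)."""
    r = secrets.randbelow(Q)
    r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q
    return pow(G1, r, P), pow(G2, r2, P)

def dec(c: tuple, sk: tuple) -> int:
    """Dec(c, sk) = c1^x1 * c2^x2: equals m for every sk in SK_pk on good c, varies with sk on bad c*."""
    return pow(c[0], sk[0], P) * pow(c[1], sk[1], P) % P
```

On a bad c*, two keys in SK_pk that differ by k disagree by the factor g2^{k(r - r')}, which is never 1 in a prime-order group; that residual uncertainty about sk is what the extractor step turns into a random m.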
Parallel Repetition of HPS
• Theorem: Parallel repetition of a HPS amplifies leakage-resilience.
  • Leakage of a HPS is L ≈ log(|SK_pk|).
  • n-wise parallel repetition results in a new HPS with SK'_pk = SK_pk × SK_pk × … × SK_pk (n times).
• Can show that “random subset selection” also works.
Identity-Based Hash Proof System (IB-HPS)
• Global ‘master’ parameters: (MPK, MSK).
• For each identity, the secret key sk_ID comes from a large set SK_ID (sets SK_ID1, SK_ID2, …).
• Can efficiently sample from any SK_ID only if given MSK.
• Encapsulation targets a specific identity:
  • Good: (c, m) ← Encap(ID, MPK)
  • Bad: c* ← Encap*(ID, MPK)
Applications of IB-HPS
• Directly gives leakage-resilient IBE in the relative-leakage model.
• Can be used to instantiate our framework. Leakage amplification works! ⇒ Get PKE/IBE in the Bounded Retrieval Model.
Outline of Talk
• A “high-level” template for constructing BRM schemes.
• “Identity Based Hash Proof System” (IB-HPS)
• IB-HPS constructions and parameters.
Thank You! Questions?