170 likes | 251 Views
On the (Im)Possibility of Key Dependent Encryption. Iftach Haitner Microsoft Research. Thomas Holenstein Princeton University. August 04, 2009. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A. outline.
E N D
Onthe (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research Thomas Holenstein Princeton University August 04, 2009 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA
outline • Define Key Dependent Message (KDM) secure encryption scheme • Two (impossibility) results • On fully-black-box reductions from KDM security to TDP • On strongly-black-box reductions from KDM security to “any” hardness assumption
Weak Key Dependant Message Security What class of query functions (e.g., h) should be considered? In most settings, we should consider any (efficient) function An encryption scheme (Enc,Dec) is KDM secure, if for any efficient A Challenger Challenger A A kÃ{0,1}n kÃ{0,1}n ¼C h1:{0,1}n{0,1}m h1:{0,1}n{0,1}m Enck(h2(k)) Enck(Um) Enck(Um) Enck(h1(k)) h2 h2 A cannot find k … …
Feasibility Results • Limited output length functions: • [Hofheinz-Unruh ‘08] based on any PKE • Family of affine functions: • [Bonhe-Halevi-Hamburg-Ostrovsky ‘08] based on DDH • [Applabaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE • Efficient functions • [Gentry ‘09] based on the self reference security of [Gentry ‘09] • Any function • [Black-Rogway-Shrimpton ‘02] based on Random Oracle
Our Impossibility Results (informal) It is impossible to construct (via black-box techniques) KDM encryption scheme that is secure against • the family of poly-wise independent hash functions, based on OWF • extends to TDP • any function, based on “any assumption” • We focus on the private key setting • Hold also for the “many PK keys” setting
outline • Define Key Dependent Message (KDM) secure encryption scheme • Our (impossibility) results • On fully black-box reductions from KDM security to TDP • On strongly black-box reduction from KDM security to “any” hardness assumption
Black-box construction Black-box proof of security Adversary for breaking KDM)Inverter for breaking OWF Fully-Black-Box Reduction from KDM security to OWF (Enc,Dec) Adversary for KDM OWF OWF Inverter for OWF
Black-box proof of security Y Ã {0,1}n Breaks the KDM security of (Enc¼,Dec¼) A R OWF ¼ x 2¼-1(y)
Impossibility Result for OWF Based Schemes There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions More formally: Let (Enc(),Dec()) be a OWF based encryption scheme, and let v(n) = |Enc()(M)|, for M2{0,1}2n. Then (Enc(),Dec()) cannot be proved (in a black-box way) to be KDM-secure against Hv(n)+n– a family of (v(n)+n)-independent hash functions from{0,1}n to{0,1}2n
Our adversary 1) Select h ÃHv(n)+n 2) On input C, output (the first) ks.t. Deck(C) = h(k) Y Ã {0,1}n A R OWF ¼ … h 1n c k x2¼-1(y) A breaks the (weak) KDM security of (Enc¼,Dec¼) ¼ is hard to invert in the presence of A.Proof: a la’ [Simon ‘98] /[Gennaro-Trevisan ‘01, H-Hoch-Reingold- Segev ‘07]
outline • Define Key Dependent Message (KDM) secure encryption scheme • Our (impossibility) results • On fully black-box reductions from KDM security to TDP • On strongly black-box reductions from KDM security to “any” hardness assumption
Let ¡ be a cryptographic assumption (e.g., factoring is hard) Arbitrary construction Black-box proof of security. The query function h is treated as a black box Strongly Black-Box Reduction from KDM security to ¡ Adversary for KDM Adversary for¡
Strongly Black-box proof of security A break the KDM security of (Enc,Dec) A Factoring is hard ¡ R for breaking ¡ … h n = pq 1n c k p,q h is only accessed via its input/output interface Access to h is not given to a “third party”
Impossibility Result for Strongly Black-Box Reductions Assume that there exists a strongly-black-box reduction from KDM encryption scheme to ¡, which is secure against On– the family of random functions from {0,1}n to{0,1}2n. Then ¡ can be broken unconditionally
Our Adversary 1) Select h ÃOn 2) On query C, output (the first) k s.t. Dekk(C) = h(k) Breaks the KDM security of (Enc,Dec) A ¡ R A breaks the (weak) KDM security of (Enc,Dec) RA,¡can be efficiently emulated
The Emulation A ¡ R h … hÃOn c k 1n x1 x2 h(x1) h(x2) Answer to h(xi) with a random yi2{0,1}2n (while keeping consistency) On query C, return(the first) xis.tDecxi(C) = yi Proof Idea: the probability that h(k)= Deck(C) for non-queried k, is 2-2n
Further Issues • Both bounds hold for 1-1 PRF Open questions • Prove feasibility result against larger class of functions • Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)