Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption
Ananth Raghunathan
(joint work with Gil Segev and Salil Vadhan)
Public-Key Encryption
[Diagram: Alice encrypts message m into ciphertext c for Bob; an eavesdropper who sees c learns nothing!]
Semantic Security [Goldwasser-Micali '82]: Enc_pk(m0) and Enc_pk(m1) are computationally indistinguishable for any m0 and m1.
Encryption must be randomized.
Randomness is difficult
• Weak sources in practice (keystrokes, timing)
• Incorrect implementations
  – [Heninger et al. '12, Lenstra et al. '12] on RSA public keys
  – Sony PS3 master signing key broken due to reuse of randomness across different EC-DSA key pairs
• Weak randomization attacks against RSA-OAEP [Brown '05]
• many many more …
Deterministic Public-Key Encryption: "Theory meets practice"
• Efficiently searchable encryption
  – Encrypted keyword search
  – Deduplication over encrypted data
• Can get short ciphertexts
  – Easier to use in legacy systems
Can we formalize and realize meaningful notions of security for deterministic public-key encryption?
BBO '07, BFO '08, BFOR '08, BBNRSSY '09, BS '11, MPRS '12, FOR '12, … (3 B's, 3 F's, 2 S's)
Security of Det. PKE (attempt 1)
[Diagram: challenger sends pk; adversary sends m0, m1; challenger picks b ← {0,1} and returns c = Enc_pk(mb); adversary guesses b]
• What happens if Enc is deterministic?
  Is c = Enc_pk(m0)? If so, guess b=0; else, guess b=1.
Security cannot hold if adversary knows (or can predict) m0 or m1!
Security of Det. PKE (attempt 2)
[Diagram: adversary sees pk and sends distributions M0, M1; challenger samples m0 ← M0, m1 ← M1, b ← {0,1} and returns c = Enc_pk(mb); adversary guesses b]
* H∞(Mb) is not too small: no message is very likely to occur
• Is this restriction sufficient? NO
  M0: sample a random message m such that c = Enc_pk(m) starts with a 0
  M1: sample a random message m such that c = Enc_pk(m) starts with a 1
  If M is allowed to depend on pk and be arbitrary, then the encryption has subliminal channels.
Security of Det. PKE [BBO '07]
[Diagram: adversary sends distributions M0, M1 chosen without seeing pk; challenger samples m0 ← M0, m1 ← M1, b ← {0,1} and returns c = Enc_pk(mb); adversary guesses b]
* M0, M1 must be chosen independently of pk
• Not a realistic assumption in practice
  – a malicious adversary will use the pk in his attack
  – does not model what information will be leaked when there are accidental dependencies on the public key
Question: Realistic security notions that allow the adversary to choose M after seeing pk
Our Work
• Formalize notions of adaptive security
  – Attackers given access to pk
  – Extensions
• Generic constructions in the random-oracle model
  – Based on any off-the-shelf (randomized) PKE
• Constructions in the standard model
  – Connection to deterministic randomness extractors
  – New techniques to deterministically extract via a "high-moment crooked" leftover hash lemma
  – New cryptographic tools (R-lossy trapdoor functions)
Defining Adaptive Det. PKE
[Diagram: adversary gets pk and oracle access to Dec(sk, ·); sends distributions M0, M1; challenger samples m0 ← M0, m1 ← M1 and returns c = Enc_pk(mb); adversary guesses b]
* Set of distributions X of size 2^p; X is fixed a priori; fix random b ← {0,1}
• Adversary can choose M adaptively based on pk and on answers c as long as M remains in set X.
• General notion
  – p = 0: independent of pk
  – p = O(s·log(s)): all circuits of size s
• "Multi-shot"
• Easily extends to CCA (chosen-ciphertext-attack) security (what a surprise!)
Security notion only depends on p. Holds for all X of size 2^p.
Tool: Lossy Trapdoor Functions [PW08]
Two families of functions: injective and lossy
[Diagram: f maps the domain into the range and has an inverse f^-1; g maps the domain onto a set much smaller than the domain]
• Injective f: efficiently invertible (trapdoor)
• Lossy g: cannot be inverted (information-theoretically); image much smaller than domain
Security: the descriptions of f and g are "computationally indistinguishable"
Our Basic Scheme
Let f be an injective member of a LTDF family
Let π be a "sufficiently independent" random permutation *
pk = (f, π), sk = f^-1
Enc: c = f(π(m))
Dec: m = π^-1(f^-1(c))
* π chosen randomly from a t-wise δ-dependent family of permutations [KNR09]
Proof (by pictures)
[Diagram: hybrid argument. (f, π) on M0 → (g, π) on M0, by security of LTDFs (f ≈ g); (g, π) on M0 → (g, π) on M1, by the High-moment Crooked Leftover Hash Lemma: extracting randomness even if M0 and M1 can depend on (g, π); (g, π) on M1 → (f, π) on M1, by security of LTDFs again]
Basic scheme is adaptively secure
Extracting randomness (LHL)
Original LHL [HILL89]: f is universal, X is independent of f
  (f, f(X)) ≈ (f, U)
Crooked LHL [DS05]: f is lossy, π is pairwise independent, X is independent of f
  (f, π, f(π(X))) ≈ (f, π, f(U))
High-Moment LHL [TV00]: f is t-wise independent, X can depend on f but bounded
  (f, f(X)) ≈ (f, f(U))
High-Moment Crooked LHL: f is lossy, π is t-wise independent, X can depend on f (bounded: set of distributions of size 2^p)
  (f, π, f(π(X))) ≈ (f, π, f(U))
High-Moment Crooked LHL
• Generalizes the Leftover Hash Lemma [HILL89] and its "crooked" variant [DS05]
• Lemma
  – Let $f: \{0,1\}^n \to \{0,1\}^n$ be such that $|\mathrm{Im}(f)| \le 2^{n-\ell}$
  – Let $\mathcal{X}$ be a set of sources such that for each $X \in \mathcal{X}$, $H_\infty(X) \ge (n-\ell) + 3\log\log|\mathcal{X}| + 2\log(1/\epsilon) + \Theta(1)$
  – Let $\Pi$ be a family of $t$-wise independent permutations with $t \approx \log|\mathcal{X}| + (n-\ell)$
  – Then, with probability $1-\epsilon$ over the choice of $\pi \in \Pi$, for every $X \in \mathcal{X}$ we have $\mathrm{SD}(f(\pi(X)), f(U)) < \epsilon$
• Choice of $X \in \mathcal{X}$ can depend on f and π
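A toy simulation of the basic scheme (Enc = f∘π, Dec = π⁻¹∘f⁻¹) and of the extraction step behind the lemma above, added here as an example and not code from the talk or the paper: it computes SD(g(π(X)), g(U)) on a 10-bit domain for a source fixed before π is known and for one chosen after seeing π. It assumes uniformly random permutations as stand-ins for the injective branch f and the t-wise independent π, and bit truncation as the lossy branch g, so it models the scheme's structure and the entropy condition, not LTDF indistinguishability.

```python
import random

N_BITS = 10                 # constructed toy: messages are 10-bit values (n = 10)
ELL = 7                     # lossiness: the lossy branch has 2^(N_BITS-ELL) = 8 outputs
DOMAIN = 1 << N_BITS

def invert(perm):
    inv = [0] * DOMAIN
    for x, y in enumerate(perm):
        inv[y] = x
    return inv

def keygen(seed):
    """pk = (f, pi), sk = f^-1 as in the basic scheme; f and pi are toy random permutations."""
    rng = random.Random(seed)
    f, pi = list(range(DOMAIN)), list(range(DOMAIN))
    rng.shuffle(f); rng.shuffle(pi)
    return (f, pi), invert(f)

def enc(pk, m):
    f, pi = pk
    return f[pi[m]]                  # Enc_pk(m) = f(pi(m)): deterministic, no randomness used

def dec(pk, sk, c):
    _, pi = pk
    return invert(pi)[sk[c]]         # Dec(c) = pi^-1(f^-1(c)); pi is public, so its inverse is too

def lossy(y):
    """Lossy branch g: keeps only the top N_BITS-ELL bits, so |Im(g)| = 2^(N_BITS-ELL)."""
    return y >> ELL

def stat_dist(support, pi):
    """SD(g(pi(X)), g(U)) for X uniform over `support`; g(U) is uniform over the 8 outputs."""
    buckets = 1 << (N_BITS - ELL)
    counts = [0] * buckets
    for x in support:
        counts[lossy(pi[x])] += 1
    return 0.5 * sum(abs(c / len(support) - 1 / buckets) for c in counts)

def independent_source(seed, size):
    """A source fixed before pi is seen: min-entropy log2(size), i.e. 9 bits for size 512."""
    return random.Random(seed).sample(range(DOMAIN), size)

def adaptive_source(pi):
    """A source chosen after seeing pi: every x that g(pi(.)) sends to output 0 (128 values, 7 bits)."""
    return [x for x in range(DOMAIN) if lossy(pi[x]) == 0]
```

Both sources have min-entropy above n-ℓ = 3 bits, yet the π-dependent one lands at SD 0.875 while the independent one stays near 0; this is the kind of source that the 3·log log|𝒳| term in the lemma's entropy requirement rules out, since a class containing such a set for every π is far too large for the bound to be met on a 10-bit domain.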
Conclusions
• This work
  – Defining adaptive deterministic PKE
  – Constructions secure in the random oracle and standard model
  – New tools for deterministic extraction
• Going forward: New directions for research (a.k.a. help me write papers!)
  – Shorter public keys?
    • In general, public key needs to be longer than p
    • In our paper: short public key only for s-circuit-size distributions in the random-oracle model
  – Technical questions related to extraction (work-in-progress)
  – Other paradigms to construct deterministic PKE schemes
Thank you!
Any questions?