Selective-opening security in the presence of randomness failures


Selective-opening security in the presence of randomness failures
Viet Tung Hoang (1), Jonathan Katz (2), Adam O’Neill (3), and Mohammad Zaheri (4)
(1) Dept. of Computer Science, Florida State University
(2) Dept. of Computer Science, University of Maryland
(3) Dept. of Computer Science, Georgetown University
(4) Dept. of Computer Science, Georgetown University

Outline of Talk
Background and motivation
Selective-opening secure nonce-based PKE
Lifting the results to the “hedged” setting
Conclusion and open problems


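The motivating scenario
[Figure: three senders each run Enc under the receiver's public key pk on messages m1, m2, m3, producing ciphertexts c1, c2, c3; the receiver holds sk; the adversary: “I want to know m1, m2, m3 …”]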

What can the adversary do?
Subvert senders’ pseudorandom number generator (PRNG)
Break in to senders’ machines
Notice that the adversary may recover the senders’ randomness in this case. The goal is to protect the unrecovered messages.

How to protect against this?
Use deterministic [BBO’07], hedged [BBNRSSY’09], or nonce-based [BT’16] PKE to protect against PRNG subversion
Use selective-opening (SOA) secure [BHY’09…] PKE to protect against (the after-effects of) break-ins
This work: we want to protect against both types of attacks simultaneously!

Main theme and results
Can we define and build schemes that protect against both PRNG subversion and break-ins?
Yes! We define and build selective-opening secure deterministic, hedged, and nonce-based PKE
In fact we define hedged nonce-based PKE, subsuming all these primitives (and we define and achieve selective-opening security for it)


Nonce-based PKE [BT’16]
Each sender chooses a seed, and encryption does not use randomness but rather the seed and a nonce
Security holds if either the seed is secret and nonces are unique, or if the seed is revealed but nonces have high entropy
[Figure: Kg outputs (pk,sk); Sg outputs xk; Enc takes pk, xk, N, m and outputs c; Dec takes c, sk and outputs m]

SOA security for nonce-based PKE
A message sampler M outputs a vector of messages. We further define:
(μ,d)-entropic message samplers, where each message has min-entropy μ conditioned on any d others
Conditionally resampleable message samplers, where any subset of messages can be efficiently resampled conditioned on the others
Intuition: We test whether the adversary can compute a function of the real messages better than a function of the messages after conditional resampling

SOA security for nonce-based PKE
Fix a nonce-based PKE NE = (Kg,Sg,Enc,Dec), conditionally resampleable message sampler M, high-entropy nonce generator Ng, and function f
Challenger:
    (pk,sk)←Kg; xk1,…,xkn←Sg
    m1,…,mn←M
    Nj←Ng for j∈J
    ci←Enc(pk,xki,Ni,mi)
Values exchanged between Challenger and Adversary (labels from the slide diagram): pk, J, c1,…,cn, I, g
If M is (μ,d)-entropic then require |I| at most d
NE is N-SO-CPA if g=f(m1,…,mn) with about the same probability as g=f(m’1,…,m’n) where m’j = mj for and the remaining messages are conditionally resampled

Construction NE1
[BT’16]: Encrypt with an underlying randomized PKE scheme using “synthetic” coins H(xk,N,m), where H is a hash function
Our construction NE1: Use the same approach as [BT’16], but with an underlying randomized encryption scheme based on lossy trapdoor functions [PW’08].

Lossy trapdoor functions [PW’08]
A trapdoor function LTDF = (K,K’,Eval,Inv) with two key generation modes such that
K outputs (ek,td) such that Eval(ek,.) is injective and Inv(td,.) is its inverse
K’ outputs ek’ such that Eval(ek’,.) is many-to-one
In particular, RSA and Rabin are lossy under appropriate assumptions [KOS’10,S’14]

Construction NE1
Uses LTDF = (K,K’,Eval,Inv) and hash functions H1,H2. Define NE1=(Kg,Sg,Enc,Dec) via

    Kg:
        (ek,td) ← K
        Return (ek,td)

    Sg:
        xk ← {0,1}^k
        Return xk

    Enc(xk,N,m):
        r ← H1(xk,N,m)
        y ← Eval(r)
        c ← m + H2(r)
        Return (y,c)

    Dec(td,(y,c)):
        r ← Inv(y)
        m ← H2(r) + c
        Return m

Construction NE1
Theorem. NE1 is N-SO-CPA secure in the non-programmable random oracle model.
Proof intuition: Switch to lossy key generation; then it’s unlikely the adversary will query any r value underlying the ciphertexts, thus the “corrupted” indices I will be independent of the messages.


Hedging nonce-based PKE
We would like to guarantee security as long as the sender’s seed, nonce, and message jointly have high entropy
This strengthens the security provided by nonce-based PKE even in the non-SOA setting.

Generic transform
To achieve the resulting notion HN-SO-CPA we give a generic transform that composes a nonce-based PKE scheme with a deterministic PKE scheme
So we need to define SOA security for the latter

SOA security for deterministic encryption
Fix a deterministic PKE DE = (Kg,Enc,Dec), conditionally resampleable message sampler M, and function f
Challenger:
    (pk,sk)←Kg; m1,…,mn←M
    ci←Enc(pk,mi) for i=1 to n
Values exchanged between Challenger and Adversary (labels from the slide diagram): pk, c1,…,cn, I, g
DE is D-SO-CPA if g=f(m1,…,mn) with about the same probability as g=f(m’1,…,m’n) where m’j = mj for and the remaining messages are conditionally resampled

Construction DE1
To achieve D-SO-CPA security, we use a de-randomized version of NE1 we call DE1

    Kg:
        (ek,td) ← K
        Return (ek,td)

    Enc(ek,m):
        r ← H1(m)
        y ← Eval(r)
        c ← m + H2(r)
        Return (y,c)

    Dec(td,(y,c)):
        r ← Inv(y)
        m ← H2(r) + c
        Return m

Construction DE1
Theorem. DE1 is D-SO-CPA in the non-programmable random oracle model.
Proof involves subtleties related to the fact that the “corrupted” set I can depend on the public key and is given to the resampling algorithm
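The NE1 and DE1 pseudocode above, as a runnable sketch added here (not code from the talk or its authors). Assumptions: “+” is read as XOR, H1 and H2 are instantiated with SHA-256 and SHAKE-256, and textbook RSA over constructed toy primes stands in for the trapdoor function in its injective mode.

```python
import hashlib
import secrets

# Constructed toy parameters: textbook RSA over two Mersenne primes stands in
# for the LTDF's injective mode (K, Eval, Inv). Far too small for real use; the
# lossy mode K' is needed only in the proof and is not modelled.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537

def K():
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))  # (ek, td)

def Eval(ek, r):
    return pow(r, ek[1], ek[0])

def Inv(td, y):
    return pow(y, td[1], td[0])

def H1(ek, *fields):
    # Synthetic coins: hash length-prefixed fields (unambiguous), reduce into Z_n.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return int.from_bytes(hashlib.sha256(b"H1" + data).digest(), "big") % ek[0]

def H2(r, length):
    # Mask of the message's length derived from r (SHAKE-256 as an XOF).
    return hashlib.shake_256(b"H2" + r.to_bytes(32, "big")).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def Sg(k=16):
    return secrets.token_bytes(k)  # sender seed xk

def ne1_enc(ek, xk, N, m):
    r = H1(ek, xk, N, m)          # no fresh randomness at encryption time
    return Eval(ek, r), xor(m, H2(r, len(m)))

def de1_enc(ek, m):
    r = H1(ek, m)                 # DE1: coins depend on the message alone
    return Eval(ek, r), xor(m, H2(r, len(m)))

def dec(td, ct):
    y, c = ct                     # same decryption for NE1 and DE1
    return xor(c, H2(Inv(td, y), len(c)))
```

Repeating the same (xk, N, m) reproduces the NE1 ciphertext exactly, and DE1 maps equal messages to equal ciphertexts, which is why the definitions above ask for unique or high-entropy nonces and for entropic message samplers.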

Nonce-then-deterministic transform
To encrypt a message m under key (pk1,pk2) with seed xk and nonce N:
[Figure: NE takes pk1, xk, N, m; its output is fed to DE, which takes pk2 and outputs c]
Theorem. The composed scheme is HN-SO-CPA secure if DE is D-SO-CPA and NE is N-SO-CPA and "entropy preserving."


Conclusion
We treated selective-opening security of schemes designed to be robust to randomness failures
SOA security is natural to consider in tandem with randomness failures since an adversary can target senders via multiple means

Open problems
Standard-model (vs. NPROM) schemes achieving our notions
NPROM schemes achieving a simulation-based notion of SOA security for nonce-based PKE, or a proof that this is impossible

Thank you!