Efficient Public-Key Cryptography in the Presence of Leakage
Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, Daniel Wichs (New York University)


Background
Traditionally, security proofs in crypto assume an idealized model.
- Adversary sees public keys, but NOT secret keys.
[Diagram: adversary has access to PK only; SK stays hidden]

Background
In reality, schemes are broken using "key-leakage" attacks:
- Side channels: timing, power consumption, heat, acoustics, radiation.
- The cold-boot attack.
- Hackers, malware, viruses.
[Diagram: adversary sees PK and also part of SK]

Leakage-Resilient Cryptography
Usual response from cryptographers:
- Not our problem!
- Blame the engineers, the OS programmers, ...
Leakage-resilient crypto: let's try to help!
- Primitives that remain provably secure even if the adversary sees some leakage of the secret key.

Leakage Models
Restricted vs. memory leakage:
- Restricted: physical bits, AC0 circuits, OCLI, ...
- Memory: any efficiently computable function of SK.
One-time vs. continuous leakage:
- One-time: the number of bits the adversary learns is bounded by a leakage parameter L.
- Continuous: SK is updated periodically; the number of bits is bounded by L in between updates, but NOT overall.
Our techniques can be applied in both the one-time and continuous models (also see DHLW'10, FOCS). Today we focus on one-time leakage.

3 Desirable Properties
Strong security
- Satisfy the strongest notion of security, even with leakage (e.g. CCA encryption, EU-CMA signatures).
Leakage flexibility
- Can set the relative leakage L/|SK| arbitrarily close to 1.
Efficiency
- The construction may be generic, but must have an efficient instantiation (think Cramer-Shoup vs. Naor-Yung).
- Based on standard assumptions.
- Without random oracles.

Prior Work - Signatures

Reference   Security     Model          Leakage*  Efficient?
ADW'09      Existential  Random Oracle  1/2       Yes
ADW'09      Entropic     Random Oracle  1         Yes
KV'09       Existential  Standard       1         No
This work   Existential  Standard       1         Yes

* All leakage entries should be read with "- o(1)" appended.

Prior Work - Encryption

Reference      Security    Model     Leakage*  Efficient?
AGV'09, NS'09  CPA-secure  Standard  1         Yes
NS'09          CCA-secure  Standard  1/6       Yes
NS'09          CCA-secure  Standard  1         No
This work      CCA-secure  Standard  1         Yes

* All leakage entries should be read with "- o(1)" appended.

Our Results
Construct LR encryption and LR signatures:
- CCA-secure encryption and EU-CMA signatures.
- Relative leakage up to (1 - o(1)).
- Schemes are efficient.
- Assumptions: Decision Linear (DLIN), or DDH in bilinear groups (SXDH).
Construct LR ID schemes and LR authenticated key agreement (AKA); see the paper for details.
New conceptual contributions:
- Techniques that apply beyond leakage resilience.

Techniques of Prior Work
1. Construct a weaker primitive (e.g. LR-OWR, LR CPA encryption). Known how to do this efficiently, with high relative leakage.
2. Apply a weak-to-strong transformation that preserves leakage resilience (e.g. to get LR signatures, LR CCA encryption).
Look at the transformation. Forget about leakage for now!

Techniques of Prior Work
[Diagram: weak primitive + "ZK proof" → strong primitive]
- (LR) CPA encryption + "ZK proof" → (LR) CCA encryption (NY'90, NS'09)
- (LR) OWF + encryption + "ZK proof" → (LR) signatures (KV'09, Gro'06)

Case Study: Naor-Yung Paradigm
[Diagram: CPA encryption C = Enc(m) → CCA encryption C = (C1 = Enc_K1(m), C2 = Enc_K2(m), π), where π proves "c1 and c2 encrypt the same message"]

Our Abstraction
[Diagram: CPA encryption C = Enc(m) → CCA encryption C = (C1 = Enc_K1(m), ϕ), where ϕ = (C2 = Enc_K2(m), π) is a ZK POK of "I know the message encrypted in c1"]

What do we need?
We need the following properties from ϕ:
- Non-interactive: the proof is part of the ciphertext.
- Proof of knowledge: we need to extract from the proof to answer decryption queries.
- Zero knowledge: the challenge ciphertext will use a fake proof.
Subtlety: "simulation-extractability" (Gro'06). We need to make sure that ϕ is still a proof of knowledge even after the adversary sees a fake proof.
[Diagram: CPA encryption → CCA encryption via ϕ]

Solution in Prior Work
[Diagram: CPA encryption C = Enc(m) → CCA encryption (C1 = Enc_K1(m), C2 = Enc_K2(m), π), with π a simulation-sound NIZK (Sah'01)]
Simulation-sound NIZK:
- Soundness holds even if the adversary sees many fake proofs.
- Fake proofs can be of either true or false statements.

Problems and an Observation
From a theoretical perspective, simulation-soundness is non-trivial.
- Most known NIZK schemes are not simulation-sound.
From a practical perspective, simulation-soundness seems to be expensive to achieve.
- Known simulation-sound NIZKs are significantly less efficient than standard NIZKs.
- Efficiency is lost with the transformation!
Key observation: our fake proof is of a true statement.
- Simulation-soundness is stronger than we need!

True-Simulation Extractability
True-simulation extractability (tSE): can extract a witness even after the adversary has seen fake proofs of true statements.
We don't need simulation soundness to construct tSE.
Weaker than the CPA + SS-NIZK construction, but allows for efficient instantiation.
[Diagram: ϕ = (C2 = Enc_K2(m) under a CCA-secure scheme, π a regular NIZK)]
Can construct both CCA encryption and NIZK efficiently!

Some Intuition
[Diagram: ϕ = (C2 = Enc_K2(m) under a CCA-secure scheme, π a NIZK)]
The adversary sees fake proofs ϕ_i of arbitrary true statements and then produces a proof ϕ*. Want: extract a valid witness m* from ϕ*. Need the statement to be true!
Hybrid argument over the proofs the adversary sees:
- Fake ϕ proofs: Enc(0) + Sim-π.
- Hybrid ϕ proofs: Enc(m) + Sim-π. Change Enc(0) to Enc(m) one by one; we need CCA security because we must extract m* and check that it is valid.
- Real ϕ proofs: Enc(m) + Real-π. Change all Sim-π to Real-π; use the soundness of Π.

But Wait...
Need CCA to get CCA?!
[Diagram: CPA encryption C = Enc(m) → CCA encryption (C1 = Enc_K1(m), C2 = Enc_K2(m) under a CCA-secure scheme, π a NIZK)]

Back to Leakage Resilience
[Diagram: LR CPA encryption C = Enc(m) → LR CCA encryption (C1 = Enc_K1(m) under LR CPA, C2 = Enc_K2(m) under CCA, π a NIZK)]

Summary of Case Study
New, more intuitive view of the Naor-Yung paradigm (following the intuition of RS'91).
Yields a clean "weak-to-strong" transformation that conserves:
- Leakage
- Efficiency!
[Diagram: CPA encryption C = Enc(m) → CCA encryption (C1 = Enc_K1(m), ϕ = (C2 = Enc_K2(m), π)), with ϕ proving "I know the message encrypted in c1"]

Putting it all Together
Still a lot of work to do to "glue" everything together.
2 instantiations, under DLIN and SXDH:
- NIZK: Groth-Sahai system.
- LR CPA: schemes in the style of ElGamal.
- CCA: Linear Cramer-Shoup.
[Diagram: LR CPA encryption C = Enc(m) → LR CCA encryption (C1 = Enc_K1(m) under LR CPA, C2 = Enc_K2(m) under CCA, π a NIZK)]

Another Application - Signatures
[Diagram: LR OWF f(x) = y → LR EU-CMA signatures σ = Sign(m), where σ = ϕ = (C = Enc_K(x||m) under CCA, π a NIZK) and ϕ proves "I know x with label m"]
2 instantiations, under DLIN and SXDH:
- NIZK: Groth-Sahai system.
- LR OWR: from new second-preimage relations.
- CCA: Linear Cramer-Shoup.

Our Results
Construct LR encryption and LR signatures:
- CCA-secure encryption and EU-CMA signatures.
- Relative leakage up to (1 - o(1)).
- Schemes are efficient.
- Assumptions: Decision Linear (DLIN), or DDH in bilinear groups (SXDH).
Construct LR ID schemes and LR authenticated key agreement (AKA):
- New deniable AKA scheme.
New conceptual contributions:
- Techniques that apply beyond leakage resilience.

Thank You!

Motivation: Leakage-Resilient Cryptography

How to model leakage attacks?
- The adversary gets access to a leakage oracle: it can specify a function f: {0,1}* → {0,1} and learns f(SK).
- Need to restrict the "leakage functions" so that the adversary doesn't see SK in full, e.g. bound the number of queries.
[Diagram: adversary holding PK sends f to the oracle holding SK and receives f(SK)]

Prior Work - ID Schemes

Reference         Security           Model     Leakage*  Efficient?
ADW'09            Pre-impersonation  Standard  1         Yes
ADW'09            Anytime            Standard  1/2       Yes
KV'09 (implicit)  Anytime            Standard  1         No
This work         Anytime            Standard  1         Yes

* All leakage entries should be read with "- o(1)" appended.

Prior Work - AKA

Reference                 Model          Leakage*  Deniable?  Efficient?
ADW'09                    Random Oracle  1         No         Yes
ADW'09, KV'09 (implicit)  Standard       1         No
This work                 Standard       1         No/Yes**   Yes

* All leakage entries should be read with "- o(1)" appended.
** Our first AKA protocol is not deniable, our second is.

Conceptual Contributions

Our Conceptual Contributions
Abstract this technique into a new primitive: true-simulation extractable (tSE) NIZKs.
Similar to an ssNIZK POK with one subtle (but important!) difference: the adversary has oracle access only to proofs of true statements.
2 constructions of tSE NIZK:
- CPA-encryption + ss-NIZK (NY'90, KV'09, NS'09).
- CCA-encryption + regular NIZK (this work).
Given the state of the art, the second construction is more efficient.

Importance of tSE
- tSE is precisely the right notion.
- Can be used to prove security of previous LR constructions.
- Gives an alternative view of the Naor-Yung "double-encryption" paradigm:
  - Traditional view: "CPA-encrypting message m under 2 keys and proving plaintext equality".
  - Simulation-extractability view: "CPA-encrypting message m and proving one knows the plaintext".
- More intuitive way to see the CPA-to-CCA transformation (following the intuition of RS'91).
- The 2nd tSE construction allows for efficient instantiation.

tSE NIZK
A NIZK with an extra property:
- Setup also generates an extraction key EK.
- The adversary sees many fake proofs ϕ_i of true statements x_i of his choice.
- If the adversary produces a valid proof π* for a new statement x*, then one can obtain (using EK) a valid witness w* for x* (i.e. R(x*, w*) = 1).
[Diagram: adversary receives ϕ1, ϕ2, ϕ3, ..., ϕq and outputs (x*, π*) with Ver(x*, π*) = 1; the extractor uses EK to output w* with R(x*, w*) = 1]
CCA-encryption + (regular) NIZK → tSE

Variations of tSE
Strong tSE
- The adversary is required to provide a new statement/proof pair (x*, π*) instead of a new statement x*.
Any-SE (aSE)
- The adversary can see proofs for false statements, as well as true ones.
- Similar to the notion of simulation-sound extractability of Gro'06.
- Implicitly used in KV'09, NS'09 and in the Naor-Yung paradigm.
- Stronger than tSE but NOT needed for leakage-resilient constructions!
One-time signature + (regular) tSE → strong tSE
CPA-encryption + ss-NIZK → aSE

Our Results
[Diagram:
- LR-OWR + tSE → LR signatures
- LR-CPA encryption + strong tSE → LR-CCA encryption
- CPA encryption + aSE → CCA encryption]

Instantiations

LR Signatures
[Diagram: LR-OWR + tSE → LR signatures, where tSE is built from CCA encryption + NIZK]

LR Signatures
CCA-secure encryption
- DLIN and SXDH: (Linear) Cramer-Shoup [CS'98, Sha'07].
NIZK
- DLIN and SXDH: Groth-Sahai proof system [GS'08].
LR-OWR from SPR (second-preimage resistance)
- Public parameters: g_1, ..., g_n, h_1, ..., h_n, ĝ, g.
- SXDH: witness x = (x_1, ..., x_n), statement y, such that e(g_1, x_1) ... e(g_n, x_n) = e(y, ĝ).
- DLIN: witness x = (x_1, ..., x_n), statement y = (y_1, y_2), such that e(g_1, x_1) ... e(g_n, x_n) = e(y_1, g) and e(h_1, x_1) ... e(h_n, x_n) = e(y_2, ĝ).
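The two slides "How to model leakage attacks?" and the LR-OWR-from-SPR relation above fit together in one small experiment. The following is an added example, not code from the paper or its authors: it plays the leakage-oracle game (the adversary picks f, learns f(SK), and is charged for every bit it receives) against a second-preimage-resistant relation, and then counts how many witnesses remain consistent with what leaked. One assumption is made so that it runs without a pairing library: the pairing relation e(g_1, x_1) ... e(g_n, x_n) = e(y, ĝ) is replaced by its discrete-log analogue y = g_1^x_1 ... g_n^x_n in a constructed order-11 subgroup mod 23, which keeps the property the slide relies on (every statement y has many witnesses, so a bounded leak cannot pin x down). The modulus, generators, secret witness and leakage functions are all constructed toy values.

```python
"""Leakage-oracle game against a toy second-preimage-resistant relation.

Added example (not the paper's code). Assumption: the pairing-based SPR
relation of the slide is replaced by y = g_1^x_1 * ... * g_n^x_n mod p in a
small prime-order group, so every witness can be enumerated offline.
"""
from itertools import product

P = 23            # constructed toy modulus, p = 2q + 1 (far too small for real use)
Q = 11            # order of the quadratic-residue subgroup the generators live in
GENS = (4, 9, 3)  # constructed generators of that order-11 subgroup mod 23


def statement(x):
    """Public statement y = prod_i g_i^{x_i} mod p for a witness x in Z_q^n."""
    acc = 1
    for g, xi in zip(GENS, x):
        acc = acc * pow(g, xi, P) % P
    return acc


def relation(y, x):
    """R(y, x) = 1 iff x is a witness for y."""
    return statement(x) == y


class LeakageOracle:
    """Answers f(SK) for adversary-chosen f, charging out_bits per query and
    refusing once the total would exceed the budget L. With 1-bit queries
    this is exactly the slide's 'bound the number of queries'."""

    def __init__(self, sk, budget_bits):
        self.sk = sk
        self.budget = budget_bits
        self.used = 0

    def leak(self, f, out_bits):
        if self.used + out_bits > self.budget:
            raise ValueError("leakage budget of %d bits exhausted" % self.budget)
        value = f(self.sk)
        if not 0 <= value < 2 ** out_bits:
            raise ValueError("f returned more than out_bits bits")
        self.used += out_bits
        return value


def consistent_witnesses(y, leaks):
    """All witnesses for y that agree with every leaked (f, value) pair.
    Exhaustive search over Z_q^n, which is only feasible for the toy group."""
    return [x for x in product(range(Q), repeat=len(GENS))
            if relation(y, x) and all(f(x) == v for f, v in leaks)]


def demo():
    """Returns (witnesses for y, witnesses still consistent after leakage,
    whether the real SK is still among them)."""
    sk = (5, 7, 2)                     # constructed secret witness
    y = statement(sk)                  # public statement, here 18
    oracle = LeakageOracle(sk, budget_bits=4)
    # the adversary spends its 4-bit budget on the low two bits of x_1 and x_2
    leak_fns = (lambda x: x[0] & 3, lambda x: x[1] & 3)
    leaks = [(f, oracle.leak(f, 2)) for f in leak_fns]
    before = consistent_witnesses(y, [])
    after = consistent_witnesses(y, leaks)
    return len(before), len(after), sk in after


def budget_enforced():
    """A query that would overspend the budget is refused."""
    oracle = LeakageOracle((5, 7, 2), budget_bits=4)
    oracle.leak(lambda x: x[0] & 3, 2)
    oracle.leak(lambda x: x[1] & 3, 2)
    try:
        oracle.leak(lambda x: x[2] & 1, 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())             # (121, 6, True)
    print(budget_enforced())  # True
```

Every y in the subgroup has q^(n-1) = 121 witnesses here, so the witness carries about (n-1) log q bits of entropy out of n log q, and after the 4 leaked bits 6 witnesses (the real one included) are still consistent. This is why the slides can push the relative leakage L/|SK| towards 1: adding generators raises (n-1)/n, so the fraction of the witness that can leak without determining it grows, while the statement y stays a single group element.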

LR CCA-Secure Encryption
[Diagram: LR-CPA encryption + strong tSE → LR-CCA encryption, where strong tSE is built from CCA encryption + NIZK + OT signature]

LR CCA-Secure Encryption
CCA-secure encryption
- DLIN and SXDH: (Linear) Cramer-Shoup [CS'98, Sha'07].
NIZK
- DLIN and SXDH: Groth-Sahai proof system [GS'08].
LR-CPA-secure encryption
- DLIN and SXDH: in the style of ElGamal.
- Similar to the ones used in CCS'09, NS'09, but more efficient.
One-time signature
- DLIN and SXDH: OT-signature of Gro'06.
- Any OT signature secure under DLIN or SXDH works (Gro'06 chosen because of its small size).

How Efficient?
For L = 1 - ε and groups of order q:

Signatures
                 SXDH                             DLIN
Group elements   (2/ε)(2 + λ/log q) + 15          (3/ε)(3 + λ/log q) + 34
Z_q elements     2                                2

CCA-secure encryption
                 SXDH                             DLIN
Group elements   (9/ε)(1 + ω(log λ)/log q) + 24   (19/ε)(2 + ω(log λ)/log q) + 70
Z_q elements     2

Our Contributions
Conceptual contributions
- Definition of a new primitive: true-simulation extractable NIZKs.
- New, more intuitive view of the Naor-Yung "double-encryption" paradigm.
- Unified view of prior leakage-resilient constructions.
Technical contributions
- First signature, encryption, ID, and AKA schemes that simultaneously satisfy: efficiency, strong security, leakage flexibility.