On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A August 04, 2009 Thomas Holenstein Princeton University
outline Define Key Dependent Message (KDM) secure encryption scheme Two (impossibility) results – On fully-black-box reductions from KDM security to TDP – On strongly-black-box reductions from KDM security to “any” hardness assumption
Weak Key Dependant Message Security An encryption scheme (Enc,Dec) is KDM secure, if for any efficient A A h 1 :{0,1} n {0,1} m Enc k (h 1 (k)) h 2 Enc k (h 2 (k)) … ¼C¼C k à {0,1} n Challenger … A h 1 :{0,1} n {0,1} m Enc k (U m ) h 2 Enc k (U m ) k à {0,1} n Challenger A cannot find k What class of query functions (e.g., h) should be considered? In most settings, we should consider any (efficient) function
Feasibility Results Limited output length functions: – [Hofheinz-Unruh ‘08] based on any PKE Family of affine functions: – [Bonhe-Halevi-Hamburg-Ostrovsky ‘08] based on DDH – [Applabaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE Efficient functions ??? Any function – [Black-Rogway-Shrimpton ‘02] based on Random Oracle
Our Impossibility Results (informal) It is impossible to construct (via black-box techniques) KDM encryption scheme that is secure against the family of poly-wise independent hash functions, based on OWF – extends to TDP any function, based on “any assumption” We focus on the private key setting Hold also for the “many PK keys” setting
outline Define Key Dependent Message (KDM) secure encryption scheme Our (impossibility) results – On fully black-box reductions from KDM security to TDP – On strongly black-box reduction from KDM security to “any” hardness assumption
Black-box construction Black-box proof of security Adversary for breaking KDM ) Inverter for breaking OWF Fully-Black-Box Reduction from KDM security to OWF Adversary for KDM Inverter for OWF OWF (Enc,Dec) OWF
Black-box proof of security A R OWF ¼ Y Ã {0,1} n x 2 ¼ - 1 (y) Breaks the KDM security of (Enc ¼,Dec ¼ )
Impossibility Result for OWF Based Schemes There exists no fully-black-box reduction from KDM- secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions More formally: Let (Enc (),Dec () ) be a OWF based encryption scheme, and let v(n) = |Enc () (M)|, for M 2 {0,1} 2n. Then (Enc (),Dec () ) cannot be proved (in a black-box way) to be KDM-secure against H v(n)+n – a family of (v(n)+n)-independent hash functions from {0,1} n to {0,1} 2n
Our adversary A R OWF ¼ Y à {0,1} n x 2 ¼ - 1 (y) 1.A breaks the (weak) KDM security of (Enc ¼,Dec ¼ ) 2. ¼ is hard to invert in the presence of A. Proof: a la ’ [Simon ‘98] / [Gennaro-Trevisan ‘ 01, H-Hoch-Reingold- Segev ‘07 ] 1n1n h c k … 1) Select h à H v(n)+n 2) On input C, output (the first) k s.t. Dec k (C) = h(k)
outline Define Key Dependent Message (KDM) secure encryption scheme Our (impossibility) results – On fully black-box reductions from KDM security to TDP – On strongly black-box reductions from KDM security to “any” hardness assumption
Let ¡ be a cryptographic assumption (e.g., factoring is hard) Arbitrary construction Black-box proof of security. The query function h is treated as a black box Strongly Black-Box Reduction from KDM security to ¡ Adversary for KDM Adversary for ¡
Strongly Black-box proof of security A R for breaking ¡ ¡ A break the KDM security of (Enc,Dec) Factoring is hard n = pq p,q 1n1n h c k … 1.h is only accessed via its input/output interface 2.Access to h is not given to a “third party”
Impossibility Result for Strongly Black-Box Reductions Assume that there exists a strongly-black-box reduction from KDM encryption scheme to ¡, which is secure against O n – the family of random functions from {0,1} n to {0,1} 2n. Then ¡ can be broken unconditionally
Our Adversary A R ¡ Breaks the KDM security of (Enc,Dec) 1) Select h à O n 2) On query C, output (the first) k s.t. Dek k (C) = h(k) 1.A breaks the (weak) KDM security of (Enc,Dec) 2. R A, ¡ can be efficiently emulated
The Emulation R ¡ hÃOnhÃOn h(x 1 ) x1x1 h(x 2 ) x2x2 … 1.Answer to h(x i ) with a random y i 2 { 0,1} 2n (while keeping consistency) 2. On query C, return (the first) x i s.t Dec x i (C) = y i Proof Idea: the probability that h(k)= Dec k (C ) for non-queried k, is 2 -2n c k A 1n1n h
Further Issues Both bounds hold for 1-1 PRF Open questions Prove feasibility result against larger class of functions Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)