Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University of Tokyo 2. RCIS, AIST

Detailed analysis of Chaffing-and- Winnowing (C&W) under multiple-use setting More efficient Chaffing-and-Winnowing –C&W for n-time use from n-spoofing secure A-code –practical C&W from A-code with a specific property Overview of This Work 2 We show:

Contents Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 3

Overview –Chaffing and Winnowing –Previous Work –Our Contribution Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 4

Chaffing-and-Winnowing (C&W) A technique to achieve confidentiality without using encryption when sending data over an insecure channel. Proposed by R. Rivest “Chaffing and winnowing: confidentiality without encryption”

Basic Idea Send plaintext directly No encryption is performed Send dummies with the plaintext. chaff Only one of the plaintext is authentic, the other ones are dummies Receiver can distinguish plaintext (wheat) from dummies (chaff). winnow Being able to distinguish plaintext from dummies would require an adversary to know the secret key.

7 Chaffing-and-Winnowing Example –Authentication code (A-code) : A k (M) –Plaintext: “Hi Bob” A 1 =A k (“Hi Bob”) A 2 =A k’ (“Hi Larry”) (“Hi Bob”,A 1 ),(“Hi Larry”,A 2 ) Compute A k (“Hi Bob”) and A k (“Hi Larry”) Compare A k (“Hi Bob”) and A 1, A k (“Hi Larry”) and A 2 “Hi Bob”

Previous Work Bellare and Boldyreva, ASIACRYPT 2000 –Showed the security of C&W in the computationally secure setting Hanaoka et al., AAECC 2006 (HHHWI06) –Showed the security of C&W in the unconditinally secure setting 8

Main Result of HHHWI06 9 Impersonation- secure A-code Perfectly secure and Non-Malleable encryption Impersonation- and substitution- secure A-code Perfectly secure encryption Theorem 1 Theorem 2 C&W We can achieve:

Related Work Stinson, manuscript, 2006 –“Unconditionally secure chaffing and winnowing with short authentication tags” –construct C&W from short authentication tags 10 Impersonation- secure A-code with short tag Perfectly secure encryption C&W

Our Contribution Our work is extension of HHHWI06 –HHHWI06 only consider the case in one-time use Then, we extend for multiple use –In other words, to generalize the HHHWI06 –Detailed analysis of C&W under multiple-use setting construct unconditionally secure C&W for multiple use show C&W with one authentication tag 11

One-time/Multiple Use 12 One-time use Multiple use

Overview Unconditionally Secure C&W for Multiple Use –Security Notions –Our Result –Construction and Comparison C&W with one authentication tag Future Work and Conclusion 13

Security on A-code 14 n-Spoofing ImpersonationSubstitution

Perfect Security 15 n-Perfect Security (n-PS) Perfect Security

Non-Malleability (1/2) An adversary is given n ciphertexts Corresponding plaintexts are Non-Malleability: –inability to generate a ciphertext whose plaintext is related to for example –Definition 16

Non-Malleability (2/2) 17 n-Non-Malleability (n-NM) Non-Malleability

Our Results (1/3) Construct unconditionally secure C&W for multiple use –from n-spoofing secure A-code to n-perfectly secure (n-PS) encryption –from (n+1)-spoofing secure A-code to n-perfectly secure (n-PS) and n-Non-Malleable (n-NM) encryption 18

Our Results (2/3) 19 n-spoofing secure A-code n-PS and n-NM encryption (n+1)-spoofing secure A-code n-PS encryption C&W

Our Results (3/3) 20 Imp A-code PS and NM encryption Imp and Sub A-code PS encryption C&W n-spoofing secure A-code n-PS and n-NM encryption (n+1)-spoofing secure A-code n-PS encryption C&W HHHWI06 Our Result

Construction 21

Comparison 22 Construction Key Size [bits] Ciphertext Size [bits] Our proposal n copies of HHHWI06

Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 23

Overview (1/2) C&W with one authentication tag –If the underlying A-code has a specific property, we can construct C&W with one authentication tag 24 n-Spf A-code with a specific property n-PS and n-NM encryption with one tag (n+1)-Spf A-code with a specific property n-PS encryption with one tag C&W

Overview (2/2) From this result, we can see that these A-codes can be seen as conventional encryptions –we prove that to send one tag corresponding to the message is secure 25 AuthenticationEncryption Can be seen as

The specific property “For all a, there exists at least one k such that, for all m, A k (m)=a” There exists an example of an A-code which is n-Spoofing secure and has this property 26 For example:

Construction 27

Comparison 28 ConstructionKey Size [bits] Ciphertext Size [bits] Need specific A-codes? Our proposal (previous) No Our proposal (with one tag) Yes n copies of HHHWI06 No The construction with one tag is practical

Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 29

Future Work Remove the restriction that (like Stinson’s work) –In [Stinson’06], C&W is constructed from A- code with short tags (more weak A-code) –[Stinson’06] D.R. Stinson, “Unconditionally secure chaffing and winnowing with short authentication tags,” Cryptology ePrint Archive, Report 2006/189,

Conclusion Detailed analysis of C&W under multiple-use setting –from n-Spf secure A-code to n-PS encryption –from (n+1)-Spf secure A-code to n-PS and n-NM encryption More efficient Chaffing-and-Winnowing –C&W for n-time use from n-spoofing secure A- code –practical C&W from A-code with a specific property provide same function as conventional encryption 31