Published by Lorena Chapman. Modified over 6 years ago.
1
Selective-opening security in the presence of randomness failures
Viet Tung Hoang (1), Jonathan Katz (2), Adam O’Neill (3), and Mohammad Zaheri (4)
(1) Dept. of Computer Science, Florida State University
(2) Dept. of Computer Science, University of Maryland
(3) Dept. of Computer Science, Georgetown University
(4) Dept. of Computer Science, Georgetown University
2
Outline of Talk
- Background and motivation
- Selective-opening secure nonce-based PKE
- Lifting the results to the “hedged” setting
- Conclusion and open problems
4
The motivating scenario
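[Diagram: senders encrypt messages m1, m2, m3 under the receiver's public key pk, giving ciphertexts c1, c2, c3; the receiver holds sk. Adversary: “I want to know m1, m2, m3 …”]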
5
What can the adversary do?
- Subvert senders’ pseudorandom number generator (PRNG)
- Break in to senders’ machines
Notice the adversary may recover the senders’ randomness in this case. The goal is to protect the unrecovered messages.
[Diagram: pk, m1 → Enc → c1]
6
How to protect against this?
- Use deterministic [BBO’07], hedged [BBNRSSY’09], or nonce-based [BT’16] PKE to protect against PRNG subversion
- Use selective-opening (SOA) secure [BHY’09…] PKE to protect against (the after-effects of) break-ins
- This work: we want to protect against both types of attacks simultaneously!
7
Main theme and results
- Can we define and build schemes that protect against both PRNG subversion and break-ins?
- Yes! We define and build selective-opening secure deterministic, hedged, and nonce-based PKE
- In fact we define hedged nonce-based PKE, subsuming all these primitives (and we define and achieve selective-opening security for it)
9
Nonce-based PKE [BT’16]
- Each sender chooses a seed, and encryption does not use randomness but rather the seed and a nonce
- Security holds if either the seed is secret and nonces are unique, or if the seed is revealed but nonces have high entropy
[Diagram: Kg → (pk,sk); Sg → xk; Enc on inputs pk, xk, N, m → c; Dec on inputs sk, c → m]
10
SOA security for nonce-based PKE
A message sampler M outputs a vector of messages. We further define
- (μ,d)-entropic message samplers, where each message has min-entropy μ conditioned on any d others
- Conditionally resampleable message samplers, where any subset of messages can be efficiently resampled conditioned on the others
Intuition: We test whether the adversary can compute a function of the real messages better than a function of the messages after conditional resampling
11
SOA security for nonce-based PKE
Fix a nonce-based PKE NE = (Kg,Sg,Enc,Dec), conditionally resampleable message sampler M, high-entropy nonce generator Ng, and function f
Challenger:
    (pk,sk) ← Kg; xk1,…,xkn ← Sg
    m1,…,mn ← M
    Nj ← Ng for j ∈ J
    ci ← Enc(pk,xki,Ni,mi)
[Diagram: game between Challenger and Adversary; labels on the arrows: pk, J, c1,…,cn, I, g]
If M is (μ,d)-entropic then require |I| at most d
NE is N-SO-CPA if g=f(m1,…,mn) with about the same probability as g=f(m’1,…,m’n) where m’j = mj for and the remaining messages are conditionally resampled
12
Construction NE1
- [BT’16]: Encrypt with an underlying randomized PKE scheme using “synthetic” coins H(xk,N,m) where H is a hash function
- Our construction NE1: Use the same approach as [BT’16], but with an underlying randomized encryption scheme based on lossy trapdoor functions [PW’08].
13
Lossy trapdoor functions [PW’08]
A trapdoor function LTDF = (K,K’,Eval,Inv) with two key generation modes such that
- K outputs (ek,td) such that Eval(ek,.) is injective and Inv(td,.) is its inverse
- K’ outputs ek’ such that Eval(ek’,.) is many-to-one
In particular, RSA and Rabin are lossy under appropriate assumptions [KOS’10,S’14]
14
Construction NE1
Uses LTDF = (K,K’,Eval,Inv) and hash functions H1,H2. Define NE1=(Kg,Sg,Enc,Dec) via
Kg:
    (ek,td) ← K
    Return (ek,td)
Sg:
    xk ← {0,1}^k
    Return xk
Enc(xk,N,m):
    r ← H1(xk,N,m)
    y ← Eval(r)
    c ← m + H2(r)
    Return (y,c)
Dec(td,(y,c)):
    r ← Inv(y)
    m ← H2(r) + c
    Return m
15
Construction NE1
Theorem. NE1 is N-SO-CPA secure in the non-programmable random oracle model.
Proof intuition: Switch to lossy key generation, then it’s unlikely the adversary will query any r value underlying the ciphertexts, thus “corrupted” indices I will be independent of the messages.
17
Hedging nonce-based PKE
- We would like to guarantee security as long as the sender’s seed, nonce, and message jointly have high entropy
- This strengthens the security provided by nonce-based PKE even in the non-SOA setting.
18
Generic transform
- To achieve the resulting notion HN-SO-CPA we give a generic transform that composes a nonce-based PKE scheme with a deterministic PKE scheme
- So we need to define SOA security for the latter
19
SOA security for deterministic encryption
Fix a deterministic PKE DE = (Kg,Enc,Dec), conditionally resampleable message sampler M, and function f
Challenger:
    (pk,sk) ← Kg; m1,…,mn ← M
    ci ← Enc(pk,mi) for i=1 to n
[Diagram: game between Challenger and Adversary; labels on the arrows: pk, c1,…,cn, I, g]
DE is D-SO-CPA if g=f(m1,…,mn) with about the same probability as g=f(m’1,…,m’n) where m’j = mj for and the remaining messages are conditionally resampled
20
Construction DE1
To achieve D-SO-CPA security, we use a de-randomized version of NE1 we call DE1
Kg:
    (ek,td) ← K
    Return (ek,td)
Enc(ek,m):
    r ← H1(m)
    y ← Eval(r)
    c ← m + H2(r)
    Return (y,c)
Dec(td,(y,c)):
    r ← Inv(y)
    m ← H2(r) + c
    Return m
21
Construction DE1
Theorem. DE1 is D-SO-CPA in the non-programmable random oracle model.
Proof involves subtleties related to the fact that “corrupted” set I can depend on the public key and is given to the resampling algorithm
22
Nonce-then-deterministic transform
To encrypt a message m under key (pk1,pk2) with seed xk and nonce N:
[Diagram: boxes NE and DE; inputs pk1, xk, N, m and pk2; output c]
Theorem. The composed scheme is HN-SO-CPA secure if DE is D-SO-CPA and NE is N-SO-CPA and "entropy preserving."
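Added example (not from the slides or from the paper's authors): a toy Python rendering of the NE1 and DE1 constructions and of the nonce-then-deterministic composition, showing that encryption is a deterministic function of (seed, nonce, message) and that both layers decrypt. Assumptions: textbook RSA stands in for the LTDF's injective mode, SHAKE-256 for H1/H2, XOR for "+", the slide-22 diagram is read as DE.Enc(pk2, NE.Enc(pk1, xk, N, m)), and all function names and the Mersenne-prime keys are constructed for illustration and are not secure.

```python
import hashlib

def keygen(p, q, e=65537):
    """Toy injective-mode key: textbook RSA on n = p*q. Returns (ek, td)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def H(tag, *parts, outlen=64):
    """Random-oracle stand-in: SHAKE-256 over a tag and length-prefixed parts."""
    h = hashlib.shake_256(tag)
    for part in parts:
        h.update(len(part).to_bytes(8, "big") + part)
    return h.digest(outlen)

def _seal(ek, r, m):
    n, e = ek
    k = (n.bit_length() + 7) // 8
    y = pow(r, e, n)                                     # y <- Eval(ek, r)
    pad = H(b"H2", r.to_bytes(k, "big"), outlen=len(m))  # H2(r), as long as m
    return y.to_bytes(k, "big") + bytes(a ^ b for a, b in zip(m, pad))

def ne1_enc(ek, xk, N, m):
    """NE1: synthetic coins r <- H1(xk, N, m); no fresh randomness is drawn."""
    return _seal(ek, int.from_bytes(H(b"H1", xk, N, m), "big") % ek[0], m)
def de1_enc(ek, m):
    """DE1: the de-randomized variant, r <- H1(m)."""
    return _seal(ek, int.from_bytes(H(b"H1", m), "big") % ek[0], m)

def dec(td, ct):
    """Dec shared by NE1 and DE1: r <- Inv(td, y), then m <- H2(r) + c."""
    n, d = td
    k = (n.bit_length() + 7) // 8
    r = pow(int.from_bytes(ct[:k], "big"), d, n)
    pad = H(b"H2", r.to_bytes(k, "big"), outlen=len(ct) - k)
    return bytes(a ^ b for a, b in zip(ct[k:], pad))

def ntd_enc(ek1, ek2, xk, N, m):
    """Composition as assumed here: DE1 under pk2 over the NE1 ciphertext under pk1."""
    return de1_enc(ek2, ne1_enc(ek1, xk, N, m))
def ntd_dec(td1, td2, ct):
    return dec(td1, dec(td2, ct))

# Constructed toy keys from known Mersenne primes: illustration only, not secure.
EK1, TD1 = keygen(2**107 - 1, 2**127 - 1)
EK2, TD2 = keygen(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    c = ntd_enc(EK1, EK2, b"\x01" * 16, b"nonce-0001", b"hello")  # constructed inputs
    print(ntd_dec(TD1, TD2, c))
```

Because the coins are derived from the inputs, reusing a nonce with the same seed and message reproduces the ciphertext exactly, which is why the nonce-based notion asks for unique nonces while the seed is secret.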
24
Conclusion
- We treated selective-opening security of schemes designed to be robust to randomness failures
- SOA security is natural to consider in tandem with randomness failures since an adversary can target senders via multiple means
25
Open problems
- Standard-model (vs. NPROM) schemes achieving our notions
- NPROM schemes achieving a simulation-based notion of SOA security for nonce-based PKE, or a proof that this is impossible
26
Thank you!