Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rishab Goyal Venkata Koppula Brent Waters

Published byPierce Gregory Modified over 6 years ago

Similar presentations

Presentation on theme: "Rishab Goyal Venkata Koppula Brent Waters"— Presentation transcript:

1 Rishab Goyal Venkata Koppula Brent Waters
Separating IND-CPA and Circular Security for Unbounded Length Key Cycles Rishab Goyal Venkata Koppula Brent Waters

2 Key Dependent Message Security [BlackRogawayShrimpton02]
Plaintexts dependent on secret key Encrypted Storage Systems (e.g., BitLocker) Anonymous Credential Systems [CamenischLysyanskaya01] Gentry’s Bootstrapping [Gentry09] .... Semantic (IND-CPA) security might not be sufficient Let’s start by talking about …

3 n-Circular Encryption [CamenischLysyanskya01]
All-or-Nothing Sharing Credentials PK1 PK2 . . . PKn Secret SK1 SK2 . . . SKn The most common example where we see key dependent messages in practice is … “A user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. “ EncPK1(SK2) . . . EncPKn-1(SKn) EncPKn(SK1)

4 n-Circular Security BDDH [BonehHamburgHaleviOstrovysky08]
PK1 PK1 . . . . . . +ve Results PKn BDDH [BonehHamburgHaleviOstrovysky08] LWE [ApplebaumCashPeikertSahai09] Extensions [BG10, BHHI10, BGK11, App11, MTY11, BV11, AP12] PKn EncPK1(SK2) EncPK1(0) . . . . . . EncPKn(SK1) EncPKn(0)

5 Does IND-CPA imply n-Circular Security?

6 Negative Results n = 2 Bilinear Groups [AcarBelenkiyBellareCash10, CashGreenHohenberger12] LWE [BishopHohenbergerWaters15] n ≥ 3 Obfuscation [KoppulaRamchenWaters15, MarcedoneOrlandi16] LWE [KoppulaWaters16, AlamatiPeikert16] So, what does this suggest?

7 A Closer Look … iO [KRW15] LWE [AP16, KW16] Theorem. ∀ n, ∃ IND-CPA secure encryption scheme E that is not n-circular secure. For every scheme E, does there exist a parameter n such that it is n-circular secure? So, what does this suggest? These are contrived schemes. This leaves door open for each scheme to have a cycle length property such that it is circular secure for that length. This would mean that every scheme is circular secure for some parameter.

8 A Closer Look … Assuming iO New Theorem. ∃ IND-CPA secure encryption scheme E such that ∀ n, it is not n-circular secure. For every scheme E, does there exist a parameter n such that it is n-circular secure? So, what does this suggest? These are contrived schemes. This leaves door open for each scheme to have a cycle length property such that it is circular secure for that length. This would mean that every scheme is circular secure for some parameter.

9 Indistinguishability Obfuscation [BarakGoldreichImpagliazzoRudichSahaiVadhanYang01]
Compiling functionally equivalent programs to indistinguishable programs P0 P1 O O O(P0) O(P1)

10 } KRW Counterexample ……… Choose key pair = obfuscation of
Decrypt ct1 as Decrypt ct2 as Decrypt ctn as If sk1 = m, output ‘Cycle’. } ……… Inputs

11 } Extending KRW ……… Decrypt ct1 as Decrypt ct2 as … Decrypt ctn as
Inputs Decrypt ct1 as Decrypt ct2 as Decrypt ctn as If sk1 = m, output ‘Cycle’. Want this to work for all cycle lengths. Cycle length not a-priori known or fixed. (Q- How to defend from iO for TMs?) At first thought, it might seem iO for TMs. But it needs leveraging and input size fixed. Cycle length fixed!

12 An Iterative Approach …… …… EncPKn(SK1) 1 EncPK1(SK2) n 2
EncPKn-1(SKn) n - 1 EncPK2(SK3) 3 EncPKn-2(SKn-1) …… …… EncPK3(SK4)

13 An Iterative Approach …… …… EncPKn(SK1) 1 n EncPKn-1(SKn) EncPK1(SK3)

14 An Iterative Approach …… …… EncPKn(SK1) 1 n EncPKn-1(SKn) EncPK1(SK4)

15 An Iterative Approach 1 EncPK1(SK1) At a high level, …

16 Main Idea … Use FHE for cycle reduction Create a 1-cycle tester … … 1
2 n - 1 n 3 1 n - 1 n 3 1

17 Cycle Reduction: FHE Correctness :

18 Cycle Reduction: FHE ………… …………

19 1-Cycle Tester: First Attempt
Choose key pair Compute = obfuscation of Output

20 1-Cycle Tester: First Attempt
Choose key pair Compute = obfuscation of Output Intuitively secure, but how to prove under iO? IND-CPA security provable if VBB obfuscation.

21 1-Cycle Tester: KRW Technique
Choose key pair , string s Compute = obfuscation of Output KRW trick. IND-CPA security provable under iO.

22 1-Cycle Tester: Proof Idea
Choose key pair , string s Compute = obfuscation of Output

23 Putting Together … Needs Fully Homomorphic Encryption!!
Use FHE for cycle reduction Create a 1-cycle tester Needs Fully Homomorphic Encryption!! Leveled HE not sufficient! 1 2 n - 1 n 3 1 n - 1 n 3 1 Not known from standard assumption or even iO.

24 An Alternative Approach
1 EncPKn(SK1) EncPK1(SK2) n 2 EncPKn-1(SKn) n - 1 EncPK2(SK3) 3 EncPKn-2(SKn-1) …… …… EncPK3(SK4)

25 An Alternative Approach
1 EncPK1(SK2) 2 EncPKn-1(SK1) n - 1 EncPK2(SK3) 3 EncPKn-2(SKn-1) …… …… EncPK3(SK4)

26 An Alternative Approach
1 EncPK1(SK2) 2 EncPKn-2(SK1) EncPK2(SK3) 3 …… …… EncPK3(SK4)

27 An Alternative Approach
1 EncPK1(SK1) At a high level, …

28 Summarizing … Use FHE for cycle reduction Create a 1-cycle tester
2 n - 1 n 3 1 2 n - 1 3 1 Not known from standard assumption or even iO. Leveled HE

29 Conclusions and Open Problems
Stronger circular security counterexample. Assume existence of iO. Can it be based on more standard assumptions? Say why stronger. That is, it says IND-CPA schemes may not be circular secure for any length parameter.

30 Conclusions and Open Problems
Stronger circular security counterexample. Assume existence of iO. Can it be based on more standard assumptions? Yes! Normally a talk ends here. But very recently, we were able to solve this problem under LWE.

31 Lockable Obfuscation [GKoppulaWaters17]
Correctness:

32 Lockable Obfuscation [GKoppulaWaters17]
Security:

33 Our Result [GKoppulaWaters17]
Lockable Obfuscation All poly sized circuits* Secure under LWE Applications Attribute-Based Encryption  Predicate Encryption Circular Security Separations (Bit Encryption, Unbounded, …) Random Oracle Uninstantiability (Fujisaki-Okamoto, …) Rejecting Indistinguishability Obfuscator (riO) ePrint: 2017/274

34 Thank you! Questions?

35

Download ppt "Rishab Goyal Venkata Koppula Brent Waters"

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Simons Institute, Cryptography Boot Camp

Simons Institute, Cryptography Boot Camp
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.
Circular-Secure Encryption from Decision Diffie-Hellman Dan Boneh Shai Halevi Mike Hamburg Rafail Ostrovsky.

Circular-Secure Encryption from Decision Diffie-Hellman Dan Boneh Shai Halevi Mike Hamburg Rafail Ostrovsky.
Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski www.dziembowski.net MIM UW 14.12.12ver 1.0.

Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski MIM UW ver 1.0.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Similar presentations

Ads by Google