Presentation is loading. Please wait.

Presentation is loading. Please wait.

1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

Published byRamiro Mayo Modified over 10 years ago

Similar presentations

Presentation on theme: "1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)"— Presentation transcript:

1 1

2 Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

3 Public-Key Encryption 3 m Alice Bob c Learns nothing! Semantic Security [Goldwasser-Micali ‘82] Enc pk (m 0 ) and Enc pk (m 1 ) are computationally indistinguishable for any m 0 and m 1 Encryption must be randomized m

4 Randomness is a Liability 4

5 Randomness is difficult Weak sources in practice (keystrokes, timing) Incorrect implementations – [Heninger et al. ‘12, Lenstra et al. ‘12] on RSA public keys – Sony PS3 master signing key broken due to reuse of randomness across different EC-DSA key pairs Weak randomization attacks against RSA-OAEP [Brown ’05] many many more … 5

6 Deterministic Public-Key Encryption Encryption algorithm is deterministic 6 En c always! Why study deterministic encryption? Hedging against weak sources Can get short ciphertexts –E–Each pk therefore may define a permutation Efficiently searchable encryption –E–Encrypted keyword search [BS11] –D–Deduplication over encrypted data Can we formalize and realize meaningful notions of security for deterministic encryption? BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 …

7 Deterministic Public-Key Encryption 7 “Theory meets practice” Efficiently searchable encryption – Encrypted keyword search – Deduplication over encrypted data Can get short ciphertexts – Easier to use in legacy systems Can we formalize and realize meaningful notions of security for deterministic public key encryption? BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … BBO ’07 BFO ’08 BFOR ’08 BBNRSSY ’09 BS ’11 MPRS ’12 FOR ’12 … 3 B’s, 3 F’s, 2 S’s

8 Deterministic Encryption Security – Restricted to high-entropy messages – Nevertheless useful for key encapsulation – Key encapsulation mechanisms [BS11] 8 3 different B’s 3 different F’s 2 different S’s 3 different B’s 3 different F’s 2 different S’s BBO07, BFO08, BFOR08, BBNRSSY09, BS11, MPRS12, FOR12

9 Security of Det. PKE ( attempt 1 ) 9 m 0, m 1 b  {0,1} Guess b pk c = Enc pk (m b ) What happens if Enc is deterministic? Is c = Enc pk (m 0 ) ? If so, guess b=0 Else, guess b=1 Security cannot hold if adversary knows (or can predict) m 0 or m 1 !

10 Security of Det. PKE ( attempt 2 ) 10 M 0, M 1 m 0  M 0 m 1  M 1 b  {0,1} Guess b c = Enc pk (m b ) * H ∞ (M b ) is not too small: no message is very likely to occur * Is this restriction sufficient? M 0 : sample a random message m such that c = Enc pk (m) starts with a 0 M 1 : sample a random message m such that c = Enc pk (m) starts with a 1 If M allowed to depend on pk and arbitrary then the encryption has subliminal channels NO pk

11 Security of Det. PKE [ BBO ’07 ] 11 M 0, M 1 m 0  M 0 m 1  M 1 b  {0,1} Guess b c = Enc pk (m b ) * pk Not realistic assumption in practice – malicious adversary will use the pk in his attack – does not model what information will be leaked when there are accidental dependencies on the public key Question: Realistic security notions that allow the adversary to choose M after seeing pk

12 Security of Det. PKE [ BBO ’07 ] 12 M 0, M 1 m 0  M 0 m 1  M 1 b  {0,1} Guess b, pk c = Enc pk (m b ) * Not realistic assumption in practice – malicious adversary will use the pk in his attack – does not model what information will be leaked when there are accidental dependencies on the public key Question: Realistic security notions that allow the adversary to choose M after seeing pk

13 Defining Deterministic Encryption If M is independent of pk then only “single shot” definition 13 M *M * pk, Enc pk (m b ) m 0  M m 1  U b  {0,1} Guess b * H ∞ (M) is sufficiently large: “hard to guess” any single message M : choose random m. If Enc pk (m)=0…… output m, else repeat pk Enc pk (m b ) What happens if pk is given before choosing M b ? In [BBNRSSY09] authors consider “multi shot” definition so long as scheme satisfies anonymity

14 Our Work Formalize notions of adaptive security – Attackers given access to pk – Extensions Generic constructions in the random-oracle model – Based on any off-the-shelf (randomized) PKE Constructions in the standard model – Connection to deterministic randomness extractors – New techniques to deterministically extract via a “high- moment crooked” leftover hash lemma – New cryptographic tools (R-lossy trapdoor functions) 14

15 Dec(sk,.) Defining Adaptive Det. PKE 15 M 0, M 1 m 0  M 0 m 1  M 1 Guess b c = Enc pk (m b ) * Set of distributions X of size 2 p X is fixed apriori Set of distributions X of size 2 p X is fixed apriori Fix random b  {0,1} Adversary can choose M adaptively based on pk and on answers c as long as M remains in set X. General notion – p=0 : independent of pk – p=O(s.log(s)) : all circuits of size s “Multi-shot” Easily extends to CCA (chosen ciphertext- attack) security (what a surprise!) Security notion only depends on p. Holds for all X of size 2 p Security notion only depends on p. Holds for all X of size 2 p pk

16 Adaptive det. encryption 16 “Real-or-random” oracle RoR(mode,pk,M) – Real: choose m  M and output Enc pk (m) – Random: choose u  U and output Enc pk (u) RoR(real, pk,.) pk M c ≈p≈p RoR(rand, pk,.) pk M c Set of distributions X of size 2 p Can choose adaptively based on pk and on answers c by RoR from the set X General notion p=0 : [BBO07] p=O(s.log(s)) : all circuits of size s Dec(sk,.)

17 domain f f -1 Injective Efficiently invertible (trapdoor) Two families of functions: injective and lossy range Lossy Cannot be inverted (information theoretically) g Security The descriptions of f and g are “computationally indistinguishable” Much smaller than domain Tool: Lossy Trapdoor Functions [PW08] 17

18 f( ) π( ) Our Basic Scheme 18 Let f be an injective member of a LTDF family Let π be a “sufficiently independent” random permutation * pk = f, π sk = f -1 = Enc: = Dec: π -1 ( ) f -1 ( ) * π chosen randomly from a t-wise δ-dependent family of permutations [KNR09]

19 Proof (by pictures) 19 f f π π f f π π g g π π g g π π f πg πg π g πg π security of LTDFs M0M0 M1M1 security of LTDFs Basic scheme is adaptively secure f ≈ g High-moment Crooked Leftover Hash Lemma: Extracting randomness even if M 0 and M 1 can depend on (g, π)

20 Extracting randomness (LHL) 20 Original LHL f is universal, X is independent of f ( f, f(X) ) ≈ ( f, U ) Crooked LHL f is lossy, π is pairwise independent, X is independent of f ( f, π, f(π(X)) ) ≈ ( f, π, f(U) ) High-Moment LHL f is t-wise independent, X can depend on f but bounded ( f, f(X) ) ≈ ( f, f(U) ) High-Moment Crooked LHL f is lossy, π is t-wise independent, X can depend on f ( f, π, f(π(X)) ) ≈ ( f, π, f(U) ) [DS05] [TV00] Set of distributions of size 2 p g g π π g g π π g πg π g πg π ≈

21 High-Moment Crooked LHL 21 Generalizes the Leftover Hash Lemma [HILL89] and its “crooked” variant [DS05] Lemma – Let f:{0,1} n  {0,1} n such that |Im(f)|≤2 n-ℓ – Let X be a set of sources such that for each X in X, H ∞ (X) ≥ (n-ℓ) + 3log(log(|X|)) + 2log(1/ϵ) + θ(1) – Let Π is a family of t-wise independent permutations with t ≈ log(|X|) + (n-ℓ) – Then, with probability 1-ϵ over the choice of π in Π for every X in X we have SD ( f(π(X)), f(U) ) < ϵ Choice of X can depend on f and π

22 Conclusions This work – Defining adaptive deterministic PKE – Constructions secure in the random oracle and standard model – New tools for deterministic extraction Going forward: New directions for research (a.k.a. help me write papers!) – Shorter public keys? In general, public-key needs to be longer than p In our paper: short public-key only for s-circuit size distributions in the random-oracle model – Technical questions related to extraction (work-in-progress) – Other paradigms to construct deterministic PKE schemes 22

23 Other Projects Secure Deduplication (joint work with M. Abadi, D. Boneh, I. Mironov, G. Segev) – Adversary model and security notions – Constructing secure deduplication schemes with strongest security notions – Lead to new and interesting questions about modeling and constructing encryption schemes that leak functionality Authenticated Differential Privacy (joint work with I. Mironov, G. Segev) – Explored differential privacy in the context of outsourced databases with untrusted clients and servers – Generic constructions from cryptographic hammers – Interesting motivation to develop efficient succinct non- interactive arguments that are useful in practice 23

24 Thank you! Any questions? 24

Download ppt "1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)"

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
RSA.

RSA.
Public Key Cryptosystem

Public Key Cryptosystem
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.

Routing and Congestion Problems in General Networks Presented by Jun Zou CAS 744.
Lets play bingo!!. Calculate: MEAN 4 7 5 8 6 Calculate: MEDIAN 9 4 6 1 5.

Lets play bingo!!. Calculate: MEAN Calculate: MEDIAN
Addition 1’s to 20.

Addition 1’s to 20.
25 seconds left…...

25 seconds left…...
Week 1.

Week 1.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
We will resume in: 25 Minutes.

We will resume in: 25 Minutes.
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.

Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.

Similar presentations

Ads by Google