Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete."— Presentation transcript:

1 On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A August 04, 2009 Thomas Holenstein Princeton University

2 outline  Define Key Dependent Message (KDM) secure encryption scheme  Two (impossibility) results – On fully-black-box reductions from KDM security to TDP – On strongly-black-box reductions from KDM security to “any” hardness assumption

3 Weak Key Dependant Message Security An encryption scheme (Enc,Dec) is KDM secure, if for any efficient A A h 1 :{0,1} n  {0,1} m Enc k (h 1 (k)) h 2 Enc k (h 2 (k)) … ¼C¼C k à {0,1} n Challenger … A h 1 :{0,1} n  {0,1} m Enc k (U m ) h 2 Enc k (U m ) k à {0,1} n Challenger A cannot find k What class of query functions (e.g., h) should be considered? In most settings, we should consider any (efficient) function

4 Feasibility Results  Limited output length functions: – [Hofheinz-Unruh ‘08] based on any PKE  Family of affine functions: – [Bonhe-Halevi-Hamburg-Ostrovsky ‘08] based on DDH – [Applabaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE  Efficient functions ???  Any function – [Black-Rogway-Shrimpton ‘02] based on Random Oracle

5 Our Impossibility Results (informal) It is impossible to construct (via black-box techniques) KDM encryption scheme that is secure against  the family of poly-wise independent hash functions, based on OWF – extends to TDP  any function, based on “any assumption” We focus on the private key setting Hold also for the “many PK keys” setting

6 outline  Define Key Dependent Message (KDM) secure encryption scheme  Our (impossibility) results – On fully black-box reductions from KDM security to TDP – On strongly black-box reduction from KDM security to “any” hardness assumption

7 Black-box construction Black-box proof of security Adversary for breaking KDM ) Inverter for breaking OWF Fully-Black-Box Reduction from KDM security to OWF Adversary for KDM Inverter for OWF OWF (Enc,Dec) OWF

8 Black-box proof of security A R OWF ¼ Y Ã {0,1} n x 2 ¼ - 1 (y) Breaks the KDM security of (Enc ¼,Dec ¼ )

9 Impossibility Result for OWF Based Schemes There exists no fully-black-box reduction from KDM- secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions More formally: Let (Enc (),Dec () ) be a OWF based encryption scheme, and let v(n) = |Enc () (M)|, for M 2 {0,1} 2n. Then (Enc (),Dec () ) cannot be proved (in a black-box way) to be KDM-secure against H v(n)+n – a family of (v(n)+n)-independent hash functions from {0,1} n to {0,1} 2n

10 Our adversary A R OWF ¼ Y à {0,1} n x 2 ¼ - 1 (y) 1.A breaks the (weak) KDM security of (Enc ¼,Dec ¼ ) 2. ¼ is hard to invert in the presence of A. Proof: a la ’ [Simon ‘98] / [Gennaro-Trevisan ‘ 01, H-Hoch-Reingold- Segev ‘07 ] 1n1n h c k … 1) Select h à H v(n)+n 2) On input C, output (the first) k s.t. Dec k (C) = h(k)

11 outline  Define Key Dependent Message (KDM) secure encryption scheme  Our (impossibility) results – On fully black-box reductions from KDM security to TDP – On strongly black-box reductions from KDM security to “any” hardness assumption

12 Let ¡ be a cryptographic assumption (e.g., factoring is hard)  Arbitrary construction  Black-box proof of security.  The query function h is treated as a black box Strongly Black-Box Reduction from KDM security to ¡ Adversary for KDM Adversary for ¡

13 Strongly Black-box proof of security A R for breaking ¡ ¡ A break the KDM security of (Enc,Dec) Factoring is hard n = pq p,q 1n1n h c k … 1.h is only accessed via its input/output interface 2.Access to h is not given to a “third party”

14 Impossibility Result for Strongly Black-Box Reductions Assume that there exists a strongly-black-box reduction from KDM encryption scheme to ¡, which is secure against O n – the family of random functions from {0,1} n to {0,1} 2n. Then ¡ can be broken unconditionally

15 Our Adversary A R ¡ Breaks the KDM security of (Enc,Dec) 1) Select h à O n 2) On query C, output (the first) k s.t. Dek k (C) = h(k) 1.A breaks the (weak) KDM security of (Enc,Dec) 2. R A, ¡ can be efficiently emulated

16 The Emulation R ¡ hÃOnhÃOn h(x 1 ) x1x1 h(x 2 ) x2x2 … 1.Answer to h(x i ) with a random y i 2 { 0,1} 2n (while keeping consistency) 2. On query C, return (the first) x i s.t Dec x i (C) = y i Proof Idea: the probability that h(k)= Dec k (C ) for non-queried k, is 2 -2n c k A 1n1n h

17 Further Issues  Both bounds hold for 1-1 PRF Open questions  Prove feasibility result against larger class of functions  Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)

Download ppt "On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete."

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
On Black-Box Separations in Cryptography

On Black-Box Separations in Cryptography
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.

A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1.

Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

Similar presentations

Ads by Google