Published by Aldous Weaver. Modified over 9 years ago.
1
Circular-Secure Encryption from Decision Diffie-Hellman. Dan Boneh, Shai Halevi, Mike Hamburg, Rafail Ostrovsky
2
Key Dependent Messages. Message may depend on key –Encrypted swap –Encrypted backups. Security in this setting does not follow from semantic security –Trivial, pathological counterexamples –Or…
3
Secure Self-Encryption [BRS’02]: $E_k(m) = (r,\ H(r \| k) \oplus m)$, with $r \leftarrow R$. [Figure: r and k are fed to H, whose output masks m.]
4
Insecure Self-Encryption [HK’07]: $r \leftarrow R$; $E'_k(k) = (r,\ E_r(k))$. [Figure labels: Encrypt, H, k, $H(r \| k)$, $E_r(k)$.]
5
KDM in practice. Collaboration: two parties with key pairs $PK_A / SK_A$ and $PK_B / SK_B$; ciphertexts $E_{PK_B}(SK_A)$ and $E_{PK_A}(SK_B)$.
6
Circular Encryption [CL’01]. A user has n credentials signed by CA. User should not “lend” any of his credentials to a friend. Solution [CL’01]: $SK_1, SK_2, \dots, SK_n$ are secret; $PK_1, PK_2, \dots, PK_n$ are public and signed by CA, together with $E_{PK_1}[SK_2],\ E_{PK_2}[SK_3],\ \dots,\ E_{PK_n}[SK_1]$. [Figure: example credentials “NY driver license”, “I am Shai”.]
7
Clique Security: $E_{k_i}(k_j)$ for all $i, j$.
8
(C,n)-KDM security [BRS’02]. Challenger sends $(PK_1, \dots, PK_n)$ to Adversary. Adversary sends $(F \in C,\ i \in \{1, \dots, n\})$. Challenger returns $E_{PK_i}[F(SK_1, \dots, SK_n)]$ or random. Adversary outputs $b^*$.
9
Is ElGamal self-referential secure? Maybe, maybe not. Need $(g,\ g^x,\ g^r,\ g^{rx} \cdot x)$ indistinguishable from random. Requires a funny assumption! Clique security? Need an even funnier assumption… Our goal: use a standard assumption (DDH).
10
Notation. Let G be a group of prime order p. Using additive notation for G: 1-dim vector space over $Z_p$. Perform dot products etc. normally: $(x_1, x_2, x_3) \cdot (g_1, g_2, g_3) = x_1 g_1 + x_2 g_2 + x_3 g_3$, with $g_i \in G$, $x_i \in Z_p$ (aka $g_1^{x_1} g_2^{x_2} g_3^{x_3}$).
11
The Result. n-Clique Secure for any [poly] n –CPA only –Bounds independent of n –More generally, (Affine,n)-Clique Secure. Security rests on DDH –Standard model –Weaker assumptions possible, e.g. D-linear
12
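The System. Secret key: $s = (s_1, s_2, \dots, s_\ell) \in \{0,1\}^\ell$. Public key: $g_1, g_2, \dots, g_\ell$ and $h = 1/(g_1^{s_1} \cdots g_\ell^{s_\ell})$. Encrypt: $(g_1^r,\ g_2^r,\ \dots,\ g_\ell^r,\ h^r \cdot m)$. Decrypt: $m = (g_1^r)^{s_1} \cdots (g_\ell^r)^{s_\ell} \cdot (h^r \cdot m)$. [Figure, additive notation: public key $(v,\ -v \cdot s)$ with $v \in G^\ell$; ciphertext $r\,(v,\ -v \cdot s) + (0, \dots, 0, m)$; dot product with $(s, 1)$ gives $0 + m = m$.]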
13
Theorem: Breaking (Affine,n)-Clique-Secure breaks DDH. Let’s prove self-referential.
14
Intuition. The “ciphertext vectors” (g,1,1,…,1), (1,g,1,…,1), …, (1,1,1,…,g) always decrypt to the secret key. Easy to generate “encryption of the secret key”. [Figure: key bit vector 1 1 0 1 0 1 1.]
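The scheme from “The System” slide and the observation from the “Intuition” slide, as an added Python sketch (not code from the presentation or its authors). The modulus 2039, subgroup order 1019, base 4, ℓ = 8 and all function names are constructed toy assumptions, far too small for real use.

```python
import secrets

# Constructed toy parameters (insecure, illustration only): P = 2Q + 1 with
# P and Q prime; G is the order-Q subgroup of squares modulo P, generated by 4.
P, Q, BASE = 2039, 1019, 4
ELL = 8  # key length l (constructed value)

def rand_elem():
    """Random non-identity element of G."""
    return pow(BASE, secrets.randbelow(Q - 1) + 1, P)

def keygen():
    s = [secrets.randbelow(2) for _ in range(ELL)]   # secret key s in {0,1}^l
    g = [rand_elem() for _ in range(ELL)]            # g_1, ..., g_l
    prod = 1
    for gi, si in zip(g, s):
        prod = prod * pow(gi, si, P) % P
    h = pow(prod, -1, P)                             # h = 1/(g_1^s1 ... g_l^sl)
    return (g, h), s

def encrypt(pk, m):
    """Ciphertext (g_1^r, ..., g_l^r, h^r * m) for a message m in G."""
    g, h = pk
    r = secrets.randbelow(Q - 1) + 1
    return [pow(gi, r, P) for gi in g], pow(h, r, P) * m % P

def decrypt(s, ct):
    """m = (g_1^r)^s1 ... (g_l^r)^sl * (h^r * m)."""
    c, d = ct
    for ci, si in zip(c, s):
        d = d * pow(ci, si, P) % P
    return d

def key_bit_ciphertext(i):
    """The vector (1, .., g, .., 1 | 1) with g in slot i. It needs no key
    material at all, yet decrypts to g^{s_i}: BASE if s_i = 1, else 1."""
    c = [1] * ELL
    c[i] = BASE
    return c, 1

def read_key_from_ciphertexts(s):
    """What the key holder sees when decrypting the l key-bit vectors."""
    return [1 if decrypt(s, key_bit_ciphertext(i)) == BASE else 0
            for i in range(ELL)]
```

Because such vectors are valid ciphertexts of the key bits that anyone can write down, handing an adversary encryptions of the secret key gives it nothing it could not produce itself, which is the starting point of the proof on the following slides.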
15
The Proof. Game 0: CPA game. [Figure: r × (public key) + (0, 0, 0, 0, 0, m).]
16
The Proof. Game 1: R has rank 1. Indistinguishable: identical ciphertext distribution. $r\,(g_1, \dots, g_\ell, h) \sim r_1 a_1 (g_1, \dots, g_\ell, h) + \dots + r_t a_t (g_1, \dots, g_\ell, h)$. [Figure: R × (public key) + (0, 0, 0, 0, 0, m).]
17
The Proof. Game 2: R has rank ℓ-1. Indistinguishable by DDH: (1, a, b, ab) vs. (1, a, b, c). [Figure: R × (public key) + (0, 0, 0, 0, 0, m).]
18
The Proof. Game 3: R has rank ℓ-1. Indistinguishable: identical ciphertext distribution. [Figure: R × (public key) + (0, 0, 0, 1, 0), the i-th row of the identity matrix.]
19
The Proof. Game 4: R has rank 1. Random subset-sum of columns. Indistinguishable by DDH. [Figure: R × (public key) + (0, 0, 0, 1, 0).]
20
The Proof. Game 5: R has rank 1. Statistically indistinguishable (using LOHL). [Figure: R × (public key) + (0, 0, 0, 1, 0).]
21
The Proof. Game 6: R has rank ℓ. Indistinguishable by DDH. [Figure: R × (public key) + (0, 0, 0, 1, 0).]
22
The Proof. Game 7. Indistinguishable: identical ciphertext distribution.
23
Follow-up work. Camenisch-Chandran-Shoup 2009: CCA security –Apply Naor-Yung/Sahai –For DDH-based scheme, can do it efficiently. Applebaum, Cash, Peikert, Sahai 2009: Circular security from LPN/LWE
24
Questions?