Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University.

Published byNigel Berry Modified over 9 years ago

Similar presentations

Presentation on theme: "Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University."— Presentation transcript:

1 Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University of Tokyo 2. RCIS, AIST

2 Detailed analysis of Chaffing-and- Winnowing (C&W) under multiple-use setting More efficient Chaffing-and-Winnowing –C&W for n-time use from n-spoofing secure A-code –practical C&W from A-code with a specific property Overview of This Work 2 We show:

3 Contents Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 3

4 Overview –Chaffing and Winnowing –Previous Work –Our Contribution Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 4

5 Chaffing-and-Winnowing (C&W) A technique to achieve confidentiality without using encryption when sending data over an insecure channel. Proposed by R. Rivest “Chaffing and winnowing: confidentiality without encryption” http://theory.lcs.mit.edu/~rivest/publications.html

6 Basic Idea Send plaintext directly No encryption is performed Send dummies with the plaintext. chaff Only one of the plaintext is authentic, the other ones are dummies Receiver can distinguish plaintext (wheat) from dummies (chaff). winnow Being able to distinguish plaintext from dummies would require an adversary to know the secret key.

7 7 Chaffing-and-Winnowing Example –Authentication code (A-code) : A k (M) –Plaintext: “Hi Bob” A 1 =A k (“Hi Bob”) A 2 =A k’ (“Hi Larry”) (“Hi Bob”,A 1 ),(“Hi Larry”,A 2 ) Compute A k (“Hi Bob”) and A k (“Hi Larry”) Compare A k (“Hi Bob”) and A 1, A k (“Hi Larry”) and A 2 “Hi Bob”

8 Previous Work Bellare and Boldyreva, ASIACRYPT 2000 –Showed the security of C&W in the computationally secure setting Hanaoka et al., AAECC 2006 (HHHWI06) –Showed the security of C&W in the unconditinally secure setting 8

9 Main Result of HHHWI06 9 Impersonation- secure A-code Perfectly secure and Non-Malleable encryption Impersonation- and substitution- secure A-code Perfectly secure encryption Theorem 1 Theorem 2 C&W We can achieve:

10 Related Work Stinson, manuscript, 2006 –“Unconditionally secure chaffing and winnowing with short authentication tags” –construct C&W from short authentication tags 10 Impersonation- secure A-code with short tag Perfectly secure encryption C&W

11 Our Contribution Our work is extension of HHHWI06 –HHHWI06 only consider the case in one-time use Then, we extend for multiple use –In other words, to generalize the HHHWI06 –Detailed analysis of C&W under multiple-use setting construct unconditionally secure C&W for multiple use show C&W with one authentication tag 11

12 One-time/Multiple Use 12 One-time use Multiple use

13 Overview Unconditionally Secure C&W for Multiple Use –Security Notions –Our Result –Construction and Comparison C&W with one authentication tag Future Work and Conclusion 13

14 Security on A-code 14 n-Spoofing ImpersonationSubstitution

15 Perfect Security 15 n-Perfect Security (n-PS) Perfect Security

16 Non-Malleability (1/2) An adversary is given n ciphertexts Corresponding plaintexts are Non-Malleability: –inability to generate a ciphertext whose plaintext is related to for example –Definition 16

17 Non-Malleability (2/2) 17 n-Non-Malleability (n-NM) Non-Malleability

18 Our Results (1/3) Construct unconditionally secure C&W for multiple use –from n-spoofing secure A-code to n-perfectly secure (n-PS) encryption –from (n+1)-spoofing secure A-code to n-perfectly secure (n-PS) and n-Non-Malleable (n-NM) encryption 18

19 Our Results (2/3) 19 n-spoofing secure A-code n-PS and n-NM encryption (n+1)-spoofing secure A-code n-PS encryption C&W

20 Our Results (3/3) 20 Imp A-code PS and NM encryption Imp and Sub A-code PS encryption C&W n-spoofing secure A-code n-PS and n-NM encryption (n+1)-spoofing secure A-code n-PS encryption C&W HHHWI06 Our Result

21 Construction 21

22 Comparison 22 Construction Key Size [bits] Ciphertext Size [bits] Our proposal n copies of HHHWI06

23 Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 23

24 Overview (1/2) C&W with one authentication tag –If the underlying A-code has a specific property, we can construct C&W with one authentication tag 24 n-Spf A-code with a specific property n-PS and n-NM encryption with one tag (n+1)-Spf A-code with a specific property n-PS encryption with one tag C&W

25 Overview (2/2) From this result, we can see that these A-codes can be seen as conventional encryptions –we prove that to send one tag corresponding to the message is secure 25 AuthenticationEncryption Can be seen as

26 The specific property “For all a, there exists at least one k such that, for all m, A k (m)=a” There exists an example of an A-code which is n-Spoofing secure and has this property 26 For example:

27 Construction 27

28 Comparison 28 ConstructionKey Size [bits] Ciphertext Size [bits] Need specific A-codes? Our proposal (previous) No Our proposal (with one tag) Yes n copies of HHHWI06 No The construction with one tag is practical

29 Overview Unconditionally Secure C&W for Multiple Use C&W with one authentication tag Future Work and Conclusion 29

30 Future Work Remove the restriction that (like Stinson’s work) –In [Stinson’06], C&W is constructed from A- code with short tags (more weak A-code) –[Stinson’06] D.R. Stinson, “Unconditionally secure chaffing and winnowing with short authentication tags,” Cryptology ePrint Archive, Report 2006/189, 2006. 30

31 Conclusion Detailed analysis of C&W under multiple-use setting –from n-Spf secure A-code to n-PS encryption –from (n+1)-Spf secure A-code to n-PS and n-NM encryption More efficient Chaffing-and-Winnowing –C&W for n-time use from n-spoofing secure A- code –practical C&W from A-code with a specific property provide same function as conventional encryption 31

Download ppt "Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University."

Similar presentations

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Symmetric Message Authentication Codes Prof. Ravi Sandhu.

Symmetric Message Authentication Codes Prof. Ravi Sandhu.
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06.

1 Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.

CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Public Encryption: RSA

Public Encryption: RSA
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Similar presentations

Ads by Google