Post on 19-Dec-2015
On the (Im)Possibility of Key Dependent Encryption
Iftach Haitner, Microsoft Research
August 04, 2009
Thomas Holenstein, Princeton University
Outline
Define Key Dependent Message (KDM) secure encryption scheme
Two (impossibility) results
– On fully-black-box reductions from KDM security to TDP
– On strongly-black-box reductions from KDM security to “any” hardness assumption
Weak Key Dependent Message Security
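An encryption scheme (Enc, Dec) is KDM secure if, for any efficient A, the following two interactions are computationally indistinguishable ($\approx_C$):
(1) The Challenger samples $k \leftarrow \{0,1\}^n$; A sends $h_1 : \{0,1\}^n \to \{0,1\}^m$ and receives $\mathrm{Enc}_k(h_1(k))$, sends $h_2$ and receives $\mathrm{Enc}_k(h_2(k))$, …
(2) The Challenger samples $k \leftarrow \{0,1\}^n$; A sends $h_1 : \{0,1\}^n \to \{0,1\}^m$ and receives $\mathrm{Enc}_k(U_m)$, sends $h_2$ and receives $\mathrm{Enc}_k(U_m)$, …
A cannot find k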
What class of query functions (e.g., h) should be considered?
In most settings, we should consider any (efficient) function
Feasibility Results
Limited output length functions:
– [Hofheinz-Unruh ‘08] based on any PKE
Family of affine functions:
– [Boneh-Halevi-Hamburg-Ostrovsky ‘08] based on DDH
– [Applebaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE
Efficient functions ???
Any function:
– [Black-Rogaway-Shrimpton ‘02] based on Random Oracle
Our Impossibility Results (informal)
It is impossible to construct (via black-box techniques) a KDM encryption scheme that is secure against
the family of poly-wise independent hash functions, based on OWF
– extends to TDP
any function, based on “any assumption”
• We focus on the private key setting
• Holds also for the “many PK keys” setting
Outline
Define Key Dependent Message (KDM) secure encryption scheme
Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reduction from KDM security to “any” hardness assumption
Black-box construction
Black-box proof of security
Adversary for breaking KDM ⇒ Inverter for breaking OWF
Fully-Black-Box Reduction from KDM security to OWF
[Diagram labels: Adversary for KDM, Inverter for OWF, OWF, (Enc, Dec)]
Black-box proof of security
[Diagram: A breaks the KDM security of $(\mathrm{Enc}^\pi, \mathrm{Dec}^\pi)$; R with the OWF $\pi$; $y \leftarrow \{0,1\}^n$; $x \in \pi^{-1}(y)$]
Impossibility Result for OWF Based Schemes
There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions
More formally:
Let $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ be a OWF based encryption scheme, and let $v(n) = |\mathrm{Enc}^{(\cdot)}(M)|$, for $M \in \{0,1\}^{2n}$. Then $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ cannot be proved (in a black-box way) to be KDM-secure against $H_{v(n)+n}$, a family of $(v(n)+n)$-independent hash functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$
Our adversary
[Diagram: A; R with the OWF $\pi$; $y \leftarrow \{0,1\}^n$; $x \in \pi^{-1}(y)$]
1. A breaks the (weak) KDM security of $(\mathrm{Enc}^\pi, \mathrm{Dec}^\pi)$
2. $\pi$ is hard to invert in the presence of A.
Proof: à la [Simon ‘98] / [Gennaro-Trevisan ‘01, H-Hoch-Reingold-Segev ‘07]
[Diagram labels on A: $1^n$, h, c, k, …]
1) Select $h \leftarrow H_{v(n)+n}$
2) On input C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
Outline
Define Key Dependent Message (KDM) secure encryption scheme
Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reductions from KDM security to “any” hardness assumption
Let $\Gamma$ be a cryptographic assumption (e.g., factoring is hard)
Arbitrary construction
Black-box proof of security.
The query function h is treated as a black box
Strongly Black-Box Reduction from KDM security to $\Gamma$
Adversary for KDM
Adversary for $\Gamma$
Strongly Black-box proof of security
[Diagram: A breaks the KDM security of (Enc, Dec); R for breaking $\Gamma$; example: factoring is hard, $n = pq$, $p, q$; labels on A: $1^n$, h, c, k, …]
1. h is only accessed via its input/output interface
2. Access to h is not given to a “third party”
Impossibility Result for Strongly Black-Box Reductions
Assume that there exists a strongly-black-box reduction from KDM encryption scheme to $\Gamma$, which is secure against $O_n$, the family of random functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$. Then $\Gamma$ can be broken unconditionally
Our Adversary
[Diagram: A breaks the KDM security of (Enc, Dec); $R^{\Gamma}$]
1) Select $h \leftarrow O_n$
2) On query C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
1. A breaks the (weak) KDM security of (Enc, Dec)
2. $R^{A,\Gamma}$ can be efficiently emulated
The Emulation
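[Diagram: $R^{\Gamma}$ sends queries $x_1, x_2, \dots$ to $h \leftarrow O_n$ and receives $h(x_1), h(x_2), \dots$; labels on A: $1^n$, h, c, k]
1. Answer $h(x_i)$ with a random $y_i \in \{0,1\}^{2n}$ (while keeping consistency)
2. On query C, return (the first) $x_i$ s.t. $\mathrm{Dec}_{x_i}(C) = y_i$
Proof Idea: the probability that $h(k) = \mathrm{Dec}_k(C)$ for non-queried k is $2^{-2n}$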
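The emulation on this slide, as an added Python sketch that is not part of the talk: a lazily sampled table stands in for the random function h, and the key search runs only over the points that were queried. The toy SHA-256 stream cipher, the parameter n = 16 and all function names are assumptions, chosen so the unbounded adversary can actually be run next to its emulation.

```python
import hashlib, random

N = 16        # toy key length n (assumption: small enough to scan all keys)
M = 2 * N     # h maps {0,1}^n to {0,1}^2n, as on the slide

def prf(k, r):
    """Toy keystream: top 2n bits of SHA-256(k || r)."""
    d = hashlib.sha256(k.to_bytes(4, "big") + r.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:8], "big") >> (64 - M)

def enc(k, m, rng):
    r = rng.getrandbits(32)
    return (r, m ^ prf(k, r))

def dec(k, c):
    r, body = c
    return body ^ prf(k, r)

class LazyOracle:
    """Step 1: answer h(x_i) with a random y_i, keeping consistency."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}
    def h(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(M)
        return self.table[x]
    def find_key(self, c):
        """Step 2: only queried x_i are candidates for Dec_{x_i}(C) = y_i."""
        for x in sorted(self.table):
            if dec(x, c) == self.table[x]:
                return x
        return None

def unbounded_adversary(h_full, c):
    """The slide's A: scan every k in {0,1}^n for Dec_k(C) = h(k)."""
    for k in range(2 ** N):
        if dec(k, c) == h_full[k]:
            return k
    return None

def run(seed=1):
    rng = random.Random(seed)
    k = rng.getrandbits(N)
    emu = LazyOracle(rng)
    c_kdm = enc(k, emu.h(k), rng)              # Enc_k(h(k)): one h-query
    c_rand = enc(k, rng.getrandbits(M), rng)   # Enc_k(U_m) for comparison
    # Couple a full random function to the emulation: identical on queried
    # points, fresh random values on every non-queried point.
    h_full = [emu.table.get(x, rng.getrandbits(M)) for x in range(2 ** N)]
    real = [unbounded_adversary(h_full, c) for c in (c_kdm, c_rand)]
    return k, [emu.find_key(c_kdm), emu.find_key(c_rand)], real, len(emu.table)
```

The two adversaries can disagree only when some non-queried k satisfies h(k) = Dec_k(C), which by the proof idea happens with probability 2^-2n per key; the emulation does one decryption per queried point instead of 2^n.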
Further Issues
Both bounds hold for 1-1 PRF
Open questions
Prove feasibility result against a larger class of functions
Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)