PUBLIC-KEY ENCRYPTION IN THE BOUNDED-RETRIEVAL MODEL

Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs

Speaker: Daniel Wichs. Eurocrypt 2010.


Page 1: Public-Key Encryption in the Bounded-Retrieval Model (title slide)


Page 2

Motivation

Cryptographic security is analyzed in a formal "attack model". Do our attack models capture reality?

In reality, extra information about secret keys can leak:
- Side-channel attacks: timing, power, heat, EM radiation, acoustics...
- Cold-boot attack [HSH+08]
- Viruses

Leakage-Resilient Crypto: add key leakage to the attack model. Build primitives that provably remain secure when part of the secret key leaks.

Page 3

Bounded Retrieval Model [Dzi06, ..., ADW09]:

Grow the secret key to allow for more leakage, even many gigabytes. Efficiency (public-key size, ciphertext size, computation time) does not degrade as |sk| grows.

Model of Leakage: Memory Attacks [Akavia-Goldwasser-Vaikuntanathan 09]. The adversary can learn any efficiently computable function f : {0,1}* → {0,1}^L of the secret key. L = leakage bound.

Relative-Leakage Model [AGV09, DKL09, NS09, ...]: maximize the ratio of L to |sk| (e.g. 90% of the key can leak).

(Figure: sk → f(sk) → leak.)

Page 4

Why design schemes for the BRM?

Security against viruses: upper-bound how much the attacker can download (e.g. 10 GB). Bandwidth is too low, cost too high, and system security may detect it. OK if the secret key is large. Not OK if efficiency degrades.

Security against side-channel attacks: the amount of leakage depends on the complexity of the computation. Leakage-resilient schemes might be less secure: + leakage-resilience ⇒ + complexity ⇒ + leakage. BRM efficiency breaks the cycle.

Page 5

Prior Work on Leakage Resilience

Memory attacks, relative leakage: symmetric and public-key encryption and authentication/signatures [AGV09, DKL09, ADW09, KV09, NS09, ...].

Bounded Retrieval Model: symmetric and public-key "authenticated key agreement". Requires interaction [Dzi06, CDD+07, ADW09].

This work: public-key encryption in the Bounded Retrieval Model.

Restricted types of leakage functions [CDH+00, DSS01, KZ03, ISW03, MR04, DP08, Pie09, FKPR10, GR10, FRR+10, JV10]. Does not seem applicable to e.g. virus attacks.

Page 6

Definition of PKE in BRM

Key generation gets L as input. The adversary learns L bits of leakage.

Efficiency: pk size, ciphertext size, and encryption/decryption times are all bounded by some fixed polynomials, independent of L.

Security game between Challenger and Adversary:
  Challenger: (pk, sk) ← KeyGen(1^s, L); sends pk.
  Adversary: chooses f : {0,1}* → {0,1}^L; receives f(sk).
  Adversary: sends m0, m1.
  Challenger: b ← {0,1}; c ← Encrypt(mb, pk); sends c.
  Adversary: outputs b'.

Pr[b' = b] ≤ 1/2 + negl(s).

Page 7

Outline of Talk

1. A "high-level" template for constructing BRM schemes.
2. "Identity-Based Hash Proof System" (IB-HPS).
3. Overview of IB-HPS constructions and parameters.

Page 8

Template for BRM Schemes: 1. Leakage Amplification (via Parallel Repetition)

Start with: a scheme resilient to L' bits of leakage.
Construct: a scheme resilient to L >> L' bits of leakage.
Idea: leakage amplification via parallel repetition.

Page 9

Template for BRM Schemes: 1. Parallel Repetition

PK = (pk1, pk2, pk3, ..., pkn), SK = (sk1, sk2, sk3, ..., skn).

Encryption under PK: secret-share the message m into n shares m1, ..., mn. Encrypt each share mi separately under pki: ci = Enc(mi, pki). Ciphertext: (c1, c2, ..., cn). Decryption uses the corresponding ski for each ci.

Page 10

Template for BRM Schemes: 1. Security of Parallel Repetition?

Theorem (?): n-wise parallel repetition amplifies leakage-resilience by a factor of n.

Hope: the adversary needs to leak L' bits on each of the n keys to break the "repetition scheme"... but maybe not a different L' bits on each key.

So is the theorem true? Not in general: recent counterexample by [Lewko-Waters 10]! Yes in special cases ("hash proof systems"). Stay tuned.

Page 11

Template for BRM Schemes: 1. Efficiency of Parallel Repetition?

PK = (pk1, ..., pkn), SK = (sk1, ..., skn); ciphertext (c1, ..., cn) with ci = Enc(mi, pki).

Problem 1: ciphertext size and computation are proportional to n.
Problem 2: public-key size is proportional to n.

Page 12

Template for BRM Schemes: 2. Small Random Subsets

PK = (pk1, ..., pkn), SK = (sk1, ..., skn).

The encryptor chooses a small random subset of t << n indices and encrypts t shares under the corresponding t public keys. Ciphertext: (idx1, c1), ..., (idxt, ct) with ci = Enc(mi, pk_idxi).

Hope: to break the scheme, the adversary needs to have leaked L' bits on almost all indices (all of the ones that are later chosen).
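The "hope" on this slide is a counting argument: an adversary whose total leakage budget is L, and who needs L' bits on a component key to break it, can fully compromise at most floor(L/L') of the n keys, and the naive strategy of doing exactly that wins only if all t randomly chosen indices fall inside the compromised set. The following Python is an added example, not code from the paper or the talk; it computes that probability exactly with the hypergeometric formula C(k,t)/C(n,t) and shows how fast it shrinks as t grows. The parameters are constructed, and the model covers only this one naive strategy: as Page 10 notes, parallel repetition does not amplify leakage in general, so this is the intuition behind the template, not a proof.

```python
from fractions import Fraction
from math import comb

# Constructed toy parameters for the BRM template on this slide:
# n component keys, t of them touched per ciphertext, L' bits of leakage
# needed to break one component, L bits of total leakage budget.


def max_fully_leaked_keys(total_leak_bits: int, per_key_bound: int) -> int:
    """With budget L and L' bits needed per key, at most floor(L / L')
    component keys can be leaked in full."""
    return total_leak_bits // per_key_bound


def prob_all_chosen_compromised(n: int, t: int, k: int) -> Fraction:
    """Exact probability that all t indices drawn uniformly without
    replacement from {1..n} fall inside a fixed compromised set of size k:
    C(k, t) / C(n, t)  (hypergeometric, no draws outside the set)."""
    if t > k:
        return Fraction(0)
    return Fraction(comb(k, t), comb(n, t))


def naive_break_probability(n: int, t: int, per_key_bound: int,
                            total_leak_bits: int) -> Fraction:
    """Winning probability of the 'leak some keys completely' strategy."""
    k = min(n, max_fully_leaked_keys(total_leak_bits, per_key_bound))
    return prob_all_chosen_compromised(n, t, k)


def amplification_table(n: int, per_key_bound: int, leaked_fraction: Fraction,
                        subset_sizes) -> dict:
    """For a fixed fraction of fully leaked keys, show how the break
    probability decays as the encryptor's subset size t grows."""
    total = int(leaked_fraction * n * per_key_bound)
    return {t: naive_break_probability(n, t, per_key_bound, total)
            for t in subset_sizes}


if __name__ == "__main__":
    # 90% of a 1000-key secret has leaked in full; each ciphertext touches t keys.
    table = amplification_table(1000, 128, Fraction(9, 10), (1, 10, 50, 100))
    for t, p in table.items():
        print(f"t={t:4d}  Pr[break via fully leaked keys] ~ {float(p):.3e}")
```

With 90% of the keys fully leaked, a single-key ciphertext (t = 1) is broken with probability 0.9, while t = 50 already drives the probability below 1%, and the ciphertext size still depends only on t, not on n.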

Page 13

Template for BRM Schemes: 3. Adding a Master Public Key

Use Identity-Based Encryption (IBE): PK is the master public key MPK of the IBE. SK consists of keys ski for identities i = 1, ..., n. Ciphertext: (idx1, c1), ..., (idxt, ct) with ci = Enc(mi, idxi).

Page 14

Template for BRM Schemes: 3. Adding a Master Public Key (continued)

(Same diagram: PK = MPK, SK = (sk1, ..., skn), ciphertext (idx1, c1), ..., (idxt, ct) with ci = Enc(mi, idxi).)

The scheme meets the efficiency requirements of the BRM. Security? It does not amplify leakage-resilience in general. Rest of talk: make it work with a special IBE.

Page 15

Outline of Talk

1. A "high-level" template for constructing BRM schemes.
2. "Identity-Based Hash Proof System" (IB-HPS).
3. IB-HPS constructions and parameters.

Page 16

Key Encapsulation Mechanism (KEM)

(pk, sk) ← KeyGen(1^s); (c, m) ← Encap(pk); m ← Dec(c, sk).

A KEM can be used to encrypt a random message m.

Page 17

Hash Proof System (HPS): A Special KEM

For each pk there are many possible sk; KeyGen outputs sk ← SK_pk.

Correctness: if (c, m) ← Encap(pk) then Dec(c, sk) = m for all sk ∈ SK_pk.

Bad encapsulation: c* ← Encap*(pk). Dec(c*, sk) is different for each sk ∈ SK_pk. Can't distinguish c* from c (even given sk).

(Figure: Dec(c, SK_pk) is a single value; Dec(c*, SK_pk) is spread over many values.)

Page 18

HPS and Leakage-Resilient KEM

Theorem [Naor-Segev 09]: An HPS is a leakage-resilient KEM with L ≈ log(|SK_pk|).

Proof sketch: sk ← SK_pk. Since the adversary can't distinguish the 'bad' ciphertext c* from c, replace Dec(c, sk) by Dec(c*, sk). Show that Dec(c*, sk) looks random: if leakage < log(|SK_pk|), the adversary still has uncertainty about sk, so m still has entropy given the view of the adversary. Use extractors.
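Pages 17 and 18 describe an HPS abstractly. The following Python is an added example, not code from the paper: a toy instance of the classic two-generator DDH-style hash proof system (the Cramer-Shoup construction that Naor-Segev build on) over a subgroup of order 11, chosen so small that the whole set SK_pk can be enumerated. It checks the three facts stated on these slides: every sk in SK_pk decapsulates a good ciphertext to the same m, a bad ciphertext c* decapsulates to a different value under each sk, and a leakage function giving fewer than log|SK_pk| bits leaves several candidate keys. The group parameters and the sample key are constructed; at this size DDH is trivially easy, so the indistinguishability of c* from c is not modelled, only the combinatorial structure the proof relies on.

```python
# Toy two-generator hash proof system (Cramer-Shoup style). Constructed
# example with parameters small enough to enumerate SK_pk completely.
P = 23                  # prime modulus of the ambient group Z_23^*
Q = 11                  # prime order of the subgroup generated by G1
G1 = 2                  # 2 has order 11 modulo 23
G2 = pow(G1, 2, P)      # second generator; in the real scheme log_G1(G2) is unknown


def keygen(x1: int, x2: int):
    """sk = (x1, x2) in Z_Q^2, pk = G1^x1 * G2^x2. Many sk map to the same pk."""
    sk = (x1 % Q, x2 % Q)
    pk = (pow(G1, sk[0], P) * pow(G2, sk[1], P)) % P
    return pk, sk


def encap(pk: int, r: int):
    """Good encapsulation: c = (G1^r, G2^r), encapsulated key m = pk^r."""
    c = (pow(G1, r, P), pow(G2, r, P))
    return c, pow(pk, r, P)


def encap_bad(r1: int, r2: int):
    """Bad encapsulation Encap*: exponents differ, so c* is not of the form (G1^r, G2^r)."""
    if r1 % Q == r2 % Q:
        raise ValueError("bad encapsulation needs r1 != r2 mod Q")
    return (pow(G1, r1, P), pow(G2, r2, P))


def dec(c, sk) -> int:
    """Dec(c, sk) = c1^x1 * c2^x2. Equals pk^r exactly when c is good."""
    c1, c2 = c
    return (pow(c1, sk[0], P) * pow(c2, sk[1], P)) % P


def secret_keys_for(pk: int):
    """Enumerate SK_pk: all (x1, x2) consistent with the public key."""
    return [(x1, x2) for x1 in range(Q) for x2 in range(Q)
            if keygen(x1, x2)[0] == pk]


def decaps_over_key_set(c, pk: int) -> set:
    """The set of values Dec(c, sk) takes as sk ranges over SK_pk."""
    return {dec(c, sk) for sk in secret_keys_for(pk)}


def candidates_after_leak(pk: int, leak_fn, leaked_value):
    """Keys in SK_pk still consistent with the adversary's leakage f(sk)."""
    return [sk for sk in secret_keys_for(pk) if leak_fn(sk) == leaked_value]


if __name__ == "__main__":
    pk, sk = keygen(3, 5)                      # constructed sample key
    c, m = encap(pk, 7)                        # constructed randomness r = 7
    keys = secret_keys_for(pk)
    print(f"|SK_pk| = {len(keys)}, log|SK_pk| ~ {len(keys).bit_length() - 1} bits of leakage")
    print("good c decapsulates to", decaps_over_key_set(c, pk), "under every sk")
    c_bad = encap_bad(7, 3)
    print("bad c* decapsulates to", len(decaps_over_key_set(c_bad, pk)), "distinct values")
    # One bit of leakage (parity of x2) still leaves about half of SK_pk.
    left = candidates_after_leak(pk, lambda s: s[1] & 1, sk[1] & 1)
    print("candidate keys after a 1-bit leak:", len(left))
```

Here SK_pk is the line {(x1, x2) : x1 + 2·x2 ≡ log_G1(pk) (mod 11)}, so |SK_pk| = 11 and the leakage bound of the theorem is about log2(11) ≈ 3.5 bits; leaking one bit of x2 leaves 5 or 6 consistent keys, and under a bad c* those remaining keys all decapsulate differently, which is the entropy the extractor step on Page 18 feeds on.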

Page 19

Parallel Repetition of HPS

Theorem: Parallel repetition of an HPS amplifies leakage-resilience.

Leakage of the HPS is L ≈ log(|SK_pk|). n-wise parallel repetition results in a new HPS with SK'_pk = SK_pk × SK_pk × ... × SK_pk (n times), so log(|SK'_pk|) = n · log(|SK_pk|).

Can show that "random subset selection" also works.

Page 20

Identity-Based Hash Proof System (IB-HPS)

Global 'master' parameters: (MPK, MSK). For each identity ID, the secret key sk_ID comes from a large set SK_ID. Can efficiently sample from any SK_ID only if given MSK.

Encapsulation targets a specific identity: Good (c, m) ← Encap(ID, MPK); Bad c* ← Encap*(ID, MPK).

(Figure: the key sets SK_ID1 and SK_ID2.)

Page 21

Applications of IB-HPS

Directly gives leakage-resilient IBE in the relative-leakage model.

Can be used to instantiate our framework. Leakage amplification works! ⇒ Get PKE/IBE in the Bounded Retrieval Model.

Page 22

Outline of Talk

1. A "high-level" template for constructing BRM schemes.
2. "Identity-Based Hash Proof System" (IB-HPS).
3. IB-HPS constructions and parameters.

Page 23

Constructions

Scheme                          Assumption   Model            Relative Leakage
Bilinear Groups [Gen06]         ABDHE        Standard Model   1/2
Quadratic Residuosity [BGH07]   QR           RO Model         1/O(s)
Lattices [GPV08]                LWE          RO Model         (1-ε)

Page 24

Thank You!

Questions?