Key-Dependent Message Security in the Standard Model Dennis - - PowerPoint PPT Presentation

key dependent message security in the standard model
SMART_READER_LITE
LIVE PREVIEW

Key-Dependent Message Security in the Standard Model Dennis - - PowerPoint PPT Presentation

Sep 09, 2023 226 likes •273 views

Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and why? Key-dependent message (KDM) security As IND, but with special encryption oracle Real game: O(F) = ENC SK ( F(SK) ) Random

slide-1
SLIDE 1

Key-Dependent Message Security in the Standard Model

Dennis Hofheinz (CWI, Amsterdam)

slide-2
SLIDE 2

What and why?

  • Key-dependent message (KDM) security
  • As IND, but with special encryption oracle

– Real game: O(F) = ENCSK( F(SK) ) – Random game: O(F) = ENCSK( random )

  • Security: no adv. can distinguish real/rand
  • Useful: formal link, encrypt your hard drive
  • Our focus: symmetric setting and CPA
slide-3
SLIDE 3

What is known?

  • Black, Shrimpton, Rogaway 2002:

ENCSK( M ) = ( R, H( SK||R ) + M )

  • KDM-CPA in RO model, but RO essential
  • Only* provable construction known!

* except for straightforward but uninteresting solutions:

– schemes with secret key longer than total volume of messages ever encrypted (then privacy amplification techniques work) – “hey, look how easy the proof now is”-style interactive non-standard computational assumptions beyond intuition

slide-4
SLIDE 4

What do we have?

  • Stateful encryption assuming PRNG only

ENCSKi( M ) : 1.) pick UHF h 2.) cond := h( SKi ) 3.) (SKi+1, pad) := PRNG( cond ) 4.) C := (h, pad + M)

  • Weak stateful KDM-CPA (i.e., M=M(SKi))