SLIDE 1

Key-Robustness for Cryptographic Primitives

Răzvan Roșie¹

¹ENS, CNRS, INRIA & PSL Research University, Paris, France

ECRYPT-NET Summer School, Crete, Greece

12th October 2017

SLIDE 2

Key-Robustness in a Nutshell

Robustness: ciphertext can’t be decrypted under two different keys.

  • TCC10: robustness introduced for PKE & IBE by Abdalla et al.
  • AC10: Mohassel extends robustness to Hybrid Encryption.
  • PKC13: robustness for PKE & IBE revisited by Farshim et al.

SLIDE 3

Key-Robustness in a Nutshell

Robustness: ciphertext can’t be decrypted under two different keys.

[Figure: Alice and Bob, each with Dec ≠ ⊥; ciphertext C on a vulnerable channel.]

SLIDE 4

Key-Robustness in a Nutshell

Robustness: ciphertext can’t be decrypted under two different keys.

[Figure: Alice and Bob, each with Dec ≠ ⊥; Eve with K1, K2 and ciphertext C on a vulnerable channel.]

SLIDE 5

Motivating Key-Robustness - Example 1

Digital Signatures from Symmetric Encryption:

  sk ← (K, s)
  pk ← Enc(K, s) — contains the Symm. Enc. of s.
  σ ← (PRF(s, M), π) — PRF evaluation + ZK proof for correctness.

Is the scheme unforgeable?

SLIDE 6

Motivating Key-Robustness - Example 1

Digital Signatures from Symmetric Encryption:

  sk ← (K, s)
  pk ← Enc(K, s) — contains the Symm. Enc. of s.
  σ ← (PRF(s, M), π) — PRF evaluation + ZK proof for correctness.

Is the scheme unforgeable?

Enc(K, s) = Enc(K′, s′) ⇒ FORGE

SLIDE 7

Motivating Key Robustness - Example 2

CBC-MAC:

[Figure: CBC chain over the blocks m_0, m_1, m_2, ..., m_{t−1}, each step labelled E_K, with output tag T.]

SLIDE 8

Motivating Key Robustness - Example 2

CBC-MAC:

[Figure: the same CBC chain with block pairs (m_0, m′_0), (m_1, m′_1), (m_2, m′_2), ..., (m_{t−1}, m′_{t−1}), each step labelled E_K′, with output tag T.]

MAC(K, M) = MAC(K′, M′) = T
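Why CBC-MAC gives no robustness once both keys are known to the party choosing the messages, as an added example that is not part of the original slides. The 4-round Feistel cipher built from SHA-256, the keys and the messages are constructed stand-ins for E_K; the function names are hypothetical.

```python
import hashlib

BLOCK = 16  # toy block size in bytes
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function built from SHA-256 (constructed toy, not a real cipher)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for the block cipher E_K."""
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: anyone who knows the key can run the cipher backwards."""
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_mac(key: bytes, blocks: list) -> bytes:
    state = bytes(BLOCK)
    for m in blocks:
        state = E(key, _xor(state, m))
    return state

def colliding_message(k2: bytes, tag: bytes, prefix: list) -> list:
    """Complete `prefix` with one block so that cbc_mac(k2, result) == tag."""
    state = cbc_mac(k2, prefix)                # chaining value after the free blocks
    return prefix + [_xor(D(k2, tag), state)]  # solves E(k2, state XOR last) = tag

def demo():
    k1, k2 = b"key-one".ljust(BLOCK, b"."), b"key-two".ljust(BLOCK, b".")
    m1 = [b"block zero".ljust(BLOCK), b"block one".ljust(BLOCK)]  # constructed input
    tag = cbc_mac(k1, m1)
    m2 = colliding_message(k2, tag, [b"other block zero"])
    return k1, k2, m1, m2, tag

if __name__ == "__main__":
    k1, k2, m1, m2, tag = demo()
    print(cbc_mac(k1, m1) == cbc_mac(k2, m2) == tag)  # both keys verify the same tag
```

The last block of M′ is fully determined by K′ and T, which is why a MAC meant to bind a key needs collision resistance over (key, message) pairs rather than unforgeability alone.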

SLIDE 9

Definitional Landscape

Complete Robustness (CROB): adversarially generated K1, K2.
Goal: find C decryptable under K1, K2.

CROB security:

  • 1. (C, K1 ≠ K2) ← A
  • 2. Dec(K1, C) ≠ ⊥
  • 3. Dec(K2, C) ≠ ⊥

SLIDE 10

Definitional Landscape

Strong Robustness (SROB): honestly generated K1, K2.
Goal: find C decryptable under K1, K2.

CROB:

  • 1. (C, K1 ≠ K2) ← A

SROB:

  • 1. C ← A^{Enc,Dec}

Both games:

  • 2. Dec(K1, C) ≠ ⊥
  • 3. Dec(K2, C) ≠ ⊥

SLIDE 11

Definitional Landscape

[Figure: diagram of the CROB and SROB notions.]

SLIDE 12

Definitional Landscape

AE-secure scheme ⇒ SROB-secure.

[Figure: diagram of the CROB, SROB and AE notions.]

SLIDE 13

Definitional Landscape

AE-secure scheme ⇏ CROB-secure.

[Figure: diagram of the CROB, SROB and AE notions.]

SLIDE 14

Definitional Landscape - MACs

CROB:

  • 1. (T, M1, M2, K1 ≠ K2) ← A

SROB:

  • 1. (T, M1, M2) ← A^{Tag,Ver}

Both games:

  • 2. Ver(K1, M1, T) = 1
  • 3. Ver(K2, M2, T) = 1

SLIDE 15

Definitional Landscape - MACs

SUF-secure MAC scheme ⇒ SROB-secure.

[Figure: diagram of the CROB, SROB and SUF notions.]

SLIDE 16

The Big Picture

[Figure: diagram relating the notions KROB, XROB, FROB, SROB, SFROB and CROB.]

SLIDE 17

Generic Composition

Same Keys: Enc is CROB OR MAC is CROB ⇒

  • Enc-Then-MAC is CROB
  • Enc-And-MAC is CROB
  • MAC-Then-Enc is CROB

Different Keys: Enc is CROB AND MAC is CROB ⇒

  • Enc-Then-MAC is CROB
  • Enc-And-MAC is CROB
  • MAC-Then-Enc is CROB

SLIDE 18

Generic Composition

Proof intuition (Enc-Then-Mac):

A outputs a CROB winning tuple (C||T, Ke1||Km1, Ke2||Km2).

[Figure: M1 → Enc (key Ke1) → MAC (key Km1); M2 → Enc (key Ke2) → MAC (key Km2).]

Case Ke1 ≠ Ke2: (C, Ke1, Ke2) wins CROB against Enc.
Case Km1 ≠ Km2: (T, Km1, C, Km2, C) wins CROB against MAC.

SLIDE 19

Generic Composition

Proof intuition.

A outputs a CROB winning tuple (C||T, Ke1||Km1, Ke2||Km2).

[Figure: C → MAC (key Km1); C → MAC (key Km2).]

Case Ke1 ≠ Ke2: (C, Ke1, Ke2) wins CROB against Enc.
Case Km1 ≠ Km2: (T, Km1, C, Km2, C) wins CROB against MAC.

SLIDE 20

CROB AE in the RO Model

Instantiate a CROB MAC: MAC(K, M) := RO(K, M).
Same-Key: Enc-Then-Mac via a CROB MAC.

SLIDE 21

CROB AE in the RO Model

Instantiate a CROB MAC: MAC(K, M) := RO(K, M).
Same-Key: Enc-Then-Mac via a CROB MAC.
Different-Keys: authenticate the encryption key.

Enc((Ke||Km), M):
  C ←$ Enc(Ke, M)
  T ← RO(Km, (C||Ke))
  return (C, T)

AE-security, CROB
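The different-keys case above, as an added example that is not part of the original slides: the same (C, T) is decrypted under K1 = Ke1||Km and K2 = Ke2||Km, once with T = RO(Km, C) and once with T = RO(Km, C||Ke). Assumptions: HMAC-SHA256 with fixed-length keys stands in for the random oracle, Enc is a toy SHA-256 keystream cipher, and all names and values are constructed.

```python
import hashlib
import hmac

KLEN = 16  # fixed key length: HMAC zero-pads short keys, so variable lengths would collide

def enc_stream(ke: bytes, data: bytes) -> bytes:
    """Toy Enc(Ke, .) and its inverse: XOR with a SHA-256 counter keystream.
    Not CROB: every key 'decrypts' every ciphertext to something."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(ke + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def ro(km: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 standing in for the random oracle RO(Km, msg) (assumption)."""
    return hmac.new(km, msg, hashlib.sha256).digest()

def enc(ke: bytes, km: bytes, m: bytes, bind_key: bool):
    c = enc_stream(ke, m)
    t = ro(km, c + ke) if bind_key else ro(km, c)  # slide construction vs. plain Enc-then-MAC
    return c, t

def dec(ke: bytes, km: bytes, c: bytes, t: bytes, bind_key: bool):
    expected = ro(km, c + ke) if bind_key else ro(km, c)
    if not hmac.compare_digest(expected, t):
        return None  # the bottom symbol: reject
    return enc_stream(ke, c)

def crob_check(bind_key: bool):
    """Decrypt one ciphertext under K1 = Ke1||Km and K2 = Ke2||Km with K1 != K2."""
    ke1, ke2, km = b"A" * KLEN, b"B" * KLEN, b"M" * KLEN  # constructed keys
    c, t = enc(ke1, km, b"constructed sample plaintext", bind_key)
    return dec(ke1, km, c, t, bind_key), dec(ke2, km, c, t, bind_key)

if __name__ == "__main__":
    print(crob_check(bind_key=False))  # both keys accept: robustness fails
    print(crob_check(bind_key=True))   # second key is rejected
```

Without the binding, a CROB MAC alone does not help in the different-keys setting because Km can stay fixed while Ke changes; including Ke in the tag input closes that gap.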

SLIDE 22

CROB AE in the Standard Model

Idea: construct a CROB secure MAC in the Standard Model. First attempt:

Enc((Ke||Km), M):
  C ←$ Enc(Ke, M)
  T ← MAC(Km, (C||Ke))
  return (C, T)

Issue: pseudorandomness for MAC.

SLIDE 23

CROB AE in the Standard Model

Idea: construct a CR-PRF in the Standard Model. Second attempt:

Enc((Ke||Km), M):
  C ←$ Enc(Ke, M)
  T ← PRF(Km, (C||Ke))
  return (C, T)

Issue: ensure the PRF is Collision-Resistant.

SLIDE 24

Collision-Resistant PRFs in the Standard Model

Collision-Resistant PRF: PRF(K1, M1) = PRF(K2, M2) ⇒ (K1, M1) = (K2, M2)
Key-Injective PRF: PRF(K1, M) = PRF(K2, M) ⇒ K1 = K2
Right-Injective PRG: PRG_RHS(K1) = PRG_RHS(K2) ⇒ K1 = K2

SLIDE 25

Collision-Resistant PRFs in the Standard Model

Construction for Collision-Resistant PRF:

PRF(K, M):
  (K1||K2) ← PRG(K)
  C1 ← PRP(K1, M)
  C2 ← PRF(K2, C1)
  return (C1||C2)

Collision-Resistant PRF: PRF(K, M) = PRF(K′, M′) ⇒ (K, M) = (K′, M′)

SLIDE 26

Collision-Resistant PRFs in the Standard Model

Construction for Collision-Resistant PRF:

PRF(K, M):
  (K1||K2) ← PRG(K)
  C1 ← PRP(K1, M)
  C2 ← PRF(K2, C1)
  return (C1||C2)

Proof intuition:

Step 1 - Key-Injective PRF: PRF(K2, C1) = PRF(K′2, C1) ⇒ K2 = K′2

SLIDE 27

Collision-Resistant PRFs in the Standard Model

Construction for Collision-Resistant PRF:

PRF(K, M):
  (K1||K2) ← PRG(K)
  C1 ← PRP(K1, M)
  C2 ← PRF(K2, C1)
  return (C1||C2)

Proof intuition:

Step 2 - Right-Injective PRG: PRG_RHS(K) = PRG_RHS(K′) ⇒ K = K′

SLIDE 28

Collision-Resistant PRFs in the Standard Model

Construction for Collision-Resistant PRF:

PRF(K, M):
  (K1||K2) ← PRG(K)
  C1 ← PRP(K1, M)
  C2 ← PRF(K2, C1)
  return (C1||C2)

Proof intuition:

Step 3 - Permutation: PRP(K1, M) = PRP(K1, M′) ⇒ M = M′

SLIDE 29

Right-Injective PRGs

Building-block 1: a right injective PRG.
Use the construction by Yao:

PRG(x) := HC(x) || HC(π(x)) || ... || HC(π^{|x|−1}(x)) || π^{|x|}(x)

  • Left Part: HC(x) || HC(π(x)) || ... || HC(π^{|x|−1}(x))
  • Right Part: π^{|x|}(x)

π is a pseudorandom permutation.
HC is a hardcore predicate.

SLIDE 30

Key-Injective PRFs

Building-block 2: a Key-Injective PRF via the GGM construction.
Open problems: more efficient constructions from weaker assumptions.

SLIDE 31

Left/Right Collision-Resistant PRGs

Building-block 3: length doubling Left/Right Collision-Resistant PRGs.

PRG_LHalf(K) = PRG_LHalf(K′) ⇒ K = K′
AND
PRG_RHalf(K) = PRG_RHalf(K′) ⇒ K = K′

Example: G(x1, x2, x3) := ((g^{x1}, g^{x1·x2}, g^{x2·x3}), (g^{x2}, g^{x1·x3}, g^{x3}))

SLIDE 32

CROB transforms in the Standard Model

Analogue of the ABN transform in the symmetric setting:
MAC key is generated “on the fly”.
MAC is collision-resistant.

Definition

Enc(Ke, M):
  Km ←$ Gen_m(1^λ)
  (K_e^1 || K_e^2) ← PRG(Ke)
  C ←$ Enc(K_e^1, (M||Km))
  T ←$ Tag(Km, (C || K_e^2))
  return (C||T)

SLIDE 33

Summary - Symmetric Primitives

Robustness:
AE: ciphertext can’t be decrypted wrt. different keys.
MAC: tag can’t be validated under two different keys.

  • 1. What goes wrong if the keys are adversarially generated.
  • 2. Level of robustness achieved by AE/MAC schemes.
  • 3. Generic transforms of AE schemes into CROB AE schemes.
  • 4. How to construct collision-resistant PRFs.

SLIDE 34

Robustness - Covered Primitives

  • FSE17: robustness for symmetric primitives.
  • AC10: Mohassel extends robustness to Hybrid Encryption.
  • TCC10, PKC13: robustness introduced for PKE & IBE.
  • NEW: Generalize robustness to Functional Encryption.

SLIDE 35

Robust Functional Encryption

Functional Encryption - What we expect

[Figure: Alice and Bob, with outputs f1(M) and f2(M); Eve with sk_f1, sk_f2 and ciphertext C on a vulnerable channel.]

SLIDE 36

Robust Functional Encryption

Functional Encryption - Defining robustness

[Figure: Alice and Bob, each with Dec ≠ ⊥; Eve with sk_f1, sk_f2 and ciphertext C on a vulnerable channel.]

SLIDE 37

Robust Functional Encryption

Functional Encryption - Defining robustness

[Figure: Alice and Bob, each with Dec ≠ ⊥; Eve with sk_f1, sk_f2 and ciphertext C on a vulnerable channel.]

Issue: Trivially Satisfied by a Generic FE Scheme.

SLIDE 38

Robust Functional Encryption

What is the intuition of robustness for FE? Why are we defining this notion? Any real attacks?

SLIDE 39

Robust Functional Encryption

What is the intuition of robustness for FE? Why are we defining this notion? Any real attacks?

msk ←$ s
mpk ←$ g^s
C_x ←$ (g^{−r}, g^{r·s + x})
sk_y ← s^⊤ · y
Dec(C_x, sk_y) = x^⊤ · y

SLIDE 40

Robust Functional Encryption

What is the intuition of robustness for FE? Why are we defining this notion? Any real attacks?

msk ←$ s
mpk ←$ g^s
C_x ←$ (g^{−r}, g^{r·s + x})
sk_y ← s^⊤ · y
Dec(C_x, sk_y) = x^⊤ · y

msk ←$ s′
mpk ←$ g^{s′}
C_x ←$ (g^{−r}, g^{r·s′ + x′})
sk_y ← s′^⊤ · y
Dec(C_x, sk_y) = x′^⊤ · y

Issue: same ciphertext decrypts to different values!
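The two readings of one ciphertext, carried through with numbers, as an added example that is not part of the original slides. Assumptions: a constructed toy group (p = 2039, q = 1019, g = 4), constructed vectors, decryption computed as c0^{sk_y} · ∏ c_i^{y_i}, and x′ = x + r(s − s′) derived from equating the two ciphertext forms; function names are hypothetical.

```python
P, Q, G = 2039, 1019, 4  # toy group (constructed, insecure size): G has prime order Q in Z_P*

def inner(a, b):
    return sum(u * v for u, v in zip(a, b)) % Q

def public_key(s):                 # mpk = g^s, componentwise
    return [pow(G, si, P) for si in s]

def encrypt(mpk, x, r):            # C_x = (g^-r, g^(r*s + x))
    c0 = pow(G, (-r) % Q, P)
    return c0, [pow(h, r, P) * pow(G, xi, P) % P for h, xi in zip(mpk, x)]

def keygen(s, y):                  # sk_y = s^T y
    return inner(s, y)

def decrypt(ct, sk_y, y):
    """Compute c0^sk_y * prod(c_i^y_i) = g^(x^T y), then brute-force the exponent."""
    c0, c = ct
    v = pow(c0, sk_y, P)
    for ci, yi in zip(c, y):
        v = v * pow(ci, yi, P) % P
    return next(k for k in range(Q) if pow(G, k, P) == v)

def two_master_keys():
    s, x, y, r = [5, 7, 11], [1, 2, 3], [1, 1, 1], 9      # constructed values
    ct = encrypt(public_key(s), x, r)
    s2 = [6, 7, 11]                                        # a different master secret key s'
    # x' = x + r(s - s') makes g^(r*s' + x') equal g^(r*s + x)
    x2 = [(xi + r * (si - ti)) % Q for xi, si, ti in zip(x, s, s2)]
    assert ct == encrypt(public_key(s2), x2, r)            # one ciphertext, two readings
    return decrypt(ct, keygen(s, y), y), decrypt(ct, keygen(s2, y), y)

if __name__ == "__main__":
    print(two_master_keys())
```

Both functional keys are for the same y, yet the key issued under s recovers x^⊤·y while the key issued under s′ recovers x′^⊤·y from the identical ciphertext, which is the behaviour a robustness notion for FE has to rule out.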

SLIDE 41

Robust Functional Encryption

A possible definition: Robustness: ciphertext can’t be decrypted under two different keys

SLIDE 42

Robust Functional Encryption

A possible definition:
Robustness: ciphertext can’t be decrypted under two different keys.
For FE: keys are issued via different master secret keys.

SLIDE 43

Robust Functional Encryption

Generic Constructions:

  • From commitment schemes.
  • From collision-resistant PRFs.

More definitions to be considered:

  • Allowing only encryption queries.
  • Allowing only decryption queries.

SLIDE 44

Summary - Robust FE

FE: ciphertext can’t be decrypted w.r.t. keys issued by different msk

  • 1. A more interesting view on FE constructions where keys are adversarially generated.
  • 2. ∃ constructions relying on collision-resistant PRFs.
  • 3. CROB: harder to achieve for symmetric-key FE.

SLIDE 46

Motivating Key-Robustness - Example 3

Oblivious-Transfer protocol:

OT2 (input i, output x_i): x1 = (K2, K3), x2 = (K1, K3), x3 = (K1, K2)
OT1 (input j, output C_j): C1 = Enc(K1, M1), C2 = Enc(K2, M2), C3 = Enc(K3, M3)

SLIDE 47

Motivating Key-Robustness - Example 3

Oblivious-Transfer protocol: Malicious sender

OT2 (input i = 1, output x_i): x1 = (K2, K∗), x2 = (K1, K3), x3 = (K1, K2)
OT1 (input j = 3, output C_j): C1 = Enc(K1, M1), C2 = Enc(K2, M2), C3 = Enc(K3, M3)

Dec(K∗, C3) = M∗

SLIDE 48

Motivating Key-Robustness - Example 3

Oblivious-Transfer protocol: Malicious sender

OT2 (input i = 2, output x_i): x1 = (K2, K∗), x2 = (K1, K3), x3 = (K1, K2)
OT1 (input j = 3, output C_j): C1 = Enc(K1, M1), C2 = Enc(K2, M2), C3 = Enc(K3, M3)

Dec(K3, C3) = M3
