
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation. ASIACRYPT 2018, Dec. 5th 2018 (slide 1 / 55). Yu Chen (1), Yuyu Wang (2), Hong-Sheng Zhou (3). (1) SKLOIS-IIE-CAS, UCAS; (2) Tokyo Institute of Technology, IOHK, AIST; (3) Virginia Commonwealth


  1. Weak Puncturable PRF R wPPRF Theorem: sPPRF R 16 / 55 R β ← − { 0 , 1 } β =? ( pp, k ) ← Gen ( λ ) x ∗ ← − X pp, x ∗ , k x ∗ , y ∗ β k x ∗ ← Punc ( k, x ∗ ) y ∗ 0 ← F ( k, x ∗ ) y ∗ ← − Y 1

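  2. Weak Puncturable PRF (slide 16 / 55). Security game: the challenger runs $(pp, k) \leftarrow \mathsf{Gen}(\lambda)$, samples $x^* \xleftarrow{R} X$, computes $k_{x^*} \leftarrow \mathsf{Punc}(k, x^*)$, sets $y_0^* \leftarrow F(k, x^*)$ and $y_1^* \xleftarrow{R} Y$, picks $\beta \xleftarrow{R} \{0,1\}$, and gives the adversary $(pp, x^*, k_{x^*}, y_\beta^*)$; the adversary's answer is checked against $\beta$ ($\beta = ?$). Theorem: sPPRF ⇔ wPPRF.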

  3. Preserving Functionality: , Pr Indistinguishability of Obfuscation PPT adversaries , a negl. function : Pr Pr Pr 17 / 55 Indistinguishability Obfuscation [BGI + 12] A uniform PPT machine i O is called an indistinguishability obfuscator if:

  4. Indistinguishability of Obfuscation PPT adversaries , a negl. function : Pr Pr Pr 17 / 55 Indistinguishability Obfuscation [BGI + 12] A uniform PPT machine i O is called an indistinguishability obfuscator if: Preserving Functionality: ∀ C ∈ C λ , ∀ x ∈ { 0 , 1 } ∗ Pr [ C ′ ( x ) = C ( x ) : C ′ ← i O ( C )] = 1 C 0 i O i O ( C 0 )

  5. Indistinguishability Obfuscation [BGI+12] (slide 17 / 55). A uniform PPT machine $i\mathcal{O}$ is called an indistinguishability obfuscator if:
     - Preserving Functionality: $\forall C \in \mathcal{C}_\lambda$, $\forall x \in \{0,1\}^*$: $\Pr[C'(x) = C(x) : C' \leftarrow i\mathcal{O}(C)] = 1$.
     - Indistinguishability of Obfuscation: $\forall$ PPT adversaries $(S, D)$, $\exists$ a negl. function $\alpha$: $\Pr[\forall x,\ C_0(x) = C_1(x) : (C_0, C_1, aux) \leftarrow S(\lambda)] \ge 1 - \alpha(\lambda) \Rightarrow |\Pr[D(aux, i\mathcal{O}(C_0)) = 1] - \Pr[D(aux, i\mathcal{O}(C_1)) = 1]| \le \alpha(\lambda)$.
     - Diagram: $C_0 \equiv C_1$, and after applying $i\mathcal{O}$ to both, $i\mathcal{O}(C_0) \approx_c i\mathcal{O}(C_1)$.

  6. Outline (slide 18 / 55): 1 Background; 2 Motivation; 3 Primitives; 4 Our Framework Towards Leakage-Resilience (Leakage-Resilient PKE, Leakage-Resilient SKE, Leakage-Resilient Signature); 5 Achieving Optimal Leakage Rate

  7. In order to answer arbitrary leakage queries, it seems Approaches towards Leakage Resilience Assumptions Technical hurdle: a seemingly paradox must know Typically does not know since the challenge instance is embedded in it 19 / 55 R F sk


  10. Approaches towards Leakage Resilience Assumptions Technical hurdle: a seemingly paradox Typically does not know since the challenge instance is embedded in it 19 / 55 R f F sk f ( sk ) In order to answer arbitrary leakage queries, it seems R must know sk

  11. Approaches towards Leakage Resilience (slide 19 / 55). Technical hurdle: a seeming paradox.
     - In order to answer arbitrary leakage queries, it seems $R$ must know $sk$.
     - Typically $R$ does not know $sk$, since the challenge instance is embedded in it.
     - Diagram labels: Assumptions, $R$, $F$, $sk$, leakage query $f$, answer $f(sk)$.

  12. Akavia et al. [AGV09]: normal Approach I Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of secret Assumptions leakage-resilient Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK LR SIG lossy even in the presence of leakage Regev PKE is LR 20 / 55 R F sk

  13. Akavia et al. [AGV09]: normal Approach I Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of secret Assumptions leakage-resilient Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK LR SIG lossy even in the presence of leakage Regev PKE is LR 20 / 55 R f F sk

  14. Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK Akavia et al. [AGV09]: normal Approach I Regev PKE is LR leakage even in the presence of lossy LR SIG 20 / 55 Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the leakage-resilient Assumptions presence of partial leakage of secret R f F sk f ( sk )

  15. Akavia et al. [AGV09]: normal Approach I Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of secret Assumptions leakage-resilient lossy even in the presence of leakage Regev PKE is LR 20 / 55 R f F sk f ( sk ) Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK ⇒ LR SIG

  16. Approach I (slide 20 / 55). Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of secret.
     - Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK ⇒ LR SIG.
     - Akavia et al. [AGV09]: normal $pk \approx_c$ lossy $pk$ even in the presence of $sk$ leakage ⇒ Regev PKE is LR.
     - Diagram labels: leakage-resilient Assumptions, $R$, $F$, $sk$, $f$, $f(sk)$.

  17. Dodis et al. [DGK 10]: DDH Approach II Goldreich-Levin theorem (leakage-resilient assumption) model) (auxliary-input w.r.t. hc ; leftover hash lemma (leakage-resilient fact) detached strategy + leakage-resilient assumptions/facts Ext ; Naor and Segev [NS09]: SMP F Assumptions 21 / 55 F sk c

  18. Dodis et al. [DGK 10]: DDH Approach II leftover hash lemma (leakage-resilient fact) Goldreich-Levin theorem (leakage-resilient assumption) model) (auxliary-input w.r.t. hc ; Ext detached strategy + leakage-resilient assumptions/facts ; Naor and Segev [NS09]: SMP Assumptions 21 / 55 F sk c ≈ c F sk ˆ c

  19. Naor and Segev [NS09]: SMP Dodis et al. [DGK 10]: DDH Approach II leftover hash lemma (leakage-resilient fact) Goldreich-Levin theorem (leakage-resilient assumption) model) (auxliary-input w.r.t. hc ; ; Ext detached strategy + leakage-resilient assumptions/facts Assumptions 21 / 55 F sk c f ≈ c f ( sk ) F sk ˆ c

  20. Dodis et al. [DGK 10]: DDH Approach II leftover hash lemma (leakage-resilient fact) Goldreich-Levin theorem (leakage-resilient assumption) model) (auxliary-input w.r.t. hc ; 21 / 55 Assumptions detached strategy + leakage-resilient assumptions/facts F sk c f ≈ c f ( sk ) F sk ˆ c Naor and Segev [NS09]: SMP ⇒ c ≈ c ˆ c ; k ← Ext ( sk, ˆ c )

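  21. Approach II (slide 21 / 55). Detached strategy + leakage-resilient assumptions/facts.
     - Naor and Segev [NS09]: SMP ⇒ $c \approx_c \hat{c}$; $k \leftarrow \mathsf{Ext}(sk, \hat{c})$; leftover hash lemma (leakage-resilient fact).
     - Dodis et al. [DGK+10]: DDH ⇒ $c \approx_c \hat{c}$; $k \leftarrow \mathsf{hc}_{\hat{c}}(sk)$; Goldreich-Levin theorem w.r.t. $f$ (auxiliary-input model) (leakage-resilient assumption).
     - Diagram labels: Assumptions; $F$, $sk$, $c$ on one side and $F$, $sk$, $\hat{c}$ on the other, related by $\approx_c$; leakage query $f$, answer $f(sk)$.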

  22. A common theme of the two above main approaches (slide 22 / 55).
     - $R$ always tries to simulate the leakage oracle perfectly, i.e., answering leakage queries with the real secret key.
     - To do so, we have to either rely on LR assumptions or resort to sophisticated design with specific structure.
     - It is interesting to investigate the possibility of simulating the leakage oracle computationally, i.e., answering leakage queries with simulated leakage.
     - This might lend new techniques to address the unsolved problems in LRC.

  23. (slide 23 / 55) Dachman-Soled et al. [DGL+16] discovered powerful applications of $i\mathcal{O}$ to LRC: Sahai-Waters PKE ⇝ leakage resilient.

  24. Background: Sahai-Waters KEM (slide 24 / 55). Ingredients: $i\mathcal{O}$, PRG $G : \{0,1\}^\lambda \to \{0,1\}^{2\lambda}$, weak puncturable PRF $F : SK \times \{0,1\}^{2\lambda} \to Y$.
     - $\mathsf{Gen}(\lambda)$: pick $sk \xleftarrow{R} SK$, $pk \leftarrow i\mathcal{O}(\mathsf{Encaps})$.
     - $\mathsf{Encaps}(pk; r)$: $(c, k) \leftarrow pk(r)$.
     - $\mathsf{Decaps}(sk, c)$: $k \leftarrow F(sk, c)$.
     - Program Encaps. Constants: PPRF key $sk$. Input: randomness $r \in \{0,1\}^\lambda$. Step 1: compute $x \leftarrow G(r)$; output $c = x$, $k \leftarrow F(sk, x)$.

  25. Dachman-Soled et al. [DGL 16] made Sahai-Waters KEM leakage-resilient by Why Sahai-Waters is not Leakage-Resilient? , and thus may not be random anymore in twice. using to handle arbitrary leakage queries. , and thus unable only knows Proof perspective: in some hybrid game, ’s view. queries on The proof uses “punctured programs” technique and security is reduced to the could be leaked via leakage Construction perspective: the information of The sources for non-leakage-resilient R weak pseudorandomness of punctured PRF 25 / 55 pk ← i O ( Encaps ( sk )) ⇝ pk ← i O ( Encaps ∗ ( sk x ∗ )) session key k ∗ ← y ∗ ← F ( sk, x ∗ ) , where x ∗ − { 0 , 1 } 2 λ ←

  26. Dachman-Soled et al. [DGL 16] made Sahai-Waters KEM leakage-resilient by Why Sahai-Waters is not Leakage-Resilient? The proof uses “punctured programs” technique and security is reduced to the twice. using to handle arbitrary leakage queries. The sources for non-leakage-resilient weak pseudorandomness of punctured PRF R 25 / 55 pk ← i O ( Encaps ( sk )) ⇝ pk ← i O ( Encaps ∗ ( sk x ∗ )) session key k ∗ ← y ∗ ← F ( sk, x ∗ ) , where x ∗ − { 0 , 1 } 2 λ ← Construction perspective: the information of y ∗ could be leaked via leakage queries on sk , and thus may not be random anymore in A ’s view. Proof perspective: in some hybrid game, R only knows sk x ∗ , and thus unable

  27. Why Sahai-Waters is not Leakage-Resilient? (slide 25 / 55)
     - The proof uses “punctured programs” technique and security is reduced to the weak pseudorandomness of punctured PRF: $pk \leftarrow i\mathcal{O}(\mathsf{Encaps}(sk))$ ⇝ $pk \leftarrow i\mathcal{O}(\mathsf{Encaps}^*(sk_{x^*}))$; session key $k^* \leftarrow y^* \leftarrow F(sk, x^*)$, where $x^* \xleftarrow{R} \{0,1\}^{2\lambda}$.
     - The sources for non-leakage-resilient. Construction perspective: the information of $y^*$ could be leaked via leakage queries on $sk$, and thus may not be random anymore in $A$'s view. Proof perspective: in some hybrid game, $R$ only knows $sk_{x^*}$, and thus unable to handle arbitrary leakage queries.
     - Dachman-Soled et al. [DGL+16] made Sahai-Waters KEM leakage-resilient by using $i\mathcal{O}$ twice.

  28. Outline (slide 26 / 55): 1 Background; 2 Motivation; 3 Primitives; 4 Our Framework Towards Leakage-Resilience (Leakage-Resilient PKE, Leakage-Resilient SKE, Leakage-Resilient Signature); 5 Achieving Optimal Leakage Rate

  29. Abstract and Generalize the Core Idea ? , is effjcient compostion lemma simulate leakage in a computationally indistinguishable manner 27 / 55 sk R

  30. Abstract and Generalize the Core Idea ? is effjcient compostion lemma simulate leakage in a computationally indistinguishable manner 27 / 55 sk R sk x ∗ , y ∗

  31. Abstract and Generalize the Core Idea ? is effjcient compostion lemma simulate leakage in a computationally indistinguishable manner 27 / 55 sk C ≡ R sk x ∗ , y ∗ C ′

  32. Abstract and Generalize the Core Idea is effjcient simulate leakage in a computationally indistinguishable manner lemma compostion 27 / 55 ? i O ( C ) sk C i O ≈ c ≡ R sk x ∗ , y ∗ i O ( C ′ ) C ′

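  33. Abstract and Generalize the Core Idea (slide 27 / 55). Simulate leakage in a computationally indistinguishable manner. Diagram: the real key $sk$ gives a program $C$; $R$ holds $sk_{x^*}, y^*$, which give a program $C'$ with $C \equiv C'$. Applying $i\mathcal{O}$ gives $i\mathcal{O}(C) \approx_c i\mathcal{O}(C')$, and because $f$ is efficient, the composition lemma gives $f(i\mathcal{O}(C)) \approx_c f(i\mathcal{O}(C'))$.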


  35. Key Observation (slide 28 / 55).
     - Dachman-Soled et al. [DGL+16]: Sahai-Waters KEM can be made LR by setting $sk$ as an obfuscated program.
     - Chen et al. [CZ14]: the essence of Sahai-Waters KEM – $i\mathcal{O}$ bootstraps Punc-PRF into Punc-“publicly evaluable” PRF.
     - These two results suggest: $i\mathcal{O}$(Punc-PEPRF) ⇝ LR PEPRF.
     - Can we push the idea to extreme?

  36. Punc (Puncturable) Publicly Evaluable PRF 29 / 55 ( pk, sk ) ← Gen ( λ ) Priv ( sk, x ) X F ( sk, x ) Y L Samp ( λ ) Pub ( pk, x, w ) W

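  37. (Puncturable) Publicly Evaluable PRF (slide 29 / 55). Diagram: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$; $F(sk, x)$ maps $X$ to $Y$; private evaluation $\mathsf{Priv}(sk, x)$; $\mathsf{Samp}(\lambda)$ samples from $L$ with witnesses in $W$; public evaluation $\mathsf{Pub}(pk, x, w)$; puncturing $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$.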

  38. Security of (Puncturable) Publicly Evaluable PRF Gen Samp Punc R R , , Pr negl 30 / 55

  39. Security of (Puncturable) Publicly Evaluable PRF Samp Punc R R , , Pr negl 30 / 55 ( pk, sk ) ← Gen ( λ ) pk

  40. Security of (Puncturable) Publicly Evaluable PRF R negl Pr R 30 / 55 ← − { 0 , 1 } β ( pk, sk ) ← Gen ( λ ) pk ( x ∗ , w ∗ ) ← Samp ( λ ) sk x ∗ ← Punc ( sk, x ∗ ) y ∗ 0 ← F ( sk, x ∗ ) y ∗ ← − Y 1 x ∗ , y ∗ β , sk x ∗

  41. Security of (Puncturable) Publicly Evaluable PRF R negl Pr R 30 / 55 ← − { 0 , 1 } β β =? ( pk, sk ) ← Gen ( λ ) pk ( x ∗ , w ∗ ) ← Samp ( λ ) sk x ∗ ← Punc ( sk, x ∗ ) y ∗ 0 ← F ( sk, x ∗ ) y ∗ ← − Y 1 x ∗ , y ∗ β , sk x ∗ β ′

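  42. Security of (Puncturable) Publicly Evaluable PRF (slide 30 / 55). Game: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$ and the adversary receives $pk$; $(x^*, w^*) \leftarrow \mathsf{Samp}(\lambda)$; $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$; $y_0^* \leftarrow F(sk, x^*)$, $y_1^* \xleftarrow{R} Y$; $\beta \xleftarrow{R} \{0,1\}$; the adversary receives $x^*, y_\beta^*, sk_{x^*}$ and outputs $\beta'$, which is checked against $\beta$ ($\beta = ?$). Requirement: $|\Pr[\beta = \beta'] - 1/2| \le \mathsf{negl}(\lambda)$.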

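  43. Security of (Puncturable) Publicly Evaluable PRF (slide 30 / 55). Game: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$ and the adversary receives $pk$; $(x^*, w^*) \leftarrow \mathsf{Samp}(\lambda)$; $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$; leakage queries $f_i$ are answered with $f_i(sk)$; $y_0^* \leftarrow F(sk, x^*)$, $y_1^* \xleftarrow{R} Y$; $\beta \xleftarrow{R} \{0,1\}$; the adversary receives $x^*, y_\beta^*, sk_{x^*}$ and outputs $\beta'$, which is checked against $\beta$ ($\beta = ?$). Requirement: $|\Pr[\beta = \beta'] - 1/2| \le \mathsf{negl}(\lambda)$.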

  44. LR-PEPRF from Punc-PEPRF 1 : Ext to from LR PEPRF Ext output Input: Idea: Obfuscate-and-Extract Constants: Punc-PEPRF secret key Priv Ext Pub Priv Samp Gen 31 / 55

  45. LR-PEPRF from Punc-PEPRF Priv : Ext to from LR PEPRF Ext output 1 Input: Constants: Punc-PEPRF secret key Ext 31 / 55 Idea: Obfuscate-and-Extract ( pk, sk ) ← Gen ( λ ) Priv ( sk, x ) X F ( sk, x ) Y L Samp ( λ ) Pub ( pk, x, w ) W

  46. LR-PEPRF from Punc-PEPRF Priv : Ext to from LR PEPRF Ext output 1 Input: Constants: Punc-PEPRF secret key Ext Idea: Obfuscate-and-Extract 31 / 55 ( pk, sk ) ← Gen ( λ ) Priv ( sk, x ) X F ( sk, x ) Y L Samp ( λ ) Pub ( pk, x, w ) W S

  47. LR-PEPRF from Punc-PEPRF Idea: Obfuscate-and-Extract LR PEPRF Ext output 1 Input: Constants: Punc-PEPRF secret key Priv Ext 31 / 55 ( pk, sk ) ← Gen ( λ ) Priv ( sk, x ) X F ( sk, x ) Y L Samp ( λ ) Z Pub ( pk, x, w ) W S ˆ F from X × S to Z : Ext ( F ( sk, x ) , s )

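  48. LR-PEPRF from Punc-PEPRF (slide 31 / 55). Idea: Obfuscate-and-Extract.
     - Punc-PEPRF: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$, $\mathsf{Priv}(sk, x)$, $\mathsf{Pub}(pk, x, w)$, $\mathsf{Samp}(\lambda)$, with $F(sk, x)$ mapping $X$ to $Y$ (sets $L$, $W$ as before); $\mathsf{Ext}$ takes a seed from $S$ and outputs in $Z$.
     - LR PEPRF $\hat{F}$ from $X \times S$ to $Z$: $\mathsf{Ext}(F(sk, x), s)$.
     - Secret key $\hat{sk}$: $i\mathcal{O}$ of the program Priv. Constants: Punc-PEPRF secret key $sk$. Input: $\hat{x} = (x, s)$. Step 1: output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.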

  49. Theorem: The above PEPRF $\hat{F}$ is leakage-resilient under appropriate parameter setting. (slide 32 / 55)
     - Game 0 (the original game): $\hat{sk} \leftarrow i\mathcal{O}(\mathsf{Priv})$.
     - Game 1: $\hat{sk} \leftarrow i\mathcal{O}(\mathsf{Priv}^*)$, where $y^* \leftarrow F(sk, x^*)$.
     - Program $\mathsf{Priv}^*$. Constants: Punc-PEPRF punctured key $sk_{x^*}$, $x^*$ and $y^*$. Input: $\hat{x} = (x, s)$. Step 1: if $x = x^*$, output $\mathsf{Ext}(y^*, s)$. Else, output $\mathsf{Ext}(F(sk_{x^*}, x), s)$.
     - Game 2: $y^* \xleftarrow{R} Y$.
     - $\mathsf{Priv} \equiv \mathsf{Priv}^*$ + $i\mathcal{O}$ ⇒ Game 0 $\approx_c$ Game 1; punc-PEPRF ⇒ Game 1 $\approx_c$ Game 2; randomness extractor ⇒ $z^* \leftarrow \mathsf{Ext}(y^*, s^*) \approx_s U_Z$.

  50. Constructions of Punc-PEPRF (slide 33 / 55). $i\mathcal{O}$(Punc-PEPRF) ⇝ LR-PEPRF ⇒ LR-KEM. How to construct Punc-PEPRF?
     - wPPRF+PRG+$i\mathcal{O}$ (a slight modification of SW KEM): clarify and encompass Dachman-Soled et al.'s construction.
     - Punc-TDF ⇐ correlated-product TDF [RS09]: PTDF can be viewed as a special type of adaptive TDF – $O_{inv}$ can be instantiated succinctly.
     - Punc-EHPS ⇐ derivable EHPS: “derivable” is a mild property that is satisfied by all the known realizations of EHPS [Wee10].

  51. Significance (slide 34 / 55).
     - Matsuda and Hanaoka [MH15]: Punc-KEM – capture a common pattern towards CCA security (PKE via CP-TDF, PKE via EHPS).
     - Punc-PEPRF ⇒ Punc-KEM with perfect punctured decapsulation soundness.
     - CCA security obtained via punctured road can be converted to Leakage-Resilience in a non-black-box manner via $i\mathcal{O}$.

  52. Outline (slide 35 / 55): 1 Background; 2 Motivation; 3 Primitives; 4 Our Framework Towards Leakage-Resilience (Leakage-Resilient PKE, Leakage-Resilient SKE, Leakage-Resilient Signature); 5 Achieving Optimal Leakage Rate

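  53. Extension to the Symmetric Setting (slide 36 / 55). $i\mathcal{O}$(weak-Punc-PRF) ⇝ LR-weak-PRF ⇒ LR-SKE.
     - wPPRF: $(pp, sk) \leftarrow \mathsf{Gen}(\lambda)$, with $F(sk, x)$ mapping $X$ to $Y$; $\mathsf{Ext}$ takes a seed from $S$ and outputs in $Z$.
     - LR wPRF $\hat{F}$ from $X \times S$ to $Z$: $\mathsf{Ext}(F(sk, x), s)$.
     - Secret key $\hat{sk}$: $i\mathcal{O}$ of the program Priv. Constants: wPPRF secret key $sk$. Input: $\hat{x} = (x, s)$. Step 1: output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.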

  54. Outline (slide 37 / 55): 1 Background; 2 Motivation; 3 Primitives; 4 Our Framework Towards Leakage-Resilience (Leakage-Resilient PKE, Leakage-Resilient SKE, Leakage-Resilient Signature); 5 Achieving Optimal Leakage Rate

  55. Review of Sahai-Waters Signature (slide 38 / 55). Essence of Sahai-Waters Signature: $i\mathcal{O}$ makes PRF-based MAC publicly verifiable.
     - $\mathsf{Gen}(\lambda)$: pick $k \xleftarrow{R} K$ for sPPRF $F : K \times M \to Y$, pick a OWF $g : Y \to Z$; set $sk \leftarrow k$, $vk \leftarrow i\mathcal{O}(\mathsf{Verify})$.
     - $\mathsf{Sign}(sk, m)$: output $\sigma \leftarrow F(k, m)$.
     - $\mathsf{Verify}(vk, m, \sigma)$: output $vk(m, \sigma)$.
     - Program Verify. Constants: sPPRF key $k$. Input: message $m$ and signature $\sigma$. Step 1: output $g(\sigma) =? g(F(k, m))$.

  56. Proof of Selective Security (slide 39 / 55). Theorem: Sahai-Waters signature is selectively secure.
     - Game 0 (original game): $vk \leftarrow i\mathcal{O}(\mathsf{Verify})$.
     - Game 1: $vk \leftarrow i\mathcal{O}(\mathsf{Verify}^*)$, here $z^* \leftarrow g(\sigma^*)$, $\sigma^* \leftarrow F(k, m^*)$.
     - Program $\mathsf{Verify}^*$. Constants: punctured sPPRF key $k_{m^*}$ and $z^*$. Input: message $m$ and signature $\sigma$. Step 1: if $m = m^*$, output $g(\sigma) =? z^*$. Step 2: else, output $g(\sigma) =? g(F(k_{m^*}, m))$.
     - Game 2: $\sigma^* \leftarrow Y$.
     - $\mathsf{Verify} \equiv \mathsf{Verify}^*$ + $i\mathcal{O}$ ⇒ Game 0 $\approx_c$ Game 1; sPPRF ⇒ Game 1 $\approx_c$ Game 2; OWF ⇒ $\sigma^*$ is unpredictable in Game 2.

  57. How to make Sahai-Waters’s signature Leakage-Resilient? unable to reduce unforgeability to one-wayness of . those on can translate leakage queries on secret key to In the fjnal security game, Our solution: using LR OWF instead of standard OWF does not know Proof perspective: ) preimage of (the Construction perspective: leakage queries leak the information of Problems 40 / 55 Technical hurdle: how to handle leakage queries? 1 express signing algorithm as a program and obfuscate the program as sk 2 simulate leakage queries with function-equivalent key – an obfuscation of a program build from k m ∗ and σ ∗

  58. How to make Sahai-Waters’s signature Leakage-Resilient? Problems Our solution: using LR OWF instead of standard OWF In the fjnal security game, can translate leakage queries on secret key to those on . 40 / 55 Technical hurdle: how to handle leakage queries? 1 express signing algorithm as a program and obfuscate the program as sk 2 simulate leakage queries with function-equivalent key – an obfuscation of a program build from k m ∗ and σ ∗ Construction perspective: leakage queries leak the information of σ ∗ (the preimage of z ∗ ) ⇒ unable to reduce unforgeability to one-wayness of g Proof perspective: R does not know σ ∗

  59. How to make Sahai-Waters's signature Leakage-Resilient? (slide 40 / 55)
     - Technical hurdle: how to handle leakage queries? (1) Express the signing algorithm as a program and obfuscate the program as $sk$. (2) Simulate leakage queries with a function-equivalent key – an obfuscation of a program built from $k_{m^*}$ and $\sigma^*$.
     - Problems. Construction perspective: leakage queries leak the information of $\sigma^*$ (the preimage of $z^*$) ⇒ unable to reduce unforgeability to one-wayness of $g$. Proof perspective: $R$ does not know $\sigma^*$.
     - Our solution: using LR OWF instead of standard OWF. In the final security game, $R$ can translate leakage queries on secret key to those on $\sigma^*$.

  60. How to achieve adaptive security? (slide 41 / 55) LR OWF + sPPRF + $i\mathcal{O}$ ⇒ deterministic LR SIG (selective).
     - Using Extremely Lossy Function [Zha16] hash the message before signing: deterministic but relying on exponential hardness assumption.
     - Applying “prefix-guessing technique” [RW14]: randomized but public-coin.
     - So far the best solution to the open problem posed by Boyle et al. [BSW11] (Eurocrypt'11).

  61. Outline (slide 42 / 55): 1 Background; 2 Motivation; 3 Primitives; 4 Our Framework Towards Leakage-Resilience (Leakage-Resilient PKE, Leakage-Resilient SKE, Leakage-Resilient Signature); 5 Achieving Optimal Leakage Rate

  62. How to achieve optimal leakage rate? (slide 43 / 55) The leakage rate of our basic constructions is low: the secret key is an obfuscated program ⇝ large size; the maximum leakage amount $\le \log_2 |Y|$. Can we achieve optimal leakage rate?

  63. Dachman-Soled et al.'s Approach (slide 44 / 55). Secret key – a secret obfuscated program (like a gun that must be kept secretly). Decompose the secret obfuscated program: make the logic part public; set a trigger device inside the public program and use trigger as the secret key.


  65. The Case of LR-PEPRF from Punc-PEPRF (slide 45 / 55).
     - Program Priv (before). Constants: Punc-PEPRF secret key $sk$. Input: $\hat{x} = (x, s)$. Step 1: output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.
     - Modification: $ct^* \leftarrow \mathsf{Enc}(k_e, 0^n)$, $n = \log |Y|$; pick a CRHF $h$, set $h(ct^*) = t^*$. $ct^*$ is set as secret key, obfuscated program is made public.
     - Program Priv (after). Constants: Punc-PEPRF secret key $sk$, $t^*$. Input: $ct$, $\hat{x} = (x, s)$. Step 1: if $h(ct) \ne t^*$, output $\bot$. Else, output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.
     - Greatly shrink the size of secret key: an obfuscated program ⇝ a ciphertext.
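
The puncturing step of the weak puncturable PRF slide and the Priv / Priv* hybrid of the leakage-resilience theorem, as an added example that is not part of the original slides or the authors' code. It assumes a GGM-tree PRF with SHA-256 standing in for the PRG, a random GF(2)-linear map as Ext, and a toy 8-bit domain; all function names are hypothetical. No obfuscation is performed: the code only checks the functional equivalence Priv ≡ Priv* that the iO step (Game 0 ≈ Game 1) relies on.

```python
import hashlib
import secrets

N_BITS = 8  # toy domain X = {0,1}^8 so every input can be enumerated

def prg_half(seed: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG G(seed) = G0 || G1 (SHA-256 stand-in)."""
    return hashlib.sha256(bytes([bit]) + seed).digest()

def bits(x: int) -> list:
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def prf(sk: bytes, x: int) -> bytes:
    """GGM PRF F(sk, x): walk the tree from the root along the bits of x."""
    node = sk
    for b in bits(x):
        node = prg_half(node, b)
    return node

def punc(sk: bytes, x_star: int) -> tuple:
    """Punc(sk, x*): keep only the sibling seed at each level of the path to x*."""
    siblings, node = [], sk
    for b in bits(x_star):
        siblings.append(prg_half(node, 1 - b))
        node = prg_half(node, b)
    return (x_star, siblings)

def prf_punctured(sk_punc: tuple, x: int) -> bytes:
    """Evaluate F at x != x* from the punctured key alone."""
    x_star, siblings = sk_punc
    if x == x_star:
        raise ValueError("F(sk, x*) cannot be computed from the punctured key")
    xb, sb = bits(x), bits(x_star)
    i = next(j for j in range(N_BITS) if xb[j] != sb[j])  # first divergence
    node = siblings[i]
    for b in xb[i + 1:]:
        node = prg_half(node, b)
    return node

def ext(y: bytes, s: tuple) -> int:
    """Ext(y, s): seed s is a random GF(2) matrix, one row per output bit."""
    yi = int.from_bytes(y, "big")
    return sum((bin(yi & row).count("1") & 1) << i for i, row in enumerate(s))

def make_priv(sk: bytes):  # program Priv, constant sk: (x, s) -> Ext(F(sk, x), s)
    return lambda x, s: ext(prf(sk, x), s)

def make_priv_star(sk_punc: tuple, y_star: bytes):
    """Program Priv* with constants sk_{x*}, x*, y*."""
    x_star = sk_punc[0]
    def priv_star(x, s):
        y = y_star if x == x_star else prf_punctured(sk_punc, x)
        return ext(y, s)
    return priv_star

def disagreements(prog_a, prog_b, s: tuple) -> list:
    """All x in the toy domain on which two programs differ for seed s."""
    return [x for x in range(2 ** N_BITS) if prog_a(x, s) != prog_b(x, s)]

if __name__ == "__main__":
    sk, x_star = secrets.token_bytes(32), secrets.randbelow(2 ** N_BITS)  # constructed
    s = tuple(secrets.randbits(256) for _ in range(16))  # extractor seed, 16 output bits
    game1 = make_priv_star(punc(sk, x_star), prf(sk, x_star))  # y* = F(sk, x*)
    print("inputs where Priv != Priv*:", disagreements(make_priv(sk), game1, s))
```

Replacing the hard-wired y* with a fresh random value, as Game 2 does, can change the program only at x*; that step is justified by punctured-PRF security, not by functional equivalence.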
