Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation

ASIACRYPT 2018, Dec. 5th 2018

Yu Chen (1), Yuyu Wang (2), Hong-Sheng Zhou (3)

(1) SKLOIS-IIE-CAS, UCAS; (2) Tokyo Institute of Technology, IOHK, AIST; (3) Virginia Commonwealth


  1. Weak Puncturable PRF (slide 16 / 51)
     - $(pp, k) \leftarrow \mathsf{Gen}(\lambda)$, $x^* \xleftarrow{R} X$
     - $k_{x^*} \leftarrow \mathsf{Punc}(k, x^*)$
     - $y^*_0 \leftarrow F(k, x^*)$, $y^*_1 \xleftarrow{R} Y$, $\beta \xleftarrow{R} \{0,1\}$
     - The adversary is given $pp, x^*, k_{x^*}, y^*_\beta$ and has to answer $\beta = ?$
     - Theorem: sPPRF $\Leftrightarrow$ wPPRF

  3. Indistinguishability Obfuscation [BGI+12] (slide 17 / 51)
     A uniform PPT machine $i\mathcal{O}$ is called an indistinguishability obfuscator if:
     - Preserving Functionality: $\forall C \in \mathcal{C}_\lambda$, $\forall x \in \{0,1\}^*$: $\Pr[C'(x) = C(x) : C' \leftarrow i\mathcal{O}(C)] = 1$
     - Indistinguishability of Obfuscation: $\forall$ PPT adversaries $(S, D)$, $\exists$ a negl. function $\alpha$: $\Pr[\forall x, C_0(x) = C_1(x) : (C_0, C_1, aux) \leftarrow S(\lambda)] \ge 1 - \alpha(\lambda) \Rightarrow |\Pr[D(aux, i\mathcal{O}(C_0)) = 1] - \Pr[D(aux, i\mathcal{O}(C_1)) = 1]| \le \alpha(\lambda)$
     - Diagram: $C_0 \equiv C_1$; applying $i\mathcal{O}$ to each gives $i\mathcal{O}(C_0) \approx_c i\mathcal{O}(C_1)$

  6. Outline (slide 18 / 51)
     1. Background
     2. Motivation
     3. Primitives
     4. Our Framework Towards Leakage-Resilience
        - Leakage-Resilient PKE
        - Leakage-Resilient SKE
        - Leakage-Resilient Signature
     5. Achieving Optimal Leakage Rate

  7. Approaches towards Leakage Resilience (slide 19 / 51)
     - Diagram labels: Assumptions, R, F, sk; leakage query $f$, answer $f(sk)$
     - Technical hurdle: a seeming paradox
       - In order to answer arbitrary leakage queries, it seems R must know $sk$
       - Typically R does not know $sk$ since the challenge instance is embedded in it

  12. Approach I (slide 20 / 51)
      - Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of the secret
      - Diagram labels: leakage-resilient Assumptions, R, F, sk; leakage query $f$, answer $f(sk)$
      - Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK $\Rightarrow$ LR SIG
      - Akavia et al. [AGV09]: normal $pk \approx_c$ lossy $pk$ even in the presence of $sk$ leakage $\Rightarrow$ Regev PKE is LR

  17. Approach II (slide 21 / 51)
      - Detached strategy + leakage-resilient assumptions/facts
      - Diagram labels: Assumptions; $(F, sk, c)$ with leakage query $f$ and answer $f(sk)$; $\approx_c$; $(F, sk, \hat{c})$
      - Naor and Segev [NS09]: SMP $\Rightarrow c \approx_c \hat{c}$; $k \leftarrow \mathsf{Ext}(sk, \hat{c})$
        - leftover hash lemma (leakage-resilient fact)
      - Dodis et al. [DGK+10]: DDH $\Rightarrow c \approx_c \hat{c}$; $k \leftarrow \mathsf{hc}_{\hat{c}}(sk)$ w.r.t. $f$ (auxiliary-input model)
        - Goldreich-Levin theorem (leakage-resilient assumption)

  22. A common theme of the two main approaches above (slide 22 / 51)
      - R always tries to simulate the leakage oracle perfectly, i.e., answering leakage queries with the real secret key.
      - To do so, we have to either rely on LR assumptions or resort to sophisticated design with specific structure.
      - It is interesting to investigate the possibility of simulating the leakage oracle computationally, i.e., answering leakage queries with simulated leakage.
      - This might lend new techniques to address the unsolved problems in LRC.

  23. (slide 23 / 51) Dachman-Soled et al. [DGL+16] discovered powerful applications of $i\mathcal{O}$ to LRC: Sahai-Waters PKE → leakage resilient

  24. Background: Sahai-Waters KEM (slide 24 / 51)
      - Ingredients: $i\mathcal{O}$, PRG $G : \{0,1\}^{\lambda} \to \{0,1\}^{2\lambda}$, weak puncturable PRF $F : SK \times \{0,1\}^{2\lambda} \to Y$
      - $\mathsf{Gen}(\lambda)$: pick $sk \xleftarrow{R} SK$, $pk \leftarrow i\mathcal{O}(\mathsf{Encaps})$
      - $\mathsf{Encaps}(pk; r)$: $(c, k) \leftarrow pk(r)$
      - $\mathsf{Decaps}(sk, c)$: $k \leftarrow F(sk, c)$
      - Program Encaps:
        - Constants: PPRF key $sk$
        - Input: randomness $r \in \{0,1\}^{\lambda}$
        - 1. compute $x \leftarrow G(r)$; output $c = x$, $k \leftarrow F(sk, x)$

  25. Why Sahai-Waters is not Leakage-Resilient? (slide 25 / 51)
      - The proof uses the “punctured programs” technique and security is reduced to the weak pseudorandomness of the punctured PRF
        - $pk \leftarrow i\mathcal{O}(\mathsf{Encaps}(sk)) \rightsquigarrow pk \leftarrow i\mathcal{O}(\mathsf{Encaps}^*(sk_{x^*}))$
        - session key $k^* \leftarrow y^* \leftarrow F(sk, x^*)$, where $x^* \xleftarrow{R} \{0,1\}^{2\lambda}$
      - The sources of non-leakage-resilience:
        - Construction perspective: the information of $y^*$ could be leaked via leakage queries on $sk$, and thus $y^*$ may not be random anymore in $\mathcal{A}$'s view.
        - Proof perspective: in some hybrid game, R only knows $sk_{x^*}$, and is thus unable to handle arbitrary leakage queries.
      - Dachman-Soled et al. [DGL+16] made Sahai-Waters KEM leakage-resilient by using $i\mathcal{O}$ twice.

  29. Abstract and Generalize the Core Idea (slide 27 / 51)
      - Diagram (marked “?” on the slide before the chain is filled in):
        - Top row: $sk \to C \to i\mathcal{O}(C) \to f(i\mathcal{O}(C))$
        - Bottom row (R): $sk_{x^*}, y^* \to C' \to i\mathcal{O}(C') \to f(i\mathcal{O}(C'))$
      - $C \equiv C'$
      - $i\mathcal{O}$: $i\mathcal{O}(C) \approx_c i\mathcal{O}(C')$
      - $f$ is efficient, composition lemma: $f(i\mathcal{O}(C)) \approx_c f(i\mathcal{O}(C'))$
      - Simulate leakage in a computationally indistinguishable manner

  35. Key Observation (slide 28 / 51)
      - Dachman-Soled et al. [DGL+16]: Sahai-Waters KEM can be made LR by setting $sk$ as an obfuscated program
      - Chen et al. [CZ14]: the essence of Sahai-Waters KEM – $i\mathcal{O}$ bootstraps Punc-PRF into Punc-“publicly evaluable” PRF
      - Can we push the idea to extreme?
      - These two results suggest: $i\mathcal{O}$(Punc-PEPRF) → LR PEPRF

  36. (Puncturable) Publicly Evaluable PRF (slide 29 / 51)
      - $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$
      - $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$
      - Diagram: $F(sk, x)$ maps $X$ to $Y$; $L$ sits inside $X$; $\mathsf{Samp}(\lambda)$ is attached to $L$ and the witness set $W$
      - Two ways to evaluate: $\mathsf{Priv}(sk, x)$ and $\mathsf{Pub}(pk, x, w)$

  38. Security of (Puncturable) Publicly Evaluable PRF (slide 30 / 51)
      - $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$; the adversary receives $pk$
      - $(x^*, w^*) \leftarrow \mathsf{Samp}(\lambda)$, $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$
      - $y^*_0 \leftarrow F(sk, x^*)$, $y^*_1 \xleftarrow{R} Y$, $\beta \xleftarrow{R} \{0,1\}$
      - The adversary receives $x^*, y^*_\beta, sk_{x^*}$ and outputs $\beta'$ ($\beta = ?$)
      - $|\Pr[\beta = \beta'] - 1/2| \le \mathsf{negl}(\lambda)$
      - The last build of the slide adds leakage queries $f_i$, answered with $f_i(sk)$

  44. LR-PEPRF from Punc-PEPRF (slide 31 / 51)
      - Idea: Obfuscate-and-Extract
      - Punc-PEPRF: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$, $F(sk, x)$ from $X$ to $Y$, with $L$, $W$, $\mathsf{Samp}(\lambda)$, $\mathsf{Priv}(sk, x)$ and $\mathsf{Pub}(pk, x, w)$
      - LR PEPRF: $\hat{F}$ from $X \times S$ to $Z$: $\mathsf{Ext}(F(sk, x), s)$
      - $\hat{sk}$ is the output of $i\mathcal{O}$ on the program Priv:
        - Constants: Punc-PEPRF secret key $sk$
        - Input: $\hat{x} = (x, s)$
        - 1. output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$

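  49. (slide 32 / 51) Theorem: The above PEPRF $\hat{F}$ is leakage-resilient under appropriate parameter setting.
      - Game 0 (the original game): $\hat{sk} \leftarrow i\mathcal{O}(\mathsf{Priv})$
      - Game 1: $\hat{sk} \leftarrow i\mathcal{O}(\mathsf{Priv}^*)$, where $y^* \leftarrow F(sk, x^*)$
      - Game 2: $y^* \xleftarrow{R} Y$
      - Program $\mathsf{Priv}^*$:
        - Constants: Punc-PEPRF punctured key $sk_{x^*}$, $x^*$ and $y^*$
        - Input: $\hat{x} = (x, s)$
        - 1. If $x = x^*$, output $\mathsf{Ext}(y^*, s)$. Else, output $\mathsf{Ext}(F(sk_{x^*}, x), s)$.
      - $\mathsf{Priv} \equiv \mathsf{Priv}^*$ + $i\mathcal{O}$ $\Rightarrow$ Game 0 $\approx_c$ Game 1
      - punc-PEPRF $\Rightarrow$ Game 1 $\approx_c$ Game 2
      - randomness extractor $\Rightarrow z^* \leftarrow \mathsf{Ext}(y^*, s^*) \approx_s U_Z$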

  50. Constructions of Punc-PEPRF (slide 33 / 51)
      - $i\mathcal{O}$(Punc-PEPRF) $\rightsquigarrow$ LR-PEPRF $\Rightarrow$ LR-KEM
      - How to construct Punc-PEPRF?
        - wPPRF + PRG + $i\mathcal{O}$ (a slight modification of SW KEM): clarify and encompass Dachman-Soled et al.'s construction
        - Punc-TDF $\Leftarrow$ correlated-product TDF [RS09]: PTDF can be viewed as a special type of adaptive TDF – $\mathcal{O}_{inv}$ can be instantiated succinctly
        - Punc-EHPS $\Leftarrow$ derivable EHPS: “derivable” is a mild property that is satisfied by all the known realizations of EHPS [Wee10]

  51. Significance (slide 34 / 51)
      - Punc-PEPRF $\Rightarrow$ Punc-KEM with perfect punctured decapsulation soundness
      - Matsuda and Hanaoka [MH15]: Punc-KEM – capture a common pattern towards CCA security
      - CCA security obtained via punctured road can be converted to Leakage-Resilience in a non-black-box manner via $i\mathcal{O}$
        - PKE via CP-TDF
        - PKE via EHPS

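  53. Extension to the Symmetric Setting (slide 36 / 51)
      - $i\mathcal{O}$(weak-Punc-PRF) $\rightsquigarrow$ LR-weak-PRF $\Rightarrow$ LR-SKE
      - wPPRF: $(pp, sk) \leftarrow \mathsf{Gen}(\lambda)$, $F(sk, x)$ from $X$ to $Y$
      - LR wPRF: $\hat{F}$ from $X \times S$ to $Z$: $\mathsf{Ext}(F(sk, x), s)$
      - $\hat{sk}$ is the output of $i\mathcal{O}$ on the program Priv:
        - Constants: wPPRF secret key $sk$
        - Input: $\hat{x} = (x, s)$
        - 1. output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$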

  55. Extension to Signature (slide 38 / 51)
      - Starting Point – Sahai-Waters Signature (from PRG, sPPRF, and $i\mathcal{O}$)
        - set the signing key as an obfuscated program
        - develop a leakage translation mechanism
      - LR OWF + sPPRF + $i\mathcal{O}$ $\Rightarrow$ public-coin LR SIG
      - This solves the open problem posed by Boyle et al. [BSW11] (Eurocrypt'11)

  57. How to achieve optimal leakage rate? (slide 40 / 51)
      - The leakage rate of our basic constructions is low
        - secret key is an obfuscated program → large size
        - the maximum leakage amount $\le \log_2 |Y|$
      - Can we achieve optimal leakage rate?

  58. Dachman-Soled et al.'s Approach (slide 41 / 51)
      - Secret key – a secret obfuscated program (like a gun that must be kept secretly)
      - Decompose the secret obfuscated program
        - make the logic part public
        - set a trigger device inside the public program and use the trigger as the secret key

  60. The Case of LR-PEPRF from Punc-PEPRF (slide 42 / 51)
      - Program Priv (before):
        - Constants: Punc-PEPRF secret key $sk$
        - Input: $\hat{x} = (x, s)$
        - 1. Output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$
      - Modification: $ct^* \leftarrow \mathsf{Enc}(k_e, 0^n)$, $n = \log |Y|$; pick a CRHF $h$, set $h(ct^*) = t^*$
      - $ct^*$ is set as secret key, obfuscated program is made public.
      - Program Priv (after):
        - Constants: Punc-PEPRF secret key $sk$, $t^*$
        - Input: $ct$, $\hat{x} = (x, s)$
        - 1. If $h(ct) \ne t^*$, output $\bot$. Else, output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.
      - Greatly shrink the size of secret key: an obfuscated program → a ciphertext

  61. Security Proof (slide 43 / 51)
      - Game 0. $C_{eval} \leftarrow i\mathcal{O}(\mathsf{Priv})$ as part of $pk$, $ct^* \leftarrow \mathsf{SKE.Enc}(k_e, 0^n)$ as $sk$.
      - Game 1. $ct^* \leftarrow \mathsf{SKE.Enc}(k_e, y^*)$, where $y^* \leftarrow F(sk, x^*)$
      - Game 2. $C_{eval} \leftarrow i\mathcal{O}(\mathsf{Priv}^*)$
      - Game 3. $y^* \xleftarrow{R} Y$
      - Program $\mathsf{Priv}^*$:
        - Constants: Punc-PEPRF punctured secret key $sk_{x^*}$, $k_e$, $t^*$
        - Input: $ct$, $\hat{x} = (x, s)$
        - 1. If $h(ct) \ne t^*$, output $\bot$.
        - 2. Else if $x = x^*$, set $y^* \leftarrow \mathsf{SKE.Dec}(k_e, ct)$, output $z \leftarrow \mathsf{Ext}(y^*, s)$.
        - 3. Otherwise, output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.
      - $|t^*| + \ell \le |Y|$, $|Y| \le |ct^*|$ and $\rho = \ell / |ct^*|$

  62. Analysis (slide 44 / 51)
      - To achieve optimal leakage rate
        - $h$ must be compressing to decrease $|t^*|$, otherwise $t^*$ (hardwired in the public program) will reveal too much information of $y^* \leftarrow F(sk, x^*)$
      - The choice may make the programs in Game 1 and Game 2 have differing inputs
        - a collision: $ct' \ne ct^*$ but $h(ct') = t^* = h(ct^*)$, where $ct'$ decrypts to $y' \ne y^*$ → one has to resort to differing-input obfuscation, which is highly suspicious.

  63. Our Technique (slide 45 / 51)
      - Idea: replace CRHF with lossy function
        - Injective mode: ensure Priv and $\mathsf{Priv}^*$ are equivalent → safely use $i\mathcal{O}$
        - Lossy mode: switch to lossy mode to greatly reduce $|t^*|$ → $t^*$ only leaks very little information of $y^*$
      - By appropriate parameter choice, $\rho = 1 - o(1)$
      - This settles the open problem posed by Dachman-Soled et al. [DGL+16]: achieving optimal leakage ratio without resorting to $di\mathcal{O}$
      - This trick might be instructive elsewhere for avoiding differing-input obfuscation

  64. Conclusion (slide 46 / 51)
      We develop a framework for building leakage-resilient cryptography in BLM from punc-primitives and $i\mathcal{O}$.
      1. wPPRF + $i\mathcal{O}$ $\rightsquigarrow$ LR wPRF $\Rightarrow$ LR-SKE
      2. punc-PEPRF + $i\mathcal{O}$ $\rightsquigarrow$ LR PEPRF $\Rightarrow$ LR-PKE
         - as a building block of independent interest, we realize punc-PEPRF from newly introduced punc-objects such as PTDFs and PEHPS.
      3. sPPRF + LR-OWF + $i\mathcal{O}$ $\Rightarrow$ the first LR-public-coin Sig
         - solve the open problem posed by Boyle et al. (Eurocrypt 2011)
      4. By further assuming lossy functions, all the above constructions achieve optimal leakage rate – not known to be achievable for wPRF, PEPRF and public-coin Sig before.
         - solve the open problem posed by Dachman-Soled et al. (PKC 2016, JOC 2018)

      Major insight: various punc-PRFs can achieve LR on an obfuscated street

  65. Thanks for Your Attention! Any Questions? (slide 47 / 51)
      https://eprint.iacr.org/2018/781
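
The Game 0 to Game 1 step in the LR-PEPRF proof (slide 32 / 51) rests on Priv and Priv* computing the same function, which is what allows $i\mathcal{O}$ to be applied. The following is an added example, not code from the talk or the paper: it checks that equivalence exhaustively on a toy 8-bit domain, using a GGM-style puncturable PRF built from HMAC-SHA256 and a keyed hash standing in for Ext (both are assumptions of this sketch), with no obfuscation step and no public evaluation.

```python
import hashlib
import hmac

N_BITS = 8  # toy domain X = {0,1}^8, small enough to check every input

def _prg(seed: bytes, bit: int) -> bytes:
    # One half of a length-doubling PRG; HMAC-SHA256 is an assumption of this sketch.
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def _bits(x: int) -> tuple:
    return tuple((x >> i) & 1 for i in reversed(range(N_BITS)))

def F(sk: bytes, x: int) -> bytes:
    """GGM-style PRF: walk the tree from the root seed along the bits of x."""
    node = sk
    for b in _bits(x):
        node = _prg(node, b)
    return node

def punc(sk: bytes, x_star: int) -> dict:
    """sk_{x*}: the sibling seed at each level of the path to x*, nothing on the path."""
    key, node, prefix = {}, sk, ()
    for b in _bits(x_star):
        key[prefix + (1 - b,)] = _prg(node, 1 - b)
        node, prefix = _prg(node, b), prefix + (b,)
    return key

def F_punc(sk_p: dict, x: int) -> bytes:
    """Evaluate F with the punctured key; undefined exactly at x*."""
    bits = _bits(x)
    for i in range(1, N_BITS + 1):
        if bits[:i] in sk_p:
            node = sk_p[bits[:i]]
            for b in bits[i:]:
                node = _prg(node, b)
            return node
    raise ValueError("x is the punctured point")

def ext(y: bytes, s: bytes) -> bytes:
    # Stand-in for the seeded extractor Ext(y, s); a keyed hash, not a proven extractor.
    return hmac.new(s, y, hashlib.sha256).digest()[:16]

def make_priv(sk: bytes):
    """Priv: constants sk; input (x, s); output Ext(F(sk, x), s)."""
    return lambda x, s: ext(F(sk, x), s)

def make_priv_star(sk_p: dict, x_star: int, y_star: bytes):
    """Priv*: constants sk_{x*}, x*, y*; never touches the full key sk."""
    def priv_star(x, s):
        return ext(y_star if x == x_star else F_punc(sk_p, x), s)
    return priv_star

def differing_inputs(p, q, s: bytes) -> list:
    """All x on which two programs disagree for seed s (empty list = equivalent)."""
    return [x for x in range(2 ** N_BITS) if p(x, s) != q(x, s)]

def demo():
    sk, x_star, s = b"\x11" * 32, 0xA7, b"constructed seed"  # constructed sample values
    sk_p, priv = punc(sk, x_star), make_priv(sk)
    game1 = make_priv_star(sk_p, x_star, F(sk, x_star))  # y* = F(sk, x*), as in Game 1
    game2 = make_priv_star(sk_p, x_star, b"\x00" * 32)   # y* replaced, as in Game 2
    return differing_inputs(priv, game1, s), differing_inputs(priv, game2, s)
```

`demo()` returns an empty list for Game 1 (Priv and Priv* agree everywhere) and the single point x* for Game 2, the only input where a replaced y* is visible.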
