LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana - PowerPoint PPT Presentation

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U ( pk , sk 0 ) ← $ K pk pk ⇥ ⇤ f f ( sk 0 ) Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk f Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk f REPEATS f ( sk i , r i ) Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk f REPEATS f ( sk i , r i ) ( m 0 , m 1 ) Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS f ( sk i , r i ) ( m 0 , m 1 ) Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS f ( sk i , r i ) ( m 0 , m 1 ) c Adversary Challenger

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS f ( sk i , r i ) ( m 0 , m 1 ) c Adversary E Challenger b 0

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS f ( sk i , r i ) ( m 0 , m 1 ) c Adversary E Challenger b 0 Return ( b = b 0 )

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS f ( sk i , r i ) ( m 0 , m 1 ) c Adversary E Challenger b 0 Return ( b = b 0 ) ← E Require is negligible. ⇥ b = b 0 ⇤ 2 · Pr − 1

L EAKAGE ON KEY - UPDATE FOR PKE [BKKV’10,LLW’11] Fix a public-key encryption scheme “with key update” ( K , E , D , U ) i.e. where update algorithm computes . sk 0 ← $ U ( sk ) U sk i ← $ U ( sk i � 1 ; r i ) pk pk b ← $ { 0 , 1 } f c ← $ E ( pk , m b ) REPEATS Must be bounded length! f ( sk i , r i ) ( m 0 , m 1 ) c Adversary E Challenger b 0 Return ( b = b 0 ) ← E Require is negligible. ⇥ b = b 0 ⇤ 2 · Pr − 1

O UTLINE OF T ALK Leakage Models for PKE — Bounded, Continual, and Continual w/ Leakage on Key Update Results in Continual Model: A Generic Compiler to Achieve Leakage on Key Update Results in Bounded Model: A New Approach to Optimal Leakage Rate Conclusion and Open Problems

C OMPILER INTUITION Suppose we start with a PKE scheme secure in the continual leakage model.

C OMPILER INTUITION Suppose we start with a PKE scheme secure in the continual leakage model. For leakage on key updates, simulator needs to be able to provide “honest-looking” output of function on the update randomness that it doesn’t know.

C OMPILER INTUITION Suppose we start with a PKE scheme secure in the continual leakage model. For leakage on key updates, simulator needs to be able to provide “honest-looking” output of function on the update randomness that it doesn’t know. Main idea: Make it possible to publicly compute some “honest-looking” update randomness.

C OMPILER INTUITION Suppose we start with a PKE scheme secure in the continual leakage model. For leakage on key updates, simulator needs to be able to provide “honest-looking” output of function on the update randomness that it doesn’t know. Main idea: Make it possible to publicly compute some “honest-looking” update randomness. This is very similar to deniable encryption as recently achieved by Sahai and Waters [SW’14].

T HE COMPILER present this version here. Let be a PKE scheme with key update. Let PKE = ( Gen , Enc , Dec , Update ) be nature scheme with algorithms

T HE COMPILER present this version here. Let be a PKE scheme with key update. Let PKE = ( Gen , Enc , Dec , Update ) be nature scheme with algorithms Define a new scheme whose public-key additionally contains obfuscations of two programs: Internal (hardcoded) state: Public key pk , keys K 1 , K 2 , and h . On input secret key sk 1 ; randomness u = ( u 1 , u 2 ) . ( sk 2 , r 0 ) for (proper length) strings sk 2 , r 0 and u 1 – If F 2 ( K 2 , u 1 ) ⊕ u 2 = = h ( sk 1 , sk 2 , r 0 ) , then output sk 2 . – Else let x = F 1 ( K 1 , ( sk 1 , u )) . Output sk 2 = PKE . Update ( pk , sk 1 ; x ) . Fig. 1. Program Update Internal (hardcoded) state: key K 2 . On input secret keys sk 1 , sk 2 ; randomness r ∈ { 0 , 1 } κ – Set u 1 = h ( sk 1 , sk 2 , r ) . Set u 2 = F 2 ( K 2 , u 1 ) ⊕ ( sk 2 , r ) . Output e = ( u 1 , u 2 ) . Fig. 2. Program Explain

A NALYSIS 1 Main Idea: Simulator uses obfuscated Explain to produce “honest-looking” randomness.

A NALYSIS 1 Main Idea: Simulator uses obfuscated Explain to produce “honest-looking” randomness. But this requires the simulator to access two consecutive keys simultaneously!

A NALYSIS 1 Main Idea: Simulator uses obfuscated Explain to produce “honest-looking” randomness. But this requires the simulator to access two consecutive keys simultaneously! We thus need to define a new notion of consecutive continual leakage-resilience where the adversary can ask for leakage functions on consecutive keys.

A NALYSIS 2 Theorem (informal). The compiled scheme is secure with leakage on key-updates if the original scheme is consecutive continual leakage resilient and the obfuscator is a “public-coin” differing- inputs [IPS’15] obfuscator.

A NALYSIS 2 Theorem (informal). The compiled scheme is secure with leakage on key-updates if the original scheme is consecutive continual leakage resilient and the obfuscator is a “public-coin” differing- inputs [IPS’15] obfuscator. Note: Worse leakage rate achievable only using indistinguishability obfuscation.

A CHIEVING CONSECUTIVE CONTINUAL LEAKAGE - RESILIENCE We show that existing continual leakage-resilient PKE schemes [BKKV’10,DHLW’10] can be upgraded to consecutive continual leakage without changing the underlying assumptions.

A CHIEVING CONSECUTIVE CONTINUAL LEAKAGE - RESILIENCE We show that existing continual leakage-resilient PKE schemes [BKKV’10,DHLW’10] can be upgraded to consecutive continual leakage without changing the underlying assumptions. Via our compiler we get PKE with leakage on key- updates with optimal leakage rate under bilinear map assumptions + public-coin differing-inputs obfuscation [IPS’15].

C OMPARISON TO PRIOR WORK [LLW’11] achieves continual leakage resilience with leakage on key updates from bilinear map assumptions but worse leakage rate.

B ACKGROUND : SW-PKE [SW’13] Key-Generation: Choose a key K and output K as the secret key and the obfuscation of a program Encrypt that on inputs x , r outputs F ( K , r ) + x.

B ACKGROUND : SW-PKE [SW’13] Key-Generation: Choose a key K and output K as the secret key and the obfuscation of a program Encrypt that on inputs x , r outputs F ( K , r ) + x. Encryption: To encrypt x choose random r and compute y = Encrypt( x , r ); output ( r , y ).

B ACKGROUND : SW-PKE [SW’13] Key-Generation: Choose a key K and output K as the secret key and the obfuscation of a program Encrypt that on inputs x , r outputs F ( K , r ) + x. Encryption: To encrypt x choose random r and compute y = Encrypt( x , r ); output ( r , y ). SW’13 shows (a modification of) this scheme is IND- CPA using indistinguishability obfuscation.

M AKING IT LEAKAGE - RESILIENT To make the scheme bounded leakage-resilient, we modify it in two ways:

M AKING IT LEAKAGE - RESILIENT To make the scheme bounded leakage-resilient, we modify it in two ways: 1. Assume that F is not just a PRF but also a randomness extractor.

M AKING IT LEAKAGE - RESILIENT To make the scheme bounded leakage-resilient, we modify it in two ways: 1. Assume that F is not just a PRF but also a randomness extractor. 2. Make the secret decryption key not K but obfuscation of program Decrypt that on input y , r outputs F( K , r )+ y.

A NALYSIS Theorem (informal). The modified scheme is bounded leakage-resilient using indistinguishability obfuscation.

A NALYSIS Theorem (informal). The modified scheme is bounded leakage-resilient using indistinguishability obfuscation. Intuition: Following [SW’13] we use a puncturable PRF and switch F( K , r ) used in the challenge ciphertext to a truly random, hardcoded value.

A NALYSIS Theorem (informal). The modified scheme is bounded leakage-resilient using indistinguishability obfuscation. Intuition: Following [SW’13] we use a puncturable PRF and switch F( K , r ) used in the challenge ciphertext to a truly random, hardcoded value. But note we can now leak on this hardcoded value since encryption uses a randomness extractor.

I MPROVING THE LEAKAGE RATE This initial idea does not give optimal leakage rate because the secret key is large (contains the obfuscated decryption program).

I MPROVING THE LEAKAGE RATE This initial idea does not give optimal leakage rate because the secret key is large (contains the obfuscated decryption program). Can we just make this obfuscated program public? Of course not! Then anyone could decrypt.

I MPROVING THE LEAKAGE RATE This initial idea does not give optimal leakage rate because the secret key is large (contains the obfuscated decryption program). Can we just make this obfuscated program public? Of course not! Then anyone could decrypt. Solution: Make the program take an additional short signed input to run, this short signed input then becomes the new secret key.

C OMPARISON TO PRIOR WORK [HLWW’13] showed that any PKE scheme can be made bounded leakage resilient generically but with a suboptimal leakage rate.

C OMPARISON TO PRIOR WORK [HLWW’13] showed that any PKE scheme can be made bounded leakage resilient generically but with a suboptimal leakage rate. Our result can be viewed as showed that obfuscation + OWF is sufficient for optimal leakage rate.

C OMPARISON TO PRIOR WORK [HLWW’13] showed that any PKE scheme can be made bounded leakage resilient generically but with a suboptimal leakage rate. Our result can be viewed as showed that obfuscation + OWF is sufficient for optimal leakage rate. Optimal leakage rate is also known from other specific assumptions, e.g. DDH [NS’09].

S UMMARY We gave two main results:

S UMMARY We gave two main results: 1. Compiler from (consecutive) continual leakage-resilience to leak on key-updates.

S UMMARY We gave two main results: 1. Compiler from (consecutive) continual leakage-resilience to leak on key-updates. 2. Modification of [SW’13] to achieve bounded leakage with optimal leakage rate.

O PEN QUESTIONS Can we achieve leakage on key-updates with optimal leakage rate?

O PEN QUESTIONS Can we achieve leakage on key-updates with optimal leakage rate? Can we achieve optimal leakage rate in the bounded leakage model from indistinguishability (not differing-inputs) obfuscation?

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana - PowerPoint PPT Presentation

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation ASIACRYPT 2018 Dec.

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Weizmann Institute of

Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai Leakage-Resilient

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from

Implementation and Evaluation of a Leakage-Resilient ElGamal KEM David Galindo 1 , 2 , Johann

Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure

Leakage-Resilient Cryptography with Key Derived from Sensitive Data Konrad Durnoga, Stefan

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Generic component-based middleware for a peer-to-peer flexible robot architecture What is MT

modeling formalisms - results from the MULTIFORM project Martin Hfner, Christian Sonntag,

The Missing Models: A Data-driven Approach to Learning How Networks Grow Carl Kingsford Professor

The New Frontier of Robotics Sren Tranberg Hansen Agenda What defjnes a robot Why look

Lecture Slides - Part 4 Bengt Holmstrom MIT February 2, 2016. Bengt Holmstrom (MIT) Lecture

Towards a theory of multivariate generating functions Mark C. Wilson University of Auckland

Automating Second Language Acquisition Research: Integrating Information Visualisation and

Decision aid methodologies in transportation Lecture 6 (part-2): Container terminal management