SLIDE 1
Multi-Instance Security and its Application to Password- Based - - PowerPoint PPT Presentation
Multi-Instance Security and its Application to Password- Based - - PowerPoint PPT Presentation
Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT Joint work with Mihir Bellare (UC San Diego) Thomas Ristenpart (Univ. of Wisconsin) Scenario: File encryption Want to store data in encrypted
SLIDE 2
SLIDE 3
Scenario: File encryption
- Keys need to be securely stored for later decryption
Want to store data in encrypted form using symmetric encryption.
SLIDE 4
Scenario: File encryption
- Keys need to be securely stored for later decryption
Want to store data in encrypted form using symmetric encryption. Alternative solution: Password-based cryptography.
SLIDE 5
Password-based encryption
SLIDE 6
Password-based encryption Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), β¦
SLIDE 7
Password-based encryption
π³ = ππππππππ β¦ β¦ β¦ . . ππππππππππ
KDF
q1w2e3
Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), β¦
Key-derivation function
SLIDE 8
Password-based encryption
π³ = ππππππππ β¦ β¦ β¦ . . ππππππππππ
KDF
q1w2e3
Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), β¦
PB-Encrypt(ππ₯, π) πΏ ο KDF(ππ₯) π· ο ENC(πΏ, π) Return π·
Key-derivation function
SLIDE 9
Password-based encryption
ENC(π³, π)
π³ = ππππππππ β¦ β¦ β¦ . . ππππππππππ
KDF
q1w2e3
Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), β¦
PB-Encrypt(ππ₯, π) πΏ ο KDF(ππ₯) π· ο ENC(πΏ, π) Return π·
Key-derivation function
SLIDE 10
Problem: Weak passwords are unavoidable
SLIDE 11
Problem: Weak passwords are unavoidable
SLIDE 12
Problem: Weak passwords are unavoidable
SLIDE 13
Mitigating dictionary attacks via iteration KDF = Hc
SLIDE 14
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H KDF = Hc
SLIDE 15
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) KDF = Hc
SLIDE 16
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) KDF = Hc
SLIDE 17
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) Expectation: Work πΆ to guess ππ₯ ο Work π Γ πΆ to break PB-Encrypt KDF = Hc
SLIDE 18
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) Expectation: Work πΆ to guess ππ₯ ο Work π Γ πΆ to break PB-Encrypt
π = 232
KDF = Hc
SLIDE 19
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) Expectation: Work πΆ to guess ππ₯ ο Work π Γ πΆ to break PB-Encrypt
π = 232 π Γ π = 232 Γ 220 = 252
KDF = Hc
SLIDE 20
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) Expectation: Work πΆ to guess ππ₯ ο Work π Γ πΆ to break PB-Encrypt
π = 232 π Γ π = 232 Γ 220 = 252
KDF = Hc
SLIDE 21
Mitigating dictionary attacks via iteration
β¦
ππ₯
πΏ
c times H H H
PB-Encrypt(ππ₯, π) πΏ ο Hc(ππ₯) π· ο ENC(πΏ, π) Return π·
H βΆ {0,1}ββ {0,1}π is cryptographic hash function (e.g., SHA-256) Expectation: Work πΆ to guess ππ₯ ο Work π Γ πΆ to break PB-Encrypt
π = 232 π Γ π = 232 Γ 220 = 252
KDF = Hc
SLIDE 22
PB-Encryption in the multi-user setting Real world has multiple users:
SLIDE 23
PB-Encryption in the multi-user setting
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
Real world has multiple users:
SLIDE 24
PB-Encryption in the multi-user setting
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
Real world has multiple users:
SLIDE 25
PB-Encryption in the multi-user setting
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
Real world has multiple users:
SLIDE 26
PB-Encryption in the multi-user setting Work π Γ πΆ to retrieve π1
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
π1
Real world has multiple users:
SLIDE 27
PB-Encryption in the multi-user setting Work π Γ πΆ to retrieve π1
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
π1
Real world has multiple users:
SLIDE 28
PB-Encryption in the multi-user setting Work π Γ πΆ to retrieve π1
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
π1 π2
Additional work to retrieve π2? Real world has multiple users:
SLIDE 29
PB-Encryption in the multi-user setting Work π Γ πΆ to retrieve π1
π·1 β PBβEncrypt(ππ₯1, π1) π·2 β PBβEncrypt(ππ₯2, π2) π·3 β PBβEncrypt(ππ₯3, π3)
π1 π2
Additional work to retrieve π2? Ideally: Work π Γ π Γ πΆ to retrieve π plaintexts! Real world has multiple users:
SLIDE 30
Multi-instance security amplification Not true in general:
SLIDE 31
Multi-instance security amplification Not true in general:
SLIDE 32
Multi-instance security amplification c times
β¦
H H H ππ₯1 πΏ1 Not true in general:
SLIDE 33
Multi-instance security amplification c times
β¦
H H H ππ₯1 πΏ1
β¦
H H H ππ₯π πΏπ
β¦
Not true in general:
SLIDE 34
Multi-instance security amplification c times
β¦
H H H ππ₯1 πΏ1
β¦
H H H ππ₯π πΏπ
β¦
Work πΆ Γ π + Work πΆ / ciphertext = πΆ Γ π + π vs πΆ Γ π Γ π Not true in general:
SLIDE 35
Multi-instance security amplification c times
β¦
H H H ππ₯1 πΏ1
β¦
H H H ππ₯π πΏπ
β¦
Work πΆ Γ π + Work πΆ / ciphertext = πΆ Γ π + π vs πΆ Γ π Γ π Not true in general: New design goal: Multi-instance security amplification βHardness of breaking multiple instances must increase linearly in the number of instances.β
SLIDE 36
PKCS#5 β Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack
SLIDE 37
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 38
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H Randomly chosen per KDF evaluation Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 39
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H
PB-Encrypt(ππ₯, π) ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Randomly chosen per KDF evaluation Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 40
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H
PB-Encrypt(ππ₯, π) ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Randomly chosen per KDF evaluation Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 41
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H
PB-Encrypt(ππ₯, π) ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Randomly chosen per KDF evaluation Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 42
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H
PB-Encrypt(ππ₯, π) ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Randomly chosen per KDF evaluation Allows decryption Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 43
PKCS#5 β Password-based cryptography standard
β¦
ππ₯||ππππ
πΏ
H H H
PB-Encrypt(ππ₯, π) ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Randomly chosen per KDF evaluation Allows decryption
Question: Does salting provably ensure multi- instance security amplification?
Salting as suggested in PKCS#5 prevents attack KDF1:
SLIDE 44
Iteration and salting in the real world No salting! No iteration!
SLIDE 45
Our results
SLIDE 46
Our results Question: Does salting provably ensure multi-instance security amplification?
SLIDE 47
Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know!
SLIDE 48
Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof!
SLIDE 49
Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof! 2) No formal model!
SLIDE 50
Our results Our contributions: 1) General definitional framework for multi-instance security of arbitrary cryptographic primitives. 2) Case study: Security analysis of PKCS#5 within our framework. Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof! 2) No formal model!
SLIDE 51
Outline
- 1. Multi-instance security
- 2. Security of PKCS#5 β A case study
SLIDE 52
Outline
- 1. Multi-instance security
- 2. Security of PKCS#5 β A case study
SLIDE 53
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ LOR-Security
SLIDE 54
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| LOR-Security
SLIDE 55
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| LOR-Security
SLIDE 56
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] LOR-Security
SLIDE 57
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] LOR-Security
SLIDE 58
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] LOR-Security ππ₯ β πππΈ PWR-Security
SLIDE 59
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] π ππ(ππ, π) π LOR-Security ππ₯ β πππΈ PWR-Security
SLIDE 60
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] ππβ² π ππ(ππ, π) π LOR-Security ππ₯ β πππΈ PWR-Security
SLIDE 61
Single-instance security β PB-Encryption π β 0,1 ππ₯ β πππΈ πβ² π ππ(ππ, ππ) ππ, ππ |ππ| = |ππ| πππ°lor π΅ = 2 Γ [Pr π = πβ² β 1 2 ] ππβ² π ππ(ππ, π) π LOR-Security ππ₯ β πππΈ PWR-Security πππ°pwr π΅ = Pr[ππβ² = ππ]
SLIDE 62
The multi-instance (mi) security vista Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that:
- instances of the scheme concurrently.
- Corrupts up to π’ < π instances of the scheme (e.g.,
learns passwords).
- Wins if it breaks P for all uncorrupted instances.
SLIDE 63
The multi-instance (mi) security vista Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that:
- Attacks π instances of the scheme concurrently.
- Corrupts up to π’ < π instances of the scheme (e.g.,
learns passwords).
- Wins if it breaks P for all uncorrupted instances.
SLIDE 64
The multi-instance (mi) security vista < ππ instances of the scheme (e.g., learns passwords). Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that:
- Attacks π instances of the scheme concurrently.
- Corrupts up to π’ < π instances of the scheme (e.g.,
learns passwords).
- Wins if it breaks P for all uncorrupted instances.
SLIDE 65
The multi-instance (mi) security vista < ππ instances of the scheme (e.g., learns passwords). Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that:
- Attacks π instances of the scheme concurrently.
- Wins if it breaks P for all uncorrupted instances.
- Wins if it breaks P for all uncorrupted instances.
SLIDE 66
PWR security
SLIDE 67
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ
SLIDE 68
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ
SLIDE 69
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ
SLIDE 70
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ
SLIDE 71
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ (πππ
β² , πππ β² , πππ β² )
SLIDE 72
PWR security ππ₯3 β πππΈ ππ₯1 β πππΈ ππ₯2 β πππΈ (πππ
β² , πππ β² , πππ β² )
πππ°π§βπͺπ±π¬ π΅ = Pr[ππ1
β² = πππ, β¦ , πππ β² = πππ]
SLIDE 73
π3 β 0,1 ππ₯3 β πππΈ LOR security π1 β 0,1 ππ₯1 β πππΈ π2 β 0,1 ππ₯2 β πππΈ
SLIDE 74
π3 β 0,1 ππ₯3 β πππΈ LOR security π1 β 0,1 ππ₯1 β πππΈ π2 β 0,1 ππ₯2 β πππΈ
SLIDE 75
π3 β 0,1 ππ₯3 β πππΈ LOR security π1 β 0,1 ππ₯1 β πππΈ π2 β 0,1 ππ₯2 β πππΈ
SLIDE 76
π3 β 0,1 ππ₯3 β πππΈ LOR security π1 β 0,1 ππ₯1 β πππΈ π2 β 0,1 ππ₯2 β πππΈ πππ°π§βπ¦π©π¬ π΅ =?
SLIDE 77
Defining mi security for encryption Attempt #1: AND-advantage
SLIDE 78
Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = ππ¬[ ππ, β¦ , ππ = ππ
β² , β¦ , ππ β²
] Output: ππ
β² , β¦ , ππ β²
SLIDE 79
Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = ππ¬[ ππ, β¦ , ππ = ππ
β² , β¦ , ππ β²
] Output: ππ
β² , β¦ , ππ β²
Problem: Does not measure hardness of winning all uncorrupted instances.
SLIDE 80
Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = ππ¬[ ππ, β¦ , ππ = ππ
β² , β¦ , ππ β²
] Output: ππ
β² , β¦ , ππ β²
Problem: Does not measure hardness of winning all uncorrupted instances.
Reason: If β adversary with ππ¬[ππ = ππ
β² ] > 3/4
Then β adversary guessing second bit at random, with ππ¬ ππ, ππ = ππ
β² , ππ β²
> 3 4 Γ 1 2 = 3/8
SLIDE 81
Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = ππ¬[ ππ, β¦ , ππ = ππ
β² , β¦ , ππ β²
] Output: ππ
β² , β¦ , ππ β²
Problem: Does not measure hardness of winning all uncorrupted instances.
Reason: If β adversary with ππ¬[ππ = ππ
β² ] > 3/4
Then β adversary guessing second bit at random, with ππ¬ ππ, ππ = ππ
β² , ππ β²
> 3 4 Γ 1 2 = 3/8
SLIDE 82
Defining mi security for encryption Attempt #2: XOR-advantage
SLIDE 83
Defining mi security for encryption Attempt #2: XOR-advantage LORX-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = 2 Γ ππ¬ πβ² = ππ β β― β ππ β 1/2 Output: πβ²
SLIDE 84
Defining mi security for encryption Attempt #2: XOR-advantage LORX-security: Advantage: πππ°π§βπ¦π©π¬π π΅ = 2 Γ ππ¬ πβ² = ππ β β― β ππ β 1/2 Output: πβ² Reason: If β adversary with ππ¬ πβ² = ππ > 1 + π 2 Then: Adversary guessing second bit has no advantage ππ¬ πβ² = ππ β ππ = 1 2
SLIDE 85
Mi security notions β Relations m-LORX m-LORA m-PWR
SLIDE 86
Mi security notions β Relations m-LORX m-LORA m-PWR (1)
SLIDE 87
Mi security notions β Relations m-LORX m-LORA m-PWR (1)
SLIDE 88
Mi security notions β Relations m-LORX m-LORA m-PWR (1) 1) Holds in most cases β proof relies on probabilistic lemma from [U09].
SLIDE 89
Mi security notions β Relations m-LORX m-LORA m-PWR (1) (2) 1) Holds in most cases β proof relies on probabilistic lemma from [U09].
SLIDE 90
Mi security notions β Relations m-LORX m-LORA m-PWR (1) (2) 1) Holds in most cases β proof relies on probabilistic lemma from [U09]. 2) Very loose asymptotic implication β based on Goldreich- Levin Theorem [GL89]
SLIDE 91
Relations β LOR vs ROR πβ²
ENC(ππ, ππ)
π β 0,1 ππ₯ β πππΈ ππ, ππ LOR-Security ROR-Security πβ²
ENC(ππ, ππ)
π β 0,1 π1 β π ππ₯ β πππΈ ππ
SLIDE 92
Relations β LOR vs ROR
SLIDE 93
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
SLIDE 94
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
Hybrid argument
SLIDE 95
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
Hybrid argument L R L $ $ R + β€
SLIDE 96
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
Hybrid argument
Mi setting with m instances:
πππ°mβrorx π β€ πππ°mβlorx π β€ ππ Γ πππ°mβrorx π
L R L $ $ R + β€
SLIDE 97
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
Hybrid argument
Mi setting with m instances:
πππ°mβrorx π β€ πππ°mβlorx π β€ ππ Γ πππ°mβrorx π
L R L $ $ R + β€
L
R L $ $ R + β€ L R L $ L $ $ R $ R + L $ $ R +
SLIDE 98
Relations β LOR vs ROR
Classical textbook theorem. πππ°ror π β€ πππ°lor π β€ π Γ πππ°ror π
Hybrid argument
Mi setting with m instances:
πππ°mβrorx π β€ πππ°mβlorx π β€ ππ Γ πππ°mβrorx π
L R L $ $ R + β€
L
R L $ $ R + β€ L R L $ L $ $ R $ R + L $ $ R + Tight!
SLIDE 99
Outline
- 1. Multi-instance security
- 2. Security of PKCS#5 β A case study
SLIDE 100
Outline
- 1. Multi-instance security
- 2. Security of PKCS#5 β A case study
SLIDE 101
PKCS#5 β Defining KDF Security
SLIDE 102
PKCS#5 β Defining KDF Security
Question: Does salting provably ensures multi- instance security amplification? YES!
SLIDE 103
PKCS#5 β Defining KDF Security
Question: Does salting provably ensures multi- instance security amplification? YES!
β¦
ππ₯||ππππ
πΏ
H H H
SLIDE 104
PKCS#5 β Defining KDF Security
Question: Does salting provably ensures multi- instance security amplification? YES!
β¦
ππ₯||ππππ
πΏ
H H H Main step: Security analysis of KDF1 for case H = RO.
SLIDE 105
KDF Security in the ROM
RO
KDF1
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ
KDF satisfies indifferentiability-like poperty [MRH04]
0/1
Sim
Test
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ 0/1
βSim β password distributions: Left β Right
SLIDE 106
KDF Security in the ROM
RO
KDF1
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ
KDF satisfies indifferentiability-like poperty [MRH04]
0/1
Sim
Test
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ 0/1 π queries π queries
βSim β password distributions: Left β Right
SLIDE 107
KDF Security in the ROM
RO
KDF1
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ
KDF satisfies indifferentiability-like poperty [MRH04]
0/1
Sim
Test
ππ₯1||π‘π1, β¦ , ππ₯π||π‘ππ πΏ1, β¦ , πΏπ 0/1 π queries π queries
βSim β password distributions: Left β Right
SLIDE 108
Final result: Security of PB-Encrypt
Question: Does salting deliver multi-instance security amplification for PKCS#5? PB-Encrypt(ππ₯, π)
ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Theorem: βA making π RO queries, β B such that πππ°PBβEncrypt
π§βπ¬π©π¬π²
π΅ < π πππ + π β πππ°ENC
π¬π©π¬
πΆ + π2 2π
+
π2 2π‘
SLIDE 109
Final result: Security of PB-Encrypt
Question: Does salting deliver multi-instance security amplification for PKCS#5? PB-Encrypt(ππ₯, π)
ππππ ο {0,1}π‘ πΏ ο Hc(ππ₯||ππππ) π· ο ENC(πΏ, π) Return π·||ππππ
Theorem: βA making π RO queries, β B such that πππ°PBβEncrypt
π§βπ¬π©π¬π²
π΅ < π πππ + π β πππ°ENC
π¬π©π¬
πΆ + π2 2π
+
π2 2π‘
Work π Γ π Γ π to break encryption (RO queries)
SLIDE 110
Concluding Remarks Summary:
ο ο ο ο ο
SLIDE 111
Concluding Remarks Summary:
- The world has multiple users
ο ο ο ο
SLIDE 112
Concluding Remarks Summary:
- The world has multiple users
- Weak individual instances sometimes unavoidable
ο ο ο
SLIDE 113
Concluding Remarks Summary:
- The world has multiple users
- Weak individual instances sometimes unavoidable
- Mi security as a second line of defense
ο ο
SLIDE 114
Concluding Remarks Summary:
- The world has multiple users
- Weak individual instances sometimes unavoidable
- Mi security as a second line of defense
- Interesting technical questions
ο
SLIDE 115
Concluding Remarks Summary:
- The world has multiple users
- Weak individual instances sometimes unavoidable
- Mi security as a second line of defense
- Interesting technical questions
- First security analysis of PKCS#5 in the mi setting
SLIDE 116
Concluding Remarks Summary:
- The world has multiple users
- Weak individual instances sometimes unavoidable
- Mi security as a second line of defense
- Interesting technical questions
- First security analysis of PKCS#5 in the mi setting