nonce based cryptography
play

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS - PowerPoint PPT Presentation

Jan 09, 2023 •141 likes •521 views

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

  1. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Björn Tackmann University of California, San Diego Eurocrypt 2016, Vienna — May 11, 2016

  2. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] WEAK RANDOMNESS bugs and bad implementations targeted attack(s) ECDSA randomness DUAL EC RSA Certificate Keys insufficient entropy coinciding prime factors [1] /dev/random … and more? insufficient entropy ... is not robust [2] [1; Heninger, Durumeric, Wustrow, Halderman, 2012; Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter, 2012] [2; Dodis, Pointcheval, Ruhault, Vergnaud, Wichs, 2013]

  3. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] PUBLIC-KEY ENCRYPTION 1. key generation private key PKE.kg public key 2. encryption public key ciphertext PKE.enc plaintext 3. decryption private key PKE.dec plaintext ciphertext [Goldwasser, Micali, 1984]

  4. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] PUBLIC-KEY ENCRYPTION 1. key generation private key PKE.kg public key 2. encryption public key ciphertext PKE.enc plaintext 3. decryption private key PKE.dec plaintext ciphertext [Goldwasser, Micali, 1984]

  5. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] PUBLIC-KEY ENCRYPTION 1. key generation private key PKE.kg randomness public key 2. encryption public key ciphertext PKE.enc plaintext randomness 3. decryption private key PKE.dec plaintext ciphertext [Goldwasser, Micali, 1984]

  6. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] USING PUBLIC-KEY ENCRYPTION alice bob pk ( sk , pk ) ← $ PKE.kg (authenticated) sk c ← $ PKE.enc( pk , m ) sk c m ← PKE.dec( sk , c ) m message c ciphertext pk public key sk secret key

  7. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SYMMETRIC ENCRYPTION AND NONCES 1. encryption shared key SE.enc plaintext ciphertext 2. decryption shared key SE.dec ciphertext plaintext [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  8. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SYMMETRIC ENCRYPTION AND NONCES 1. encryption shared key SE.enc plaintext ciphertext randomness 2. decryption shared key SE.dec ciphertext plaintext [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  9. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SYMMETRIC ENCRYPTION AND NONCES 1. encryption shared key SE.enc plaintext ciphertext nonce 2. decryption shared key SE.dec ciphertext plaintext nonce [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  10. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] WHAT ABOUT NONCE-BASED PKE? public key NPE.enc plaintext ciphertext nonce all input values may be known to an attacker!

  11. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] THE INTUITION 1. setup: generation of good random seed 2. keep state: sender stores seed 
 but we hedge scheme against exposure 3. encryption: use seed along with nonce

  12. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED PKE 1a. receiver key generation as before 1b. sender key generation NPE.skg randomness seed 2. encryption public key seed NPE.enc ciphertext plaintext nonce 3. decryption as before

  13. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] USING NONCE-BASED PKE alice bob seed ← $ NPE.skg ( sk , pk ) ← $ NPE.rkg seed pk sk (authenticated) seed c ← NPE.enc( pk , seed, m , nonce) sk c m message m ← NPE.dec( sk , c ) c ciphertext pk public key sk secret key

  14. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] USING NONCE-BASED PKE alice bob the sender has to keep state, but … seed ← $ NPE.skg ( sk , pk ) ← $ NPE.rkg 1. same seed valid for multiple receivers seed pk sk 2. different seeds on, e.g., different devices (authenticated) 3. seeds can be updated at any time … and 4. … we are hedging against exposure of the seed seed c ← NPE.enc( pk , seed, m , nonce) sk c m message m ← NPE.dec( sk , c ) c ciphertext pk public key sk secret key

  15. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SECURITY GUARANTEES security is guaranteed if either and (nonce, message) pairs sender seed secret unique or nonces secret and sender seed public and unpredictable. include in nonces, e.g., sender and receiver addresses, time, system RNG output

  16. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] A RANDOM-ORACLE-BASED SCHEME NPE.enc public key seed randomness message || RO PKE.enc nonce ciphertext decryption remains unchanged

  17. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] MAIN TOOL: HEDGED EXTRACTORS seed HE message randomness nonce (a) PRF if seed is secret (b) strong extractor if seed public but random

  18. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] ADAPTING TO HEDGED-EXTRACTORS NPE.enc public key seed randomness HE message PKE.enc nonce ciphertext

  19. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SECURITY 1: PSEUDO-RANDOMNESS b ← $ {0,1} x Oracle F (x): if b = 0 then y return (consistent) random value A else return F RO ( k , x ) v Oracle RO (v) w Adv prf (F, A ) = 2 Pr [ b’ ← $ A F , RO ; b = b’ ] - 1

  20. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] (UNPREDICTABLE) NONCE GENERATORS state ← ⊥ Oracle GEN (aux): aux if exposed then return ⊥ aux nonce A ( n , state) ← NG(aux, state) return n NG state state Oracle EXPOSE : state return state Adv pred (NG, A ) = Pr [ n ← $ A GEN , EXPOSE ; n ∈ N or collision ]

  21. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] SECURITY 2: EXTRACTION seed b ← $ {0,1} ; seed ← $ SEEDS Oracle ROR ( m , aux): if exposed then return ⊥ generate nonce n ← $ NG(aux) m , aux if b = 0 then return random value A r else return HE RO (seed, ( m, n )) Oracle EXPOSE : state return state v w Oracle RO (v) Adv ror (HE, NG, A ) = 2 Pr [ b’ ← $ A ROR , EXPOSE , RO ; b = b’ ] - 1

  22. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] THE RANDOM-ORACLE SCHEME HE seed RO || message randomness nonce Adv prf (HE, A ) ≤ q • 2 -k q RO queries Adv ror (HE, NG, A ) ≤ q • Adv pred (NG, B ) seed length k

  23. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] RECALL: ALMOST-UNIVERSAL HASHING seed AUHF randomness (entropic) input Definition: F: K × X → Z is 𝜁 -AUHF if ∀ x ≠ y : Pr k [ F( k , x ) = F( k , y ) ] ≤ 𝜁 Leftover Hash Lemma: Let F be 𝜁 -AUHF, then k , z ≈ 𝜁 ’( k ) k , F( k , x ) with k ← $ K ; z ← $ Z ; x with min-entropy k [Impagliazzo, Levin, Luby, 1989]

  24. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] THE STANDARD-MODEL SCHEME HE seed PRF message randomness nonce AUHF Adv prf (HE, A ) ≤ Adv prf (PRF, B ) Adv ror (HE, NG, A ) ≤ q • 𝜁 ’( k ) if Adv pred (NG, C ) ≤ 2 -k

  25. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] THE STANDARD-MODEL SCHEME HE seed PRF message randomness nonce AUHF caveat: nonces must be independent of seed Adv prf (HE, A ) ≤ Adv prf (PRF, B ) Adv ror (HE, NG, A ) ≤ q • 𝜁 ’( k ) if Adv pred (NG, C ) ≤ 2 -k

  26. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED PRIVACY, ONE pk b ← $ {0,1} seed ← $ SEEDS ; ( pk , sk ) ← $ NPE.kg Oracle ENC ( m 0 , m 1 , aux): if |m 0 | ≠ |m 1 | then return ⊥ m 0 , m 1 , aux generate nonce n ← $ NG(aux) if msg+nonce repeated then return ⊥ A c ← NPE.enc RO ( pk , seed, m b , n ) c return c c’ Oracle DEC ( c’ ): m’ decrypt c’ v Oracle RO (v) w Adv nbp1 (NPE, A ) = 2 Pr [ b’ ← $ A ENC , DEC , RO ; b = b’ ] - 1

  27. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED PRIVACY, ONE pk b ← $ {0,1} seed ← $ SEEDS ; ( pk , sk ) ← $ NPE.kg Oracle ENC ( m 0 , m 1 , aux): if |m 0 | ≠ |m 1 | then return ⊥ m 0 , m 1 , aux generate nonce n ← $ NG(aux) if msg+nonce repeated then return ⊥ A c ← NPE.enc RO ( pk , seed, m b , n ) c return c c’ Oracle DEC ( c’ ): m’ decrypt c’ v Oracle RO (v) w Adv nbp1 (NPE, A ) = 2 Pr [ b’ ← $ A ENC , DEC , RO ; b = b’ ] - 1

  28. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED PRIVACY, TWO b ← $ {0,1} pk, seed seed ← $ SEEDS ; ( pk , sk ) ← $ NPE.kg Oracle ENC ( m 0 , m 1 , aux): m 0 , m 1 , aux if |m 0 | ≠ |m 1 | then return ⊥ generate nonce n ← $ NG(aux) c c ← NPE.enc RO ( pk , seed, m b , n ) A return c c’ Oracle DEC ( c’ ): m’ decrypt c’ v Oracle RO (v) w Adv nbp2 (NPE, A ) = 2 Pr [ b’ ← $ A ENC , DEC , RO ; b = b’ ] - 1

  29. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED PRIVACY, TWO b ← $ {0,1} pk, seed seed ← $ SEEDS ; ( pk , sk ) ← $ NPE.kg Oracle ENC ( m 0 , m 1 , aux): m 0 , m 1 , aux if |m 0 | ≠ |m 1 | then return ⊥ generate nonce n ← $ NG(aux) c c ← NPE.enc RO ( pk , seed, m b , n ) A return c c’ Oracle DEC ( c’ ): m’ decrypt c’ v Oracle RO (v) w Adv nbp2 (NPE, A ) = 2 Pr [ b’ ← $ A ENC , DEC , RO ; b = b’ ] - 1

  30. [Bellare-Tackmann, EC 2016, Nonce-based Cryptography] BUILDING NONCE-BASED PUBLIC-KEY ENCRYPTION NPE.enc public key seed randomness HE message PKE.enc nonce ciphertext Adv nbp1 (NPE, A ) ≤ 2 • Adv prf (HE, B ) + Adv ind (PKE, C ) Adv nbp2 (NPE, A ) ≤ 2 • Adv ror (HE, B ) + Adv ind (PKE, C )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring Laura M. Roberts Princeton University / Akamai Technologies David Plonka Akamai Technologies NPS/CAIDA 2020 Virtual IPv6 Workshop June 17, 2020

624 views • 40 slides
Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER EPRINT.IACR.ORG/2014/794 BY DUCAS, LYUBASHEVSKY, AND PREST 2016-09-21, Royal Holloway, Egham OFFICIAL Public Key Cryptography (PKC) Also called

403 views • 26 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size & speed

1.39k views • 97 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice outwits Eve, by Samuel Lomonaco Jr. and Quantum Computing by Andr Bertiaume. The Classical World - Bits either 0 or 1. - Bits can be copied.

639 views • 11 slides
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded

Smaller Keys for Code based Cryptography: QC MDPC McEliece Implementations on Embedded Devices 4 th Code based Cryptography Workshop 2013, Rocquencourt, France Stefan Heyse, Ingo von Maurich and Tim Gneysu Horst Grtz Institute for

500 views • 39 slides
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos

The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos ( joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based Cryptography Workshop Technical

301 views • 17 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.

391 views • 36 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides
All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

Lecture 4 All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus Who are the miners? Lecture 4.1: The

1.16k views • 99 slides
Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and Implementa9on December 12, 2016 Agenda Webinar Instruc5ons (5 minutes) Overview of Requirements (70 minutes) Exports Imports Health

836 views • 55 slides
CCM4350 Security Architecture and Engineering Lecture 2 Security Design Principles 15.10.2012

CCM4350 Security Architecture and Engineering Lecture 2 Security Design Principles 15.10.2012

CCM4350 Security Architecture and Engineering Lecture 2 Security Design Principles 15.10.2012 1 Content of Todays Lecture Summary and Wrap up on Security Terminology The Fundamental Dilemma of Security Five Design Principles

801 views • 25 slides
Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

553 views • 39 slides
MAFTIA: FTI Dependability: Basic Concepts and Terminology a European project for [Laprie 1992]

MAFTIA: FTI Dependability: Basic Concepts and Terminology a European project for [Laprie 1992]

Fundamental Concepts of Dependability [Avizienis, Laprie & Randell 2001] MAFTIA: FTI Dependability: Basic Concepts and Terminology a European project for [Laprie 1992] Intrusion-tolerant data processing dependable Internet applications

484 views • 11 slides

More recommend