overcoming impossibility results in composable security
play

Overcoming Impossibility Results in Composable Security using - PowerPoint PPT Presentation

Oct 03, 2023 •769 likes •1.25k views

Overcoming Impossibility Results in Composable Security using Interval-Wise Guarantees Daniel Jost Ueli Maurer ETH Zurich Crypto 2020, August 17-21, 2020 Motivation: how to best define security? Aug 17, 2020 2 Daniel Jost Defining Security

  1. Overcoming Impossibility Results in Composable Security using Interval-Wise Guarantees Daniel Jost Ueli Maurer ETH Zurich Crypto 2020, August 17-21, 2020

  2. Motivation: how to best define security? Aug 17, 2020 2 Daniel Jost

  3. Defining Security Game-based security: • Simple and minimal • no direct link to real-world executions • many games • no composition Aug 17, 2020 3 Daniel Jost

  4. Defining Security Game-based security: Composable security: • Guarantees linked to real-world application • Simple and minimal • Modularization • Composition • • More complicated proofs no direct link to real-world executions • Less efficient schemes • many games • Impossibility results • no composition Aug 17, 2020 4 Daniel Jost

  5. Defining Security Game-based security: Composable security: • Guarantees linked to real-world application • Simple and minimal • Modularization • Composition • • More complicated proofs no direct link to real-world executions • Less efficient schemes • many games • Impossibility results • no composition Simulator-commitment problem Aug 17, 2020 5 Daniel Jost

  6. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) Key π A π B sim Aug 17, 2020 6 Daniel Jost

  7. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) (Leakable) key Secure channel Key π A π B sim Authenticated channel Aug 17, 2020 7 Daniel Jost

  8. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) ? Key ≈ π A π B sim Aug 17, 2020 8 Daniel Jost

  9. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) 1 Key m m π A π B sim Aug 17, 2020 9 Daniel Jost

  10. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) 1 Key m m π A π B |m| sim c c 2 without m → committed Aug 17, 2020 10 Daniel Jost

  11. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) 1 Key m m π A π B |m| m sim c k c 2 3 Aug 17, 2020 11 Daniel Jost

  12. The Commitment Problem • Example : − encrypting a message to protect confidentiality − where adversaries that can (adaptively) learn parties ’ state (including keys) 1 Key m m π A π B |m| m sim c k c Cannot come 2 3 up with k that explains c Aug 17, 2020 12 Daniel Jost

  13. The Commitment Problem Observation: • Example : • Leaking only the messages length (and the simulator creating a fake ciphertext) is − encrypting a message to protect confidentiality used to formalize that the message remains confidential until the key leaks − where adversaries that can (adaptively) learn parties ’ state (including keys) • But it causes problems to simulate after that event… 1 Key m m π A π B |m| m sim c k c Cannot come 2 3 up with k that explains c Aug 17, 2020 13 Daniel Jost

  14. The Commitment Problem • Existing solutions : − Allowing for superpolynomial simulators → Still needs stronger schemes / additional setup − Non-information oracles: embedding game-based notions → Lack of clear composition rules Aug 17, 2020 14 Daniel Jost

  15. Contributions Idea of this paper: Can we make to separate statements? • One up to the moment the key leaks (for confidentiality) • One after the key leaked (about the remaining guarantees) Goal: Non-goals: • Express security guarantees of • Requireing less efficient schemes / «regular» schemes composably additional setup • Fall back to game-based security Open question: How would such a notion fit within a composable framework? Aug 17, 2020 15 Daniel Jost

  16. Specifications: a fresh take on composable security Aug 17, 2020 16 Daniel Jost

  17. Rethinking Composable Security: Specifications a resource Aug 17, 2020 17 Daniel Jost

  18. Rethinking Composable Security: Specifications Subset of resources with the desired properties → specification Set of all resources Aug 17, 2020 18 Daniel Jost

  19. Rethinking Composable Security: Specifications ▪ General statement: specification abstraction ▪ Abstract assumed specification by constructed one ▪ Easier to understand Aug 17, 2020 19 Daniel Jost

  20. Rethinking Composable Security: Specifications ▪ General statement: specification abstraction ▪ Abstract assumed specification by constructed one ▪ Easier to understand Aug 17, 2020 20 Daniel Jost

  21. Rethinking Composable Security: Specifications ▪ General statement: specification abstraction ▪ Abstract assumed specification by constructed one ▪ Easier to understand Aug 17, 2020 21 Daniel Jost

  22. Rethinking Composable Security: Specifications ▪ General statement: specification abstraction ▪ Abstract assumed specification by constructed one ▪ Easier to understand Introduced in Mau- Ren’16 Aug 17, 2020 22 Daniel Jost

  23. Rethinking Composable Security: Specifications ▪ General statement: specification abstraction ▪ Abstract assumed specification by constructed one ▪ Easier to understand ▪ While traditional composable framework have a single type of statement, specifications give us flexibility : ▪ Basic properties and compositional guarantees fixed ▪ But not the types of specifications! Aug 17, 2020 23 Daniel Jost

  24. Rethinking Composable Security: Specifications ▪ Advantages: ▪ Absolute statement: no «forgotten» attacks ▪ Composition: transitivity of subset relation ▪ Intersection Aug 17, 2020 24 Daniel Jost

  25. Rethinking Composable Security: Specifications ▪ Advantages: ▪ Absolute statement: no «forgotten» attacks ▪ Composition: transitivity of subset relation ▪ Intersection ∧ Aug 17, 2020 25 Daniel Jost

  26. Rethinking Composable Security: Specifications ▪ Advantages: ▪ Absolute statement: no «forgotten» attacks ▪ Composition: transitivity of subset relation ▪ Intersection Guarantee 2 Guarantee 1 (e.g confidentiality) (e.g authenticity) Aug 17, 2020 26 Daniel Jost

  27. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ π A π B sim Aug 17, 2020 27 Daniel Jost

  28. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ π A π B sim Aug 17, 2020 28 Daniel Jost

  29. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ π A π B Easy to see what Eve can do sim Aug 17, 2020 29 Daniel Jost

  30. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ π A π B sim Aug 17, 2020 30 Daniel Jost

  31. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ π A π B sim ⊆ Aug 17, 2020 31 Daniel Jost

  32. Simulation-based Security ▪ The standard «simulation-based» notion can be expressed as a special case of specification abstraction: Key ≈ ε -relaxation: π A π B the set of all resources that are computationally indistinguishable to one of the original (green) specification. sim ⊆ Aug 17, 2020 32 Daniel Jost

  33. Simulation-based Security ▪ The ε -relaxation has two important properties: 1. Commutes with protocol application 𝜌 ℛ 𝜗 ⊆ 𝜌ℛ 𝜗 2. Monotonicity: ℛ ⊆ 𝒯 ⟹ ℛ 𝜗 ⊆ 𝑇 𝜗 Aug 17, 2020 33 Daniel Jost

  34. Simulation-based Security ▪ The ε -relaxation has two important properties: 1. Commutes with protocol application 𝜌 ℛ 𝜗 ⊆ 𝜌ℛ 𝜗 • The «standard» composition rule can be recovered as a syntactic derivation rule • In particular simulator and ε -relaxation can be ignored in further construction step 2. Monotonicity: ➔ Having structured specifications is crucial for true modularity! ℛ ⊆ 𝒯 ⟹ ℛ 𝜗 ⊆ 𝑇 𝜗 Aug 17, 2020 34 Daniel Jost

  35. Interval-wise Relaxations Aug 17, 2020 35 Daniel Jost

  36. Interval-wise Guarantees We use this specification based view this to overcome commitment problem! • Recall: cannot simulate across exposure of key Key m 1 π A π B • Solution: we formalize the guarantees before and after 3 2 c k the key exposure as separate specifications: m 1. Confidentiality until the key is exposed |m| m 2. Remaining guarantees afterwards sim c Aug 17, 2020 36 Daniel Jost

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation Abishek Kumarasubramanian Secure Computation [Yao,GMW] Security guarantee only Corrupted party learns no when protocol runs

369 views • 16 slides
Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove. ASIACRYPT 2018 J. P. Degabriele M. Fischlin 1 What this talk is about We propose and explore new security definitions for symmetric encryption

819 views • 24 slides
Concurrently Composable Security With Shielded Super-polynomial Simulators B. Broadnax, N.

Concurrently Composable Security With Shielded Super-polynomial Simulators B. Broadnax, N.

Concurrently Composable Security With Shielded Super-polynomial Simulators B. Broadnax, N. Dttling, G. Hartung, J. Mller-Quade, and M. Nagel Faculty of Computer Science Institute for Theoretical Informatics Research Group for

643 views • 60 slides
EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE & EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an

Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an

Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an important building block for fault-tolerant computing Universal: any deterministic fault-tolerant service can be implemented on top of it

349 views • 12 slides
Point-Set Topology for Impossibility Results in Distributed Computing Thomas Nowak Overview

Point-Set Topology for Impossibility Results in Distributed Computing Thomas Nowak Overview

Point-Set Topology for Impossibility Results in Distributed Computing Thomas Nowak Overview Introduction Safety vs. Liveness First Example: Wait-Free Shared Memory Message Omission Model Execution Trees Three Classical

845 views • 40 slides
A Simpler Variant of Universally Composable Security for Standard Multi Party Computation Chlo

A Simpler Variant of Universally Composable Security for Standard Multi Party Computation Chlo

A Simpler Variant of Universally Composable Security for Standard Multi Party Computation Chlo e H ebant Ecole Normale Sup erieure February 22, 2018 Chlo e H ebant (ENS) Working Group: SUC Security February 22, 2018 1 / 18

898 views • 42 slides
Control of Networks Algorithms, Fundamental Limitations, Impossibility Results Alex Olshevsky

Control of Networks Algorithms, Fundamental Limitations, Impossibility Results Alex Olshevsky

Control of Networks Algorithms, Fundamental Limitations, Impossibility Results Alex Olshevsky Department of Electrical and Computer Engineering Boston University Linear control theory The study of the linear differential equation x ( t )

881 views • 87 slides
Impossibility Results for Distributed Transactional Memory Paper Reading Group Costas Bunsch

Impossibility Results for Distributed Transactional Memory Paper Reading Group Costas Bunsch

Impossibility Results for Distributed Transactional Memory Paper Reading Group Costas Bunsch Maurice Herlihy Miroslav Popovic Gokarna Sharma Presents: Maksym Planeta 12.11.2015 Table of Contents Introduction Table of Contents

640 views • 22 slides
E R I S A A p p e a l s Overcoming the FAKE Appeal Process What is ERISA

E R I S A A p p e a l s Overcoming the FAKE Appeal Process What is ERISA

AppealTraining.com Webinar Series E R I S A A p p e a l s Overcoming the FAKE Appeal Process What is ERISA Employee Retirement Income Security Act federal law governing employer-sponsored benefit plans. Claim impact:

579 views • 26 slides
The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice

The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice

The Author Setting, Definitions and Conditions Sen s Impossibility Theorem and Proof Critique and Ways Out Conclusion The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice Theory Institute

1.98k views • 15 slides
On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schge Ruhr-University Bochum EUROCRYPT 2016 1 Tight Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A

835 views • 48 slides
An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June

An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June

An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June 19, 2018 Contents Motivation Definitions The Impossibility Theorem Centroid-Based Clustering and Consistency Relaxing the Properties Table of

1.08k views • 96 slides
Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins

Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins

Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins 1 / 39 class Adam: def __init__(self): self.work = PacketFabric("Sr. Software Engineer") self.oss = Sanic("Core Maintainer")

719 views • 50 slides
REBUILDING THE MONOLITH WITH COMPOSABLE APPS

REBUILDING THE MONOLITH WITH COMPOSABLE APPS

REBUILDING THE MONOLITH WITH COMPOSABLE APPS https://www.quora.com/Why-are-front-end-developers-so-high-in-demand-at-startups-if-front-end-development-is-relatively-easier-than-other-fields-of-engineering 2013

1.17k views • 87 slides
Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of

Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of

Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of Transactional Memory Implementations Sebastiano Peluso 1 , Roberto Palmieri 1 , Paolo Romano 2 , Binoy Ravindran 1 and Francesco Quaglia 3 3 1 2

412 views • 26 slides
Social Science Librarians Boot Camp 2019 Brittany Andersen PhD Candidate at Boston University /

Social Science Librarians Boot Camp 2019 Brittany Andersen PhD Candidate at Boston University /

Social Science Librarians Boot Camp 2019 Brittany Andersen PhD Candidate at Boston University / UX Researcher at Ancestry 1. Introduction to Social Networks 2. Data Collection Methods and Limitations 3. Overview of Social Listening 4. Live

792 views • 19 slides
From Rutgers PhD to Medical Affairs Professional Dharm Patel, PhD Medical Strategy &

From Rutgers PhD to Medical Affairs Professional Dharm Patel, PhD Medical Strategy &

From Rutgers PhD to Medical Affairs Professional Dharm Patel, PhD Medical Strategy & Scientific Affairs Manager LEO Pharma Inc. My Academic Career BS: Monmouth University, Molecular Biology 8 year BS/MD Program with

473 views • 10 slides
Life After Your PhD Keyi Chen & Jamie Nelson What are your plans? Do you want to ... 1.

Life After Your PhD Keyi Chen & Jamie Nelson What are your plans? Do you want to ... 1.

Life After Your PhD Keyi Chen & Jamie Nelson What are your plans? Do you want to ... 1. Become a professor 2. Go into industry 3. Not sure yet 4. Other?... Industry or Academia? Can you name some key difgerence between the two? 8

444 views • 26 slides
Innovation and Collaboration: The Transdisciplinary Obesity Prevention (TOP) Graduate Certificate

Innovation and Collaboration: The Transdisciplinary Obesity Prevention (TOP) Graduate Certificate

Innovation and Collaboration: The Transdisciplinary Obesity Prevention (TOP) Graduate Certificate Program Jessica Meendering, PhD, EP-C Associate Professor of Exercise Science Department of Health and Nutritional Sciences South Dakota State

292 views • 11 slides
SunyoungKim,PhD Todays agenda Evaluation Expert evaluation o Cognitive

SunyoungKim,PhD Todays agenda Evaluation Expert evaluation o Cognitive

Human-Computer Interaction 22. Evaluating User Interface: Expert Evaluation SunyoungKim,PhD Todays agenda Evaluation Expert evaluation o Cognitive Walkthrough o Heuristic Evaluation Design process (Koberg & Bagnall) Why

865 views • 54 slides
29/7/19 The rationale: why do this? Writing a PhD proposal o Needs to be a contribution to

29/7/19 The rationale: why do this? Writing a PhD proposal o Needs to be a contribution to

29/7/19 The rationale: why do this? Writing a PhD proposal o Needs to be a contribution to knowledge in the field o Be brave and tackle important problems that you, and other people, care about. o If possible consider topics that have both

298 views • 4 slides
Interpreting Complex Images Using Appearance Models Chris Taylor Imaging Science and Biomedical

Interpreting Complex Images Using Appearance Models Chris Taylor Imaging Science and Biomedical

Interpreting Complex Images Using Appearance Models Chris Taylor Imaging Science and Biomedical Engineering University of Manchester Acknowlegments Tim Cootes Gareth Edwards Christine Beeston Rhodri Davies (IPMI 2003 and PhD

509 views • 29 slides
Tips on Applying for Scholarships & Fellowships (SSHRC Doctoral and CGS-M) Award Values,

Tips on Applying for Scholarships & Fellowships (SSHRC Doctoral and CGS-M) Award Values,

Tips on Applying for Scholarships & Fellowships (SSHRC Doctoral and CGS-M) Award Values, Duration, Tenure SSHRC CGS-M: $17,500 for one year; tenable only at Canadian Universities SSHRC Doctoral Fellowship: $20,000 per year, variable

824 views • 21 slides

More recommend