Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. - PowerPoint PPT Presentation

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London

Outline of the Talk Ø Hierarchical Key Assignment Schemes § Definition of Security Notions § Some Previous Work § Cryptographic Assumptions § The Factoring Assumption § Security of BBS Generator § Provably Secure KAS under the Factoring Assumption § A KR-secure Scheme § KI-secure Schemes

Hierarchical Key Assignment Schemes § Method for implementing access control policies where some users have more access rights than others § These schemes can be useful for: § Content distribution § Management of databases containing sensitive information § Government communications § Broadcast services (such as cable TV)

Hierarchical Key Assignment Schemes An access control policy can be represented by a directed graph G=(V,E), also called poset V: Set of disjoint classes, a called security classes u v ≤ u b c Edge (u,v) E: ∈ v Users in class u have access to data in class v, d e f represented by v ≤ u . Any class should be able to access secret data of all its successor in the hierarchy. Any set of classes should NOT be able to access data of any class that is not a successor of any class in the set.

Hierarchical Key Assignment Schemes Solution: Assign an encryption key and some private information to each class in the graph (hierarchy) , as well as some public information. k a ,S a a Pub Private information + public info k b ,S b k c ,S c will be used to generate b c encryption keys d e f k d ,S d k e ,S e k f ,S f

Hierarchical Key Assignment Schemes A key assignment scheme is a pair of algorithms Gen, Derive: (S,k,pub) ß Gen(1 ρ ,G) § S is the set of private information § k is the set of keys § pub is the public information k v ß Derive(1 ρ ,G,pub,u,v,S u ) for each class v V such ∈ that v ≤ u, where S u is the private information assigned to class u and k v is the key assigned to class v.

Outline of the Talk ü Hierarchical Key Assignment Schemes Ø Definition of Security Notions § Some Previous Work § Cryptographic Assumptions § The factoring Assumption § Security of BBS Generator § Provably Secure KAS under the Factoring Assumption § A KR-secure Scheme § KI-secure Schemes

Definition of Security Notions § Types of Adversaries § Static Adversary § Dynamic Adversary § Security Goals [Atallah et al. ] § Key Recovery § Key Indistinguishability

Types of Adversaries Static Adversary I want to attack u a b u d e f A stat The adversary first chooses a class u V to attack and then is allowed ∈ to access the private information assigned to all classes v V, such ∈ that u ≤ v .

Types of Adversaries Static Adversary I want to attack u a Now I want S b , S d , S e , S f b u d e f A stat The adversary first chooses a class u V to attack and then is allowed ∈ to access the private information assigned to all classes v V, such ∈ that u ≤ v .

Types of Adversaries Dynamic Adversary a Pub b u d e f A dyn The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u V to attack. After this the adversary is still ∈ allowed to corrupt class of its choice subject to u ≤ v.

Types of Adversaries Dynamic Adversary I want S b , S d , S e a b u d e f A dyn The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u V to attack. After this the adversary is still ∈ allowed to corrupt class of its choice subject to u ≤ v.

Types of Adversaries Dynamic Adversary I want S b , S d , S e a Now I want to attack u b u d e f A dyn The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u V to attack. After this the adversary is still ∈ allowed to corrupt class of its choice subject to u ≤ v.

Types of Adversaries Dynamic Adversary I want S b , S d , S e a Now I want to attack u b u Now I want S f d e f A dyn The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u V to attack. After this the adversary is still ∈ allowed to corrupt class of its choice subject to u ≤ v.

Types of Adversaries Dynamic Adversary Ateniese et al.: I want static and dynamic adv S b , S d , S e are polynomially equivalent a Now I want to attack u b u Now I want S f d e f A dyn The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u V to attack. After this the adversary is still ∈ allowed to corrupt class of its choice subject to u ≤ v.

Security Goals by Atallah et al. § Security w.r.t. Key Recovery (KR) An adversary is not able to compute a key to which it should not have access. § Security w.r.t. Key Indistinguishability (KI) An adversary is not able to distinguish between a real key that it should not have access to and a random string of the same length.

Security Goals Key Recovery (KR-ST) Experiment Exp KR-ST (1 ρ ,G): A u ß A (1 ρ ,G) (S,k,pub) ß Gen (1 ρ ,G) corr ß {S v : u ≤ v} k ’ u ß A (1 ρ ,G,pub,corr) return k ’ u Adv KR-ST (1 ρ ,G) = Pr[k ’ u = k u ] The advantage of A is defined to be . A Adv KR-ST (1 ρ ,G) The scheme is said to be secure if is negligible. A

Security Goals Key Indistinguishability (KI-ST) Experiment Exp KI-ST-1 (1 ρ ,G): Experiment Exp KI-ST-0 (1 ρ ,G): A A u ß A (1 ρ ,G) u ß A (1 ρ ,G) (S,k,pub) ß Gen (1 ρ ,G) (S,k,pub) ß Gen (1 ρ ,G) corr ß {S v : u ≤ v} corr ß {S v : u ≤ v} r ß {0,1} ρ k ’ u ß A (1 ρ ,G,pub,corr,k u ) k ’ u ß A (1 ρ ,G,pub,corr,r) return b ’ return b ’ The advantage of A is defined to be Adv KI-ST (1 ρ ,G) = |Pr[Exp KI-ST-1 (1 ρ ,G) = 1] - Pr[Exp KI-ST-0 (1 ρ ,G) = 1]|. A A A Adv KI-ST (1 ρ ,G) The scheme is said to be secure if is negligible. A

Outline of the Talk ü Hierarchical Key Assignment Schemes ü Definition of Security Notions Ø Some Previous Work § Cryptographic Assumptions § The factoring Assumption § Security of BBS Generator § Provably Secure KAS under the Factoring Assumption § A KR-secure Scheme § KI-secure Schemes

Some Previous Work § [Atallah et al. ‘ 06] § KR-secure schemes based on pseudorandom functions; § KI-secure schemes based on any CCA-secure symmetric encryption; § [Ateniese et al. ‘ 06] § KI-secure schemes under the BDDH assumption; § KI-secure schemes based on the OW-CPA security of a symmetric encryption scheme;

Some Previous Work § [D ’ Arco et al. ’ 10] § Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption; § Construction yielding KI-secure schemes using as components KR- secure schemes and the Goldreich-Levin hard-core bit (GL-bit).

Some Previous Work § [D ’ Arco et al. ’ 10] § Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption; § Construction yielding KI-secure schemes using as components KR- secure schemes and the Goldreich-Levin hard-core bit (GL-bit). § [Crampton et al. ’ 10] § New approach to constructing KAS for arbitrary posets using chain partitions. This idea was instantiated using two different cryptographic bases: collision-resistant hash functions and the RSA primitive. Unfortunately, none of these come with a formal security analysis.

In This Work § We propose § A KR-secure scheme under the factoring assumption for totally ordered hierarchies; § The first construction which directly yields schemes provably secure in the sense of KI-ST under the factoring assumption for general posets.

Outline of the Talk ü Hierarchical Key Assignment Schemes ü Definition of Security Notions ü Some Previous Work Ø Cryptographic Assumptions § The factoring Assumption § Security of BBS Generator § Provably Secure KAS under the Factoring Assumption § A KR-secure Scheme § KI-secure Schemes

Cryptographic Assumptions The factoring assumption Let (N,p,q) ß Gen F (1 ρ ), where N=pq, and p and q are ρ -bit primes. For an algorithm A F , its factoring advantage is defined to be Adv fac (1 ρ ) = Pr[(N,p,q) ß Gen F (1 ρ ): A F (N)={p,q}]. GenF,AF The factoring assumption (with respect to Gen F ) states that Adv fac (1 ρ ) is negligible. GenF,AF We will consider two instances of Gen F : Gen Blum (1 ρ ) : p= 3 mod 4, q = 3 mod 4 Gen S (1 ρ ) : p= 1 mod 2 n , q = 3 mod 4

Cryptographic Assumptions The BBS pseudorandom generator Let N be a Blum integer, that is: N=pq, where p = q = 3 mod 4. Let x be a quadratic residue mod N The BBS pseudorandom generator applied to x and modulus N is defined to have output BBS N (x) = (LSB N (x), LSB N (x 2 ), …, LSB N (x 2 l -1 )) є {0,1} l , where LSB N (x) denotes the least significant bit of x.