Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London

Provably Secure Key Assignment Schemes from Factoring

slide-2
SLIDE 2

Outline of the Talk

Ø Hierarchical Key Assignment Schemes § Definition of Security Notions § Some Previous Work § Cryptographic Assumptions

§ The Factoring Assumption § Security of BBS Generator

§ Provably Secure KAS under the Factoring

Assumption

§ A KR-secure Scheme § KI-secure Schemes

slide-3
SLIDE 3

Hierarchical Key Assignment Schemes

- Method for implementing access control policies where some users have more access rights than others
- These schemes can be useful for:
  - Content distribution
  - Management of databases containing sensitive information
  - Government communications
  - Broadcast services (such as cable TV)

slide-4
SLIDE 4

Hierarchical Key Assignment Schemes

An access control policy can be represented by a directed graph $G=(V,E)$, also called a poset.

[Figure: example hierarchy with classes a, b, c, d, e, f, and an edge from a class u to a class v]

- $V$: set of disjoint classes, called security classes
- Edge $(u,v) \in E$: users in class $u$ have access to data in class $v$, represented by $v \leq u$.

Any class should be able to access the secret data of all its successors in the hierarchy. Any set of classes should NOT be able to access data of any class that is not a successor of any class in the set.

slide-5
SLIDE 5

Hierarchical Key Assignment Schemes

Solution: assign an encryption key and some private information to each class in the graph (hierarchy), as well as some public information.

[Figure: the hierarchy with classes a to f, each class $x$ labelled with its pair $(k_x, S_x)$, together with the public information Pub]

Private information + public info will be used to generate encryption keys.

slide-6
SLIDE 6

Hierarchical Key Assignment Schemes

A key assignment scheme is a pair of algorithms (Gen, Derive):

$(S, k, pub) \leftarrow \mathrm{Gen}(1^\rho, G)$

- $S$ is the set of private information
- $k$ is the set of keys
- $pub$ is the public information

$k_v \leftarrow \mathrm{Derive}(1^\rho, G, pub, u, v, S_u)$ for each class $v \in V$ such that $v \leq u$, where $S_u$ is the private information assigned to class $u$ and $k_v$ is the key assigned to class $v$.

slide-7
SLIDE 7

Outline of the Talk

ü Hierarchical Key Assignment Schemes Ø Definition of Security Notions § Some Previous Work § Cryptographic Assumptions

§ The factoring Assumption § Security of BBS Generator

§ Provably Secure KAS under the Factoring

Assumption

§ A KR-secure Scheme § KI-secure Schemes

slide-8
SLIDE 8

Definition of Security Notions

- Types of Adversaries
  - Static Adversary
  - Dynamic Adversary
- Security Goals [Atallah et al.]
  - Key Recovery
  - Key Indistinguishability

slide-9
SLIDE 9

Types of Adversaries

Static Adversary

The adversary first chooses a class $u \in V$ to attack and is then allowed to access the private information assigned to all classes $v \in V$ such that $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{stat}$: "I want to attack u"]

slide-10
SLIDE 10

Types of Adversaries

Static Adversary

The adversary first chooses a class $u \in V$ to attack and is then allowed to access the private information assigned to all classes $v \in V$ such that $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{stat}$: "I want to attack u", then "Now I want $S_b, S_d, S_e, S_f$"]

slide-11
SLIDE 11

Types of Adversaries

Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this, the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{dyn}$ receives Pub]

slide-12
SLIDE 12

Types of Adversaries

Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this, the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{dyn}$: "I want $S_b, S_d, S_e$"]

slide-13
SLIDE 13

Types of Adversaries

Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this, the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{dyn}$: "I want $S_b, S_d, S_e$", then "Now I want to attack u"]

slide-14
SLIDE 14

Types of Adversaries

Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this, the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{dyn}$: "I want $S_b, S_d, S_e$", then "Now I want to attack u", then "Now I want $S_f$"]

slide-15
SLIDE 15

Types of Adversaries

Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this, the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: hierarchy with classes u, a, b, d, e, f. $A_{dyn}$: "I want $S_b, S_d, S_e$", then "Now I want to attack u", then "Now I want $S_f$"]

Ateniese et al.: static and dynamic adversaries are polynomially equivalent.

slide-16
SLIDE 16

Security Goals by Atallah et al.

- Security w.r.t. Key Recovery (KR): an adversary is not able to compute a key to which it should not have access.
- Security w.r.t. Key Indistinguishability (KI): an adversary is not able to distinguish between a real key that it should not have access to and a random string of the same length.

slide-17
SLIDE 17

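Security Goals

Key Recovery (KR-ST)

Experiment $\mathrm{Exp}^{\mathrm{KR\text{-}ST}}_{A}(1^\rho, G)$:

  $u \leftarrow A(1^\rho, G)$
  $(S, k, pub) \leftarrow \mathrm{Gen}(1^\rho, G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $k'_u \leftarrow A(1^\rho, G, pub, corr)$
  return $k'_u$

The advantage of $A$ is defined to be

$$\mathrm{Adv}^{\mathrm{KR\text{-}ST}}_{A}(1^\rho, G) = \Pr[k'_u = k_u].$$

The scheme is said to be secure if $\mathrm{Adv}^{\mathrm{KR\text{-}ST}}_{A}(1^\rho, G)$ is negligible.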

slide-18
SLIDE 18

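Security Goals

Key Indistinguishability (KI-ST)

Experiment $\mathrm{Exp}^{\mathrm{KI\text{-}ST\text{-}1}}_{A}(1^\rho, G)$:

  $u \leftarrow A(1^\rho, G)$
  $(S, k, pub) \leftarrow \mathrm{Gen}(1^\rho, G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $k'_u \leftarrow A(1^\rho, G, pub, corr, k_u)$
  return $b'$

Experiment $\mathrm{Exp}^{\mathrm{KI\text{-}ST\text{-}0}}_{A}(1^\rho, G)$:

  $u \leftarrow A(1^\rho, G)$
  $(S, k, pub) \leftarrow \mathrm{Gen}(1^\rho, G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $r \leftarrow \{0,1\}^\rho$
  $k'_u \leftarrow A(1^\rho, G, pub, corr, r)$
  return $b'$

The advantage of $A$ is defined to be

$$\mathrm{Adv}^{\mathrm{KI\text{-}ST}}_{A}(1^\rho, G) = \left|\Pr[\mathrm{Exp}^{\mathrm{KI\text{-}ST\text{-}1}}_{A}(1^\rho, G) = 1] - \Pr[\mathrm{Exp}^{\mathrm{KI\text{-}ST\text{-}0}}_{A}(1^\rho, G) = 1]\right|.$$

The scheme is said to be secure if $\mathrm{Adv}^{\mathrm{KI\text{-}ST}}_{A}(1^\rho, G)$ is negligible.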

slide-19
SLIDE 19

Outline of the Talk

ü Hierarchical Key Assignment Schemes ü Definition of Security Notions Ø Some Previous Work § Cryptographic Assumptions

§ The factoring Assumption § Security of BBS Generator

§ Provably Secure KAS under the Factoring

Assumption

§ A KR-secure Scheme § KI-secure Schemes

slide-20
SLIDE 20

Some Previous Work

- [Atallah et al. '06]
  - KR-secure schemes based on pseudorandom functions;
  - KI-secure schemes based on any CCA-secure symmetric encryption;
- [Ateniese et al. '06]
  - KI-secure schemes under the BDDH assumption;
  - KI-secure schemes based on the OW-CPA security of a symmetric encryption scheme;

slide-21
SLIDE 21

Some Previous Work

- [D'Arco et al. '10]
  - Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption;
  - Construction yielding KI-secure schemes using as components KR-secure schemes and the Goldreich-Levin hard-core bit (GL-bit).

slide-22
SLIDE 22

Some Previous Work

- [D'Arco et al. '10]
  - Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption;
  - Construction yielding KI-secure schemes using as components KR-secure schemes and the Goldreich-Levin hard-core bit (GL-bit).
- [Crampton et al. '10]
  - New approach to constructing KAS for arbitrary posets using chain partitions. This idea was instantiated using two different cryptographic bases: collision-resistant hash functions and the RSA primitive. Unfortunately, none of these come with a formal security analysis.

slide-23
SLIDE 23

In This Work

- We propose
  - A KR-secure scheme under the factoring assumption for totally ordered hierarchies;
  - The first construction which directly yields schemes provably secure in the sense of KI-ST under the factoring assumption for general posets.

slide-24
SLIDE 24

Outline of the Talk

ü Hierarchical Key Assignment Schemes ü Definition of Security Notions ü Some Previous Work Ø Cryptographic Assumptions

§ The factoring Assumption § Security of BBS Generator

§ Provably Secure KAS under the Factoring

Assumption

§ A KR-secure Scheme § KI-secure Schemes

slide-25
SLIDE 25

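Cryptographic Assumptions

The factoring assumption

Let $(N, p, q) \leftarrow \mathrm{GenF}(1^\rho)$, where $N = pq$, and $p$ and $q$ are $\rho$-bit primes. For an algorithm $A_F$, its factoring advantage is defined to be

$$\mathrm{Adv}^{\mathrm{fac}}_{\mathrm{GenF},A_F}(1^\rho) = \Pr[(N, p, q) \leftarrow \mathrm{GenF}(1^\rho) : A_F(N) = \{p, q\}].$$

The factoring assumption (with respect to GenF) states that $\mathrm{Adv}^{\mathrm{fac}}_{\mathrm{GenF},A_F}(1^\rho)$ is negligible. We will consider two instances of GenF:

- $\mathrm{GenBlum}(1^\rho)$: $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$
- $\mathrm{GenS}(1^\rho)$: $p \equiv 1 \pmod{2^n}$, $q \equiv 3 \pmod 4$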

slide-26
SLIDE 26

Cryptographic Assumptions

The BBS pseudorandom generator

Let $N$ be a Blum integer, that is: $N = pq$, where $p \equiv q \equiv 3 \pmod 4$. Let $x$ be a quadratic residue mod $N$. The BBS pseudorandom generator applied to $x$ and modulus $N$ is defined to have output

$$\mathrm{BBS}_N(x) = \left(\mathrm{LSB}_N(x), \mathrm{LSB}_N(x^2), \ldots, \mathrm{LSB}_N(x^{2^{l-1}})\right) \in \{0,1\}^l,$$

where $\mathrm{LSB}_N(x)$ denotes the least significant bit of $x$.

slide-27
SLIDE 27

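Cryptographic Assumptions

Security of BBS generator

Let $D$ be a distinguisher.

Experiment $\mathrm{Exp}^{\mathrm{BBS\text{-}1}}_{D}(1^\rho)$:

  $x, N \leftarrow \mathrm{Gen}(1^\rho)$
  $d \leftarrow D(N, z = x^{2^l} \bmod N, \mathrm{BBS}_N(x))$
  return $b'$

Experiment $\mathrm{Exp}^{\mathrm{BBS\text{-}0}}_{D}(1^\rho)$:

  $x, N \leftarrow \mathrm{Gen}(1^\rho)$
  $r \leftarrow \{0,1\}^l$
  $d \leftarrow D(N, z = x^{2^l} \bmod N, r)$
  return $b'$

The advantage of $D$ is defined to be

$$\mathrm{Adv}^{\mathrm{BBS}}_{D}(1^\rho) = \left|\Pr[\mathrm{Exp}^{\mathrm{BBS\text{-}1}}_{D}(1^\rho) = 1] - \Pr[\mathrm{Exp}^{\mathrm{BBS\text{-}0}}_{D}(1^\rho) = 1]\right|.$$

The BBS generator is secure if $\mathrm{Adv}^{\mathrm{BBS}}_{D}(1^\rho)$ is negligible for any PPT $D$.

BBS distinguisher ⇒ factoring algorithm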

slide-29
SLIDE 29

Outline of the Talk

ü Hierarchical Key Assignment Schemes ü Definition of Security Notions ü Some Previous Work ü Cryptographic Assumptions

ü The factoring Assumption ü Security of BBS Generator

Ø Provably Secure KAS under the Factoring

Assumption

§ A KR-secure Scheme § KI-secure Schemes

slide-30
SLIDE 30

Provably Secure KAS

A Basic Scheme

Let $G=(V,E)$ be a directed graph, where $V=\{u_0, \ldots, u_{n-1}\}$ and $u_{i+1} < u_i$ for all $i$.

Algorithm $\mathrm{Gen}(1^\rho, G)$:

1. Run $\mathrm{GenS}(1^\rho)$ to obtain two $\rho$-bit primes $p \equiv 1 \pmod{2^n}$ and $q \equiv 3 \pmod 4$, and compute $N = pq$
2. Let $pub = N$ be the public information
3. Randomly choose a secret value $\gamma$ from $\mathbb{Z}_N^*$
4. For each class $u_i \in V$, set $k_{u_i} = S_{u_i} = \gamma^{2^i} \bmod N$
5. Let $S$ and $k$ be the sets of private info and keys
6. Output $(S, k, pub)$

Algorithm $\mathrm{Derive}(G, pub, u_i, u_j, k_{u_i})$:

1. For $j > i$, compute $k_{u_j} = (k_{u_i})^{2^{j-i}} \bmod N$
2. Output $k_{u_j}$

[Figure: chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$, with class $u_i$ labelled $k_{u_i} = \gamma^{2^i} \bmod N$, from $k_{u_0} = \gamma \bmod N$ down to $k_{u_{n-1}} = \gamma^{2^{n-1}} \bmod N$]

slide-31
SLIDE 31

Provably Secure KAS

KR-Security of the Basic Scheme

[Figure: chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$, with class $u_i$ labelled $S_{u_i} = k_{u_i} = \gamma^{2^i} \bmod N$. $A_{stat}$: "I want to attack $u_i$"]

slide-32
SLIDE 32

Provably Secure KAS

KR-Security of the Basic Scheme

[Figure: chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$, with class $u_i$ labelled $S_{u_i} = k_{u_i} = \gamma^{2^i} \bmod N$. $A_{stat}$: "I want to attack $u_i$", then "Now I want $S_{u_{i+1}}, \ldots, S_{u_{n-1}}$"]

slide-33
SLIDE 33

Provably Secure KAS

KR-Security of the Basic Scheme

Theorem: Assume the factoring assumption relative to GenS holds. Then our basic scheme is KR-ST secure.

[Figure: chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$, with class $u_i$ labelled $S_{u_i} = k_{u_i} = \gamma^{2^i} \bmod N$. $A_{stat}$: "I want to attack $u_i$", then "Now I want $S_{u_{i+1}}, \ldots, S_{u_{n-1}}$", then "I output $k'_{u_i}$"]

$$\mathrm{Adv}^{\mathrm{KR\text{-}ST}}_{A_{stat}}(1^\rho, G) = \mathrm{Adv}^{\mathrm{fac}}_{\mathrm{GenS},A_F}(1^\rho)$$

slide-34
SLIDE 34

Provably Secure KAS

KR-Security of the Basic Scheme

àTight reduction to factoring in the KR-ST security model

Why p = 1 mod 2n and q = 3 mod 4? p ≠ 1 mod 2n and q = 3 mod 4?

à Reduction from the higher quadratic residuosity assumption

p =3 mod 4 and q = 3 mod 4?

à Reduction from the standard quadratic residuosity assumption

slide-35
SLIDE 35

Provably Secure KAS

The FP Scheme (1 chain)

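Primes $p \equiv q \equiv 3 \pmod 4$ from $\mathrm{GenBlum}(1^\rho)$; $\gamma \leftarrow QR_N$; $S_{u_i} = \gamma^{2^{il}} \bmod N$; $k_{u_i} = \mathrm{BBS}_N(S_{u_i})$.

[Figure: chain $u_0, u_1, u_2, \ldots, u_{n-1}$ labelled with the keys below]

- $k_{u_0} = \mathrm{BBS}_N(\gamma) = \left(\mathrm{LSB}_N(\gamma), \mathrm{LSB}_N(\gamma^2), \ldots, \mathrm{LSB}_N(\gamma^{2^{l-1}})\right)$
- $k_{u_1} = \mathrm{BBS}_N(\gamma^{2^{l}})$
- $k_{u_2} = \mathrm{BBS}_N(\gamma^{2^{2l}})$
- $k_{u_{n-1}} = \mathrm{BBS}_N(\gamma^{2^{(n-1)l}})$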

slide-36
SLIDE 36

Provably Secure KAS

The FP Scheme (General Posets)

We build on ideas from Crampton et al. to construct our FP scheme.

Dilworth's theorem: Every poset $(V, \leq)$ can be partitioned into $w$ chains, where $w$ is the width of $V$.

Let $P=(V,E)$ be a directed graph and consider a security parameter $\rho$.

Algorithm $\mathrm{Gen}(1^\rho, P)$:

1. Obtain primes $p \equiv q \equiv 3 \pmod 4$ from $\mathrm{GenBlum}(1^\rho)$
2. Select a chain partition of $V$ into $w$ chains $C_0, \ldots, C_{w-1}$, where $C_i$ has length $l_i$.

[Figure: a set $V$ of twelve classes a to l, and a partition of $V$ into four chains $C_0, C_1, C_2, C_3$, with the classes of chain $C_i$ relabelled $u^i_0, u^i_1, \ldots$]

slide-37
SLIDE 37

Provably Secure KAS

The FP Scheme (General Posets)

Algorithm $\mathrm{Gen}(1^\rho, P)$:

3. Select $w$ values $\gamma_0, \ldots, \gamma_{w-1}$ at random from $QR_N$
4. For each $u^i_j \in V$, $0 \leq j < l_i$, compute $T_{u^i_j} = \gamma_i^{2^{jl}} \bmod N$

[Figure: the set $V$ of classes a to l and its partition into chains $C_0, C_1, C_2, C_3$, with the values $\gamma_0, \gamma_1, \gamma_2, \gamma_3$ assigned to the four chains]

slide-38
SLIDE 38

Provably Secure KAS

The FP Scheme (General Posets)

Algorithm $\mathrm{Gen}(1^\rho, P)$:

5. For each $u \in V$, define the private information $S_u$ to be $\{T_{\hat{u}_i} : 0 \leq i \leq w-1\}$, where $\hat{u}_i$ is the maximal class in $\downarrow u \cap C_i$, and the encryption key $k_u$ to be $\mathrm{BBS}_N(T_u)$.

[Figure: the set $V$ of classes a to l and its partition into chains $C_0, C_1, C_2, C_3$, annotated for class e:]

- $T_e = T_{u^1_1} = \gamma_1^{2^{l}} \bmod N$
- $T_{u^3_0} = \gamma_3 \bmod N$
- $S_e = \{T_{u^1_1}, T_{u^3_0}\}$
- $k_e = \mathrm{BBS}_N(T_e)$

slide-39
SLIDE 39

Provably Secure KAS

The FP Scheme (General Posets)

Algorithm $\mathrm{Gen}(1^\rho, P)$:

5. For each $u \in V$, define the private information $S_u$ to be $\{T_{\hat{u}_i} : 0 \leq i \leq w-1\}$, where $\hat{u}_i$ is the maximal class in $\downarrow u \cap C_i$, and the encryption key $k_u$ to be $\mathrm{BBS}_N(T_u)$.

[Figure: the set $V$ of classes a to l and its partition into chains $C_0, C_1, C_2, C_3$, annotated for class e:]

- $T_e = T_{u^1_1} = \gamma_1^{2^{l}} \bmod N$
- $T_h = T_{u^3_0} = \gamma_3 \bmod N$
- $S_e = \{T_e, T_h\}$
- $k_e = \mathrm{BBS}_N(T_e)$

slide-40
SLIDE 40

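Provably Secure KAS

The FP Scheme (General Posets)

Algorithm Derive:

[Figure: the partition of $V$ into chains $C_0, C_1, C_2, C_3$, annotated for class $u^1_1$ deriving the key of class $u^3_2$:]

- $S_{u^1_1} = \{T_{u^1_1}, T_{u^3_0}\}$
- $T_{u^3_2} = (T_{u^3_0})^{2^{2l}} \bmod N$
- $k_{u^3_2} = \mathrm{BBS}_N(T_{u^3_2})$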
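The Gen and Derive algorithms of the FP scheme for general posets, written out as an added example (not code from the original slides or from the authors). The toy Blum primes 499 and 547, the key length of 16 bits, the four-class poset with its chain partition, and all function names are constructed for illustration.

```python
import math, secrets

# Constructed toy parameters: Blum primes far too small for real use.
P_BLUM, Q_BLUM = 499, 547          # both are 3 mod 4
N = P_BLUM * Q_BLUM                # pub = N
ELL = 16                           # BBS output length l in bits (assumed value)

# Constructed poset: a > b > d and a > c > d. DOWN[u] = all classes v with v <= u.
DOWN = {"a": {"a", "b", "c", "d"}, "b": {"b", "d"}, "c": {"c", "d"}, "d": {"d"}}
CHAINS = [["a", "b", "d"], ["c"]]  # chain partition, each chain listed top-down

def square(t, times):
    for _ in range(times):
        t = t * t % N
    return t

def bbs(x):
    """BBS_N(x) = (LSB(x), LSB(x^2), ..., LSB(x^(2^(l-1))))."""
    return tuple(square(x, j) & 1 for j in range(ELL))

def gen():
    T = {}
    for chain in CHAINS:
        r = secrets.randbelow(N - 2) + 2
        while math.gcd(r, N) != 1:
            r = secrets.randbelow(N - 2) + 2
        gamma = r * r % N                      # random element of QR_N
        for j, u in enumerate(chain):
            T[u] = square(gamma, j * ELL)      # T_{u_j} = gamma^(2^(j*l)) mod N
    S = {}
    for u in DOWN:
        S[u] = {}
        for i, chain in enumerate(CHAINS):
            for j, v in enumerate(chain):      # first hit = maximal class in (down-set of u) ∩ C_i
                if v in DOWN[u]:
                    S[u][i] = (j, T[v])
                    break
    k = {u: bbs(T[u]) for u in DOWN}
    return S, k, N

def derive(S_u, v):
    """Return k_v from S_u, or None when S_u holds no value at or above v in v's chain."""
    i, j = next((i, c.index(v)) for i, c in enumerate(CHAINS) if v in c)
    if i not in S_u or S_u[i][0] > j:
        return None
    j0, t = S_u[i]
    return bbs(square(t, (j - j0) * ELL))
```

The `None` return is a convenience of this example: the scheme's access control comes from which values $S_u$ contains, since moving up a chain would require extracting square roots modulo $N$.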

slide-43
SLIDE 43

Provably Secure KAS

KI-Security of the FP Scheme

[Figure: the poset with classes a to l partitioned into chains $C_0, C_1, C_2, C_3$. $A_{stat}$: "I want to attack e"]

slide-44
SLIDE 44

Provably Secure KAS

KI-Security of the FP Scheme

[Figure: the poset with classes a to l partitioned into chains $C_0, C_1, C_2, C_3$. $A_{stat}$: "I want to attack e", then "Now I want $S_d, S_g, S_h, S_f, S_i, \ldots$"]

slide-45
SLIDE 45

Provably Secure KAS

KI-Security of the FP Scheme

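[Figure: the poset with classes a to l partitioned into chains $C_0, C_1, C_2, C_3$. $A_{stat}$: "I want to attack e", then "Now I want $S_d, S_g, S_h, S_f, S_i, \ldots$", then "I receive a value V"]

Challenger picks $b$:

- $b=0$ → $V = k_e$
- $b=1$ → $V$ = random value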

slide-46
SLIDE 46

Provably Secure KAS

KI-Security of the FP Scheme

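Assuming the factoring assumption relative to GenBlum holds, the FP scheme is KI-ST secure.

[Figure: the poset with classes a to l partitioned into chains $C_0, C_1, C_2, C_3$. $A_{stat}$: "I want to attack e", then "Now I want $S_d, S_g, S_h, S_f, S_i, \ldots$", then "I receive a value V", then "I output $b'$"]

Challenger picks $b$:

- $b=0$ → $V = k_e$
- $b=1$ → $V$ = random value

$$\mathrm{Adv}^{\mathrm{KI\text{-}ST}}_{A_{stat}}(1^\rho, P) = \mathrm{Adv}^{\mathrm{BBS}}_{D}(1^\rho)$$

BBS distinguisher ⇒ factoring algorithm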

slide-47
SLIDE 47

Final Remarks

- Characteristics of the FP scheme:
  - Direct construction;
  - Small public info;
  - At most $w$ private values per node;
  - Efficient derivation: repeated squarings modulo $N$.

slide-48
SLIDE 48

THANKS!