  # Randomness Dependent Randomness Dependent Message Security g y - PowerPoint PPT Presentation

## Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai Min Chung Rafael Pass Sidharth Telang Public key Encryption Public key Encryption Goal: l (pk,sk) Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m

1. Randomness ‐ Dependent Randomness ‐ Dependent Message Security g y Eleanor Birrell Kai ‐ Min Chung Rafael Pass Sidharth Telang

2. Public key Encryption Public key Encryption • Goal: l (pk,sk) ← Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m Encryption scheme (Gen Enc Dec) Encryption scheme (Gen, Enc, Dec) Formal security: CPA/CCA

3. CPA security CPA security pk m m 1 m m 0 ≈ Enc pk (m 0 ;r) Enc pk (m 1 ;r)

4. CPA security CPA security m 0 m 1 do not m 0 , m 1 do not depend on sk or r pk m m 1 m m 0 ≈ Enc pk (m 0 ;r) Enc pk (m 1 ;r)

5. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some

6. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! sk m secure

7. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! sk m secure • but key dependent messages (KDM) are useful! but key dependent messages (KDM) are useful! practically and theoretically ABBC, CKVW10, G09, BRS02,CL01, BPS08, BHHO08 etc. BRS02,CL01, BPS08, BHHO08 etc. • Intensely studied, lots of work…

8. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! m secure • randomness dependent messages (RDM) randomness dependent messages (RDM) • implicit in MS09, HLW12, BBNRSSY09 • explicit in HO10 explicit in HO10 • much less studied

9. Why RDM? Why RDM? 1) RDM happens! (involuntary attack) r 1 r 2 1 2 correlated! HDWH12 HDWH12

10. Why RDM? Why RDM? 1) RDM happens! (involuntary attack) r 1 r 2 1 2 correlated! m Enc

11. Why RDM? Why RDM? 2) RDM is useful! (voluntary attack) e.g. • MS09, HLW12: 1 ‐ bit CCA2 => many ‐ bit CCA2 • HO10: lossy encryption => inj OW TDF HO10: lossy encryption => inj. OW. TDF.

12. RDM security [HO10] RDM security [HO10] security against any RDM function pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

13. “weak” RDM security weak RDM security f f 0 and f 1 do not d f d t depend on pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r) Hedged Encryption [BBNRSSY09] => weak RDM security

14. RDM security RDM security our focus: f 0 and f f d pk f 1 depend on pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

15. 2 circular RDM security 2 ‐ circular RDM security pk f g:circuits f, g:circuits c 1 = Enc pk (f(r 2 );r 1 ) c 2 = Enc pk (g(r 1, c 1 );r 2 )

16. k circular RDM security k ‐ circular RDM security k=2 k=2 pk f g:circuits f, g:circuits c 1 = Enc pk (f(r 2 );r 1 ) c 1 = Enc pk (0;r 1 ) ≈ c 2 = Enc pk (g(r 1, c 1 );r 2 ) c 2 = Enc pk (0;r 2 )

17. k circular RDM security k ‐ circular RDM security pk f f 0 , g 0 :circuits g :circuits f f 1 , g 1 :circuits i it this work: k ‐ circular RDM security => k i l RDM i c 1 = Enc pk (f 0 (r b );r a ) c 1 = Enc pk (f 1 (r b );r 1 ) RDM security RDM security c 2 = Enc pk (g(r 1, c 1 );r 2 ) c 2 = Enc pk (0;r 2 )

18. Question: Can we get circular RDM, or Q i C i l RDM even RDM security even RDM security i.e. security against any RDM function?

19. Our results Our results “Full” RDM security i.e. security against any RDM function • Impossible in standard model p • => circular RDM impossible too

20. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

21. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 0 (r) = b’ such that f 1 (r) = b’ such that Enc (b’;r) “signals” 0 Enc pk (b ;r) signals 0 Enc (b’;r) “signals” 1 Enc pk (b ;r) signals 1

22. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 0 (r) = b’ such that f 1 (r) = b’ such that Enc (b’;r)’s 1 st bit is 0 Enc pk (b ;r) s 1 st bit is 0 Enc (b’;r)’s 1 st bit is 1 Enc pk (b ;r) s 1 st bit is 1

23. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 1 (r) = b’ such that f 0 (r) = b’ such that Enc (b’;r)’s 1 st bit is 1 Enc pk (b ;r) s 1 st bit is 1 Enc (b’;r)’s 1 st bit is 0 Enc pk (b ;r) s 1 st bit is 0 Use randomness extractor to get signal bit

24. Question: Can we get bounded RDM Question: Can we get bounded R M security? i.e. security against a priori bounded size RDM functions? size RDM functions?

25. Our results Bounded circular RDM security • Theorem 1 : for any poly s, exists transformation s.t. circular secure circular secure any CPA against size s secure Enc RDM functions RDM functions transformation: Enc(m ; preprocess(r) ) transformation: Enc(m ; preprocess(r) ) r needs to be “long” r needs to be long • • We also show : black ‐ box barriers for proving RDM security if r is shorter than m proving RDM security if r is shorter than m

26. Our results Bounded circular RDM security with “short” Bounded circular RDM security with short randomness Theorem 2 : For any poly s Theorem 2 : For any poly s, • • exists scheme that is circular secure against size s RDM functions RDM functions with arbitrary message and randomness length assuming lossy trapdoor function [PW08] assuming lossy trapdoor function [PW08]

27. Thm1: Bounded circular RDM security from Thm1: Bounded circular RDM security from CPA/CCA

28. Thm1: Bounded circular RDM security from Thm1: Bounded circular RDM security from CPA/CCA • View RDM as indirect randomness leakage View RDM as indirect randomness leakage • Idea: use CPA secure (Gen,Enc,Dec) and r “long” enough use CPA secure (Gen,Enc,Dec) and r long enough Enc pk (m ; preprocess(r) ) preprocess: randomness extraction

29. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(seed,r) ) • Seeded extractors don’t work Seeded extractors don t work require seed and source independence! pk, seed f b

30. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(r) ) • need deterministic extraction that works for need deterministic extraction that works for all s ‐ bounded leaked sources pk, extr f b

31. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(r) ) • need deterministic extraction that works for need deterministic extraction that works for all s ‐ bounded leaked sources We show: Deterministic extraction Lemma for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded leaked sources with high min ‐ entropy f b (r),h(r) ≈ f b (r),U

32. We show: Deterministic extraction Lemma for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded leaked sources with high min ‐ entropy f b (r),h(r) ≈ f b (r),U TV00: Deterministic extraction Lemma for bounded samplable sources bounded samplable sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded samplable sources X with for all s bounded samplable sources X with high min ‐ entropy h(X) ≈ U h(X) ≈ U

33. Bounded circular RDM security • For any poly s y p y circular secure circular secure any CPA against size s secure Enc RDM functions RDM functions Enc(m ; hash t wise indep (r) ) Enc(m ; hash t ‐ wise indep (r) ) ‐ In paper : black ‐ box barriers for In paper : black box barriers for proving RDM security on a falsifiable assumption if r is shorter than m is shorter than m

34. Bounded circular RDM security with “short” randomness?

35. Thm2: Bounded circular RDM security with arbitrary message and randomness length with arbitrary message and randomness length from lossy trapdoor function (LTDF)

36. Hedged Encryption [BBNRSSY09] g yp [ ] secure w.r.t. RDM functions don’t depend on pk ‐ from lossy trapdoor functions (LTDF) from lossy trapdoor functions (LTDF) crooked LHL [DS08] k d LHL [DS08] f b r pk For all sources X with high min ‐ entropy with high min entropy Enc and functions with invertible small range f small range f pairwise f(h(X)) ≈ f(U) independent p permutation works only when h X and h are X and h are independent

37. We show: Crooked det. ext. for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, h h ← t i i d h h for all bounded leaked sources X with high min ‐ entropy and functions with small range f d f ti ith ll f f(h(X)) ≈ f(U) f b r pk Enc t ‐ wise independent p h

38. f f b r r pk pk Enc Enc t ‐ wise independent p h permutation ? p Invertible? open problem open problem Almost t ‐ wise doesn’t suffice

39. f f b r r pk pk E Enc’ ’ t ‐ wise independent h Instead we modify scheme so that we don’t need permutation => can use standard polynomial construction, invert with Berlekamp algorithm

More recommend