
Randomness-Dependent Message Security - PowerPoint PPT Presentation

Randomness-Dependent Message Security. Eleanor Birrell, Kai-Min Chung, Rafael Pass, Sidharth Telang. Public-key Encryption. Goal: (pk,sk) ← Gen, c = Enc(pk,m), Dec(sk,c) = m


  1. Randomness-Dependent Message Security. Eleanor Birrell, Kai-Min Chung, Rafael Pass, Sidharth Telang

  2. Public-key Encryption • Goal: (pk,sk) ← Gen, c = Enc(pk,m), Dec(sk,c) = m. Encryption scheme (Gen, Enc, Dec). Formal security: CPA/CCA

  3. CPA security. [Diagram: pk; m_0, m_1] Enc_pk(m_0; r) ≈ Enc_pk(m_1; r)

  4. CPA security. m_0, m_1 do not depend on sk or r. [Diagram: pk; m_0, m_1] Enc_pk(m_0; r) ≈ Enc_pk(m_1; r)

  5. m_0, m_1 do not depend on sk or r. Good for many settings. Not good for some.

  6. m_0, m_1 do not depend on sk or r. Good for many settings. Not good for some. [Diagram: r, sk, m; Enc: CPA secure] All bets are off!

  7. m_0, m_1 do not depend on sk or r. Good for many settings. Not good for some. [Diagram: r, sk, m; Enc: CPA secure] All bets are off! • but key dependent messages (KDM) are useful! practically and theoretically: ABBC, CKVW10, G09, BRS02, CL01, BPS08, BHHO08 etc. • Intensely studied, lots of work…

  8. m_0, m_1 do not depend on sk or r. Good for many settings. Not good for some. [Diagram: r, m; Enc: CPA secure] All bets are off! • randomness dependent messages (RDM) • implicit in MS09, HLW12, BBNRSSY09 • explicit in HO10 • much less studied

  9. Why RDM? 1) RDM happens! (involuntary attack) r_1, r_2 correlated! HDWH12

  10. Why RDM? 1) RDM happens! (involuntary attack) r_1, r_2 correlated! [Diagram: m, Enc]

  11. Why RDM? 2) RDM is useful! (voluntary attack) e.g. • MS09, HLW12: 1-bit CCA2 => many-bit CCA2 • HO10: lossy encryption => inj. OW. TDF.

  12. RDM security [HO10]: security against any RDM function. [Diagram: pk; f_0, f_1: circuits] Enc_pk(f_0(r); r) ≈ Enc_pk(f_1(r); r)

  13. “weak” RDM security: f_0 and f_1 do not depend on pk. [Diagram: f_0, f_1: circuits] Enc_pk(f_0(r); r) ≈ Enc_pk(f_1(r); r). Hedged Encryption [BBNRSSY09] => weak RDM security

  14. RDM security, our focus: f_0 and f_1 depend on pk. [Diagram: f_0, f_1: circuits] Enc_pk(f_0(r); r) ≈ Enc_pk(f_1(r); r)

  15. 2-circular RDM security. [Diagram: pk; f, g: circuits] c_1 = Enc_pk(f(r_2); r_1), c_2 = Enc_pk(g(r_1, c_1); r_2)

  16. k-circular RDM security, k=2. [Diagram: pk; f, g: circuits] (c_1 = Enc_pk(f(r_2); r_1), c_2 = Enc_pk(g(r_1, c_1); r_2)) ≈ (c_1 = Enc_pk(0; r_1), c_2 = Enc_pk(0; r_2))

  17. k-circular RDM security. [Diagram: pk; f_0, g_0: circuits; f_1, g_1: circuits] This work: k-circular RDM security => RDM security. c_1 = Enc_pk(f_0(r_b); r_a), c_1 = Enc_pk(f_1(r_b); r_1), c_2 = Enc_pk(g(r_1, c_1); r_2), c_2 = Enc_pk(0; r_2)

  18. Question: Can we get circular RDM, or even RDM security, i.e. security against any RDM function?

  19. Our results: “Full” RDM security, i.e. security against any RDM function • Impossible in standard model • => circular RDM impossible too

  20. “Full” RDM is impossible. [Diagram: pk; f_0, f_1: circuits] Enc_pk(f_0(r); r), Enc_pk(f_1(r); r)

  21. “Full” RDM is impossible. [Diagram: pk; f_0, f_1: circuits] f_0(r) = b’ such that Enc_pk(b’; r) “signals” 0; f_1(r) = b’ such that Enc_pk(b’; r) “signals” 1

  22. “Full” RDM is impossible. [Diagram: pk; f_0, f_1: circuits] f_0(r) = b’ such that Enc_pk(b’; r)’s 1st bit is 0; f_1(r) = b’ such that Enc_pk(b’; r)’s 1st bit is 1

  23. “Full” RDM is impossible. [Diagram: pk; f_0, f_1: circuits] f_0(r) = b’ such that Enc_pk(b’; r)’s 1st bit is 0; f_1(r) = b’ such that Enc_pk(b’; r)’s 1st bit is 1. Use randomness extractor to get signal bit

  24. Question: Can we get bounded RDM security? i.e. security against a priori bounded size RDM functions?

  25. Our results: Bounded circular RDM security • Theorem 1: for any poly s, exists transformation s.t. any CPA secure Enc => circular secure against size s RDM functions. Transformation: Enc(m; preprocess(r)) • r needs to be “long” • We also show: black-box barriers for proving RDM security if r is shorter than m

  26. Our results: Bounded circular RDM security with “short” randomness • Theorem 2: For any poly s, exists scheme that is circular secure against size s RDM functions with arbitrary message and randomness length, assuming lossy trapdoor function [PW08]

  27. Thm1: Bounded circular RDM security from CPA/CCA

  28. Thm1: Bounded circular RDM security from CPA/CCA • View RDM as indirect randomness leakage • Idea: use CPA secure (Gen,Enc,Dec) and r “long” enough: Enc_pk(m; preprocess(r)); preprocess: randomness extraction

  29. f_b: s-bounded leakage function; r|f_b(r): s-“bounded leaked source”. Enc_pk(m; extr(seed, r)) • Seeded extractors don’t work: require seed and source independence! [Diagram: pk, seed, f_b]

  30. f_b: s-bounded leakage function; r|f_b(r): s-“bounded leaked source”. Enc_pk(m; extr(r)) • need deterministic extraction that works for all s-bounded leaked sources [Diagram: pk, extr, f_b]

  31. f_b: s-bounded leakage function; r|f_b(r): s-“bounded leaked source”. Enc_pk(m; extr(r)) • need deterministic extraction that works for all s-bounded leaked sources. We show: Deterministic extraction Lemma for bounded leaked sources: w.h.p. h ← t-wise ind. hash, for all s-bounded leaked sources with high min-entropy, (f_b(r), h(r)) ≈ (f_b(r), U)

  32. We show: Deterministic extraction Lemma for bounded leaked sources: w.h.p. h ← t-wise ind. hash, for all s-bounded leaked sources with high min-entropy, (f_b(r), h(r)) ≈ (f_b(r), U). TV00: Deterministic extraction Lemma for bounded samplable sources: w.h.p. h ← t-wise ind. hash, for all s-bounded samplable sources X with high min-entropy, h(X) ≈ U

  33. Bounded circular RDM security • For any poly s: any CPA secure Enc => circular secure against size s RDM functions, via Enc(m; hash_{t-wise indep}(r)). In paper: black-box barriers for proving RDM security on a falsifiable assumption if r is shorter than m

  34. Bounded circular RDM security with “short” randomness?

  35. Thm2: Bounded circular RDM security with arbitrary message and randomness length from lossy trapdoor function (LTDF)

  36. Hedged Encryption [BBNRSSY09]: secure w.r.t. RDM functions that don’t depend on pk - from lossy trapdoor functions (LTDF). Crooked LHL [DS08]: for all sources X with high min-entropy and functions f with small range, f(h(X)) ≈ f(U); works only when X and h are independent. [Diagram: f_b, r, pk, Enc; h: invertible pairwise independent permutation]

  37. We show: Crooked det. ext. for bounded leaked sources: w.h.p. h ← t-wise ind. hash, for all bounded leaked sources X with high min-entropy and functions f with small range, f(h(X)) ≈ f(U). [Diagram: f_b, r, pk, Enc; h: t-wise independent]

  38. [Diagram: f_b, r, pk, Enc; h: t-wise independent permutation?] Invertible? Open problem. Almost t-wise doesn’t suffice

  39. [Diagram: f_b, r, pk, Enc’; h: t-wise independent] Instead we modify scheme so that we don’t need permutation => can use standard polynomial construction, invert with Berlekamp algorithm
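
The argument of slides 20-23 and the Enc(m; h(r)) transformation of slide 33, as an added Python simulation that is not part of the original slides. The toy hashed-ElGamal-style scheme, its parameters, the hash used as the signal extractor, and all function names are assumptions made for illustration. The function f here is unrestricted and can evaluate h itself, so the signal bit still leaks from the transformed scheme, consistent with slide 19; Theorem 1 only covers f of bounded size s.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3   # toy group parameters (assumed for illustration, not a secure choice)

def H(*parts):
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()

def gen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, m, r):
    """Toy hashed-ElGamal-style Enc_pk(m; r) for a 32-bit integer m."""
    pad = int.from_bytes(H(pow(pk, r, P))[:4], "big")
    return pow(G, r, P), m ^ pad

def dec(sk, c):
    return c[1] ^ int.from_bytes(H(pow(c[0], sk, P))[:4], "big")

def poly_hash(t):
    """Polynomial construction: degree-(t-1) polynomial over GF(P), t random coefficients."""
    coeffs = [secrets.randbelow(P) for _ in range(t)]
    def h(r):
        acc = 0
        for a in reversed(coeffs):      # Horner evaluation
            acc = (acc * r + a) % P
        return acc
    return h

def transform(h):
    """The Enc(m; h(r)) transformation from slide 33."""
    return lambda pk, m, r: enc(pk, m, h(r))

def signal(c):
    """Signal bit of a ciphertext; a hash stands in for the extractor of slide 23."""
    return H(*c)[0] & 1

def f(pk, b, r, encrypt):
    """RDM function f_b: a message b' such that Enc_pk(b'; r) signals b."""
    return next((m for m in range(256) if signal(encrypt(pk, m, r)) == b), 0)

def guess_rate(pk, encrypt, rdm=True, trials=300):
    """How often reading the signal bit of the challenge ciphertext recovers b."""
    hits = 0
    for _ in range(trials):
        b, r = secrets.randbelow(2), secrets.randbelow(P - 2) + 1
        m = f(pk, b, r, encrypt) if rdm else secrets.randbelow(256)
        hits += signal(encrypt(pk, m, r)) == b
    return hits / trials
```

With `rdm=False` the message is chosen independently of r, as in the CPA game of slide 4, and the guess rate stays near one half.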
