Statistical Zero-Knowledge Arguments from One

On the (Im)Possibility of Key Dependent Encryption
Iftach Haitner, Microsoft Research
Thomas Holenstein, Princeton University
August 04, 2009
Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Two (impossibility) results
– On fully-black-box reductions from KDM security to TDP
– On strongly-black-box reductions from KDM security to “any” hardness assumption
Key Dependent Message Security
An encryption scheme (Enc,Dec) is KDM secure, if for any efficient A:
[Diagram: the Challenger samples $k \leftarrow \{0,1\}^n$; A sends query functions $h_1, h_2, \ldots$ with $h_i:\{0,1\}^n \to \{0,1\}^m$ and receives either $\mathrm{Enc}_k(h_1(k)), \mathrm{Enc}_k(h_2(k)), \ldots$ or $\mathrm{Enc}_k(U_m), \mathrm{Enc}_k(U_m), \ldots$; the two views are $\approx_C$]
Weak Security: A cannot find k
What class of query functions (e.g., h) should be considered?
In most settings, we should consider any (efficient) function
Feasibility Results
• Limited output length functions:
– [Hofheinz-Unruh ‘08] based on any PKE
• Family of affine functions:
– [Boneh-Halevi-Hamburg-Ostrovsky ‘08] based on DDH
– [Applebaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE
• Efficient functions
– [Gentry ‘09] based on the self reference security of [Gentry ‘09]
• Any function
– [Black-Rogaway-Shrimpton ‘02] based on Random Oracle
Our Impossibility Results (informal)
It is impossible to construct (via black-box techniques) KDM encryption scheme that is secure against
• the family of poly-wise independent hash functions, based on OWF
– extends to TDP
• any function, based on “any assumption”
• We focus on the private key setting
• Hold also for the “many PK keys” setting
Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reduction from KDM security to “any” hardness assumption
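Fully-Black-Box Reduction from KDM security to OWF
Black-box construction: (Enc,Dec) from OWF
Black-box proof of security: Adversary for breaking KDM $\Rightarrow$ Inverter for breaking OWF
[Diagram: Inverter for OWF, with access to the Adversary for KDM and to the OWF]
Black-box proof of security
[Diagram: A breaks the KDM security of $(\mathrm{Enc}^{\pi},\mathrm{Dec}^{\pi})$; R, given $y \leftarrow \{0,1\}^n$ and access to A and to the OWF $\pi$, outputs $x \in \pi^{-1}(y)$]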
Impossibility Result for OWF Based Schemes
There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions
More formally:
Let $(\mathrm{Enc}^{()},\mathrm{Dec}^{()})$ be a OWF based encryption scheme, and let $v(n) = |\mathrm{Enc}^{()}(M)|$, for $M \in \{0,1\}^{2n}$.
Then $(\mathrm{Enc}^{()},\mathrm{Dec}^{()})$ cannot be proved (in a black-box way) to be KDM-secure against $H_{v(n)+n}$, a family of $(v(n)+n)$-independent hash functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$
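Our adversary
1) Select $h \leftarrow H_{v(n)+n}$
2) On input C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
[Diagram: R, given $y \leftarrow \{0,1\}^n$, interacts with A ($1^n$, h, c, k) and with the OWF $\pi$, and outputs $x \in \pi^{-1}(y)$]
1. A breaks the (weak) KDM security of $(\mathrm{Enc}^{\pi},\mathrm{Dec}^{\pi})$
2. $\pi$ is hard to invert in the presence of A.
Proof: à la [Simon ‘98] / [Gennaro-Trevisan ‘01, H-Hoch-Reingold-Segev ‘07]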
Outline
• Define Key Dependent Message (KDM) secure encryption scheme
• Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reductions from KDM security to “any” hardness assumption
Strongly Black-Box Reduction from KDM security to $\Gamma$
Let $\Gamma$ be a cryptographic assumption (e.g., factoring is hard)
Arbitrary construction
Black-box proof of security.
• The query function h is treated as a black box
[Diagram: Adversary for $\Gamma$, with access to the Adversary for KDM]
Strongly Black-box proof of security
A breaks the KDM security of (Enc,Dec)
[Diagram: A exchanges $1^n$, h, c, k with R, where R is for breaking $\Gamma$; example $\Gamma$: “Factoring is hard”, with $n = pq$ and output $p,q$]
1. h is only accessed via its input/output interface
2. Access to h is not given to a “third party”
Impossibility Result for Strongly Black-Box Reductions
Assume that there exists a strongly-black-box reduction from KDM encryption scheme to $\Gamma$, which is secure against $O_n$, the family of random functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$.
Then $\Gamma$ can be broken unconditionally
Our Adversary
1) Select $h \leftarrow O_n$
2) On query C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
[Diagram: A breaks the KDM security of (Enc,Dec); R interacts with A and with $\Gamma$; A outputs k]
1. A breaks the (weak) KDM security of (Enc,Dec)
2. $R^{A,\Gamma}$ can be efficiently emulated
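The Emulation
[Diagram: R interacts with the emulated A ($1^n$, $h \leftarrow O_n$) and with $\Gamma$; R queries $x_1, x_2, \ldots$ and receives $h(x_1), h(x_2), \ldots$; on query c, A returns k]
1. Answer to $h(x_i)$ with a random $y_i \in \{0,1\}^{2n}$ (while keeping consistency)
2. On query C, return (the first) $x_i$ s.t. $\mathrm{Dec}_{x_i}(C) = y_i$
Proof Idea: the probability that $h(k) = \mathrm{Dec}_k(C)$ for non-queried k is $2^{-2n}$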
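The emulation above as a runnable sketch (an added example, not code from the talk): h is sampled lazily, and the key search only looks at points R has queried. The SHAKE-based toy scheme, the parameter N = 16, and the names EmulatedA, unbounded_find_key and demo are assumptions made for illustration.

```python
import hashlib
import secrets

N = 16                  # toy key length n in bits (assumption; the slides keep n general)
MSG_BYTES = 2 * N // 8  # h maps {0,1}^n to {0,1}^{2n}

def _pad(k: int, nonce: bytes) -> bytes:
    # Constructed toy keystream; stands in for an arbitrary (Enc, Dec).
    return hashlib.shake_256(k.to_bytes(N // 8, "big") + nonce).digest(MSG_BYTES)

def enc(k: int, m: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    return nonce + bytes(a ^ b for a, b in zip(m, _pad(k, nonce)))

def dec(k: int, c: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(c[8:], _pad(k, c[:8])))

class EmulatedA:
    """Efficient stand-in for A: h is defined only where R has queried it."""
    def __init__(self):
        self.table = {}  # x_i -> y_i, kept in query order

    def h(self, x: int) -> bytes:
        # Step 1: answer h(x_i) with a random y_i, keeping consistency.
        if x not in self.table:
            self.table[x] = secrets.token_bytes(MSG_BYTES)
        return self.table[x]

    def find_key(self, c: bytes):
        # Step 2: return the first queried x_i with Dec_{x_i}(C) = y_i.
        for x, y in self.table.items():
            if dec(x, c) == y:
                return x
        return None

def unbounded_find_key(a: EmulatedA, c: bytes):
    """The inefficient A: extend h to all 2^n points and scan every key."""
    for k in range(2 ** N):
        if dec(k, c) == a.h(k):
            return k
    return None

def demo():
    a = EmulatedA()
    k = secrets.randbelow(2 ** N)
    c = enc(k, a.h(k))               # R's KDM ciphertext Enc_k(h(k))
    emulated = a.find_key(c)         # inspects the single queried point
    real = unbounded_find_key(a, c)  # inspects all 2^n keys
    return k, emulated, real
```

The two searches can disagree only when some non-queried key k' satisfies $h(k') = \mathrm{Dec}_{k'}(C)$, which by a union bound over the $2^n$ keys happens with probability at most $2^{-n}$.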
Further Issues
• Both bounds hold for 1-1 PRF
Open questions
• Prove feasibility result against larger class of functions
• Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)