Post on 19-Dec-2015
On the (Im)Possibility of Key Dependent Encryption
Iftach Haitner, Microsoft Research
August 04, 2009
Thomas Holenstein, Princeton University
outline
Define Key Dependent Message (KDM) secure encryption scheme
Two (impossibility) results
– On fully-black-box reductions from KDM security to TDP
– On strongly-black-box reductions from KDM security to “any” hardness assumption
Weak Key Dependent Message Security
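An encryption scheme (Enc, Dec) is KDM secure if, for any efficient A, the following two interactions are computationally indistinguishable ($\approx_C$):
– A sends query functions $h_1, h_2, \ldots$, with $h_i : \{0,1\}^n \to \{0,1\}^m$, to a challenger holding $k \leftarrow \{0,1\}^n$, and receives $\mathrm{Enc}_k(h_1(k)), \mathrm{Enc}_k(h_2(k)), \ldots$
– A sends the same queries to a challenger holding $k \leftarrow \{0,1\}^n$, and receives $\mathrm{Enc}_k(U_m)$ for each query
A cannot find k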
What class of query functions (e.g., h) should be considered?
In most settings, we should consider any (efficient) function
Feasibility Results
Limited output length functions:
– [Hofheinz-Unruh ‘08] based on any PKE
Family of affine functions:
– [Boneh-Halevi-Hamburg-Ostrovsky ‘08] based on DDH
– [Applebaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE
Efficient functions ???
Any function:
– [Black-Rogaway-Shrimpton ‘02] based on Random Oracle
Our Impossibility Results (informal)
It is impossible to construct (via black-box techniques) a KDM encryption scheme that is secure against
the family of poly-wise independent hash functions, based on OWF
– extends to TDP
any function, based on “any assumption”
• We focus on the private key setting
• Hold also for the “many PK keys” setting
outline
Define Key Dependent Message (KDM) secure encryption scheme
Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reduction from KDM security to “any” hardness assumption
Fully-Black-Box Reduction from KDM security to OWF
Black-box construction
Black-box proof of security
Adversary for breaking KDM ⇒ Inverter for breaking OWF
[Diagram: OWF → (Enc, Dec); adversary for KDM → inverter for OWF]
Black-box proof of security
[Diagram: $R^{\mathrm{OWF}}$, with access to A and $\pi$, receives $y \leftarrow \{0,1\}^n$ and outputs $x \in \pi^{-1}(y)$; A breaks the KDM security of $(\mathrm{Enc}^{\pi}, \mathrm{Dec}^{\pi})$]
Impossibility Result for OWF Based Schemes
There exists no fully-black-box reduction from a KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions
More formally:
Let $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ be an OWF-based encryption scheme, and let $v(n) = |\mathrm{Enc}^{(\cdot)}(M)|$, for $M \in \{0,1\}^{2n}$. Then $(\mathrm{Enc}^{(\cdot)}, \mathrm{Dec}^{(\cdot)})$ cannot be proved (in a black-box way) to be KDM-secure against $H_{v(n)+n}$, a family of $(v(n)+n)$-wise independent hash functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$
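Our adversary
[Diagram: $R^{\mathrm{OWF}}$, with access to A and $\pi$, receives $y \leftarrow \{0,1\}^n$ and outputs $x \in \pi^{-1}(y)$; A's interface is labelled $1^n$, h, c, k]
1. A breaks the (weak) KDM security of $(\mathrm{Enc}^{\pi}, \mathrm{Dec}^{\pi})$
2. $\pi$ is hard to invert in the presence of A.
Proof: à la [Simon ‘98] / [Gennaro-Trevisan ‘01, H-Hoch-Reingold-Segev ‘07]
A:
1) Select $h \leftarrow H_{v(n)+n}$
2) On input C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$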
outline
Define Key Dependent Message (KDM) secure encryption scheme
Our (impossibility) results
– On fully black-box reductions from KDM security to TDP
– On strongly black-box reductions from KDM security to “any” hardness assumption
Strongly Black-Box Reduction from KDM security to $\Gamma$
Let $\Gamma$ be a cryptographic assumption (e.g., factoring is hard)
Arbitrary construction
Black-box proof of security.
The query function h is treated as a black box
[Diagram: adversary for KDM → adversary for $\Gamma$]
Strongly Black-box proof of security
[Diagram: R, for breaking $\Gamma$, with access to A; A breaks the KDM security of (Enc, Dec). Example: factoring is hard, R receives n = pq and outputs p, q. A's interface is labelled $1^n$, h, c, k]
1. h is only accessed via its input/output interface
2. Access to h is not given to a “third party”
Impossibility Result for Strongly Black-Box Reductions
Assume that there exists a strongly-black-box reduction from a KDM encryption scheme to $\Gamma$, which is secure against $O_n$, the family of random functions from $\{0,1\}^n$ to $\{0,1\}^{2n}$. Then $\Gamma$ can be broken unconditionally
Our Adversary
[Diagram: $R^{\Gamma}$ with access to A; A breaks the KDM security of (Enc, Dec)]
A:
1) Select $h \leftarrow O_n$
2) On query C, output (the first) k s.t. $\mathrm{Dec}_k(C) = h(k)$
1. A breaks the (weak) KDM security of (Enc, Dec)
2. $R^{A,\Gamma}$ can be efficiently emulated
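The Emulation
[Diagram: $R^{\Gamma}$ sends queries $x_1, x_2, \ldots$ to $h \leftarrow O_n$ and receives $h(x_1), h(x_2), \ldots$; A's interface is labelled $1^n$, h, c, k]
1. Answer to $h(x_i)$ with a random $y_i \in \{0,1\}^{2n}$ (while keeping consistency)
2. On query C, return (the first) $x_i$ s.t. $\mathrm{Dec}_{x_i}(C) = y_i$
Proof Idea: the probability that $h(k) = \mathrm{Dec}_k(C)$ for non-queried k, is $2^{-2n}$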
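The emulation above as a runnable sketch (an added example, not code from the talk): a lazily sampled h replaces the full random function, and its answers are compared with the exhaustive adversary on the same h. The XOR-pad scheme `enc`/`dec`, the toy key length n = 8 and all function names are assumptions chosen so the exhaustive search can actually run.

```python
import hashlib
import secrets

N = 8            # toy key length n, small enough to search all 2^n keys (constructed)
OUT = 2 * N      # h maps {0,1}^n to {0,1}^{2n}, as on the slides

def pad(k):
    """2n-bit pad derived from key k; a stand-in toy scheme, not from the talk."""
    digest = hashlib.sha256(k.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big") % (1 << OUT)

def enc(k, m):
    return m ^ pad(k)          # Enc_k(m)

def dec(k, c):
    return c ^ pad(k)          # Dec_k(c)

class Emulator:
    """Efficient stand-in for A: h is sampled lazily, only queried points are searched."""
    def __init__(self):
        self.table = {}        # x_i -> y_i, in query order

    def h(self, x):
        if x not in self.table:                      # repeated queries stay consistent
            self.table[x] = secrets.randbelow(1 << OUT)
        return self.table[x]

    def find_key(self, c):
        for x, y in self.table.items():
            if dec(x, c) == y:                       # Dec_{x_i}(C) = y_i
                return x
        return None

def real_adversary(table, c):
    """Inefficient A: extend h to a full random function and search every key."""
    for k in range(1 << N):
        y = table[k] if k in table else secrets.randbelow(1 << OUT)
        if dec(k, c) == y:                           # Dec_k(C) = h(k)
            return k
    return None

def trial():
    """One KDM query: h is queried at k and C = Enc_k(h(k)) is handed to both adversaries."""
    emu = Emulator()
    k = secrets.randbelow(1 << N)
    c = enc(k, emu.h(k))
    return k, emu.find_key(c), real_adversary(emu.table, c)

def agreement(trials=200):
    """Fraction of trials in which the emulator and the real A give the same answer."""
    return sum(e == r for _, e, r in (trial() for _ in range(trials))) / trials
```

The two adversaries differ only when some unqueried k satisfies Dec_k(C) = h(k), which happens with probability 2^{-2n} per key, so `agreement()` stays close to 1 even at n = 8.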
Further Issues
Both bounds hold for 1-1 PRF
Open questions
Prove feasibility result against larger class of functions
Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)