On the (Im)Possibility of Key Dependent Encryption, Iftach Haitner, Microsoft Research

Post on 19-Dec-2015


On the (Im)Possibility of Key Dependent Encryption

Iftach Haitner, Microsoft Research

August 04, 2009

Thomas Holenstein, Princeton University

outline

Define Key Dependent Message (KDM) secure encryption scheme

Two (impossibility) results

– On fully-black-box reductions from KDM security to TDP

– On strongly-black-box reductions from KDM security to “any” hardness assumption

Weak Key Dependent Message Security

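An encryption scheme (Enc,Dec) is KDM secure if, for any efficient A, the following two interactions are computationally indistinguishable (≈_C):

– The Challenger samples k ← {0,1}^n. A sends query functions h_1, h_2, …, each h_i: {0,1}^n → {0,1}^m, and receives Enc_k(h_1(k)), Enc_k(h_2(k)), …

– The Challenger samples k ← {0,1}^n. A sends the same kind of queries h_1, h_2, … and receives Enc_k(U_m), Enc_k(U_m), …

A cannot find k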

What class of query functions (e.g., h) should be considered?

In most settings, we should consider any (efficient) function

Feasibility Results

Limited output length functions:
– [Hofheinz-Unruh ‘08] based on any PKE

Family of affine functions:
– [Boneh-Halevi-Hamburg-Ostrovsky ‘08] based on DDH
– [Applebaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE

Efficient functions ???

Any function:
– [Black-Rogaway-Shrimpton ‘02] based on Random Oracle

Our Impossibility Results (informal)

It is impossible to construct (via black-box techniques) a KDM encryption scheme that is secure against

• the family of poly-wise independent hash functions, based on OWF
– extends to TDP

• any function, based on “any assumption”

• We focus on the private key setting

• Hold also for the “many PK keys” setting

outline

Define Key Dependent Message (KDM) secure encryption scheme

Our (impossibility) results

– On fully black-box reductions from KDM security to TDP

– On strongly black-box reduction from KDM security to “any” hardness assumption

Black-box construction

Black-box proof of security

Adversary for breaking KDM ⇒ Inverter for breaking OWF

Fully-Black-Box Reduction from KDM security to OWF

[Diagram labels: Adversary for KDM; Inverter for OWF; OWF; (Enc,Dec)]

Black-box proof of security

[Diagram labels: A; ROWF; π; y ← {0,1}^n; x ∈ π^{-1}(y)]

A breaks the KDM security of (Enc^π, Dec^π)

Impossibility Result for OWF Based Schemes

There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions

More formally:

Let (Enc(),Dec()) be an OWF based encryption scheme, and let v(n) = |Enc()(M)|, for M ∈ {0,1}^{2n}. Then (Enc(),Dec()) cannot be proved (in a black-box way) to be KDM-secure against H_{v(n)+n}, a family of (v(n)+n)-independent hash functions from {0,1}^n to {0,1}^{2n}

Our adversary

[Diagram labels: A; ROWF; π; y ← {0,1}^n; x ∈ π^{-1}(y)]

1. A breaks the (weak) KDM security of (Enc^π, Dec^π)
2. π is hard to invert in the presence of A.

Proof: à la [Simon ‘98] / [Gennaro-Trevisan ‘01, H-Hoch-Reingold-Segev ‘07]

[Diagram labels for A: 1^n, h, c, k]

1) Select h ← H_{v(n)+n}
2) On input C, output (the first) k s.t. Dec_k(C) = h(k)

outline

Define Key Dependent Message (KDM) secure encryption scheme

Our (impossibility) results

– On fully black-box reductions from KDM security to TDP

– On strongly black-box reductions from KDM security to “any” hardness assumption

Let Γ be a cryptographic assumption (e.g., factoring is hard)

Arbitrary construction

Black-box proof of security.

The query function h is treated as a black box

Strongly Black-Box Reduction from KDM security to Γ

Adversary for KDM

Adversary for Γ

Strongly Black-box proof of security

[Diagram labels: A; R for breaking Γ; Γ, with the example “Factoring is hard” (n = pq; p, q); A with 1^n, h, c, k]

A breaks the KDM security of (Enc,Dec)

1. h is only accessed via its input/output interface
2. Access to h is not given to a “third party”

Impossibility Result for Strongly Black-Box Reductions

Assume that there exists a strongly-black-box reduction from a KDM encryption scheme to Γ, which is secure against O_n, the family of random functions from {0,1}^n to {0,1}^{2n}. Then Γ can be broken unconditionally

Our Adversary

A

Breaks the KDM security of (Enc,Dec)

1) Select h ← O_n
2) On query C, output (the first) k s.t. Dec_k(C) = h(k)

1. A breaks the (weak) KDM security of (Enc,Dec)
2. R^{A,Γ} can be efficiently emulated

The Emulation

[Diagram: h ← O_n; queries x_1, x_2 are answered with h(x_1), h(x_2)]

1. Answer h(x_i) with a random y_i ∈ {0,1}^{2n} (while keeping consistency)

2. On query C, return (the first) x_i s.t. Dec_{x_i}(C) = y_i

Proof Idea: the probability that h(k) = Dec_k(C) for a non-queried k is 2^{-2n}

[Diagram labels: A, 1^n, h, c, k]
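The emulation above, as an added example that is not from the slides: a lazily sampled table stands in for h ← O_n, and the key-finding query scans only the points that were already asked. The SHA-256 stream cipher used as (Enc,Dec), the 16-byte key size and all names are assumptions made for illustration.

```python
import hashlib
import secrets

N = 16  # key length in bytes; toy stand-in for n (assumption)

def _pad(k, nonce, length):
    # Assumed toy keystream (SHA-256 in counter mode); any (Enc, Dec) would do.
    blocks = (hashlib.sha256(k + nonce + bytes([i])).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def enc(k, m):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(m, _pad(k, nonce, len(m))))

def dec(k, c):
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _pad(k, nonce, len(body))))

class EmulatedAdversary:
    """Lazily emulates h <- O_n together with the key-finding adversary A."""

    def __init__(self):
        self.table = {}  # x_i -> y_i, kept in query order

    def h(self, x):
        # Step 1: a fresh random y_i in {0,1}^{2n} per new x_i, repeated consistently.
        if x not in self.table:
            self.table[x] = secrets.token_bytes(2 * N)
        return self.table[x]

    def find_key(self, c):
        # Step 2: first queried x_i with Dec_{x_i}(C) = y_i; None if there is none.
        for x, y in self.table.items():
            if dec(x, c) == y:
                return x
        return None

def demo():
    adv = EmulatedAdversary()
    k, other = secrets.token_bytes(N), secrets.token_bytes(N)  # constructed keys
    for _ in range(3):                       # unrelated h-queries by the reduction
        adv.h(secrets.token_bytes(N))
    c_kdm = enc(k, adv.h(k))                 # key-dependent ciphertext Enc_k(h(k))
    c_rand = enc(k, secrets.token_bytes(2 * N))     # Enc_k(U_m)
    c_unq = enc(other, secrets.token_bytes(2 * N))  # key that h was never asked about
    return adv.find_key(c_kdm) == k, adv.find_key(c_rand), adv.find_key(c_unq)

if __name__ == "__main__":
    print(demo())
```

The emulator never touches a key that was not queried to h; by the proof idea above, the real A would answer such a query with probability only 2^{-2n}, so the two are statistically close.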

Further Issues

Both bounds hold for 1-1 PRF

Open questions

Prove feasibility result against larger class of functions

Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)