Circular-Secure Encryption from Decision Diffie-Hellman
Dan Boneh, Shai Halevi, Mike Hamburg, Rafail Ostrovsky
Key Dependent Messages
• Message may depend on key
  – Encrypted swap
  – Encrypted backups
• Security in this setting does not follow from semantic security
  – Trivial, pathological counterexamples
  – Or…
Secure Self-Encryption [BRS’02]
E_k(m) = (r, H(r||k) ⊕ m), where r ←R (chosen at random)
[Diagram: r and k are fed into the hash H; its output is combined with m]
Insecure Self-Encryption [HK’07]
E’_k(k) = (r, E_r(k)), where r ←R
[Diagram labels: Encrypt, H, k, H(r||k), E_r(k)]
KDM in practice
• Collaboration:
  – Key pairs: PKA / SKA, PKB / SKB
  – Ciphertexts: E_PKB(SKA), E_PKA(SKB)
Circular Encryption [CL’01]
• A user has n credentials signed by CA:
  – Secret: SK1, SK2, …, SKn
  – Public and signed by CA: PK1, PK2, …, PKn
  – [Figure labels: “NY driver license”, “I am Shai”]
• User should not “lend” any of his credentials to a friend
• Solution [CL’01]: E_PK1[SK2], E_PK2[SK3], …, E_PKn[SK1]
Clique Security
E_{k_i}(k_j) for all i, j
(C,n)-KDM security [BRS’02]
Challenger → Adversary: (PK1,…,PKn)
Adversary → Challenger: (F∈C, i∈{1,…,n})
Challenger → Adversary: E_PKi[F(SK1,…,SKn)] or random
Adversary → Challenger: b*
Is ElGamal self-referential secure?
• Maybe, maybe not
• Need (g, g^x, g^r, g^(rx)·x) indistinguishable from random
  – Requires a funny assumption!
• Clique security? Need an even funnier assumption…
• Our goal: use a standard assumption (DDH)
Notation
• Let G be a group of prime order p
• Using additive notation for G
  – 1-dim vector space over Zp
• Perform dot products etc. normally
  (x1, x2, x3) · (g1, g2, g3) = x1g1 + x2g2 + x3g3, where gi ∈ G, xi ∈ Zp
  aka g1^x1 g2^x2 g3^x3
The Result
• n-Clique Secure for any [poly] n
  – CPA only
  – Bounds independent of n
  – More generally, (Affine,n)-Clique Secure
• Security rests on DDH
  – Standard model
  – Weaker assumptions possible, e.g. D-linear
The System
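Secret Key: s ∈ {0,1}^ℓ, i.e. (s1, s2, …, sℓ)
Public Key: v ∈ G^ℓ together with −v·s, i.e. (g1, g2, …, gℓ) and h = 1/(g1^s1 … gℓ^sℓ)
Encrypt: r × (v | −v·s) + (0 0 0 0 0 | m), i.e. (g1^r, g2^r, …, gℓ^r, h^r·m)
Decrypt: dot product of the ciphertext with (s | 1); the first term gives 0 and the second gives m, i.e. m = (g1^r)^s1 … (gℓ^r)^sℓ · (h^r·m)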
Theorem
Breaking (Affine,n)-clique security breaks DDH
Let’s prove the self-referential case
Intuition
“Ciphertext vectors” (g,1,1,…,1), (1,g,1,…,1), (1,1,1,…,g): always decrypts to the secret key
Easy to generate “encryption of the secret key”
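A toy Python rendering of the system and of the Intuition slide, added here as an illustration (it is not code from the slides or from the authors). It uses multiplicative notation; the tiny parameters Q, P, G_GEN, ELL and all function names are assumptions of this example.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# Q = 2P + 1 is a safe prime, so the squares mod Q form a group G of prime order P.
Q, P, G_GEN, ELL = 2039, 1019, 4, 8

def rand_elem():
    """Random non-identity element of G."""
    return pow(G_GEN, 1 + secrets.randbelow(P - 1), Q)

def keygen():
    s = [secrets.randbelow(2) for _ in range(ELL)]   # secret key s in {0,1}^ell
    g = [rand_elem() for _ in range(ELL)]            # public g1..g_ell
    prod = 1
    for gi, si in zip(g, s):
        prod = prod * pow(gi, si, Q) % Q
    h = pow(prod, -1, Q)                             # h = 1/(g1^s1 ... g_ell^s_ell)
    return s, (g, h)

def encrypt(pk, m):
    g, h = pk
    r = secrets.randbelow(P)
    return [pow(gi, r, Q) for gi in g], pow(h, r, Q) * m % Q

def decrypt(s, ct):
    c, d = ct
    out = d                                          # h^r * m
    for ci, si in zip(c, s):
        out = out * pow(ci, si, Q) % Q               # times (g_i^r)^s_i
    return out

def encrypt_key_bit(pk, i):
    """Ciphertext of g^(s_i) built from the public key alone."""
    c, d = encrypt(pk, 1)        # fresh encryption of the identity re-randomizes
    c[i] = c[i] * G_GEN % Q      # multiply in the "ciphertext vector" (1,..,g,..,1)
    return c, d

if __name__ == "__main__":
    s, pk = keygen()
    m = rand_elem()
    print(decrypt(s, encrypt(pk, m)) == m)
    print([decrypt(s, encrypt_key_bit(pk, i)) == pow(G_GEN, s[i], Q) for i in range(ELL)])
```

The point to notice is that `encrypt_key_bit` never touches `s`, yet its output decrypts to an encoding of the i-th key bit; this is what lets the proof's simulator answer key-dependent queries without knowing the key.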
The Proof
Game 0: CPA game
[Diagram: r × (public key vector) + (0 0 0 0 0 m)]
The Proof
Game 1
[Diagram: R × (rank 1 matrix) + (0 0 0 0 0 m)]
r (g1,…,gℓ,h) ~ r1 a1 (g1,…,gℓ,h) + … + rt at (g1,…,gℓ,h)
Indistinguishable: identical ciphertext distribution
The Proof
Game 2
[Diagram: R × (rank ℓ-1 matrix) + (0 0 0 0 0 m)]
Indistinguishable by DDH: matrix (1 a; b ab) vs. (1 a; b c)
The Proof
Game 3
[Diagram: R × (rank ℓ-1 matrix) + (0 0 0 1 0 0), the i-th row of the identity matrix]
Indistinguishable: identical ciphertext distribution
The Proof
Game 4
[Diagram: R × (rank 1 matrix) + (0 0 0 1 0 0)]
Random subset-sum of columns
Indistinguishable by DDH
The Proof
Game 5
[Diagram: R × (rank 1 matrix) + (0 0 0 1 0 0)]
Statistically indistinguishable (using LOHL)
The Proof
Game 6
[Diagram: R × (rank ℓ matrix) + (0 0 0 1 0 0)]
Indistinguishable by DDH
The Proof
Game 7
Indistinguishable: identical ciphertext distribution
Follow-up work
• Camenisch-Chandran-Shoup 2009: CCA security
  – Apply Naor-Yung/Sahai
  – For DDH-based scheme, can do it efficiently
• Applebaum, Cash, Peikert, Sahai 2009: Circular security from LPN/LWE
Questions?