Introduction to the Bounded-Retrieval Model (Stefan Dziembowski, University of Rome La Sapienza / Warsaw University)
![Page 1: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/1.jpg)
Introduction to the Bounded-Retrieval Model
Stefan Dziembowski
University of Rome La Sapienza
Warsaw University
![Page 2: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/2.jpg)
The main idea
Bounded-Retrieval Model: construct cryptographic protocols where the secrets are so large that they cannot be efficiently stolen.
D. Dagon, W. Lee, R. J. Lipton: Protecting Secret Data from Insider Attacks. Financial Cryptography 2005
G. Di Crescenzo, R. Lipton, S. Walfish: Perfectly Secure Password Protocols in the Bounded Retrieval Model. TCC 2006 [CLW06]
S. Dziembowski: Intrusion-Resilience via the Bounded-Storage Model. TCC 2006 [D06a]
S. Dziembowski: On Forward-Secure Storage. CRYPTO 2006 [D06b]
D. Cash, Y. Z. Ding, Y. Dodis, W. Lee, R. Lipton, S. Walfish: Intrusion-Resilient Authenticated Key Exchange in the Bounded Retrieval Model without Random Oracles. TCC 2007 [CDDLLW07]
![Page 3: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/3.jpg)
Plan
Introduction to the Bounded Retrieval Model:
• motivation
• an entity-authentication protocol
• connections to the BSM
Forward-Secure Storage
![Page 4: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/4.jpg)
The problem
Computers can be infected by malware!
The adversary installs a virus on the machine and later retrieves some data from it.
The virus can: take control over the machine, steal some secrets stored on the machine.
Can we run any crypto on such machines?
![Page 5: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/5.jpg)
Is there any remedy?
If the virus can download all the data stored on the machine, then the situation looks hopeless.
Idea: assume that he cannot do it!
![Page 6: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/6.jpg)
The general model
Time is divided into periods: the adversary installs a virus and retrieves some data, then there is a period with no virus, then he installs a virus again and retrieves some data, then again no virus, and so on.
The total amount of retrieved data is bounded!
![Page 7: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/7.jpg)
Our goal
Try to preserve as much security as possible (assuming the scenario from the previous slide).
Of course, as long as the virus is controlling the machine nothing can be done.
Therefore we care about the periods when the machine is free of viruses.
![Page 8: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/8.jpg)
Two variants
How does the virus decide what to retrieve?
Variant 1 [D06a, D06b, CDDLLW07]: he can compute whatever he wants on the victim's machine (and retrieve the result).
Variant 2 [CLW06, ...]: he can only access some individual bits on the victim's machine ("slow memory").
![Page 9: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/9.jpg)
Practicality?
![Page 10: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/10.jpg)
An example: entity authentication
We solve the following problem: there are two parties, the user and the bank. How can the bank verify the authenticity of the user?
![Page 11: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/11.jpg)
Entity authentication – the solution
The user and the bank share a long random key R (a bit string such as 0001101001110100100110101110011101111110100111010...).
1. The bank sends a random challenge Y.
2. The user replies with X = f(Y, R).
3. The bank verifies X by recomputing f(Y, R) from its own copy of R.
Example of f: Y = {y1, ..., ym} is a set of indices in R, and f(Y, (R1, ..., Rt)) = (R_{y1}, ..., R_{ym}), i.e. the user returns the bits of R at the challenged positions.
![Page 12: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/12.jpg)
Security of the authentication protocol
Theorem [D06, CDDLLW07]
An adversary that "retrieved" a constant fraction of R is not able to impersonate the user.
(This of course holds only in the periods when the virus is not on the machine.)
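The following is a constructed illustration added to this transcript (it is not code from the talk or from the cited papers) of the index-selection protocol above in the "slow memory" variant: the bank challenges m positions of the long shared key R, the user returns the bits at those positions, and an adversary who earlier exfiltrated a subset of the bits has to guess every challenged bit he does not hold. The sizes, the bit layout and the names challenge/respond/verify/impersonate are assumptions of the example; f is the bit-selection function from the slide, not a BSM-secure function.

```python
import secrets
from typing import Sequence

# Constructed toy parameters: R is 64 KiB here so the example runs instantly.
# In the BRM, R would be gigabytes, far more than the virus can exfiltrate.
N_BYTES = 64 * 1024
N_BITS = N_BYTES * 8


def bit_at(r: bytes, index: int) -> int:
    """Bit `index` of the key R, most-significant bit first within each byte."""
    return (r[index // 8] >> (7 - (index % 8))) & 1


def challenge(m: int, n_bits: int = N_BITS) -> list:
    """The bank's challenge Y = {y1, ..., ym}: m distinct random positions in R."""
    ys = set()
    while len(ys) < m:
        ys.add(secrets.randbelow(n_bits))
    return sorted(ys)


def respond(r: bytes, ys: Sequence[int]) -> list:
    """The user's answer X = f(Y, R) = (R[y1], ..., R[ym])."""
    return [bit_at(r, y) for y in ys]


def verify(r: bytes, ys: Sequence[int], x: Sequence[int]) -> bool:
    """The bank recomputes f(Y, R) from its own copy of R and compares."""
    return list(x) == respond(r, ys)


def impersonate(known: dict, ys: Sequence[int]) -> list:
    """Adversary of the 'slow memory' variant who earlier retrieved the bits in
    `known` (position -> bit): answers those correctly and guesses the rest."""
    return [known.get(y, secrets.randbelow(2)) for y in ys]


def success_probability(known_positions: set, ys: Sequence[int]) -> float:
    """Exact probability that impersonate() passes verify() for this challenge:
    every challenged position the adversary did not retrieve is a coin flip."""
    unknown = sum(1 for y in ys if y not in known_positions)
    return 2.0 ** -unknown


def average_success_bound(fraction_retrieved: float, m: int) -> float:
    """Averaged over random challenges: a challenged bit is known with
    probability p and otherwise guessed right with probability 1/2, giving
    ((1 + p) / 2) ** m.  With p = 1/2 and m = 128 this is about 1e-16."""
    return ((1.0 + fraction_retrieved) / 2.0) ** m


def demo():
    """Honest run, then an adversary who exfiltrated the first half of R."""
    r = secrets.token_bytes(N_BYTES)
    ys = challenge(m=128)
    honest_ok = verify(r, ys, respond(r, ys))
    known = {i: bit_at(r, i) for i in range(N_BITS // 2)}   # half of R stolen
    attacker_ok = verify(r, ys, impersonate(known, ys))
    return honest_ok, attacker_ok, success_probability(set(known), ys)


if __name__ == "__main__":
    print(demo())
```

The half-of-R exfiltration in demo() is the weakest reading of "retrieved a constant fraction of R" (Variant 2). For Variant 1, where the virus may compute on R before exfiltrating, plain bit selection is not enough and the theorem relies on a BSM-secure f, as the later slides point out.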
![Page 13: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/13.jpg)
A related concept: the Bounded Storage Model
This is related to the Bounded Storage Model (BSM) [Maurer 1992]
In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store.
In the BSM the computing power of the adversary may be unlimited.
![Page 14: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/14.jpg)
The Bounded-Storage Model (BSM) – an introduction
A huge randomizer R (a bit string such as 000110100111010010011010111001110111111010011101...) is broadcast.
Alice and Bob share a short initial key K and compute X = f(K, R).
Eve can perform any computation on R, but the result U = h(R) has to be much smaller than R; afterwards she knows only U = h(R).
Then the randomizer disappears.
Eve shouldn't be able to distinguish X from random.
![Page 15: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/15.jpg)
How is BSM related to our model?
It seems that the assumptions are opposite:

| | transmission | storage |
|---|---|---|
| BSM | cheap | expensive |
| LCM (our model) | expensive | cheap |
![Page 16: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/16.jpg)
BSM vs. BRM
Bounded-Storage Model: R comes from a satellite; the adversary keeps a stored value U.
Bounded-Retrieval Model: R is stored on a computer; the adversary obtains a retrieved value U.
![Page 17: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/17.jpg)
Consider again the authentication protocol
Observation: in the authentication protocol one could use a BSM-secure function f.
The bank sends a random Y, the user answers X = f(Y, R), and the bank verifies.
![Page 18: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/18.jpg)
Overview of the results
• An entity authentication protocol
• A session-key exchange protocol: in the Random Oracle Model [D06a], in the plain model [CDDLLW07]
• Forward Secure Storage [D06b] – "an encryption scheme secure in the BRM"
![Page 19: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/19.jpg)
Plan
Forward-Secure Storage:
• an IT-secure scheme
• a computationally-secure scheme
• a scheme with a conjectured hybrid security
Connections with the theory of Harnik and Naor
![Page 20: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/20.jpg)
Forward Secure Storage (FSS) – the motivation
The user encrypts a message M under a key K and stores the ciphertext C = E(K, M) on the machine.
The adversary installs a virus and retrieves C.
Later one of the following happens:
• the key K leaks to the adversary, or
• the adversary breaks the scheme.
In either case the adversary can compute M.
![Page 21: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/21.jpg)
The idea
Design an encryption scheme such that the ciphertext C is so large that the adversary cannot retrieve it completely.
The message M is encrypted as the ciphertext C = Encr(K, M).
![Page 22: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/22.jpg)
Forward-Secure Storage – a more detailed view
The adversary can compute an arbitrary function h of the ciphertext C = Encr(K, M).
The ciphertext C has length t; the retrieved value U = h(C) has length s << t.
Question: given U and (later) the key K, can the adversary learn M?
![Page 23: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/23.jpg)
Computational power of the adversary
We consider the following variants:
• computational: the adversary is limited to poly-time,
• information-theoretic: the adversary is infinitely powerful,
• hybrid: the adversary gains infinite power after he has computed the function h.
The hybrid variant models the fact that in the future the current cryptosystems may be broken!
![Page 24: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/24.jpg)
Information-theoretic solution – a wrong idea
Take a function f that is secure in the BSM (BSM encryption) and a short key K.
Choose a random R and set Y = f(K, R) xor M.
key: K; message: M; ciphertext: (R, Y).
By Shannon's theorem this cannot work (the key K is shorter than the message)!
![Page 25: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/25.jpg)
What exactly goes wrong?
Suppose the adversary has some information about M.
He can see (R, f(K, R) xor M); denote the second component W.
So, he can solve (for K) the equation W = f(K, R) xor M.
If he has enough information about M, and K is short, he will succeed!
Idea: "blind" the message M!
![Page 26: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/26.jpg)
A better idea
The key is a pair (K, Z), where Z is a random string of the length of M.
Choose a random R and set Y = f(K, R) xor M xor Z.
message: M; key: (K, Z); ciphertext: (R, Y).
![Page 27: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/27.jpg)
Why does it work?
Intuition: the adversary can compute any function h of (R, Y), where Y = f(K, R) xor M xor Z.
Y is of no use for him, since it is xor-ed with a random string Z!
So if this FSS scheme can be broken then also the BSM function f can be broken (by an adversary that uses the same amount of memory).
![Page 28: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/28.jpg)
Problem with the information-theoretic scheme
The secret key needs to be larger than the message!
What if we want the key to be shorter?
We need to switch to the computational setting...
![Page 29: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/29.jpg)
Computational FSS (with a short key)
(Encr, Decr) – an IT-secure FSS; (E, D) – a standard encryption scheme.
Encr1(K, M) = ( Encr(K, K'), E(K', M) ),
where K' is a random key for the standard encryption scheme. The first component is large, the second is small.
Intuition: when the adversary learns K he has no idea about K' and therefore no idea about M.
![Page 30: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/30.jpg)
Hybrid security
What about the hybrid security? Recall the scenario: the adversary applies h to the ciphertext C = Encr(K, M), keeps the retrieved value U = h(C), and later tries to compute M.
![Page 31: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/31.jpg)
Is this scheme secure in the hybrid model?
Encr1(K, M) = ( Encr(K, K'), E(K', M) )
The adversary retrieves only the second part, E(K', M)!
Later, when she gets infinite computing power, she can recover the message M!
Thus, the scheme is not secure in the hybrid model!
![Page 32: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/32.jpg)
A scheme (Encr2, Decr2)
Does there exist an FSS scheme with hybrid security (and a short key)?
Idea: generate K pseudorandomly!
(Encr, Decr) – an IT-secure FSS; G – a cryptographic PRG.
Encr2(K, M) = Encr(G(K), M)
![Page 33: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/33.jpg)
Is the scheme from the previous slide secure?
It cannot be IT-secure, but is it computationally-secure? Is it secure in the hybrid model?
We leave it as an open problem. It looks secure...
We can show the following (very informally): it is secure if one-way functions cannot be used to construct Oblivious Transfer.
![Page 34: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/34.jpg)
Computational security of Encr2 (1/2)
We show that if there exists an adversary A that breaks the (Encr2, Decr2) scheme, then one can construct an Oblivious Transfer protocol with:
• unconditional privacy of the Sender,
• privacy of the Receiver based on the security of the PRG G.
![Page 35: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/35.jpg)
Computational security of Encr2 (2/2)
Simplification: assume that |M| = 1 and the adversary can guess it with probability 1.
We construct an honest-but-curious Rabin OT between a sender (input: M) and a receiver:
1. The receiver picks a random K and flips a coin: in one case X := G(K), in the other case X is random. He sends X to the sender.
2. The sender replies with Encr(X, M).
3. The receiver applies the adversary's retrieval function to Encr(X, M) and keeps only U, the memory of the adversary.
If X = G(K), the receiver runs the adversary on (U, K) and the adversary outputs M.
If X is random, the receiver learns nothing about M (this follows from the IT-security of Encr)!
A computationally-limited sender cannot distinguish these cases!
![Page 36: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/36.jpg)
How to interpret this result?
Which PRGs G are safe to use in this protocol?
In some sense: "those that cannot be used to construct OT".
But maybe there exist "wrong" PRGs...
(see: S. Dziembowski, U. Maurer: On Generating the Initial Key in the Bounded-Storage Model. EUROCRYPT 2004)
![Page 37: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/37.jpg)
Hybrid security of Encr2
The argument for the hybrid security is slightly weaker.
We can construct only an OT protocol with a computationally-unbounded algorithm for the Receiver...
This is because the receiver has to simulate an unbounded adversary.
![Page 38: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/38.jpg)
Summary

| | IT security | hybrid security | comp. security |
|---|---|---|---|
| the first scheme (IT-secure FSS) | secure | secure | secure |
| the second scheme (Encr1) | not secure | not secure | secure |
| the third scheme (Encr2) | not secure | maybe secure | maybe secure |
![Page 39: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/39.jpg)
A complexity-theoretic view
Suppose the adversary wants to know if a given C is a ciphertext of some message M.
NP-language: L = {C : there exists K such that C = Encr(K, M)}.
Standard encryption: is C in L?
FSS: can we compress C to some U, s.t. |U| << |C|, so that later we can decide if C is in L based on U, using infinite computing power?
![Page 40: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/40.jpg)
The theory of Harnik and Naor
This question was recently studied in: Danny Harnik, Moni Naor: On the Compressibility of NP Instances and Cryptographic Applications. FOCS 2006
See also: Bella Dubrov, Yuval Ishai: On the Randomness Complexity of Efficient Sampling. STOC 2006
![Page 41: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/41.jpg)
Compressibility of NP Instances
Informally, an NP language L is compressible if there exists an efficient algorithm that compresses every string X to a shorter string U, in such a way that an infinitely-powerful solver can decide if X is in L based only on U.
Proving that some language is incompressible (from standard assumptions) is an open problem.
This is why showing an FSS scheme provably secure in the hybrid model may be hard!
![Page 42: Introduction to the Bounded- Retrieval Model Stefan Dziembowski University of Rome La Sapienza Warsaw University.](https://reader035.fdocuments.us/reader035/viewer/2022062311/5a4d1b097f8b9ab059989992/html5/thumbnails/42.jpg)
Thanks!