CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

Transcription

1 CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group

2 Continuous Leakage Resilience (CLR): A Brief History Initial results [BKKV10]: Show feasibility of CLR signatures. Under non-standard, non-black-box assumption on hash functions. Uses PCP (short CS proofs). Not practical. This Work: First constructions of CLR primitives (Signatures, ID schemes, Key Agreement) under standard assumptions. Linear assumption in bilinear groups. Efficient/practical schemes. Leakage up to ½ of the secret key. Follow-up results of [BKKV10]: CLR Encryption, IBE. Same assumption as our work. Also leads to alternate const. of signatures (slightly worse leakage).

3 This Talk Basic Primitive: CLR One-Way Relation. Signatures/ID schemes/aka follow from the techniques of prior works [KV09, ADW09, DHLW10].

4 Main Technical Problem: CLR One-Way Relation sk KeyGen() generates (pk, sk) pairs. Relation R tests if (pk, sk) are valid. pk (pk, sk) Ã KeyGen() R(pk, sk)=1 Basic One-Wayness: Given pk, can t find sk* s.t. R(pk, sk*) = 1.

5 Main Technical Problem: CLR One-Way Relation sk Rerand(sk) pk KeyGen() generates (pk, sk) pairs. Relation R tests if (pk, sk) are valid. Rerand(sk) refreshes the secret key. Can refresh arbitrarily many times. Rerand R(pk, sk)=1

6 Main Technical Problem: CLR One-Way Relation sk Rerand(sk) pk KeyGen() generates (pk, sk) pairs. Relation R tests if (pk, sk) are valid. Rerand(sk) refreshes the secret key. Can refresh arbitrarily many times. Rerand Rerand Rerand

7 Main Technical Problem: CLR One-Way Relation sk Security Adversary gets pk. Can ask for up to L bits of information about sk. What s the first L bit of SHA-1(sk)? pk

8 Main Technical Problem: CLR One-Way Relation sk Security Adversary gets pk. Can ask for up to L bits of information about sk. Key is refreshed. pk

9 Main Technical Problem: CLR One-Way Relation pk Security Adversary gets pk. Can ask for up to L bits of information about sk. Key is refreshed. Wins if R(pk, sk*) = 1. sk* =

10 Difficulty of Constructing CLR-OWR In a reduction, need to know many valid secret-keys in full. Nevertheless, need to solve some hard problem given a valid forgery by the adversary. Hope: forgery of different type then secret-keys we know. Adversary gets unbounded amount of information in total. Why can t it learn the type?

11 Outline of Construction 1. General strategy to handle continuous leakage. Reduce continuous leakage to overall-bounded leakage. 2. Construction from (special) PKE/NIZK. 3. Instantiate components based on linear assumption.

12 Strategy for CLR-OWR All possible sk bad Valid for pk good For each public-key pk: Valid: { sk : R(pk, sk) = 1}. Good ½ Valid Bad = Valid \ Good Can sample pk along with: samg : Samples sk 2 Good. samb : Samples sk 2 Bad. dk : isgood(sk, dk) = 0/1. Re-randomize inside Good. Rerand(sk) ¼ Sample(samG) conditioned on pk, samg, sk.

13 Strategy for CLR-OWR good bad Security Hardness of Good Keys: Given pk, samb, find sk* s.t. isgood(sk*, dk) = 1. Hardness of Bad Keys: Given pk, samg, find sk* s.t. isgood(sk*, dk) = 0. L-Leakage-Indistinguishability: Adv. gets pk, samg, samb. Challenger randomly chooses {good, bad} key sk. Adv. gets L bits of leakage on sk. Wins if produces sk* in the same category as sk. (Cannot correlate category of sk* with sk.)

14 Strategy for CLR-OWR Leakage Indistinguishable Relation (LIR) good bad Hardness of Good Keys: Security Leakage is not continuous! Given pk, samb, find sk* s.t. isgood(sk*, dk) = 1. Hardness of Bad Keys: Given pk, samg, find sk* s.t. isgood(sk*, dk) = 0. L-Leakage-Indistinguishability: Adv. gets pk, samg, samb. Challenger randomly chooses {good, bad} key sk. Adv. gets L bits of leakage on sk. Wins if produces sk* in the same category as sk. (Cannot correlate category of sk* with sk.)

15 1. LIR ) CLR-OWR Claim: An L-LIR is a L-CLR-OWR Proof: During attack, adversary only sees random good keys. Forgery must be a good key by hardness of bad keys. One-by-one, switch good keys for bad keys. Pr[forged key is good] does not decrease by L-Leakage-Ind.. Adversary only sees bad keys. Yet forgery is good. Contradicts hardness of good keys.

16 1. LIR ) CLR-OWR Claim: An L-LIR is a L-CLR-OWR Proof: During attack, adversary only sees random good keys. Forgery must be a good key by hardness of bad keys. One-by-one, switch good keys for bad keys. Pr[forged key is good] does not decrease by L-Leakage-Ind.. Adversary only sees bad keys. Yet forgery is good. Contradicts hardness of good keys.

17 1. LIR ) CLR-OWR Claim: An L-LIR is a L-CLR-OWR Proof: During attack, adversary only sees random good keys. Forgery must be a good key by hardness of bad keys. One-by-one, switch good keys for bad keys. Pr[forged key is good] does not decrease by L-Leakage-Ind.. Adversary only sees bad keys. Yet forgery is good. Contradicts hardness of good keys.

18 1. LIR ) CLR-OWR Claim: An L-LIR is a L-CLR-OWR Proof: During attack, adversary only sees random good keys. Forgery must be a good key by hardness of bad keys. One-by-one, switch good keys for bad keys. Pr[forged key is good] does not decrease by L-Leakage-Ind.. Adversary only sees bad keys. Yet forgery is good. Contradicts hardness of good keys.

19 Outline of Construction 1. General strategy to handle continuous leakage. Reduce continuous leakage to one-time leakage. 2. Construction from (special) PKE/NIZK. 3. Instantiate components based on DDH/K-Linear.

20 Constructing LIR Let E 1, E 2 be two PKE and be a NIZK argument-system. The LIR scheme samples: pk = (CRS, pk 1, pk 2, c 1 ) where c 1 = Enc pk1 (m;r) for rand m. Secret-keys have form sk = (c 2, ¼). Valid sk: ¼ proves that (c 1, c 2 ) encrypt same message. Good sk: (c 1, c 2 ) actually encrypt the same message. Sample good keys with samg = (m, r). Sample bad keys with samb = TD (simulation trap-door). Distinguish good/bad with dk = (sk 1, sk 2 )

21 Constructing LIR Re-randomization. Hardness of Good Keys. Hardness of Bad Keys. L-Leakage-Indistinguishability.

22 Constructing LIR (Hardness) pk = (CRS, pk 1, pk 2, c 1 ) sk = (c 2, ¼). samg = (m, r), samb = TD, dk = (sk 1, sk 2 ) Valid sk: ¼ proves that (c 1, c 2 ) encrypt same message. Good sk: (c 1, c 2 ) actually encrypt same message. Hardness of Good Keys. Follows if E 1 is Semantically-Secure (or even one-way). Hardness of Bad Keys. Follows by the soundness of the NIZK.

23 Constructing LIR Re-randomization. Hardness of Good Keys. Hardness of Bad Keys. L-Leakage-Indistinguishability.

24 Constructing LIR (Re-randomization) pk = (CRS, pk 1, pk 2, c 1 ) sk = (c 2, ¼). To re-randomize sk = (c 2, ¼) need to: Re-randomize the ciphertext c 2. (same message, fresh rand.) Update the NIZK proof ¼ (new statement, fresh rand).

25 Constructing LIR (Re-randomization) pk = (CRS, pk 1, pk 2, c 1 ) sk = (c 2, ¼). Assume E 1, E 2, are homomorphic over some groups. Hom. Encryption: Enc(m; r) + Enc(m ; r ) = Enc(m + m ; r + r ). Hom. Language: x 2 L, x 2 L ) x + x 2 L. Hom. NIZK for Hom. Language. If ¼, ¼ are proofs of x, x then ¼ + ¼ is a proof of x+x. Notion of re-randomizable/malleable proofs defined by [BCC+09]. Language (c 1, c 2 ) encrypt the same message is homomorphic. Notice (c 1, c 2 + Enc(0;r)) = (c 1, c 2 ) + (Enc(0;0), Enc(0;r) ).

26 Constructing LIR Re-randomization. (If E 1, E 2, are homomorphic ) Hardness of Good Keys. Hardness of Bad Keys. L-Leakage-Indistinguishability.

27 Constructing LIR (Leakage Ind.) pk = (CRS, pk 1, pk 2, c 1 ) sk = (c 2, ¼). To get L-leakage-indistinguishability, need security for E 2. L-Leakage-of-Ciphertext Non-Malleability (L-LoC-NM): Given L bits of leakage on ctext c can t produce related ctext c*. Adversary gets pk. Chooses m 0, m 1. Challenger chooses b à {0,1}. Sets c = Enc(m b ). Adversary gets L bits of leakage on ciphertext c. Adversary makes 1 decryption query on any c*. Wins if guesses b. LoC-NM security is weaker the non-malleability (L = m ) and stronger than semantic-security. But we need LoC-NM + homomoprhic schemes! Is it possible?

28 Constructing LIR Re-randomization. (If E 1, E 2, are homomorphic ) Hardness of Good Keys. Hardness of Bad Keys. L-Leakage-Indistinguishability. (If E 2 is L-LoC-NM)

29 Outline of Construction 1. General strategy to handle continuous leakage. Reduce continuous leakage to one-time leakage. 2. Construction from (special) PKE/NIZK. 3. Instantiate components based on DDH/K-Linear.

30 Homomorphic NIZKs Groth-Sahai NIZKs are homomorphic for systems of equations over prime-order groups (with a pairing). Influenced by work of [BCC+09] on re-randomizable proofs. Secure under K-linear assumptions for any K 1. 1-linear = DDH. Can only hold for asymmetric pairings (two base groups are different). 2-linear can hold for symmetric and asymmetric pairings. K-linear assumption gets weaker as K grows.

31 Homomorphic Encryption For E 1, use ElGamal (generalized to K-linear). For E 2, use Cramer-Shoup-Lite Encryption (generalized). Cramer-Shoup-Lite: Only CCA-1 secure. Is homomorphic. Enc(m;r) = (g r, h r, (f 0 ) r m, (f 1 ) r ) In general, CCA-1 security does not imply L-LoC-NM. But proof technique extends to show L-LoC-NM for L ¼ ¼ c. Can generalize scheme to get L-LoC-NM for L ¼ (1-²) c. Enc(m;r) = (g r, h r, (f 0 ) r m, (f 1 ) r, (f 2 ) r, (f 3 ) r, ).

32 Summary of CLR-OWR Construct L-CLR-OWR based on the K-linear assumption. Practical Efficiency : Constant number of group elements, group operations. Relative leakage L/ sk ¼ 1/(K+1). 1/2 for DDH, 1/3 for 2-linear. Leads to Signatures with same leakage/efficiency. [BKKV10]: CLR OWR/Sigs/Enc with L/ sk ¼ 1/(2K). Recently improved by [DW10] to 1/K (e.g. ¼ 1 for DDH).

33 Thank you! eprint Report 2010/196 (many extensions)