Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Size: px

Start display at page:

Download "Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter"

Garry Preston
5 years ago
Views:

1 Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India

2 Why We Consider Secrets Leak? THEORY Ideal setting Private internal secret state secret state REAL LIFE Physical implementation leaks information e.g.: secret key/ randomness secret state

state radiation time secret state Side channel attacks sound

3 Why We Consider Secrets Leak? THEORY Ideal setting electromagnetic Private internal secret state radiation time secret state Side channel attacks sound REAL LIFE Physical implementation leaks information e.g.: secret key/ randomness secret state

4 Why We Consider Secrets Leak? THEORY Ideal setting electromagnetic Private internal secret state radiation time secret state Side channel attacks REAL LIFE Physical implementation leaks information e.g.: secret key/ randomness secret state sound Only computation leaks information [Micali and Reyzin 04]

5 Bounded Leakage Model Inspired by cold-boot attack/memory attack [Halderman et al.08] Not only computation leaks information Model: leakage oracle Leakage rate: secret key: SK

6 Public-Key Encryption Semantic security against key leakage and CCA [NS09] Adversary Decryption queries Leakage queries

7 Public-Key Encryption Semantic security against key leakage and CCA [NS09] Adversary Decryption queries Leakage queries The adversary succeeds if b=b Advantage: Pr[b=b ]-1/2

8 Previous Works High leakage-rate (e.g. 1-o(1), using NIZK) but either no efficient instantiations [NS09] or over a pairing-friendly group (efficient, but the ciphertext size is a little bit large) [Dodis et al.10, Galindo et al.12]

9 Previous Works High leakage-rate (e.g. 1-o(1), using NIZK) but either no efficient instantiations [NS09] or over a pairing-friendly group (efficient, but the ciphertext size is a little bit large) [Dodis et al.10, Galindo et al.12] Low leakage rate (e.g. 1/4-o(1)), but very practical construction via hash proof system [NS09,Li et al.12, Liu et al.13] has short ciphertext size (for reasonable leakage rate) Instantiations under DDH, DCR etc. (without pairing)

10 Question From [Dodis et al. Asiacrypt 2010], it seems that the hash proof system approach to building CCA encryption is inherently limited to leakage-rates below 1/2: this is because the secret-key consists of two components (one for verifying that the ciphertext is well-formed and one for decrypting it) and the proofs break down if either of the components is individually leaked in its entirety. However, no HPS-based PKEs are known achieving leakagerate 1/2-o(1), especially under DDH or DCR assumptions. Question: can we find a new way to construct LR-CCA secure PKEs which are as practical as HPS with reasonable high leakage-rates, like 1/2-o(1)?

11 Hash Proof System[CS02] Family of projective hash functions Subset membership problem: (valid/invalid)

12 Hash Proof System[CS02] Family of projective hash functions Subset membership problem: (valid/invalid) SK space PK space

13 Hash Proof System[CS02] Family of projective hash functions Subset membership problem: (valid/invalid) SK space Public evaluation Private evaluation PK space

14 Hash Proof System[CS02] Family of projective hash functions Subset membership problem: (valid/invalid) SK space Public evaluation High entropy Private evaluation PK space universal/universal 2 smooth

15 HPS-based Approach (language) additional input Mask message Prove

16 HPS-based Approach (language) additional input Mask message Prove

17 HPS-based Approach (language) additional input Mask message Prove Leakage amount is at most: In fact smaller than

18 HPS-based Approach (language) additional input Leakage-rate: Mask message Prove Leakage amount is at most: In fact smaller than

19 HPS-based Approach (language) additional input Leakage-rate: Best result: 1/4 o(1) Mask under DDH assumption Prove message Leakage amount is at most: In fact smaller than

20 Our Approach (language) additional input Mask message Prove

21 Our Approach (language) additional input Mask message Prove

22 Our Approach (language) additional input Mask message Prove

23 Our Approach (language) additional input Mask message Prove

24 Our Approach (language) additional input Mask message Prove

25 Our Approach (language) additional input Leakage-rate: Our result: 1/2 o(1) under Mask DDH /DCR Prove message

26 Our Approach (language) additional input Leakage-rate: Our result: 1/2 o(1) under Mask DDH /DCR Prove message One-Time Lossy Filter

29 One-Time Lossy Filter Similar to (chameleon) all-but-one lossy trapdoor functions [PW08,LDL11] not require efficient inversion. Simplified version of lossy algebraic filter (for CIRC-CCA security) [Hof13] not require any algebraic property, but require that lossy function reveals constant information of its input even for larger domain (by adapting some public parameters). Tag space: auxiliary input part core tag part lossy tags injective tags

30 Properties lossiness/ indistinguishability/evasiveness Domain Domain possible values Injective Lossy

31 Properties Lossy tag is generated via a trapdoor Ftd. For any auxiliary input t a, it is easy to compute a core tag t c, such that (t a,t c ) is a lossy tag via the trapdoor. Without the trapdoor, it is hard to generate a new non-injective tag even seen one lossy tag.

33 Construction Idea One entropy source used in two purposes. Mask the plaintext (applying an extractor) Verify the well-formedness of the ciphertext (applying a special injective function: one-time lossy filter) k-entropy source Injective map k-entropy

34 The PKE Scheme Encryption Decryption Ciphertext:

35 The PKE Scheme Encryption Decryption Ciphertext:

36 Proof Idea: challenge ciphertext Public evaluation Private evaluation High entropy

37 Proof Idea: challenge ciphertext Public evaluation Private evaluation High entropy Injective Lossy reveal bits info.

38 Proof Idea: challenge ciphertext Public evaluation Private evaluation High entropy Shorter random bits to hide plaintext Reveal limited amount of information about K*

39 Proof Idea: challenge ciphertext Public evaluation Private evaluation High entropy constant remainder entropy (to leak) well-formedness check Shorter random bits to hide plaintext Reveal limited amount of information about K*

40 Proof Idea: decryption query Public evaluation High entropy Injective Shorter random bits to hide plaintext Must know all entropy of K

41 Proof Idea: decryption query Public evaluation High entropy Injective Shorter random bits to hide plaintext Must know all entropy of K

42 Proof Summary OT-LF OT-LF HPS HPS Encryption query valid Decryption queries valid invalid injective lossy invalid injective lossy

44 Instantiation: <q, G, g> n-fold parallelization of [CS02] construction. OT-LF, similar to DDH-based lossy trapdoor function: Domain:, image values: Chameleon hash

45 Efficiency Comparison Advantages: Achieve 1/2-o(1) under DDH/DCR shorter ciphertext overhead (when leakage rate better than HPS-based construction [28,25] Disadvantages: below 1/2.

46 Conclusion and Further Work A new primitive: one-time lossy filter A generic construction of LR-CCA-secure PKE Efficient instantiations under DDH and DCR assumptions (with better leakage-rate 1/2-o(1)) Further work: Improve the leakage-rate to [1/2, 1) without loss the practicality. Leakage-flexible CCA-secure PKE without pairing.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History