Notes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange

Similar documents
Notes for Lecture 14

1 Identification protocols

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

1 Achieving IND-CPA security

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

Notes for Lecture 10

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Homework 3: Solution

PROGRAM obfuscation is the process of making it unintelligible

Lecture 15: Public Key Encryption: I

Foundations of Cryptography CS Shweta Agrawal

Key Exchange. Secure Software Systems

CPSC 467: Cryptography and Computer Security

CS 395T. Formal Model for Secure Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Tools for Computing on Encrypted Data

Diffie-Hellman. Part 1 Cryptography 136

Lecture 07: Private-key Encryption. Private-key Encryption

Auth. Key Exchange. Dan Boneh

Cryptography III Want to make a billion dollars? Just factor this one number!

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Somewhat Homomorphic Encryption

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Secure Multiparty Computation

CS 161 Computer Security

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

DC Networks The Protocol. Immanuel Scholz

CPSC 467b: Cryptography and Computer Security

Encryption 2. Tom Chothia Computer Security: Lecture 3

Group Key Establishment Protocols

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

An IBE Scheme to Exchange Authenticated Secret Keys

ECEN 5022 Cryptography

Algorithms (III) Yijia Chen Shanghai Jiaotong University

CS 161 Computer Security

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecture 7.1: Private-key Encryption. Lecture 7.1: Private-key Encryption

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Unit 9: Cryptography. Dave Abel. April 15th, 2016

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to Cryptography Lecture 7

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

1 One-Time Pad. 1.1 One-Time Pad Definition

CS 161 Computer Security

Notes for Lecture 24

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

On Robust Combiners for Oblivious Transfer and other Primitives

Obfuscation (IND-CPA Security Circular Security)

Lecture 18 - Chosen Ciphertext Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptographic Systems

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 5: Zero Knowledge for all of NP

Lecture 1: Perfect Security

CS408 Cryptography & Internet Security

Cryptographic Hash Functions

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu

Lecture 8: Cryptography in the presence of local/public randomness

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Lecture 10, Zero Knowledge Proofs, Secure Computation

On the Security of a Certificateless Public-Key Encryption

1 A Tale of Two Lovers

The Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)

Strong Password Protocols

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Senior Math Circles Cryptography and Number Theory Week 1

21 Software Obfuscation

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Online Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh

CS 161 Computer Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography. Lecture 12. Arpita Patra

ISA 562: Information Security, Theory and Practice. Lecture 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 6 - Cryptography

Introduction to Cryptography Lecture 7

CSC 774 Advanced Network Security

Cryptography 2017 Lecture 3

Lecture 7 - Applied Cryptography

Provable Partial Key Escrow

P2_L8 - Hashes Page 1

Brief Introduction to Provable Security

Uzzah and the Ark of the Covenant

Lecture 8 - Message Authentication Codes

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Introduction to Cryptography. Lecture 6

Symmetric Encryption 2: Integrity

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Introduction to Cryptography. Lecture 3

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

On the Security of Group-based Proxy Re-encryption Scheme

Transcription:

COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public key encryption (PKE) from indistinguishability obfuscation (io) and one way functions (OWF). At the end, we looked at multiparty non-interactive key exchange (NIKE). Today, we ll continue looking at multiparty NIKE. 2 Non-interactive vs. Interactive Key Exchange We first consider the two person case. In this setting, Alice and Bob have a channel through which they can communicate over many rounds. The goal is for Alice and Bob to agree on a shared key k that an eavesdropper (who can see every round of communication) is unable to deduce anything about. We can solve this using public key encryption, as follows. Alice generates (ek, dk) Gen() and then sends ek to Bob. Bob picks a random key k {0, 1} λ and sends back c Enc(ek, k). So Bob has k and Alice can learn k by just decrypting k = Dec(dk, c). In 2-party NIKE, Alice and Bob both post to a public bulletin board at the same time and establish a shared key k. It s non-interactive because they don t wait to see each other s messages. Why is non-interactive key exchange particularly interesting? 1. It is interesting to see if we can compress communication to just a single, noninteractive round. 2. The messages/public values can be reused. The fact that this procedure is noninteractive means that Alice and Bob can post their public values to establish a shared key, and later, if Charlie wants to establish a shared key with just Bob, Bob doesn t have to post any new messages. Charlie just runs his half of the protocol, and posts his public value. Then Bob can compute the shared key k BC right away. Re-use of messages means we can use less communication overall. Suppose we have N users and each pair of users wants to establish a shared key. This just takes N 1

messages in the non-interactive setting, but requires Ω(N 2 ) messages in the interactive setting. 3 History Before we move onto a construction of multiparty NIKE, we ll briefly survey the history of this problem. In 1976, Diffie and Hellman came up with a 2-party NIKE scheme using a computational problem involving finite fields [DH76]. In the 1990 s, people realized this could be extended to elliptic curves, which gives certain advantages that we won t discuss in this class. In the 1990 s and 2000 s, people came up with an extension to lattices. In 2004, Joux came up with 3 party NIKE using pairings on elliptic curves [Jou04]. In 2012, Garg, Gentry, and Helevi came up with an N-party scheme using multilinear maps [GGH13]. It turns out this scheme is broken. 4 Multiparty NIKE from io We define a multiparty NIKE scheme to consist of the following PPT algorithms Setup(λ, N) params Publish(params, i) (sv i, pv i ) KeyGen(params, {pv i } i=1,...,n, sv j ) k Here we re allowing a trusted setup to occur first. Think of this as Facebook publishing parameters to a public bulletin board, and then the Facebook users running a multiparty NIKE scheme afterwards. It s still non-interactive, but there is an additional step in the beginning. Correctness is straightforward; for all j, everyone gets the same key. The scheme is secure if no polynomial time adversary can distinguish between the following two cases. Case 1. The adversary receives k, params, {pv i } i=1,...,n where params Setup(λ, N), i (pv i, sv i ) Publish(params, i), and key k KeyGen(params, {pv i } i=1,...,n, sv 1 ). 2

Case 2. The adversary receives R, params, {pv i } i=1,...,n. This is generated the same way as it was in case 1, except R is a totally random string R {0, 1} λ. params Gen(λ). We first give a broken protocol to build intuition. We consider the situation where all users have access to some black box F. We claim that for each user, their public value should be the result of a one way function applied to their secret value. If this isn t the case for some user, then the adversary can potentially learn things about this user s secret value. The (broken) protocol works as follows. Say the users are A, B, C. Everybody posts their public value. F has the secret key k P RF for some PRF in its head. F just returns P RF (k P RF, (pv A, pv B, pv C )), and the users agree on this as the shared key. Obviously this doesn t work since this key relies solely on public information. The adversary could just submit pv A, pv B, pv C to the black box and know the shared key. So to make the scheme work, we modify the black box to only give back the key if the user has supplied their secret value first. We start by defining Setup(λ, N) to work as follows. First, sample a totally random key k P RF {0, 1} λ. Define the program P kp RF,λ,N(pv 1,..., pv N, i, sv i ) to have the following behavior. Check if pv i = OW F (sv i ). If not, abort and output. If so, set k P RF (k P RF, (pv 1,..., pv N ) and output k. Setup(λ, N) will output params where params io(p kp RF,λ,N). If we had black box obfuscation, this would be good enough. But to make a proof of security work with just io, we need to make a few changes. We turn the one way function into a PRG, and the PRF into a puncturable PRF. The PRG will be length doubling: {0, 1} λ {0, 1} 2λ. So the working protocol we give is: Setup(λ, N) samples a totally random k P RF {0, 1} λ, and outputs io(p kp RF,λ,N), where P kp RF,λ,N is as defined above (with the given modifications). Publish( ˆP ) sets sv {0, 1} λ, pv P RG(sv), and then outputs pv, sv. KeyGen( ˆP, {pv i } i=1,...,n, i, sv i ) outputs ˆP ({pv i }, i, sv i ). Theorem 1. The above protocol is secure. Proof. We use a series of hybrids to prove security. Hybrid 0 will correspond to the first case of the security experiment, and Hybrid 5 will correspond to the second case. 3

In Hybrid 0, the adversary gets a properly generated key k P RF (k P RF, {pv i }) and params, {pv i }. Here pv i = P RG(sv i ). The bar in pv, sv is simply to distinguish these original values. Hybrid 1 is the same as Hybrid 0, except we change the public values to be truly random, so i pv i {0, 1} 2λ. Security of the PRG allows us to replace all the public values with truly random values. Hybrid 2 is the same as Hybrid 1, except now we set params = io(p ), where P z,k{z}p RF,λ,N (pv 1,..., pv N, i, sv i ) has the following behavior (for shorthand, we are now setting z = {pv i }). Check that pv i = P RG(sv i ). Check that z {pv i }. If either check fails, output. Otherwise, set k P RF (k P RF {z}, pv 1,..., pv N ), and output k. To get from P to P, we changed the PRF to a punctured PRF, and we added a new line to check if z {pv i }. We claim this hasn t changed the function. For the second check to fail in a case where the first check wouldn t already fail, the input must be pv 1,..., pv N, i, sv i where P RG(sv i ) = pv i. This last equality is overwhelmingly unlikely to be satisfied, since pv i is randomly drawn from a set 2 2λ and sv i is drawn from a set of size 2 λ. Since these programs are equivalent w.h.p., io tells us that this is indistinguishable from Hybrid 1. Hybrid 3 is the same as Hybrid 2, except we set k to be a randomly drawn value k {0, 1} λ. In Hybrid 2, k was the value of a punctured PRF at the punctured point. Now we re changing it to be totally random, which by punctured security is impossible to distinguish. So this is indistinguishable from Hybrid 2. In each of the remaining hybrids, we undo the changes above by applying the same arguments. In Hybrid 4, we set params = io(p kp RF,λ,N). In Hybrid 5, we set pv i = P RG(sv i ). We are back to where we started, but now there is true randomness in the key. We can modify this protocol to get rid of Setup, which is undesirable since the authority can learn k. What if Alice just generates the parameters? Alice can publish ˆP along with pv A. Alice can do this since none of the users need to see ˆP in order to generate their own public values. 4

This protocol has some weaknesses. Multiparty NIKE was motivated by reusability of messages, but here if David wants to join and compute a shared key with a set of users not including Alice, they can t use the same ˆP. The proper way to do it is that each person submits their own ˆP and the users can use the lexicographically first program. Another issue is that once Alice publishes her program, it won t allow more than N users. 5 Stronger Security Models for NIKE The original model we proved security in assumes that the users establish a key in a vacuum. But the whole point of multiparty NIKE is that there is reusability. So the model should take this into consideration. Let s suppose an adversary joins the protocol. Moreover, let s say that the adversary obfuscates the following program (instead of the intended program) P (pv 1,..., pv N, i, sv i ) = sv i. After running the protocol, Bob (for example) will think his secret value is the shared group key. The adversary will get messages from Bob where he encrypts with his secret key, and can potentially learn Bob s secret value. Then the adversary can use this to learn other shared keys in the future. There are stronger security models that capture this use case. The strongest is adaptive security, but we only do not yet know how to achieve this from just io and OWF. References [DH76] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644 654, Nov 1976. 2 [GGH13] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate Multilinear Maps from Ideal Lattices, pages 1 17. Springer Berlin Heidelberg, Berlin, Heidelberg, 2013. 2 [Jou04] Antoine Joux. A one round protocol for tripartite diffie hellman. Journal of Cryptology, 17(4):263 276, 2004. 2 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback