Plaintext Awareness via Key Registration

Similar documents
Plaintext Awareness via Key Registration

CS 395T. Formal Model for Secure Key Exchange

Secure Multiparty Computation

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Lecture 18 - Chosen Ciphertext Security

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Multi-Theorem Preprocessing NIZKs from Lattices

Securely Combining Public-Key Cryptosystems

Lecture 10, Zero Knowledge Proofs, Secure Computation

Refining Computationally Sound Mech. Proofs for Kerberos

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Ref:

Chosen-Ciphertext Security (II)

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Security of Cryptosystems

Encryption. INST 346, Section 0201 April 3, 2018

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

CSC 774 Network Security

Secure Multiparty Computation

1 Identification protocols

Introduction to Cryptography Lecture 7

Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications

Kurose & Ross, Chapters (5 th ed.)

Lecture 2 Applied Cryptography (Part 2)

Computer Security CS 526

CS Computer Networks 1: Authentication

Applied Cryptography and Computer Security CSE 664 Spring 2018

2 Secure Communication in Private Key Setting

Security. Communication security. System Security

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Security Protections for Mobile Agents

On the Security of a Certificateless Public-Key Encryption

@ Massachusetts Institute of Technology All rights reserved.

Cryptographic Concepts

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Lecture 5: Zero Knowledge for all of NP

Lecture 8 - Message Authentication Codes

Crypto Background & Concepts SGX Software Attestation

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptographic protocols

Message Authentication ( 消息认证 )

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Cryptography (Overview)

An Exploration of Group and Ring Signatures

Notes for Lecture 24

Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness

CSC/ECE 774 Advanced Network Security

The Simplest Protocol for Oblivious Transfer

Formal Methods and Cryptography

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens

Proofs for Key Establishment Protocols

Definitions and Notations

Application to More Efficient Obfuscation

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Computational Soundness of Symbolic Zero Knowledge Proofs

Cryptography. Lecture 12. Arpita Patra

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Random Oracles - OAEP

Universally Composable Protocols with Relaxed Set-up Assumptions

One-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich

CSE 127: Computer Security Cryptography. Kirill Levchenko

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Encryption from the Diffie-Hellman assumption. Eike Kiltz

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

IND-CCA2 secure cryptosystems, Dan Bogdanov

On Symbolic Analysis of Cryptographic Protocols. Akshay Patil

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Public-Key Cryptography

Adaptively Secure Computation with Partial Erasures

Introduction to Cryptography Lecture 7

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

1 A Tale of Two Lovers

Information Security CS526

Secure Multi-Party Computation. Lecture 13

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

PROTECTING CONVERSATIONS

Private Web Search with Malicious Adversaries

Inductive Trace Properties for Computational Security

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Deniable Ring Authentication

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Public Key Algorithms

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

CSC 580 Cryptography and Computer Security

CSC 474/574 Information Systems Security

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Transcription:

Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38

Context of this work Originates from work on Dolev-Yao (DY) model Symbolic approach to cryptography From formal methods community In particular, previous work: 1. Extracted a computational interpretation of Dolev-Yao assumptions, and 2. Showed these assumptions to be satisfied by plaintext-aware (PA) encryption Led to interest in plaintext-aware (PA) encryption Plaintext Awareness via Key Registration p.2/38

Other results Thesis also contains direct extensions of DY work: Strictly stronger interpretation of DY model Proof that stronger interpretation satisfied by chosen-ciphertext security Computationally sound extensions (Diffie-Hellman) Plaintext Awareness via Key Registration p.3/38

Overview This talk: self-contained work on plaintext awareness Strongest known security definition for public-key encryption However, current definition is problematic This work: removing problems in definition, keeping strength [With Moses Liskov and Silvio Micali, CRYPTO 2003] Plaintext Awareness via Key Registration p.4/38

Plaintext awareness A public-key encryption scheme consists of G: key-generation algorithm E: encryption algorithm, and D: decryption algorithm An encryption scheme is PA if 1. It keeps the plaintext secret, and 2. Adversary knows plaintext to any ciphertext it creates But what do we actually mean? Plaintext Awareness via Key Registration p.5/38

Secrecy Weakest standard definition of secrecy is semantic security [GM84]: No adversary can do better than random in when trying to distinguish encryptions of m 0 from encryptions of m 1 (under a randomly chosen key) even if it gets to pick m 0 and m 1 itself. Show same formalization twice: graphically and in standard (GMR) notation Plaintext Awareness via Key Registration p.6/38

Semantic security A PPT A Plaintext Awareness via Key Registration p.7/38

Semantic security k A PPT s. l. k T A Plaintext Awareness via Key Registration p.7/38

Semantic security k k e, d G A PPT s. l. k (e,d) G(1 k ); T A Plaintext Awareness via Key Registration p.7/38

Semantic security k k G e, d e m 0, m 1 A PPT s. l. k (e,d) G(1 k ); m 0,m 1 A(1 k,e); T A Plaintext Awareness via Key Registration p.7/38

Semantic security k T k G e, d e m 0, m 1 b B A A PPT s. l. k (e,d) G(1 k ); m 0,m 1 A(1 k,e); b CoinFlip(0,1); Plaintext Awareness via Key Registration p.7/38

Semantic security k T k G e, d e m 0, m 1 b m b, e c B E A A PPT s. l. k (e,d) G(1 k ); m 0,m 1 A(1 k,e); b CoinFlip(0,1); c E(m b,e); Plaintext Awareness via Key Registration p.7/38

Semantic security k T k G e, d e m 0, m 1 b m b, e c c g B E A A PPT s. l. k (e,d) G(1 k ); m 0,m 1 A(1 k,e); b CoinFlip(0,1); c E(m b,e); g A(c) : (A keeps state) Plaintext Awareness via Key Registration p.7/38

Semantic security k T k G e, d e m 0, m 1 b m b, e c c g B E A A PPT s. l. k (e,d) G(1 k ); m 0,m 1 A(1 k,e); b CoinFlip(0,1); c E(m b,e); g A(c) : b = g b = g? Plaintext Awareness via Key Registration p.7/38

Semantic security k T k G e, d e m 0, m 1 b m b, e c c g B E A A PPT s. l. k Pr[ (e,d) G(1 k ); m 0,m 1 A(1 k,e); b CoinFlip(0,1); c E(m b,e); g A(c) : b = g] 1 2 + neg(k) b = g? Require: Pr[b = g] = 1 2 Plaintext Awareness via Key Registration p.7/38

Strengthening semantic security Semantic security not strong enough for many applications Cannot be used in protocols Honest participants might provide to adversary services not captured by definition Two ways to strengthen: 1. Chosen-ciphertext attack 2. Plaintext awareness Plaintext Awareness via Key Registration p.8/38

Security against the chosen-ciphertext attack T G B E A A PPT Pr[ (e,d) G(1 k ); m 0,m 1 A (1 k,e); b CoinFlip(0,1); c E(m b,e); g A (c) : b = g] 1 2 + neg(k) Plaintext Awareness via Key Registration p.9/38

Security against the chosen-ciphertext attack T G B E A c m c c D A PPT Pr[ (e,d) G(1 k ); m 0,m 1 A D(,d) (1 k,e); b CoinFlip(0,1); c E(m b,e); g A D( =c,d) (c) : b = g] 1 2 + neg(k) m Plaintext Awareness via Key Registration p.9/38

Plaintext awareness Another notion: plaintext awareness Intuition: adversary knows plaintext to any ciphertext it creates Algorithm knowledge is what can be calculated Adversary A knows x if A + another algorithm (called extractor) can compute x Plaintext awareness: there exists an extractor that can produce the plaintext to adversary s ciphertext Plaintext Awareness via Key Registration p.10/38

Plaintext awareness Ext A PPT Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k e G d Ext A PPT (e,d) G(1 k ); Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k A e G d Ext A PPT (e,d) G(1 k ); c A(1 k,e); c Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k e A c G d Ext A PPT (e,d) G(1 k ); c A(1 k,e); p Ext(1 k,e,c); Ext p Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k e A c Ext G c d D Ext A PPT (e,d) G(1 k ); c A(1 k,e); p Ext(1 k,e,c); p D(c,d); p p Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k e A c Ext G c d D Ext A PPT Pr[ (e,d) G(1 k ); c A(1 k,e); p Ext(1 k,e,c); p D(c,d); p = p ] 1 neg(k) p = p Plaintext Awareness via Key Registration p.11/38

Plaintext awareness k e A c Ext G c d D Ext A PPT Pr[ (e,d) G(1 k ); c A(1 k,e); p Ext(1 k,e,c); p D(c,d); p = p ] 1 neg(k) p = p Do we want this? Plaintext Awareness via Key Registration p.11/38

Extractor requirements Note: extractor makes decryption oracle redundant Also violates semantic security Takes in ciphertext, produces plaintext Solution: limit extractor to adversary s ciphertexts Make extractor use additional information from adversary Ensure same information not available from honest participants Existing definition uses random oracle: Oracle O that provides random function Plaintext Awareness via Key Registration p.12/38

Plaintext awareness and the random oracle k e G d Ext A PPT Pr[ (e,d) G(1 k ); A c Ext c D c A (1 k,e); p Ext(1 k,e,c, ); p D (c,d); p = p ] 1 neg(k) p = p Plaintext Awareness via Key Registration p.13/38

Plaintext awareness and the random oracle Encryption, decryption now use oracle k e G d Ext A PPT Pr[ (e,d) G(1 k ); A c Ext c D O c A (1 k,e); p Ext(1 k,e,c, ); p D O( ) (c,d); p = p ] 1 neg(k) p = p Plaintext Awareness via Key Registration p.13/38

Plaintext awareness and the random oracle Encryption, decryption now use oracle Adversary gets access to oracle k e G d Ext A PPT Pr[ (e,d) G(1 k ); O A c Ext c D O c A O( ) (1 k,e); p Ext(1 k,e,c, ); p D O( ) (c,d); p = p ] 1 neg(k) p = p Plaintext Awareness via Key Registration p.13/38

Plaintext awareness and the random oracle Encryption, decryption now use oracle Adversary gets access to oracle Extractor given oracle queries made by adversary k e G d Ext A PPT Pr[ (e,d) G(1 k ); O Q A c Ext c D O c A O( ) (1 k,e); p Ext(1 k,e,c,q); p D O( ) (c,d); p = p ] 1 neg(k) p = p Plaintext Awareness via Key Registration p.13/38

Previous work This is original definition of PA [BR95] Current definition is slight refinement [BDPR98] Encryption scheme might be used in protocol Provides adversary with source of externally-generated ciphertexts Adversary wants to create ciphertext with unknown plaintext Source of such ciphertexts might help Challenge ciphertext must be new Known: PA CC-security [ibid] (CC-security still strongest possible without trusted third party) However, PA considered suspect, not widely used Due to use of random oracle Plaintext Awareness via Key Registration p.14/38

Necessity of the Random Oracle Sometimes possible to replace oracle with algorithm Abstraction of MD5, SHA-1 Not possible in general [CGH98,GT03] Not possible in this case Interface with oracle gives extractor a window into adversary s state Lost if oracle replaced with internal algorithm Plaintext Awareness via Key Registration p.15/38

Objections to the random oracle Plaintext Awareness via Key Registration p.16/38

Objections to the random oracle 1. Network overhead E, D now use oracle also Communication required for every operation Plaintext Awareness via Key Registration p.16/38

Objections to the random oracle 1. Network overhead E, D now use oracle also Communication required for every operation 2. Single global point of failure Security depends on secrecy of queries If the adversary gets queries, can run extractor to produce plaintext Random oracle knows every message Pray it s not corrupted! Plaintext Awareness via Key Registration p.16/38

Original Definition (concluded) Original definition of PA Used extended model of public-key encryption Added unrealistic third party (oracle) Required communication with oracle for every encryption/decryption Trusts oracle with every message Alternately, dubious replacement MD5 random oracle Plaintext Awareness via Key Registration p.17/38

Our Contribution Remove random oracle from PA Propose a more natural change to the model Add a third party already used in practice Use that party only once At key generation Trust that party with as little as possible Fail-safes to CC-security when party corrupted Also show an general-assumption implementation Plaintext Awareness via Key Registration p.18/38

Status Previous definition Our model Our definition Our implementation Plaintext Awareness via Key Registration p.19/38

Our model Two kinds of key-pairs: Receiver (e r, d r ) Sender (e s, d s ) Sender keys signature keys Encryption, decryption require both public keys Encryption requires sender s private key Decryption requires receiver s private key Public sending key registered with Registration Authority (RA) Plaintext Awareness via Key Registration p.20/38

Registration Authority Plays same role as certification authority Validates, publishes new public keys. Sender key generation and registration represented by protocol User RA User outputs public, private keys RA outputs (publishes) public key only Can think of RA issuing certificate for public key Implicitly assuming public-key infrastructure (PKI) Bind key to names, vice-versa Note: sender needs binding also For our purposes: RA validation ensures sender key has extractor Plaintext Awareness via Key Registration p.21/38

Status Previous definition Our model Our definition Our implementation Plaintext Awareness via Key Registration p.22/38

A two-part definition A scheme is plaintext-aware via key registration if: 1. Honest RA plaintext awareness There exists an extractor such that, if the adversary creates a ciphertext relative to a registered key, then the extractor can re-create the plaintext As before, extractor needs additional information Our definition: history of adversary s internal state 2. Chosen-ciphertext security Even if RA is corrupt (Best possible without trusted third party) Plaintext Awareness via Key Registration p.23/38

Chosen-ciphertext security CC-security even if RA is corrupted: oracle-calling adversaries A Pr[ (d r,e r ) G(1 k ); m 0,m 1 A D(,d r, ) (e r,e s ); b {0,1} ; c E(m b,e r,d s ); g A D( =c,d r, ) (c) : b = g] 1 2 + neg(k) Plaintext Awareness via Key Registration p.24/38

Chosen-ciphertext security CC-security even if RA is corrupted: oracle-calling adversaries A Pr[ (d r,e r ) G(1 k ); (e s,d s ) User (User A) ; m 0,m 1 A D(,d r, ) (e r,e s ); b {0,1} ; c E(m b,e r,d s ); g A D( =c,d r, ) (c) : b = g] 1 2 + neg(k) Plaintext Awareness via Key Registration p.24/38

Plaintext Awareness (1) There exists an extractor such that if the adversary creates a ciphertext with a registered key, then the extractor can re-create the plaintext. Who registers the key? User or adversary? Above should hold on both cases adversaries A, Pr[ (e r,d r ) G(1 k ); efficient algorithm Ext X c A(e X,e r ) : p Ext X (c,e r,e X ); p D(c,d r,e X ) : p = p ] 1 neg(k) Plaintext Awareness via Key Registration p.25/38

Plaintext Awareness (1) There exists an extractor such that if the adversary creates a ciphertext with a registered key, then the extractor can re-create the plaintext. Who registers the key? User or adversary? Above should hold on both cases adversaries A, X {A,User} efficient algorithm Ext X Pr[ (e r,d r ) G(1 k ); X (e X,d X ) (X RA) ; c A(e X,e r ) : p Ext X (c,e r,e X ); p D(c,d r,e X ) : p = p ] 1 neg(k) Plaintext Awareness via Key Registration p.25/38

Plaintext awareness (2) As in standard definition, extractor needs more than ciphertext We use internal history of adversary Contains all inputs, randomness, state transitions (Explicitly excluding erasure) adversaries A, X {A,User}, efficient algorithm Ext X Pr[ (e r,d r ) G(1 k ); (e X,d X ) OUT X,RA (X)e r, 1 k, ; c A(e X,e r ) : Ext X (,c,e r,e X ) = D(c,d r,e X ) ] 1 neg(k) Plaintext Awareness via Key Registration p.26/38

Plaintext awareness (2) As in standard definition, extractor needs more than ciphertext We use internal history of adversary Contains all inputs, randomness, state transitions (Explicitly excluding erasure) adversaries A, X {A,User}, efficient algorithm Ext X Pr[ (e r,d r ) G(1 k ); (e X,d X ) OUT X,RA (X)e r, 1 k, ; h H A; c A(e X,e r ) : Ext X (h,c,e r,e X ) = D(c,d r,e X ) ] 1 neg(k) Plaintext Awareness via Key Registration p.26/38

Plaintext awareness (3) Might as well allow adversary access to decryption oracle Encryption oracle? Now necessary: encryption uses private keys However, not general enough As before, adversary might be in protocol Access to externally-generated ciphertexts Represent this as arbitrary ally oracle L Looks at history of adversary Performs some computation, produces plaintext Encrypted, ciphertext given to adversary Encryption oracle functionality as special case Adversary s challenge ciphertext not from ally Plaintext Awareness via Key Registration p.27/38

Plaintext Awareness (4) adversaries A, X {A,User}, efficient algorithm Ext X, PPT allies L, Pr[ (e r,d r ) G(1 k ); (e X,d X ) OUT X,RA (X) e r, 1 k, ; h H A; c A L d X ( ),D(,d r, ) (e X,e r ) : Ext X (h,c,e r,e X ) = D(c,d r,e X ) given that c not from L ] 1 neg(k) Plaintext Awareness via Key Registration p.28/38

Status Previous definition Our model Our definition Our implementation Plaintext Awareness via Key Registration p.29/38

NM-NIZK: a useful tool Implementation will use non-malleable non-interactive zero-knowledge proofs [S99] Assume a fixed language L N P Exists a long random string σ Prover knows x L, witness Produces a proof π of x relative to σ Verifier checks proof against σ Plaintext Awareness via Key Registration p.30/38

NM-NIZK: a useful tool (2) Require four properties 1. (Completeness) If prover has x L and witness, then verifier accepts π. 2. (Soundness) If x L, no (malicious) prover can make verifier accept 3. (Zero-Knowledge) Proof π reveals nothing about witness 4. (Non-Malleability) A proof π for theorem x cannot be changed into a proof π for a theorem x Plaintext Awareness via Key Registration p.31/38

Sahai s Encryption Scheme Will build upon previous scheme [S99] Recipient key contains: Public portions of two (semantically-secure) key pairs Long random string σ Sender encrypts m by: Encrypting m in each key Proving (relative to σ) that ciphertexts contain same plaintext plaintext consistency Receiver decrypts by Checking proof against σ, and If valid, decrypting either ciphertext Shown to be secure against chosen-ciphertext attack Plaintext Awareness via Key Registration p.32/38

ZK proofs of knowledge We also need proof of knowledge [BG92] Slight variant to NIZK Typically interactive, but still zero-knowledge Proves both x L and prover knows witness Exists extractor that can produce witness Additional information: access to prover Plaintext Awareness via Key Registration p.33/38

The HLM Scheme Receiver key generated as in Sahai s scheme Sender public key contains 1. Semantically-secure encryption key 2. Signature key Sender proves knowledge (in ZK) of decryption key to RA RA issues certificate binding together encryption, signature keys To encrypt m, sender: Encrypt in all three keys Receiver s two and his own Prove plaintext consistency Signs ciphertexts, proof Decryption as before, plus signature verification Plaintext Awareness via Key Registration p.34/38

Proofs of security Theorem: The HLM scheme is plaintext-aware via key-registration Chosen-ciphertext security follows from Sahai s proof Need slightly stronger non-malleability properties of the NIZK proof system Plaintext awareness: adversary tries to create a new ciphertext relative to key registered by X Two cases: X is honest: extractor simply outputs Any other result from D means adversary forged signature Plaintext Awareness via Key Registration p.35/38

Proofs of security (2) X corrupted (key registered by adversary): Registration requires proof of knowledge for secret key Ciphertext contains proof of plaintext consistency Extractor Runs extractor from proof of knowledge system, gets private key Decrypts component ciphertext Technicality: adversary may create new ciphertext by changing signature on externally-generated ciphertext Modify definition of new ciphertext, or Use scheme with unique signatures (specific assumptions) Plaintext Awareness via Key Registration p.36/38

Conclusion Proposed a new definition of plaintext-awareness Uses a more natural model of public-key cryptography Utilizes existing third parties Grants them least possible trust No new network overhead Implemented under general assumptions Plaintext Awareness via Key Registration p.37/38

Future work Efficiency General-purpose proof systems inefficient Replace with faster (specific) implementations Anonymity Blind sender key? Plaintext Awareness via Key Registration p.38/38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback