Public-Key Encryption in the Bounded-Retrieval Model

PUBLIC-KEY ENCRYPTION IN

THE BOUNDED-

RETRIEVAL MODELJoël Alwen, Yevgeniy Dodis, Moni Naor,

Gil Segev, Shabsi Walfish, Daniel Wichs

Speaker: Daniel Wichs

Motivation: Leakage-Resilient Crypto

Security proofs in crypto assume idealized adversarial model. e.g. adversary sees public-keys, ciphertexts but not secret-

keys.

Reality: schemes broken using “key-leakage attacks”. Side-channels: timing, power consumption, heat, acoustics,

radiation. The cold-boot attack. Hackers, Malware, Viruses.

Usual Crypto Response: Not our problem. Blame the Electrical Engineers, OS programmers…

Leakage-Resilient Crypto: Let’s try to help. Primitives that provably allow some leakage of secret key. Assume leakage is arbitrary but incomplete.

f(sk)

Models of Leakage Resilience

Adversary can learn any efficiently computable function f : {0,1}* {0,1}L of the secret key. L = Leakage Bound.

Relative Leakage Model [AGV09, DKL09, NS09,…].

“Standard” cryptosystem with small keys (e.g. 1,024 bits).

Leakage L is a large portion of key size. (e.g. 50% of key size).

Bounded Retrieval Model [Dzi06,…,ADW09]: Leakage L is a parameter. Can be large.

(e.g. few bits or many Gigabytes).

Increase sk size to allow L bits of leakage. System must remain efficient as L grows:

Public keys, ciphertexts, encryption/decryption times should be small, independent of L.

sk

leak

Why design schemes for the BRM?

Security against Hackers/Malware/Viruses: Attacker can download arbitrary info from compromised

system. Leakage is large, but still bounded (e.g. < 10 GB).

Bandwidth too low, Cost too high, System security may detect. Protect against such attacks by making secret key large.

OK since storage is cheap. Everything else needs to remain efficient!

Security against side-channel attacks: After many physical measurements, overall leakage may

be large. Still may be reasonable that it is bounded on absolute scale. How “bounded” is it? Varies! (few Kb – few Mb).

Prior Work on Leakage Resilience

Restricted classes of leakage functions. Individual bits of memory [CDH+00, DSS01,KZ03]. Individual wires of

comp [ISW03] “Only Computation Leaks Information” [MR04, DP08, Pie09] Low Complexity functions [FRT09]

Does not seem applicable to e.g. hacking/malware attacks. Relative Leakage Model.

Symmetric-Key Authenticated Encryption [DKL09] Public-Key ID, Signatures, AKA [ADW09, KV09] Public-Key Encryption [AGV09, NS09]

Bounded Retrieval Model. Symmetric-Key Identification, Authenticated Key Agreement

[Dzi06,CDD+07] Public-Key ID, “Entropic” Sigs, AKA [ADW09]

This work: Public-Key Encryption (and IBE) in the BRM.

Definition of Leakage-Resilient PKE in BRM

Relative Leakage: 9 L = L(s) for which scheme secure. L should be “relatively large”: maximize ratio of L to|sk|.

BRM: Secure 8 polynomial L = L(s). KeyGen depends on L. Efficiency: 9 polynomial p(s) 8 polynomial L(s):

{pk size, cipher text size, encryption/decryption times} ≤ p(s) Relative Leakage: also maximize ratio of L to |sk|.

Adversary

Challenger(pk,sk) Ã

KeyGen(1s ) pk

f : {0,1}* ! {0,1}L

f(sk)

m0, m1

bÃ {0,1} cÃEncrypt(mb,pk)

cOutput b’

, L

|Pr[b = b’]- ½| is negligible

Outline of Talk

A template for constructing BRM schemes in 3 easy steps. Explains connection of Public-Key Encryption in BRM to IBE. Highlights main ideas, but is incomplete.

Define Hash Proof Systems (HPS) and Identity-Based HPS. HPS ) leakage-resilient PKE in relative-leakage model [NS09]. IB-HPS ) leakage-resilient IBE in relative-leakage model.

Brief overview of IB-HPS constructions and parameters.

Show how IB-HPS naturally extends to the BRM. Get PKE and IBE schemes in the BRM.

Assume: Have scheme resilient to L’ bits of leakage. Given L, construct scheme resilient to L bits of leakage.

Answer 1: Inflate the security parameter s until L’(s) > L. Answer 2: Parallel-Repetition. Take n copies of the scheme.

Choose n pairs (pk1,sk1),…,(pkn,skn). Set PK = (pk1,…,pkn ) , SK = (sk1,…,skn)

To encrypt under PK: n-out-of-n “secret-share” message: SS(m) = (m1,…,mn). Encrypt each share mi separately ci = Enc(mi, pki). Send C = (c1,…,cn).

Intuition: Scheme should tolerate L = nL’ bits of leakage. If leakage on SK is < L = nL’ bits then leakage on some ski is < L’

bits.

• Wait! That’s not how leakage works!• Learning f(sk’) with L = nL’ bit output NOT the same as learning gi(ski) with L’ bit output.

• Q: Does parallel-repetition amplify leakage-resilience?• A1: No general black-box reduction is possible.• A2: Works if original PKE has extra properties.

• What about efficiency? Does not satisfy BRM.

Template for BRM Schemes:1. Leakage Amplification (via Parallel-Repetition)

Template for BRM Schemes:2. Efficiency via Random-Subset Selection

Encryption Decryption

sk1

sk2

sk3

skn

…

SKPKpk1

pk2

pk3

pkn

…

sk4

sk5

pk4

pk5

n-out-of-n “secret-share” message: SS(m) = (m1,…,mn).Encrypt each share mi under pki.

c1 = Enc(m1, pk1)

cn = Enc(mn, pkn)

c2 = Enc(m2, pk2)c3 = Enc(m3, pk3)c4 = Enc(m4, pk4)c5 = Enc(m5, pk5)

Scheme from last slide



sk1

sk2

sk3

skn

…

SKPKpk1

pk2

pk3

pkn

…

sk4

sk5

pk4

pk5

Choose t random key-pairs and only use these to encrypt.

keys={2,4,…,n}



sk1

sk2

sk3

skn

…

SKPKpk1

pk2

pk3

pkn

…

sk4

sk5

pk4

pk5

ct = Enc(mt, pkn)

c1 = Enc(m1, pk2)

c2 = Enc(m2, pk4)

Choose t random key-pairs and only use these to encrypt.

t-out-of-t “secret-share” message: SS(m) = (m1,…,mt).Encrypt each share mi under the i th chosen public-key.

Hope: t can be much smaller than n, only proportional to s.Leakage < εL’n means only ε fraction of secret-keys “badly compromised”.

keys={2,4,…,n}

…


sk1

sk2

sk3

skn

…

SKPK = MPK

sk4

sk5

ct = Enc(mt, ID = n)

c1 = Enc(m1, ID=1)

c2 = Enc(m2, ID=4)

keys={2,4,…,n}

…

Template for BRM Schemes:3. Adding a Master Public Key.

• Use Identity-Based Encryption (IBE).• The component secret keys ski correspond to secret-keys for identities i.• The master-secret-key msk of the IBE is only used to generate SK.


sk1

sk2

sk3

skn

…

SKPK = MPK

sk4

sk5

keys={2,4,…,n}

…

Template for BRM Schemes:3. Adding a Master Public Key.

• Scheme meets the efficiency requirements of the BRM.

• Security?• Does not amplify leakage-resilience in general

(counterexample).• Rest of talk: making it work with “special” IBE

constructions.

ct = Enc(mt, ID = n)

c1 = Enc(m1, ID=1)

c2 = Enc(m2, ID=4)

A template for constructing BRM schemes in 3 easy steps. Highlights main ideas, but is incomplete. Explains connection of Public-Key Encryption in BRM to IBE.



Show how IB-HPS naturally extends to the BRM. Use IB-HPS to get PKE and IBE schemes in the BRM.

Outline of Talk

Hash Proof Systems

Simplified presentation as a key-encapsulation scheme: (pk, sk)ÃKeyGen(1s) (c, k)ÃEncap(pk) k’ Ã Decap(c, sk)

Correctness: k = k’ (with overwhelming prob). KEM Security: (pk, c, k) ¼c (pk, c, $)

HPS is a special way to prove KEM security.

Hash Proof Systems

Simplified presentation as a key-encapsulation scheme: (pk, sk)ÃKeyGen(1s) (c, k)ÃEncap(pk) (valid encapsulation) c* Ã Encap*(pk) (invalid encapsulation) k’ Ã Decap(c, sk)

Correctness: k = k’ (with overwhelming prob). KEM Security: (pk, c, k) ¼c (pk, c, $)

HPS is a special way to prove KEM security.

Hash Proof Systems Simplified presentation as a key-encapsulation scheme:

(pk, sk)ÃKeyGen(1s) (c, k)ÃEncap(pk) (valid encapsulation) c* Ã Encap*(pk) (invalid encapsulation) k’ Ã Decap(c, sk)

Correctness: k = k’ (with overwhelming prob). Valid/invalid indistinguishability given sk: (pk, sk, c) ≈c (pk, sk, c*) Decapsulation of an invalid ciphertext c* has statistical entropy:

(m, ½)-Universality: Conditioned on fixed value of pk: H1(sk) ¸ m. 8 sk sk’ Prc*[Decap(c*, sk) = Decap(c*, sk’)] · ½.

Smoothness: for fixed pk, (c*, k*) ¼s (c*, $) where k* Ã Decap(c*, sk). L-Leakage-smoothness: (c*, k*, f(sk)) ¼s (c*, $, f(sk)) where |f(sk)|=L.

Hash Proof Systems

Simplified presentation as a key-encapsulation scheme: (pk,sk)ÃKeyGen(1s) (c, k)ÃEncap(pk) (valid encapsulation) c* Ã Encap*(pk) (invalid encapsulation) k’ Ã Decap(c, sk)

Correctness: k = k’ (with overwhelming prob). Valid/invalid indistinguishability given sk: (pk, sk, c) ≈c (pk, sk,

c*) Decapsulation of an invalid ciphertext c* has statistical entropy:

(m, ½)-Universality: Conditioned on fixed value of pk: H1(sk) ¸ m. 8 sk sk’ Prc*[Decap(c*, sk) = Decap(c*, sk’)] · ½.

Smoothness: for fixed pk, (c*, k*) ¼s (c*, $) where k* Ã Decap(c*, sk). L-Leakage-smoothness: (c*, k*, f(sk)) ¼s (c*, $, f(sk)) where |f(sk)|=L.

Relationship Between Universality/Smoothness/Leakage

• An (m, ½)-Universal HPS with k 2 {0,1}v is “L-Leakage smooth” when L < m – v – (s) , ½ < (1/2v)(1 + negl(s)).

• Any “smooth” HPS with k 2 {0,1}v can be composed with an extractor to get “L-leakage smooth” HPS with L = v - (s).

HPS ) Leakage-Resilient PKE [NS09]

Theorem : A smooth HPS is a good KEM (standard). A L-leakage-smooth HPS is a L-leakage-resilient KEM:

(pk, f(sk), c, k) ¼c (pk, f(sk), c, $) where (c, k) Ã Encap(pk)

Proof:(pk, f(sk), c, k) ¼s (pk, f(sk), c, k’) where (c, k) Ã Encap(pk)

k’ Ã Decap(c, sk) ¼c (pk, f(sk), c*, k’) where c* Ã Encap*(pk)

k’ Ã Decap(c*, sk)

¼s (pk, f(sk), c*, $)

¼c (pk, f(sk), c, $)

Correctness

Valid/Invalid Indistinguishability

Valid/Invalid Indistinguishability

L-Leakage-Smoothness

Example Based on DDH

Params: prime p, group G of order p, generators (g, h)

KeyGen: sk = (a, b) pk = ga hb

Encap(pk): c = (gx, hx) k = (pk)x = gaxhbx

Decap(c, sk): Parse c = (u,v) k’ = uavb Encap*(pk): c* = (gx, hy)

Correctness: If u=gx, v=hx then k’ = (gx)a(hx)b = k. Valid/Invalid indistinguishability follows from DDH. (m,½)-universal for m= log(p), ½ = 1/p. Also smooth.

Need an extractor to get L-leakage-smoothness for L ¼ log(p), L/|sk| ¼ ½.

Generalizes to t generators: m = (t-1)log(p), ½ = 1/p. No extractor! Construction is L-Leakage-smooth for L ¼ (t-2)log(p),

L/|sk| ¼ (1- 2/t) ¼ (1- ²).

Identity-Based HPS (IB-HPS) (mpk, msk) Ã ParamGen(1s) skID Ã KeyGen(ID, msk) (c, k)ÃEncap(ID, mpk) (valid encapsulation) c* Ã Encap*(ID, mpk) (invalid encapsulation) k’ Ã Decap(c, skID)

Valid/Invalid indistinguishability holds for all ID, even if adversary sees “all” identity-secret keys skID (but not msk).

Decapsulation of an invalid ciphertext c* has statistical entropy: (m, ½)-Universality:

Conditioned on fixed value of mpk, msk, ID: H1(skID) ¸ m.

8 skID skID’ Prc*[Decap(c*, skID) = Decap(c*, skID’)] · ½.

L-leakage smoothness: for fixed mpk, msk, ID (f(skID), c*, k*) ¼s (f(skID), c*, $) if |f(sk)|=L.

IB-HPS: Valid/Invalid Indistinguishability

(mpk, msk) Ã ParamGen(1s )

skID

bÃ {0,1} If b=0, c Ã Encap(ID)else c Ã Encap*(ID)

c

Output b’

mpk

ID

Challenge ID

skID

ID

|Pr[b = b’]- ½| is negligible

Identity-Based HPS (IB-HPS)

(mpk, msk) Ã ParamGen(1s) skID Ã KeyGen(ID, msk) (c, k)ÃEncap(ID, mpk) (valid encapsulation) c* Ã Encap*(ID, mpk) (invalid encapsulation) k’ Ã Decap(c, skID)

Valid/Invalid indistinguishability holds for all ID, even if adversary sees the identity-secret keys skID (but not msk).

Decapsulation of an invalid ciphertext c* has statistical entropy: (m, ½)-Universality:

Conditioned on fixed value of mpk, msk, ID: H1(skID) ¸ m.

8 skID skID’ Prc*[Decap(c*, skID) = Decap(c*, skID’)] · ½.

L-leakage smoothness: for fixed mpk, msk, ID (f(skID), c*, k*) ¼s (f(skID), c*, $) if |f(sk)|=L.

IB-HPS ) Leakage-Resilient IBE

Theorem: A “smooth” IB-HPS is a IB-KEM. A “L-leakage-smooth” IB-HPS is a “L-leakage-resilient” IB-KEM.

Allows leakage from secret-keys of all identities, but not the master secret key.

Allows us to construct leakage-resilient IBE.

Proof is analogous to the non-identity-based setting.




Show how IB-HPS naturally extends to the BRM. Get PKE and IBE schemes in the BRM.

Outline of Talk

Constructions

Three constructions of IB-HPS based on prior IBE schemes. [Gen06]: Using “bilinear groups.

Based on the “q-TABDHE” assumption in the standard model. Leakage-resilient IBE with relative-leakage ¼ ½.

[BGH07]: Based on “quadratic residuosity”. Requires Random Oracles or an “interactive assumption”. Only 1 bit of entropy in identity-secret-key. No leakage in IBE. Fixed with BRM transformation (stay tuned).

[GPV08]: Based on lattices and the LWE problem. Requires Random Oracles or an “interactive assumption”. Leakage-resilient IBE with relative-leakage ¼ (1-²). [AGV09]

All schemes are “smooth” and (m,½)-universal for m¸ 1, ½ · ½.




Show how IB-HPS naturally extends to the BRM. Use IB-HPS to get PKE and IBE schemes in the BRM.

Outline of Talk

Leakage Amplification of IB-HPS

IB-HPS with small leakage ) IB-HPS with BIG leakage. Map n “identities” in small scheme to single identity in BIG

scheme. Secret-keys in BIG scheme consists of n “components” small

keys. To encapsulate: select random “t-out-of-n” small identities.

Encapsulate to each one separately. Apply a “universal-hash-function” g to symmetric-keys k1,…, kt.

ID = “Bob”ID = “Bob_1”sk1

sk2

sk3

skn

…

sk4

sk5

ID = “Bob_2”

ID = “Bob_n”

SK for Bob

Encap: S=(S1,…,St) 2 [n]t

(ci, ki) Ã Encap(“Bob_”Si)g: universal hashC = (S, c1,…,ct, g) K = g(k1,…,kt)

Leakage Amplification of IB-HPS

Assume: we start with (m, ½)-universal IB-HPS, for constant ½ < 1.

Theorem: For any constant ² >0, there exists a t = O(s) such that construction is L-leakage smooth for L = (1-²)nm – s.

Proof: Identity-secret-keys in construction have H1(SK) = nm.

Universal? No! If keys differ in a single component thenPrc*[Decap(C*, skID) = Decap(C*, skID’)] is high.


sk2

sk3

skn

…

sk4

sk5

ID = “Bob_2”

ID = “Bob_n”

SK for Bob



“Approximate” Leftover-Hash Lemma

New notion: “approximately universal” hashing. Any two values that are “far enough” in Hamming distance

are unlikely to collide. “Approximate” Leftover-Hash Lemma generalizes LHL.

Need extra log (volume of Hamming ball) entropy over LHL. Easy to show: construction is “approximately universal”.


sk2

sk3

skn

…

sk4

sk5

ID = “Bob_2”

ID = “Bob_n”

SK for Bob



Putting it all together…

Theorem: Assume there exist (m,½)-universal IB-HPS with m¸ 1 and ½ < 1. Then there exists PKE (and IBE) schemes in the BRM.

For any ² > 0: Secret-key size can be made as small as |SK| = (1+ ²)(|sk|/m)L Relative leakage as large as L/|SK| = (1- ²)m/|sk|.

No matter what the leakage bound L is: Public-key size |PK| is the same as |mpk|. Ciphertext size, encryption/decryption times differ by an O(s)

factor from those of the small scheme.

Extensions

Smaller ciphertexts in BRM. Anonymous encapsulation (property of QR, Lattice schemes):

Sample ciphertext c and “witness” w independently of ID. Using witness w, can compute symmetric-key k for any ID.

Gives us anonymous IBE. In BRM construction, only need to send one ciphertext c.

We get different “approximately universal” parameters. Only good for QR scheme.

CCA security. Generic Naor-Yung paradigm preserves leakage [NS09] and

BRM efficiency. Efficient CCA secure leakage-resilient IBE based on [Gen06].

Relative leakage is (1/6 - ²).

Parameters

Scheme Assumption

Relative

Leakage

CT Expansi

on

Locality

BilinearGroups[Gen06]

ABDHE 1/2 O(s) O(s)

QuadraticResidu

osity[BGH07]

QR + RO

1/O(s) O(1) O(s)

Lattices[GPV08]

LWE + RO

(1-²) O(s) O(s)

Open Questions

Does PKE in BRM require IBE? Or at least some simplified version of it?

Is there a counterexample to parallel-repetition amplifying leakage-resilience of PKE? (no random-subsets, IBE).

More constructions of IB-HPS. Can we get best of all worlds? No RO, (1- ²)-relative-leakage, anonymous encapsulation.

Efficient CCA secure PKE in BRM without RO and large relative-leakage.

Thank You!

Questions?

Documents

Public-Key Encryption in the Bounded-Retrieval Model