1 / 31

Unconditionally Secure Chaffing-and-Winnowing for Multiple Use

Unconditionally Secure Chaffing-and-Winnowing for Multiple Use. Wataru Kitada 1 , Goichiro Hanaoka 2 , Kanta Matsuura 1 , Hideki Imai 2 1. IIS, the University of Tokyo 2. RCIS, AIST. Overview of This Work. We show:.

kendra
Download Presentation

Unconditionally Secure Chaffing-and-Winnowing for Multiple Use

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada1, Goichiro Hanaoka2, Kanta Matsuura1, Hideki Imai2 1. IIS, the University of Tokyo2. RCIS, AIST

  2. Overview of This Work We show: • Detailed analysis of Chaffing-and-Winnowing (C&W) under multiple-use setting • More efficient Chaffing-and-Winnowing • C&W for n-time use from n-spoofing secure A-code • practical C&W from A-code with a specific property

  3. Contents • Overview • Unconditionally Secure C&W for Multiple Use • C&W with one authentication tag • Future Work and Conclusion

  4. Overview • Chaffing and Winnowing • Previous Work • Our Contribution • Unconditionally Secure C&W for Multiple Use • C&W with one authentication tag • Future Work and Conclusion

  5. Chaffing-and-Winnowing (C&W) • A technique to achieve confidentiality without using encryption when sending data over an insecure channel. • Proposed by R. Rivest “Chaffing and winnowing: confidentiality without encryption” http://theory.lcs.mit.edu/~rivest/publications.html

  6. Basic Idea • Send plaintext directly • No encryption is performed • Send dummies with the plaintext. chaff • Only one of the plaintext is authentic, the other ones are dummies • Receiver can distinguish plaintext (wheat) from dummies (chaff). winnow • Being able to distinguish plaintext from dummies would require an adversary to know the secret key.

  7. Chaffing-and-Winnowing • Example • Authentication code (A-code) : Ak(M) • Plaintext: “Hi Bob” “Hi Bob” (“Hi Bob”,A1),(“Hi Larry”,A2) ComputeAk(“Hi Bob”) and Ak(“Hi Larry”)CompareAk(“Hi Bob”) and A1,Ak(“Hi Larry”) and A2 A1=Ak(“Hi Bob”)A2=Ak’(“Hi Larry”)

  8. Previous Work • Bellare and Boldyreva, ASIACRYPT 2000 • Showed the security of C&W in the computationally secure setting • Hanaoka et al., AAECC 2006 (HHHWI06) • Showed the security of C&W in the unconditinally secure setting

  9. Main Result of HHHWI06 We can achieve: Theorem 1 Impersonation- secure A-code Perfectly secure encryption C&W Theorem 2 Impersonation- and substitution- secure A-code Perfectly secure andNon-Malleableencryption C&W

  10. Related Work • Stinson, manuscript, 2006 • “Unconditionally secure chaffing and winnowing with short authentication tags” • construct C&W from short authentication tags Impersonation- secureA-code with short tag Perfectly secure encryption C&W

  11. Our Contribution • Our work is extension of HHHWI06 • HHHWI06 only consider the case in one-time use • Then, we extend for multiple use • In other words, to generalize the HHHWI06 • Detailed analysis of C&W under multiple-use setting • construct unconditionally secure C&W for multiple use • show C&W with one authentication tag

  12. One-time/Multiple Use One-time use Multiple use

  13. Overview • Unconditionally Secure C&W for Multiple Use • Security Notions • Our Result • Construction and Comparison • C&W with one authentication tag • Future Work and Conclusion

  14. Security on A-code n-Spoofing Impersonation Substitution

  15. Perfect Security n-Perfect Security (n-PS) Perfect Security

  16. Non-Malleability (1/2) • An adversary is given n ciphertexts • Corresponding plaintexts are • Non-Malleability: • inability to generate a ciphertextwhose plaintext is related to • for example • Definition

  17. Non-Malleability (2/2) n-Non-Malleability (n-NM) Non-Malleability

  18. Our Results (1/3) • Construct unconditionally secure C&W for multiple use • from n-spoofing secure A-code to n-perfectly secure (n-PS) encryption • from (n+1)-spoofing secure A-code to n-perfectly secure (n-PS) and n-Non-Malleable (n-NM) encryption

  19. Our Results (2/3) n-spoofing secure A-code n-PS encryption C&W (n+1)-spoofing secure A-code n-PS andn-NM encryption C&W

  20. Our Results (3/3) HHHWI06 Imp A-code n-spoofing secure A-code PS encryption n-PS encryption C&W C&W Our Result Imp and Sub A-code (n+1)-spoofing secure A-code PS and NMencryption n-PS andn-NMencryption C&W C&W

  21. Construction

  22. Comparison

  23. Overview • Unconditionally Secure C&W for Multiple Use • C&W with one authentication tag • Future Work and Conclusion

  24. Overview (1/2) • C&W with one authentication tag • If the underlying A-code has a specific property, we can construct C&W with one authentication tag n-Spf A-code with a specific property n-PS encryption with one tag C&W (n+1)-Spf A-code with a specific property n-PS andn-NM encryption with one tag C&W

  25. Overview (2/2) • From this result, we can see that theseA-codes can be seen as conventional encryptions • we prove that to send one tag corresponding to the message is secure Authentication Encryption Can be seen as

  26. The specific property • “For all a, there exists at least one k such that, for all m, Ak(m)=a” • There exists an example of an A-code which is n-Spoofing secure and has this property For example:

  27. Construction

  28. Comparison The construction with one tag is practical

  29. Overview • Unconditionally Secure C&W for Multiple Use • C&W with one authentication tag • Future Work and Conclusion

  30. Future Work • Remove the restriction that(like Stinson’s work) • In [Stinson’06], C&W is constructed from A-code with short tags (more weak A-code) • [Stinson’06]D.R. Stinson, “Unconditionally secure chaffing and winnowing with short authentication tags,” Cryptology ePrint Archive, Report 2006/189, 2006.

  31. Conclusion • Detailed analysis of C&W under multiple-use setting • from n-Spf secure A-code to n-PS encryption • from (n+1)-Spf secure A-code to n-PS and n-NM encryption • More efficient Chaffing-and-Winnowing • C&W for n-time use from n-spoofing secure A-code • practical C&W from A-code with a specific property • provide same function as conventional encryption

More Related