1 / 32

On Forward-Secure Storage

On Forward-Secure Storage. Stefan Dziembowski Warsaw University and University of Rome La Sapienza. The m ain idea. Limited Communication Model : Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen . D.

samira
Download Presentation

On Forward-Secure Storage

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Forward-Secure Storage Stefan Dziembowski Warsaw University and University of Rome La Sapienza

  2. The main idea Limited Communication Model: Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen. D. Intrusion-Resilience via the Bounded-Storage Model TCC 2006 D. Cash, Y. Z. Ding, Y. Dodis, W. Lee, R. Lipton and S. Walfish Intrusion-Resilient Authentication in the Limited Communication Model (There it was used to construct intrusion-resilient protocols for authentication and session-key generation.)

  3. The problem that we consider • One of the following happens:  • The key Kleaks to theadversary • or • The adversary breaks thescheme key K message M C = E(K,M) installs a virus C retrieves C The adversary can compute M

  4. Our idea Design an encryption scheme such that the ciphertext C is so large that the adversarycannot retrieve it completely message M ciphertext C=Encr(K,M) We call it a Forward-Secure Storage (FSS)

  5. Practicality?

  6. Forward-Secure Storage We allow the adversary to compute an arbitrary function h of C. length t ciphertext C=Encr(K,M) function h retrieved value U=h(C) length s << t K M ?

  7. Computational power of the adversary We consider the following variants: • computational: the adversary is limited to poly-time • information-theoretic: the adversary is infinitely-powerful • hybrid: the adversary gains infinite powerafterhe computed the function h.This models the fact that the in the future the current cryptosystems may be broken!

  8. Our Contribution • Formal definition of FSS • Constructions of FSS schemes: • IT-secure • computationally-secure • a scheme with a conjectured hybrid security • Connections with the theory of Harnik and Naor

  9. A tool: theBounded Storage Model It turns out that this is related to the BoundedStorage Model (BSM) [Maurer 1992] In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store. The computing power of the adversary may be unlimited!

  10. randomizer R: 000110100111010010011010111001110111 111010011101010101010010010100111100 001001111111100010101001000101010010 001010010100101011010101001010010101 can perform any computation on R, but the resultU=h(R) has to be much smaller than R X = f(K,R) The Bounded-Storage Model (BSM) –an introduction short initial keyK randomizer disappears knows: U=h(R) Eve shouldn’t be able to distinguishXfrom random X ?

  11. BSM – previous results Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04]. Of course their security depends on the bound on the memory of the adversary. We call a function s-secureif it is secure against an adversary that has memory of a size s.

  12. How is BSM related to our model? Seems that the assumptions are oposite:

  13. BSM vs. LCM Bounded-Storage Model: R comes from a satellite stored value U Limitted-Communication Model: Cis stored on a computer retrieved value U

  14. Information-theoretic solution – a wrong idea f– s-secure in the BSM key f( , ) K R = X message M xor Y ciphertextin the BSMencryption ciphertext (R,Y) Shannon theorem this cannot work!

  15. What exactly goes wrong? Suppose the adversary has some information about M. He can see (R, f(K,R) xor M ). So, he can solve (for K) the equation W = f(K,R) xor M. If he has enough information about M and K is short, he will succed! Idea: “Blind” the message M! denote itW

  16. A better idea key is a pair (K,Z) f( , ) K R = X Z message M xor Y ciphertext (R,Y)

  17. Why does it work? Intuition The adversary can compute any function h of:  Y is of no use for him, since it is xor-ed with a random string Z!  So if this FSS scheme can be broken then also the BSM function f can be broken  (by an adversary using the same amount of memory). R Y = f(K,R) xor M xor Z

  18. Problem with the information-theoretic scheme The secret key needs to be larger than the message! What if we want the key to be shorter? We need to switch to the computational settings...

  19. Computational FSS (with a short key) (Encr,Decr) – an IT-secure FSS (E,D) – a standard encryption scheme Encr1( )= , K M Encr( , ) large K K’ E( ) , small K’ M K’ is a random key for the standard encryption scheme Intuition: when the adversary learns K he has no idea about K’and therefore no idea about M.

  20. Hybrid security What about the hybrid security? Recall the scenario: ciphertext C=Encr(K,M) h retrieved value U=h(C) M ?

  21. Is this scheme secure in the hybrid model? The adversary retrives only the second part!  Later, when she gets infinite computing  power, she can recover the message M!  Thus, the scheme is not secure in the  hybrid model! Encr( , ) K K’ E( ) , K’ M

  22. A scheme (Encr2,Decr2) Does there exist an FSS scheme with hybrid security (and a short key)? Idea: Generate Kpseudorandomly! (Encr,Decr) – an IT-secure FSS G– a cryptographic PRG )= Encr2( , K M Encr( ) , G(K) M

  23. Is the scheme from the previous slide secure? It cannot be IT-secure, but is it • computationally-secure? • secure in the hybrid model? We leave it as an open problem. Looks secure... We can show the following: Very informally, it is secure if one-way functions cannot be used to construct Oblivious Transfer.

  24. Computational security of Encr2 (1/2) there exists an adversary A that breaks the (Encr2,Decr2) scheme We show that if then one can construct an Oblivious Transfer protocol with: • an unconditional privacy of the Sender • privacy of the Receiver based on the security of the PRG G.

  25. Computational security of Encr2 (2/2) Simplification: assume that |M| = 1 and the adversary can guess it with probability 1. We construct an honest-but-curiousRabin OT. sender input: M receiver X = G(K) with prob.0.5 Xis random with prob. 0.5 A computationally-limited sender cannot distinguish these cases! K Encr(X,M) U - memory of the adversary If X = G(K) then the adversary outputs M. If X is random then the receiver learns nothing about M (this follows from the IT-security of Encr)! M

  26. How to interpret this result? Which PRGs Gare safe to use in this protocol? In some sense: “those that cannot be used to construct OT”. But maybe there exist “wrong” PRGs... (see: S. Dziembowski and U. Maurer On Generating the Initial Key in the Bounded-Storage Model, EUROCRYPT '04)

  27. Hybrid security of Encr2 • The argument for the hybrid security is slightly weaker. • We can construct only an OT-protocol with a computationally-unbounded algorithm for the Receiver... • This is because the receiver has to simulate an unbounded adversary. receiver

  28. Summary

  29. A complexity-theoretic view Suppose the adversary wants to know if a given C is a ciphertext of some message M. NP-language: L = {C : there exists K such that C = Encr(K,M)}. standard encryption FSS Can we compress Cto someU, s.t. |U| << |C| so that later we can decide if C is inLbasing on U, and using infinite computing power? is C in L?

  30. The theory of Harnik and Naor This question was recently studied in: Danny Harnik, Moni Naor On the Compressibility of NP Instances and Cryptographic Applications FOCS 2006 See also: Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient Sampling STOC 2006

  31. Compressibility of NP Instances Informally, an NP language L is compressible if there exists an efficient algorithm that compresses every string X to a shorter string U, in such a way that an infinitely-powerful solver can decide if X is inL basing only on U. Proving that some language is incompressible (from standard assumptions) is an open problem. . This is why showing an FSS scheme provably-secure in the hybrid model may be hard!

  32. Questions? ?

More Related