1 / 17

On the ( Im )Possibility of Key Dependent Encryption

On the ( Im )Possibility of Key Dependent Encryption. Iftach Haitner Microsoft Research. Thomas Holenstein Princeton University. August 04, 2009. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A. outline.

tibor
Download Presentation

On the ( Im )Possibility of Key Dependent Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Onthe (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research Thomas Holenstein Princeton University August 04, 2009 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA

  2. outline • Define Key Dependent Message (KDM) secure encryption scheme • Two (impossibility) results • On fully-black-box reductions from KDM security to TDP • On strongly-black-box reductions from KDM security to “any” hardness assumption

  3. Weak Key Dependant Message Security What class of query functions (e.g., h) should be considered? In most settings, we should consider any(efficient) function An encryption scheme (Enc,Dec) is KDM secure, if for any efficient A Challenger Challenger A A kÃ{0,1}n kÃ{0,1}n ¼C h1:{0,1}n{0,1}m h1:{0,1}n{0,1}m Enck(Um) Enck(h2(k)) Enck(Um) Enck(h1(k)) h2 h2 A cannot find k … …

  4. Feasibility Results • Limited output length functions: • [Hofheinz-Unruh ‘08] based on any PKE • Family of affine functions: • [Bonhe-Halevi-Hamburg-Ostrovsky ‘08] based on DDH • [Applabaum-Cash-Peikert-Sahai ‘09] based on LPN/LWE • Efficient functions ??? • Any function • [Black-Rogway-Shrimpton ‘02] based on Random Oracle

  5. Our Impossibility Results (informal) It is impossible to construct (via black-box techniques) KDM encryption scheme that is secure against • the family of poly-wise independent hash functions, based on OWF • extends to TDP • any function, based on “any assumption” • We focus on the private key setting • Hold also for the “many PK keys” setting

  6. outline • Define Key Dependent Message (KDM) secure encryption scheme • Our (impossibility) results • On fully black-box reductions from KDM security to TDP • On strongly black-box reduction from KDM security to “any” hardness assumption

  7. Black-box construction Black-box proof of security Adversary for breaking KDM)Inverter for breaking OWF Fully-Black-Box Reduction from KDM security to OWF (Enc,Dec) Adversary forKDM OWF OWF Inverter forOWF

  8. Black-box proof of security Y Ã {0,1}n Breaks the KDM security of (Enc¼,Dec¼) A R OWF ¼ x 2¼-1(y)

  9. Impossibility Result for OWF Based Schemes There exists no fully-black-box reduction from KDM-secure encryption scheme to OWF, which is secure against the family of poly(n)-wise independent hash functions More formally: Let (Enc(),Dec()) be a OWF based encryption scheme, and let v(n) = |Enc()(M)|, for M2{0,1}2n. Then (Enc(),Dec()) cannot be proved (in a black-box way) to be KDM-secure against Hv(n)+n– a family of (v(n)+n)-independent hash functions from{0,1}n to{0,1}2n

  10. Our adversary 1) Select h ÃHv(n)+n 2) On input C, output (the first) ks.t. Deck(C) = h(k) Y Ã {0,1}n A R OWF ¼ … h 1n c k x2¼-1(y) A breaks the (weak) KDM security of (Enc¼,Dec¼) ¼ is hard to invert in the presence of A.Proof: a la’ [Simon ‘98] /[Gennaro-Trevisan ‘01, H-Hoch-Reingold- Segev ‘07]

  11. outline • Define Key Dependent Message (KDM) secure encryption scheme • Our (impossibility) results • On fully black-box reductions from KDM security to TDP • On strongly black-box reductions from KDM security to “any” hardness assumption

  12. Let ¡ be a cryptographic assumption (e.g., factoring is hard) Arbitrary construction Black-box proof of security. The query function h is treated as a black box Strongly Black-Box Reduction from KDM security to ¡ Adversary forKDM Adversary for¡

  13. Strongly Black-box proof of security A break the KDM security of (Enc,Dec) A Factoring is hard ¡ R for breaking ¡ … h n = pq 1n c k p,q h is only accessed via its input/output interface Access to h is not given to a “third party”

  14. Impossibility Result for Strongly Black-Box Reductions Assume that there exists a strongly-black-box reduction from KDM encryption scheme to ¡, which is secure against On– the family of random functions from {0,1}n to{0,1}2n. Then ¡ can be broken unconditionally

  15. Our Adversary 1) Select h ÃOn 2) On query C, output (the first) k s.t. Dekk(C) = h(k) Breaks the KDM security of (Enc,Dec) A ¡ R A breaks the (weak) KDM security of (Enc,Dec) RA,¡can be efficiently emulated

  16. The Emulation A ¡ R h … hÃOn c k 1n x1 x2 h(x1) h(x2) Answer to h(xi) with a random yi2{0,1}2n (while keeping consistency) On query C, return(the first) xis.tDecxi(C) = yi Proof Idea: the probability that h(k)= Deck(C) for non-queried k, is 2-2n

  17. Further Issues • Both bounds hold for 1-1 PRF Open questions • Prove feasibility result against larger class of functions • Extend the first impossibility result to other assumptions (e.g., “Generic Groups”)

More Related