On Everlasting Security in the Hybrid Bounded Storage Model


Danny Harnik, Moni Naor

**Talk Overview**
• The Bounded Storage Model and everlasting security.
• The Hybrid Bounded Storage Model
• Negative results for encryption
• Positive results for encryption

**The Bounded Storage Model**
Alternative cryptographic setting:
• “Mainstream Cryptography”: Assume parties are time bounded (run in polynomial time).
• This model: Assume parties have bounded storage.

**Bounded Storage Model - the setting [Maurer 92]**
• A long random string R is transmitted.
• Honest parties store small portions of R.
• Adversary allowed to store almost all of R.
• Random string is no longer available.
• Bound is only at end of transmit stage.
[Figure: Alice, Bob and the Adversary observe a long random string R of length r; the adversary stores ¾r bits (an arbitrary function of R).]

**Shared Key Encryption**
• Parties meet in advance and share a (short) secret key k.
• When R is transmitted Alice and Bob store S_k, a small portion of R, determined by k.
• Adversary does not know k and with overwhelming probability does not store all of S_k.
• Use S_k to encrypt the message.
[Figure: Alice and Bob each hold k and store S_k from a long random string R of length r; the Eavesdropper does not know k.]

**Shared Key Encryption - Properties**
• Abundance of work on this setting:
  • [Mau92, CM97, AR99, ADR02, DR02, DM02, Lu02, Vad03].
• State of the art requires low storage from Alice and Bob:
  • |S_k| = log r + log 1/ε + m
  • |k| = log r + log 1/ε
• Everlasting security [ADR]: Security guaranteed even if at a later stage the adversary learns the key k or gains more memory.
• Security does not require any computational assumptions.
• What if Alice & Bob don’t meet in advance???

**Public Key Encryption in the BSM**
• [CM97] show a method of constructing a Key Agreement protocol in the BSM.
• Local storage requirements for Alice and Bob are very high.
  • Require r^(½+δ) storage space.
• Can one do better?
  • No, the solution is tight as shown by a lower bound of [DM04].
• Need to change the model…

**The Hybrid BSM**
• Idea: use a computational Key Agreement protocol to agree on the shared key k
  • E.g. run the Diffie-Hellman KA protocol.
• Then use a standard shared key BSM scheme with everlasting security.
• Even if the eavesdropper breaks the KA protocol and learns k, it will be after the broadcast, and too late.
• The computational assumption is with a strict time limit: Cannot break the KA before the end of the transmission of R.
• Assumption can be made with high level of confidence.
[Figure: Alice and Bob run KA to obtain k, then each store S_k from a long random string R of length r; the Eavesdropper learns k only later.]

**Previous works on the Hybrid BSM**
• Suggested in [ADR00].
• Revisited by Dziembowski & Maurer in [DM04]: show that the rationale of the hybrid BSM does not necessarily work:
  • Show a specific (non natural) KA protocol that when combined with a specific (standard) shared key BSM scheme can be fully broken.
  • Open question, what about a “natural” KA scheme?
• In [HN05]: show that if a compression algorithm for SAT exists then the hybrid BSM model is no more powerful than the standard BSM model.
[Callout on the slide: Given a CNF formula Φ with m clauses over n variables (and m >> n), efficiently find a formula Ψ of total length poly(n, log m) that is satisfiable iff Φ was satisfiable.]

**This Work**
• A first rigorous study of the Hybrid BSM.
• Give formal definitions of a hybrid BSM encryption scheme and of everlasting security of such a scheme. Security defined in two equivalent flavors:
  • Indistinguishability of encryptions.
  • Semantic security.
• Negative results:
  • Cannot prove everlasting security of a low memory hybrid BSM scheme via black box reductions.
• Positive results: Show augmentations of the model that allow low memory everlasting security.
  • Hybrid BSM with a random oracle.
  • Bounded Accessibility Model (BAM)
• Show a low memory hybrid BSM OT protocol in each of the augmented models.

**Definitions: The General Hybrid Scheme**
• Divide time into two parts:
  • Until the end of the transmission of R.
  • After the transmission.
• Everlasting security (indistinguishability): m_1, m_2 every adversary (C_1, C_2) cannot distinguish between encryptions of m_1 and m_2
[Figure: timeline with Alice, Bob and the Eavesdropper, labelled "KA scheme combined with shared key BSM scheme: Basic Hybrid scheme of [DM04]". Until the end of the transmission of R (length r): A_1, B_1 (poly time, low memory) and C_1 (poly time, bounded storage, output is bounded in length), producing S_A, S_B, S_C. After the transmission: A_2, B_2 (poly time, low memory, encryption A_2(m, S_A)) and C_2 (no time bound, no space bound).]

**Negative results – Big Picture**
• [DM04]: Show a specific hybrid scheme is insecure.
• [HN05] Conditional result:
  • If Compression of SAT exists then every Hybrid BSM scheme can be broken.
• This result:
  • Cannot prove the security of a hybrid scheme using BB techniques
  • True even if the construction itself is non-BB

**No Black-Box Proof**
• We show an oracle “world” where:
  • Any low memory hybrid scheme can be broken.
  • Any computational key agreement remains secure.
• Corollary: There is no black-box proof of everlasting security of a hybrid scheme.
• Proof (of corollary):
  • BB proof is an efficient procedure that breaks the KA scheme using BB calls to an adversary (C_1, C_2) of the hybrid scheme.
  • Such a proof relativizes to other worlds, including the world mentioned above.
  • Since in the world any hybrid scheme can be broken, a BB proof means that also any KA may be broken, which is a contradiction.
• Same holds for any cryptographic primitive that is secure against a polynomial time adversary.
  • E.g. Oblivious transfer, trapdoor permutation…
[Overlay: Any computational cryptographic primitive]
Note: Only calls to C_1, since C_2 is unbounded…

**The Oracle W**
• Oracle W:
  • Input: An NP relation R_L and an instance x and parameter m.
  • Output: A random witness w ∈ {0,1}^m such that R_L(x, w) = 1
  • If no such witness exists then output
Theorem: Let E be any hybrid BSM scheme where Alice and Bob use storage of size s_A and s_B, then any adversary with storage s_A · s_B and access to the oracle W can break E.
• Proof uses a technical Lemma from [DM04]

**The Oracle Z**
• The world we present consists of a different oracle Z:
  • Input: R_L, x and m.
  • Output: i = π(W(R_L, x, m))
• Rather than giving out the answers to W the oracle gives an “encrypted” answer to W.
  • The “encryption” is a random permutation π.
• Z also contains an inverting table for π.
  • The i-th row sums up to π^-1(i)
  • Otherwise random
• Table is useless to a polynomial time adversary !!!
  • Looks like a random table.
• A hybrid adversary may store i and find π^-1(i) after the transmission.
[Figure: the inverting table, with dimensions labelled 2^k and 2^m; row i is marked π^-1(i).]

**Hybrid BSM with a Random Oracle**
• The broadcast string R:
  • Too long to store but possible to read
  • Disappears!
• Random Oracle RO:
  • Too long to read (in polynomial time)
  • Always present.
• Theorem: Low memory hybrid BSM scheme with everlasting security in presence of RO.
  • Run KA to get computational key k_KA
  • Use k = RO(k_KA) as key to shared key BSM encryption scheme.
• If compression of SAT [HN05] exists then this is an example of a task that is:
  • Simple with a random oracle.
  • Altogether impossible without it.
[Figure: Alice and Bob run KA to obtain k_KA and each compute k = RO(k_KA).]

**The Bounded Accessibility Model (BAM)**
• Assume that the adversary cannot read all of the broadcast string R.
  • E.g. cannot store an XOR of all of the bits of R.
• Theorem: Low memory hybrid BAM scheme with everlasting security.
• The scheme is the basic scheme:
  • Use KA to agree on a shared key k.
  • Use a shared key BSM scheme.
Note: The hybrid is necessary, since the lower bound of [DM04] holds in this model as well.
  • No low memory BAM encryption scheme.

**Open problems**
• Main open question: is there low memory hybrid BSM encryption?
  • A solution would require resolving the issue of compressibility [HN05].
• Other reasonable models?
  • The BSM allows the adversary unreasonable power.
    • May compute using unlimited space.
    • Can run offline computations.
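
The flow on the "The Hybrid BSM" and "Hybrid BSM with a Random Oracle" slides, as an added toy simulation (not code from the talk): a key agreement yields k_KA, both parties derive k = RO(k_KA), store only S_k while R streams past, and encrypt with a pad computed from S_k. Assumptions made for illustration: Diffie-Hellman over a deliberately small group, SHA-256 standing in for RO, a simplified sample-and-XOR pad standing in for a real shared key BSM scheme, the sizes r, m, t, all function names, and an eavesdropper that simply keeps the first ¾ of R (the model allows it any function of R).

```python
import hashlib
import secrets

P = 2**127 - 1  # toy DH modulus (assumption); far too small for real use
G = 3           # toy base (assumption)

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared_key(priv, peer_pub):
    """k = RO(k_KA), with SHA-256 standing in for the random oracle."""
    k_ka = pow(peer_pub, priv, P)
    return hashlib.sha256(k_ka.to_bytes(16, "big")).digest()

def groups(k, r, m, t):
    """Expand k into m groups of t positions in [0, r); one group per pad bit."""
    idx = [int.from_bytes(hashlib.sha256(k + c.to_bytes(4, "big")).digest()[:8],
                          "big") % r for c in range(m * t)]
    return [idx[j * t:(j + 1) * t] for j in range(m)]

def store(stream, k, r, m, t):
    """One pass over the broadcast: keep only the bits of S_k, nothing else."""
    wanted = {i for g in groups(k, r, m, t) for i in g}
    return {i: bit for i, bit in enumerate(stream) if i in wanted}

def pad(k, s_k, r, m, t):
    """Pad bit j is the parity (XOR) of the stored bits in group j."""
    return [sum(s_k[i] for i in g) % 2 for g in groups(k, r, m, t)]

def run(r=1 << 16, m=64, t=32):
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    k_a, k_b = shared_key(a, pub_b), shared_key(b, pub_a)
    R = [secrets.randbits(1) for _ in range(r)]   # constructed broadcast string
    s_a, s_b = store(iter(R), k_a, r, m, t), store(iter(R), k_b, r, m, t)
    msg = [secrets.randbits(1) for _ in range(m)]
    ct = [x ^ y for x, y in zip(msg, pad(k_a, s_a, r, m, t))]
    pt = [x ^ y for x, y in zip(ct, pad(k_b, s_b, r, m, t))]
    # Eavesdropper kept the first 3/4 of R verbatim and learns k only afterwards:
    # a pad bit is recoverable only if all t of its positions were kept.
    kept = 3 * r // 4
    known = sum(all(i < kept for i in g) for g in groups(k_a, r, m, t))
    return pt == msg, len(s_a), known

if __name__ == "__main__":
    print(run())
```

With the default sizes the honest parties hold at most m·t = 2048 of the 65,536 broadcast bits, while this particular eavesdropper, even after learning k, can reconstruct a given pad bit only with probability (3/4)^32.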