Post on 03-Jul-2020
Eduarda S. V. Freire and Kenneth G. Paterson
Information Security Group Royal Holloway, University of London
Provably Secure Key Assignment Schemes from Factoring
Outline of the Talk
- Hierarchical Key Assignment Schemes
- Definition of Security Notions
- Some Previous Work
- Cryptographic Assumptions
  - The Factoring Assumption
  - Security of the BBS Generator
- Provably Secure KAS under the Factoring Assumption
  - A KR-secure Scheme
  - KI-secure Schemes
Hierarchical Key Assignment Schemes
- A method for implementing access control policies where some users have more access rights than others.
- These schemes can be useful for:
  - Content distribution
  - Management of databases containing sensitive information
  - Government communications
  - Broadcast services (such as cable TV)
Hierarchical Key Assignment Schemes
An access control policy can be represented by a directed graph G = (V, E), also called a poset.
[Figure: a hierarchy with class a at the top, b and c below it, and d, e, f at the bottom; an edge from u down to v is labelled v ≤ u.]
V: set of disjoint classes, called security classes.
Edge (u, v) ∈ E: users in class u have access to data in class v, represented by v ≤ u.
Any class should be able to access the secret data of all its successors in the hierarchy.
Any set of classes should NOT be able to access the data of any class that is not a successor of any class in the set.
Hierarchical Key Assignment Schemes
Solution: assign an encryption key and some private information to each class in the graph (hierarchy), as well as some public information.
[Figure: the same hierarchy, with the pairs (k_a, S_a), (k_b, S_b), (k_c, S_c), (k_d, S_d), (k_e, S_e), (k_f, S_f) attached to the classes and a public value Pub beside it.]
Private information + public information will be used to generate encryption keys.
Hierarchical Key Assignment Schemes
A key assignment scheme is a pair of algorithms Gen, Derive: (S,k,pub) ßGen(1ρ,G) § S is the set of private information § k is the set of keys § pub is the public information kv ßDerive(1ρ,G,pub,u,v,Su) for each class v V such that v ≤ u, where
∈
Su is the private information assigned to class u and kv is the key assigned to class v.
Definition of Security Notions
- Types of adversaries
  - Static adversary
  - Dynamic adversary
- Security goals [Atallah et al.]
  - Key recovery
  - Key indistinguishability
Types of Adversaries: Static Adversary
The adversary first chooses a class u ∈ V to attack and then is allowed to access the private information assigned to all classes v ∈ V such that u ≰ v.
[Figure: the hierarchy with class c relabelled as the target u; the static adversary A_stat says "I want to attack u" and then "Now I want S_b, S_d, S_e, S_f".]
Types of Adversaries: Dynamic Adversary
The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class u ∈ V to attack. After this the adversary is still allowed to corrupt classes v of its choice, subject to u ≰ v.
[Figure: the hierarchy with the target u in place of c; the dynamic adversary A_dyn receives Pub, says "I want S_b, S_d, S_e", then "Now I want to attack u", then "Now I want S_f".]
Ateniese et al.: static and dynamic adversaries are polynomially equivalent.
Security Goals by Atallah et al.
- Security w.r.t. Key Recovery (KR): an adversary is not able to compute a key to which it should not have access.
- Security w.r.t. Key Indistinguishability (KI): an adversary is not able to distinguish between a real key that it should not have access to and a random string of the same length.

Security Goals: Key Recovery (KR-ST)
Experiment Exp^{KR-ST}_A(1^ρ, G):
  u ← A(1^ρ, G)
  (S, k, pub) ← Gen(1^ρ, G)
  corr ← {S_v : u ≰ v}
  k'_u ← A(1^ρ, G, pub, corr)
  return k'_u
The advantage of A is defined to be Adv^{KR-ST}_A(1^ρ, G) = Pr[k'_u = k_u]. The scheme is said to be KR-ST secure if Adv^{KR-ST}_A(1^ρ, G) is negligible.
Security Goals: Key Indistinguishability (KI-ST)
Experiment Exp^{KI-ST-1}_A(1^ρ, G):
  u ← A(1^ρ, G)
  (S, k, pub) ← Gen(1^ρ, G)
  corr ← {S_v : u ≰ v}
  b' ← A(1^ρ, G, pub, corr, k_u)
  return b'
Experiment Exp^{KI-ST-0}_A(1^ρ, G):
  u ← A(1^ρ, G)
  (S, k, pub) ← Gen(1^ρ, G)
  corr ← {S_v : u ≰ v}
  r ← {0,1}^ρ
  b' ← A(1^ρ, G, pub, corr, r)
  return b'
The advantage of A is defined to be
  Adv^{KI-ST}_A(1^ρ, G) = |Pr[Exp^{KI-ST-1}_A(1^ρ, G) = 1] − Pr[Exp^{KI-ST-0}_A(1^ρ, G) = 1]|.
The scheme is said to be KI-ST secure if Adv^{KI-ST}_A(1^ρ, G) is negligible.
Some Previous Work
- [Atallah et al. '06]
  - KR-secure schemes based on pseudorandom functions;
  - KI-secure schemes based on any CCA-secure symmetric encryption.
- [Ateniese et al. '06]
  - KI-secure schemes under the BDDH assumption;
  - KI-secure schemes based on the OW-CPA security of a symmetric encryption scheme.
- [D'Arco et al. '10]
  - Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption;
  - Construction yielding KI-secure schemes using as components KR-secure schemes and the Goldreich-Levin hard-core bit (GL-bit).
- [Crampton et al. '10]
  - New approach to constructing KAS for arbitrary posets using chain partitions. This idea was instantiated using two different cryptographic bases: collision-resistant hash functions and the RSA primitive. Unfortunately, neither comes with a formal security analysis.

In This Work
We propose:
- A KR-secure scheme under the factoring assumption for totally ordered hierarchies;
- The first construction which directly yields schemes provably secure in the sense of KI-ST under the factoring assumption for general posets.
Cryptographic Assumptions: The Factoring Assumption
Let (N, p, q) ← GenF(1^ρ), where N = pq and p and q are ρ-bit primes. For an algorithm A_F, its factoring advantage is defined to be
  Adv^{fac}_{GenF,A_F}(1^ρ) = Pr[(N, p, q) ← GenF(1^ρ) : A_F(N) = {p, q}].
The factoring assumption (with respect to GenF) states that Adv^{fac}_{GenF,A_F}(1^ρ) is negligible. We will consider two instances of GenF:
  GenBlum(1^ρ): p ≡ 3 mod 4, q ≡ 3 mod 4
  GenS(1^ρ):    p ≡ 1 mod 2^n, q ≡ 3 mod 4
Cryptographic Assumptions: The BBS Pseudorandom Generator
Let N be a Blum integer, that is, N = pq where p ≡ q ≡ 3 mod 4, and let x be a quadratic residue mod N. The BBS pseudorandom generator applied to x and modulus N is defined to have output
  BBS_N(x) = (LSB_N(x), LSB_N(x^2), …, LSB_N(x^{2^{l−1}})) ∈ {0,1}^l,
where LSB_N(x) denotes the least significant bit of x.
Cryptographic Assumptions: Security of the BBS Generator
Let D be a distinguisher.
Experiment Exp^{BBS-1}_D(1^ρ):
  (x, N) ← Gen(1^ρ)
  d ← D(N, z = x^{2^l} mod N, BBS_N(x))
  return d
Experiment Exp^{BBS-0}_D(1^ρ):
  (x, N) ← Gen(1^ρ)
  r ← {0,1}^l
  d ← D(N, z = x^{2^l} mod N, r)
  return d
The advantage of D is defined to be
  Adv^{BBS}_D(1^ρ) = |Pr[Exp^{BBS-1}_D(1^ρ) = 1] − Pr[Exp^{BBS-0}_D(1^ρ) = 1]|.
The BBS generator is secure if Adv^{BBS}_D(1^ρ) is negligible for any PPT D.
BBS distinguisher ⇒ factoring algorithm.
Provably Secure KAS: A Basic Scheme
Let G = (V, E) be a directed graph, where V = {u_0, …, u_{n−1}} and u_{i+1} < u_i for all i (a totally ordered hierarchy).
Algorithm Gen(1^ρ, G):
  1. Run GenS(1^ρ) to obtain two ρ-bit primes p ≡ 1 mod 2^n and q ≡ 3 mod 4, and compute N = pq.
  2. Let pub = N be the public information.
  3. Randomly choose a secret value γ from Z_N.
  4. For each class u_i ∈ V, set k_{u_i} = S_{u_i} = γ^{2^i} mod N.
  5. Let S and k be the sets of private information and keys.
  6. Output (S, k, pub).
Algorithm Derive(G, pub, u_i, u_j, k_{u_i}):
  1. For j > i, compute k_{u_j} = (k_{u_i})^{2^{j−i}} mod N.
  2. Output k_{u_j}.
[Figure: the chain u_0 > u_1 > u_2 > … > u_i > u_{i+1} > … > u_{n−2} > u_{n−1} with keys k_{u_0} = γ mod N, k_{u_1} = γ^2 mod N, k_{u_2} = γ^{2^2} mod N, …, k_{u_i} = γ^{2^i} mod N, k_{u_{i+1}} = γ^{2^{i+1}} mod N, …, k_{u_{n−2}} = γ^{2^{n−2}} mod N, k_{u_{n−1}} = γ^{2^{n−1}} mod N.]
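As an added example that is not the authors' code, the basic scheme above on a chain of n = 4 classes with the constructed toy primes p = 17 and q = 19 (which satisfy the GenS conditions p ≡ 1 mod 2^n and q ≡ 3 mod 4 for n ≤ 4); Derive is carried out as the j − i repeated squarings modulo N that the slides describe.

```python
import random

def gen_s_toy(n):
    """Toy stand-in for GenS(1^rho): primes p = 1 mod 2^n and q = 3 mod 4.
    Constructed values: p = 17 (17 = 1 mod 16, so n <= 4) and q = 19 (19 = 3 mod 4)."""
    p, q = 17, 19
    if p % (2 ** n) != 1 or q % 4 != 3:
        raise ValueError("toy primes do not satisfy the GenS conditions for this n")
    return p * q, p, q

def gen(n, seed=None):
    """Gen(1^rho, G) for the total order u_0 > u_1 > ... > u_{n-1}.
    Returns (S, k, pub) with S_{u_i} = k_{u_i} = gamma^(2^i) mod N and pub = N."""
    N, _, _ = gen_s_toy(n)
    gamma = random.Random(seed).randrange(2, N)        # secret gamma from Z_N
    keys = [pow(gamma, 2 ** i, N) for i in range(n)]
    return list(keys), list(keys), N                   # in this scheme S = k

def derive(pub, i, j, k_ui):
    """Derive(G, pub, u_i, u_j, k_{u_i}) for j > i: exactly j - i squarings mod N,
    i.e. (k_{u_i})^(2^(j-i)) mod N without ever forming the exponent 2^(j-i)."""
    if j <= i:
        raise ValueError("u_j must lie strictly below u_i in the chain")
    k = k_ui
    for _ in range(j - i):
        k = k * k % pub
    return k

def check_all_pairs(n, seed=0):
    """Every class derives the correct key of every class below it in the chain."""
    S, k, N = gen(n, seed)
    return all(derive(N, i, j, S[i]) == k[j]
               for i in range(n) for j in range(i + 1, n))
```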
Provably Secure KAS: KR-Security of the Basic Scheme
[Figure: the same chain, now with S_{u_i} = k_{u_i} = γ^{2^i} mod N at each class; the static adversary A_stat says "I want to attack u_i", then "Now I want S_{u_{i+1}}, …, S_{u_{n−1}}", and finally "I output k'_{u_i}".]
Theorem: Assume the factoring assumption relative to GenS holds. Then our basic scheme is KR-ST secure.
  Adv^{KR-ST}_{A_stat}(1^ρ, G) = Adv^{fac}_{GenS,A_F}(1^ρ)
→ Tight reduction to factoring in the KR-ST security model.
Why p ≡ 1 mod 2^n and q ≡ 3 mod 4?
  p ≢ 1 mod 2^n and q ≡ 3 mod 4? → Reduction from the higher quadratic residuosity assumption.
  p ≡ 3 mod 4 and q ≡ 3 mod 4? → Reduction from the standard quadratic residuosity assumption.
Provably Secure KAS: The FP Scheme (1 chain)
  (p ≡ q ≡ 3 mod 4) ← GenBlum(1^ρ)
  γ ← QR_N
  S_{u_i} = γ^{2^{il}} mod N
  k_{u_i} = BBS_N(S_{u_i})
[Figure: the chain u_0 > u_1 > u_2 > … > u_{n−1} with keys
  k_{u_0} = BBS_N(γ) = (LSB_N(γ), LSB_N(γ^2), …, LSB_N(γ^{2^{l−1}})),
  k_{u_1} = BBS_N(γ^{2^l}),
  k_{u_2} = BBS_N(γ^{2^{2l}}),
  …,
  k_{u_{n−1}} = BBS_N(γ^{2^{(n−1)l}}).]
Provably Secure KAS: The FP Scheme (General Posets)
Let P = (V, E) be a directed graph and consider a security parameter ρ.
Algorithm Gen(1^ρ, P):
  1. (p ≡ q ≡ 3 mod 4) ← GenBlum(1^ρ)
  2. Select a chain partition of V into w chains C_0, …, C_{w−1}, where C_i has length l_i.
[Figure: a set V of twelve classes a, …, l and a partition of V into four chains C_0, C_1, C_2, C_3; within chain C_i the classes are numbered u^i_0, u^i_1, u^i_2, … from the top.]
We build on ideas from Crampton et al. to construct our FP scheme.
Dilworth's theorem: every poset (V, ≤) can be partitioned into w chains, where w is the width of V.
Provably Secure KAS: The FP Scheme (General Posets)
Algorithm Gen(1^ρ, P):
  3. Select w values γ_0, …, γ_{w−1} at random from QR_N.
  4. For each u^i_j ∈ V, 0 ≤ j < l_i, compute T_{u^i_j} = γ_i^{2^{jl}} mod N.
[Figure: the same chain partition, with γ_0, γ_1, γ_2, γ_3 assigned to the chains C_0, C_1, C_2, C_3.]
Provably Secure KAS: The FP Scheme (General Posets)
Algorithm Gen(1^ρ, P):
  5. For each u ∈ V, define the private information S_u to be {T_{u^i_j} : 0 ≤ i ≤ w−1}, where u^i_j is the maximal class in ↓u ∩ C_i, and the encryption key k_u to be BBS_N(T_u).
[Figure: for class e, which is u^1_1 in chain C_1, the maximal class of ↓e in chain C_3 is h = u^3_0, so
  T_e = T_{u^1_1} = γ_1^{2^l} mod N,
  T_h = T_{u^3_0} = γ_3 mod N,
  S_e = {T_e, T_h} = {T_{u^1_1}, T_{u^3_0}},
  k_e = BBS_N(T_e).]
Provably Secure KAS: The FP Scheme (General Posets)
Algorithm Derive:
[Figure: from S_{u^1_1} = {T_{u^1_1}, T_{u^3_0}}, the key of u^3_2 (two positions below u^3_0 in chain C_3) is obtained as
  T_{u^3_2} = (T_{u^3_0})^{2^{2l}} mod N,
  k_{u^3_2} = BBS_N(T_{u^3_2}).]
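As an added example that is not part of the talk, the BBS generator defined earlier together with the FP scheme's Gen (steps 3 to 5) and Derive, run on a constructed five-class poset with a given two-chain partition. N = 77 and l = 3 are toy values, and the poset, the chain partition and the per-chain dictionary layout of S_u are my assumptions, not the paper's.

```python
# Toy Blum modulus N = 77 = 7 * 11 (both 3 mod 4) and l = 3 bits per key; real use needs rho-bit GenBlum primes.

def bbs(N, x, l):
    """BBS_N(x) = (LSB(x), LSB(x^2), ..., LSB(x^(2^(l-1)))), computed by l-1 squarings."""
    bits = []
    for _ in range(l):
        bits.append(x & 1)
        x = x * x % N
    return tuple(bits)

# Constructed poset: edge u -> v means v < u (u may access v).  Chains are listed
# top to bottom, so the j-th entry of CHAINS[i] is the class u^i_j.
EDGES = {"a": ["b", "c"], "b": ["d"], "c": ["d", "e"], "d": [], "e": []}
CHAINS = [["a", "b", "d"], ["c", "e"]]          # a chain partition of width w = 2

def leq(v, u):
    """v <= u iff v is reachable from u in the access graph (v == u included)."""
    return v == u or any(leq(v, x) for x in EDGES[u])

def fp_gen(N, chains, gammas, l):
    """Gen(1^rho, P) steps 3-5: T_{u^i_j} = gamma_i^(2^(j*l)) mod N; S_u keeps, per chain
    C_i, the class and T value of the maximal element of down(u) ∩ C_i; k_u = BBS_N(T_u)."""
    T = {u: pow(gammas[i], 2 ** (j * l), N)
         for i, c in enumerate(chains) for j, u in enumerate(c)}
    S, k = {}, {}
    for u in T:
        S[u] = {}
        for i, c in enumerate(chains):
            down = [v for v in c if leq(v, u)]   # a suffix of c: down-sets are transitive
            if down:
                S[u][i] = (down[0], T[down[0]])
        k[u] = bbs(N, T[u], l)
    return S, k, N

def fp_derive(N, chains, S_u, v, l):
    """Derive k_v from S_u, or None when v is not below u: find v's chain C_i, take the
    stored (class, T) for C_i and square T l times per step down the chain to v."""
    for i, c in enumerate(chains):
        if v in c and i in S_u:
            top, t = S_u[i]
            hops = c.index(v) - c.index(top)
            if hops >= 0:
                return bbs(N, pow(t, 2 ** (hops * l), N), l)
    return None

def all_consistent(N, chains, gammas, l):
    """Derivation succeeds exactly when v <= u, and then matches the generated key."""
    S, k, _ = fp_gen(N, chains, gammas, l)
    return all((fp_derive(N, chains, S[u], v, l) == k[v]) == leq(v, u) for u in k for v in k)
```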
Provably Secure KAS: KI-Security of the FP Scheme
[Figure: the chain-partitioned poset on a, …, l; the static adversary A_stat says "I want to attack e", then "Now I want S_d, S_g, S_h, S_f, S_i, …", then "I receive a value V", and finally "I output b'". The challenger picks b: b = 0 → V = k_e; b = 1 → V = a random value.]
Assuming the factoring assumption relative to GenBlum holds, the FP scheme is KI-ST secure.
  Adv^{KI-ST}_{A_stat}(1^ρ, P) = Adv^{BBS}_D(1^ρ)
BBS distinguisher ⇒ factoring algorithm.
Final Remarks
Characteristics of the FP scheme:
- Direct construction;
- Small public info;
- At most w private values per node;
- Efficient derivation: repeated squarings modulo N.
THANKS!