forward-security in the limited communication model
DESCRIPTION
Forward-Security in the Limited Communication Model. Stefan Dziembowski. Warsaw University and CNR Pisa. This talk. Brief introduction to the Limited Communication Model . The talk mostly is based on the following papers: - PowerPoint PPT PresentationTRANSCRIPT
Forward-Security in the Limited Communication Model
Stefan Dziembowski
Warsaw University
and
CNR Pisa
This talk
Brief introduction to the
Limited Communication Model.
The talk mostly is based on the following papers:
[D06a] S. Dziembowski Intrusion-Resilience via the Bounded-Storage Model, TCC 2006
[D06b] S. Dziembowski On Forward-Secure Storage, accepted to CRYPTO 2006
Idea of the Limited Communication Model
Main idea:
Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen.
(details follow)
Plan
1. Motivation and Introduction2. Protocols for
session-key generation entity authentication secure storage
3. Connections to the other areas
Disclaimer
New area, work in progress!!!
Setup:
K
K authenticates with K
installs a virus
the user
can impersonate the user!
the bank
Question
Can cryptography prevent such an attack?
Can we prevent this attack?
If we have a trusted hardware then this attack is preventable.
This hardware can be e.g.: a token a list of one-time passwords
Note that the human-memorized passwords don’t help (because the virus can record the key-strokes).
Assume there is no trusted hardware
(trusted hardware costs and is not easy to use)
Can we have any security in this case?
Looks quite hopeless...
(If the adversary can take control over our machine, than he can do whatever he wants.)
The contribution of [D06a]
We propose a cheap method that makes the task of the adversary significantly harder
Idea: Make the secret key K so large that the
adversary cannot retrieve it.
We consider entity-authentication session-key generation
We assume that
the secret key K is stored on a machine which can be infected by a virus
the virus can perform an arbitrary computation on K, but the output of this computation U is shorter than K:
she can retrieve U.
The model (1/3)
The model (2/3)
As long as the machine is infected, the virus has a full controll over it.
We want to have security in the periods when the virus is not controlling the machine:
This is called: intrusion resilience.
We assume that the virus cannot modify the data on the machine.
The model (3/3)
What else can the adversary do?
She can perform active attacks: eavesdrop, substitute and fabricate messages.
A tool: Bounded Storage Model
It turns out that this is related to the Bounded Storage Model (BSM) [Maurer 1992]
In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store.
The computing power of the adversary may be unlimited!
Some cryptographic tools
Symmetric encryption
Key generation algorithm
AliceBob
secret key K
message M
ciphertext C = Encr(K,M)
message M = Decr(K,C)
M ?
secret key K
Eve
Indistinguishability
What does it mean that Eve has no information about M?
To say: “She cannot guess M” is not enough...Consider the following game:
A selects messages M0,M1
and sends them to the oracle
selects a random bit b and
a random key K, and sendsC = E(K,Mb) to the adversary
b?
One-time pad encryption
Disdvantage: the key is as long as the message!
[Shannon 1949]: this is optimal unless we limitthe power of the adversary in some way.
Message Authentication Codes
Observation: encryption does not guarantee integrity of a message (example: one-time pad)
To ensure the integrity one has to use MACs (message authentication codes).
message M
M,MAC(K,M)
verifies the MACand accepts only M
K K
Eve can modify the transmited messages
Public key encryption
Key generation algorithm
AliceBob
Bob’s public key e
Bob’s secret key d
message M
ciphertext C = Encr(e,M)
message M = Decr(d,C)
M ?
How to limit the power of the adversary
Classical cryptographylimit the adversary to the poly-timedisadvantage: we don’t know how to prove any security here
Information-theoretic cryptographyassume: quantum communication, bounded-storage, noisy channels
advantage: provable security!
The Bounded-Storage Model (BSM)
can perform any computationon R, but the result U=h(R) has to be much smaller than R
shortinitialkey Y
X = f(R,Y)
000110100111010010011010111001110111111010011101010101010010010100111100001001111111100010101001000101010010001010010100101011010101001010010101
randomizer R:
knows:U=h(R)
randomizer disappears
X ?
Eve shouldn’t be able to distinguish X from random
Power of the adversary
Note:The only resource that we bound is
memory.
The computing power is unlimited!
BSM – previous results
Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04].
Of course their security depends on the bound on the memory of the adversary.
We call a function s-secure if it is secure against an adversary that has memory of a size s.
The scheme of [DM02]
0 1 11 00100 0
0 11 10
1
00 0
1 00 0 0 11 10
0 1 1 11 0000 0
0 11 10 0100 0
1 00
01 0 1 0
0 10
1 00
1 00
1101 10 00 0 0 1 00
0 0
00 11
1
0 1
00
10 00
01 10
10
10
0
XOR10 00The derived key X
End of the introduction to cryptography
How is BSM related to our model?
Seems that the assumptions are oposite:
transmission storage
BSM cheap expensive
LCM expensive cheap
Entity authentication – the problem
Alice knows thepublic key of the bank
the bank
the user can verify the authenticity of the bank
the bank cannot verify the authenticity of the user
How can the bank verify the authenticity of the user?
We solve the following problem:
C
Entity authentication – the solution
random Y
key K = R:000110100111010010011010111001110111111010011101010101010010010100111100001001111111100010101001000101010010001010010100101011010101001010010101
X = f(R,Y)
verifies
The communication is done via the channel C.
Security of the entity authentication protocol (1/3)
Clearly as long as the adversary is controlling Alice’s machine, she can impersonate her.
But what happens when the adversary looses control on the user’s machine?
Security of the entity authentication protocol (2/3)
Security of the entity authentication protocol (3/3)
What about the active attacks?
Since the communication is done via the channel C, the only thing that the adversary can do is to “act as a wire”.
Session-key generation
The entity authentication protocols without key generation are often not very useful.
It is much more practical to have a session-key generation protocol.
The session-key generation
AliceBob
long-term keyK
...
Intrusion-resilient session-key generation
Clearly leaks to the adversary.
compromised sessions non-compromised sessions
compromised sessions – when adversary installed a virus on the machine of at least one of the users
We want the keys generated in non-compromised sessions to remain secret!
time
Intrusion resilience = backward + forward security
Forward-secure session-key generation (standard method)
long term key: key K for a MAC
(Encr,Decr) – a public key encryption scheme
generates a randomkey (e,d) for the public key encryption
e,MAC(K,e)
generates a randomkey Z
C = Encr(e,Z),MAC(K,C)
decrypts Z from C
Zerases d
Our protocol
Outline: We achieve forward security in a
standard way. Only the backward security is
novel.
Challenge: How to generate the key K (for
authentication) in a backward-secure way?
A (slightly wrong) idea
Security
Security – proof attempt (1/2)
Security – a proof attempt (2/2)
How the adversary can influence the outcome of the protocol
0 1 11 00100 0
0 11 10
1
00 0
1 00 0 0 11 10
0 1 1 11 0000 0
0 11 10 0100 0
1 00
01 0 1 0
0 10
1 00
1 00
1101 10 00 0 0 1 00
Repairing the protocol
How to repair the protocol?Our idea: add hashing
The Random Oracle Model
We model the hash function as a random oracle containing a truly random function.
The oracle can be queried by the the honest users and by the adversary.
Finalizing the proof
So the adversary has no information about Ka and Kb.
If Ka=Kb - we are done! Otherwise Ka and Kb are
independent.Alice and Bob will detect it when they use Ka and Kb in a MAC scheme.
Improvements
The Random Oracle Assumption was removed in Cash et al. [Cryptology ePrint Archive: Report 2005/409].
They also introduce the name Limited Communication Model.
Independent Work
Giovanni Di Crescenzo, Richard Lipton and Shabsi Walfish Perfectly Secure Password Protocols in the Bounded Retrieval Model, TCC 2006
Main difference: the adversary can retrieve only individual bits.
Example
The function f of [DM02] was proven secure when the memory of the adversary has a size of around 8% of the length of the randomizer.
In our case the players need to store 2 randomizers, so the protocol is secure if the adversary cannot retrieve 4% of the key.
Example:if |K| = 5 GB, then we can allow her to retrieve 200 MB.
This can probably be improved significantly...
Practicality?
Note: the trusted server can generate the key pseudo-randomly and just store the seed.
The contribution of [D06b] : Forward-Secure Storage (FSS)
C = Encr(K,M)M
secret key K
C
Eve can compute any value U = h(C)with |U| << |C|
U
K M ?
M = Decr(K,C)
How realistic is this scenario that the key K leaks?
The encryption scheme can be broken.
We model this by granting to the adversary an unlimitted computing power.
This is called an information-theoretic model.
The user can loose the key, esp. if she uses it for a longer period.
In this case we assume that the computing power is limited (polynomial).
This is called a computational model.(weaker model but allows more efficient solutions)
Formal security definition of the FSS (1/2)
Consider the following game between an adversary A and an oracle :
A selects two messages M0,M1 and sends them to the oracle
A stores an arbitrary U = h(C) (with |U| << |C|)
selects a random bit b and a random key K, computes C = Encr(K,Mb) and send it to the adversary
sends K to the adversaryb?
A
Formal security definition of the FSS (2/2)
We require that that the adversary has no chances of guessing b correctly with a probability significantly better than 0.5.
(In the computational case we will also assume that the adversary is performing only poly-time computations.)
Information-theoretic solution – a wrong idea
Can it work?
From the Shannon theorem it cannot be correct!
Why?
Because the key is shorter than the message...
So it can be broken even without an assumption that the key leaks
A better idea
R f(Y,R) M Z
Y MZ
key: message:
|Z| = |M|
Security proof (1/4)Suppose:A – an adversary that breaks the FSS scheme, i.e.
wins the distinguishing game with probability 0.5 + , for some non-negligible .
We construct an adversary B that breaks the function f in the following sense:
B will get a string X equal to
and will guess if (0) or (1) occured.
The adversary B will do it by simulating the adversary A.
(0) a random string with prob. 0.5
(1) f(K,R) with prob. 0.5
Security proof (2/4)
B
A R
M0,M1
select a random string W
send (R,W) to A
store the internal state of A
X
Kselect a random bit bset Z := X Mb
send (K,Z) to A
if A guesses b correctly then output“X = f(Y,R)’’, otherwise output“X is random”.
(again
st BSM
)
(again
st FSS)
Observation 2 If X is random then the adversary A guesses b correctly with probability exactly 0.5.
ProofFrom the point of view of the adversary the random
variables: (K,Z = X Mb) bare independent! qed
Security proof (3/4)
Observation 1 If X = f(Y,R) then the adversary A guesses b correctly with probability at least 0.5 +
Security proof (4/4)
X = f(Y,R) X is random
prob. 0.5 prob. 0.5
prob. 0.5 + prob. 0.5 - prob. 0.5 prob. 0.5
A is right A is rightA is wrong
B is right in these cases
probability: 0.5 (0.5 + ) + 0.25 = 0.5 + /2
A is wrong
Problem with the information-theoretic scheme
The secret key needs to be larger than the message!
What if we want the key to be shorter?
Computational FSS (with a short key) – idea 1
key K
Idea 1: Use a short secret key K’ and expand it pseudorandomly to a longer key K.
key K’
key K
cryptographic pseudorandom generator
Encr(K, )message M
Encr(K, )message M
(Encr,Decr) – IT-secureFSS
(A tool: cryptographic PRG)
A cryptographic pseudorandom generator is a function that expands a short seed s into a much longer string x, in such a way that
x cannot be distinguished from a random string (in poly-time)
(assuming that s was chosen uniformly at random)
Idea 1 – intuition
Idea 1 should work because:
“from the point of view of the adversary K is indistinguishable from uniform”
Turns out that this intuition is wrong...
(although probably most of PRGs work well here)
Example (1/3)
Suppose that we stored on a computer:
a long string R=(R1,...,Rt) of length t
an encrypted index i = 1,...,t:E(K,i)
(where E is some encryption scheme)
An adversary gets access to this computer and can retrieve t/2 bits.Later, she learns K. Can she now compute Ri ?
With probability 0.5 – trivial.
Turns out: can be done with probability 1 !!!(for a very weird encryption function E)
A Tool – Private Information Retrieval
userdatabase
an index i = 1,...,t a string R=(R1,...,Rt)
query Q(N,i)
answer A(Q(N,i),R)
Ri
1. the database doesn’t learn i
2. |A(Q(N,i),R)| << t
generates and stores some secret N
A(Q(N,i),R)N
PIR – implementation
See e.g.:
Eyal Kushilevitz and Rafail Ostrovsky, Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval, FOCS’97
PIR of [KO97]
Quadratic Residues
ZN* - a group of numbers {1,…,N}, relatively prime with N
A number a is a quadratic residue modulo N (denote: QR(N)) if there exits b, such that
a = b2 mod NSuppose N=pq, where p and q – large primes
ZN
*
QR(N) ZN+QNR(N)
Facts about QR
Given the factorization p,q of n it is easy to 1. generate random elements of QR(N) and
QNR(N),2. decide membership in QR(N) and QNR(N).
The second point is hard without the knowledge of the factorization of N.
A product of a and b is a quadratic residue iff
exactly one of a,b is a quadratic residue
PIR of [KO97] - actions of the user
1 2 3 …
i
t
Basic idea: arrange the string R into a square s x s – matrix, where s = √t
a1 a2 ac as The user on input i:
1. generates a random Nwe will work in ZN
+
2. produces a1,…,as,such that:only ac is QNR
3. sends N,a1,…,as, to thedatabase
row d
PIR of [KO97] - actions of the database
0 1 1 0 1 0
1 0 0 0 1 1
0 1 1 1 0 0
a1 a2 a3 a4 a5 a6
R:
a1 a22 a3
2 a4 a52 a6
b1 := a1a22a3
2a4a52a6
b2 := a12a2a3a4a5
2a62
b3 := a1a22a3
2a42a5a6
…
it is a QR iff
Ri=1
The database sendsb1,…,bs
to the user
PIR of [KO97] – final remarks
The user just looks at bd and decides that
Ri = 1 if bd is a QR
Ri = 0, otherwise.
Security follows from the fact that the database cannot distinguish QR from QNR
PIR of [KO97] – the end
Example (2/3)
a long string R=(R1,...,Rt) of length t
an encrypted index i = 1,...,t:E(K,i)
We construct the encryption scheme (E,D).ingridients:• (E’,D’) - some encryption scheme with a key K’.• PIR
(E,D): key K: user’ secret N K’
E(K,i): Q(N,i) E’(K’,i)
this is secure...
Example (3/3)
a long string R=(R1,...,Rt) of length t
Q(N,i) E’(K,i)
user’s secret N K’
The adversary simulates the user and stores A(Q(N,i),R)
A(Q(N,i),R)
Ri
Idea 2
Recall the Idea 1:
message M’
use message Mas a key forencryption (E,D)
key K’
key K
cryptographic pseudorandom generator
Encr(K, )message Ma random message M
E(M, message M’ )
(E,D) --- some encryption scheme
Idea 2 – security proof (sketch)
message M’
Encr(K, )a random message M
E(M, )
Suppose we have an adversary A that breaks the scheme
E(L,
Consider a modified scheme
a random message L
message M’
From the security of (E,D):A cannot break the modfied scheme.
Hence we can constructan adversary that breaksthe original scheme!
Complexity-theoretic view on encryption
C
The adversary knows C and she knows that M = M0 or M = M1 and wants to decide if
there exists K such thatC = Encr(K,M0)
this is an NP – language!Observe that if |M| >> |K| then the probability that
for random M0 and M1
and a random K0 there exists K1 such that Encr(K0,M0) = Encr(K1,M1)
is negligible
keys
messages
C0
C0
C0
C0
C0
C0
M0 M1
K0
Complexity-theoretic view
FSS exists
P ≠NP=>
=>
In case of FSS the adversary1. stores some information about C
(“compresses it”)2. later obtains the witness K
P ≠NPand there exist NP problems
that are “incompressible”
classical encryptionexists
Compressibility of NP-instances
This notion was recently studied in:Danny Harnik, Moni Naor On the Compressibility of NP Instances andCryptographic Applications ECCC Report TR06-022, 2006
See also:Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient SamplingSTOC 2006
The contribution of [HN06]
They describe a hierarchy of incompressible NP-languages.
The show several implications for cryptography and complexity of the assumption that certain languages are incompressible.
The idea of [HN06]
Def. An NP-language L is compressible to L’ if there exists an poly-time algorithm Z such that:
Z(x) L’ <=> x L the length of Z(x) is polynomial in x and in
log w, where w is the witness of x
Compression is witness-retrievable if one can compute (in poly-time) the witness for Z(x) from w and Z(x).
(Observe that we need the witness-retrievability in our case!)
The end
Questions ?