Forward-Security in the Limited Communication Model

Stefan Dziembowski

Warsaw University

and

CNR Pisa

This talk

Brief introduction to the

Limited Communication Model.

The talk mostly is based on the following papers:

[D06a] S. Dziembowski Intrusion-Resilience via the Bounded-Storage Model, TCC 2006

[D06b] S. Dziembowski On Forward-Secure Storage, accepted to CRYPTO 2006

Idea of the Limited Communication Model

Main idea:

Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen.

(details follow)

Plan

1. Motivation and Introduction2. Protocols for

session-key generation entity authentication secure storage

3. Connections to the other areas

Disclaimer

New area, work in progress!!!

Setup:

K

K authenticates with K

installs a virus

the user

can impersonate the user!

the bank

Question

Can cryptography prevent such an attack?

Can we prevent this attack?

If we have a trusted hardware then this attack is preventable.

This hardware can be e.g.: a token a list of one-time passwords

Note that the human-memorized passwords don’t help (because the virus can record the key-strokes).

Assume there is no trusted hardware

(trusted hardware costs and is not easy to use)

Can we have any security in this case?

Looks quite hopeless...

(If the adversary can take control over our machine, than he can do whatever he wants.)

The contribution of [D06a]

We propose a cheap method that makes the task of the adversary significantly harder

Idea: Make the secret key K so large that the

adversary cannot retrieve it.

We consider entity-authentication session-key generation

We assume that

the secret key K is stored on a machine which can be infected by a virus

the virus can perform an arbitrary computation on K, but the output of this computation U is shorter than K:

she can retrieve U.

The model (1/3)

The model (2/3)

As long as the machine is infected, the virus has a full controll over it.

We want to have security in the periods when the virus is not controlling the machine:

This is called: intrusion resilience.

We assume that the virus cannot modify the data on the machine.

The model (3/3)

What else can the adversary do?

She can perform active attacks: eavesdrop, substitute and fabricate messages.

A tool: Bounded Storage Model

It turns out that this is related to the Bounded Storage Model (BSM) [Maurer 1992]

In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store.

The computing power of the adversary may be unlimited!

Some cryptographic tools

Symmetric encryption

Key generation algorithm

AliceBob

secret key K

message M

ciphertext C = Encr(K,M)

message M = Decr(K,C)

M ?

secret key K

Eve

Indistinguishability

What does it mean that Eve has no information about M?

To say: “She cannot guess M” is not enough...Consider the following game:

A selects messages M0,M1

and sends them to the oracle

selects a random bit b and

a random key K, and sendsC = E(K,Mb) to the adversary

b?

One-time pad encryption

Disdvantage: the key is as long as the message!

[Shannon 1949]: this is optimal unless we limitthe power of the adversary in some way.

Message Authentication Codes

Observation: encryption does not guarantee integrity of a message (example: one-time pad)

To ensure the integrity one has to use MACs (message authentication codes).

message M

M,MAC(K,M)

verifies the MACand accepts only M

K K

Eve can modify the transmited messages

Public key encryption

Key generation algorithm

AliceBob

Bob’s public key e

Bob’s secret key d

message M

ciphertext C = Encr(e,M)

message M = Decr(d,C)

M ?

How to limit the power of the adversary

Classical cryptographylimit the adversary to the poly-timedisadvantage: we don’t know how to prove any security here

Information-theoretic cryptographyassume: quantum communication, bounded-storage, noisy channels

advantage: provable security!

The Bounded-Storage Model (BSM)

can perform any computationon R, but the result U=h(R) has to be much smaller than R

shortinitialkey Y

X = f(R,Y)

000110100111010010011010111001110111111010011101010101010010010100111100001001111111100010101001000101010010001010010100101011010101001010010101

randomizer R:

knows:U=h(R)

randomizer disappears

X ?

Eve shouldn’t be able to distinguish X from random

Power of the adversary

Note:The only resource that we bound is

memory.

The computing power is unlimited!

BSM – previous results

Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04].

Of course their security depends on the bound on the memory of the adversary.

We call a function s-secure if it is secure against an adversary that has memory of a size s.

The scheme of [DM02]

0 1 11 00100 0

0 11 10

1

00 0

1 00 0 0 11 10

0 1 1 11 0000 0

0 11 10 0100 0

1 00

01 0 1 0

0 10

1 00

1 00

1101 10 00 0 0 1 00

0 0

00 11

1

0 1

00

10 00

01 10

10

10

0

XOR10 00The derived key X

End of the introduction to cryptography

How is BSM related to our model?

Seems that the assumptions are oposite:

transmission storage

BSM cheap expensive

LCM expensive cheap

Entity authentication – the problem

Alice knows thepublic key of the bank

the bank

the user can verify the authenticity of the bank

the bank cannot verify the authenticity of the user

How can the bank verify the authenticity of the user?

We solve the following problem:

C

Entity authentication – the solution

random Y

key K = R:000110100111010010011010111001110111111010011101010101010010010100111100001001111111100010101001000101010010001010010100101011010101001010010101

X = f(R,Y)

verifies

The communication is done via the channel C.

Security of the entity authentication protocol (1/3)

Clearly as long as the adversary is controlling Alice’s machine, she can impersonate her.

But what happens when the adversary looses control on the user’s machine?

Security of the entity authentication protocol (2/3)

Security of the entity authentication protocol (3/3)

What about the active attacks?

Since the communication is done via the channel C, the only thing that the adversary can do is to “act as a wire”.

Session-key generation

The entity authentication protocols without key generation are often not very useful.

It is much more practical to have a session-key generation protocol.

The session-key generation

AliceBob

long-term keyK

...

Intrusion-resilient session-key generation

Clearly leaks to the adversary.

compromised sessions non-compromised sessions

compromised sessions – when adversary installed a virus on the machine of at least one of the users

We want the keys generated in non-compromised sessions to remain secret!

time

Intrusion resilience = backward + forward security

Forward-secure session-key generation (standard method)

long term key: key K for a MAC

(Encr,Decr) – a public key encryption scheme

generates a randomkey (e,d) for the public key encryption

e,MAC(K,e)

generates a randomkey Z

C = Encr(e,Z),MAC(K,C)

decrypts Z from C

Zerases d

Our protocol

Outline: We achieve forward security in a

standard way. Only the backward security is

novel.

Challenge: How to generate the key K (for

authentication) in a backward-secure way?

A (slightly wrong) idea

Security

Security – proof attempt (1/2)

Security – a proof attempt (2/2)

How the adversary can influence the outcome of the protocol

0 1 11 00100 0

0 11 10

1

00 0

1 00 0 0 11 10

0 1 1 11 0000 0

0 11 10 0100 0

1 00

01 0 1 0

0 10

1 00

1 00

1101 10 00 0 0 1 00

Repairing the protocol

How to repair the protocol?Our idea: add hashing

The Random Oracle Model

We model the hash function as a random oracle containing a truly random function.

The oracle can be queried by the the honest users and by the adversary.

Finalizing the proof

So the adversary has no information about Ka and Kb.

If Ka=Kb - we are done! Otherwise Ka and Kb are

independent.Alice and Bob will detect it when they use Ka and Kb in a MAC scheme.

Improvements

The Random Oracle Assumption was removed in Cash et al. [Cryptology ePrint Archive: Report 2005/409].

They also introduce the name Limited Communication Model.

Independent Work

Giovanni Di Crescenzo, Richard Lipton and Shabsi Walfish Perfectly Secure Password Protocols in the Bounded Retrieval Model, TCC 2006

Main difference: the adversary can retrieve only individual bits.

Example

The function f of [DM02] was proven secure when the memory of the adversary has a size of around 8% of the length of the randomizer.

In our case the players need to store 2 randomizers, so the protocol is secure if the adversary cannot retrieve 4% of the key.

Example:if |K| = 5 GB, then we can allow her to retrieve 200 MB.

This can probably be improved significantly...

Practicality?

Note: the trusted server can generate the key pseudo-randomly and just store the seed.

The contribution of [D06b] : Forward-Secure Storage (FSS)

C = Encr(K,M)M

secret key K

C

Eve can compute any value U = h(C)with |U| << |C|

U

K M ?

M = Decr(K,C)

How realistic is this scenario that the key K leaks?

The encryption scheme can be broken.

We model this by granting to the adversary an unlimitted computing power.

This is called an information-theoretic model.

The user can loose the key, esp. if she uses it for a longer period.

In this case we assume that the computing power is limited (polynomial).

This is called a computational model.(weaker model but allows more efficient solutions)

Formal security definition of the FSS (1/2)

Consider the following game between an adversary A and an oracle :

A selects two messages M0,M1 and sends them to the oracle

A stores an arbitrary U = h(C) (with |U| << |C|)

selects a random bit b and a random key K, computes C = Encr(K,Mb) and send it to the adversary

sends K to the adversaryb?

A

Formal security definition of the FSS (2/2)

We require that that the adversary has no chances of guessing b correctly with a probability significantly better than 0.5.

(In the computational case we will also assume that the adversary is performing only poly-time computations.)

Information-theoretic solution – a wrong idea

Can it work?

From the Shannon theorem it cannot be correct!

Why?

Because the key is shorter than the message...

So it can be broken even without an assumption that the key leaks

A better idea

R f(Y,R) M Z

Y MZ

key: message:

|Z| = |M|

Security proof (1/4)Suppose:A – an adversary that breaks the FSS scheme, i.e.

wins the distinguishing game with probability 0.5 + , for some non-negligible .

We construct an adversary B that breaks the function f in the following sense:

B will get a string X equal to

and will guess if (0) or (1) occured.

The adversary B will do it by simulating the adversary A.

(0) a random string with prob. 0.5

(1) f(K,R) with prob. 0.5

Security proof (2/4)

B

A R

M0,M1

select a random string W

send (R,W) to A

store the internal state of A

X

Kselect a random bit bset Z := X Mb

send (K,Z) to A

if A guesses b correctly then output“X = f(Y,R)’’, otherwise output“X is random”.

(again

st BSM

)

(again

st FSS)

Observation 2 If X is random then the adversary A guesses b correctly with probability exactly 0.5.

ProofFrom the point of view of the adversary the random

variables: (K,Z = X Mb) bare independent! qed

Security proof (3/4)

Observation 1 If X = f(Y,R) then the adversary A guesses b correctly with probability at least 0.5 +

Security proof (4/4)

X = f(Y,R) X is random

prob. 0.5 prob. 0.5

prob. 0.5 + prob. 0.5 - prob. 0.5 prob. 0.5

A is right A is rightA is wrong

B is right in these cases

probability: 0.5 (0.5 + ) + 0.25 = 0.5 + /2

A is wrong

Problem with the information-theoretic scheme

The secret key needs to be larger than the message!

What if we want the key to be shorter?

Computational FSS (with a short key) – idea 1

key K

Idea 1: Use a short secret key K’ and expand it pseudorandomly to a longer key K.

key K’

key K

cryptographic pseudorandom generator

Encr(K, )message M

Encr(K, )message M

(Encr,Decr) – IT-secureFSS

(A tool: cryptographic PRG)

A cryptographic pseudorandom generator is a function that expands a short seed s into a much longer string x, in such a way that

x cannot be distinguished from a random string (in poly-time)

(assuming that s was chosen uniformly at random)

Idea 1 – intuition

Idea 1 should work because:

“from the point of view of the adversary K is indistinguishable from uniform”

Turns out that this intuition is wrong...

(although probably most of PRGs work well here)

Example (1/3)

Suppose that we stored on a computer:

a long string R=(R1,...,Rt) of length t

an encrypted index i = 1,...,t:E(K,i)

(where E is some encryption scheme)

An adversary gets access to this computer and can retrieve t/2 bits.Later, she learns K. Can she now compute Ri ?

With probability 0.5 – trivial.

Turns out: can be done with probability 1 !!!(for a very weird encryption function E)

A Tool – Private Information Retrieval

userdatabase

an index i = 1,...,t a string R=(R1,...,Rt)

query Q(N,i)

answer A(Q(N,i),R)

Ri

1. the database doesn’t learn i

2. |A(Q(N,i),R)| << t

generates and stores some secret N

A(Q(N,i),R)N

PIR – implementation

See e.g.:

Eyal Kushilevitz and Rafail Ostrovsky, Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval, FOCS’97

PIR of [KO97]

Quadratic Residues

ZN* - a group of numbers {1,…,N}, relatively prime with N

A number a is a quadratic residue modulo N (denote: QR(N)) if there exits b, such that

a = b2 mod NSuppose N=pq, where p and q – large primes

ZN

*

QR(N) ZN+QNR(N)

Facts about QR

Given the factorization p,q of n it is easy to 1. generate random elements of QR(N) and

QNR(N),2. decide membership in QR(N) and QNR(N).

The second point is hard without the knowledge of the factorization of N.

A product of a and b is a quadratic residue iff

exactly one of a,b is a quadratic residue

PIR of [KO97] - actions of the user

1 2 3 …

i

t

Basic idea: arrange the string R into a square s x s – matrix, where s = √t

a1 a2 ac as The user on input i:

1. generates a random Nwe will work in ZN

+

2. produces a1,…,as,such that:only ac is QNR

3. sends N,a1,…,as, to thedatabase

row d

PIR of [KO97] - actions of the database

0 1 1 0 1 0

1 0 0 0 1 1

0 1 1 1 0 0

a1 a2 a3 a4 a5 a6

R:

a1 a22 a3

2 a4 a52 a6

b1 := a1a22a3

2a4a52a6

b2 := a12a2a3a4a5

2a62

b3 := a1a22a3

2a42a5a6

…

it is a QR iff

Ri=1

The database sendsb1,…,bs

to the user

PIR of [KO97] – final remarks

The user just looks at bd and decides that

Ri = 1 if bd is a QR

Ri = 0, otherwise.

Security follows from the fact that the database cannot distinguish QR from QNR

PIR of [KO97] – the end

Example (2/3)

a long string R=(R1,...,Rt) of length t

an encrypted index i = 1,...,t:E(K,i)

We construct the encryption scheme (E,D).ingridients:• (E’,D’) - some encryption scheme with a key K’.• PIR

(E,D): key K: user’ secret N K’

E(K,i): Q(N,i) E’(K’,i)

this is secure...

Example (3/3)

a long string R=(R1,...,Rt) of length t

Q(N,i) E’(K,i)

user’s secret N K’

The adversary simulates the user and stores A(Q(N,i),R)

A(Q(N,i),R)

Ri

Idea 2

Recall the Idea 1:

message M’

use message Mas a key forencryption (E,D)

key K’

key K

cryptographic pseudorandom generator

Encr(K, )message Ma random message M

E(M, message M’ )

(E,D) --- some encryption scheme

Idea 2 – security proof (sketch)

message M’

Encr(K, )a random message M

E(M, )

Suppose we have an adversary A that breaks the scheme

E(L,

Consider a modified scheme

a random message L

message M’

From the security of (E,D):A cannot break the modfied scheme.

Hence we can constructan adversary that breaksthe original scheme!

Complexity-theoretic view on encryption

C

The adversary knows C and she knows that M = M0 or M = M1 and wants to decide if

there exists K such thatC = Encr(K,M0)

this is an NP – language!Observe that if |M| >> |K| then the probability that

for random M0 and M1

and a random K0 there exists K1 such that Encr(K0,M0) = Encr(K1,M1)

is negligible

keys

messages

C0

C0

C0

C0

C0

C0

M0 M1

K0

Complexity-theoretic view

FSS exists

P ≠NP=>

=>

In case of FSS the adversary1. stores some information about C

(“compresses it”)2. later obtains the witness K

P ≠NPand there exist NP problems

that are “incompressible”

classical encryptionexists

Compressibility of NP-instances

This notion was recently studied in:Danny Harnik, Moni Naor On the Compressibility of NP Instances andCryptographic Applications ECCC Report TR06-022, 2006

See also:Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient SamplingSTOC 2006

The contribution of [HN06]

They describe a hierarchy of incompressible NP-languages.

The show several implications for cryptography and complexity of the assumption that certain languages are incompressible.

The idea of [HN06]

Def. An NP-language L is compressible to L’ if there exists an poly-time algorithm Z such that:

Z(x) L’ <=> x L the length of Z(x) is polynomial in x and in

log w, where w is the witness of x

Compression is witness-retrievable if one can compute (in poly-time) the witness for Z(x) from w and Z(x).

(Observe that we need the witness-retrievability in our case!)

The end

Questions ?