threshold and proactive pseudo-random permutations
1
Threshold and Proactive Pseudo-Random
Permutations
Joint work with Yevgeniy Dodis and Moti Yung
Aleksandr Yampolskiy (Yale)
TCC 2006
2
Talk Outline
• Overview of our results
• New tool: oblivious distributed pseudo-random function
• Distributed Luby-Rackoff construction
• Proof of security
• Conclusions
3
What Is a Pseudo-Random Permutation?
Figure: a block x is mapped to E_SK(x) under the secret key SK.
• A PRP (≈ block cipher) transforms blocks of plaintext into blocks of ciphertext of the same size [LR88].
• Its output appears random to an outside observer lacking SK.
4
Distributed Block Ciphers
• Many distributed primitives: public-key encryption [Ped91, DJ01, Rab98], digital signatures [Des87, DF91, GJKR01], key generation [BF01], pseudo-random functions [Nie03, NPR99, CKPS01], …
• The only primitive still missing from this list is the pseudo-random permutation.
5
Efficiency
• Of course, we can use generic multi-party techniques to distribute a PRP.
• Can evaluate any circuit C in O(1) rounds using O(|C|·n) crypto ops [Damgård-Ishai ’05]
• Our threshold PRP protocol performs O((mn + m log mn)·B) crypto ops.
6
Original Luby-Rackoff Construction
• Luby and Rackoff showed how to construct a 2k-bit PRP from three (or four) k-bit PRFs [LR88].
• Intermediate LR values must be kept secret, so LR is evaluated by a trusted party holding the secret keys SK_i of all PRFs.
• If we use our PRF with LR construction, we get a PRP with “nice” properties.
Figure: three-round Feistel network on the block (L, R), with intermediate values S, T, V and round functions F_SK1, F_SK2, F_SK3 instantiated as h^{1/(R+SK_1)}, h^{1/(S+SK_2)}, h^{1/(T+SK_3)}.
7
Our Results
• We construct the first reasonably efficient threshold and proactive PRP
  – n servers, holding shares of SK, compute E_SK(x)
  – O(1) rounds, up to (n-1)/2 semi-honest servers
• Many protocols (using PRPs) such as CBC block cipher mode, authenticated encryption, etc. can now be made distributed.
8
Oblivious Distributed PRF
• (n,t) secret sharing [Shamir, Blakley]
  – Secret key SK is shared among n servers.
  – Input x is also shared, which is useful in some applications (oblivious distributed PRF).
  – Prior distributed PRFs [NPR99, CKPS01, Nie02]
• No coalition of up to t = ⌊(n-1)/2⌋ servers can compute the PRF or distinguish it from a random function.
• Any (t+1) servers can evaluate the PRF.
9
Naor-Reingold PRF
• The PRF is NR_{g,a_1,…,a_m}(x_1…x_n) = g^{∏_{i : x_i = 1} a_i}
  – x = path on a binary tree
  – going left = do nothing
  – going right = raise to a_i
  – Here, g ∈ G and a_i ∈ Z_q are random (and secret)
  – Theorem [NR97]: NR is a PRF if DDH is hard in G.
Figure (k=6, x=011011): walking the tree from g and going right at positions 2, 3, 5, 6 gives g → g^{a_2} → g^{a_2 a_3} → g^{a_2 a_3 a_5} → g^{a_2 a_3 a_5 a_6} = NR(011011).
10
Distributing NR-PRF
• Idea: the if condition can be rewritten as h_{i-1}(1-x_i) + h_{i-1}·a_i·x_i for x_i ∈ {0,1}
• We can compute the PRF value recursively.
  – Set h_0 = g^{a_0}
  – For i = 1,…,l, set h_i = h_{i-1}^{a_i} if x_i = 1 and h_i = h_{i-1} otherwise.
11
Dodis-Yampolskiy PRF
• The PRF is DY_SK(x_1…x_n) = g^{1/(x+SK)}.
• Theorem [DY05]: DY is a PRF for small inputs of length (log k) if y-DDHI is hard in G.
• Decisional Diffie-Hellman Inversion Assumption (q-DDHI): given (g, g^x, …, g^{(x^q)}), it is hard to distinguish g^{1/x} from random [BB04].
12
• Problem: There is a mismatch between input length (log k) and output length poly(k).
• Solution:
  – shrink inputs using a CHRF
  – use a generic tree construction [MRV99]
13
Extending the input length
• If we assume subexponential hardness of y-DDHI, we can support inputs of size ≈ k^{1/3}.
• Preprocess input with an -universal hash function.
• Evaluate the PRF on truncated input.
• Finally, use a deterministic extractor to convert a group element into a bit string.
Figure: k-bit input → hash to ≈ k^{1/3} bits → PRF gives a group element of log P bits → extractor gives k bits.
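An added example (not code from the talk or the paper) that runs the pipeline of slides 6, 11 and 13 single-party in Python: a Dodis-Yampolskiy round function g^{1/(x+SK)} in a toy prime-order group, wired into a three-round Luby-Rackoff network. The input-shrinking and extraction steps are stand-ins (SHA-256 reduced mod Q, and a hash truncated to K bits), which are assumptions rather than the paper's universal hash and deterministic extractor; the group parameters and keys are constructed toy values, not secure sizes.

```python
import hashlib

# Toy prime-order group (constructed, not a secure size): P = 2Q + 1 is a
# safe prime and G = 4 generates the order-Q subgroup of squares mod P.
P, Q, G = 1019, 509, 4
K = 32  # half-block width in bits; the Feistel block is 2K = 64 bits

def dy_prf(sk, x):
    """Dodis-Yampolskiy PRF DY_SK(x) = G^(1/(x+SK)), exponent inverted mod Q."""
    d = (x + sk) % Q
    if d == 0:  # 1/(x+SK) is undefined; DY_SK is simply not defined at this x
        raise ValueError("x + SK is 0 mod Q")
    return pow(G, pow(d, -1, Q), P)

def shrink_input(r):
    """Stand-in for the universal hash + truncation step (assumption): map a
    K-bit half-block to a small PRF input in Z_Q via SHA-256 reduced mod Q."""
    digest = hashlib.sha256(r.to_bytes(K // 8, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def extract_bits(elem):
    """Stand-in for the deterministic extractor (assumption): hash the group
    element and keep K bits, so the round output can be XORed into L."""
    digest = hashlib.sha256(elem.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << K) - 1)

def round_function(sk, r):
    """F_SK(R) = extract(DY_SK(shrink(R))), the round function of slide 6."""
    return extract_bits(dy_prf(sk, shrink_input(r)))

def lr_encrypt(keys, left, right):
    """Three-round Luby-Rackoff: each round maps (L, R) to (R, L xor F_SK(R))."""
    for sk in keys:
        left, right = right, left ^ round_function(sk, right)
    return left, right

def lr_decrypt(keys, left, right):
    """Inverse permutation: undo the rounds in reverse order."""
    for sk in reversed(keys):
        left, right = right ^ round_function(sk, left), left
    return left, right

KEYS = (123, 321, 77)  # constructed round keys SK1, SK2, SK3 in Z_Q

if __name__ == "__main__":
    ct = lr_encrypt(KEYS, 0xDEADBEEF, 0x01234567)
    print("ciphertext:", hex(ct[0]), hex(ct[1]))
    assert lr_decrypt(KEYS, *ct) == (0xDEADBEEF, 0x01234567)
```

The identity y^{x+SK} = g for y = DY_SK(x) is what the test checks on the round function; the case x + SK ≡ 0 mod Q, where the PRF is undefined, is rejected rather than silently mapped.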
14
Distributing DY-PRF
• [x] ← Σ_{i=0}^{m-1} 2^i [x_{i+1}]
• [r] ← MUL([i], [x])
• Chop off all but m^{1/3} bits using the bit conversion protocol [DFT+06].
• Use the Bar-Ilan-Beaver inversion protocol to compute shares of 1/(x+SK) from the shares ([x]+[SK]).
• Return EXP(g, [t])
15
Distributing DY PRF
Protocol for server P_j:
Input: shares of the input’s bits [x_1],…,[x_m] and of the secret key ([i], [SK])
1. [x] ← Σ_{i=0}^{m-1} 2^i [x_{i+1}]
2. [r] ← MUL([i], [x])
3. Use the bit conversion protocol [DFT+06] to chop off all but m^{1/3} bits of r and call the result [y].
4. Run the inversion protocol [BB89] on the share ([y] + [SK]).
5. Finally, use distributed exponentiation EXP(g, [t]).
Running time is dominated by the bit conversion protocol, using O((mn + m log m)·B) bit ops.
16
Let’s Recap!
• Our main tool is a distributed Luby-Rackoff construction.
• 1st idea: we share both the secret keys and the input
• 2nd idea: we use a PRF by Dodis-Yampolskiy, which can be evaluated in O(1) rounds.
17
Distributing Feistel Permutation
Problem: Given shares of (L,R) and SK, we want to compute shares of (R, L ⊕ F_SK(R)).
Solution:
1. Our oblivious DPRF allows us to compute shares [y] of y = F_SK(R) from shares [SK] and [R].
2. Run the distributed exponentiation protocol on [y] and (P+1)/4.
3. Using the bit conversion protocol [DFT+06], we can compute shares of the bits of y and L.
4. For i = 1,…,m (in parallel):
   – [z_i] ← [y_i] + [L_i] mod P
   – MUL([z_i], 2 − [z_i] mod P)
18
Proof of Security
• We prove semi-honest security in UC framework by Canetti.
• Thm [Can01]: Privacy is preserved under non-concurrent modular composition of protocols.
19
Secure threshold PRP if Pr[b = b’] ≈ ½
Figure: simulation picture with a virtual environment A and a simulator B.
20
Proactive Security
• Problem: Our threshold PRP tolerates
  – t compromises over its lifetime (may be very long!)
  versus
  – t compromises in a window of vulnerability
• Solution: Servers periodically refresh their shares of input and secret key:
  – [x]_j ← [x]_j + [0]_j
  – [SK]_j ← [SK]_j + [0]_j
Figure: timeline of compromises (X) with a sliding window of vulnerability.
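An added example (not the authors' code) that simulates two steps of the talk over Shamir shares in Python: slide-17 step 4, where the sum of bit shares followed by the product z(2 − z) yields shares of y_i ⊕ L_i, and the slide-20 refresh, where adding shares of a fresh sharing of 0 re-randomizes the shares without changing the secret. The local product doubles the polynomial degree to 2t, so the MUL protocol's degree reduction is simulated here by opening with all n = 2t+1 shares; the field size and n, t are constructed toy values.

```python
import random

# Toy field and parameters (constructed): shares live in Z_P; n = 5 servers,
# t = (n-1)/2 = 2, so a degree-t sharing opens with t+1 = 3 shares and a
# degree-2t product needs all 2t+1 = 5 of them.
P = 1019
N, T = 5, 2

def share(secret, degree=T, rng=random):
    """Shamir sharing: random degree-`degree` polynomial f with f(0) = secret;
    server j (1..n) receives f(j)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(degree)]
    return [sum(c * pow(j, i, P) for i, c in enumerate(coeffs)) % P
            for j in range(1, N + 1)]

def reconstruct(shares):
    """Lagrange interpolation at 0 using the shares of servers 1..len(shares)."""
    m = len(shares)
    total = 0
    for j in range(1, m + 1):
        num, den = 1, 1
        for l in range(1, m + 1):
            if l != j:
                num = num * (-l) % P
                den = den * (j - l) % P
        total = (total + shares[j - 1] * num * pow(den, -1, P)) % P
    return total

def distributed_xor(y_shares, l_shares):
    """Slide-17 step 4 for one bit position: [z] <- [y_i] + [L_i], then
    MUL([z], 2 - [z]).  Over z in {0,1,2}, z(2-z) equals y_i xor L_i.  The
    local product doubles the degree to 2t; the MUL protocol's degree
    reduction is simulated by opening the result with all n = 2t+1 shares."""
    z = [(a + b) % P for a, b in zip(y_shares, l_shares)]
    return [zi * (2 - zi) % P for zi in z]

def refresh(shares, rng=random):
    """Slide-20 proactive refresh: server j adds [0]_j from a fresh degree-t
    sharing of 0; the secret is unchanged and shares from different epochs
    no longer interpolate to it."""
    zero = share(0, rng=rng)
    return [(s + z) % P for s, z in zip(shares, zero)]

if __name__ == "__main__":
    for y, l in ((0, 0), (0, 1), (1, 0), (1, 1)):
        print(y, l, "->", reconstruct(distributed_xor(share(y), share(l))))
    sk = share(42)
    print("refreshed secret:", reconstruct(refresh(sk)[:T + 1]))
```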
21
Practical Application: Distributed Authenticated Encryption
• Authenticated encryption (AE) provides privacy and authenticity.
  – AE_s(m) = (r, g_s(m‖r)), where r is a nonce.
  – AD_s(r’, y) computes (r, m) = g_s^{-1}(y) and checks that r = r’.
  – It is used in many Internet protocols (e.g., SSL, SSH, …)
22
Conclusions
• We constructed the first reasonably efficient threshold and proactive PRP.
  – O(1) rounds, up to (n-1)/2 semi-honest servers
• We showed how to obliviously evaluate several well-known PRFs [NR97, DY05] in a distributed setting.
• Our techniques allow many protocols that use PRPs, such as CBC block cipher mode, authenticated encryption, etc., to be made distributed.
• Open: Secure our protocol against Byzantine servers.
• Open: Can we replace XOR by * in our distributed LR construction and forego using the expensive bit conversion protocol [DFT+06]?
23
Thank You! Any Questions?