Security of Symmetric Primitives under Incorrect Usage of Keys

Similar documents
Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Block Ciphers/Pseudorandom Permutations

2 Message authentication codes (MACs)

Solution of Exercise Sheet 7

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Post-quantum security models for authenticated encryption

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

1 Number Theory Basics

Doubly half-injective PRGs for incompressible white-box cryptography

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPA-Security. Definition: A private-key encryption scheme

A New Approach to Practical Active-Secure Two-Party Computation

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Lecture 9 - Symmetric Encryption

Robust Password- Protected Secret Sharing

Digital Signatures. Adam O Neill based on

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

March 19: Zero-Knowledge (cont.) and Signatures

Oblivious Transfer (OT) and OT Extension

Lecture 7: CPA Security, MACs, OWFs

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Historical cryptography. cryptography encryption main applications: military and diplomacy

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

A survey on quantum-secure cryptographic systems

Perfectly-Crafted Swiss Army Knives in Theory

Lecture 5, CPA Secure Encryption from PRFs

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

ECS 189A Final Cryptography Spring 2011

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Extending Oblivious Transfers Efficiently

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

On the CCA1-Security of Elgamal and Damgård s Elgamal

Authentication. Chapter Message Authentication

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

BEYOND POST QUANTUM CRYPTOGRAPHY

Lecture 17: Constructions of Public-Key Encryption

Introduction to Cybersecurity Cryptography (Part 4)

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Lecture 18: Message Authentication Codes & Digital Signa

1 Basic Number Theory

A Posteriori Openable Public Key Encryption *

Digital Signatures. p1.

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Stronger Security Variants of GCM-SIV

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

CTR mode of operation

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Notes for Lecture 9. 1 Combining Encryption and Authentication

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Leakage-Resilient Public-Key Encryption from Obfuscation

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

ASYMMETRIC ENCRYPTION

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Design Paradigms for Building Multi-Property Hash Functions

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Cryptographic Security of Macaroon Authorization Credentials

4-3 A Survey on Oblivious Transfer Protocols

Smooth Projective Hash Function and Its Applications

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Pattern Matching Encryption, Strategic Equivalence of Range Voting and Approval Voting, and Statistical Robustness of Voting Rules.

Random Oracles in a Quantum World

Leftover Hash Lemma, Revisited

Lecture 10 - MAC s continued, hash & MAC

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Minimal Design for Decentralized Wallet. Omer Shlomovits

Notes for Lecture 16

Chosen Plaintext Attacks (CPA)

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Chosen-Ciphertext Security (I)

Transcription:

Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus, Denmark FSE 2017, Tokyo, Japan 8 th March 2017 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 1 / 33

Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. PKC13: robustness for PKE & IBE revisited by Farshim et al. AC10: Mohassel extends robustness to Hybrid Encryption. TCC10: robustness introduced for PKE & IBE by Abdalla et al. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 2 / 33

Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice Bob

Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice C Bob K 1 K 2 Eve P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 3 / 33

Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33

Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? Enc(K, s) = Enc(K, s ) = FORGE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33

Motivating Key Robustness - Example 2 CBC-MAC: m 0 m 1 m 2 m t 1 0 E K E K E K E K T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 5 / 33

Motivating Key Robustness - Example 2 CBC-MAC: (m 0, m 0 ) (m 1, m 1 ) (m 2, m 2 ) (m t 1, m t 1 ) 0 E K E K E K E K T MAC(K, M) = MAC(K, M ) = T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 6 / 33

Definitional Landscape Complete Robustness (CROB): adversarially generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB security: 1. (C, K 1 K 2 ) A 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 7 / 33

Definitional Landscape Strong Robustness (SROB): honestly generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB SROB 1. (C, K 1 K 2 ) A 1. C A Enc,Dec 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 8 / 33

Definitional Landscape CROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 9 / 33

Definitional Landscape AE-secure scheme = SROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 10 / 33

Definitional Landscape AE-secure scheme CROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 11 / 33

Definitional Landscape - MACs CROB SROB 1. (T, M 1, M 2, K 1 K 2 ) A 1. (T, M 1, M 2 ) A Tag,Ver 2. Ver(K 1, M 1, T ) = 1 3. Ver(K 2, M 2, T ) = 1 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 12 / 33

Definitional Landscape - MACs SUF-secure MAC scheme = SROB-secure. CROB SROB SUF P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 13 / 33

The Big Picture FROB CROB XROB SFROB KROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 14 / 33

Generic Composition Same Keys: Enc-Then-MAC is CROB Enc is CROB OR MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB Different Keys: Enc-Then-MAC is CROB Enc is CROB AND MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 15 / 33

Generic Composition Proof intuition (Enc-Then-Mac): A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K e1 K m1 K e2 K m2 M 1 Enc MAC M 2 Enc MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 16 / 33

Generic Composition Proof intuition. A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K m1 K m2 C MAC C MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 17 / 33

CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33

CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. Different-Keys: authenticate the encryption key. Enc((K e K m ), M): C Enc(K e, M) T RO(K m, (C K e )) return (C, T ) AE-security CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33

CROB AE in the Standard Model Idea: construct a CROB secure MAC in the Standard Model. First attempt: Enc((K e K m ), M): C Enc(K e, M) T MAC(K m, (C K e )) return (C, T ) Issue: pseudorandomness for MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 19 / 33

CROB AE in the Standard Model Idea: construct a CR-PRF in the Standard Model. Second attempt: Enc((K e K m ), M): C Enc(K e, M) T PRF(K m, (C K e )) return (C, T ) Issue: ensure the PRF is Collision-Resistant. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 20 / 33

Collision-Resistant PRFs in the Standard Model Collision-Resistant PRF: PRF(K 1, M 1 ) = PRF(K 2, M 2 ) = (K 1, M 1 ) = (K 2, M 2 ) Key-Injective PRF: PRF(K 1, M) = PRF(K 2, M) K 1 = K 2 Right-Injective PRG: PRG RHS (K 1 ) = PRG RHS (K 2 ) K 1 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 21 / 33

Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Collision-Resistant PRF: PRF(K, M) = PRF(K, M ) = (K, M) = (K, M ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 22 / 33

Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 1 - Key-Injective PRF: PRF(K 2, C 1 ) = PRF(K 2, C 1) K 2 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 23 / 33

Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 2 - Right-Injective PRG: PRG RHS (K ) = PRG RHS (K ) K = K P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 24 / 33

Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 3 - Permutation: PRP(K 1, M) = PRP(K 1, M ) M = M P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 25 / 33

Right-Injective PRGs Building-block 1: a right injective PRG. Use the construction by Yao: PRG(x) := HC(x) HC(π(x))... HC(π x 1 (x)) π x (x) }{{}}{{} Left Part Right Part π is a pseudorandom permutation. HC is a hardcore predicate. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 26 / 33

Key-Injective PRFs Building-block 2: a Key-Injective PRF via the GGM construction. Open problems: more efficient constructions from weaker assumptions. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 27 / 33

Left/Right Collision-Resistant PRGs Building-block 3: length doubling Left/Right Collision-Resistant PRGs. PRG LHalf (K ) = PRG LHalf (K ) K = K AND PRG RHalf (K ) = PRG RHalf (K ) K = K Example: G(x 1, x 2, x 3 ) := ( (g x 1, g x 1x 2, g x 2x 3 ), (g x 2, g x 1x 3, g x 3) ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 28 / 33

CROB transforms in the Standard Model Analogue of the ABN transform in the symmetric setting: MAC key is generated on the fly. MAC is collision-resistant. Definition Enc(K e, M): K m Gen m (1 λ ) (K 1 e K 2 e ) PRG(K e ) C Enc(K 1 e, (M K m )) T Tag(K m, (C K 2 e )) return (C T ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 29 / 33

Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33

Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33

Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: x 1 = (K 2, K 3 ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 i x i C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 31 / 33

Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 1 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K, C 3 ) = M C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 32 / 33

Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 2 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K 3, C 3 ) = M 3 C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 33 / 33

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback