On Forward-Secure Storage
description
Transcript of On Forward-Secure Storage
![Page 1: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/1.jpg)
On Forward-Secure Storage
Stefan Dziembowski
Warsaw University
and
University of Rome La Sapienza
![Page 2: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/2.jpg)
The main idea
Limited Communication Model:
Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen.
D.Intrusion-Resilience via the Bounded-Storage ModelTCC 2006
D. Cash, Y. Z. Ding, Y. Dodis, W. Lee, R. Lipton and S. Walfish Intrusion-Resilient Authentication in the Limited Communication
Model
(There it was used to construct intrusion-resilient protocols for authentication and session-key generation.)
![Page 3: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/3.jpg)
The problem that we consider
key K
message M
C = E(K,M)
Cinstalls a virus
retrieves C
One of the following happens:
• The key K leaks to the adversary or
• The adversary breaks the scheme
The adversary can compute M
![Page 4: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/4.jpg)
Our idea
Design an encryption scheme such that the ciphertext C is so large that the
adversary cannot retrieve it completely
message M
ciphertext C=Encr(K,M)
We call it a
Forward-Secure Storage (FSS)
![Page 5: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/5.jpg)
Practicality?
![Page 6: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/6.jpg)
Forward-Secure Storage
We allow the adversary to compute an arbitrary function h of C.
ciphertext C=Encr(K,M)
function h
retrieved value U=h(C)
length t
length s << t
K M ?
![Page 7: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/7.jpg)
Computational power of the adversary
We consider the following variants:
computational: the adversary is limited to poly-time
information-theoretic: the adversary is infinitely-powerful
hybrid: the adversary gains infinite power after he computed the function h.
This models the fact that the in the future the current cryptosystems may be broken!
![Page 8: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/8.jpg)
Our Contribution
Formal definition of FSS
Constructions of FSS schemes:
IT-secure computationally-secure a scheme with a conjectured hybrid security
Connections with the theory of Harnik and Naor
![Page 9: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/9.jpg)
A tool: the Bounded Storage Model
It turns out that this is related to the Bounded Storage Model (BSM) [Maurer 1992]
In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store.
The computing power of the adversary may be unlimited!
![Page 10: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/10.jpg)
The Bounded-Storage Model (BSM) –an introduction
can perform any computationon R, but the result U=h(R) has to be much smaller than R
shortinitialkey K
X = f(K,R)
000110100111010010011010111001110111111010011101010101010010010100111100001001111111100010101001000101010010001010010100101011010101001010010101
randomizer R:
knows:U=h(R)
randomizer disappears
X ?
Eve shouldn’t be able to distinguish X from random
![Page 11: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/11.jpg)
BSM – previous results
Several key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04].
Of course their security depends on the bound on the memory of the adversary.
We call a function s-secure if it is secure against an adversary that has memory of a size s.
![Page 12: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/12.jpg)
How is BSM related to our model?
Seems that the assumptions are oposite:
transmission storage
BSM cheap expensive
LCM expensive cheap
![Page 13: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/13.jpg)
BSM vs. LCM
Bounded-Storage Model:
Limitted-Communication Model:
R comes from a satellite
stored value U
C is stored on a computer
retrieved value U
![Page 14: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/14.jpg)
Information-theoretic solution – a wrong idea
K R
X
M
Y
f( ),
=message
key
ciphertextin the BSMencryption
f – s-secure in the BSM
xor
ciphertext(R,Y)
Shannon theorem this cannot work!
![Page 15: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/15.jpg)
What exactly goes wrong?
Suppose the adversary has some information about M.
He can see(R, f(K,R) xor M ).
So, he can solve (for K) the equation W = f(K,R) xor M.
If he has enough information about M and K is short, he will succed!
Idea: “Blind” the message M!
denote it W
![Page 16: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/16.jpg)
A better idea
K R
X
M
Y
f( ),
=
message
key is a pair (K,Z)
ciphertext(R,Y)
Z
xor
![Page 17: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/17.jpg)
Why does it work?
IntuitionThe adversary can compute any function h of:
Y is of no use for him, since it is xor-ed with a random string Z!
So if this FSS scheme can be broken then also the BSM function f can be broken
(by an adversary using the same amount of memory).
R Y = f(K,R) xor M xor Z
![Page 18: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/18.jpg)
Problem with the information-theoretic scheme
The secret key needs to be larger than the message!
What if we want the key to be shorter?
We need to switch to the computational settings...
![Page 19: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/19.jpg)
Computational FSS (with a short key)
(Encr,Decr) – an IT-secure FSS(E,D) – a standard encryption scheme
Encr1(
Encr(
E(
)
)
)=
,
,
,
K
K K’
K’
M
K’ is a random key for the standard encryption scheme
M
Intuition: when the adversary learns K he has no idea about K’ and therefore no idea about M.
large
small
![Page 20: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/20.jpg)
Hybrid security
What about the hybrid security?
Recall the scenario:
ciphertext C=Encr(K,M)
h
retrieved value
U=h(C)
M ?
![Page 21: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/21.jpg)
Is this scheme secure in the hybrid model?
The adversary retrives only the second part!
Later, when she gets infinite computing power, she can recover the message M!
Thus, the scheme is not secure in the hybrid model!
Encr(
E(
)
)
,
,
K K’
K’ M
![Page 22: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/22.jpg)
A scheme (Encr2,Decr2)
Does there exist an FSS scheme with hybrid security (and a short key)?
Idea: Generate K pseudorandomly!
(Encr,Decr) – an IT-secure FSSG – a cryptographic PRG
Encr2( )=,K M
Encr( ),G(K) M
![Page 23: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/23.jpg)
Is the scheme from the previous slide secure?It cannot be IT-secure, but is it
computationally-secure? secure in the hybrid model? We leave it as an open problem. Looks secure...
We can show the following:
Very informally,
it is secure if one-way functions cannot be used to construct Oblivious Transfer.
![Page 24: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/24.jpg)
Computational security of Encr2 (1/2)
there exists an adversary Athat breaks the (Encr2,Decr2) scheme
We show that if
then
one can construct an Oblivious Transfer protocol with:
an unconditional privacy of the Sender privacy of the Receiver based on the security of the
PRG G.
![Page 25: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/25.jpg)
Computational security of Encr2 (2/2)
Simplification: assume that |M| = 1 and the adversary can guess it with probability 1.
We construct an honest-but-curious Rabin OT.
receiver senderinput: M
X = G(K) with prob. 0.5X is random with prob. 0.5
Encr(X,M)K
If X = G(K) then the adversary outputs M.
M
U - memory of the adversary
A computationally-limited sendercannot distinguish these cases!
If X is random then the receiver learns nothing about M (this follows from the IT-security of Encr)!
![Page 26: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/26.jpg)
How to interpret this result?
Which PRGs G are safe to use in this protocol?
In some sense: “those that cannot be used to construct OT”.
But maybe there exist “wrong” PRGs...
(see: S. Dziembowski and U. MaurerOn Generating the Initial Key in the Bounded-
Storage Model, EUROCRYPT '04)
![Page 27: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/27.jpg)
Hybrid security of Encr2
The argument for the hybrid security is slightly weaker.
We can construct only an OT-protocol with a computationally-unbounded algorithm for the Receiver...
This is because the receiver has to simulate an unbounded adversary.
receiver
![Page 28: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/28.jpg)
Summary
ITsecurity
hybrid security
comp. security
the first scheme
secure secure secure
the second scheme
notsecure
notsecure
secure
the third scheme
notsecure
maybesecure
maybesecure
![Page 29: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/29.jpg)
A complexity-theoretic view
Suppose the adversary wants to know if a given C is a ciphertext of some message M.
NP-language:L = {C : there exists K such that C = Encr(K,M)}.
standard encryption FSS
is C in L?Can we compress C to some U, s.t. |U| << |C| so that later we can decide if C is in L basing on U, and using infinite computing power?
![Page 30: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/30.jpg)
The theory of Harnik and Naor
This question was recently studied in:Danny Harnik, Moni Naor On the Compressibility of NP Instances andCryptographic Applications FOCS 2006
See also:Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient SamplingSTOC 2006
![Page 31: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/31.jpg)
Compressibility of NP Instances
Informally, an NP language L is compressible if there exists an efficient algorithm that
compresses every string X to a shorter string U,
in such a way that an infinitely-powerful solver can decideif X is in L basing only on U.
Proving that some language is incompressible(from standard assumptions)
is an open problem..
This is why showing an FSS scheme provably-secure in the hybrid model may be hard!
![Page 32: On Forward-Secure Storage](https://reader035.fdocuments.net/reader035/viewer/2022062301/56814953550346895db6a496/html5/thumbnails/32.jpg)
Questions?
?