anonymous ibe leakage resilience and circular security
play

Anonymous IBE, Leakage Resilience and Circular Security from New - PowerPoint PPT Presentation

Apr 10, 2024 •355 likes •1.01k views

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan Identity-Based Encryption [Sha84, BF03, Coc01] Identity-Based Encryption [Sha84, BF03, Coc01]

  1. Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan

  2. Identity-Based Encryption [Sha84, BF03, Coc01]

  3. Identity-Based Encryption [Sha84, BF03, Coc01]

  4. Identity-Based Encryption [Sha84, BF03, Coc01] To Bob:

  5. Identity-Based Encryption [Sha84, BF03, Coc01] Ciphertext may reveal Bob’s identity To Bob:

  6. Anonymous Identity-Based Encryption [BCOP04] To Bob:

  7. Constructions of IBE Reference Assumption RO? Anonymous? Boneh-Franklin Bilinear Maps Yes Yes Cocks QR Yes No Boneh-Gentry- QR Yes Yes Hamburg + Crescenzo-Saraswat Boneh-Boyen Bilinear Maps No No Boyen-Waters Bilinear Maps No Yes + Gentry Gentry-Peikert- LWE Yes Yes Vaikuntanathan Cash-Hofheinz-Kiltz- LWE No Yes Peikert + Agrawal-Boneh- Boyen

  8. A “Postmodern” Construction of IBE

  9. A “Postmodern” Construction of IBE • [DG17a] Non-black-box construction of IBE from CDH (implied by both DDH and Factoring) • New primitive: Chameleon Encryption

  10. A “Postmodern” Construction of IBE • [DG17a] Non-black-box construction of IBE from CDH (implied by both DDH and Factoring) • New primitive: Chameleon Encryption Questions

  11. A “Postmodern” Construction of IBE • [DG17a] Non-black-box construction of IBE from CDH (implied by both DDH and Factoring) • New primitive: Chameleon Encryption Questions • What about anonymity? [DG] is not anonymous. • IBE from more assumptions? Generic assumptions?

  12. This Work

  13. This Work • Notions/Tools • Compactness of IBE (“weak IBE” full IBE) • Batch Encryption (from which we construct “weak IBE”) • Blindness (to help obtain Anonymous IBE)

  14. This Work • Notions/Tools • Compactness of IBE (“weak IBE” full IBE) • Batch Encryption (from which we construct “weak IBE”) • Blindness (to help obtain Anonymous IBE) • More from CDH : Anonymous IBE from CDH

  15. This Work • Notions/Tools • Compactness of IBE (“weak IBE” full IBE) • Batch Encryption (from which we construct “weak IBE”) • Blindness (to help obtain Anonymous IBE) • More from CDH : Anonymous IBE from CDH • IBE from More : IBE from a variant of the LPN assumption

  16. This Work • Notions/Tools • Compactness of IBE (“weak IBE” full IBE) • Batch Encryption (from which we construct “weak IBE”) • Blindness (to help obtain Anonymous IBE) • More from CDH : Anonymous IBE from CDH • IBE from More : IBE from a variant of the LPN assumption • Leakage-Resilient and KDM secure public key encryption from CDH and LPN

  17. This Work • Notions/Tools • Compactness of IBE (“weak IBE” full IBE) * • Batch Encryption (from which we construct “weak IBE”) • Blindness (to help obtain Anonymous IBE) • More from CDH : Anonymous IBE from CDH * • IBE from More : IBE from a variant of the LPN assumption • Leakage-Resilient and KDM secure public key encryption from CDH and LPN * Also in concurrent work [DGHM18]

  18. Outline • A blueprint for constructing IBE • Batch Encryption • Blindness and Anonymous IBE

  19. A Blueprint for Constructing IBE

  20. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Full IBE

  21. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Trivial IBE Full IBE

  22. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Trivial IBE Weakly Compact IBE Full IBE

  23. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Trivial IBE Weakly Compact IBE Full IBE • Theorem: Weakly Compact IBE IBE

  24. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Trivial IBE Weakly Compact IBE Full IBE • Theorem: Weakly Compact IBE IBE • Uses ideas from [DG17b] (which obtained adaptively secure IBE from selectively secure IBE)

  25. A Blueprint for Constructing IBE “IBE” Schemes (supporting T identities) Primitive |mpk| |ct| |sk| Trivial IBE Weakly Compact IBE Full IBE • Theorem: Weakly Compact IBE IBE • Uses ideas from [DG17b] (which obtained adaptively secure IBE from selectively secure IBE) • Theorem: “ Batch Encryption” can compress a Trivial IBE scheme into a Weakly Compact IBE scheme

  26. How to construct IBE CDH (LWE) LPN

  27. How to construct IBE Batch Encryption [DG17] (CDH) Step 1 [this work] (LPN) CDH (LWE) LPN

  28. How to construct IBE wIBE Step 2 [this work] Batch Encryption [DG17] (CDH) Step 1 [this work] (LPN) CDH (LWE) LPN

  29. How to construct IBE IBE Step 3 [this work] wIBE Step 2 [this work] Batch Encryption [DG17] (CDH) Step 1 [this work] (LPN) CDH (LWE) LPN

  30. Batch Encryption (taking the “chameleon” out of Chameleon Encryption)

  31. Batch Encryption (taking the “chameleon” out of Chameleon Encryption)

  32. Batch Encryption (taking the “chameleon” out of Chameleon Encryption) • Correctness: for all i . • Security: computationally hidden from Bob.

  33. Batch Encryption (taking the “chameleon” out of Chameleon Encryption) • This is Laconic OT [CDGGMP17] without receiver privacy

  34. Batch Encryption (taking the “chameleon” out of Chameleon Encryption) • This is Laconic OT [CDGGMP17] without receiver privacy • Why is this notion powerful?

  35. Batch Encryption (taking the “chameleon” out of Chameleon Encryption) • This is Laconic OT [CDGGMP17] without receiver privacy • Why is this notion powerful?

  36. Batch Encryption (taking the “chameleon” out of Chameleon Encryption) • Simple black box construction of Leakage-Resilient and KDM secure PKE from Batch Encryption

  37. Constructing Batch Encryption • CDH/Factoring [DG17]. • Hash function is the standard discrete log CRHF. • Encryption is essentially El-Gamal • LWE • Hash function is the standard SIS CRHF. • Encryption is essentially Dual Regev • LPN • CRHF constructed by [BLVW18, YZWGL17] • Encryption is “an LPN analogue to Dual Regev” • Requires noise rate (only quasipolynomially secure)

  38. wIBE from Batch Encryption

  39. wIBE from Batch Encryption • Question: How do you encrypt without the public key? (can’t store T public keys)

  40. wIBE from Batch Encryption • Question: How do you encrypt without the public key? (can’t store T public keys) • Answer: garble the encryption circuit + Batch Encrypt the labels (“Deferred Encryption Paradigm”)

  41. wIBE from Batch Encryption • Question: How do you encrypt without the public key? (can’t store T public keys) • Answer: garble the encryption circuit + Batch Encrypt the labels (“Deferred Encryption Paradigm”)

  42. wIBE from Batch Encryption • Question: How do you encrypt without the public key? (can’t store T public keys) • Answer: garble the encryption circuit + Batch Encrypt the labels (“Deferred Encryption Paradigm”)

  43. How to construct IBE IBE (non-black-box) [this work] wIBE [this work] + Garbled PKE Batch Encryption [DG17] (CDH) [this work] (LPN) CDH LPN

  44. How to construct Anonymous IBE? AnonIBE wAnonIBE “Anonymous” Batch Encryption CDH LPN

  45. How to construct Anonymous IBE? AnonIBE NO wAnonIBE “Anonymous” Batch Encryption CDH LPN

  46. Attack on Anonymity What is the problem? In some intermediate decryption steps, Adversary has the correct secret keys.

  47. Attack on Anonymity What is the problem? In some intermediate decryption steps, Adversary has the correct secret keys.

  48. Attack on Anonymity What is the problem? In some intermediate decryption steps, Adversary has the correct secret keys.

  49. Attack on Anonymity Learns the first two bits of id What is the problem? In some intermediate decryption steps, Adversary has the correct secret keys.

  50. Attack on Anonymity Learns the first two bits of id What is the problem? In some intermediate decryption steps, Adversary has the correct secret keys. We need a notion of wIBE security that holds even against authorized users.

  51. Blind IBE A notion of security that holds even against authorized users. To Bob:

  52. Blind IBE A notion of security that holds even against authorized users. • Semantic Security, and To Bob:

  53. Blind IBE A notion of security that holds even against authorized users. • Semantic Security, and

  54. Blind IBE A notion of security that holds even against authorized users. • Semantic Security, and For random m • * *We actually allow a relaxation of this definition

  55. Blind IBE A notion of security that holds even against authorized users. • Semantic Security, and For random m • * • We build Blind IBE from Blind Batch Encryption • Reminiscent of weak attribute hiding vs. strong attribute hiding for PE *We actually allow a relaxation of this definition

Recommend

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security Circular Security Q: Is it in general safe to encrypt your own key? A: For some schemes (e.g. [BHHO08,ACPS09] ) yes but in general No! Circular

545 views • 33 slides
On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

547 views • 30 slides
BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION Mr. S pea k e r , wish to dedicate this sectoral presentation to the hardworking, devoted and uncompromising I members of Jamaicas security

478 views • 21 slides
SAME Resilience Webinar Dedicated to National Security Since 1920 JETC Resilience Program Wed, 23

SAME Resilience Webinar Dedicated to National Security Since 1920 JETC Resilience Program Wed, 23

SAME Resilience Webinar Dedicated to National Security Since 1920 JETC Resilience Program Wed, 23 May Government Panel on Priority Resilience Issues Cyber Resiliency of Mission Critical Automation Systems Thr, 24 May Resilience

564 views • 27 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides
Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya

Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya

Tamper and Leakage Resilience in the Split State Model Feng-Hao Liu Anna Lysyanskaya Brown University I/O Access to a Device Secret s x x D s (x) D s (x) Device for D s ( ) User

683 views • 24 slides
Climate resilience, resource efficiency and circular economy Support to SMEs in international

Climate resilience, resource efficiency and circular economy Support to SMEs in international

Climate resilience, resource efficiency and circular economy Support to SMEs in international value chains By Annegret Brauss 11 June, 2019 2 ITC helps businesses do good trade ITC is dedicated to support the competitiveness and

434 views • 16 slides
Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and

Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and

Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and Resilience" focus area has five main activities, based on the NIST cybersecurity framework, but expanded to all- hazards. Improve the Ability to

647 views • 6 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Leakage Resilience from Lattices Marco Martinoli ( ESR10 ) Supervised by Prof. Elisabeth Oswald

Leakage Resilience from Lattices Marco Martinoli ( ESR10 ) Supervised by Prof. Elisabeth Oswald

11 th October 2017 Leakage Resilience from Lattices Marco Martinoli ( ESR10 ) Supervised by Prof. Elisabeth Oswald and Dr. Martijn Stam University of Bristol Leaky Lattices 11 th October 2017 HIGHLIGHTS 09/16 09/17 I went to NXP for my

424 views • 25 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1

Efficient Public-Key Cryptography with Bounded Leakage and Tamper Resilience Antonio Faonio 1 Daniele Venturi 2 Department of Computer Science, Aarhus University, Aarhus, Denmark Department of Information Engineering and Computer Science,

763 views • 34 slides
Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

1.07k views • 89 slides
Anonymous Communication and Internet Freedom CS 161: Computer Security Prof. David Wagner May 2,

Anonymous Communication and Internet Freedom CS 161: Computer Security Prof. David Wagner May 2,

Anonymous Communication and Internet Freedom CS 161: Computer Security Prof. David Wagner May 2, 2013 oday Goals For T State-sponsored adversaries Anonymous communication Internet censorship State-Sponsored Adversaries Anonymous

974 views • 58 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship

Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship

Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship Martin C. Th. Scholten August 29, 2017 @mcthscholten A Global Flagship Proposal Food Production in Biobased Society From Linear to Circular, no

90 views • 7 slides
ANDaNA: Onion Routing for NDN Steve DiBenedetto Colorado State University ANDaNA: Anonymous

ANDaNA: Onion Routing for NDN Steve DiBenedetto Colorado State University ANDaNA: Anonymous

ANDaNA: Onion Routing for NDN Steve DiBenedetto Colorado State University ANDaNA: Anonymous Named Data Networking Application NDSS 12 Steven DiBenedetto, Paolo Gasti, Gene Tsudik, Ersin Uzun Information Linkage & Leakage I:

820 views • 52 slides
CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for

CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for

CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for Research on Computation and Society Harvard University September 26, 2005 1 Todays Outline: 1. LiveJournal 2. HW1 and HW2 3. Readings 4.

1.36k views • 113 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Distributed File Systems Security: Anonymous access all files available to all users 14B.

Distributed File Systems Security: Anonymous access all files available to all users 14B.

6/6/2017 Distributed File Systems Security: Anonymous access all files available to all users 14B. Remote Data: Security no authentication required may be limited to read-only access 14C. Remote Data: Reliability & Robustness

89 views • 8 slides
Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous, Censorship-Resistant Networks Dennis Kgler Federal Office for Information Security, Germany Dennis.Kuegler@bsi.bund.de 1 Anonymous,

488 views • 16 slides

More recommend