Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange
David Derler, Tibor Jager, Daniel Slamanig, Christoph Striecks
May 3, 2018, Eurocrypt 2018, Tel Aviv, Israel

Key Establishment with TLS
[Figure: message flow between Client and Server]
• TCP handshake (1-RTT): SYN, SYN-ACK, ACK
• TLS handshake (1-RTT): ClientHello, ClientKeyShare; ServerHello, ServerKeyShare, Cert, Signature, Finished; Finished
• Payload
• 2 RTTs before first payload message
• Is this necessary?
• TCP → UDP

Send cryptographically protected payload in first message (0-RTT KE)?

Trivial Protocol
• Server holds key pair $(pk, sk)$
• Client sends $c \leftarrow \mathsf{Enc}_{pk}(k)$ and $p \leftarrow \mathsf{SymEnc}_k(\text{Payload})$
Major deficiencies:
• No forward secrecy
• Vulnerable to replay attacks

Existing Approaches
0-RTT in TLS1.3/QUIC
• First session 1-RTT, session resumption 0-RTT
� Replay protection
? Forward secrecy for most transmitted data
Full forward secrecy, replay protection, and 0-RTT?
• A priori not even clear if possible
• Günther, Hale, Jager, and Lauer at Eurocrypt’17
• Using puncturable encryption (Green, Miers at S&P 2015)

Puncturable Encryption
Conventional encryption scheme:
• (KeyGen, Enc, Dec)
+ Additional algorithm $sk' \leftarrow \mathsf{Punc}(sk, C)$
Properties
• $sk'$ no longer useful to decrypt $C$
• $sk'$ still useful to decrypt other ciphertexts
• Repeated puncturing possible
Forward-secret 0-RTT KE via puncturable encryption
• Client encrypts message under public key $pk$
• Server decrypts using secret key $sk'$
• Server punctures $sk'$ on $C$

Our Approach
Downsides of existing approaches
• Puncturing and/or decryption expensive (experiments by authors of [GHJL17]: 30s - several minutes)
Observation
• Can accept somewhat larger (secret) keys
• Can accept non-negligible correctness error
• For example, 1 in 1000 sessions fail
  • Can fall back to 1-RTT in this case

Bloom Filters
• Bit array with positions $1, \dots, m$, initial state $T := 0^m$
• $k$ universal hash functions $(H_j)_{j \in [k]}$
• $H_j : U \to [m]$
• Throughout this talk, let $k = 3$
[Figure: inserting the set {x, y, z}; each element sets the bits at $H_1$, $H_2$, $H_3$]
  after x: 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0
  after y: 0 1 0 0 1 1 0 1 0 0 1 0 0 0 0 1 0 0 0
  after z: 0 1 0 1 1 1 0 1 0 0 1 0 0 0 0 1 0 0 1
[Figure: membership queries for w and v via $H_1$, $H_2$, $H_3$]
Properties
• No false negatives
• False positives possible
• Probability determined by $k$, $m$, and # inserted elements

Bloom Filter Encryption
[Figure: Bloom filter bit array with a public key $pk_i$ and a secret key $sk_i$ attached to each bit $i \in [m]$; in the figure, $\tau$ hashes to indexes 6, 11 and $m-3$]
KeyGen
• Set up BF
• Associate key pair to each bit
• Compose BFE key pair $(pk, sk)$
Encrypt message $M$
• Randomly choose tag $\tau$
• Determine indexes from $\tau$
• $C_\tau \leftarrow \mathsf{Enc}_{pk_6 \lor pk_{11} \lor pk_{m-3}}(M)$
Puncture ciphertext $C_{\tau'}$
• Determine BF indexes from $\tau'$
• Delete associated keys
• Update BF state (in the figure: 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0)
• Secret key no longer useful to decrypt $C_{\tau'}$ with associated tag $\tau'$
Decrypt ciphertext $C_\tau$
• Determine BF indexes from $\tau$
• Let $i$ be the lowest index with $\mathsf{BF}[i] = 0$
• $M \leftarrow \mathsf{Dec}_{sk_6}(C_\tau)$

Example BF Parameters
We let
• Maximum # of elements in BF: $n = 2^{20}$ ≈ $2^{12}$ puncturings/day for a full year
• False positive probability: $p = 10^{-3}$
Then we get
• BF size $m = -n \ln p / (\ln 2)^2 \approx 2$ MB
• # hash functions $k = \lceil (m/n) \ln 2 \rceil = 10$
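
The key handling from the Bloom Filter Encryption slides, combined with the parameter formulas above, as an added Python example (not the authors' code). It assumes salted SHA-256 for the hash functions $H_j$ and uses symmetric per-slot keys as stand-ins for the per-bit IBE keys, so it models only the KeyGen/Punc/Dec bookkeeping, not public-key encryption; `ToyBFE`, `bf_params` and `indexes` are hypothetical names.

```python
import hashlib, hmac, math, secrets

def bf_params(n, p):
    """Slide formulas: m = -n ln p / (ln 2)^2 bits, k = ceil((m/n) ln 2)."""
    m = math.ceil(-n * math.log(p) / math.log(2) ** 2)
    return m, math.ceil(m / n * math.log(2))

def indexes(tag, m, k):
    """H_1..H_k : U -> [m], modelled with salted SHA-256 (assumption)."""
    return [int.from_bytes(hashlib.sha256(bytes([j]) + tag).digest(), "big") % m
            for j in range(k)]

def _xor_pad(slot_key, tag, data):
    pad = hmac.new(slot_key, tag, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class ToyBFE:
    """BFE key bookkeeping only. Symmetric slot keys stand in for the per-bit
    IBE keys, so this is NOT public-key encryption (assumption for the demo)."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.sk = {i: secrets.token_bytes(32) for i in range(m)}  # one key per BF bit
        self.pk = dict(self.sk)  # stand-in for the sender-side key; never punctured

    def encrypt(self, session_key):
        """Wrap a session key (at most 32 bytes) once per index H_j(tag)."""
        tag = secrets.token_bytes(16)
        wraps = [_xor_pad(self.pk[i], tag, session_key)
                 for i in indexes(tag, self.m, self.k)]
        return tag, wraps

    def puncture(self, ct):
        for i in indexes(ct[0], self.m, self.k):
            self.sk.pop(i, None)  # deleting sk_i is the same as setting BF[i] = 1

    def decrypt(self, ct):
        tag, wraps = ct
        live = [(i, w) for i, w in zip(indexes(tag, self.m, self.k), wraps)
                if i in self.sk]
        if not live:  # replayed/punctured tag or Bloom false positive
            return None  # caller falls back to a 1-RTT handshake
        i, w = min(live)  # lowest index whose BF bit is still 0
        return _xor_pad(self.sk[i], tag, w)
```

Once a ciphertext is punctured, the slot keys at its indexes are gone from `sk`, so a later compromise of the server state cannot recover that session key and a replay of the same ciphertext is rejected.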

Instantiations
Three instantiations with different trade-offs
• Identity-based encryption (IBE)
• Attribute-based encryption (ABE)
• NEW: Identity-based broadcast encryption (IBBE) [1]

Construction             |pk|    |sk|      |C|     Dec     Punc
IBE [Crypto’01]          O(1)    O(m)      O(k)    O(k)    O(k)
ABE [CT-RSA’13, AC’15]   O(m)    O(m^2)    O(1)    O(k)    O(k)
IBBE [AC’07]             O(k)    O(m)      O(1)    O(k)    O(k)

[1] Construction by Kai Gellert in extended version (ePrint 2018/199)

Instantiations (IBE)
Based on Boneh-Franklin (BF) IBE
• Constant size public key (400 bit at 120 bit security)
• Secret key: include one IBE-$sk$ per bit of BF (=identity)