circular encryption

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg - PowerPoint PPT Presentation


  1. Circular Encryption
     Dan Boneh, Shai Halevi, Mike Hamburg, Rafi Ostrovsky

  2. Circular encryption
     (E, D) a symmetric cipher. k1, k2 two keys.
     Which of the following is “safe” to publish?
     1. c ← E_k1(k2)
     2. c ← E_k1(k1)
     3. c1 ← E_k1(k2), c2 ← E_k2(k1)   (2-circular encryption)

  3. More generally, KDM
     - Key Dependent Messages: E_k( f(k) )
     - Why is KDM a problem? A simple example [GM’84]:
         Ê_k(m) = output c ← k          if m = k
                  output c ← E_k(m)     otherwise
     - Fact: E (sem) secure ⇒ Ê (sem) secure
       … but publishing Ê_k(k) breaks the system!
       ⇒ something is wrong with our definitions of security

  4. KDM in practice
     - Encrypted backup systems:
       [diagram labels: volume, backup app, k, backup, E_k(⋅)]
     - P2P file storage: [BDET’00]
       - Goal: file enc is independent of who created it
       - Method: file-key ← hash( file-contents )
         ⇒ dependence between message and key

  5. KDM in practice
     - Collaboration:
       [diagram labels: PK_A / SK_A, PK_B / SK_B, E_PKB(SK_A), E_PKA(SK_B)]
     - Volume encryption with multiboot: (clique-encryption)
         Partition 1    Partition 2    Partition 3
         E_k1(k2)       E_k2(k1)       E_k3(k1)
         E_k1(k3)       E_k2(k3)       E_k3(k2)
         OS1            OS2            OS3

  6. A Circular-Encryption Application [CL’01]
     - A user has n credentials signed by CA:
         secret:                     SK_1  SK_2  …  SK_n
         public and signed by CA:    PK_1  PK_2  …  PK_n
       [figure labels: “US citizen”, “I am”]
     - User should not “lend” any of his credentials to a friend
     - Solution [CL’01]: CA forces user to publish
         E_PK1[SK_2] , E_PK2[SK_3] , … , E_PKn[SK_1]

  7. KDM security: known results
     - New security model [BRS’02]
         challenger: b ∈ {0,1}, rand k_1, …, k_n
         adversary → challenger: ( i, F(⋅, …, ⋅) ∈ C )
         challenger: y ← F(k_1, …, k_n)
                     c ← E_ki(y)         if b=0
                     c ← E_ki(0^|y|)     if b=1
         adversary outputs: b’ ∈ {0,1}
     - Cipher is C-KDM secure if | Pr[b=b’] – 1/2 | is “negligible”

  8. KDM security: known results
     - Selector functions sufficient for circular security
         F_i( x_1, …, x_n ) = x_i   for i=1,…,n
         adversary obtains E_ki(k_j) for all 1 ≤ i, j ≤ n
     - Open problem: KDM-secure system for non-trivial set C
     - KDM-security in the random-oracle model [BRS’02, CL’01]
         r ← random in {0,1}^κ
         E_k(m) = c ← [ r, H(k,r) ⊕ m ]

  9. Is ElGamal circular secure?
     - Let G be a group of order q, 1 ≠ g ∈ G
     - KeyGen: x ← {1,…,q} ; SK ← (x) ; PK ← (h = g^x)
     - Encryption: r ← random in {1,…,q}
         E_PK(m) = c ← [ g^r , m ⋅ h^r ]
     - Is ElGamal 1-circular secure ??
         [ h = g^x , g^r , x ⋅ h^r ]   indistin. from   [ h = g^x , g^r , 1 ⋅ h^r ]
     - Cannot reduce this to any standard hard problem …

  10. New Results [BHHO’08]
     - A variant of ElGamal with:
       KDM-security for all affine functions and
       based on the Decision Diffie-Hellman problem
     - KeyGen: choose random g_1, …, g_t ← G
               choose random s_1, …, s_t ← {0,1}
         PK = [ g_1, …, g_t, h = (g_1)^s1 … (g_t)^st ]
         SK = [ (g_1)^s1 , … , (g_t)^st ]
     - Encryption:
         E_PK(m) = [ (g_1)^r , … , (g_t)^r , m ⋅ h^r ]

  11. Proof idea: circular security
     - Step 1: prove 1-circular security:
         E_PK(SK)   indistin. from   E_PK(1)
     - Step 2: 1-circular security ⇒ n-circular security
       - Use “secret-key homomorphism”
           PK_1 , E(PK_1, m) , Δ ∈ {0,1}^t   ⇒   PK_2 , E(PK_2, m)
           where SK_1 is the key for PK_1 and SK_2 = SK_1 ⊕ Δ
       - Building an n-wise encryption clique:
           E(PK_1, SK_1) ⇒ E(PK_2, SK_1) , … , E(PK_n, SK_1)

  12. Summary
     - Encrypting key-dependent messages can be risky
       - often can and should be avoided
     - Circular counter-examples illustrate the problem:
       - easy: 1-circular counter-example
       - harder: 2-circular counter-example [BHHO’08]
       - counter-example for weakly-secure systems
     - Constructions:
       - In the random oracle model [BRS’02, CL’01]
       - First construction based on DDH [BHHO’08]

  13. THE END
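
The slide-3 counter-example Ê run inside a one-key version of the slide-7 KDM game, as an added example that is not part of the presentation. SHAKE-256 stands in for the random oracle H of slide 8; the 32-byte key and nonce size, the function names and the probe message are assumptions of this sketch. It measures one specific adversary only, so a zero advantage for E is not a proof of KDM security.

```python
import hashlib
import secrets

KEY_LEN = 32  # bytes; key and nonce size assumed for this sketch

def H(k, r, n):
    # Stand-in for the random oracle H(k, r): SHAKE-256 stretched to n bytes.
    return hashlib.shake_256(k + r).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(k, m):
    # Slide 8 scheme: E_k(m) = [r, H(k, r) XOR m]
    r = secrets.token_bytes(KEY_LEN)
    return r + xor(H(k, r, len(m)), m)

def dec(k, c):
    r, body = c[:KEY_LEN], c[KEY_LEN:]
    return xor(H(k, r, len(body)), body)

def enc_hat(k, m):
    # Slide 3 counter-example: identical to enc except on the one input m = k.
    return k if m == k else enc(k, m)

def kdm_oracle(encrypt, k, b):
    # Slide 7 game with one key: E_k(F(k)) if b = 0, E_k(0^|F(k)|) if b = 1.
    def oracle(F):
        y = F(k)
        return encrypt(k, y if b == 0 else bytes(len(y)))
    return oracle

def adversary(oracle):
    # Ask for the selector F(k) = k, treat the reply as a candidate key, and
    # check it against a second query on a known constant message.
    probe = b"known-probe-msg!"  # constructed sample plaintext
    candidate = oracle(lambda k: k)[:KEY_LEN]
    c2 = oracle(lambda k: probe)
    return 0 if dec(candidate, c2) == probe else 1

def advantage(encrypt, trials=200):
    # Empirical |Pr[b = b'] - 1/2|, alternating b so both worlds are equal.
    wins = 0
    for t in range(trials):
        k = secrets.token_bytes(KEY_LEN)
        wins += adversary(kdm_oracle(encrypt, k, t % 2)) == t % 2
    return abs(wins / trials - 0.5)
```

`advantage(enc_hat)` comes out at 0.5 and `advantage(enc)` at 0.0, even though Ê differs from E on a single input that an adversary choosing messages independently of k would hit only with negligible probability.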
