cliptography clipping the power of kleptographic attacks
play

Cliptography: Clipping The Power Of Kleptographic Attacks Qiang - PowerPoint PPT Presentation

Cliptography: Clipping The Power Of Kleptographic Attacks Qiang Tang New Jersey Institute of Technology Joint work with Alexander Russell(UConn), Moti Yung(Snapchat & Columbia), and Hong-Sheng Zhou(VCU) Modern Crypto Modern Crypto


  1. Subvertible OWPs: i, y = f i ( x ) Gen Adversary can win this game…and…

  2. Subvertible OWPs SPEC Gen Gen Two index distributions are indistinguishable

  3. Subvertible OWPs SPEC Gen Gen Two index distributions are indistinguishable OK to ignore Eval as it is deterministic with a public input distribution

  4. Random Padding is Dangerous Index • SPEC: Outputs random i,k; here {g i } is a TDOWP . • IMPL: (i,d) from a TDOWP , and k=SEnc(z,d); here d is the trapdoor.

  5. Mitigating Subliminal Channel Key Generation must be randomized

  6. Conventional Wisdom

  7. Conventional Wisdom Nothing up my sleeve numbers

  8. Conventional Wisdom π = 3.1415926535897932384626432832795..…. some bits of it were • used as constants in some hash function (BLAKE), block cipher (Blowfish) and more Nothing up my sleeve numbers

  9. Conventional Wisdom π = 3.1415926535897932384626432832795..…. some bits of it were • used as constants in some hash function (BLAKE), block cipher (Blowfish) and more e = 2.7182818284590452353602874713527……some bits of it were • used as constants in an AES candidate block cipher (RC5) and more Nothing up my sleeve numbers

  10. Mitigating Subverted KG Nothing up my sleeve parameters/keys

  11. Mitigating Subverted KG Nothing up my sleeve parameters/keys Gen Hash

  12. Mitigating Subverted KG: Intuition z

  13. Mitigating Subverted KG: Intuition z Any backdoor can be used to invert a sparse subset of functions, otherwise SPEC is insecure

  14. Mitigating Subverted KG: Intuition H z z Any backdoor can be used to invert a sparse subset of functions, otherwise SPEC is insecure

  15. Mitigating Subverted KG: Intuition H z z Any backdoor can be used to invert a sparse “Dispersing” the index to subset of functions, otherwise SPEC is insecure a “safe” place

  16. Mitigating Subverted KG Gen Hash Theorem: {g i } is a family of subversion resistant OWPs.

  17. Mitigating Subverted KG Gen Hash Theorem: {g i } is a family of subversion resistant OWPs. Assuming the SPEC of h is RO, and index domain is “simple”

  18. Further Implications

  19. Further Implications • Similarly salvage Duel_EC PRNG: it was shown to be impossible to sanitize the output.

  20. Further Implications • Similarly salvage Duel_EC PRNG: it was shown to be impossible to sanitize the output. • Similarly salvage trapdoor OWP , then further save the KG of the full domain hash digital signature scheme

  21. Further Results

  22. Further Results • Reduction of FDH does not go through, modification needed

  23. Further Results • Reduction of FDH does not go through, modification needed • Reduction from clipto-secure OWP to PRG preserves

  24. Conventional FDH Proof Embed the TDOWP challenge to one RO query answer: Reduction A

  25. Conventional FDH Proof Embed the TDOWP challenge to one RO query answer: Reduction i, y = f i ( x ) A

  26. Conventional FDH Proof Embed the TDOWP challenge to one RO query answer: Reduction i, y = f i ( x ) A

  27. Conventional FDH Proof Embed the TDOWP challenge to one RO query answer: Reduction i, y = f i ( x ) A

  28. FDH in the Clipto Setting Reduction i, y = f i ( x ) A

  29. FDH in the Clipto Setting Reduction i, y = f i ( x ) A y now generated by Eval implementation

  30. FDH in the Clipto Setting Reduction i, y = f i ( x ) A y now generated RO queries can be by Eval made during implementation manufacturing

  31. FDH in the Clipto Setting No way to embed TDOWP challenge Reduction i, y = f i ( x ) A y now generated RO queries can be by Eval made during implementation manufacturing

  32. Revised FDH

Recommend


More recommend