Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions
Rongmao Chen, Yi Mu, Guomin Yang, Willy Susilo, Fuchun Guo and Mingwu Zhang
Asiacrypt 2016, Hanoi

Outline
- Background
- Cryptographic Reverse Firewall
- Part I: Malleable Smooth Projective Hash Function
- Part II: CRF Constructions Via Malleable SPHFs
- Unkeyed Message Transmission Protocol
- Oblivious Signature-Based Envelope Protocol
- Oblivious Transfer Protocol
- Conclusions and Future Work

Background
- Edward Snowden Revelations
  - Massive surveillance by intelligence agencies
  - Undermining security mechanisms
    - subverting cryptographic protocols
    - deploying security weakness in implementations
- Post-Snowden Cryptography
  - How to achieve meaningful security for cryptographic protocols in the presence of an adversary that may arbitrarily tamper with the victim's machine?

IACR Statement On Mass Surveillance
The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards. Population-wide surveillance threatens democracy and human dignity. We call for expediting research and deployment of effective techniques to protect personal privacy against governmental and corporate overreach.
-- Copenhagen, Eurocrypt 2014

Cryptographic Reverse Firewall [MS15]
- A stateful algorithm $\mathcal{W}$
  - Input: current state $\sigma$ and message $m$
  - Output: updated state $\tilde{\sigma}$ and message $\tilde{m}$
- A "composed" party $\mathcal{W} \circ P$
  - $\mathcal{W}$ is applied to the incoming and outgoing messages of party $P$
  - the state of $\mathcal{W}$ is initialized to the public parameters
- $\mathcal{W}$ is called a reverse firewall for $P$
  - "active router" between $P$'s private network and the outside
[Diagram: $P$'s messages 1 through $n$ each pass through $\mathcal{W}$.]

Cryptographic Reverse Firewall [MS15]
- Stackable reverse firewalls
  - composition of multiple reverse firewalls $\mathcal{W} \circ \mathcal{W} \circ \cdots \circ \mathcal{W} \circ P$
- Transparent to legitimate traffic
  - does not break functionality (Functionality-maintaining)
- $\mathcal{W}$ shares no secret with $P$
  - we do not trust the firewall (Security-preserving)
- No corrupted implementation of $P$ can leak information through $\mathcal{W}$ (Exfiltration-resistant)

Property I: Functionality-Maintaining
- Underlying protocol has some functionality
- Protocol with $\mathcal{W}$ has the same functionality
[Diagram: the message flow without and with $\mathcal{W}$; the parties' outputs are $y_A$ and $y_B$ in both.]

Property II: Security-Preserving
- Underlying protocol satisfies some security notions
- Protocol with $\mathcal{W}$ satisfies the same security notions
- Corrupted implementation may break the security
- Corrupted protocol with $\mathcal{W}$ remains secure
- Strong vs Weak Security-Preserving
- Eavesdropper vs Peer Party
[Diagram: the message flow without and with $\mathcal{W}$.]

Property III: Exfiltration-Resistant
- Corrupted implementation of $P$ cannot leak any information to an eavesdropping attacker
- Strong vs Weak Exfiltration-Resistance
- Eavesdropper vs Peer Party
[Diagram: two message flows through $\mathcal{W}$ shown side by side.]

Research Goal
The "holy grail" would be a full characterization of functionalities and security properties for which reverse firewall exists.
-- By Mironov and Stephens-Davidowitz, Eurocrypt 2015
This work: a general approach for designing CRFs for functionalities that are realizable by Smooth Projective Hash Functions

Smooth Projective Hash Function [CS02]
SPHFSetup($1^{\ell}$) = pp; HashKG(pp) = hk; ProjKG(pp, hk) = hp
[Diagram: a word $C \in L$ with witness $w$ is mapped into $Y$ by Hash(pp, hk, C) and by ProjHash(pp, hp, C, w); a word $C' \in X \setminus L$ is mapped to $V'$ = Hash(pp, hk, C').]
- Correctness: Hash(pp, hk, C) = ProjHash(pp, hp, C, w)
- Smoothness: $V' \approx_S R$ for $R \xleftarrow{\$} Y$
- Hard Subset Membership: $L \approx_C X \setminus L$

Our Extension: Malleable SPHF
- Randomness Sampling
  - SampR(pp) $\longrightarrow r'$
  - SampW(pp) $\longrightarrow w'$
- Projection Key Updating
  - MaulK(pp, hp, $r'$) $\longrightarrow$ hp$'$
  - MaulH(pp, hp, $r'$, C) $\longrightarrow$ hv$'$
- Element Re-randomization
  - ReranE(pp, C, $w'$) $\longrightarrow C'$
  - ReranH(pp, hp, C, $w'$) $\longrightarrow$ hv$'$

Our Extension: Malleable SPHF
- Property I: Projection Key Malleability
[Diagram, built up over several slides: SampR samples $r'$; MaulK maps hp to an updated projection key; Hash on C gives hv under hk and hv$'$ under the updated hashing key; MaulH outputs the value that relates hv$'$ to hv.]

Our Extension: Malleable SPHF
- Property II: Element Re-randomizability
[Diagram, built up over several slides: SampW samples $w'$; ReranE maps C to a re-randomized element $C'$; Hash under hk gives hv for C and hv$'$ for $C'$; ReranH, using hp, outputs the value that relates hv$'$ to hv.]
- $C' \in L$ iff $C \in L$

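A Generic Construction of Malleable SPHF
- Graded Rings [BCC+13]
  - common formalization of cyclic groups, bilinear groups, and multilinear groups
  - $\forall a, b \in \mathbb{Z}_p$: $a \oplus b = a + b$, $a \odot b = a \cdot b$
  - $\forall u_1, v_1 \in \mathbb{G}$: $u_1 \oplus v_1 = u_1 \cdot v_1$, $u_1 \ominus v_1 = u_1 \cdot v_1^{-1}$; $\forall c \in \mathbb{Z}_p$: $c \odot u_1 = u_1^{c}$
  - $\forall u_1, v_1 \in \mathbb{G}$: $u_1 \odot v_1 = e(u_1, v_1) \in \mathbb{G}_T$ ($e: \mathbb{G} \times \mathbb{G} \longrightarrow \mathbb{G}_T$)
- Generic SPHF via Graded Rings [BCC+13]
  - $\Gamma: X \longmapsto \mathbb{G}^{k \times n}$, $\Theta: X \longmapsto \mathbb{G}^{1 \times n}$
  - $C \in L \iff \exists \lambda \in \mathbb{Z}_p^{1 \times k}$ s.t. $\Theta(C) = \lambda \odot \Gamma(C)$
  - hk $:= \alpha = (\alpha_1, \dots, \alpha_n)^{\top} \xleftarrow{\$} \mathbb{Z}_p^{n}$, hp $:= \gamma(C) = \Gamma(C) \odot \alpha \in \mathbb{G}^{k}$
  - Hash(pp, hk, C) $:= \Theta(C) \odot \alpha$, ProjHash(pp, hp, C, w) $:= \lambda \odot \gamma(C)$
  - $\Theta(C) \odot \alpha = \lambda \odot \Gamma(C) \odot \alpha = \lambda \odot \gamma(C)$
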
A Generic Construction of Malleable SPHF
- Generic Malleable SPHF via Graded Rings
  - MaulK(pp, hp $= \gamma(C)$, $r'$): hp$'$ $= \gamma(C) \oplus (\Gamma(C) \odot r')$
  - MaulH(pp, hp, $r'$, C): hv$'$ $= \Theta(C) \odot r'$
  - ReranE(pp, C, $w'$): $C' = \Theta(C) \oplus (\lambda' \odot \Gamma(C))$
  - ReranH(pp, hp, C, $w'$): hv$'$ $= \lambda' \odot \gamma(C)$
- Theorem. The above construction is a malleable SPHF if the following hold:
  - $\Theta: X \longmapsto \mathbb{G}^{1 \times n}$ is an identity function;
  - $\Gamma: X \longmapsto \mathbb{G}^{k \times n}$ is a constant function;
  - the hard subset membership holds.
- Instantiation from the $k$-linear assumption

Message Transmission Protocol with CRFs
- Message Transmission Protocol
  - Sender input: pp, M; receiver input: pp
  - Receiver: hk $\xleftarrow{\$}$ HashKG(pp), hp $\leftarrow$ ProjKG(pp, hk); sends hp
  - Sender: (C, w) $\xleftarrow{\$}$ SampYes(pp), V = ProjHash(pp, hp, C, w), CT = V $\oplus$ M; sends (C, CT)
  - Receiver: M$'$ = CT $\ominus$ Hash(pp, hk, C)
  - M$'$ = M, since Hash(pp, hk, C) = ProjHash(pp, hp, C, w)

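Added example (not from the slides or the authors' code): the generic malleable SPHF above for k = 1, i.e. the DDH-based instance with constant Γ = (g1, g2) and identity Θ, driving the message transmission protocol. The toy group parameters, the function names and the `rerandomize` helper are assumptions for illustration; `rerandomize` only shows what the ReranE/ReranH identity permits on (C, CT) and is not claimed to be the paper's firewall.

```python
import secrets

# Constructed toy group (insecure size): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G1, G2 = 2039, 1019, 4, 9   # G1, G2 are squares mod P, so both have order Q

def rand():
    return secrets.randbelow(Q - 1) + 1

def hash_kg():           # hk = alpha = (a1, a2)
    return (rand(), rand())

def proj_kg(hk):         # hp = Γ ⊙ alpha = g1^a1 * g2^a2
    return pow(G1, hk[0], P) * pow(G2, hk[1], P) % P

def samp_yes():          # C = (g1^w, g2^w) in L, with witness w
    w = rand()
    return (pow(G1, w, P), pow(G2, w, P)), w

def hash_(hk, C):        # Θ(C) ⊙ alpha = u1^a1 * u2^a2
    return pow(C[0], hk[0], P) * pow(C[1], hk[1], P) % P

def proj_hash(hp, w):    # w ⊙ hp = hp^w
    return pow(hp, w, P)

def maul_k(hp, r):       # hp ⊕ (Γ ⊙ r'): the projection key of hk + r'
    return hp * proj_kg(r) % P

def maul_h(r, C):        # Θ(C) ⊙ r'
    return hash_(r, C)

def reran_e(C, w2):      # C ⊕ (w' ⊙ Γ)
    return (C[0] * pow(G1, w2, P) % P, C[1] * pow(G2, w2, P) % P)

def reran_h(hp, w2):     # w' ⊙ hp
    return pow(hp, w2, P)

def send(hp, M):         # sender: CT = ProjHash(hp, C, w) ⊕ M
    C, w = samp_yes()
    return C, proj_hash(hp, w) * M % P

def receive(hk, C, CT):  # receiver: M' = CT ⊖ Hash(hk, C)
    return CT * pow(hash_(hk, C), -1, P) % P

def rerandomize(hp, C, CT):  # refresh (C, CT) knowing neither hk nor w
    w2 = rand()
    return reran_e(C, w2), CT * reran_h(hp, w2) % P

hk = hash_kg()
print(receive(hk, *rerandomize(proj_kg(hk), *send(proj_kg(hk), 1234))))  # 1234
```

Here ⊕ on group elements is multiplication mod P and ⊖ is multiplication by the inverse, following the graded-ring definitions above.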