cryptographic reverse firewall via malleable smooth
play

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash - PowerPoint PPT Presentation

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi Mu, Guomin Yang , Willy Susilo, Fuchun Guo and Mingwu Zhang Asiacrypt 2016, Hanoi Outline n Background n Cryptographic Reverse Firewall n Part


  1. Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi Mu, Guomin Yang , Willy Susilo, Fuchun Guo and Mingwu Zhang Asiacrypt 2016, Hanoi

  2. Outline n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol n Conclusions and Future Work

  3. Outline n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol n Conclusions and Future Work

  4. Background q Edward Snowden Revelations q Massive surveillance by intelligence agencies q Undermining security mechanisms q subverting cryptographic protocols q deploying security weakness in implementations

  5. Background q Edward Snowden Revelations q Massive surveillance by intelligence agencies q Undermining security mechanisms q subverting cryptographic protocols q deploying security weakness in implementations q Post-Snowden Cryptography q How to achieve meaningful security for cryptographic protocols in the presence of an adversary that may arbitrarily tamper with the victim’s machine?

  6. IACR Statement On Mass Surveillance The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards , Population-wide surveillance threatens democracy and human dignity. We call for expediting research and deployment of effective techniques to protect personal privacy against governmental and corporate overreach. -- Copenhagen, Eurocrypt 2014

  7. Outline n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol n Conclusions and Future Work

  8. Cryptographic Reverse Firewall [MS15] p A stateful algorithm 𝒳 p Input: current state 𝜐 and message 𝑛 p Output: updated state πœΜƒ and message 𝑛 % p A β€œcomposed” party 𝒳 ∘ P 𝒳 is applied to the incoming and outgoing messages of p party P p the state of 𝒳 is initialized to the public parameters 𝒳 is called a reverse firewall for P p p β€œactive router” between P ’s private network and the outside 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ P 𝒳

  9. Cryptographic Reverse Firewall [MS15] p Stackable reverse firewalls p composition of multiple reverse firewalls 𝒳 ∘ 𝒳 ∘ β‹― ∘ 𝒳 ∘ P p Transparent to legitimate traffic p does not break functionality ( Functionality-maintaining ) p 𝒳 shares no secret with P p we do not trust the firewall ( Security-preserving ) p No corrupted implementation of P can leak information through 𝒳 ( Exfiltration-resistant ) 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ P 𝒳

  10. Property I: Functionality-Maintaining p Underlying protocol has some functionality 𝑛 1 … 𝑛 π‘œ y A y B p Protocol with 𝒳 has the same functionality 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ y A y B

  11. Property II: Security-Preserving p Underlying protocol satisfies some security notions 𝑛 1 … 𝑛 π‘œ p Protocol with 𝒳 satisfies the same security notions 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ

  12. Property II: Security-Preserving p Corrupted implementation may break the security 𝑛 1 … 𝑛 π‘œ p Corrupted protocol with 𝒳 remains secure 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ Strong vs Weak Security-Preserving Eavesdropper vs Peer Party

  13. Property III: Exfiltration-Resistant p Corrupted implementation of P cannot leak any information to an eavesdropping attacker 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ β‰ˆ 𝑫 𝑛 1 𝑛 1 * … … 𝑛 π‘œ * 𝑛 π‘œ Strong vs Weak Exfiltration-Resistance Eavesdropper vs Peer Party

  14. Research Goal The β€œholy grail” would be a full characterization of functionalities and security properties for which reverse firewall exists. -- By Mironov and Stephens-Davidowitz Eurocrypt 2015 This work: a general approach for designing CRFs for functionalities that are realizable by Smooth Projective Hash Functions

  15. Outline n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol n Conclusions and Future Work

  16. Smooth Projective Hash Function [CS02] SPHFSetup ( 1 π‘š )=pp; HashKG (pp)=hk ; ProjKG (pp,hk)=hp Hash (pp,hk, C ) L ( C, w ) ProjHash (pp,hp, C , w ) … X Y C’ V’ Hash (pp,hk, C’ ) X/L … … p Correctness : Hash (pp,hk, C ) = ProjHash (pp,hp, C , w ); $ Y ; p Smoothness : V’ β‰ˆ S R p Hard Subset Membership : L β‰ˆ 𝐷 X/L

  17. Our Extension: Malleable SPHF p Randomness Sampling p SampR (pp) ⟢ 𝑠 % SampW (pp) ⟢ w * p p Projection Key Updating 8 MaulK (pp,hp, 𝑠 % ) ⟢ hp p 8 MaulH (pp,hp, 𝑠 % , C ) ⟢ hv p p Element Re-randomization 8 ReranE (pp, C , π‘₯ * ) ⟢ 𝐷 p 8 ReranH (pp,hp, C , π‘₯ * ) ⟢ hv p

  18. Our Extension: Malleable SPHF p Property I: Projection Key Malleability hp if exists hk w C Hash ProjHash = hv’ hv

  19. Our Extension: Malleable SPHF p Property I: Projection Key Malleability hp hk C Hash hv

  20. Our Extension: Malleable SPHF p Property I: Projection Key Malleability 8 β‰ˆ 𝐷 hp 1 8 β‘  hp 0 8 hp hp MaulK 𝑠 % SampR hk C Hash hv 8 = h β‘‘ hv βˆ— hv

  21. Our Extension: Malleable SPHF p Property I: Projection Key Malleability 8 β‰ˆ 𝐷 hp 1 8 β‘  hp 0 8 hp hp MaulK 𝑠 % SampR hk 8 C hk Hash Hash hv hv’ 8 = h β‘‘ hv βˆ— hv

  22. Our Extension: Malleable SPHF p Property I: Projection Key Malleability 8 β‰ˆ 𝐷 hp 1 8 β‘  hp 0 8 hp hp MaulK 𝑠 % SampR hk 8 C hk Hash Hash MaulH 8 hv hv hv’ 8 = hv’ β‘‘ hv βˆ— hv

  23. Our Extension: Malleable SPHF p Property II: Element Re-randomizability C hk Hash hv

  24. Our Extension: Malleable SPHF p Property II: Element Re-randomizability 8 β‰ˆ 𝐷 𝐷 1 8 β‘  𝐷 0 > C ReranE 𝐷 π‘₯ % SampW hk Hash hv 8 = h β‘‘ hv βˆ— β„Žπ‘€

  25. Our Extension: Malleable SPHF p Property II: Element Re-randomizability 8 β‰ˆ 𝐷 𝐷 1 8 β‘  𝐷 0 > C ReranE 𝐷 π‘₯ % SampW hp hk hk Hash Hash hv hv’

  26. Our Extension: Malleable SPHF p Property II: Element Re-randomizability 8 β‰ˆ 𝐷 𝐷 1 8 β‘  𝐷 0 > C ReranE 𝐷 π‘₯ % SampW hp hk hk Hash Hash ReranH 8 hv hv hv’ 8 = hv’ β‘‘ hv βˆ— hv

  27. Our Extension: Malleable SPHF p Property II: Element Re-randomizability 8 β‰ˆ 𝐷 𝐷 1 8 β‘  𝐷 0 > C ReranE 𝐷 π‘₯ % SampW > ∈ L iff β‘’ 𝐷 C ∈ L hp hk hk Hash Hash ReranH 8 hv hv hv’ 8 = hv’ β‘‘ hv βˆ— hv

  28. A Generic Construction of Malleable SPHF p Graded Rings [BCC+13] p common formalization of cyclic groups, bilinear groups, and multilinear groups p βˆ€ 𝑏, 𝑐 ∈ 𝕬 π‘ž , 𝑏⨁𝑐 = 𝑏 + 𝑐, 𝑏⨀𝑐 = 𝑏 L 𝑐 PQ οΌ› βˆ€ 𝑑 ∈ 𝕬 π‘ž , p βˆ€ 𝑣 1 , 𝑀 1 ∈ 𝔿, 𝑣 1 ⨁𝑀 1 = 𝑣 1 L 𝑀 1 , 𝑣 1 βŠ– 𝑀 1 = 𝑣 1 L 𝑀 1 𝑑⨀𝑣 1 = 𝑣 1 𝑑 p βˆ€ 𝑣 1 , 𝑀 1 ∈ 𝔿, 𝑣 1 ⨀𝑀 1 = 𝑓 𝑣 1 , 𝑀 1 ∈ 𝔿 π‘ˆ (𝑓: 𝔿×𝔿 ⟢ 𝔿 π‘ˆ ) p Generic SPHF via Graded Rings [BCC+13] π›₯: 𝒴 ⟼ 𝔿 [Γ—\ , π›ͺ: 𝒴 ⟼ 𝔿 QΓ—\ p QΓ—[ s. t. , π›ͺ 𝐷 = 𝛍⨀π›₯ 𝐷 p 𝐷 ∈ β„’ ⟺ βˆƒπ› ∈ 𝕬 π‘ž hk : = 𝜷 = (𝛽 1 , … , 𝛽 π‘œ ) Ξ€ $ \ , hp ∢= 𝛿 𝐷 = π›₯ 𝐷 β¨€πœ· ∈ 𝔿 𝑙 p ← 𝕬 π‘ž p Hash (pp,hk, C ) ∢= π›ͺ 𝐷 β¨€πœ· , ProjHash (pp,hp, C ,w) ∢= 𝛍⨀ 𝛿 𝐷 π›ͺ 𝐷 β¨€πœ· = 𝛍⨀π›₯ 𝐷 β¨€πœ· = 𝛍⨀ 𝛿 𝐷

  29. A Generic Construction of Malleable SPHF p Generic Malleable SPHF via Graded Rings 8 = 𝛿 𝐷 ⨁π›₯ 𝐷 ⨀ 𝒔 p MaulK (pp,hp= 𝛿 𝐷 , 𝒔 * ) : hp * 8 = π›ͺ 𝐷 ⨀ 𝒔 p MaulH (pp,hp, 𝒔 * , C ) : hv * 8⨀π›₯ 𝐷 8 = π›ͺ 𝐷 ⨁ 𝛍 p ReranK (pp, C , π‘₯ * ) : 𝐷 8 = 𝛍 8 ⨀ 𝛿 𝐷 p ReranH (pp,hp, C , π‘₯ * ) : hv Theorem The above construction is a malleable SPHF if the follows hold: π›ͺ: 𝒴 ⟼ 𝔿 QΓ—\ is an identity function; β€’ π›₯: 𝒴 ⟼ 𝔿 [Γ—\ is a constant function; β€’ β€’ The hard subset membership holds. p Instantiation from the k -linear assumption

  30. Outline n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol n Conclusions and Future Work

  31. Message Transmission Protocol with CRFs p Message Transmission Protocol Input: pp, M Input: pp $ ← HashKG (pp) hk hp ← ProjKG (pp,hk) op $ ← SampYes (pp) ( C , w ) V = ProjHash (pp,hp, C,w ) CT = V ⨁ M q, qr M’ = CT ⊝ Hash (pp,hk, C ) M’ = M Hash (pp,hk, C ) = ProjHash (pp,hp, C,w )

Recommend


More recommend