dise distributed symmetric key encrytion
play

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman - PowerPoint PPT Presentation

Dec 28, 2023 •28 likes •338 views

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

  1. DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal

  2. Threshold Cryto • Has focused on public-key crypto • Symmetric-key encryption got less attention • Symmetric keys don’t stay around long • Secure communication over internet (TLS) • Signing keys are long-term • Encryption keys change with every session

  3. Symmetric-key Encryption (SKE) • Encrypt data at rest • AWS, MS Azure, Google Cloud provide client-side, server-side, disk encryption • Keys managed by cloud service or client • Authentication on web, enterprises, ... • JSON web tokens,TGT in Kerberos, etc. • Securing PIN in credit/debit transactions

  4. Threshold SKE • Threshold PRFs [MS95, NPR99, Nie02, Dod03, DY05, DYY06, BLMR13] • MPC: Evaluate AES-GCM [DK10, GRRSS16, RSS17] • Good: Backward-compability, standard schemes • Bad: • Communication complexity linear in circuit size, number of parties • All parties interact with each other

  5. Build a threshold SKE that works well in practice: - Fast encryption/decryption - Requires minimal interactivity - Provides strong security guarantees

  6. Our Contributions • Formally study threshold SKE • Message privacy & ciphertext integrity in the distributed setting • Simple and light-weight protocols • Initiator sends one message, gets one message (challenge-response style) • Support arbitrary threshold t • Contact t-1 other parties • Resilient to t-1 corruption • Implement & evaluate • A million enc/dec per second, sub millisecond latency with upto 18 parties

  7. Outline • Security properties • DiSE: main protocol • Implementation • Future work

  8. Threshold SKE

  9. Notation & Model • n – total number of parties • Initiator: Party who initiates an enc/dec session • t – threshold • Attack model • Corrupt t-1 parties maliciously • Static model • Communication model: Point-to-point secure channels

  10. Traditional vs Modern • Inspired by traditional game-based notions [BN00, KY01, RS06] • More advanced notions studied for non-threshold [Rog02, RS06, FFL12, PW12 Rog13, GL15, HRRV15, HKR15, BT16, BHT18] • Extending traditional notions to threshold already non-trivial

  11. Protocols • Setup (n, t) • (sk 1 , sk 2 , ..., sk n ), pp • DistEnc (j, msg, S) • ctxt • Parties involved don’t learn ciphertext • DistDec (j, ctxt, S) • msg • Parties involved don’t learn message • Consistency (all parties honest): • DistEnc (j, msg, S) • ctxt • DistDec (j*, ctxt, S*) • msg

  12. Correctness • DistEnc session fails even if initiated by honest party • DistEnc succeeds but DistDec fails • Basic : if DistEnc (msg) • ctxt ≠ ⟂ , then DistDec (ctxt) • msg or ⟂ • Strong : if DistEnc (msg) • ctxt ≠ ⟂ , then DistDec (ctxt) • msg if parties honest

  13. Security Games • Message privacy & ciphertext integrity • Games between Challenger Chal and Adversary Adv Challenger sk 3 sk 1 sk 4 sk 2 sk 5

  14. Message Privacy • Ciphertexts do not reveal message • Non-threshold: Enc(m 0 ) ≈ Enc (m 1 ) • Adv is allowed to: • Encryption : Initiated by corrupt/honest party • Decryption : Initiated by honest party • Challenge :Adv outputs (j, m 0 , m 1 , S)

  15. Ciphertext Integrity (Authenticity) • New valid ciphertexts cannot be generated • Non-threshold: Can keep track of ciphertexts • C – set of corrupt parties • g = t - |C| • cnt – count #messages Adv sends to honest parties • L – list of ciphertexts

  16. Ciphertext Integrity (Authenticity) • Variables: C, g, cnt, L • Adv allowed to: • ( Encryption , j, msg, S) • j is corrupt: increment cnt by #honest parties in S • j is honest: add ctxt to L Counter incremented • ( Decryption , j, ctxt, S) • j is corrupt: increment cnt by #honest parties in S • ( Targeted Decryption , j, k, S) with j honest Decryption!! • Maximum ciphertexts: cnt / g (rounded down)

  17. Ciphertext Integrity (Authenticity) • Forgery :Adv outputs (j 1 , S 1 , ctxt 1 ), (j 2 , S 2 , ctxt 2 ), ... ,(j k , S k , ctxt k ) • Adv wins if: • k > cnt / g • Dec sessions output valid messages • Basic : Dec sessions are honest • Strong : Corrupt parties can misbehave

  18. Summary • Correctness: Basic & Strong • Message privacy • Ciphertext integrity: Basic & Strong

  19. DiSE:Threshold SKE Scheme

  20. Distributed PRF (DPRF) • Introduced by Naor et al. [NPR99] • Several constructions/variations [Nie02, Dod03, DY05, DYY06, BLMR13] • Setup (n, t) • (sk 1 , sk 2 , ..., sk n ) • Eval (sk j , x) • y j • Combine (y 1 , y 2 , ...) • y • Consistency : Same output irrespective of the set Secure • Pseudorandomness : Final output should be pseudorandom Strongly secure • Correctness : Final output either correct or ⟂

  21. DiSE Small communication Cheap operations * + = ,-./ (01 + , ") " = $%! (!; () " sk 2 ! * + " sk 1 * 4 = ,-./ (01 4 , ") * 3 * 3 = ,-./ (01 3 , ") * = $%!5 678 * 4 , * + , * 3 sk 3 8 = 9:; * ⊕ ! () =>"> = (", 8) sk 4

  22. Security • If DPRF is (strongly) secure, then DiSE satisfies • (strong) correctness • message-privacy • (strong) ciphertext-integrity

  23. DPRF instantiations [MS95, NPR99] • DDH assumption (ROM) • Setup (n, t) • (sk 1 , sk 2 , ..., sk n ) • Eval (sk j , x) • Hash(x) skj • DPRF (x) = Hash(x) sk • Any PRF like AES • Setup • Exponential number of keys • DPRF (x) = PRF k1 (x) ⊕ PRF k2 (x) ⊕ PRF k3 (x) ⊕ ...

  24. Compare DDH PRF Choice of n, t Arbitrary n C t should be small T ype of operations Expensive public-key Cheap symmetric-key Strong security Easy Difficult Change of n, t Master key unaffected Master key affected

  25. Implementation & Evaluation

  26. Implementation • Three instantiations: PRF, DDH, DDH-NIZK • Tested on many values of n, but n = 18 here • Tested on both LAN,WAN, but only LAN here • Choices: • Hash function: Blake2 • PRF/PRG:AES • ECC curve: p256k1 • Benchmarking on a single server with two 18-core Intel Xeon CPUs @2.3 GHz, 256GB RAM • LAN: 10 Gbps bandwidth, 0.1 ms latency

  27. Performance Throughput (Enc/sec) Threshold PRF DDH DDH-NIZK (T) Enc/sec Mbps Enc/sec Mbps Enc/sec Mbps 2 1,037,703 253 553 0.14 226 0.28 6 45,434 55 297 0.77 64 0.40 9 10,194 20 231 0.45 42 0.50 16 524,109 1919 135 0.49 23 0.43 Latency (ms/Enc) Threshold (T) PRF DDH DDH-NIZK 2 0.1 4.6 9.6 6 0.6 5.4 21.5 9 1.1 8.0 31.3 16 2.2 12.6 55.2

  28. Conclusion & Future Directions

  29. Conclusion • SKE widely used, secret keys need protection (MPC expensive) • Formalization of threshold SKE • New very efficient scheme • Promising performance

  30. Future Directions • DiSE lacks concrete security treatment • Ciphertext integrity definition counts decryption towards encryption • ParaDiSE :Addresses these issues – and more

  31. THANK YOU! QUESTIONS...

Recommend

T his months column presents the second half of dise a material income-producing factor.

T his months column presents the second half of dise a material income-producing factor.

CBTM March text 2002 #2 2/13/02 11:28 AM Page 27 C O R P O R A T E B U S I N E S S T A X A T I O N M O N T H L Y Tax Accounting BY JAMES E. SALLES T his months column presents the second half of dise a

354 views • 7 slides
Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Spring

Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Spring

Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Spring 2015 Outline Goals and vision of distributed computing Basic architectures Symmetric multiprocessors Single system image distributed

925 views • 79 slides
PREDICTING PREDIC ING T THE DISE HE DISEASE O SE OF A F ALZ LZHEIMER

PREDICTING PREDIC ING T THE DISE HE DISEASE O SE OF A F ALZ LZHEIMER

PREDICTING PREDIC ING T THE DISE HE DISEASE O SE OF A F ALZ LZHEIMER HEIMER WIT WITH SNP BIOMA H SNP BIOMARK RKER ERS A S AND CLINICA ND CLINICAL D L DATA USING D USING

747 views • 33 slides
Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Fall 2015

Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Fall 2015

Distributed Systems CS 111 Operating Systems Peter Reiher Lecture 16 CS 111 Page 1 Fall 2015 Outline Goals and vision of distributed computing Basic architectures Symmetric multiprocessors Single system image distributed

707 views • 60 slides
Clima te c ha ng e e ffe c ts o n the e pide mio lo g y o f infe c tio us dise a se s a nd the

Clima te c ha ng e e ffe c ts o n the e pide mio lo g y o f infe c tio us dise a se s a nd the

Clima te c ha ng e e ffe c ts o n the e pide mio lo g y o f infe c tio us dise a se s a nd the impa c ts o n No rthe rn so c ie tie s Pho to s: Ca rl-Jo ha n Utsi Wha t do we wa nt? Ob je c tive s: T o c la rify the impa c t o f c lima

441 views • 10 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
E duc ational Pr ogr amme for Childr e n with Onc ohae matologic al Dise ase s thr ough VE

E duc ational Pr ogr amme for Childr e n with Onc ohae matologic al Dise ase s thr ough VE

E duc ational Pr ogr amme for Childr e n with Onc ohae matologic al Dise ase s thr ough VE DAMO Vir tual L e ar ning E nvir onme nt Pr oznanie JSC We are focused on developing of innovative solutions for distance learning

450 views • 18 slides
0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric

0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric

Once up on a time ... [Dij71] 0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric solution T raditional non-symmetric: Left-Righ t solution Generalized dining philosophers [Lyn81] . . .

625 views • 20 slides
Omega ga-3 f fatty a acids a s and car ardiovasc ascular d dise sease se: a con conti

Omega ga-3 f fatty a acids a s and car ardiovasc ascular d dise sease se: a con conti

Omega ga-3 f fatty a acids a s and car ardiovasc ascular d dise sease se: a con conti tinuum o of n nutri riti tion on a and medicine Ann C. Skulas-Ray, PhD Food, Bioactives, & Health Lab Department of Nutritional Sciences

714 views • 24 slides
6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue

6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue

Motivation Condition Vector Iteration QR Iteration Reduction Algorithms 6. The Symmetric Eigenvalue Problem A must for engineers . . . 6. The Symmetric Eigenvalue Problem Numerical Programming I (for CSE), Hans-Joachim Bungartz page 1

430 views • 28 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Inequalities for Symmetric Polynomials Curtis Greene October 24, 2009 Inequalities for Symmetric

Inequalities for Symmetric Polynomials Curtis Greene October 24, 2009 Inequalities for Symmetric

Inequalities for Symmetric Polynomials Inequalities for Symmetric Polynomials Curtis Greene October 24, 2009 Inequalities for Symmetric Polynomials Co-authors This talk is based on Inequalities for Symmetric Means, with Allison

951 views • 50 slides
The Strong Symmetric Genus of Almost All D -type Generalized Symmetric Groups Michael A. Jackson

The Strong Symmetric Genus of Almost All D -type Generalized Symmetric Groups Michael A. Jackson

Introduction Generalized Symmetric and D -type groups Process Results The Strong Symmetric Genus of Almost All D -type Generalized Symmetric Groups Michael A. Jackson Department of Mathematics - Grove City College majackson@gcc.edu Groups St.

726 views • 48 slides
Symmetric Circuits with Non-Symmetric Gates Anuj Dawar Department of Computer Science and

Symmetric Circuits with Non-Symmetric Gates Anuj Dawar Department of Computer Science and

Symmetric Circuits with Non-Symmetric Gates Anuj Dawar Department of Computer Science and Technology, University of Cambridge based on joint work with Gregory Wilsenach HellaFest, Murikanranta, 5 July 2018 Lauri Hella and Generalized

387 views • 22 slides
Ra RaDa DaR R Ra Rare re Re Rena nal l Di Dise sease ase Re Regi gistry stry Me

Ra RaDa DaR R Ra Rare re Re Rena nal l Di Dise sease ase Re Regi gistry stry Me

Ra RaDa DaR R Ra Rare re Re Rena nal l Di Dise sease ase Re Regi gistry stry Me Melanie nie Dillon RaDaR Project ject Facilitator tator Ba Backgrou ckground nd The Nat Nationa ional Regi Regist stry ry of of Ra

656 views • 13 slides
2014-15 SECONDARY EDUCATION IN INDIA CONTENTS Acknowledgments Disclaimer Figure 1 Number of

2014-15 SECONDARY EDUCATION IN INDIA CONTENTS Acknowledgments Disclaimer Figure 1 Number of

National University of Educational Planning and Administration 17-B, Sri Aurobindo Marg, New Delhi 110016 (INDIA) SECONDARY EDUCATION IN INDIA (Based on U-DISE Data) A GRAPHIC PRESENTATION (Based on U-DISE Data) A GRAPHIC PRESENTATION 2014-15

1k views • 66 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
EA EARLY DI Y DIAG AGNOSI SIS S OF F BR BRAI AIN DISE SEAS ASES ES via liquid id biops

EA EARLY DI Y DIAG AGNOSI SIS S OF F BR BRAI AIN DISE SEAS ASES ES via liquid id biops

EA EARLY DI Y DIAG AGNOSI SIS S OF F BR BRAI AIN DISE SEAS ASES ES via liquid id biops psy, base sed d on miRNA NA patter erns ns in micr crogli glial al micr crovesic vesicles les Fabio Bianco, CEO fbianco@braindtech.com

128 views • 9 slides
Dise Disease Man anag agement to t to Prom omote te Blood Blood Pressu sure C Con ontr

Dise Disease Man anag agement to t to Prom omote te Blood Blood Pressu sure C Con ontr

Dise Disease Man anag agement to t to Prom omote te Blood Blood Pressu sure C Con ontr trol ol A Amon mong African an A Ame mericans Fishbow s Fishbowl l Ren A. Vega Aetna Scaling and Spreading Innovation Strategies to

491 views • 8 slides
Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Symmetric cryptography Both parties

860 views • 60 slides
Symmetric Cauchy stresses do not imply symmetric Biot strains in weak formulations of isotropic

Symmetric Cauchy stresses do not imply symmetric Biot strains in weak formulations of isotropic

Symmetric Cauchy stresses do not imply symmetric Biot strains in weak formulations of isotropic hyperelasticity with rotational degrees of freedom. Andreas Fischle , Patrizio Neff and Ingo Mnch Universitt Duisburg-Essen ,

515 views • 38 slides
An Introduction to Symmetric Functions Ira M. Gessel Department of Mathematics Brandeis

An Introduction to Symmetric Functions Ira M. Gessel Department of Mathematics Brandeis

An Introduction to Symmetric Functions Ira M. Gessel Department of Mathematics Brandeis University Brandeis Combinatorics Seminar November 1, 2016 What are symmetric functions? Symmetric functions are not functions. What are symmetric

778 views • 75 slides
2014 / 10 / 21 R2 VS Introduction Drug Drug- -induced sleep

2014 / 10 / 21 R2 VS Introduction Drug Drug- -induced sleep

2014 / 10 / 21 R2 VS Introduction Drug Drug- -induced sleep endoscopy (DISE induced sleep endoscopy (DISE ) ) uses sedative-hypnotics to induce moderate obstruction to facilitate anatomic differentiation of

1.48k views • 23 slides
Symmetric Gro up pe rmutatio ns o f 3 o bje c ts Gro up elements c an be written in this

Symmetric Gro up pe rmutatio ns o f 3 o bje c ts Gro up elements c an be written in this

Symmetric Gro up pe rmutatio ns o f 3 o bje c ts Gro up elements c an be written in this fo rmat: Symmetric Gro up No te Symmetric group Product operation Is the group elements {e,a,b,ab,b,b^2} isomorphic to the above

347 views • 23 slides

More recommend