everybody s a target scalability in public key encryption
play

Everybodys a Target: Scalability in Public-Key Encryption Benedikt - PowerPoint PPT Presentation

May 19, 2023 •425 likes •894 views

Everybodys a Target: Scalability in Public-Key Encryption Benedikt Auerbach 1 Federico Giacon 2 Eike Kiltz 3 1 IST Austria, Klosterneuburg, Austria 2 Gnosis Service GmbH, Berlin, Germany 3 Horst Grtz Institut fr IT-Sicherheit,

  1. Everybody’s a Target: Scalability in Public-Key Encryption Benedikt Auerbach 1 Federico Giacon 2 Eike Kiltz 3 1 IST Austria, Klosterneuburg, Austria 2 Gnosis Service GmbH, Berlin, Germany 3 Horst Görtz Institut für IT-Sicherheit, Ruhr-Universität Bochum, Germany May 04, 2020

  2. Agenda ◮ multi-instance security and the scaling factor ◮ the scaling behavior of Hashed-ElGamal key encapsulation ◮ generic group lower bounds for multi-instance CDH-type problems 2 / 24

  3. Multi-instance security ◮ usual security definition for cryptographic schemes ◮ adversary unable to compromise a single user This work: Scaling of security in the number of users How much more computational effort does it take to compromise n users compared to compromising one? 3 / 24

  4. Multi-instance security ◮ usual security definition for cryptographic schemes ◮ adversary unable to compromise a single user This work: Scaling of security in the number of users How much more computational effort does it take to compromise n users compared to compromising one? 3 / 24

  5. Multi-instance security ◮ usual security definition for cryptographic schemes ◮ adversary unable to compromise a single user ◮ this work: scaling of security in the number of users ◮ how much more computational effort does it take to compromise all of n users compared to compromising one? 3 / 24

  6. Scaling behavior of cryptographic schemes effort x t compromised users 1 4 / 24

  7. Scaling behavior of cryptographic schemes effort best case nt worst case x t n compromised users 1 4 / 24

  8. Scaling behavior of cryptographic schemes effort best case nt actual behavior? worst case x t n compromised users 1 4 / 24

  9. Background ◮ theory: parameters of schemes chosen such that even breaking a single instance is infeasible ◮ in particular impossible to break many instances ◮ practice: use of outdated parameters widespread ◮ breaking of single instance within reach ◮ bad scaling behavior could enable large-scale attack 5 / 24

  10. Logjam attack ◮ bad scaling-behavior exploited in Logjam attack [ADGG+15] ◮ attacked TLS in the finite-field setting for primes of length 512 ◮ effort to break 2 20 instances only doubles compared to breaking one 6 / 24

  11. Logjam attack Scaling behavior of ElGamal for subgroups of F ∗ p , p prime of length 512 effort Logjam attack x t 1 compromised users Effort to break 2 20 instances only doubles compared to breaking one 7 / 24

  12. Our contributions ◮ scaling behavior; theoretical perspective ◮ adapt multi-instance security to key-encapsulation mechanisms ◮ define the scaling factor of schemes ◮ scaling behavior; application to Hashed-ElGamal (HEG) key encapsulation ◮ consider HEG for different parameter settings ◮ compute scaling factor in idealized models 8 / 24

  13. Multi-Instance Security and the Scaling Factor 9 / 24

  14. Reminder: key-encapsulation mechanisms ◮ Key-encapsulation mechanism KEM consists of algorithms $ ← Par par $ ( pk , sk ) ← Gen( par ) $ ( K , C ) ← Enc( par , pk ) K ← Dec( par , sk , C ) 10 / 24

  15. Security notions for KEMs CCA: single-instance setting CCA A $ ← { 0 , 1 } b $ par ← Par $ ( pk , sk ) ← Gen( par ) $ par , pk , K ∗ , C ∗ ( K ∗ , C ∗ ) ← Enc( par , pk ) if b = 0: K ∗ ← $ C Dec( par , sk , C ) win ← [ b = b ′ ] b ′ Advantage: Adv CCA KEM (A) = Pr[ win ] − 1 / 2 11 / 24

  16. Security notions for KEMs n -CCA: multi-instance setting [BelRisTes12] n -CCA A � $ ← { 0 , 1 } n b $ par ← Par for i ∈ { 1 , .. , n } : $ ( pk i , sk i ) ← Gen( par ) par , � pk , � K ∗ , � C ∗ $ ( K ∗ i , C ∗ i ) ← Enc( par , pk i ) if b i = 0: K ∗ i ← $ C , i Dec( par , sk i , C ) win ← [ � n i =1 b i = b ′ ] b ′ Advantage: Adv n -CCA KEM (A) = Pr[ win ] − 1 / 2 11 / 24

  17. Scaling factor ◮ how does the security of a key-encapsulation mechanism (KEM) scale in the number of users? ◮ we define the scaling factor of KEM SF ( n ) = MinTime ( n ) MinTime (1) ◮ MinTime ( n ): running time of fastest adversary breaking n -CCA security users with success probability 1 12 / 24

  18. Scaling factor ◮ how does the security of a key-encapsulation mechanism (KEM) scale in the number of users? ◮ we define the scaling factor of KEM SF ( n ) = MinTime ( n ) MinTime (1) ◮ MinTime ( n ): running time of fastest adversary breaking n -CCA security users with success probability 1 Lemma 1 ≤ SF ( n ) ≤ n 12 / 24

  19. The Scaling Behavior of Hashed-ElGamal 13 / 24

  20. Overview on our results ◮ considered KEM: Hashed-ElGamal ◮ consider variants with different shared parameters (granularity) ◮ elliptic-curve setting ◮ bounds in generic-group model and random-oracle model ◮ G group of prime order p generated by g Granularity par sk pk SF HEG ( n ) Θ( √ n ) g x high ( G , p , g ) x Θ( √ n ) ( g , g x ) medium ( G , p ) ( g , x ) (( G , p , g ) , g x ) low ⊥ (( G , p , g ) , x ) Θ( n ) 14 / 24

  21. Overview on our results ◮ goal: bound SF HEG ( n ) = MinTime ( n ) MinTime (1) 15 / 24

  22. Overview on our results ◮ goal: bound SF HEG ( n ) = MinTime ( n ) MinTime (1) ◮ upper bound ◮ known generic algorithms: � O ( √ np ) high/med. granularity MinTime ( n ) = O ( n √ p ) low granularity ◮ known generic bound: MinTime (1) = Ω( √ p ) 15 / 24

  23. Overview on our results ◮ goal: bound SF HEG ( n ) = MinTime ( n ) MinTime (1) ◮ upper bound ◮ known generic algorithms: � O ( √ np ) high/med. granularity MinTime ( n ) = O ( n √ p ) low granularity ◮ known generic bound: MinTime (1) = Ω( √ p ) ◮ lower bound ◮ known generic algorithm: MinTime (1) = O ( √ p ) ◮ this work: generic-group bounds � Ω( √ np ) high/med. granularity MinTime ( n ) = Ω( n √ p ) low granularity 15 / 24

  24. Generic-group lower bound on MinTime HEG ( n ) Overview GGM = = = = ⇒ n -CCA HEG ROM ∼ random-oracle model n -gapCDH ∼ multi-instance gap Diffie-Hellman problem AGM ∼ algebraic-group model [FKL18] n -gapDL ∼ multi-instance gap discrete-logarithm problem GGM ∼ generic-group model 16 / 24

  25. Generic-group lower bound on MinTime HEG ( n ) Overview GGM ROM = = = = ⇒ n -gapCDH = = = = ⇒ n -CCA HEG ROM ∼ random-oracle model n -gapCDH ∼ multi-instance gap Diffie-Hellman problem AGM ∼ algebraic-group model [FKL18] n -gapDL ∼ multi-instance gap discrete-logarithm problem GGM ∼ generic-group model 16 / 24

  26. Generic-group lower bound on MinTime HEG ( n ) Overview GGM AGM ROM = = = = ⇒ n -gapDL = = = = ⇒ n -gapCDH = = = = ⇒ n -CCA HEG ROM ∼ random-oracle model n -gapCDH ∼ multi-instance gap Diffie-Hellman problem AGM ∼ algebraic-group model [FKL18] n -gapDL ∼ multi-instance gap discrete-logarithm problem GGM ∼ generic-group model 16 / 24

  27. Generic-group lower bound on MinTime HEG ( n ) Overview (AGM) GGM GGM ROM = = = = = = = = ⇒ ⇒ n -gapDL = = = = = ⇒ n -gapCDH = = = = ⇒ n -CCA HEG ROM ∼ random-oracle model n -gapCDH ∼ multi-instance gap Diffie-Hellman problem AGM ∼ algebraic-group model [FKL18] n -gapDL ∼ multi-instance gap discrete-logarithm problem GGM ∼ generic-group model 16 / 24

  28. Generic-Group Lower Bounds for Multi-Instance CDH-Type Problems 17 / 24

  29. Multi-instance CDH-type problems Multi-instance discrete logarithm problem, G = ( G , p , g ) n -DL A for i ∈ { 1 , .. , n } : $ G , � x i ← Z p X X i ← g x i win ← [ ∀ i : z i = x i ] � z Advantage: Adv n -DL (A) = Pr[ win ] 18 / 24

  30. Multi-instance CDH-type problems Multi-instance gap discrete logarithm problem, G = ( G , p , g ) n -gapDL A for i ∈ { 1 , .. , n } : $ G , � x i ← Z p X X i ← g x i X , ˜ ˜ Y , ˜ Z � y = ˜ if g ˜ x ˜ 1 Z d ← d 0 else win ← [ ∀ i : z i = x i ] � z Advantage: Adv n -gapDL (A) = Pr[ win ] 18 / 24

  31. Multi-instance CDH-type problems Multi-instance gap computational Diffie-Hellman problem, G = ( G , p , g ) n -gapCDH A for i ∈ { 1 , .. , n } : $ $ G , � X , � x i ← Z p ; y i ← Z p Y X i ← g x i ; Y i ← g y i X , ˜ ˜ Y , ˜ Z � y = ˜ if g ˜ x ˜ 1 Z d ← d 0 else win ← [ ∀ i : Z i = g x i y i ] � Z Advantage: Adv n -gapCDH (A) = Pr[ win ] 18 / 24

  32. Multi-instance generic-group lower bounds Overview problem granularity MinTime Ω( √ np ) n -DL high [Yun15] Ω( √ np ) n -DL low [GDJY13] Generic-group bounds for multi-instance Diffie-Hellman-type problems ◮ G of prime order p ◮ n instances 19 / 24

  33. Multi-instance generic-group lower bounds Overview problem granularity MinTime Ω( √ np ) n -DL high [Yun15] Ω( √ np ) n -DL low [GDJY13] this work Ω( √ np ) n -gapDL high/med. Ω( √ np ) n -gapCDH high/med. Ω( n √ p ) n -gapDL low Ω( n √ p ) n -gapCDH low Generic-group bounds for multi-instance Diffie-Hellman-type problems ◮ G of prime order p ◮ n instances 19 / 24

  34. Multi-instance generic-group lower bounds Overview problem granularity MinTime Ω( √ np ) n -DL high [Yun15] Ω( √ np ) n -DL low [GDJY13] this work Ω( √ np ) n -gapDL high/med. Ω( √ np ) n -gapCDH high/med. Ω( n √ p ) n -gapDL low Ω( n √ p ) n -gapCDH low � n -polyDL d high Ω( np / d ) Generic-group bounds for multi-instance Diffie-Hellman-type problems ◮ G of prime order p ◮ n instances 19 / 24

Recommend

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key PKE scheme Encryption (a.k.a. private-key encryption) a.k.a. asymmetric-key encryption PKE SKE: Syntax Syntax KeyGen outputs KeyGen

366 views • 13 slides
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP RECALL Diffie-Hellman Key-exchange Secure if (g x ,g y ,g xy ) (g x ,g y ,g r ) Random x {0,..,|G|-1} Random y

173 views • 13 slides
Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key Cryptography Lecture 8 Public-Key Encryption Diffie-Hellman Key-Exchange PKE scheme PKE scheme SKE: Syntax KeyGen outputs K K Enc: M K R

1.18k views • 104 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] pk sk Public Key Encryption Public Key Encryption

296 views • 25 slides
Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability Ideal world Linear scalability Speedup Reality Ideal Bottlenecks For example: central coordinator When do we stop

938 views • 36 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) - p large prime - b base, primitive element, generator - x private exponent - x y public residue y b p ; mod = P Z * p =

272 views • 25 slides
gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

Identity-Based Encryption gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen sk M C M Enc Dec Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow to encrypt based

584 views • 10 slides
Bi-Deniable Public-Key Encryption Adam ONeill 1 , 2 Chris Peikert 1 Brent Waters 2 1 Georgia

Bi-Deniable Public-Key Encryption Adam ONeill 1 , 2 Chris Peikert 1 Brent Waters 2 1 Georgia

Bi-Deniable Public-Key Encryption Adam ONeill 1 , 2 Chris Peikert 1 Brent Waters 2 1 Georgia Tech 2 U Texas, Austin CRYPTO 2011 17 Aug 1 / 13 Deniable Encryption [CDNO97] c = Enc pk (surpriz prty 4 big bro!) (Images courtesy

694 views • 55 slides
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security notion: chosen-ciphertext security

1.16k views • 83 slides
The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr.

The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr.

The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr. Gunnar Jacobson CEO Secardeo GmbH Business Communication E-Mail Desktop (e.g. Outlook) Cloud (e.g. Office 365) More than 50% opened on

503 views • 29 slides
Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability questions What's important in order to build scalable web sites? High availability vs. load balancing Approaches to scaling

600 views • 26 slides
Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Overview Needed Theorems RSA Encryption Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science Public Key (RSA) Encryption Overview Needed Theorems RSA

1.62k views • 137 slides
Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research

Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research

Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research Weizmann Institute Silicon Valley Probabilistic Encryption Enc Semantic Security [GM82]: No

341 views • 14 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model Introduction Development of the model by TNO as part of the Root Scalability Study Team Why quantify? Scalability is a quantitative topic

674 views • 18 slides
Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long is the latency? Scalability: Do we get higher throughput if we add more resources? Performance and Scalability Performance: How long is the

210 views • 17 slides
GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography implementation. (Conforms to PGP and RFC 4880, not really just an alternative) Best used mostly for email encryption Uses Hybrid Encryption Install

531 views • 12 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides

More recommend