Key-Robustness for Cryptographic Primitives
Răzvan Roşie
ENS, CNRS, INRIA & PSL Research University, Paris, France
ECRYPT-NET Summer School, Crete, Greece, 12th October 2017

Key-Robustness in a Nutshell
Robustness: a ciphertext can't be decrypted under two different keys.
PKC13: robustness for PKE & IBE revisited by Farshim et al.
AC10: Mohassel extends robustness to Hybrid Encryption.
TCC10: robustness introduced for PKE & IBE by Abdalla et al.

Key-Robustness in a Nutshell
Robustness: a ciphertext can't be decrypted under two different keys.
[Diagram: Alice sends $C$ to Bob over a vulnerable channel, with Eve on the channel; $\mathrm{Dec} \neq \bot$ for $C$ under both $K_1$ and $K_2$.]

Motivating Key-Robustness - Example 1
Digital Signatures from Symmetric Encryption:
$sk \leftarrow (K, s)$
$pk \leftarrow \mathrm{Enc}(K, s)$ — contains the symmetric encryption of $s$.
$\sigma \leftarrow (\mathrm{PRF}(s, M), \pi)$ — PRF evaluation + ZK proof for correctness.
Is the scheme unforgeable?
$\mathrm{Enc}(K, s) = \mathrm{Enc}(K', s') \implies$ FORGE

Motivating Key Robustness - Example 2
CBC-MAC:
[Diagram: CBC-MAC chain starting from 0 over blocks $m_0, m_1, m_2, \dots, m_{t-1}$, each step applying $E_K$, ending in the tag $T$.]

Motivating Key Robustness - Example 2
CBC-MAC:
[Diagram: the CBC-MAC chain under key $K'$, with input blocks shown as pairs $(m_0, m'_0), (m_1, m'_1), (m_2, m'_2), \dots, (m_{t-1}, m'_{t-1})$, each step applying $E_{K'}$, ending in the tag $T$.]
$\mathrm{MAC}(K, M) = \mathrm{MAC}(K', M') = T$

Definitional Landscape
Complete Robustness (CROB): adversarially generated $K_1, K_2$.
Goal: find $C$ decryptable under $K_1, K_2$.
CROB security:
1. $(C, K_1 \neq K_2) \leftarrow \mathcal{A}$
2. $\mathrm{Dec}(K_1, C) \neq \bot$
3. $\mathrm{Dec}(K_2, C) \neq \bot$

Definitional Landscape
Strong Robustness (SROB): honestly generated $K_1, K_2$.
Goal: find $C$ decryptable under $K_1, K_2$.
CROB: 1. $(C, K_1 \neq K_2) \leftarrow \mathcal{A}$
SROB: 1. $C \leftarrow \mathcal{A}^{\mathrm{Enc}, \mathrm{Dec}}$
Both games then check:
2. $\mathrm{Dec}(K_1, C) \neq \bot$
3. $\mathrm{Dec}(K_2, C) \neq \bot$

Definitional Landscape
[Diagram: the notions CROB and SROB.]

Definitional Landscape
AE-secure scheme $\implies$ SROB-secure.
[Diagram: the notions CROB, SROB and AE.]

Definitional Landscape
AE-secure scheme $\nRightarrow$ CROB-secure.
[Diagram: the notions CROB, SROB and AE, with a crossed-out arrow.]

Definitional Landscape - MACs
CROB: 1. $(T, M_1, M_2, K_1 \neq K_2) \leftarrow \mathcal{A}$
SROB: 1. $(T, M_1, M_2) \leftarrow \mathcal{A}^{\mathrm{Tag}, \mathrm{Ver}}$
Both games then check:
2. $\mathrm{Ver}(K_1, M_1, T) = 1$
3. $\mathrm{Ver}(K_2, M_2, T) = 1$

Definitional Landscape - MACs
SUF-secure MAC scheme $\implies$ SROB-secure.
[Diagram: the notions CROB, SROB and SUF, with a crossed-out arrow.]

The Big Picture
[Diagram: relations between the notions FROB, CROB, XROB, SFROB, KROB and SROB, some arrows crossed out.]

Generic Composition
Same Keys: Enc is CROB OR MAC is CROB $\implies$
  Enc-Then-MAC is CROB
  Enc-And-MAC is CROB
  MAC-Then-Enc is CROB
Different Keys: Enc is CROB AND MAC is CROB $\implies$
  Enc-Then-MAC is CROB
  Enc-And-MAC is CROB
  MAC-Then-Enc is CROB

Generic Composition
Proof intuition (Enc-Then-Mac): $\mathcal{A}$ outputs a CROB winning tuple $(C \| T,\ K_{e1} \| K_{m1},\ K_{e2} \| K_{m2})$.
[Diagram: two Enc-then-MAC pipelines, $M_1$ under $(K_{e1}, K_{m1})$ and $M_2$ under $(K_{e2}, K_{m2})$.]
Case $K_{e1} \neq K_{e2}$: $(C, K_{e1}, K_{e2})$ wins CROB against Enc.
Case $K_{m1} \neq K_{m2}$: $(T, K_{m1}, C, K_{m2}, C)$ wins CROB against MAC.

Generic Composition
Proof intuition. $\mathcal{A}$ outputs a CROB winning tuple $(C \| T,\ K_{e1} \| K_{m1},\ K_{e2} \| K_{m2})$.
[Diagram: $C$ fed to MAC under $K_{m1}$ and to MAC under $K_{m2}$.]
Case $K_{e1} \neq K_{e2}$: $(C, K_{e1}, K_{e2})$ wins CROB against Enc.
Case $K_{m1} \neq K_{m2}$: $(T, K_{m1}, C, K_{m2}, C)$ wins CROB against MAC.

CROB AE in the RO Model
Instantiate a CROB MAC: $\mathrm{MAC}(K, M) := \mathrm{RO}(K, M)$.
Same-Key: Enc-Then-Mac via a CROB MAC.
Different-Keys: authenticate the encryption key.
$\mathrm{Enc}((K_e \| K_m), M)$:
  $C \twoheadleftarrow \mathrm{Enc}(K_e, M)$  (AE-security)
  $T \leftarrow \mathrm{RO}(K_m, (C \| K_e))$  (CROB)
  return $(C, T)$
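
The different-keys case above, as an added Python example that is not from the slides: with plain Enc-then-MAC the tag ignores $K_e$, so a ciphertext still decrypts (to something other than ⊥) under a second encryption key, while a tag over $(C \| K_e)$ makes that decryption return ⊥. Assumptions: the SHA-256 keystream cipher is a toy stand-in for Enc, HMAC-SHA256 stands in for RO, and all function names are hypothetical.

```python
import hashlib, hmac, os

def keystream(k_e: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from SHA-256 (constructed stand-in for Enc).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(k_e + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tag(k_m: bytes, c: bytes, k_e: bytes, bind_key: bool) -> bytes:
    # HMAC-SHA256 plays the role of RO(K_m, .) (assumption).
    # bind_key=True computes T over (C || K_e); K_e has fixed length (32 bytes),
    # so the concatenation is unambiguous.
    data = c + k_e if bind_key else c
    return hmac.new(k_m, data, hashlib.sha256).digest()

def enc(k_e: bytes, k_m: bytes, msg: bytes, bind_key: bool):
    nonce = os.urandom(16)
    c = nonce + xor(msg, keystream(k_e, nonce, len(msg)))
    return c, tag(k_m, c, k_e, bind_key)

def dec(k_e: bytes, k_m: bytes, c: bytes, t: bytes, bind_key: bool):
    # None models the decryption failure symbol "⊥".
    if not hmac.compare_digest(t, tag(k_m, c, k_e, bind_key)):
        return None
    nonce, body = c[:16], c[16:]
    return xor(body, keystream(k_e, nonce, len(body)))

def decrypt_under_two_keys(bind_key: bool):
    # CROB-style check with K_e1 != K_e2 and a shared K_m (constructed keys).
    k_m, k_e1, k_e2 = os.urandom(32), os.urandom(32), os.urandom(32)
    c, t = enc(k_e1, k_m, b"pay 100 to alice", bind_key)
    return dec(k_e1, k_m, c, t, bind_key), dec(k_e2, k_m, c, t, bind_key)

if __name__ == "__main__":
    print("tag over C only:   ", decrypt_under_two_keys(False))
    print("tag over C || K_e: ", decrypt_under_two_keys(True))
```
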

CROB AE in the Standard Model
Idea: construct a CROB secure MAC in the Standard Model.
First attempt:
$\mathrm{Enc}((K_e \| K_m), M)$:
  $C \twoheadleftarrow \mathrm{Enc}(K_e, M)$
  $T \leftarrow \mathrm{MAC}(K_m, (C \| K_e))$
  return $(C, T)$
Issue: pseudorandomness for MAC.

CROB AE in the Standard Model
Idea: construct a CR-PRF in the Standard Model.
Second attempt:
$\mathrm{Enc}((K_e \| K_m), M)$:
  $C \twoheadleftarrow \mathrm{Enc}(K_e, M)$
  $T \leftarrow \mathrm{PRF}(K_m, (C \| K_e))$
  return $(C, T)$
Issue: ensure the PRF is Collision-Resistant.

Collision-Resistant PRFs in the Standard Model
Collision-Resistant PRF: $\mathrm{PRF}(K_1, M_1) = \mathrm{PRF}(K_2, M_2) \implies (K_1, M_1) = (K_2, M_2)$
Key-Injective PRF: $\mathrm{PRF}(K_1, M) = \mathrm{PRF}(K_2, M) \implies K_1 = K_2$
Right-Injective PRG: $\mathrm{PRG}_{\mathrm{RHS}}(K_1) = \mathrm{PRG}_{\mathrm{RHS}}(K_2) \implies K_1 = K_2$

Collision-Resistant PRFs in the Standard Model
Construction for Collision-Resistant PRF:
$\mathrm{PRF}(K, M)$:
  $(K_1 \| K_2) \leftarrow \mathrm{PRG}(K)$
  $C_1 \leftarrow \mathrm{PRP}(K_1, M)$
  $C_2 \leftarrow \mathrm{PRF}(K_2, C_1)$
  return $(C_1 \| C_2)$
Collision-Resistant PRF: $\mathrm{PRF}(K, M) = \mathrm{PRF}(K', M') \implies (K, M) = (K', M')$

Collision-Resistant PRFs in the Standard Model
Construction for Collision-Resistant PRF:
$\mathrm{PRF}(K, M)$:
  $(K_1 \| K_2) \leftarrow \mathrm{PRG}(K)$
  $C_1 \leftarrow \mathrm{PRP}(K_1, M)$
  $C_2 \leftarrow \mathrm{PRF}(K_2, C_1)$
  return $(C_1 \| C_2)$
Proof intuition: Step 1 - Key-Injective PRF: $\mathrm{PRF}(K_2, C_1) = \mathrm{PRF}(K'_2, C_1) \implies K_2 = K'_2$

Collision-Resistant PRFs in the Standard Model
Construction for Collision-Resistant PRF:
$\mathrm{PRF}(K, M)$:
  $(K_1 \| K_2) \leftarrow \mathrm{PRG}(K)$
  $C_1 \leftarrow \mathrm{PRP}(K_1, M)$
  $C_2 \leftarrow \mathrm{PRF}(K_2, C_1)$
  return $(C_1 \| C_2)$
Proof intuition: Step 2 - Right-Injective PRG: $\mathrm{PRG}_{\mathrm{RHS}}(K) = \mathrm{PRG}_{\mathrm{RHS}}(K') \implies K = K'$

Collision-Resistant PRFs in the Standard Model
Construction for Collision-Resistant PRF:
$\mathrm{PRF}(K, M)$:
  $(K_1 \| K_2) \leftarrow \mathrm{PRG}(K)$
  $C_1 \leftarrow \mathrm{PRP}(K_1, M)$
  $C_2 \leftarrow \mathrm{PRF}(K_2, C_1)$
  return $(C_1 \| C_2)$
Proof intuition: Step 3 - Permutation: $\mathrm{PRP}(K_1, M) = \mathrm{PRP}(K_1, M') \implies M = M'$

Right-Injective PRGs
Building-block 1: a right injective PRG.
Use the construction by Yao:
$\mathrm{PRG}(x) := \underbrace{\mathrm{HC}(x) \| \mathrm{HC}(\pi(x)) \| \dots \| \mathrm{HC}(\pi^{|x|-1}(x))}_{\text{Left Part}} \| \underbrace{\pi^{|x|}(x)}_{\text{Right Part}}$
$\pi$ is a pseudorandom permutation.
HC is a hardcore predicate.

Key-Injective PRFs
Building-block 2: a Key-Injective PRF via the GGM construction.
Open problems: more efficient constructions from weaker assumptions.

Left/Right Collision-Resistant PRGs
Building-block 3: length doubling Left/Right Collision-Resistant PRGs.
$\mathrm{PRG}_{\mathrm{LHalf}}(K) = \mathrm{PRG}_{\mathrm{LHalf}}(K') \implies K = K'$
AND
$\mathrm{PRG}_{\mathrm{RHalf}}(K) = \mathrm{PRG}_{\mathrm{RHalf}}(K') \implies K = K'$
Example:
$G(x_1, x_2, x_3) := \big( (g^{x_1}, g^{x_1 x_2}, g^{x_2 x_3}),\ (g^{x_2}, g^{x_1 x_3}, g^{x_3}) \big)$