PKCS#5 – Password-based cryptography standard

Salting as suggested in PKCS#5 prevents the attack.

KDF1: L ← H^c(pw || salt), i.e. c iterated applications of H to pw || salt.

PB-Encrypt(pw, M):
  salt ←$ {0,1}^t   (randomly chosen per KDF evaluation)
  L ← H^c(pw || salt)
  C ← ENC(L, M)
  Return C || salt   (allows decryption)

Question: Does salting provably ensure multi-instance security amplification?

Iteration and salting in the real world: No salting! No iteration!
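PB-Encrypt with the KDF1 structure from the slide, as an added example rather than code from the talk. Assumptions not fixed by the slide: H is SHA-256, the salt length t is 128 bits, and ENC is a toy SHA-256 counter-mode XOR stream standing in for the abstract ENC. The `distinct_keys` helper makes the multi-instance point: unsalted instances that share a password collapse to one derived key, salted ones do not.

```python
import hashlib
import os
from typing import Optional

# Assumptions (not on the slide): H = SHA-256, t = 128 bits, toy ENC below.
H = hashlib.sha256
SALT_LEN = 16                                   # t = 128 bits

def kdf1(pw: bytes, salt: bytes, c: int) -> bytes:
    """L <- H^c(pw || salt): the hash is applied c times to pw || salt."""
    if c < 1:
        raise ValueError("iteration count c must be at least 1")
    L = pw + salt
    for _ in range(c):
        L = H(L).digest()
    return L

def _enc(L: bytes, data: bytes) -> bytes:
    """Toy ENC/DEC stand-in: XOR with a SHA-256 counter-mode keystream under key L."""
    stream = b"".join(H(L + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def pb_encrypt(pw: bytes, msg: bytes, c: int, salt: Optional[bytes] = None) -> bytes:
    """PB-Encrypt(pw, M): salt <-$ {0,1}^t, L <- H^c(pw||salt), C <- ENC(L, M), return C || salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)             # fresh random salt per KDF evaluation
    return _enc(kdf1(pw, salt, c), msg) + salt  # salt travels in the clear: allows decryption

def pb_decrypt(pw: bytes, ct: bytes, c: int) -> bytes:
    """Recover the salt from the ciphertext tail, re-derive L, and undo ENC."""
    if len(ct) < SALT_LEN:
        raise ValueError("ciphertext too short to carry a salt")
    C, salt = ct[:-SALT_LEN], ct[-SALT_LEN:]
    return _enc(kdf1(pw, salt, c), C)

def distinct_keys(pw: bytes, c: int, salts: list) -> int:
    """Number of distinct keys that instances sharing one password derive.

    With no salting (all salts empty) every instance shares a single key, so one
    KDF evaluation covers all of them; with per-instance salts each instance gets
    its own key, which is the amplification salting is meant to provide.
    """
    return len({kdf1(pw, s, c) for s in salts})
```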
Our results

Question: Does salting provably ensure multi-instance security amplification?
Answer: We do not really know!
  1) No formal proof!
  2) No formal model!

Our contributions:
  1) General definitional framework for multi-instance security of arbitrary cryptographic primitives.
  2) Case study: Security analysis of PKCS#5 within our framework.
Outline
  1. Multi-instance security
  2. Security of PKCS#5 – A case study
Single-instance security – PB-Encryption

LOR-Security:
  Adversary A submits M_0, M_1 with |M_0| = |M_1|.
  b ←$ {0,1}; pw ←$ PWS (the password space)
  A receives C ← ENC(pw, M_b) and outputs a guess b'.
  Adv^lor(A) = 2 × [Pr[b = b'] − 1/2]

PWR-Security:
  pw ←$ PWS
  Adversary A submits M, receives C ← ENC(pw, M), and outputs a guess pw'.
  Adv^pwr(A) = Pr[pw' = pw]
The multi-instance (mi) security vista

Our goal: Define a security metric for scheme S w.r.t. property P that measures the success of an adversary that:
  - attacks m instances of the scheme concurrently,
  - corrupts up to u < m instances of the scheme (e.g., learns passwords),
  - wins if it breaks P for all uncorrupted instances.
PWR security (mi setting, m = 3 shown)

  pw_1 ←$ PWS,  pw_2 ←$ PWS,  pw_3 ←$ PWS
  Adversary A outputs (pw'_1, pw'_2, pw'_3).
  Adv^{m-pwr}(A) = Pr[pw'_1 = pw_1, …, pw'_m = pw_m]
LOR security (mi setting, m = 3 shown)

  b_1 ←$ {0,1}, pw_1 ←$ PWS
  b_2 ←$ {0,1}, pw_2 ←$ PWS
  b_3 ←$ {0,1}, pw_3 ←$ PWS
  Adv^{m-lor}(A) = ?
Defining mi security for encryption – Attempt #1: AND-advantage

LORA-security: A outputs b'_1, …, b'_m.
Advantage: Adv^{m-lora}(A) = Pr[(b_1, …, b_m) = (b'_1, …, b'_m)]

Problem: Does not measure the hardness of winning all uncorrupted instances.
Reason: If ∃ an adversary with Pr[b_1 = b'_1] > 3/4, then ∃ an adversary that guesses the second bit at random with Pr[(b_1, b_2) = (b'_1, b'_2)] > 3/4 × 1/2 = 3/8.
Defining mi security for encryption – Attempt #2: XOR-advantage

LORX-security: A outputs a single bit b'.
Advantage: Adv^{m-lorx}(A) = 2 × (Pr[b' = b_1 ⊕ ⋯ ⊕ b_m] − 1/2)

Reason: If ∃ an adversary with Pr[b' = b_1] > (1 + ε)/2, then the adversary that guesses the second bit at random has no advantage: Pr[b' = b_1 ⊕ b_2] = 1/2.
Mi security notions – Relations

  m-LORA  (1)  m-LORX  (2)  m-PWR

  1) Holds in most cases – proof relies on a probabilistic lemma from [U09].
  2) Very loose asymptotic implication – based on the Goldreich-Levin Theorem [GL89].
Relations – LOR vs ROR

LOR-Security: A submits M_0, M_1; b ←$ {0,1}; pw ←$ PWS; A receives ENC(pw, M_b) and outputs b'.
ROR-Security: A submits one message; the other is chosen at random with the same length; b ←$ {0,1}; pw ←$ PWS; A receives ENC(pw, M_b) and outputs b'.

Classical textbook theorem (hybrid argument):
  Adv^ror(A) ≤ Adv^lor(A) ≤ 2 × Adv^ror(A)
  Hybrid: distinguishing L from R ≤ distinguishing L from $ + distinguishing $ from R.

Mi setting with m instances:
  Adv^{m-rorx}(A) ≤ Adv^{m-lorx}(A) ≤ 2^m × Adv^{m-rorx}(A)
  (Hybrid argument over the L/R/$ positions of the m instances; figure omitted.)
  Tight!
Outline
  1. Multi-instance security
  2. Security of PKCS#5 – A case study