
Multi-Instance Security and its Application to Password-Based Cryptography – PowerPoint PPT Presentation

Multi-Instance Security and its Application to Password-Based Cryptography
Stefano Tessaro (MIT)
Joint work with Mihir Bellare (UC San Diego) and Thomas Ristenpart (Univ. of Wisconsin)

Scenario: File encryption. Want to store data in encrypted


  1. PKCS#5 – Password-based cryptography standard
  Salting as suggested in PKCS#5 prevents the attack.
  KDF1: pw||salt → H → H → … → H → K   (c iterations of H)
  PB-Encrypt(pw, M):
    salt ← {0,1}^c        (randomly chosen per KDF evaluation)
    K ← H^c(pw||salt)
    C ← ENC(K, M)
    Return C||salt        (allows decryption)
  Question: Does salting provably ensure multi-instance security amplification?
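The PB-Encrypt construction on the slide, as an added example that is not part of the original slides or of the paper it presents. The choices of H = SHA-256, a 16-byte salt, and a toy SHA-256 counter-mode stream cipher standing in for ENC are assumptions of this example so that it runs with the standard library alone; the point it adds is `kdf_work`, which counts how many hash evaluations it takes to derive the keys of several instances that share a password: with per-instance salts the cost grows with the number of instances, without salts one H^c evaluation covers them all, which is the multi-instance amplification the question on the slide is about.

```python
import hashlib
import os

# Added example (not from the slides or the paper): PKCS#5-style KDF1 and PB-Encrypt.
# Assumptions of this example: H = SHA-256, a 16-byte salt, and a toy counter-mode
# stream cipher as a stand-in for ENC so the block runs with the standard library only.

SALT_LEN = 16  # salt length in bytes (our choice)


def kdf1(pw: bytes, salt: bytes, c: int) -> bytes:
    """K = H^c(pw || salt): iterate H c times, starting from pw || salt."""
    if c < 1:
        raise ValueError("iteration count c must be at least 1")
    k = pw + salt
    for _ in range(c):
        k = hashlib.sha256(k).digest()
    return k


def toy_enc(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy ENC; XOR makes it its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def pb_encrypt(pw: bytes, msg: bytes, c: int, rng=os.urandom) -> bytes:
    """PB-Encrypt(pw, M): fresh salt per call, K = KDF1(pw, salt, c), output C || salt."""
    salt = rng(SALT_LEN)
    return toy_enc(kdf1(pw, salt, c), msg) + salt


def pb_decrypt(pw: bytes, ct: bytes, c: int) -> bytes:
    """Split off the trailing salt (sent in the clear), re-derive K and undo the XOR."""
    body, salt = ct[:-SALT_LEN], ct[-SALT_LEN:]
    return toy_enc(kdf1(pw, salt, c), body)


def kdf_work(instances, c: int) -> int:
    """Number of H evaluations needed to derive every listed instance's key once.

    instances: list of (pw, salt) pairs. Instances with identical (pw, salt) share one
    H^c chain; distinct salts force a separate chain per instance even for the same pw.
    """
    return len({(pw, salt) for pw, salt in instances}) * c


if __name__ == "__main__":
    msg = b"hello multi-instance world"
    ct = pb_encrypt(b"correct horse", msg, 1000)
    assert pb_decrypt(b"correct horse", ct, 1000) == msg
    # Three instances, same password: unsalted cost c, salted cost 3c.
    print(kdf_work([(b"pw", b"")] * 3, 1000), kdf_work([(b"pw", os.urandom(SALT_LEN)) for _ in range(3)], 1000))
```

The salt is appended to the ciphertext rather than kept secret because decryption has to recompute K from the same pw||salt; its job is not secrecy but making each instance's KDF input distinct.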

  2. Iteration and salting in the real world: No salting! No iteration!

  8. Our results
  Question: Does salting provably ensure multi-instance security amplification?
  Answer: We do not really know!
    1) No formal proof!
    2) No formal model!
  Our contributions:
    1) General definitional framework for multi-instance security of arbitrary cryptographic primitives.
    2) Case study: Security analysis of PKCS#5 within our framework.

  10. Outline
    1. Multi-instance security
    2. Security of PKCS#5 – A case study

  19. Single-instance security – PB-Encryption
  LOR-Security:
    Adversary A sends m_0, m_1 with |m_0| = |m_1|.
    Challenger: b ← {0,1}; pw ← PWD; returns ENC(pw, m_b).
    A outputs b′.
    Adv^lor(A) = 2 × [Pr[b = b′] − 1/2]
  PWR-Security:
    Adversary A sends m.
    Challenger: pw ← PWD; returns ENC(pw, m).
    A outputs pw′.
    Adv^pwr(A) = Pr[pw′ = pw]

  21. The multi-instance (mi) security vista
  Our goal: Define a security metric for scheme S w.r.t. property P that measures the success of an adversary that:
    • Attacks m instances of the scheme concurrently.
    • Corrupts up to d < m instances of the scheme (e.g., learns passwords).
    • Wins if it breaks P for all uncorrupted instances.

  30. PWR security
  One password per instance: pw_1 ← PWD, pw_2 ← PWD, pw_3 ← PWD, …
  Adversary A outputs (pw_1′, pw_2′, pw_3′, …).
  Adv^{m-pwr}(A) = Pr[pw_1′ = pw_1, …, pw_m′ = pw_m]

  34. LOR security
  One bit and one password per instance: b_1 ← {0,1}, pw_1 ← PWD; b_2 ← {0,1}, pw_2 ← PWD; b_3 ← {0,1}, pw_3 ← PWD; …
  Adv^{m-lor}(A) = ?

  39. Defining mi security for encryption
  Attempt #1: AND-advantage
  LORA-security: Output: b_1′, …, b_m′
  Advantage: Adv^{m-lora}(A) = Pr[(b_1, …, b_m) = (b_1′, …, b_m′)]
  Problem: Does not measure the hardness of winning all uncorrupted instances.
  Reason: If ∃ an adversary with Pr[b_1 = b_1′] > 3/4, then ∃ an adversary guessing the second bit at random with Pr[(b_1, b_2) = (b_1′, b_2′)] > 3/4 × 1/2 = 3/8.

  42. Defining mi security for encryption
  Attempt #2: XOR-advantage
  LORX-security: Output: b′
  Advantage: Adv^{m-lorx}(A) = 2 × [Pr[b′ = b_1 ⊕ ⋯ ⊕ b_m] − 1/2]
  Reason: If ∃ an adversary with Pr[b′ = b_1] > (1 + ε)/2, then an adversary guessing the second bit has no advantage: Pr[b′ = b_1 ⊕ b_2] = 1/2.
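The AND-versus-XOR comparison from the two attempts above, worked out as an added example (not from the slides or the paper). The model is an assumption of this example: the adversary's guess for instance i is correct with probability p_i, independently across instances, so p_i = 1/2 means "guess at random" and p_i = 3/4 is the slide's partial break. The block enumerates every right/wrong pattern exactly with `Fraction`, and goes slightly beyond the slide's two-instance case by handling any number of instances and by checking the closed form that falls out of the independence assumption: the XOR advantage is the product of the per-instance advantages 2p_i − 1, so a single random guess zeroes it, while the AND success probability is still 3/8 for the slide's adversary.

```python
from fractions import Fraction
from itertools import product

# Added example (not from the slides or the paper). Assumption of this example:
# per-instance guesses are correct independently with probabilities p[i].


def lora_lorx_success(p):
    """Return (Pr[all m guesses correct], Pr[XOR of guesses == XOR of challenge bits]).

    p[i] is Pr[guess for instance i is correct]; p[i] == 1/2 models a random guess.
    Both probabilities are computed by enumerating which instances are guessed right.
    """
    p = [Fraction(x) for x in p]
    all_correct = Fraction(0)
    xor_correct = Fraction(0)
    for pattern in product((True, False), repeat=len(p)):
        prob = Fraction(1)
        for ok, pi in zip(pattern, p):
            prob *= pi if ok else 1 - pi
        if all(pattern):
            all_correct += prob
        # The XOR of the guesses equals the XOR of the bits exactly when an even
        # number of individual guesses are wrong (each wrong guess flips the parity).
        if pattern.count(False) % 2 == 0:
            xor_correct += prob
    return all_correct, xor_correct


def lora_advantage(p):
    """Attempt #1 on the slide: Adv^{m-lora} = Pr[(b_1..b_m) = (b_1'..b_m')]."""
    return lora_lorx_success(p)[0]


def lorx_advantage(p):
    """Attempt #2 on the slide: Adv^{m-lorx} = 2 * (Pr[b' = b_1 xor ... xor b_m] - 1/2)."""
    return 2 * lora_lorx_success(p)[1] - 1


def lorx_closed_form(p):
    """Under the independence assumption, Adv^{m-lorx} = prod_i (2 p_i - 1)."""
    adv = Fraction(1)
    for x in p:
        adv *= 2 * Fraction(x) - 1
    return adv


if __name__ == "__main__":
    # The slide's adversary: breaks instance 1 with probability 3/4, guesses instance 2.
    partial = [Fraction(3, 4), Fraction(1, 2)]
    print("AND:", lora_advantage(partial), "XOR:", lorx_advantage(partial))   # 3/8 and 0
    # An adversary that breaks both instances at 3/4 is rewarded by XOR.
    both = [Fraction(3, 4), Fraction(3, 4)]
    print("AND:", lora_advantage(both), "XOR:", lorx_advantage(both))         # 9/16 and 1/4
```

The closed form is the reason the XOR metric is the one that captures "break all instances": any instance the adversary cannot do better than guess on contributes a factor of 0, whereas the AND metric only halves.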

  48. Mi security notions – Relations
  m-LORA  (1)  m-LORX  (2)  m-PWR
    1) Holds in most cases – the proof relies on a probabilistic lemma from [U09].
    2) Very loose asymptotic implication – based on the Goldreich-Levin Theorem [GL89].

  49. Relations – LOR vs ROR
  LOR-Security: adversary sends m_0, m_1; b ← {0,1}; pw ← PWD; receives ENC(pw, m_b); outputs b′.
  ROR-Security: adversary sends m_0; b ← {0,1}; m_1 ← M (a random message); pw ← PWD; receives ENC(pw, m_b); outputs b′.

  56. Relations – LOR vs ROR
  Classical textbook theorem (hybrid argument): Adv^ror(t) ≤ Adv^lor(t) ≤ 2 × Adv^ror(t)
    [Hybrid diagram: distinguishing L from R ≤ distinguishing L from $ + distinguishing $ from R]
  Mi setting with m instances: Adv^{m-rorx}(t) ≤ Adv^{m-lorx}(t) ≤ 2^m × Adv^{m-rorx}(t)   Tight!
    [Hybrid diagram over pairs of instances: LL vs RR bounded by a sum of hybrids that pass through $ in each instance]

  58. Outline
    1. Multi-instance security
    2. Security of PKCS#5 – A case study
