[Bellare-Tackmann, EC 2016, Nonce-based Cryptography]
NONCE-BASED CRYPTOGRAPHY: RETAINING SECURITY WHEN RANDOMNESS FAILS
Mihir Bellare and Björn Tackmann, University of California, San Diego
Eurocrypt 2016, Vienna, May 11, 2016
WEAK RANDOMNESS
causes: bugs and bad implementations; targeted attack(s)
examples:
- ECDSA randomness
- Dual EC
- RSA certificate keys: insufficient entropy, coinciding prime factors [1]
- /dev/random: insufficient entropy; the design is not robust [2]
- ... and more?
[1] Heninger, Durumeric, Wustrow, Halderman, 2012; Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter, 2012
[2] Dodis, Pointcheval, Ruhault, Vergnaud, Wichs, 2013
PUBLIC-KEY ENCRYPTION [Goldwasser, Micali, 1984]
1. key generation: PKE.kg takes randomness and outputs a (private key, public key) pair
2. encryption: PKE.enc takes the public key, the plaintext and randomness and outputs a ciphertext
3. decryption: PKE.dec takes the private key and the ciphertext and outputs the plaintext
Both key generation and encryption consume randomness; decryption is deterministic.
USING PUBLIC-KEY ENCRYPTION
  bob:   (sk, pk) ←$ PKE.kg; sends pk to alice (authenticated)
  alice: c ←$ PKE.enc(pk, m); sends c to bob
  bob:   m ← PKE.dec(sk, c)
m message, c ciphertext, pk public key, sk secret key
SYMMETRIC ENCRYPTION AND NONCES [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]
randomized symmetric encryption:
1. encryption: SE.enc takes the shared key, the plaintext and randomness and outputs a ciphertext
2. decryption: SE.dec takes the shared key and the ciphertext and outputs the plaintext
nonce-based symmetric encryption:
1. encryption: SE.enc takes the shared key, the plaintext and a nonce and outputs a ciphertext
2. decryption: SE.dec takes the shared key, the ciphertext and the same nonce and outputs the plaintext
WHAT ABOUT NONCE-BASED PKE?
NPE.enc would take the public key, the plaintext and a nonce and output a ciphertext.
Problem: all input values may be known to an attacker!
THE INTUITION
1. setup: generate a good random seed once
2. keep state: the sender stores the seed, but the scheme is hedged against exposure of the seed
3. encryption: use the seed along with the nonce
NONCE-BASED PKE
1a. receiver key generation: as before
1b. sender key generation: NPE.skg takes randomness and outputs a seed
2. encryption: NPE.enc takes the public key, the seed, the plaintext and a nonce and outputs a ciphertext
3. decryption: as before
USING NONCE-BASED PKE
  alice: seed ←$ NPE.skg
  bob:   (sk, pk) ←$ NPE.rkg; sends pk to alice (authenticated)
  alice: c ← NPE.enc(pk, seed, m, nonce); sends c to bob
  bob:   m ← NPE.dec(sk, c)
m message, c ciphertext, pk public key, sk secret key
USING NONCE-BASED PKE
the sender has to keep state, but ...
1. the same seed is valid for multiple receivers
2. different seeds can be used on, e.g., different devices
3. seeds can be updated at any time ... and
4. ... we are hedging against exposure of the seed
SECURITY GUARANTEES
security is guaranteed if either
  - the sender seed is secret and the (nonce, message) pairs are unique,
or
  - the sender seed is public and the nonces are secret and unpredictable.
include in nonces, e.g., sender and receiver addresses, time, system RNG output
A RANDOM-ORACLE-BASED SCHEME
NPE.enc(pk, seed, message, nonce):
  randomness ← RO(seed || message || nonce)
  ciphertext ← PKE.enc(pk, message; randomness)
decryption remains unchanged
MAIN TOOL: HEDGED EXTRACTORS
HE(seed, (message, nonce)) → randomness
(a) a PRF if the seed is secret
(b) a strong extractor if the seed is public but random
ADAPTING TO HEDGED EXTRACTORS
NPE.enc(pk, seed, message, nonce):
  randomness ← HE(seed, (message, nonce))
  ciphertext ← PKE.enc(pk, message; randomness)
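The construction on the two preceding slides, as an added example (not code from the paper or the authors): an ordinary randomized PKE whose coins are an explicit argument, and a nonce-based wrapper that derives those coins from (seed, message, nonce) through a hedged extractor. Assumptions of this example: the PKE is a toy hashed ElGamal over the Mersenne prime 2^127 - 1 with g = 3, and HE is instantiated as HMAC-SHA256 in place of the random oracle RO(seed || message || nonce). The last function shows the limit the slides state: once seed and nonce are both known, an attacker can re-encrypt a guessed plaintext and compare.

```python
import hashlib
import hmac
import os
import struct

# Toy group, an assumption of this example (not from the slides): the Mersenne
# prime 2^127 - 1 with g = 3. Good enough to show the construction; a real
# deployment would use a standard group or curve.
P = (1 << 127) - 1
G = 3


def _i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def _keystream(shared: bytes, n: int) -> bytes:
    """Expand the shared secret into n bytes (SHA-256 in counter mode)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(shared + struct.pack(">I", ctr)).digest()
    return out[:n]


def pke_kg(coins: bytes):
    """PKE.kg with explicit randomness: sk = x, pk = g^x mod p."""
    x = int.from_bytes(coins, "big") % (P - 2) + 1
    return x, pow(G, x, P)


def pke_enc(pk: int, m: bytes, coins: bytes):
    """Hashed-ElGamal PKE.enc(pk, m; r). Every random choice is taken from
    `coins`, so the ciphertext is a deterministic function of (pk, m, coins)."""
    k = int.from_bytes(coins, "big") % (P - 2) + 1
    R, K = pow(G, k, P), pow(pk, k, P)
    shared = hashlib.sha256(_i2b(R) + _i2b(K)).digest()
    return R, bytes(a ^ b for a, b in zip(m, _keystream(shared, len(m))))


def pke_dec(sk: int, c) -> bytes:
    R, ct = c
    shared = hashlib.sha256(_i2b(R) + _i2b(pow(R, sk, P))).digest()
    return bytes(a ^ b for a, b in zip(ct, _keystream(shared, len(ct))))


def he(seed: bytes, m: bytes, nonce: bytes) -> bytes:
    """Hedged extractor HE(seed, (m, n)), here HMAC-SHA256 standing in for
    RO(seed || m || n). The length prefix makes the encoding of the pair
    injective: (m, n) != (m', n') can never feed the same bytes to HMAC."""
    return hmac.new(seed, struct.pack(">I", len(m)) + m + nonce, hashlib.sha256).digest()


def npe_skg() -> bytes:
    """NPE.skg: the sender's seed, drawn once from good randomness."""
    return os.urandom(32)


def npe_enc(pk: int, seed: bytes, m: bytes, nonce: bytes):
    """NPE.enc: the PKE's coins come from HE(seed, (m, nonce)); no RNG call."""
    return pke_enc(pk, m, he(seed, m, nonce))


def npe_dec(sk: int, c) -> bytes:
    """NPE.dec is just PKE.dec; decryption is unchanged."""
    return pke_dec(sk, c)


def attacker_confirms_guess(pk: int, seed: bytes, nonce: bytes, guess: bytes, c) -> bool:
    """Everything NPE.enc consumes is public once seed and nonce are known, so
    an attacker can re-encrypt a guessed plaintext and compare with c. This is
    why, with a public seed, the nonces must be secret and unpredictable."""
    return npe_enc(pk, seed, guess, nonce) == c
```

Because NPE.enc is deterministic in (pk, seed, m, nonce), encrypting the same message twice under the same nonce yields the same ciphertext; that is the reason the secret-seed guarantee requires (nonce, message) pairs to be unique.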
SECURITY 1: PSEUDO-RANDOMNESS
b ←$ {0,1}
Oracle F(x): if b = 0 then return a (consistent) random value y, else return F^RO(k, x)
Oracle RO(v): return w
Adv^prf(F, A) = 2 Pr[ b' ←$ A^{F, RO} ; b = b' ] − 1
(UNPREDICTABLE) NONCE GENERATORS
state ← ⊥
Oracle GEN(aux): if exposed then return ⊥; (n, state) ← NG(aux, state); record n in the set N of generated nonces
Oracle EXPOSE: exposed ← true; return state
Adv^pred(NG, A) = Pr[ n ←$ A^{GEN, EXPOSE} ; n ∈ N or collision ]
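An added example (not from the paper) of a stateful nonce generator of the kind the slides recommend, together with the EXPOSE-then-guess attack that the prediction game measures. The generator, its counter state and the all-zero "broken RNG" are constructed for this illustration. With a dead RNG the attacker who has seen the state predicts the next nonce, but the counter still keeps every nonce unique; with a working RNG the prediction fails. Those two outcomes are exactly the two guarantees on the earlier slide: uniqueness of (nonce, message) pairs when the seed is secret, unpredictability when the seed is public.

```python
import os
import struct


class NonceGen:
    """Stateful nonce generator NG(aux, state) -> (nonce, state): the nonce is
    aux (e.g. sender and receiver addresses) || a counter kept in the state ||
    fresh system-RNG output. `rng` is a parameter so a failure can be simulated."""

    def __init__(self, rng=os.urandom, rng_bytes=16):
        self.state = 0          # the counter; this is what EXPOSE reveals
        self.rng = rng
        self.rng_bytes = rng_bytes

    def gen(self, aux: bytes) -> bytes:
        self.state += 1
        return aux + struct.pack(">Q", self.state) + self.rng(self.rng_bytes)

    def expose(self) -> int:
        """The EXPOSE oracle: hands the attacker the current state."""
        return self.state


def broken_rng(n: int) -> bytes:
    """Constructed failure mode for the example: the system RNG returns zeros."""
    return b"\x00" * n


def predicts_next_nonce(ng: NonceGen, aux: bytes) -> bool:
    """The attack behind the PRED game: after EXPOSE the attacker knows the
    counter, so it guesses aux || counter+1 with the RNG part guessed as zeros.
    (The game itself disables GEN after EXPOSE; here the generator is run one
    more step only to check the guess.) Returns True if the guess is right."""
    guess = aux + struct.pack(">Q", ng.expose() + 1) + b"\x00" * ng.rng_bytes
    return ng.gen(aux) == guess


def all_unique(ng: NonceGen, aux: bytes, count: int) -> bool:
    """Collision check: even with a dead RNG the counter keeps nonces unique,
    which is what the secret-seed guarantee (unique (nonce, message) pairs) needs."""
    return len({ng.gen(aux) for _ in range(count)}) == count
```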
SECURITY 2: EXTRACTION
b ←$ {0,1}; seed ←$ SEEDS; the adversary is given the seed
Oracle ROR(m, aux): if exposed then return ⊥; generate nonce n ←$ NG(aux); if b = 0 then return a random value r, else return HE^RO(seed, (m, n))
Oracle EXPOSE: exposed ← true; return state
Oracle RO(v): return w
Adv^ror(HE, NG, A) = 2 Pr[ b' ←$ A^{ROR, EXPOSE, RO} ; b = b' ] − 1
THE RANDOM-ORACLE SCHEME
HE(seed, (message, nonce)) = RO(seed || message || nonce)
Adv^prf(HE, A) ≤ q · 2^−k            (q RO queries, seed length k)
Adv^ror(HE, NG, A) ≤ q · Adv^pred(NG, B)
RECALL: ALMOST-UNIVERSAL HASHING
AUHF(seed, entropic input) → randomness
Definition: F: K × X → Z is ζ-AUHF if for all x ≠ y: Pr_k[ F(k, x) = F(k, y) ] ≤ ζ
Leftover Hash Lemma [Impagliazzo, Levin, Luby, 1989]: let F be ζ-AUHF; then (k, z) ≈_{ζ'(k)} (k, F(k, x)) with k ←$ K, z ←$ Z, and x of min-entropy k
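A worked instance of the definition above, added here and not taken from the paper: the polynomial-evaluation hash F(k, x) = L + Σ x_i k^i mod p over a prime field, which is (L_max/p)-AUHF because F(k, x) − F(k, y) is a nonzero polynomial of degree at most L_max and so has at most L_max roots k. The block encoding, the 0x80 end marker, and the choice of p = 2^61 − 1 for the byte-string front end are assumptions of this example. `max_key_collisions` checks the bound exhaustively over a tiny field (p = 251), which a practitioner can do once before trusting a hash as the extractor keyed by a public seed.

```python
from itertools import combinations, product

# Field for the byte-string instance: the Mersenne prime 2^61 - 1 (assumption).
P61 = (1 << 61) - 1


def poly_hash(key: int, blocks, p: int) -> int:
    """F(k, x) = (L + x_1 k + x_2 k^2 + ... + x_L k^L) mod p for x = (x_1..x_L).
    Putting the block count L in the constant term keeps inputs of different
    length apart. For x != y the difference F(k,x) - F(k,y) is a nonzero
    polynomial in k of degree <= max(L, L'), so at most that many keys k
    collide: F is (L_max / p)-AUHF."""
    h = len(blocks) % p
    kp = 1
    for x in blocks:
        kp = kp * key % p
        h = (h + x * kp) % p
    return h


def auhf(key: int, data: bytes) -> int:
    """Byte-string front end over GF(2^61 - 1): append a 0x80 end marker, zero-pad
    to 7-byte blocks (each < 2^56 < p), hash the block sequence. The marker
    makes the padding injective, so b'a' and b'a\\x00' are distinct inputs."""
    padded = data + b"\x80"
    padded += b"\x00" * (-len(padded) % 7)
    blocks = [int.from_bytes(padded[i:i + 7], "big") for i in range(0, len(padded), 7)]
    return poly_hash(key % P61, blocks, P61)


def max_key_collisions(p: int, inputs) -> int:
    """For every pair of distinct inputs, count the keys k in Z_p with
    F(k, x) = F(k, y) and return the largest count. Divided by p this is the
    observed zeta; the definition promises it is at most L_max / p."""
    worst = 0
    for x, y in combinations(inputs, 2):
        hits = sum(1 for k in range(p) if poly_hash(k, x, p) == poly_hash(k, y, p))
        worst = max(worst, hits)
    return worst


def small_inputs(limit: int, max_len: int):
    """All block tuples of length 1..max_len with entries in [0, limit)."""
    return [t for L in range(1, max_len + 1) for t in product(range(limit), repeat=L)]
```

For two-block inputs over Z_251 the exhaustive count finds pairs with exactly 2 colliding keys (k = 0 plus the one further root of a degree-2 difference), matching ζ = 2/251, and no pair with more; single-block inputs collide only at k = 0, i.e. ζ = 1/251.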
THE STANDARD-MODEL SCHEME
HE(seed, (message, nonce)): the seed keys both a PRF and an AUHF; both are applied to (message, nonce) and their outputs are combined into the randomness
caveat: nonces must be independent of the seed
Adv^prf(HE, A) ≤ Adv^prf(PRF, B)
Adv^ror(HE, NG, A) ≤ q · ζ'(k)       if Adv^pred(NG, C) ≤ 2^−k
NONCE-BASED PRIVACY, ONE (the adversary gets pk; the seed stays secret)
b ←$ {0,1}; seed ←$ SEEDS; (pk, sk) ←$ NPE.kg
Oracle ENC(m0, m1, aux): if |m0| ≠ |m1| then return ⊥; generate nonce n ←$ NG(aux); if the (message, nonce) pair is repeated then return ⊥; c ← NPE.enc^RO(pk, seed, m_b, n); return c
Oracle DEC(c'): decrypt c' and return m'
Oracle RO(v): return w
Adv^nbp1(NPE, A) = 2 Pr[ b' ←$ A^{ENC, DEC, RO} ; b = b' ] − 1
NONCE-BASED PRIVACY, TWO (the adversary gets pk and the seed)
b ←$ {0,1}; seed ←$ SEEDS; (pk, sk) ←$ NPE.kg
Oracle ENC(m0, m1, aux): if |m0| ≠ |m1| then return ⊥; generate nonce n ←$ NG(aux); c ← NPE.enc^RO(pk, seed, m_b, n); return c
Oracle DEC(c'): decrypt c' and return m'
Oracle RO(v): return w
Adv^nbp2(NPE, A) = 2 Pr[ b' ←$ A^{ENC, DEC, RO} ; b = b' ] − 1
BUILDING NONCE-BASED PUBLIC-KEY ENCRYPTION
NPE.enc(pk, seed, message, nonce):
  randomness ← HE(seed, (message, nonce))
  ciphertext ← PKE.enc(pk, message; randomness)
Adv^nbp1(NPE, A) ≤ 2 · Adv^prf(HE, B) + Adv^ind(PKE, C)
Adv^nbp2(NPE, A) ≤ 2 · Adv^ror(HE, B) + Adv^ind(PKE, C)