on the circular security of bit encryption
play

On the Circular Security of Bit Encryption Ron Rothblum Weizmann - PowerPoint PPT Presentation

May 30, 2023 •201 likes •545 views

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security Circular Security Q: Is it in general safe to encrypt your own key? A: For some schemes (e.g. [BHHO08,ACPS09] ) yes but in general No! Circular

  1. On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute

  2. Circular Security

  3. Circular Security Q: Is it in general safe to encrypt your own key? A: For some schemes (e.g. [BHHO08,ACPS09] ) yes but in general No!

  4. Circular Security

  5. Public Key Example Public Key Example

  6. Circular Security of Bit Encryption Since general case is false, focus on interesting special case of bit-encryption . Why bit-encryption? 1. Most candidate FHE are bit-encryption whose semantic-security relies on their circular security (which is not understood). 2. Seems most natural way to foil the previous counterexample and get circular security for “free”.

  7. Bit-Encryption Conjecture Conjecture: [Folklore] Every semantically-secure bit-encryption scheme is circular secure. Focus of this work is showing obstacles to proving the conjecture.

  8. Our Results 1. A scheme that is circular insecure but is semantically secure based on multilinear maps. 2. Cannot prove the conjecture via a blackbox reduction. 3. Equivalence of different security notions for circular security of bit- encryption.

  9. Our Results 1. A scheme that is circular insecure but is semantically secure based on multilinear maps. 2. Cannot prove the conjecture via a blackbox reduction. 3. Equivalence of different security notions for circular security of bit- encryption.

  10. Our Assumption An extension of an assumption made on groups with bilinear maps to groups with multilinear maps.

  11. Multilinear Maps

  12. Multilinear Maps There exist trivial multilinear maps unconditionally but for crypto, need computational problems such as discrete-log to be hard. Do there exist multilinear groups on which discrete-log (and friends) are hard? [BS03]

  13. (Silly) Example (Silly) Example

  14. SXDH Assumption [BGMM05, ACHM05] c

  16. Theorem

  17. El-Gamal Variant Key Generation: Decrypt(c,d):

  18. Our Scheme Key Generation:

  19. Our Scheme Key Generation:

  20. Circular Security Attack … … … … … … …

  21. Circular Security Attack …. …

  22. Circular Security Attack …. …

  23. Circular Security Attack …. …

  24. Circular Security Attack With overwhelming probability

  25. Our Results 1. A scheme that is circular insecure but is semantically secure based on multilinear maps. 2. Cannot prove the conjecture via a blackbox reduction. 3. Equivalence of different security notions for circular security of bit- encryption.

  26. Blackbox Impossibility Result No blackbox reduction from circular-security of bit-encryption scheme to semantic-security (or even CCA security) of the same scheme. Blackbox access to encryption-scheme and adversary. Incomparable to [HH09] KDM blackbox separation.

  27. [HH09] KDM Blackbox Impossibility [HH09] KDM Blackbox Impossibility

  28. A Blackbox Reduction A Blackbox Reduction Encryption Circular Security Circular Security Scheme Scheme Adversary Challenger Challenger Reduction (Semantic Security (Semantic Security Adversary)

  29. Our Results 1. A scheme that is circular insecure but is semantically secure based on multilinear maps. 2. Cannot prove the conjecture via a blackbox reduction. 3. Equivalence of different security notions for circular security of bit- encryption.

  30. Circular Security Definitions

  31. Equivalence Result

  32. Open Problems

  33. Thank you!

Recommend

Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

1.07k views • 89 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular encryption (E, D) a symmetric cipher. k 1 , k 2 two keys. Which of the following is safe to publish? c E k 1 (k

573 views • 13 slides
Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski,

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski,

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan Identity-Based Encryption [Sha84, BF03, Coc01] Identity-Based Encryption [Sha84, BF03, Coc01]

1.01k views • 64 slides
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA CRYPTO 2009 Learning Noisy Linear

352 views • 33 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should not reveal the persons height Shafi Goldwasser and Silvio Micali, 1982 1 Design of Encryption Algorithms Encryption algorithms are

421 views • 7 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals are *NOT* At rest encryption Best practices for web/HTTP going to encryption How perfectly and good we are- we made

529 views • 18 slides
Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at rest and communication channels Security of Computation on Sensitive Inputs Secure multiparty computation (MPC) Differential privacy methods

595 views • 43 slides
Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship

Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship

Circular Food Systems for Nutrition Security A Transformative Research Agenda as Next GRA Flagship Martin C. Th. Scholten August 29, 2017 @mcthscholten A Global Flagship Proposal Food Production in Biobased Society From Linear to Circular, no

90 views • 7 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0

The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0

The Encryption Standards Appendix F Computer Security: Art and Science, 2 nd Edition Version 1.0 Slide F - 1 Outline Data Encryption Standard Algorithm Advanced Encryption Standard Background mathematics Algorithm Computer

499 views • 31 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

619 views • 20 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

1.45k views • 98 slides
Encryption and Network Security Cryptography is widely used to protect networks Relies on

Encryption and Network Security Cryptography is widely used to protect networks Relies on

Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols discussed previously Can be applied at different places in the network stack With different effects and

525 views • 21 slides
Mariana Raykova Yale, Google Data Security: Encryption and Digital Signatures Beyond security

Mariana Raykova Yale, Google Data Security: Encryption and Digital Signatures Beyond security

Mariana Raykova Yale, Google Data Security: Encryption and Digital Signatures Beyond security of data at rest and communication channels Security of Computation on Sensitive Inputs Secure multiparty computation (MPC) Differential

848 views • 26 slides
The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the

The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the

The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the twenty-first century: the advanced encryption standard. In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS)

477 views • 24 slides
The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the

The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the

The Advanced Encryption Standard - see Susan Landaus paper: Communications security for the twenty-first century: the advanced encryption standard. In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS)

160 views • 15 slides
Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM Research Zurich Motivation | Outsourced Storage Data owner stores encrypted data at (untrusted) data host symmetric encryption Proactive

763 views • 24 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
The Multi-User Security of Double Encryption Viet Tung Hoang Stefano Tessaro Florida State

The Multi-User Security of Double Encryption Viet Tung Hoang Stefano Tessaro Florida State

The Multi-User Security of Double Encryption Viet Tung Hoang Stefano Tessaro Florida State University UC Santa Barbara EUROCRYPT 2017 May 3, 2017 1 Double Encryption Single Encryption: trivial E J key-recovery in O(2 k ) time. Double

1.25k views • 51 slides

More recommend