randomness dependent randomness dependent message
play

Randomness Dependent Randomness Dependent Message Security g y - PowerPoint PPT Presentation

May 15, 2023 •223 likes •638 views

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai Min Chung Rafael Pass Sidharth Telang Public key Encryption Public key Encryption Goal: l (pk,sk) Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m

  1. Randomness ‐ Dependent Randomness ‐ Dependent Message Security g y Eleanor Birrell Kai ‐ Min Chung Rafael Pass Sidharth Telang

  2. Public key Encryption Public key Encryption • Goal: l (pk,sk) ← Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m Encryption scheme (Gen Enc Dec) Encryption scheme (Gen, Enc, Dec) Formal security: CPA/CCA

  3. CPA security CPA security pk m m 1 m m 0 ≈ Enc pk (m 0 ;r) Enc pk (m 1 ;r)

  4. CPA security CPA security m 0 m 1 do not m 0 , m 1 do not depend on sk or r pk m m 1 m m 0 ≈ Enc pk (m 0 ;r) Enc pk (m 1 ;r)

  5. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some

  6. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! sk m secure

  7. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! sk m secure • but key dependent messages (KDM) are useful! but key dependent messages (KDM) are useful! practically and theoretically ABBC, CKVW10, G09, BRS02,CL01, BPS08, BHHO08 etc. BRS02,CL01, BPS08, BHHO08 etc. • Intensely studied, lots of work…

  8. m m 0 , m 1 do not m do not Good for many settings depend on sk or r Not good for some r Enc: CPA All bets are off! m secure • randomness dependent messages (RDM) randomness dependent messages (RDM) • implicit in MS09, HLW12, BBNRSSY09 • explicit in HO10 explicit in HO10 • much less studied

  9. Why RDM? Why RDM? 1) RDM happens! (involuntary attack) r 1 r 2 1 2 correlated! HDWH12 HDWH12

  10. Why RDM? Why RDM? 1) RDM happens! (involuntary attack) r 1 r 2 1 2 correlated! m Enc

  11. Why RDM? Why RDM? 2) RDM is useful! (voluntary attack) e.g. • MS09, HLW12: 1 ‐ bit CCA2 => many ‐ bit CCA2 • HO10: lossy encryption => inj OW TDF HO10: lossy encryption => inj. OW. TDF.

  12. RDM security [HO10] RDM security [HO10] security against any RDM function pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

  13. “weak” RDM security weak RDM security f f 0 and f 1 do not d f d t depend on pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r) Hedged Encryption [BBNRSSY09] => weak RDM security

  14. RDM security RDM security our focus: f 0 and f f d pk f 1 depend on pk f :circuit f 0 :circuit f :circuit f 1 :circuit ≈ Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

  15. 2 circular RDM security 2 ‐ circular RDM security pk f g:circuits f, g:circuits c 1 = Enc pk (f(r 2 );r 1 ) c 2 = Enc pk (g(r 1, c 1 );r 2 )

  16. k circular RDM security k ‐ circular RDM security k=2 k=2 pk f g:circuits f, g:circuits c 1 = Enc pk (f(r 2 );r 1 ) c 1 = Enc pk (0;r 1 ) ≈ c 2 = Enc pk (g(r 1, c 1 );r 2 ) c 2 = Enc pk (0;r 2 )

  17. k circular RDM security k ‐ circular RDM security pk f f 0 , g 0 :circuits g :circuits f f 1 , g 1 :circuits i it this work: k ‐ circular RDM security => k i l RDM i c 1 = Enc pk (f 0 (r b );r a ) c 1 = Enc pk (f 1 (r b );r 1 ) RDM security RDM security c 2 = Enc pk (g(r 1, c 1 );r 2 ) c 2 = Enc pk (0;r 2 )

  18. Question: Can we get circular RDM, or Q i C i l RDM even RDM security even RDM security i.e. security against any RDM function?

  19. Our results Our results “Full” RDM security i.e. security against any RDM function • Impossible in standard model p • => circular RDM impossible too

  20. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit Enc pk (f 0 (r);r) Enc pk (f 1 (r);r)

  21. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 0 (r) = b’ such that f 1 (r) = b’ such that Enc (b’;r) “signals” 0 Enc pk (b ;r) signals 0 Enc (b’;r) “signals” 1 Enc pk (b ;r) signals 1

  22. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 0 (r) = b’ such that f 1 (r) = b’ such that Enc (b’;r)’s 1 st bit is 0 Enc pk (b ;r) s 1 st bit is 0 Enc (b’;r)’s 1 st bit is 1 Enc pk (b ;r) s 1 st bit is 1

  23. “Full” RDM is impossible Full RDM is impossible pk f :circuit f 0 :circuit f :circuit f 1 :circuit f 1 (r) = b’ such that f 0 (r) = b’ such that Enc (b’;r)’s 1 st bit is 1 Enc pk (b ;r) s 1 st bit is 1 Enc (b’;r)’s 1 st bit is 0 Enc pk (b ;r) s 1 st bit is 0 Use randomness extractor to get signal bit

  24. Question: Can we get bounded RDM Question: Can we get bounded R M security? i.e. security against a priori bounded size RDM functions? size RDM functions?

  25. Our results Bounded circular RDM security • Theorem 1 : for any poly s, exists transformation s.t. circular secure circular secure any CPA against size s secure Enc RDM functions RDM functions transformation: Enc(m ; preprocess(r) ) transformation: Enc(m ; preprocess(r) ) r needs to be “long” r needs to be long • • We also show : black ‐ box barriers for proving RDM security if r is shorter than m proving RDM security if r is shorter than m

  26. Our results Bounded circular RDM security with “short” Bounded circular RDM security with short randomness Theorem 2 : For any poly s Theorem 2 : For any poly s, • • exists scheme that is circular secure against size s RDM functions RDM functions with arbitrary message and randomness length assuming lossy trapdoor function [PW08] assuming lossy trapdoor function [PW08]

  27. Thm1: Bounded circular RDM security from Thm1: Bounded circular RDM security from CPA/CCA

  28. Thm1: Bounded circular RDM security from Thm1: Bounded circular RDM security from CPA/CCA • View RDM as indirect randomness leakage View RDM as indirect randomness leakage • Idea: use CPA secure (Gen,Enc,Dec) and r “long” enough use CPA secure (Gen,Enc,Dec) and r long enough Enc pk (m ; preprocess(r) ) preprocess: randomness extraction

  29. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(seed,r) ) • Seeded extractors don’t work Seeded extractors don t work require seed and source independence! pk, seed f b

  30. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(r) ) • need deterministic extraction that works for need deterministic extraction that works for all s ‐ bounded leaked sources pk, extr f b

  31. f b : s ‐ bounded leakage function b s bou ded ea age u ct o r|f b (r): s ‐ “bounded leaked source” Enc pk (m ; extr(r) ) • need deterministic extraction that works for need deterministic extraction that works for all s ‐ bounded leaked sources We show: Deterministic extraction Lemma for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded leaked sources with high min ‐ entropy f b (r),h(r) ≈ f b (r),U

  32. We show: Deterministic extraction Lemma for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded leaked sources with high min ‐ entropy f b (r),h(r) ≈ f b (r),U TV00: Deterministic extraction Lemma for bounded samplable sources bounded samplable sources w.h.p h ← t ‐ wise ind. hash, for all s ‐ bounded samplable sources X with for all s bounded samplable sources X with high min ‐ entropy h(X) ≈ U h(X) ≈ U

  33. Bounded circular RDM security • For any poly s y p y circular secure circular secure any CPA against size s secure Enc RDM functions RDM functions Enc(m ; hash t wise indep (r) ) Enc(m ; hash t ‐ wise indep (r) ) ‐ In paper : black ‐ box barriers for In paper : black box barriers for proving RDM security on a falsifiable assumption if r is shorter than m is shorter than m

  34. Bounded circular RDM security with “short” randomness?

  35. Thm2: Bounded circular RDM security with arbitrary message and randomness length with arbitrary message and randomness length from lossy trapdoor function (LTDF)

  36. Hedged Encryption [BBNRSSY09] g yp [ ] secure w.r.t. RDM functions don’t depend on pk ‐ from lossy trapdoor functions (LTDF) from lossy trapdoor functions (LTDF) crooked LHL [DS08] k d LHL [DS08] f b r pk For all sources X with high min ‐ entropy with high min entropy Enc and functions with invertible small range f small range f pairwise f(h(X)) ≈ f(U) independent p permutation works only when h X and h are X and h are independent

  37. We show: Crooked det. ext. for bounded leaked sources w.h.p h ← t ‐ wise ind. hash, h h ← t i i d h h for all bounded leaked sources X with high min ‐ entropy and functions with small range f d f ti ith ll f f(h(X)) ≈ f(U) f b r pk Enc t ‐ wise independent p h

  38. f f b r r pk pk Enc Enc t ‐ wise independent p h permutation ? p Invertible? open problem open problem Almost t ‐ wise doesn’t suffice

  39. f f b r r pk pk E Enc’ ’ t ‐ wise independent h Instead we modify scheme so that we don’t need permutation => can use standard polynomial construction, invert with Berlekamp algorithm

Recommend

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and

Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and

Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and why? Key-dependent message (KDM) security As IND, but with special encryption oracle Real game: O(F) = ENC SK ( F(SK) ) Random

272 views • 4 slides
Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems Andr e Nies CCC 2015, Kochel am See 1/1 Di ff erentiability Di ff erentiability of a function f at a real z means that the rate of change

1.19k views • 108 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and Probability Theory Review April 4th, 2017 Randomness and the Universe Randomness and the Universe Does the universe have true randomness?

693 views • 52 slides
Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Quick Guide to the Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit will help us comply with regulatory requirements and control costs by confirming that only eligible dependents receive coverage

506 views • 6 slides
Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying polynomial identities Probability Amplification Probability Review Sofya Raskhodnikova 1/21/2020 Sofya Raskhodnikova;Randomness in Computing

348 views • 21 slides
Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &

Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &

Pre-processing and non-randomness Baroni & Evert Pre-Processing Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni & Stefan Evert M alaga, 11 August 2006 Outline Pre-processing and

879 views • 55 slides
Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi MIT/UC Berkeley University of Michigan Presented in QIP14 as plenary talk (joint with [MS14]) 1 Randomness Randomness is a vital resource

391 views • 17 slides
Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Beyond arithmetic Higher randomness ITTM and randomness Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr eteil 5 May 2017 Algorithmic randomness Beyond arithmetic Higher

771 views • 64 slides
CDLG PATHS The notion of REGULAR SOLUTION for a path dependent PDE (1) needs to deal with

CDLG PATHS The notion of REGULAR SOLUTION for a path dependent PDE (1) needs to deal with

Introduction Path dependent second order PDEs Martingale problem for second order elliptic differential operators with path dependent coefficients Time consistent dynamic risk measures P ATH - PEPENDENT PARABOLIC PDE S AND P ATH - DEPENDENT F

832 views • 43 slides
Why Dependent Origination? So what is dependent origination? Dependent on ignorance, there

Why Dependent Origination? So what is dependent origination? Dependent on ignorance, there

Why Dependent Origination? So what is dependent origination? Dependent on ignorance, there are willed acts. Dependent on willed acts, there is consciousness. Dependent on consciousness, there are the mental aspects and form of a

650 views • 27 slides
Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1 Zeros of univariate random polynomials p : C C and potential theory; recent results of Bloom-Dauvergne 2 Random polynomials p : C 2 C and

585 views • 42 slides
CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

Administrativia and Syllabus Why Randomness? Randomness in Computer Science CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1. Introduction to Randomness CS 574: Randomized Algorithms

1.23k views • 61 slides
The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for

The power and weakness of randomness (when you are short on time) Avi Wigderson Institute for Advanced Study Plan of the talk Computational complexity -- efficient algorithms, hard and easy problems, P vs. NP The power of randomness

284 views • 24 slides
Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg Schaathun Hgskolen i lesund 14th February 2017 1 Randomness 1. What is randomness? 2 Randomness 1. What is randomness? 2. How do we

590 views • 22 slides
Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL

Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL

Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL Applications of LLL Today Markov chains 4/21/2020 Sofya Raskhodnikova;Randomness in Computing; based on slides by Baranasuriya et al.

538 views • 24 slides
Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on

Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on

Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on graphs Algorithm for - -PATH Today Sublinear algorithms Differential privacy 4/29/2020 Sofya Raskhodnikova;Randomness in

873 views • 34 slides
Computability, Complexity and Randomness 2016 Permutations of the integers do not induce

Computability, Complexity and Randomness 2016 Permutations of the integers do not induce

Computability, Complexity and Randomness 2016 Permutations of the integers do not induce nontrivial automorphisms of the Turing degrees Bjrn Kjos-Hanssen June 25, 2015 Computability, Complexity and Randomness , University of Heidelberg

770 views • 28 slides
Caract erisations de lal eatoire par les jeux: impr edictibilit e et stochasticit

Caract erisations de lal eatoire par les jeux: impr edictibilit e et stochasticit

Introduction The effective randomness zoo Randomness and complexity Randomness for computable measures Caract erisations de lal eatoire par les jeux: impr edictibilit e et stochasticit e. Laurent Bienvenu sous la direction

1.71k views • 138 slides
Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid Randomness: An Important Tool of Our

394 views • 35 slides
Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 ,

Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 ,

Curry-Howard Axiom of Dependent Choice Sequent calculus State of the art Toward dependent choice: a classical sequent calculus with dependent types Hugo Herbelin 1 , Etienne Miquey 1,2 1 Team r 2 (INRIA), PPS, Universit e

404 views • 24 slides
Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April

Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April

Introduction Complexity of sets Algorithmic randomness Beyond arithmetic Higher randomness Topological differences Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April 2014 Introduction Complexity

767 views • 75 slides

More recommend