somewhat non committing encryption and efficient
play

Somewhat Non-Committing Encryption and Efficient Adaptively Secure - PowerPoint PPT Presentation

Mar 21, 2024 •412 likes •789 views

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009 Outline Background New Approach

  1. Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009

  2. Outline � Background � New Approach to Adaptive Security � Application: Efficient and Adaptively Secure Oblivious Transfer 2 Garay, Wichs and Zhou

  3. Our Mission: “Strong” Security � Protocols that withstand wide variety of adversarial attacks � The simulation paradigm [GMW’87]; arbitrary environments (Universal Composability [Canetti’01]) � Static vs. Adaptive security • Corruptions before computation starts vs. on-the-fly • Adaptive security models: Erasure vs. Non-Erasure 3 Garay, Wichs and Zhou

  4. Our Mission: “Strong” Security � Protocols that withstand wide variety of adversarial attacks � The simulation paradigm [GMW’87]; arbitrary environments (Universal Composability [Canetti’01]) � Static vs. Adaptive security • Corruptions before computation starts vs. on-the-fly • Adaptive security models: Erasure vs. Non-Erasure 4 Garay, Wichs and Zhou

  5. “Strong” Security: Partial History � Feasibility results: Possible to design adaptively secure UC protocols for almost any task, assuming some trusted setup (e.g., CRS) [CLOS’02] � Alternative efficient approaches by sacrificing some aspect of security [DN’03, KO’04, GMY’04, DI’05, JS’07, LP’07, Lindell’09, …] • static UC security • adaptive UC security in the erasure model • adaptive UC security for honest majority • …. 5 Garay, Wichs and Zhou

  6. “Strong” Security: Partial History ( cont’d ) � Adaptive UC security can be achieved efficiently, given an efficient adaptively secure string-OT protocol [IPS’08] 6 Garay, Wichs and Zhou

  7. Our Results � Efficient (constant-round, constant public-key op’s per bit) adaptively UC secure bit- and string-OT protocols based on standard number-theoretic assumptions � “Semi-Adaptive” security for two-party tasks • Not allowed: Both parties start out honest and then become corrupted � Compilers: Semi-Adaptive security ⇨ Adaptive security � Secure channels (“fully equivocal;” non-committing encryption) � “Somewhat equivocal” channels � Somewhat Non-Committing Encryption • Limited “equivocation,” much more efficient! 7 Garay, Wichs and Zhou

  8. Simulation Paradigm: UC Security [Canetti’01]: Universal Composition ≈ Alice Bob Alice Bob Alice Bob Alice Bob REAL IDEAL Definition: protocol is a secure realization of task if: For every real-world adversary There exists an ideal-world adversary (simulator) Two worlds indistinguishable to all environments 8 Garay, Wichs and Zhou

  9. Why is adaptive security hard? � No constant round adaptively secure general 2-PC or MPC protocol is known � Adaptive security hard even for basic tasks like “secure channels” � Basic public-key encryption is not enough. 9 Garay, Wichs and Zhou

  10. Why is adaptive security hard? Example: Secure Channel pk m m m m C sender receiver sender receiver sender receiver sender receiver Compute Generate key C = Enc pk (m) pair (pk,sk) REAL IDEAL Uh oh… I’m busted! Compute How do I explain C as an m = Dec sk (C) encryption of m? Static security can be achieved based on Encryption 10 Garay, Wichs and Zhou

  11. Why is adaptive security hard? � No constant round adaptively secure general 2-PC or MPC protocol is known � Adaptive security hard even for basic tasks like “secure channels” � Basic public-key encryption is not enough. � Extend encryption to Non-Committing Encryption [CFGN’96] � Simulator can run a “fake” encryption protocol to produce a ciphertext, and later explain the ciphertext as an encryption of some arbitrarily chosen plaintext � Done bit by bit [Beaver’97, DN’00] � Very expensive for encrypting long message: O (1) public key operations per bit of message 11 Garay, Wichs and Zhou

  12. Outline � Background � New Approach to Adaptive Security � Application: Efficient and Adaptively Secure Oblivious Transfer 12 Garay, Wichs and Zhou

  13. Previous Approach to Adaptive Security [CLOS’02] for multi-party tasks [CDMW’09] for oblivious transfer Adaptive Malicious Compiler Semi-Honest Static How? Use expensive generic zero-knowledge proofs or cut-and-choose techniques 13 Garay, Wichs and Zhou

  14. New Approach to Adaptive Security This work: two-party tasks Adaptive Malicious New compiler Semi-Adaptive Semi-Honest Static 1, Introduce Semi-Adaptive Security 2, Develop a new compiler 14 Garay, Wichs and Zhou

  15. Semi-Adaptive Security for 2-Party Tasks Adversary Case 1: If no party is corrupted at the very beginning, then the adversary can’t corrupt any parties. Case 2: If there is a party corrupted at the very beginning, then the other party can be corrupted adaptively. Missing case: If no party is corrupted at the very beginning, either party (or both) can be corrupted during the protocol execution. Simulator (Ideal World Adversary) Trusted setup can be simulated without knowing which party is corrupted. Take care of the corruptions in Cases 1 and 2. 15 Garay, Wichs and Zhou

  16. Semi-Adaptive Security: Simulator Case 2 : If there is a party corrupted at the beginning, then the other party can be corrupted adaptively. Alice Bob Alice Bob Alice Bob Alice Bob 16 Garay, Wichs and Zhou

  17. Semi-Adaptive Security: Simulator Case 2 : If there is a party corrupted at the beginning, then the other party can be corrupted adaptively. Alice Bob Alice Bob Alice Bob Alice Bob 17 Garay, Wichs and Zhou

  18. Compiler #1 � Conceptually simple: Use secure channels to protect communication transcripts between parties. � Theorem : A semi-adaptively secure two-party protocol with communication protected by secure channels is fully adaptively secure. 18 Garay, Wichs and Zhou

  19. Proof Idea Alice Bob Alice Bob Alice Bob Alice Bob 19 Garay, Wichs and Zhou

  20. -Equivocal Channel: Much Cheaper! An -equivocal A secure channel leaks channel leaks much more info very little info 20 Garay, Wichs and Zhou

  21. Compiler #2 � New compiler: Use -equivocal channels to protect protocol communication � Theorem : A semi-adaptively secure protocol for function with communication protected by -equivocal channels is fully adaptively secure. Here � Very efficient with small input/output sizes (e.g., bit-OT) � Proof idea: Communication between honest parties can be explained as any one of the possible “protocol executions” that may have occurred. 21 Garay, Wichs and Zhou

  22. Proof Idea Alice Bob Alice Bob Alice Bob Alice Bob 22 Garay, Wichs and Zhou

  23. -Equivocal Channel: Implementation 23 Garay, Wichs and Zhou

  24. Outline � Background � New Approach to Adaptive Security � Application: Efficient and Adaptively Secure Oblivious Transfer 24 Garay, Wichs and Zhou

  25. 1-out-of-2 Oblivious Transfer [Rabin’81, EGL’85,Crepau’87] is x 0 chosen? what is x 1 ‐ σ ? or x 1 ? input bit input bits input bit input bits σ (x 0 ,x 1 ) σ (x 0 ,x 1 ) sender receiver sender receiver output bit x σ output bit x σ 25 Garay, Wichs and Zhou

  26. Why OT? � OT is the cornerstone of secure computation [Yao’82,GMW’87,...,CLOS’02,...] � OT is complete [Kilian’88] � Founding secure computation on OT efficiently [IPS’08] � No efficient adaptively UC-secure OT until recently (comparison later) 26 Garay, Wichs and Zhou

  27. PVW OT (Malicious+Static Adversary) [PVW’08] � Underlying building block: Dual Mode Encryption � First truly efficient OT against malicious and static adversaries in the UC framework � How to defend against adaptive adversaries? 27 Garay, Wichs and Zhou

  28. Our Approach to Adaptively Secure OT � Step 1: Make PVW OT Semi-Adaptively Secure � Extend Dual Mode Encryption to support adaptive security: Enhanced Dual Mode Encryption � Change the CRS setup to be simulated without knowing which party is corrupted � Coin-tossing protocol 28 Garay, Wichs and Zhou

  29. Use Enhanced Dual Mode Encryption 29 Garay, Wichs and Zhou

  30. Use coin-tossing protocol to obtain the CRS for enhanced PVW 30 Garay, Wichs and Zhou

  31. Such coin tossing protocol is based on a CRS which can be simulated without knowing which party is corrupted 31 Garay, Wichs and Zhou

  32. Garay, Wichs and Zhou 32

  33. Our Approach to Adaptively Secure OT � Step 1: Improve PVW OT to be Semi-Adaptively Secure � Step 2: � Use an equivocal channel to protect the communication. Equivocality parameter is 33 Garay, Wichs and Zhou

  34. Garay, Wichs and Zhou 8-equivocal channel 34

  35. Comparison with [CDMW’09] Assumptions: [CDMW’09]: general Ours: DDH and DCR Efficiency: No. of public-key string-OT ( n bits ) bit-OT operations [CDMW’09] Ours: based on Secure Channel Ours: based on Equivocal Channel 35 Garay, Wichs and Zhou

  36. Somewhat full version available at eprint.iacr.org/2008/534 Thanks! 36 Garay, Wichs and Zhou

Recommend

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Efficient Ring-LWE Encryption on 8-bit AVR Processors . Zhe Liu 1 Hwajeong Seo 2 Sujoy Sinha Roy

Efficient Ring-LWE Encryption on 8-bit AVR Processors . Zhe Liu 1 Hwajeong Seo 2 Sujoy Sinha Roy

Short Overview Ring-LWE Encryption Scheme Our Implementation Implementation Results Conclusion . Efficient Ring-LWE Encryption on 8-bit AVR Processors . Zhe Liu 1 Hwajeong Seo 2 Sujoy Sinha Roy 3 adl 1 Howon Kim 2 Ingrid Verbauwhede 3

1.4k views • 102 slides
Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu,

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu, and Lin Lyu 1. Shanghai Jiao Tong University 2. State Key Laboratory of Cryptology 3. Westone Cryptologic Research Center Asiacrypt 2016, Hanoi,

950 views • 73 slides
Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo, and Javier Lopez Network, Information and

929 views • 38 slides
Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee Chonbuk National University, Republic of Korea June 14, 2019@ Workshop on Modern Trends in Cryptography Table of contents 1. Introduction 2.

537 views • 25 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David Derler , Tibor Jager , Daniel Slamanig , Christoph Striecks May 3, 2018E urocrypt 2018, Tel Aviv, Israel Key Establishment

1k views • 46 slides
An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay anjay Madr adria ia Prof ofes essor or and and Sit ite e Dir irect ector or for or NS NSF F I/UC UCRC Cent enter er on on Net

634 views • 30 slides
Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Institute for Infocomm Research (I2R),

1.04k views • 15 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

838 views • 46 slides
Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos David Kp Etemad Papamanthou Evans Efficient Dynamic Searchable Encryption with Forward Privacy Etemad, Kp , Papamanthou, Evans, PETS

1.57k views • 90 slides
BatchCrypt: Efficient Homomorphic Encryption for Cross-Silo Federated Learning Chengliang Zhang

BatchCrypt: Efficient Homomorphic Encryption for Cross-Silo Federated Learning Chengliang Zhang

BatchCrypt: Efficient Homomorphic Encryption for Cross-Silo Federated Learning Chengliang Zhang , Suyi Li, Junzhe Xia, Wei Wang, Feng Yan, Yang Liu* Hong Kong University of Science and Technology University of Nevada, Reno

744 views • 26 slides
LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent

638 views • 27 slides
sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access

sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access

spcl.inf.ethz.ch @spcl_eth Konstantin Taranov, Benjamin Rothenberger, Adrian Perrig, Torsten Hoefler sRDMA Efficient NICbased Authentication and Encryption for Remote Direct Memory Access spcl.inf.ethz.ch @spcl_eth RDMA networking is

2.47k views • 30 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

843 views • 26 slides
Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non Committing Encryption Chunhua Su*, Tadashi Araragi $ , Takashi Nishide *, Kouichi Sakurai* *Department of Computer Science and Communication

260 views • 6 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
SELF-COMMITTING IN SPP MARKETS OVERVIEW, IMPACTS, AND RECOMMENDATIONS Helping our members work

SELF-COMMITTING IN SPP MARKETS OVERVIEW, IMPACTS, AND RECOMMENDATIONS Helping our members work

SELF-COMMITTING IN SPP MARKETS OVERVIEW, IMPACTS, AND RECOMMENDATIONS Helping our members work together to keep SPPorg southwest-power-pool SouthwestPowerPool the lights on... today and in the future. OUTLINE Opening remarks

483 views • 21 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Addressing some of the feedback from investors around their key issues Committing to regular

Addressing some of the feedback from investors around their key issues Committing to regular

Based on the initial findings of ongoing review of operations Addressing some of the feedback from investors around their key issues Committing to regular updates on progress not a static process. Today: Initial findings Focus on

1.36k views • 98 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides

More recommend