Symmetric Encryption via Keyrings and ECC

Ronald L. Rivest, Institute Professor, MIT, Cambridge, MA. ArcticCrypt, 2016-07-18.

Outline: Motivation Simplifying Crypto Key Updates Keyring (Bag of Words) Model Incremental Key Updates Keyring


  2. Keyword Matching Game ($\equiv$ RSV with $n = 1$)
     ◮ Alice and Bob agree on a strategy.
     ◮ Alice is given an arbitrary keyring $A$.
     ◮ Bob is given an arbitrary keyring $B$.
     ◮ They are told sizes of $A$, $B$, $A \cap B$, $A \cup B$, $U$.
     ◮ They are given the same random nonce $N$.
     ◮ Alice and Bob separately each pick one element from their keyrings.
     ◮ What is the maximum probability that they pick the same element, using optimal strategy?

  4. Simplest interesting example
     Alice sees: $|A| = 2$, $|A \cap B| = 1$, $|B| = 2$, $|U| = 3$
     CAT DOG RAT
     $N = 3762134912$
     Should Alice pick CAT or DOG?

  5. Simplest interesting example
     Bob sees: $|A| = 2$, $|A \cap B| = 1$, $|B| = 2$, $|U| = 3$
     CAT DOG RAT
     $N = 3762134912$
     Should Bob pick DOG or RAT?

  7. Simplest interesting example
     $|A| = 2$, $|A \cap B| = 1$, $|B| = 2$, $|U| = 3$
     CAT DOG RAT
     $N = 3762134912$
     Should Alice pick CAT or DOG? Should Bob pick DOG or RAT?
     Agree with prob 1/4? 1/3? 1/2?...

  9. Keyword Matching Game – Random Strategy
     ◮ If Alice and Bob make their choices independently at random, then they match with probability $|A \cap B| / (|A|\,|B|)$.
     ◮ (Pretty small, especially when $A$ and $B$ are large.)

  13. Keyword Matching Game for $|A \cap B| = 1$
      Brute-force searches for optimal strategies (surprisingly) suggested the following
      Theorem. When $|A \cap B| = 1$ and $A \cup B = U$ the optimum match probability is at least $1 / \max(|A|, |B|)$.
      Proof: (at end). □
      Exercise: Find such an optimal strategy for our example that matches with probability $1/2$.
      But $|A \cap B| = 1$ and $A \cup B = U$ are unrealistic...

  15. Jaccard Index of Similarity
      ◮ The Jaccard similarity coefficient $J(A, B)$ measures the similarity of two sets $A$ and $B$: $J(A, B) = \frac{|A \cap B|}{|A \cup B|}$.
      ◮ It can be estimated using the MinHash method (Broder 1997): Construct $n$ random hash functions mapping elements to real values. Compute the fraction $f$ of them having the same minimum in $A$ as in $B$. Then $E(f) = J(A, B)$.

  18. Keyword Matching Game via MinHash
      Theorem. Alice and Bob can always win with probability at least $p = J(A, B) = |A \cap B| / |A \cup B|$.
      Proof.
      ◮ Initially, Alice and Bob agree on a random hash function $h$.
      ◮ They each pick their keyword with minimum hash-value.
      ◮ They win if one of their shared keywords has the smallest hash value in both sets.
      Conjecture: The MinHash strategy is optimal for $|A \cap B| > 1$.

  21. Resilient Set Vectorization (RSV)
      Alice iterates the MinHash method (with $n$ random hash functions), to create a keyword vector $W = \phi(A, n, N) = (W_1, W_2, \ldots, W_n)$ of some desired length $n$.
      Bob (using same hashes) similarly creates a keyword vector $W'$.
      Let $z$ denote the number of positions in which $W$ and $W'$ agree, and let $p = J(A, B)$. Then (under ROM) $z \sim \mathrm{Bin}(n, p)$, so $E(z) = np$ and $\sigma(z) = \sqrt{np(1 - p)}$.
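The RSV construction above, as an added Python example that is not part of the original slides. It assumes the n random hash functions are modelled by SHA-256 over (nonce, index, keyword); the keyrings are constructed so that J(A, B) = 0.90 and J(A, Q) = 0.25.

```python
import hashlib

def h(i: int, nonce: int, word: str) -> int:
    """i-th hash function, modelled (as an assumption) by SHA-256 over (nonce, i, word)."""
    data = f"{nonce}|{i}|{word}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def phi(keyring: set, n: int, nonce: int) -> list:
    """RSV: W_i is the keyword in `keyring` with the smallest i-th hash value."""
    return [min(keyring, key=lambda w: h(i, nonce, w)) for i in range(1, n + 1)]

def jaccard(a: set, b: set) -> float:
    """J(A, B) = |A n B| / |A u B|."""
    return len(a & b) / len(a | b)

def agreements(a: set, b: set, n: int, nonce: int) -> int:
    """z = number of positions where phi(a) and phi(b) hold the same keyword."""
    return sum(x == y for x, y in zip(phi(a, n, nonce), phi(b, n, nonce)))

# Constructed keyrings: 360 shared keywords plus 20 private ones on each side.
SHARED = {f"shared-{j}" for j in range(360)}
A = SHARED | {f"alice-{j}" for j in range(20)}
B = SHARED | {f"bob-{j}" for j in range(20)}
Q = set(sorted(A)[:95])      # an adversary holding a quarter of Alice's keyring
N = 3762134912               # nonce value reused from the slides' small example

if __name__ == "__main__":
    n = 256
    print("J(A,B) =", jaccard(A, B), " z  =", agreements(A, B, n, N))
    print("J(A,Q) =", jaccard(A, Q), " z' =", agreements(A, Q, n, N))
```

Position i agrees exactly when the keyword with the minimum i-th hash over the union lies in the intersection, which is why z concentrates around n times J.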

  23. Security Analysis Setup
      Suppose we can arrange things so that Bob can always decrypt Alice’s ciphertext if $z \ge 3n/4$.
      Suppose further we can arrange things so that the Adversary can’t decrypt Alice’s ciphertext if the number $z'$ of positions of $W$ it knows (or guesses) correctly satisfies $z' < n/2$.

  28. Analysis–for the good guys
      ◮ Suppose Alice and Bob have $p = J(A, B) = 0.90$.
      ◮ Alice encrypts a message to Bob using $\phi(A, n, N)$ as a key, where $n = 256$.
      ◮ Bob’s vector $\phi(B, n, N)$ agrees with $\phi(A, n, N)$ in $z$ positions.
      ◮ If $z \ge 192$, Bob can decrypt the message.
      ◮ Bob fails to decrypt with near-zero probability: $\mathrm{Prob}(z < 192) = 1.5 \times 10^{-12}$.

  33. Analysis–for the Adversary
      ◮ Suppose Adversary knows (or guesses) $Q$, a set of $1/4$ of Alice’s keyring $A$, so $p' = J(A, Q) = 0.25$.
      ◮ Alice encrypts a message to Bob using $\phi(A, n, N)$ as a key; Adversary overhears ciphertext.
      ◮ Adversary’s vector $\phi(Q, n, N)$ agrees with Alice’s in $z'$ positions.
      ◮ If $z' \ge 128$, Adversary can decrypt message.
      ◮ But Adversary fails almost certainly, since $\mathrm{Prob}(z' \ge 128) = 7.5 \times 10^{-18}$.

  36. Error Correction
      ◮ An $(n, k)$ Reed-Solomon code has $k$ information symbols and codewords of length $n$.
      ◮ Bob can efficiently correct up to $(n - k)/2$ errors and always obtain a unique decoding.
      ◮ With list decoding Adversary can efficiently correct up to $(n - k)$ errors (and obtain a small number of possible decodings).
      [Figure labels: $k$, $n - k$]
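Read together with the analysis slides, the Reed-Solomon bounds explain the two thresholds: with $k = n/2$, unique decoding of up to $(n - k)/2$ errors gives Bob's $z \ge 3n/4$, and list decoding of up to $n - k$ errors gives the Adversary's $z' \ge n/2$. The added Python example below (not from the slides) computes both binomial tails exactly for $n = 256$, $k = 128$; the $10^{-9}$ failure target in `min_jaccard_for_bob` is a hypothetical design target chosen for illustration.

```python
from fractions import Fraction
from math import comb

def tail_ge(n: int, p: Fraction, t: int) -> Fraction:
    """Exact Prob(z >= t) for z ~ Bin(n, p)."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(t, n + 1))

def thresholds(n: int, k: int) -> tuple:
    """Minimum agreeing positions for (Bob, Adversary) with an (n, k) Reed-Solomon code.

    Bob decodes uniquely with at most (n - k) / 2 wrong positions; the Adversary,
    using list decoding, copes with up to n - k wrong positions.
    """
    return n - (n - k) // 2, n - (n - k)

def analyse(n: int, k: int, p_bob: Fraction, p_adv: Fraction) -> tuple:
    """(Prob Bob fails to decrypt, Prob Adversary can decrypt) as floats."""
    z_min, z_adv = thresholds(n, k)
    return float(1 - tail_ge(n, p_bob, z_min)), float(tail_ge(n, p_adv, z_adv))

def min_jaccard_for_bob(n: int, k: int, max_fail: Fraction = Fraction(1, 10**9)):
    """Smallest J(A, B), in steps of 0.01, keeping Bob's failure rate <= max_fail."""
    z_min, _ = thresholds(n, k)
    for pct in range(1, 100):
        p = Fraction(pct, 100)
        if 1 - tail_ge(n, p, z_min) <= max_fail:
            return p
    return None

if __name__ == "__main__":
    print(thresholds(256, 128))
    print(analyse(256, 128, Fraction(9, 10), Fraction(1, 4)))
    print(min_jaccard_for_bob(256, 128))
```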

  46. Keyring proposal for encrypting $M$ with keyring $A$
      [Diagram; labels: $K_1 \ldots K_k$, $M$, $A$, ECC, AE, $N_3$, RSV, $N_1$, $X_1 \ldots X_n$, $C$, $T$, $W_1 \ldots W_n$, $E$, $N_2 + 1 \ldots N_2 + n$, $Y_1 \ldots Y_n$]
      Alice sends $(N_1, N_2, N_3)$, $Y$, $C$, and $T$.

  50. Compute nonces, $K$, $C$, $T$
      ◮ Choose random nonces $N_1$, $N_2$, $N_3$.
      ◮ Choose $n$ and $k$ (e.g. $n = 256$, $k = 128$) and byte size ($GF(2^8)$).
      ◮ Choose random $k$-byte message key $K_1, \ldots, K_k$ (aka “vault contents”).
      ◮ Encrypt message $M$ with key $K$ and nonce $N_3$ using an authenticated encryption method to obtain ciphertext $C$ and authentication tag $T$.

  54. Compute $W$, $X$, and $Y$
      ◮ Compute keyword vector $W = \phi(A, n, N_1)$.
      ◮ Reed-Solomon-encode key to give $n$-byte encoded key $X_1, \ldots, X_n$.
      ◮ Use each keyword vector element $W_i$ as key to encrypt each encoded key byte $X_i$: $Y_i = E(W_i, X_i, N_2 + i)$ (use a small-domain tweakable encryption method like “swap-or-not” (Hoang-Morris-Rogaway14)).
      ◮ Send $(N_1, N_2, N_3)$, $Y$, $C$, $T$.
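The $X$ and $Y$ steps above, as an added Python example that is not code from the slides. It narrows the scheme to key wrapping only (no authenticated encryption, no Reed-Solomon decoding) and shows that Bob's unwrapped bytes are wrong only where his keyword differs from Alice's. Assumptions: evaluation-form Reed-Solomon at points 0..n-1 over GF(2^8) with polynomial 0x11B, a 32-round swap-or-not style byte cipher whose round key and round function are derived with SHA-256, and constructed keyword vectors.

```python
import hashlib

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11B, an assumed polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def rs_encode(key: bytes, n: int) -> bytes:
    """Evaluation-form Reed-Solomon: X_i is the key polynomial at point i - 1."""
    out = []
    for x in range(n):
        y = 0
        for coeff in reversed(key):          # Horner's rule
            y = gf_mul(y, x) ^ coeff
        out.append(y)
    return bytes(out)

def prf(word: str, tweak: int, rnd: int, label) -> int:
    """One pseudorandom byte; SHA-256 stands in for the round function (assumed)."""
    return hashlib.sha256(f"{tweak}|{rnd}|{label}|{word}".encode()).digest()[0]

def E(word, x, tweak, inverse=False, rounds=32) -> int:
    """Swap-or-not style byte cipher keyed by a keyword; every round is an involution."""
    for rnd in (range(rounds - 1, -1, -1) if inverse else range(rounds)):
        partner = x ^ prf(word, tweak, rnd, "k")
        if prf(word, tweak, rnd, max(x, partner)) & 1:
            x = partner
    return x

def wrap(X: bytes, W: list, n2: int, inverse: bool = False) -> bytes:
    """Y_i = E(W_i, X_i, N2 + i); inverse=True maps Y_i back to X_i."""
    return bytes(E(w, x, n2 + i, inverse) for i, (w, x) in enumerate(zip(W, X), 1))

# Constructed inputs: k = 128 key bytes, n = 256 keywords, Bob wrong in 50 positions.
K = bytes(range(128))
W_ALICE = [f"kw{i % 97}" for i in range(256)]
W_BOB = [f"other{i}" if i % 5 == 0 and i < 250 else w for i, w in enumerate(W_ALICE)]
N2 = 1000

def demo():
    """Return Alice's X and the number of byte errors Bob sees after unwrapping."""
    X = rs_encode(K, 256)
    X_bob = wrap(wrap(X, W_ALICE, N2), W_BOB, N2, inverse=True)
    return X, sum(a != b for a, b in zip(X, X_bob))
```

With 50 mismatched keywords Bob sees at most 50 byte errors, within the $(n - k)/2 = 64$ that unique decoding corrects; in practice $K$ would be random rather than the fixed bytes used here.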

  56. Decrypting $(N_1, N_2, N_3)$, $Y$, $C$, $T$ with keyring $B$
      [Diagram; labels: $B$, RSV, $N_1$, $C$, $T$, $W'_1 \ldots W'_n$]
      Bob receives $(N_1, N_2, N_3)$, $Y$, $C$, and $T$.
