Transcript Slide 1

Forward-Security in the Limited
Communication Model
Stefan Dziembowski
Warsaw University
and
CNR Pisa
This talk
Brief introduction to the
Limited Communication Model.
The talk is mostly based on the following papers:
[D06a] S. Dziembowski, Intrusion-Resilience via the Bounded-Storage Model, TCC 2006
[D06b] S. Dziembowski, On Forward-Secure Storage, accepted to CRYPTO 2006
Idea of the Limited Communication
Model
Main idea:
Construct cryptographic protocols where the secrets are so large that they cannot be efficiently stolen.
(details follow)
Plan
1. Motivation and Introduction
2. Protocols for
   - session-key generation
   - entity authentication
   - secure storage
3. Connections to other areas
Disclaimer
New area, work in progress!!!
Setup:
The adversary installs a virus on the user's machine and learns the secret key K that the user uses to authenticate with the bank.
Afterwards, the adversary can impersonate the user!
Question
Can cryptography prevent such an
attack?
Can we prevent this attack?
If we have trusted hardware, then this attack is preventable.
This hardware can be e.g.:
- a token
- a list of one-time passwords
Note that human-memorized passwords don't help (because the virus can record the key-strokes).
Assume there is no trusted hardware
(trusted hardware is costly and not easy to use).
Can we have any security in this case?
Looks quite hopeless...
(If the adversary can take control of our machine, then she can do whatever she wants.)
The contribution of [D06a]
We propose a cheap method that makes
the task of the adversary significantly
harder
Idea:
Make the secret key K so large that the
adversary cannot retrieve it.
We consider:
- entity authentication
- session-key generation
The model (1/3)
We assume that:
- the secret key K is stored on a machine which can be infected by a virus;
- the virus can perform an arbitrary computation on K, but the output U of this computation is shorter than K: she can retrieve only U.
The model (2/3)
As long as the machine is infected, the virus
has full control over it.
We want to have security in the periods
when the virus is not controlling the
machine:
This is called: intrusion resilience.
We assume that the virus cannot modify
the data on the machine.
The model (3/3)
What else can the adversary do?
She can perform active attacks: eavesdrop,
substitute and fabricate messages.
A tool: Bounded Storage Model
It turns out that this is related to the
Bounded Storage Model (BSM) [Maurer
1992]
In the BSM the security of the protocols is
based on the assumption that one can
broadcast more bits than the
adversary can store.
The computing power of the adversary
may be unlimited!
Some cryptographic tools
Symmetric encryption
A key generation algorithm gives Alice and Bob the same secret key K.
Alice sends the ciphertext C = Encr(K, M); Bob recovers the message M = Decr(K, C).
Eve observes C, but should learn nothing about M.
Indistinguishability
What does it mean that Eve has no information about M?
To say "she cannot guess M" is not enough...
Consider the following game:
1. The adversary A selects messages M0, M1 and sends them to the oracle.
2. The oracle selects a random bit b and a random key K, and sends C = Encr(K, Mb) to the adversary.
3. The adversary has to guess b.
One-time pad encryption
Disadvantage: the key is as long as the message!
[Shannon 1949]: this is optimal unless we limit the power of the adversary in some way.
Message Authentication Codes
Observation: encryption does not guarantee integrity of a message (example: one-time pad).
To ensure integrity one has to use MACs (message authentication codes).
Alice and Bob share a key K. Alice sends (M, MAC(K, M)); Bob verifies the MAC and accepts M only if the tag is correct.
Eve can modify the transmitted messages, but cannot produce a valid MAC herself.
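The slides leave the MAC abstract; as a concrete stand-in, here is a sketch using HMAC-SHA256 from the Python standard library:

```python
import hmac, hashlib, secrets

def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 as a concrete MAC.
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids timing side channels.
    return hmac.compare_digest(mac(key, msg), tag)

K = secrets.token_bytes(32)
msg = b"transfer 100 to Bob"
tag = mac(K, msg)

assert verify(K, msg, tag)                         # genuine message accepted
assert not verify(K, b"transfer 100 to Eve", tag)  # modified message rejected
```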
Public key encryption
A key generation algorithm gives Bob a public key e and a secret key d; Alice knows e.
Alice sends the ciphertext C = Encr(e, M); Bob recovers the message M = Decr(d, C).
Eve sees e and C, but should learn nothing about M.
How to limit the power of the adversary
- Classical cryptography: limit the adversary to poly-time.
  Disadvantage: we don't know how to prove any security here.
- Information-theoretic cryptography: assume
  - quantum communication,
  - bounded storage, or
  - noisy channels.
  Advantage: provable security!
The Bounded-Storage Model (BSM)
Alice and Bob share a short initial key Y.
A huge random string, the randomizer R, is broadcast:
000110100111010010011010111001110111...
and then disappears.
The adversary can perform any computation on R, but the result U = h(R) has to be much smaller than R.
Alice and Bob derive X = f(R, Y).
Eve, knowing only U = h(R), shouldn't be able to distinguish X from random.
Power of the adversary
Note:
The only resource that we bound is
memory.
The computing power is unlimited!
BSM – previous results
Several key-expansion functions f were
proven secure [DR02, DM04b, Lu04,
Vad04].
Of course their security depends on the
bound on the memory of the adversary.
We call a function f s-secure if it is secure against an adversary that has memory of size s.
The scheme of [DM02]
(Figure: a large random bit-string R; the initial key Y selects positions in R, and the selected bits are XORed together to produce the derived key X.)
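The flavor of such a derivation can be sketched as follows. This is a toy illustration only, not the actual [DM02] function, and it carries no security claim: the short key Y determines a few positions in the huge randomizer R, and the bits at those positions are XORed to form each bit of the derived key X.

```python
import random

def derive(R: list[int], Y: int, out_bits: int = 16, taps: int = 4) -> list[int]:
    # Toy BSM-style derivation: Y (and nothing else) determines which
    # positions of R contribute to each output bit; those bits are XORed.
    rng = random.Random(Y)
    X = []
    for _ in range(out_bits):
        bit = 0
        for _ in range(taps):
            bit ^= R[rng.randrange(len(R))]
        X.append(bit)
    return X

R = [random.getrandbits(1) for _ in range(100_000)]  # the huge randomizer
Y = 0xC0FFEE                                          # the short initial key
X = derive(R, Y)
assert X == derive(R, Y)     # both parties derive the same X from (R, Y)
assert len(X) == 16
```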
End of the introduction to cryptography
How is BSM related to our model?
It seems that the assumptions are opposite:

       transmission   storage
BSM    cheap          expensive
LCM    expensive      cheap
Entity authentication – the problem
Alice knows the public key of the bank, so over the channel C the user can verify the authenticity of the bank.
But the bank cannot verify the authenticity of the user.
We solve the following problem:
How can the bank verify the authenticity of the user?
Entity authentication – the solution
The user and the bank share a huge key K = R:
000110100111010010011010111001110111...
The bank sends a random challenge Y; the user replies with X = f(R, Y); the bank verifies the reply.
The communication is done via the channel C.
Security of the entity authentication
protocol (1/3)
Clearly, as long as the adversary is controlling Alice's machine, she can impersonate her.
But what happens when the adversary loses control of the user's machine?
Security of the entity authentication
protocol (2/3)
Security of the entity authentication
protocol (3/3)
What about the active attacks?
Since the communication is done via the channel C,
the only thing that the adversary can do is to
“act as a wire”.
Session-key generation
The entity authentication protocols
without key generation are often
not very useful.
It is much more practical to have a
session-key generation protocol.
The session-key generation
Alice and Bob share a long-term key K and use it to generate fresh session keys.
Intrusion-resilient session-key generation
Compromised sessions: sessions during which the adversary had a virus installed on the machine of at least one of the users.
Over time, compromised and non-compromised sessions interleave.
Clearly, the keys generated in the compromised sessions leak to the adversary.
We want the keys generated in non-compromised sessions to remain secret!
Intrusion resilience = backward +
forward security
Forward-secure session-key generation (standard method)
(Encr, Decr) – a public key encryption scheme; the long-term key is a key K for a MAC.
1. Alice generates a random key pair (e, d) for the public-key encryption and sends e, MAC(K, e).
2. Bob generates a random session key Z and sends C = Encr(e, Z), MAC(K, C).
3. Alice decrypts Z from C and then erases d.
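The standard method above can be sketched end-to-end. Since the slides leave the public-key scheme abstract, this toy uses textbook ElGamal over a small Mersenne prime, with HMAC as the MAC; all parameters and names are illustrative and insecure.

```python
import hmac, hashlib, secrets

P = 2**127 - 1          # toy group: a Mersenne prime (insecure size)
G = 3

K = secrets.token_bytes(32)                    # long-term MAC key

def tag(data: bytes) -> bytes:
    return hmac.new(K, data, hashlib.sha256).digest()

# Alice: fresh ephemeral key pair (e, d); authenticate e with the MAC.
d = secrets.randbelow(P - 2) + 1
e = pow(G, d, P)
e_bytes = e.to_bytes(16, "big")
msg1 = (e_bytes, tag(e_bytes))

# Bob: verify the MAC, pick a random session key Z, encrypt it under e.
e_recv, t1 = msg1
assert hmac.compare_digest(t1, tag(e_recv))
Z = secrets.randbelow(P - 2) + 1
k = secrets.randbelow(P - 2) + 1
c1 = pow(G, k, P)
c2 = Z * pow(int.from_bytes(e_recv, "big"), k, P) % P
C = c1.to_bytes(16, "big") + c2.to_bytes(16, "big")
msg2 = (C, tag(C))

# Alice: verify the MAC, decrypt Z, then ERASE d. Erasing d is what gives
# forward security: a later break-in cannot recover past session keys.
C_recv, t2 = msg2
assert hmac.compare_digest(t2, tag(C_recv))
c1r = int.from_bytes(C_recv[:16], "big")
c2r = int.from_bytes(C_recv[16:], "big")
Z_alice = c2r * pow(c1r, P - 1 - d, P) % P     # c1^(-d) by Fermat
d = None
assert Z_alice == Z        # both sides now share the session key Z
```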
Our protocol
Outline:
- We achieve forward security in a standard way.
- Only the backward security is novel.
Challenge:
How to generate the key K (for
authentication) in a backward-secure
way?
A (slightly wrong) idea
Security
Security – proof attempt (1/2)
Security – a proof attempt (2/2)
How the adversary can influence the outcome of the protocol
(Figure: a long random bit-string exchanged by the parties; the slide illustrates how the adversary can influence some of its bits, and hence the derived key.)
Repairing the protocol
How to repair the protocol?
Our idea: add hashing
The Random Oracle Model
We model the hash function as a random oracle containing a truly random function.
The oracle can be queried by the honest users and by the adversary.
Finalizing the proof
So the adversary has no information about Ka and Kb.
- If Ka = Kb – we are done!
- Otherwise Ka and Kb are independent; Alice and Bob will detect it when they use Ka and Kb in a MAC scheme.
Improvements
The Random Oracle Assumption was
removed in Cash et al. [Cryptology
ePrint Archive: Report 2005/409].
They also introduce the name Limited
Communication Model.
Independent Work
Giovanni Di Crescenzo, Richard Lipton and Shabsi Walfish, Perfectly Secure Password Protocols in the Bounded Retrieval Model, TCC 2006
Main difference: the adversary can retrieve only individual bits.
Example
The function f of [DM02] was proven secure when the memory of the adversary has size around 8% of the length of the randomizer.
In our case the players need to store 2 randomizers, so the protocol is secure if the adversary cannot retrieve 4% of the key.
Example:
if |K| = 5 GB, then we can allow her to retrieve
200 MB.
This can probably be improved significantly...
Practicality?
Note: the trusted server can generate the
key pseudo-randomly and just store the
seed.
The contribution of [D06b]: Forward-Secure Storage (FSS)
The user encrypts a message M with a secret key K and stores the ciphertext C = Encr(K, M).
Eve can compute any value U = h(C) with |U| << |C|, and later also learns K.
She should still gain no information about M, while the legitimate user can always compute M = Decr(K, C).
How realistic is the scenario that the key K leaks?
- The encryption scheme can be broken.
  We model this by granting the adversary unlimited computing power.
  This is called an information-theoretic model.
- The user can lose the key, esp. if she uses it for a longer period.
  In this case we assume that the computing power is limited (polynomial).
  This is called a computational model.
  (A weaker model, but it allows more efficient solutions.)
Formal security definition of the FSS (1/2)
Consider the following game between an adversary A and an oracle O:
1. A selects two messages M0, M1 and sends them to the oracle.
2. O selects a random bit b and a random key K, computes C = Encr(K, Mb) and sends it to the adversary.
3. A stores an arbitrary U = h(C) (with |U| << |C|).
4. O sends K to the adversary.
5. A has to guess b.
Formal security definition of the FSS (2/2)
We require that the adversary has no chance of guessing b correctly with a probability significantly better than 0.5.
(In the computational case we will also assume that the adversary performs only poly-time computations.)
Information-theoretic solution – a wrong idea
Can it work?
By the Shannon theorem it cannot be correct!
Why? Because the key is shorter than the message...
So it can be broken even without the assumption that the key leaks.
A better idea
Key: (Y, Z), where |Z| = |M|.
Ciphertext: (R, f(Y, R) ⊕ Z ⊕ M), where R is a long random string (a randomizer).
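A toy instantiation of this scheme, for illustration only; the stand-in f below is not one of the provably secure BSM functions:

```python
import random, secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(Y: bytes, R: bytes, n: int) -> bytes:
    # Stand-in for a BSM key-derivation function: Y selects positions
    # in R whose bytes are XORed into each output byte.
    rng = random.Random(Y)
    out = bytearray(n)
    for i in range(n):
        for _ in range(8):
            out[i] ^= R[rng.randrange(len(R))]
    return bytes(out)

def encr(Y: bytes, Z: bytes, M: bytes):
    # Key (Y, Z) with |Z| = |M|; ciphertext (R, f(Y, R) XOR Z XOR M).
    R = secrets.token_bytes(4096)
    return R, xor(xor(f(Y, R, len(M)), Z), M)

def decr(Y: bytes, Z: bytes, C):
    R, body = C
    return xor(xor(f(Y, R, len(body)), Z), body)

M = b"secret message"
Y, Z = secrets.token_bytes(16), secrets.token_bytes(len(M))
assert decr(Y, Z, encr(Y, Z, M)) == M
```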
Security proof (1/4)
Suppose:
A – an adversary that breaks the FSS scheme, i.e. wins the distinguishing game with probability 0.5 + a, for some non-negligible a.
We construct an adversary B that breaks the function f in the following sense: B will get a string X equal to
(0) a random string, with prob. 0.5, or
(1) f(Y, R), with prob. 0.5,
and will guess whether (0) or (1) occurred.
The adversary B will do it by simulating the adversary A.
Security proof (2/4)
B (against the BSM) simulates A (against the FSS):
1. B receives the randomizer R, selects a random string W, sends (R, W) to A, and stores the internal state of A.
2. A answers with the messages M0, M1.
3. B receives K and X, selects a random bit b, and sets Z := X ⊕ Mb.
4. B sends (K, Z) to A.
5. If A guesses b correctly, then B outputs "X = f(Y, R)"; otherwise B outputs "X is random".
Security proof (3/4)
Observation 1: If X = f(Y, R), then the adversary A guesses b correctly with probability at least 0.5 + a.
Observation 2: If X is random, then the adversary A guesses b correctly with probability exactly 0.5.
Proof: From the point of view of the adversary, the random variables (K, Z = X ⊕ Mb) and b are independent! qed
Security proof (4/4)
With prob. 0.5, X = f(Y, R): then A is right with prob. 0.5 + a and wrong with prob. 0.5 - a.
With prob. 0.5, X is random: then A is right with prob. 0.5 and wrong with prob. 0.5.
B is right when X = f(Y, R) and A is right, or when X is random and A is wrong:
probability: 0.5 · (0.5 + a) + 0.25 = 0.5 + a/2.
Problem with the information-theoretic
scheme
The secret key needs to be larger
than the message!
What if we want the key to be
shorter?
Computational FSS (with a short key) – idea 1
(Encr, Decr) – an IT-secure FSS with a key K; the ciphertext is Encr(K, message M).
Idea 1: Use a short secret key K' and expand it pseudorandomly to a longer key K:
K = PRG(K'); the ciphertext is Encr(K, message M).
(A tool: cryptographic PRG)
A cryptographic pseudorandom generator is a function that expands a short seed s into a much longer string x, in such a way that x cannot be distinguished from a random string (in poly-time), assuming that s was chosen uniformly at random.
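A common heuristic way to realize such expansion is a hash in counter mode. The sketch below treats SHA-256 as a random-looking function; it is an illustration, not a proof-carrying PRG:

```python
import hashlib

def prg(seed: bytes, n: int) -> bytes:
    # Expand a short seed into n pseudorandom bytes by hashing
    # seed || counter for successive counter values.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

K = prg(b"short seed K'", 1 << 20)           # 1 MiB key from a short seed
assert len(K) == 1 << 20
assert K[:32] == prg(b"short seed K'", 32)   # deterministic in the seed
```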
Idea 1 – intuition
Idea 1 should work because "from the point of view of the adversary, K is indistinguishable from uniform".
It turns out that this intuition is wrong...
(although probably most PRGs work well here)
Example (1/3)
Suppose that we stored on a computer:
- a long string R = (R1, ..., Rt) of length t,
- an encrypted index i = 1, ..., t: E(K, i)
  (where E is some encryption scheme).
An adversary gets access to this computer and can retrieve t/2 bits.
Later, she learns K. Can she now compute Ri?
With probability 0.5 – trivially.
It turns out that it can be done with probability 1 (for a very weird encryption function E)!
A Tool – Private Information Retrieval
The database holds a string R = (R1, ..., Rt); the user wants to learn the bit Ri for an index i = 1, ..., t.
The user generates and stores some secret N and sends the query Q(N, i).
The database replies with the answer A(Q(N, i), R), from which the user (using N) computes Ri.
Requirements:
1. the database doesn't learn i,
2. |A(Q(N, i), R)| << t.
PIR – implementation
See e.g.:
Eyal Kushilevitz and Rafail Ostrovsky,
Replication Is Not Needed: Single
Database, Computationally-Private
Information Retrieval, FOCS’97
PIR of [KO97]
Quadratic Residues
ZN* – the group of numbers in {1, ..., N} relatively prime to N.
A number a is a quadratic residue modulo N (denoted QR(N)) if there exists b such that a = b² mod N.
Suppose N = pq, where p and q are large primes.
(Figure: ZN* splits into QR(N) and QNR(N); the protocol works in the subset ZN+.)
Facts about QR
Given the factorization p, q of N it is easy to:
1. generate random elements of QR(N) and QNR(N),
2. decide membership in QR(N) and QNR(N).
The second point is hard without the knowledge of the factorization of N.
In ZN+, a product ab is a quadratic residue iff a and b are both residues or both non-residues; equivalently, ab is a non-residue iff exactly one of a, b is a non-residue.
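These facts can be checked numerically on toy primes (illustrative sizes only), using Euler's criterion modulo each prime factor:

```python
# Toy check of the QR facts with small primes p, q. Knowing the
# factorization lets us decide residuosity via Euler's criterion.
p, q = 7, 11
N = p * q

def is_qr(a: int) -> bool:
    # a is a QR mod N = p*q iff it is a QR mod p and a QR mod q.
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1

# 4 = 2^2 is a QR; 6 is a non-residue mod both 7 and 11, so it lies
# in ZN+ but is a QNR mod N.
assert is_qr(4)
assert not is_qr(6)
assert not is_qr(4 * 6 % N)   # QR * QNR  -> QNR
assert is_qr(6 * 6 % N)       # QNR * QNR -> QR
```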
PIR of [KO97] – actions of the user
Basic idea: arrange the string R into a square s × s matrix, where s = √t.
Say the bit Ri lies in row d and column c.
The user on input i:
1. generates a random N (we will work in ZN+),
2. produces a1, ..., as such that only ac is a QNR (all the others are QRs),
3. sends N, a1, ..., as to the database.
PIR of [KO97] – actions of the database
The database views R as the s × s matrix and, for each row j, computes the product bj of the ak's, squaring ak exactly when the corresponding bit is 1.
Example (s = 6):
row 0 1 1 0 1 0 → b1 := a1·a2²·a3²·a4·a5²·a6
row 1 0 0 0 1 1 → b2 := a1²·a2·a3·a4·a5²·a6²
row 0 1 1 1 0 0 → b3 := a1·a2²·a3²·a4²·a5·a6
…
The database sends b1, ..., bs to the user.
Note: bj is a QR iff the bit in column c of row j is 1 (only ac is a QNR, and it enters squared exactly when that bit is 1).
PIR of [KO97] – final remarks
The user just looks at bd and decides that:
- Ri = 1 if bd is a QR,
- Ri = 0 otherwise.
Security follows from the fact that the database cannot distinguish QRs from QNRs.
PIR of [KO97] – the end
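Putting the pieces together, the whole [KO97]-style protocol fits in a short toy program. The primes are tiny and the helper names are hypothetical; this is a sketch of the mechanics, not a secure implementation.

```python
import math, random, secrets

p, q = 1009, 1013            # the user's secret primes; N is public
N = p * q

def is_qr(a: int) -> bool:
    # Needs the factorization of N, so only the user can run this.
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1

def coprime() -> int:
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x

def random_qr() -> int:
    return pow(coprime(), 2, N)

def random_qnr() -> int:
    # Non-residue mod both p and q: a QNR that the database cannot
    # tell apart from a QR without the factorization.
    while True:
        x = coprime()
        if pow(x, (p - 1) // 2, p) == p - 1 and pow(x, (q - 1) // 2, q) == q - 1:
            return x

def query(c: int, s: int) -> list[int]:
    # User: QRs everywhere except a QNR in the wanted column c.
    return [random_qnr() if k == c else random_qr() for k in range(s)]

def answer(R: list[list[int]], a: list[int]) -> list[int]:
    # Database: per row, multiply the a_k, squaring a_k exactly
    # when the corresponding bit is 1.
    return [math.prod((ak * ak if bit else ak) % N for bit, ak in zip(row, a)) % N
            for row in R]

def decode(b: list[int], d: int) -> int:
    return 1 if is_qr(b[d]) else 0       # bit is 1 iff b_d is a QR

s = 4
R = [[random.getrandbits(1) for _ in range(s)] for _ in range(s)]
d, c = 2, 3                              # we want the bit R[d][c]
assert decode(answer(R, query(c, s)), d) == R[d][c]
```

Note that the answer b1, ..., bs is s numbers mod N, i.e. about √t group elements instead of t bits, which is what makes the adversary's "store A(Q(N, i), R)" attack in the next slides so cheap.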
Example (2/3)
Recall: a long string R = (R1, ..., Rt) of length t, and an encrypted index i = 1, ..., t: E(K, i).
We construct the encryption scheme (E, D).
Ingredients:
- (E', D') – some encryption scheme with a key K',
- a PIR scheme.
(E, D):
- key K: (the user's secret N, K')
- E(K, i): (Q(N, i), E'(K', i))
This is secure...
Example (3/3)
The computer stores the long string R = (R1, ..., Rt) and the ciphertext (Q(N, i), E'(K', i)).
The adversary simulates the PIR database and stores A(Q(N, i), R), which is much shorter than t bits.
Later, when she learns the key (the user's secret N and K'), she computes Ri from A(Q(N, i), R).
Idea 2
Recall Idea 1: a short key K' is expanded by a cryptographic pseudorandom generator into the key K.
Idea 2: encrypt a random message M under the FSS, i.e. compute Encr(K, M), and use M as a key for an encryption scheme (E, D).
The ciphertext of the actual message M' is (Encr(K, M), E(M, M')).
Idea 2 – security proof (sketch)
Suppose we have an adversary A that breaks the scheme.
Consider a modified scheme in which M' is encrypted under an independent random message L: the ciphertext is (Encr(K, M), E(L, M')).
From the security of (E, D): A cannot break the modified scheme.
Hence from A we can construct an adversary that breaks the underlying scheme (Encr, Decr)!
Complexity-theoretic view on encryption
The adversary knows C and knows that M = M0 or M = M1, and wants to decide if there exists K such that C = Encr(K, M0).
This is an NP-language!
Observe that if |M| >> |K|, then for random M0, M1 and a random K0, the probability that there exists K1 such that Encr(K0, M0) = Encr(K1, M1) is negligible.
(Figure: the maps from keys to ciphertexts for the two messages; the images almost never collide.)
Complexity-theoretic view
Classical encryption exists => P ≠ NP.
In the case of FSS the adversary:
1. stores some information about C ("compresses" it),
2. later obtains the witness K.
FSS exists => P ≠ NP, and there exist NP problems that are "incompressible".
Compressibility of NP-instances
This notion was recently studied in:
Danny Harnik, Moni Naor
On the Compressibility of NP Instances and
Cryptographic Applications
ECCC Report TR06-022, 2006
See also:
Bella Dubrov, Yuval Ishai
On the Randomness Complexity of Efficient Sampling
STOC 2006
The contribution of [HN06]
They describe a hierarchy of incompressible NP-languages.
They show several implications for cryptography and complexity of the assumption that certain languages are incompressible.
The idea of [HN06]
Def. An NP-language L is compressible to L' if there exists a poly-time algorithm Z such that:
- Z(x) ∈ L' <=> x ∈ L,
- the length of Z(x) is polynomial in |w| and in log |x|, where w is the witness of x.
Compression is witness-retrievable if one can compute (in poly-time) the witness for Z(x) from w and Z(x).
(Observe that we need witness-retrievability in our case!)
The end
Questions
?