Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security

Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security
Baodong Qin (1,2), Shengli Liu (1), Tsz Hon Yuen (3), Robert H. Deng (4), Kefei Chen (5)
1. Shanghai Jiao Tong University, China; 2. Southwest University of Science and Technology, China; 3. Huawei, Singapore; 4. Singapore Management University, Singapore; 5. Hangzhou Normal University, China
PKC 2015, March 31, NIST

Contents
- Related-key attacks
- Previous works
- Continuous NM-KDFs: definition, construction and security proof
- Application to RKA security
- Conclusion

Related-Key Attacks: Scenario
A hardware implementation of algorithm M holds a secret key s and computes y = M(s, x). Fault attacks (heating the device or cutting wires) inject faults that replace s by a related key s', after which the device computes y' = M(s', x).

Related-Key Attacks: Assumption
The device is leakage-proof but not tamper-proof. A system is composed of: the algorithm (code), public parameters, public keys (if any), and secret keys. The algorithm M computes y = M(s, x).
Assumptions:
- The algorithm (code) and public parameters reside in a tamper-proof hardware device.
- Only public keys and secret keys may be subject to tampering attacks.
- The device does not leak any information on the secret key (leakage-proof and tamper-proof).

Related-Key Attacks: Related-key derivation (RKD) functions (following [BK03])
RKD functions, also called tamper functions, map the secret-key space to itself: F: S → S, f: s ↦ f(s).
If the public key pk is involved in an algorithm M, it might be subject to tampering attacks as well. In practice the adversary already knows pk, so tampering with pk depends only on the adversary's view, not on the secret key; the tampered pk' is implicitly determined by the RKD function f: F: S × PK → S × PK, f: (s, pk) ↦ (f(s), pk').
This differs from the split-state model [DP08, FMNV14], where s is divided into two parts (s1, s2) and f×g: (s1, s2) ↦ (f(s1), g(s2)) with f and g independent of each other; there the adversary does not learn the result g(s2).

Related-Key Attacks: Two security models
Related-key attack (RKA) security [BK03] and algorithmic tamper-proof (ATP) security [GLMMR04]: non-persistent vs persistent tampering [JW15].
- RKA (non-persistent): every tamper function is applied to the original key: s1 = f1(s0), s2 = f2(s0), s3 = f3(s0).
- ATP (persistent): each tamper function is applied to the previously tampered key: s1 = f1(s0), s2 = f2(s1), s3 = f3(s2).
This paper: the RKA model. We would like the RKD function class to be as rich as possible.

Previous Works on RKAs: Specific Constructions
Specific primitives under specific computational assumptions. RKA-secure PRFs, IBE, signatures, PKE.
Timeline: RKAs on ciphers; 2003: theoretical treatment [BK03]; 2010: practical construction [BC10]; 2011: relations among RKA primitives [BCM11]; 2012: from linear to polynomial RKAs [BPT12]; followed by more constructions.

Previous Works on RKAs: Specific Constructions
Limitations:
1. Simple RKD functions only: linear, affine or polynomials of bounded degree.
2. Parameters depend on the RKD functions, and security relies on non-standard assumptions.
Example in [BPT12]: to compute g^{f(s)} without knowing s for a polynomial f(x) = a0 + a1 x + ... + ad x^d, the public key must provide the elements g^s, g^{s^2}, ..., g^{s^d}, so that g^{f(s)} = g^{a0} (g^s)^{a1} ... (g^{s^d})^{ad}. Security then rests on the d-extended DBDH assumption.

Previous Works: Generic Approach
Tamper-resilient codes, mainly including algebraic manipulation detection (AMD) codes [CDF+08], non-malleable codes (NMC) [DPW10, FMVW14, ...] and continuous NMC [FMNV14, JW15, ...]. Encode maps s to a codeword c, Decode maps c back to s, and decoding a tampered codeword c' yields s' = ⊥ or a value unrelated to s.
AMD codes and NMC handle single-time tampering, but RKA security requires multi-time non-persistent tampering. Continuous NMC handle multi-time tampering (persistent or non-persistent).
Concurrent work [JW15] is simple and efficient, but its public parameter size depends on the tamper function class F, i.e. O(log |F|).

Contributions
- New notion: continuous non-malleable key derivation function (cnm-KDF).
- A generic construction from a one-time lossy filter, a one-time signature and pairwise independent hash functions, instantiated under standard assumptions.
- RKD functions: any bounded-degree polynomials, generalized to functions with high output entropy and input-output collision resistance (HOE&IOCR).
- Application to RKA-secure IBE, PKE and signatures.

Continuous Non-Malleable KDF: Definition and Security
Inspired by the non-malleable KDF of [FMVW14]. A KDF maps a seed s to a key r.
- Standard security: r is random from the adversary's view (given the KDF description).
- Non-malleability: r is random even given one related output r' = KDF(f(s)).

Continuous Non-Malleable KDF: Definition and Security
cnm-KDF: the input takes an auxiliary input π, and the output may be the failure symbol ⊥. View π as a proof or authentication of s; the failure symbol means π is invalid. The KDF computes r = KDF(s, π) or ⊥.
Continuous non-malleability: r is random even given multiple related outputs r1 = KDF(f1(s), π1), r2 = KDF(f2(s), π2), ..., rk = KDF(fk(s), πk).

Continuous Non-Malleable KDF: Generic Construction
Components: a one-time lossy filter (LF) [QL13], a one-time signature and a pairwise independent hash function.
Properties of the LF, which maps s ∈ S to y = LF(t, s) ∈ Y under a tag t = (ta, tc):
- It works in two indistinguishable modes. Injective mode: LF(t, ·) is injective, |S| = |Y|. Lossy mode: LF(t, ·) loses information, |S| >> |Y|.
- It is hard to generate a non-injective tag.

Continuous Non-Malleable KDF: Generic Construction
Sample algorithm. Output: a seed s ∈ S and a proof π = t||y||σ.
- (vk, sigk) ← OTS.Gen.
- Tag t = (vk, tc); y = LF(t, s).
- σ is the one-time signature produced with sigk (the figure feeds tc and y into OTS).

Continuous Non-Malleable KDF: Generic Construction
KDF algorithm. Input: seed s and proof π = (vk, tc)||y||σ. Output: ⊥ or r.
- Recompute y' = LF((vk, tc), s) and check y' = y (0/1).
- Verify σ under vk (0/1).
- If either check fails output ⊥; otherwise output r = h(s), where h is the pairwise independent hash function.

Continuous Non-Malleable KDF: Security Proof
RKD functions: all degree-d polynomials over a finite field. Two properties of these RKD functions.
Lemma 3: Let X be any random variable over some finite field with H∞(X) ≥ n. Then
- H∞(f(X)) ≥ n − log d if f is non-constant;
- Pr[f(X) = X] ≤ d/2^n if f is not the identity.
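Added illustration of Lemma 3 (not code from the paper): over a small prime field GF(p) with X uniform, so that H∞(X) = n = log2 p, both bounds can be checked exactly by enumeration. The reasoning in the comments is the standard root-counting argument; p and the sample polynomial are constructed values.

```python
"""Exact check of the two Lemma 3 bounds for a degree-d polynomial RKD
function f over GF(p), with X uniform on GF(p) (constructed toy setting)."""
import math


def poly_eval(coeffs, x, p):
    """Evaluate a_0 + a_1 x + ... + a_d x^d mod p; coeffs[i] = a_i."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def min_entropy_of_image(coeffs, p):
    """H_inf(f(X)) in bits for uniform X: -log2 of the most likely output.
    Each y has at most d preimages (f(x) - y has degree <= d and is not the
    zero polynomial when f is non-constant), hence H_inf >= n - log2 d."""
    counts = {}
    for x in range(p):
        y = poly_eval(coeffs, x, p)
        counts[y] = counts.get(y, 0) + 1
    return -math.log2(max(counts.values()) / p)


def fixed_point_prob(coeffs, p):
    """Pr[f(X) = X] for uniform X. When f is not the identity, f(x) - x is a
    non-zero polynomial of degree <= d and so has at most d roots."""
    fixed = sum(1 for x in range(p) if poly_eval(coeffs, x, p) == x)
    return fixed / p


def check_lemma3(coeffs, p):
    """Return (H_inf(f(X)), bound n - log2 d, Pr[f(X)=X], bound d / 2^n)
    for a non-constant f; 2^n = p here because X is uniform on GF(p)."""
    d = max(i for i, a in enumerate(coeffs) if a % p)  # actual degree of f
    if d == 0:
        raise ValueError("Lemma 3 needs a non-constant polynomial")
    n = math.log2(p)
    return (min_entropy_of_image(coeffs, p), n - math.log2(d),
            fixed_point_prob(coeffs, p), d / p)


if __name__ == "__main__":
    # Constructed example: f(x) = x^2 + 3 over GF(101), d = 2.
    print(check_lemma3([3, 0, 1], 101))
```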

Continuous Non-Malleable KDF: Security Proof
Highlight of the proof idea: reject all non-trivial queries.
Target: π* = t*||y*||σ* and r* = h(s*) (or random). Query: (f, π' = t'||y'||σ').
Trivial queries, answerable without s*: if f is a constant function, output KDF(f(·), π') directly; if f = id and π' = π*, output the symbol same*.
For all other queries:
(1) Switch t* from injective to lossy mode: y* = LF(t*, s*) then reveals little information on s*, so f(s*) has high residual entropy.
(2) One-time signature: t* cannot be re-used in a fresh proof.
(3) It is hard to generate a fresh non-injective tag even given t*, so t' = (vk', tc') is injective; whether y' = LF(t', f(s*)) holds is then the deciding check, and the residual entropy of f(s*) makes a correct y' unlikely.

Continuous Non-Malleable KDF: Generalization
From polynomials to High Output Entropy and Input-Output Collision Resistance (HOE&IOCR).
- HOE&IOCR: H∞(f(S)) is large, and Pr[f(S) = S] is negligible.
- Polynomials: H∞(f(S)) ≥ n − log d if f is non-constant, and Pr[f(S) = S] ≤ d/2^n if f is not the identity.

Applications: RKA-secure IBE, PKE and signatures
RKA-IBE: sample (s, π), derive r = KDF(s, π), run (mpk, msk) ← IBE.Gen(Param; r), and set mpk' = (mpk, π) and msk' = s.
Theorem: if the cnm-KDF is secure w.r.t. F, the new IBE is RKA-secure w.r.t. the same RKD function class.
RKA-IBE yields RKA-PKE or RKA-Sig via [BCM11]; alternatively, construct RKA-PKE and RKA-Sig directly.

Conclusion
- A strengthened security model for non-malleable KDFs.
- A generic construction of cnm-KDF w.r.t. polynomials or HOE&IOCR functions.
- Application to RKA-secure IBE, PKE and signatures.

Thanks. Full version: http://eprint.iacr.org/2015/003