on forward-secure storage

Download On Forward-Secure Storage

Post on 15-Jan-2016




0 download

Embed Size (px)


On Forward-Secure Storage. Stefan Dziembowski Warsaw University and University of Rome La Sapienza. The m ain idea. Limited Communication Model : Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen . D. - PowerPoint PPT Presentation


  • On Forward-Secure Storage

    Stefan Dziembowski

    Warsaw University


    University of Rome La Sapienza

  • The main ideaLimited Communication Model:

    Construct cryptographic protocols where the secrets are so large that cannot be efficiently stolen.

    D.Intrusion-Resilience via the Bounded-Storage ModelTCC 2006

    D. Cash, Y. Z. Ding, Y. Dodis, W. Lee, R. Lipton and S. Walfish Intrusion-Resilient Authentication in the Limited Communication Model

    (There it was used to construct intrusion-resilient protocols for authentication and session-key generation.)

  • The problem that we considerkey Kmessage MC = E(K,M)Cinstalls a virusretrieves C

    One of the following happens: The key K leaks to the adversary or The adversary breaks the scheme

    The adversary can compute M

  • Our ideaDesign an encryption scheme such that the ciphertext C is so large that the

    adversary cannot retrieve it completely

    message M ciphertext C=Encr(K,M) We call it a Forward-Secure Storage (FSS)

  • Practicality?

  • Forward-Secure StorageWe allow the adversary to compute an arbitrary function h of C.ciphertext C=Encr(K,M) function hretrieved value U=h(C)length tlength s
  • Computational power of the adversaryWe consider the following variants: computational: the adversary is limited to poly-time information-theoretic: the adversary is infinitely-powerful hybrid: the adversary gains infinite power after he computed the function h. This models the fact that the in the future the current cryptosystems may be broken!

  • Our ContributionFormal definition of FSS Constructions of FSS schemes: IT-securecomputationally-securea scheme with a conjectured hybrid security Connections with the theory of Harnik and Naor

  • A tool: the Bounded Storage ModelIt turns out that this is related to the Bounded Storage Model (BSM) [Maurer 1992]

    In the BSM the security of the protocols is based on the assumption that one can broadcast more bits than the adversary can store.

    The computing power of the adversary may be unlimited!

  • The Bounded-Storage Model (BSM) an introductionshortinitialkey Kknows:U=h(R)randomizer disappearsX ?Eve shouldnt be able to distinguish X from random

  • BSM previous resultsSeveral key-expansion functions f were proven secure [DR02, DM04b, Lu04, Vad04].

    Of course their security depends on the bound on the memory of the adversary.

    We call a function s-secure if it is secure against an adversary that has memory of a size s.

  • How is BSM related to our model?Seems that the assumptions are oposite:

  • BSM vs. LCMBounded-Storage Model:Limitted-Communication Model:R comes from a satellitestored value UC is stored on a computerretrieved value U

  • Information-theoretic solution a wrong ideaKRXMYf(),=messagekeyciphertext in the BSM encryptionf s-secure in the BSMxorciphertext(R,Y)

    Shannon theoremthis cannot work!

  • What exactly goes wrong?Suppose the adversary has some information about M.

    He can see(R, f(K,R) xor M ).

    So, he can solve (for K) the equation W = f(K,R) xor M.

    If he has enough information about M and K is short, he will succed!

    Idea: Blind the message M!denote it W

  • A better ideaKRXMYf(),=messagekey is a pair (K,Z)ciphertext(R,Y)Zxor

  • Why does it work?IntuitionThe adversary can compute any function h of:

    Y is of no use for him, since it is xor-ed with a random string Z! So if this FSS scheme can be broken then also the BSMfunction f can be broken (by an adversary using the same amount of memory). RY = f(K,R) xor M xor Z

  • Problem with the information-theoretic schemeThe secret key needs to be larger than the message!

    What if we want the key to be shorter?

    We need to switch to the computational settings...

  • Computational FSS (with a short key)(Encr,Decr) an IT-secure FSS(E,D) a standard encryption schemeEncr1(Encr(E()))=,,,KKKKMK is a random key for the standard encryption schemeMIntuition: when the adversary learns K he has no idea about K and therefore no idea about M.


  • Hybrid securityWhat about the hybrid security?

    Recall the scenario:

    ciphertext C=Encr(K,M) hretrieved value U=h(C)M ?

  • Is this scheme secure in the hybrid model?The adversary retrives only the second part! Later, when she gets infinite computing power, she can recover the message M! Thus, the scheme is not secure in the hybrid model!Encr(E()),,KKKM

  • A scheme (Encr2,Decr2)Does there exist an FSS scheme with hybrid security (and a short key)?

    Idea: Generate K pseudorandomly!

    (Encr,Decr) an IT-secure FSSG a cryptographic PRG


  • Is the scheme from the previous slide secure?It cannot be IT-secure, but is it

    computationally-secure?secure in the hybrid model? We leave it as an open problem. Looks secure...

    We can show the following:

    Very informally,it is secure if one-way functions cannot be used to construct Oblivious Transfer.

  • Computational security of Encr2 (1/2)there exists an adversary Athat breaks the (Encr2,Decr2) schemeWe show that ifthenone can construct an Oblivious Transfer protocol with:

    an unconditional privacy of the Senderprivacy of the Receiver based on the security of the PRG G.

  • Computational security of Encr2 (2/2)Simplification: assume that |M| = 1 and the adversary can guess it with probability 1.We construct an honest-but-curious Rabin OT.

    receiversenderinput: MX = G(K) with prob. 0.5X is random with prob. 0.5Encr(X,M)KIf X = G(K) then the adversary outputs M.MU - memory of the adversaryA computationally-limited sendercannot distinguish these cases!If X is random then the receiver learns nothing about M (this follows from the IT-security of Encr)!

  • How to interpret this result?Which PRGs G are safe to use in this protocol?

    In some sense: those that cannot be used to construct OT.

    But maybe there exist wrong PRGs...

    (see: S. Dziembowski and U. MaurerOn Generating the Initial Key in the Bounded-Storage Model, EUROCRYPT '04)

  • Hybrid security of Encr2The argument for the hybrid security is slightly weaker.

    We can construct only an OT-protocol with a computationally-unbounded algorithm for the Receiver...

    This is because the receiver has to simulate an unbounded adversary.


  • Summary

  • A complexity-theoretic viewSuppose the adversary wants to know if a given C is a ciphertext of some message M.NP-language:L = {C : there exists K such that C = Encr(K,M)}.

    standard encryptionFSSis C in L?Can we compress C to some U, s.t. |U|

  • The theory of Harnik and NaorThis question was recently studied in:Danny Harnik, Moni Naor On the Compressibility of NP Instances andCryptographic Applications FOCS 2006

    See also:Bella Dubrov, Yuval Ishai On the Randomness Complexity of Efficient SamplingSTOC 2006

  • Compressibility of NP InstancesInformally, an NP language L is compressible if there exists an efficient algorithm that

    compresses every string X to a shorter string U,

    in such a way that an infinitely-powerful solver can decideif X is in L basing only on U.

    Proving that some language is incompressible(from standard assumptions)is an open problem..

    This is why showing an FSS scheme provably-secure in the hybrid model may be hard!

  • Questions?