Provably Secure Key Assignment Schemes from Factoring
Eduarda S. V. Freire and Kenneth G. Paterson
Information Security Group, Royal Holloway, University of London


Page 2: Outline of the Talk

➢ Hierarchical Key Assignment Schemes
• Definition of Security Notions
• Some Previous Work
• Cryptographic Assumptions
  • The Factoring Assumption
  • Security of BBS Generator
• Provably Secure KAS under the Factoring Assumption
  • A KR-secure Scheme
  • KI-secure Schemes

Page 3: Hierarchical Key Assignment Schemes

• Method for implementing access control policies where some users have more access rights than others
• These schemes can be useful for:
  • Content distribution
  • Management of databases containing sensitive information
  • Government communications
  • Broadcast services (such as cable TV)

Page 4: Hierarchical Key Assignment Schemes

An access control policy can be represented by a directed graph $G=(V,E)$, also called a poset.

[Figure: example hierarchy on the classes a, b, c, d, e, f, with a legend showing an edge from class u to class v.]

• $V$: set of disjoint classes, called security classes
• Edge $(u,v) \in E$: users in class $u$ have access to data in class $v$, represented by $v \leq u$

Any class should be able to access the secret data of all its successors in the hierarchy.

Any set of classes should NOT be able to access data of any class that is not a successor of any class in the set.

Page 5: Hierarchical Key Assignment Schemes

Solution: Assign an encryption key and some private information to each class in the graph (hierarchy), as well as some public information.

[Figure: the example hierarchy with each class labelled by its key and private information: $(k_a,S_a)$, $(k_b,S_b)$, $(k_c,S_c)$, $(k_d,S_d)$, $(k_e,S_e)$, $(k_f,S_f)$, plus the public information Pub.]

Private information + public info will be used to generate encryption keys.

Page 6: Hierarchical Key Assignment Schemes

A key assignment scheme is a pair of algorithms Gen, Derive:

$(S,k,pub) \leftarrow \mathrm{Gen}(1^\rho,G)$
• $S$ is the set of private information
• $k$ is the set of keys
• $pub$ is the public information

$k_v \leftarrow \mathrm{Derive}(1^\rho,G,pub,u,v,S_u)$ for each class $v \in V$ such that $v \leq u$, where $S_u$ is the private information assigned to class $u$ and $k_v$ is the key assigned to class $v$.

Page 7: Outline of the Talk

✓ Hierarchical Key Assignment Schemes
➢ Definition of Security Notions
• Some Previous Work
• Cryptographic Assumptions
  • The Factoring Assumption
  • Security of BBS Generator
• Provably Secure KAS under the Factoring Assumption
  • A KR-secure Scheme
  • KI-secure Schemes

Page 8: Definition of Security Notions

• Types of Adversaries
  • Static Adversary
  • Dynamic Adversary
• Security Goals [Atallah et al.]
  • Key Recovery
  • Key Indistinguishability

Pages 9-10: Types of Adversaries: Static Adversary

The adversary first chooses a class $u \in V$ to attack and then is allowed to access the private information assigned to all classes $v \in V$ such that $u \not\leq v$.

[Figure: the example hierarchy with classes u, a, b, d, e, f. The static adversary $A_{stat}$ says "I want to attack u", then "Now I want $S_b$, $S_d$, $S_e$, $S_f$".]

Pages 11-15: Types of Adversaries: Dynamic Adversary

The adversary first gets access to all public information and adaptively chooses a number of classes to corrupt, and then chooses a class $u \in V$ to attack. After this the adversary is still allowed to corrupt classes $v$ of its choice, subject to $u \not\leq v$.

[Figure: the example hierarchy with classes u, a, b, d, e, f. The dynamic adversary $A_{dyn}$ receives Pub, says "I want $S_b$, $S_d$, $S_e$", then "Now I want to attack u", then "Now I want $S_f$".]

Ateniese et al.: static and dynamic adversaries are polynomially equivalent.

Page 16: Security Goals by Atallah et al.

• Security w.r.t. Key Recovery (KR): an adversary is not able to compute a key to which it should not have access.
• Security w.r.t. Key Indistinguishability (KI): an adversary is not able to distinguish between a real key that it should not have access to and a random string of the same length.

Page 17: Security Goals: Key Recovery (KR-ST)

Experiment $\mathrm{Exp}^{\text{KR-ST}}_{A}(1^\rho,G)$:
  $u \leftarrow A(1^\rho,G)$
  $(S,k,pub) \leftarrow \mathrm{Gen}(1^\rho,G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $k'_u \leftarrow A(1^\rho,G,pub,corr)$
  return $k'_u$

The advantage of $A$ is defined to be $\mathrm{Adv}^{\text{KR-ST}}_{A}(1^\rho,G) = \Pr[k'_u = k_u]$. The scheme is said to be secure if $\mathrm{Adv}^{\text{KR-ST}}_{A}(1^\rho,G)$ is negligible.

Page 18: Security Goals: Key Indistinguishability (KI-ST)

Experiment $\mathrm{Exp}^{\text{KI-ST-1}}_{A}(1^\rho,G)$:
  $u \leftarrow A(1^\rho,G)$
  $(S,k,pub) \leftarrow \mathrm{Gen}(1^\rho,G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $b' \leftarrow A(1^\rho,G,pub,corr,k_u)$
  return $b'$

Experiment $\mathrm{Exp}^{\text{KI-ST-0}}_{A}(1^\rho,G)$:
  $u \leftarrow A(1^\rho,G)$
  $(S,k,pub) \leftarrow \mathrm{Gen}(1^\rho,G)$
  $corr \leftarrow \{S_v : u \not\leq v\}$
  $r \leftarrow \{0,1\}^\rho$
  $b' \leftarrow A(1^\rho,G,pub,corr,r)$
  return $b'$

The advantage of $A$ is defined to be

$\mathrm{Adv}^{\text{KI-ST}}_{A}(1^\rho,G) = |\Pr[\mathrm{Exp}^{\text{KI-ST-1}}_{A}(1^\rho,G) = 1] - \Pr[\mathrm{Exp}^{\text{KI-ST-0}}_{A}(1^\rho,G) = 1]|$.

The scheme is said to be secure if $\mathrm{Adv}^{\text{KI-ST}}_{A}(1^\rho,G)$ is negligible.

Page 19: Outline of the Talk

✓ Hierarchical Key Assignment Schemes
✓ Definition of Security Notions
➢ Some Previous Work
• Cryptographic Assumptions
  • The Factoring Assumption
  • Security of BBS Generator
• Provably Secure KAS under the Factoring Assumption
  • A KR-secure Scheme
  • KI-secure Schemes

Page 20: Some Previous Work

• [Atallah et al. '06]
  • KR-secure schemes based on pseudorandom functions;
  • KI-secure schemes based on any CCA-secure symmetric encryption;
• [Ateniese et al. '06]
  • KI-secure schemes under the BDDH assumption;
  • KI-secure schemes based on the OW-CPA security of a symmetric encryption scheme;

Pages 21-22: Some Previous Work

• [D'Arco et al. '10]
  • Proved the Akl-Taylor, MacKinnon et al., and Harn-Lin schemes to be KR-secure under the RSA assumption;
  • Construction yielding KI-secure schemes using as components KR-secure schemes and the Goldreich-Levin hard-core bit (GL-bit).
• [Crampton et al. '10]
  • New approach to constructing KAS for arbitrary posets using chain partitions. This idea was instantiated using two different cryptographic bases: collision-resistant hash functions and the RSA primitive. Unfortunately, none of these come with a formal security analysis.

Page 23: In This Work

• We propose
  • A KR-secure scheme under the factoring assumption for totally ordered hierarchies;
  • The first construction which directly yields schemes provably secure in the sense of KI-ST under the factoring assumption for general posets.

Page 24: Outline of the Talk

✓ Hierarchical Key Assignment Schemes
✓ Definition of Security Notions
✓ Some Previous Work
➢ Cryptographic Assumptions
  • The Factoring Assumption
  • Security of BBS Generator
• Provably Secure KAS under the Factoring Assumption
  • A KR-secure Scheme
  • KI-secure Schemes

Page 25: Cryptographic Assumptions: The factoring assumption

Let $(N,p,q) \leftarrow \mathrm{GenF}(1^\rho)$, where $N=pq$, and $p$ and $q$ are $\rho$-bit primes. For an algorithm $A_F$, its factoring advantage is defined to be

$\mathrm{Adv}^{fac}_{\mathrm{GenF},A_F}(1^\rho) = \Pr[(N,p,q) \leftarrow \mathrm{GenF}(1^\rho) : A_F(N) = \{p,q\}]$.

The factoring assumption (with respect to GenF) states that $\mathrm{Adv}^{fac}_{\mathrm{GenF},A_F}(1^\rho)$ is negligible. We will consider two instances of GenF:

• $\mathrm{GenBlum}(1^\rho)$: $p = 3 \bmod 4$, $q = 3 \bmod 4$
• $\mathrm{GenS}(1^\rho)$: $p = 1 \bmod 2^n$, $q = 3 \bmod 4$

Page 26: Cryptographic Assumptions: The BBS pseudorandom generator

Let $N$ be a Blum integer, that is: $N=pq$, where $p = q = 3 \bmod 4$. Let $x$ be a quadratic residue mod $N$. The BBS pseudorandom generator applied to $x$ and modulus $N$ is defined to have output

$\mathrm{BBS}_N(x) = (\mathrm{LSB}_N(x), \mathrm{LSB}_N(x^2), \ldots, \mathrm{LSB}_N(x^{2^{l-1}})) \in \{0,1\}^l$,

where $\mathrm{LSB}_N(x)$ denotes the least significant bit of $x$.

Page 27: Cryptographic Assumptions: Security of BBS generator

Let $D$ be a distinguisher.

Experiment $\mathrm{Exp}^{\text{BBS-1}}_{D}(1^\rho)$:
  $(x,N) \leftarrow \mathrm{Gen}(1^\rho)$
  $d \leftarrow D(N, z = x^{2^l} \bmod N, \mathrm{BBS}_N(x))$
  return $d$

Experiment $\mathrm{Exp}^{\text{BBS-0}}_{D}(1^\rho)$:
  $(x,N) \leftarrow \mathrm{Gen}(1^\rho)$
  $r \leftarrow \{0,1\}^l$
  $d \leftarrow D(N, z = x^{2^l} \bmod N, r)$
  return $d$

The advantage of $D$ is defined to be

$\mathrm{Adv}^{BBS}_{D}(1^\rho) = |\Pr[\mathrm{Exp}^{\text{BBS-1}}_{D}(1^\rho) = 1] - \Pr[\mathrm{Exp}^{\text{BBS-0}}_{D}(1^\rho) = 1]|$.

The BBS generator is secure if $\mathrm{Adv}^{BBS}_{D}(1^\rho)$ is negligible for any PPT $D$.

BBS distinguisher ⇒ factoring algorithm


Page 29: Outline of the Talk

✓ Hierarchical Key Assignment Schemes
✓ Definition of Security Notions
✓ Some Previous Work
✓ Cryptographic Assumptions
  ✓ The Factoring Assumption
  ✓ Security of BBS Generator
➢ Provably Secure KAS under the Factoring Assumption
  • A KR-secure Scheme
  • KI-secure Schemes

Page 30: Provably Secure KAS: A Basic Scheme

Let $G=(V,E)$ be a directed graph, where $V=\{u_0, \ldots, u_{n-1}\}$ and $u_{i+1} < u_i$ for all $i$.

Algorithm $\mathrm{Gen}(1^\rho,G)$:
1. Run $\mathrm{GenS}(1^\rho)$ to obtain two $\rho$-bit primes $p = 1 \bmod 2^n$ and $q = 3 \bmod 4$ and compute $N=pq$
2. Let $pub=N$ be the public information
3. Randomly choose a secret value $\gamma$ from $\mathbb{Z}_N^*$
4. For each class $u_i \in V$, set $k_{u_i} = S_{u_i} = \gamma^{2^i} \bmod N$
5. Let $S$ and $k$ be the sets of private info and keys
6. Output $(S,k,pub)$

Algorithm $\mathrm{Derive}(G,pub,u_i,u_j,k_{u_i})$:
1. For $j > i$, compute $k_{u_j} = (k_{u_i})^{2^{j-i}} \bmod N$
2. Output $k_{u_j}$

[Figure: the chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$ with keys $k_{u_0} = \gamma \bmod N$, $k_{u_1} = \gamma^{2} \bmod N$, $k_{u_2} = \gamma^{2^2} \bmod N$, $k_{u_i} = \gamma^{2^i} \bmod N$, $k_{u_{i+1}} = \gamma^{2^{i+1}} \bmod N$, $k_{u_{n-2}} = \gamma^{2^{n-2}} \bmod N$, $k_{u_{n-1}} = \gamma^{2^{n-1}} \bmod N$.]

Pages 31-33: Provably Secure KAS: KR-Security of the Basic Scheme

Theorem: Assume the factoring assumption relative to GenS holds. Then our basic scheme is KR-ST secure.

$\mathrm{Adv}^{\text{KR-ST}}_{A_{stat}}(1^\rho,G) = \mathrm{Adv}^{fac}_{\mathrm{GenS},A_F}(1^\rho)$

[Figure: the chain $u_0, u_1, u_2, \ldots, u_i, u_{i+1}, \ldots, u_{n-2}, u_{n-1}$ with $S_{u_0} = k_{u_0} = \gamma \bmod N$, $S_{u_1} = k_{u_1} = \gamma^{2} \bmod N$, $S_{u_2} = k_{u_2} = \gamma^{2^2} \bmod N$, $S_{u_i} = k_{u_i} = \gamma^{2^i} \bmod N$, $S_{u_{i+1}} = k_{u_{i+1}} = \gamma^{2^{i+1}} \bmod N$, $S_{u_{n-2}} = k_{u_{n-2}} = \gamma^{2^{n-2}} \bmod N$, $S_{u_{n-1}} = k_{u_{n-1}} = \gamma^{2^{n-1}} \bmod N$. The static adversary $A_{stat}$ says "I want to attack $u_i$", then "Now I want $S_{u_{i+1}}, \ldots, S_{u_{n-1}}$", then "I output $k'_{u_i}$".]

Page 34: Provably Secure KAS: KR-Security of the Basic Scheme

→ Tight reduction to factoring in the KR-ST security model

Why $p = 1 \bmod 2^n$ and $q = 3 \bmod 4$?

• $p \neq 1 \bmod 2^n$ and $q = 3 \bmod 4$? → Reduction from the higher quadratic residuosity assumption
• $p = 3 \bmod 4$ and $q = 3 \bmod 4$? → Reduction from the standard quadratic residuosity assumption

Page 35: Provably Secure KAS: The FP Scheme (1 chain)

• $p = q = 3 \bmod 4 \leftarrow \mathrm{GenBlum}(1^\rho)$
• $\gamma \leftarrow QR_N$
• $S_{u_i} = \gamma^{2^{il}} \bmod N$
• $k_{u_i} = \mathrm{BBS}_N(S_{u_i})$

[Figure: the chain $u_0, u_1, u_2, \ldots, u_{n-1}$ with keys
$k_{u_0} = \mathrm{BBS}_N(\gamma) = (\mathrm{LSB}_N(\gamma), \mathrm{LSB}_N(\gamma^2), \ldots, \mathrm{LSB}_N(\gamma^{2^{l-1}}))$,
$k_{u_1} = \mathrm{BBS}_N(\gamma^{2^{l}})$,
$k_{u_2} = \mathrm{BBS}_N(\gamma^{2^{2l}})$,
$k_{u_{n-1}} = \mathrm{BBS}_N(\gamma^{2^{(n-1)l}})$.]

Page 36: Provably Secure KAS: The FP Scheme (General Posets)

Let $P=(V,E)$ be a directed graph and consider a security parameter $\rho$.

Algorithm $\mathrm{Gen}(1^\rho,P)$:
1. $p = q = 3 \bmod 4 \leftarrow \mathrm{GenBlum}(1^\rho)$
2. Select a chain partition of $V$ into $w$ chains $C_0, \ldots, C_{w-1}$, where $C_i$ has length $l_i$.

[Figure: a set V of classes a, b, c, d, e, f, g, h, i, j, k, l, and a partition of V into four chains $C_0$, $C_1$, $C_2$, $C_3$, with the classes of chain $C_i$ labelled $u_j^i$.]

We build on ideas from Crampton et al. to construct our FP scheme.

Dilworth's theorem: Every poset $(V,\leq)$ can be partitioned into $w$ chains, where $w$ is the width of $V$.

Page 37: Provably Secure KAS: The FP Scheme (General Posets)

Algorithm $\mathrm{Gen}(1^\rho,P)$:
3. Select $w$ values $\gamma_0, \ldots, \gamma_{w-1}$ at random from $QR_N$
4. For each $u_j^i \in V$, $0 \leq j < l_i$, compute $T_{u_j^i} = \gamma_i^{2^{jl}} \bmod N$

[Figure: the set V of classes a to l and its partition into chains $C_0$, $C_1$, $C_2$, $C_3$, with the values $\gamma_0$, $\gamma_1$, $\gamma_2$, $\gamma_3$ attached to the chains.]

Pages 38-39: Provably Secure KAS: The FP Scheme (General Posets)

Algorithm $\mathrm{Gen}(1^\rho,P)$:
5. For each $u \in V$, define the private information $S_u$ to be $\{T_{u_i}, 0 \leq i \leq w-1\}$, where $u_i$ is the maximal class in $\downarrow u \cap C_i$, and the encryption key $k_u$ to be $\mathrm{BBS}_N(T_u)$.

[Figure: the set V of classes a to l and its partition into chains $C_0$, $C_1$, $C_2$, $C_3$, annotated for class e:
$T_e = T_{u_1^1} = \gamma_1^{2^{l}} \bmod N$,
$T_h = T_{u_0^3} = \gamma_3 \bmod N$,
$S_e = \{T_{u_1^1}, T_{u_0^3}\} = \{T_e, T_h\}$,
$k_e = \mathrm{BBS}_N(T_e)$.]

Page 40: Provably Secure KAS: The FP Scheme (General Posets)

Algorithm Derive:

[Figure: the partition of V into chains $C_0$, $C_1$, $C_2$, $C_3$, annotated with a derivation from class $u_1^1$ to class $u_2^3$:
$S_{u_1^1} = \{T_{u_1^1}, T_{u_0^3}\}$,
$T_{u_2^3} = (T_{u_0^3})^{2^{2l}} \bmod N$,
$k_{u_2^3} = \mathrm{BBS}_N(T_{u_2^3})$.]

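The Gen and Derive steps of the FP scheme for general posets, as an added Python example that is not from the slides or the authors. It runs on a constructed six-class poset with a two-chain partition and toy Mersenne-prime factors (insecure, for illustration only); the names BELOW, CHAINS, POS, down_set and advance, and the chain position stored next to each T value, are assumptions of this example.

```python
import secrets

# Constructed toy parameters (assumptions, NOT secure): two Mersenne primes,
# both congruent to 3 mod 4, so N is a Blum integer as GenBlum requires.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
L = 16  # key length l in bits

# Constructed example poset: each class maps to the classes directly below it.
BELOW = {"a": ["b", "c"], "b": ["d"], "c": ["d", "e"],
         "d": ["f"], "e": ["f"], "f": []}
# A chain partition of V into w = 2 chains, maximal class first (public).
CHAINS = [["a", "b", "d", "f"], ["c", "e"]]
POS = {u: (i, j) for i, c in enumerate(CHAINS) for j, u in enumerate(c)}


def down_set(u):
    """All classes v with v <= u (u itself included)."""
    seen, stack = set(), [u]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(BELOW[x])
    return seen


def bbs(x):
    """BBS_N(x) = (LSB(x), LSB(x^2), ..., LSB(x^(2^(l-1))))."""
    bits = []
    for _ in range(L):
        bits.append(x & 1)
        x = x * x % N
    return tuple(bits)


def advance(t, steps):
    """Walk `steps` classes down a chain: t^(2^(steps*l)) mod N."""
    return pow(t, 2 ** (steps * L), N)


def gen():
    """Return (S, k): private information and key for every class."""
    # One random square per chain (a quadratic residue unless it shares a
    # factor with N, which happens with negligible probability).
    gammas = [pow(secrets.randbelow(N - 2) + 2, 2, N) for _ in CHAINS]
    T = {u: advance(gammas[i], j) for u, (i, j) in POS.items()}
    S, k = {}, {}
    for u in BELOW:
        reach = down_set(u)
        S[u] = {}
        for i, chain in enumerate(CHAINS):
            # Maximal class of chain i that u may access, if there is one.
            top = next((v for v in chain if v in reach), None)
            if top is not None:
                S[u][i] = (POS[top][1], T[top])
        k[u] = bbs(T[u])
    return S, k


def derive(v, S_u):
    """Derive k_v from S_u by repeated squaring down v's chain."""
    i, j_v = POS[v]
    # Moving up a chain would need square roots modulo N, so a holder with
    # no value at or above v in that chain cannot obtain k_v.
    if i not in S_u or S_u[i][0] > j_v:
        raise PermissionError(f"class {v} is not below the holder of S_u")
    j_top, t_top = S_u[i]
    return bbs(advance(t_top, j_v - j_top))
```

Each class holds at most w values, one per chain it can reach, and every derivation is a run of squarings modulo N followed by BBS.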

Pages 43-46: Provably Secure KAS: KI-Security of the FP Scheme

Assuming the factoring assumption relative to GenBlum holds, the FP scheme is KI-ST secure.

$\mathrm{Adv}^{\text{KI-ST}}_{A_{stat}}(1^\rho,P) = \mathrm{Adv}^{BBS}_{D}(1^\rho)$

BBS distinguisher ⇒ factoring algorithm

[Figure: the poset on classes a to l with chains $C_0$, $C_1$, $C_2$, $C_3$. The static adversary $A_{stat}$ says "I want to attack e", then "Now I want $S_d$, $S_g$, $S_h$, $S_f$, $S_i$…", then "I receive a value V", then "I output $b'$". The challenger picks $b$: $b=0$ → $V = k_e$; $b=1$ → $V$ = random value.]

Page 47: Final Remarks

• Characteristics of the FP scheme:
  • Direct construction;
  • Small public info;
  • At most $w$ private values per node;
  • Efficient derivation: repeated squarings modulo $N$.

Page 48: THANKS!