NONCE-BASED CRYPTOGRAPHY: RETAINING SECURITY WHEN RANDOMNESS FAILS (PowerPoint presentation, slide transcript)




SLIDE 1

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography]

NONCE-BASED CRYPTOGRAPHY

RETAINING SECURITY WHEN RANDOMNESS FAILS

Mihir Bellare and Björn Tackmann, University of California, San Diego

Eurocrypt 2016, Vienna — May 11, 2016

SLIDE 2

WEAK RANDOMNESS

  • Dual EC
  • ECDSA randomness
  • RSA certificate keys: coinciding prime factors [1]
  • /dev/random ... is not robust [2]
  • labelled causes: insufficient entropy, bugs and bad implementations, targeted attack(s)
  • … and more?

[1] Heninger, Durumeric, Wustrow, Halderman, 2012; Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter, 2012
[2] Dodis, Pointcheval, Ruhault, Vergnaud, Wichs, 2013

SLIDE 3

PUBLIC-KEY ENCRYPTION [Goldwasser, Micali, 1984]

  • 1. key generation: PKE.kg → (public key, private key)
  • 2. encryption: PKE.enc(public key, plaintext) → ciphertext
  • 3. decryption: PKE.dec(private key, ciphertext) → plaintext


SLIDE 5

PUBLIC-KEY ENCRYPTION [Goldwasser, Micali, 1984]

  • 1. key generation: PKE.kg → (public key, private key)
  • 2. encryption: PKE.enc(public key, plaintext, randomness) → ciphertext (encryption consumes randomness)
  • 3. decryption: PKE.dec(private key, ciphertext) → plaintext

SLIDE 6

USING PUBLIC-KEY ENCRYPTION

  • bob (receiver): (sk, pk) ←$ PKE.kg; sends pk to alice (authenticated)
  • alice (sender): c ←$ PKE.enc(pk, m); sends c to bob
  • bob: m ← PKE.dec(sk, c)

Legend: m message, c ciphertext, pk public key, sk secret key.

SLIDE 7

SYMMETRIC ENCRYPTION AND NONCES [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  • 1. encryption: SE.enc(shared key, plaintext) → ciphertext
  • 2. decryption: SE.dec(shared key, ciphertext) → plaintext

SLIDE 8

SYMMETRIC ENCRYPTION AND NONCES [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  • 1. encryption: SE.enc(shared key, plaintext, randomness) → ciphertext (randomized encryption)
  • 2. decryption: SE.dec(shared key, ciphertext) → plaintext

SLIDE 9

SYMMETRIC ENCRYPTION AND NONCES [Bellare, Desai, Jokipii, Rogaway, 1997; Rogaway, 2004]

  • 1. encryption: SE.enc(shared key, nonce, plaintext) → ciphertext (nonce-based encryption)
  • 2. decryption: SE.dec(shared key, nonce, ciphertext) → plaintext

SLIDE 10

WHAT ABOUT NONCE-BASED PKE?

NPE.enc(public key, nonce, plaintext) → ciphertext

All input values may be known to an attacker!

SLIDE 11

THE INTUITION

  • 1. setup: generation of a good random seed
  • 2. keep state: the sender stores the seed (but we hedge the scheme against exposure of the seed)
  • 3. encryption: use the seed along with the nonce

SLIDE 12

NONCE-BASED PKE

  • 1a. receiver key generation: as before, yields (public key, secret key)
  • 1b. sender key generation: NPE.skg → seed
  • 2. encryption: NPE.enc(public key, seed, plaintext, nonce) → ciphertext; the randomness is derived inside NPE.enc from seed and nonce
  • 3. decryption: as before

SLIDE 13

USING NONCE-BASED PKE

  • bob (receiver): (sk, pk) ←$ NPE.rkg; sends pk to alice (authenticated)
  • alice (sender): seed ←$ NPE.skg, kept as state; c ← NPE.enc(pk, seed, m, nonce); sends c to bob
  • bob: m ← NPE.dec(sk, c)

Legend: m message, c ciphertext, pk public key, sk secret key.

SLIDE 14

USING NONCE-BASED PKE

Same exchange as on the previous slide: (sk, pk) ←$ NPE.rkg and seed ←$ NPE.skg, then c ← NPE.enc(pk, seed, m, nonce) and m ← NPE.dec(sk, c).

The sender has to keep state, but …

  • 1. the same seed is valid for multiple receivers
  • 2. different seeds can be used on, e.g., different devices
  • 3. seeds can be updated at any time … and
  • 4. … we are hedging against exposure of the seed

Legend: m message, c ciphertext, pk public key, sk secret key.

SLIDE 15

SECURITY GUARANTEES

Security is guaranteed if either

  • the sender seed is secret and the (nonce, message) pairs are unique, or
  • the sender seed is public and the nonces are secret and unpredictable.

Include in nonces, e.g., sender and receiver addresses, time, system RNG output.

SLIDE 16

A RANDOM-ORACLE-BASED SCHEME

NPE.enc(public key, seed, message, nonce):
  randomness ← RO(seed || nonce || message)
  ciphertext ← PKE.enc(public key, message; randomness)

Decryption remains unchanged.

SLIDE 17

MAIN TOOL: HEDGED EXTRACTORS

HE(seed, nonce, message) → randomness, which behaves as
  (a) a PRF if the seed is secret;
  (b) a strong extractor if the seed is public but random.

SLIDE 18

ADAPTING TO HEDGED EXTRACTORS

NPE.enc(public key, seed, message, nonce):
  randomness ← HE(seed, nonce, message)
  ciphertext ← PKE.enc(public key, message; randomness)

SLIDE 19

SECURITY 1: PSEUDO-RANDOMNESS

Game: b ←$ {0,1}

Oracle F(x):
  if b = 0 then return a (consistent) random value
  else return F^RO(k, x)

Oracle RO(v): the random oracle, which A may also query directly (v → w)

The adversary A queries F (x → y) and RO (v → w) and outputs a guess b'.

Adv^prf(F, A) = 2 · Pr[ b' ←$ A^{F,RO}; b = b' ] − 1

SLIDE 20

(UNPREDICTABLE) NONCE GENERATORS

A nonce generator is stateful: NG(aux, state) → (nonce, state).

Game: state ← ⊥

Oracle GEN(aux):
  if exposed then return ⊥
  (n, state) ← NG(aux, state)
  return n

Oracle EXPOSE:
  return state (after which GEN returns ⊥)

The adversary A chooses aux, receives nonces from GEN and the state from EXPOSE.

Adv^pred(NG, A) = Pr[ n ←$ A^{GEN,EXPOSE}; n ∈ N or collision ]
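The following is an added example (not code from the slides or from the authors) that turns the NG abstraction above and the advice on slide 15 into a concrete generator: the state is a counter, aux is the (sender, receiver) pair, and time plus system RNG output are mixed in. The RNG and the clock are injectable so that the two guarantees can be exercised: with the seed secret only (nonce, message) uniqueness matters, and a broken RNG is survived by the counter; with the state rolled back (lost or exposed), uniqueness is rescued only by the RNG output. The addresses, the frozen timestamp and the all-zero RNG are constructed failure scenarios.

```python
import hashlib
import os
import struct
import time


class NonceGenerator:
    """Constructed NG(aux, state) -> (nonce, state); state is a counter."""

    def __init__(self, rng=os.urandom, clock=time.time_ns):
        self.counter = 0          # the "state" an EXPOSE query would reveal
        self.rng = rng            # injectable so RNG failure can be simulated
        self.clock = clock        # injectable so a stuck clock can be simulated

    def gen(self, sender: bytes, receiver: bytes) -> bytes:
        """GEN(aux): fixed-layout 48-byte nonce; every component is kept verbatim."""
        self.counter += 1
        return (struct.pack(">Q", self.counter)                      # 8 bytes: counter (state)
                + struct.pack(">Q", self.clock() & (2**64 - 1))      # 8 bytes: time
                + hashlib.sha256(sender).digest()[:8]                # 8 bytes: sender address
                + hashlib.sha256(receiver).digest()[:8]              # 8 bytes: receiver address
                + self.rng(16))                                      # 16 bytes: system RNG output

    def expose(self) -> int:
        """EXPOSE: hand the current state to the adversary."""
        return self.counter


def count_repeats(nonces) -> int:
    """Number of nonces that repeat an earlier one (the 'collision' event of the game)."""
    return len(nonces) - len(set(nonces))


def simulate(broken_rng: bool, rollback: bool, n: int = 5) -> int:
    """Generate 2n nonces for one (sender, receiver) pair under simulated failures.

    broken_rng: the system RNG returns all-zero bytes (no entropy at all).
    rollback:   the stored state (counter) is reset to 0 halfway, as after a
                VM snapshot restore or a reboot that lost the state.
    The clock is frozen throughout, so it never rescues uniqueness by itself.
    """
    rng = (lambda k: bytes(k)) if broken_rng else os.urandom
    ng = NonceGenerator(rng=rng, clock=lambda: 1_700_000_000_000_000_000)
    nonces = [ng.gen(b"alice@example", b"bob@example") for _ in range(n)]
    if rollback:
        ng.counter = 0            # state lost: the counter restarts
    nonces += [ng.gen(b"alice@example", b"bob@example") for _ in range(n)]
    return count_repeats(nonces)


if __name__ == "__main__":
    print("RNG broken, state intact   :", simulate(True, False), "repeats")
    print("RNG fine, state rolled back:", simulate(False, True), "repeats")
    print("both fail                  :", simulate(True, True), "repeats")
```

Only when both the counter and the RNG fail at once do nonces repeat, which is the situation in which neither of the two guarantees on slide 15 applies; a deployment should therefore treat a counter rollback and an RNG failure as independent faults and keep both components in the nonce.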

SLIDE 21

SECURITY 2: EXTRACTION

Game: b ←$ {0,1}; seed ←$ SEEDS (the seed is given to A)

Oracle ROR(m, aux):
  if exposed then return ⊥
  generate nonce n ←$ NG(aux)
  if b = 0 then return a random value
  else return HE^RO(seed, (m, n))

Oracle EXPOSE:
  return state

Oracle RO(v): the random oracle (v → w)

The adversary A queries ROR with (m, aux) and receives r, may query RO and EXPOSE, and outputs a guess b'.

Adv^ror(HE, NG, A) = 2 · Pr[ b' ←$ A^{ROR,EXPOSE,RO}; b = b' ] − 1

SLIDE 22

THE RANDOM-ORACLE SCHEME

HE(seed, nonce, message) = RO(seed || nonce || message) → randomness

Adv^prf(HE, A) ≤ q · 2^{-k} (q RO queries, seed length k)
Adv^ror(HE, NG, A) ≤ q · Adv^pred(NG, B)
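As an added example, not code from the slides or from the authors, here is the random-oracle scheme of slides 16, 18 and 22 in runnable form: the random oracle is replaced by SHA-256 (an assumption), the underlying PKE is textbook ElGamal with its coins passed in explicitly (a choice made here; the slides leave PKE abstract), and the group is the multiplicative group of Z_p for the Mersenne prime p = 2^127 − 1, a constructed toy parameter that is not a secure choice. The demo shows what the (nonce, message)-uniqueness requirement means in practice: a repeated (seed, nonce, message) triple produces an identical ciphertext, while a fresh nonce does not.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure parameters): Z_p^* for p = 2^127 - 1, base g = 3.
P = (1 << 127) - 1
G = 3
SEED_LEN = 32      # 256-bit sender seed (the k of the bound on this slide)


def ro(data: bytes) -> bytes:
    """Stand-in for the random oracle RO (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()


def he_ro(seed: bytes, nonce: bytes, message: bytes) -> bytes:
    """HE(seed, nonce, message) = RO(seed || nonce || message); each field is
    length-prefixed so that the concatenation cannot be re-split ambiguously."""
    enc = b"".join(len(x).to_bytes(4, "big") + x for x in (seed, nonce, message))
    return ro(enc)


# --- the underlying randomized PKE, with the randomness as an explicit input ---
def pke_kg():
    sk = secrets.randbelow(P - 2) + 1          # sk in [1, p-2]
    return sk, pow(G, sk, P)


def pke_enc(pk: int, m: int, randomness: bytes):
    """PKE.enc(pk, m; r): textbook ElGamal, the exponent r taken from the coins."""
    r = 1 + int.from_bytes(randomness, "big") % (P - 2)   # r in [1, p-2]
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def pke_dec(sk: int, c) -> int:
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c2 * c1^(-sk), via Fermat


# --- nonce-based PKE built on top (decryption is unchanged) -------------------
def npe_skg() -> bytes:
    """NPE.skg: the sender seed, generated once and kept as sender state."""
    return secrets.token_bytes(SEED_LEN)


def npe_enc(pk: int, seed: bytes, m: bytes, nonce: bytes):
    """NPE.enc(pk, seed, m, nonce): derive the coins with HE, then run PKE.enc."""
    m_int = int.from_bytes(m, "big")
    assert 0 < m_int < P, "toy encoding: the message must fit in one group element"
    return pke_enc(pk, m_int, he_ro(seed, nonce, m))


def npe_dec(sk: int, c) -> bytes:
    """NPE.dec = PKE.dec: the receiver never sees seed or nonce."""
    m_int = pke_dec(sk, c)
    return m_int.to_bytes((m_int.bit_length() + 7) // 8, "big")


def demo():
    sk, pk = pke_kg()
    seed = npe_skg()
    m = b"hello, bob"
    c1 = npe_enc(pk, seed, m, nonce=b"alice->bob|0001")
    c2 = npe_enc(pk, seed, m, nonce=b"alice->bob|0001")   # same (nonce, message)
    c3 = npe_enc(pk, seed, m, nonce=b"alice->bob|0002")   # fresh nonce
    return {
        "decrypts": npe_dec(sk, c1) == m,
        "repeat_is_visible": c1 == c2,        # why (nonce, message) pairs must be unique
        "fresh_nonce_differs": c1 != c3,
    }


if __name__ == "__main__":
    print(demo())
```

The receiver side is untouched, so an existing PKE deployment can adopt the scheme by changing only the encryptor; the cost is that an equal-ciphertext observation now reveals a repeated (nonce, message) pair, which is exactly the event the sender's nonce generator has to rule out while the seed is secret.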

SLIDE 23

RECALL: ALMOST-UNIVERSAL HASHING [Impagliazzo, Levin, Luby, 1989]

AUHF: F(randomness seed, (entropic) input)

Definition: F: K × X → Z is a ζ-AUHF if ∀ x ≠ y: Pr_k[ F(k, x) = F(k, y) ] ≤ ζ.

Leftover Hash Lemma: let F be a ζ-AUHF; then (k, z) ≈_{ζ'(k)} (k, F(k, x)) with k ←$ K, z ←$ Z, and x of min-entropy k.

SLIDE 24

THE STANDARD-MODEL SCHEME

HE(seed, nonce, message) → randomness, built from a PRF and an AUHF

Adv^prf(HE, A) ≤ Adv^prf(PRF, B)
Adv^ror(HE, NG, A) ≤ q · ζ'(k), if Adv^pred(NG, C) ≤ 2^{-k}

SLIDE 25

THE STANDARD-MODEL SCHEME

HE(seed, nonce, message) → randomness, built from a PRF and an AUHF

Caveat: nonces must be independent of the seed.

Adv^prf(HE, A) ≤ Adv^prf(PRF, B)
Adv^ror(HE, NG, A) ≤ q · ζ'(k), if Adv^pred(NG, C) ≤ 2^{-k}
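An added example (not the authors' code) of a standard-model hedged extractor in the shape of slides 23 to 25: a PRF (HMAC-SHA256, an assumption) and a ζ-AUHF (a polynomial hash over GF(p), p = 2^127 − 1) evaluated on the same (nonce, message) input, with the two outputs combined by XOR; the XOR combination is an assumption, since the slides only name the two components. Under a secret seed the PRF term masks everything; under a public but random seed the AUHF term is close to uniform by the Leftover Hash Lemma as long as the input is independent of the hash key, which is the caveat on this slide. The key layout (fk, hk) and the test inputs are constructed.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # Mersenne prime; the AUHF works over GF(p)
OUT_LEN = 16            # 128-bit randomness output (the AUHF term fills 127 of them)


def auhf(hk: int, x: bytes) -> int:
    """Polynomial hash over GF(p): Horner evaluation at hk over 15-byte blocks, with
    the byte length appended as the final block (so inputs of different length are
    never confused). For x != y the difference of the two polynomials is nonzero of
    degree < t, hence Pr_hk[collision] <= (t-1)/p: a zeta-AUHF with zeta = (t-1)/p
    for inputs of at most t blocks."""
    blocks = [int.from_bytes(x[i:i + 15], "big") for i in range(0, len(x), 15)]
    blocks.append(len(x))
    h = 0
    for b in blocks:
        h = (h * hk + b) % P
    return h


def prf(fk: bytes, x: bytes) -> bytes:
    """PRF term: HMAC-SHA256 truncated to OUT_LEN bytes (assumption: HMAC as the PRF)."""
    return hmac.new(fk, x, hashlib.sha256).digest()[:OUT_LEN]


def he_skg():
    """Seed generation: seed = (fk, hk), a 256-bit PRF key and a uniform AUHF key in Z_p."""
    return secrets.token_bytes(32), secrets.randbelow(P)


def he(seed, nonce: bytes, message: bytes) -> bytes:
    """HE(seed, nonce, message) = PRF(fk, x) XOR AUHF(hk, x) with x = (nonce, message).
    Caveat from the slide: the LHL needs x independent of hk, so nonces must not be
    derived from the seed."""
    fk, hk = seed
    x = len(nonce).to_bytes(4, "big") + nonce + message   # unambiguous encoding of (nonce, message)
    a = prf(fk, x)
    b = auhf(hk, x).to_bytes(OUT_LEN, "big")              # value < 2^127 fits in 16 bytes
    return bytes(u ^ v for u, v in zip(a, b))


def demo() -> bool:
    seed = he_skg()
    r1 = he(seed, b"nonce-1", b"message")
    r2 = he(seed, b"nonce-1", b"message")   # same input: same coins
    r3 = he(seed, b"nonce-2", b"message")   # fresh nonce: fresh coins
    return len(r1) == OUT_LEN and r1 == r2 and r1 != r3


if __name__ == "__main__":
    print("standard-model HE behaves as expected:", demo())
```

Because the AUHF term is only 127 bits wide, the top bit of the output comes from the PRF alone; in the public-seed case the extracted randomness is therefore 127 bits, which is the kind of accounting the ζ'(k) term in the bound makes explicit.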

SLIDE 26

NONCE-BASED PRIVACY, ONE

Setup: b ←$ {0,1}; seed ←$ SEEDS; (pk, sk) ←$ NPE.kg. A receives pk; the seed stays secret.

Oracle ENC(m0, m1, aux):
  if |m0| ≠ |m1| then return ⊥
  generate nonce n ←$ NG(aux)
  if the (message, nonce) pair repeats then return ⊥
  c ← NPE.enc^RO(pk, seed, m_b, n)
  return c

Oracle DEC(c'):
  decrypt c' and return m'

Oracle RO(v): the random oracle (v → w)

Adv^nbp1(NPE, A) = 2 · Pr[ b' ←$ A^{ENC,DEC,RO}; b = b' ] − 1


SLIDE 28

NONCE-BASED PRIVACY, TWO

Setup: b ←$ {0,1}; seed ←$ SEEDS; (pk, sk) ←$ NPE.kg. A receives pk and seed.

Oracle ENC(m0, m1, aux):
  if |m0| ≠ |m1| then return ⊥
  generate nonce n ←$ NG(aux)
  c ← NPE.enc^RO(pk, seed, m_b, n)
  return c

Oracle DEC(c'):
  decrypt c' and return m'

Oracle RO(v): the random oracle (v → w)

Adv^nbp2(NPE, A) = 2 · Pr[ b' ←$ A^{ENC,DEC,RO}; b = b' ] − 1


SLIDE 30

BUILDING NONCE-BASED PUBLIC-KEY ENCRYPTION

NPE.enc(public key, seed, message, nonce):
  randomness ← HE(seed, nonce, message)
  ciphertext ← PKE.enc(public key, message; randomness)

Adv^nbp1(NPE, A) ≤ 2 · Adv^prf(HE, B) + Adv^ind(PKE, C)
Adv^nbp2(NPE, A) ≤ 2 · Adv^ror(HE, B) + Adv^ind(PKE, C)

SLIDE 31

RELATED APPROACHES

  approach            assumption
  standard PKE        encryptor has access to fresh uniform randomness
  deterministic PKE   messages contain a certain entropy
  hedged PKE          message and nonce together have a certain entropy
  nonce-based PKE     seed secret and nonce unique, or seed random and nonce entropic

SLIDE 32

NONCE-BASED SIGNATURES

NDS.sign(signature key, seed, message, nonce):
  randomness ← HE(seed, nonce, message)
  signature ← DS.sign(signature key, message; randomness)

Adv^nbuf1(NDS, A) ≤ 2 · Adv^prf(HE, B) + Adv^uf(DS, C)
Adv^nbuf2(NDS, A) ≤ 2 · Adv^ror(HE, B) + Adv^uf(DS, C)
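As an added example (not the authors' code), the signature transform above instantiated with Schnorr signatures as DS and the random-oracle hedged extractor of slide 22 with SHA-256 standing in for RO; both are assumptions, as the slides leave DS and HE abstract. The group is the same constructed toy (Z_p^* for p = 2^127 − 1, base 3, exponents mod p − 1) and is not a secure parameter choice. The point shown is the one behind the "ECDSA randomness" entry on slide 2: the ephemeral exponent is derived from (seed, nonce, message), so even a nonce that repeats across two different messages yields two different ephemeral values, and signing the same (message, nonce) twice is deterministic rather than coin-dependent.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure parameters): Z_p^* for p = 2^127 - 1, base g = 3.
P = (1 << 127) - 1
G = 3
ORDER = P - 1            # order of Z_p^*; exponents are reduced modulo it


def ro(data: bytes) -> int:
    """Random-oracle stand-in (assumption: SHA-256), read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def he_ro(seed: bytes, nonce: bytes, message: bytes) -> int:
    """HE(seed, nonce, message) = RO(seed || nonce || message), fields length-prefixed."""
    enc = b"".join(len(x).to_bytes(4, "big") + x for x in (seed, nonce, message))
    return ro(enc)


def ds_kg():
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P)


def ds_sign(sk: int, m: bytes, randomness: int):
    """DS.sign(sk, m; r): Schnorr, with the ephemeral exponent k taken from the coins."""
    k = 1 + randomness % (ORDER - 1)                     # k in [1, order-1]
    big_r = pow(G, k, P)
    e = ro(big_r.to_bytes(16, "big") + m) % ORDER        # challenge bound to R and m
    s = (k + e * sk) % ORDER
    return big_r, s


def ds_verify(pk: int, m: bytes, sig) -> bool:
    big_r, s = sig
    if not (1 <= big_r < P and 0 <= s < ORDER):
        return False
    e = ro(big_r.to_bytes(16, "big") + m) % ORDER
    return pow(G, s, P) == (big_r * pow(pk, e, P)) % P   # g^s == R * pk^e


def nds_sign(sk: int, seed: bytes, m: bytes, nonce: bytes):
    """NDS.sign(sk, seed, m, nonce): coins from HE, then the unchanged DS.sign."""
    return ds_sign(sk, m, he_ro(seed, nonce, m))


def demo():
    sk, pk = ds_kg()
    seed = secrets.token_bytes(32)                        # sender seed, kept as state
    s1 = nds_sign(sk, seed, b"transfer 10", b"nonce-A")
    s2 = nds_sign(sk, seed, b"transfer 10", b"nonce-A")  # same (message, nonce): same signature
    s3 = nds_sign(sk, seed, b"transfer 99", b"nonce-A")  # nonce repeated, message differs
    return {
        "valid": ds_verify(pk, b"transfer 10", s1),
        "deterministic": s1 == s2,
        "repeated_nonce_fresh_k": s1[0] != s3[0],        # R differs: k depends on m as well
        "tampered_rejected": not ds_verify(pk, b"transfer 11", s1),
    }


if __name__ == "__main__":
    print(demo())
```

Verification is the plain DS verification, so relying parties need no change; the sender keeps a seed, and a nonce collision on its own no longer produces the repeated ephemeral exponent that makes randomness failures in discrete-log signatures so costly.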

SLIDE 33

THANKS! QUESTIONS?

SLIDE 34

NONCE-BASED UNFORGEABILITY, ONE

Setup: b ←$ {0,1}; state ← ⊥; seed ←$ SEEDS; (pk, sk) ←$ NDS.kg. A receives pk; the seed stays secret.

Oracle SIG(m, aux):
  generate nonce n ← NG(aux)
  s ← NDS.sign^RO(sk, seed, m, n)
  return s

Oracle RO(v): the random oracle (v → w)

Adv^nbuf1(NDS, A) = Pr[ s' ←$ A^{SIG,RO}; s' valid and fresh ]


SLIDE 36

NONCE-BASED UNFORGEABILITY, TWO

Setup: b ←$ {0,1}; state ← ⊥; seed ←$ SEEDS; (pk, sk) ←$ NDS.kg. A receives pk and seed.

Oracle SIG(m, aux):
  generate nonce n ← NG(aux)
  s ← NDS.sign^RO(sk, seed, m, n)
  return s

Oracle RO(v): the random oracle (v → w)

Adv^nbuf2(NDS, A) = Pr[ s' ←$ A^{SIG,RO}; s' valid and fresh ]
