Results 1-10 of 32
Efficient Non-Malleable Codes and Key-Derivation for Poly-Size Tampering Circuits
2013
Cited by 23 (7 self)
Abstract
Non-malleable codes, defined by Dziembowski, Pietrzak and Wichs (ICS ’10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c′ = f(c) such that c′ ≠ c, then the tampered message x′ contained in c′ reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this work we show “the next best thing”: for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f ∈ F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic and our main proof technique relies on a careful probabilistic method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes, such that a random member of the family is non-malleable with overwhelming
Cryptography Secure Against Related-Key Attacks and Tampering
2011
Cited by 22 (3 self)
Abstract
We show how to leverage the RKA (Related-Key Attack) security of blockciphers to provide RKA security for a suite of high-level primitives. This motivates a more general theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide both positive and negative answers. What emerges is a broad and high-level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist “more” RKAs than others. A technical challenge was to achieve RKA security even for the practical classes of related-key deriving (RKD) functions underlying fault injection attacks that fail to satisfy the “claw-freeness” assumption made in previous works. We surmount this barrier for the first time based on the construction of PRGs that are not only RKA secure but satisfy a new notion of identity-collision-resistance.
RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures
2012
Cited by 19 (4 self)
Abstract
We provide a framework enabling the construction of IBE schemes that are secure under related-key attacks (RKAs). Specific instantiations of the framework yield RKA-secure IBE schemes for sets of related key derivation functions that are non-linear, thus overcoming a current barrier in RKA security. In particular, we obtain IBE schemes that are RKA secure for sets consisting of all affine functions and all polynomial functions of bounded degree. Based on this we obtain the first constructions of RKA-secure schemes for the same sets for the following primitives: CCA-secure public-key encryption, CCA-secure symmetric encryption and signatures. All our results are in the standard model and hold under reasonable hardness assumptions.
Semantic security under related-key attacks and applications
2011
Cited by 18 (2 self)
Abstract
In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural “key-homomorphism” property. We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional Diffie-Hellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use schemes with optimal ciphertext size or randomized unlimited-use schemes. We instantiate this approach by constructing a simple RKA-secure pseudorandom generator
Correlated-Input Secure Hash Functions
Cited by 18 (0 self)
Abstract
We undertake a general study of hash functions secure under correlated inputs, meaning that security should be maintained when the adversary sees hash values of many related high-entropy inputs. Such a property is satisfied by a random oracle, and its importance is illustrated by study of the “avalanche effect,” a well-known heuristic in cryptographic hash function design. One can interpret “security” in different ways: e.g., asking for one-wayness or that the hash values look uniformly and independently random; the latter case can be seen as a generalization of correlation-robustness introduced by Ishai et al. (CRYPTO 2003). We give specific applications of these notions to password-based login and efficient search on encrypted data. Our main construction achieves them (without random oracles) for inputs related by polynomials over the input space (namely Zp), based on corresponding variants of the q-Diffie-Hellman Inversion assumption. Additionally, we show relations between correlated-input secure hash functions and cryptographic primitives secure under related-key attacks. Using our techniques, we are also able to obtain a host of new results for such related-key attack secure cryptographic primitives.
On the Security of the “Free-XOR” Technique
Cited by 13 (0 self)
Abstract
Yao’s garbled-circuit approach enables constant-round secure two-party computation for any boolean circuit. In Yao’s original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated “for free”, i.e., incurring no cryptographic operations and zero communication. Their “free-XOR” technique has proven very popular, and has been shown to improve performance of garbled-circuit protocols by up to a factor of 4. Kolesnikov and Schneider proved security of their approach in the random oracle model, and claimed that (an unspecified variant of) correlation robustness would suffice; this claim has been repeated in subsequent work, and similar ideas have since been used (with the same claim about correlation robustness) in other contexts. We show that, in fact, the free-XOR technique cannot be proven secure based on correlation robustness alone: somewhat surprisingly, some form of circular security is also required. We propose an appropriate notion of security for hash functions capturing the necessary requirements, and prove security of the free-XOR approach when instantiated with any hash function satisfying our definition. Our results do not impact the security of the free-XOR technique in practice, or imply an error in the free-XOR work, but instead pin down the assumptions needed to prove security.
Bounded Tamper Resilience: How to go beyond the Algebraic Barrier
2013
Cited by 12 (7 self)
Abstract
Related-key attacks (RKAs) are powerful cryptanalytic attacks where an adversary can change the secret key and observe the effect of such changes at the output. The state of the art in RKA security protects against an a priori unbounded number of certain algebraically induced key relations, e.g., affine functions or polynomials of bounded degree. In this work, we show that it is possible to go beyond the algebraic barrier and achieve security against arbitrary key relations, by restricting the number of tampering queries the adversary is allowed to ask for. The latter restriction is necessary in the case of arbitrary key relations, as otherwise a generic attack of Gennaro et al. (TCC 2004) shows how to recover the key of almost any cryptographic primitive. We describe our contributions in more detail below. 1. We show that standard ID and signature schemes constructed from a large class of Σ-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover’s state a bounded number of times and obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can also allow independent tampering with the public parameters.
Key Homomorphic PRFs and Their Applications
2014
Cited by 10 (1 self)
Abstract
A pseudorandom function F: K × X → Y is said to be key homomorphic if given F(k1, x) and F(k2, x) there is an efficient algorithm to compute F(k1 ⊕ k2, x), where ⊕ denotes a group operation on k1 and k2 such as xor. Key homomorphic PRFs are natural objects to study and have a number of interesting applications: they can simplify the process of rotating encryption keys for encrypted data stored in the cloud, they give one-round distributed PRFs, and they can be the basis of a symmetric-key proxy re-encryption scheme. Until now all known constructions for key homomorphic PRFs were only proven secure in the random oracle model. We construct the first provably secure key homomorphic PRFs in the standard model. Our main construction is based on the learning with errors (LWE) problem. In the proof of security we need a variant of LWE where query points are non-uniform and we show that this variant is as hard as the standard LWE. We also construct key homomorphic PRFs based on the decision linear assumption in groups with an ℓ-linear map. We leave as an open problem the question of constructing standard model key homomorphic PRFs from more general assumptions.
Garbling XOR Gates “For Free” in the Standard Model
Cited by 8 (0 self)
Abstract
Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows one to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of the circuit C (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates “for free” in a way that involves no cryptographic operations and no communication. This variant has become very popular and has led to notable performance improvements. The security of the free-XOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the free-XOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps: 1. We show that the random oracle can be replaced with a symmetric encryption which remains secure under a combined form of related-key (RK) and key-dependent message (KDM) attacks; 2. We show that such a symmetric encryption can be constructed based on the LPN assumption. As an additional contribution, we prove that the combination of RK and KDM security is non-trivial in the following sense: there exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely in the presence of combined RK-KDM attacks.
On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model
Cited by 8 (0 self)
Abstract
Bellare and Kohno introduced a formal framework for the study of related-key attacks against blockciphers. They established sufficient conditions (output-unpredictability and collision-resistance) on the set of related-key-deriving (RKD) functions under which an ideal cipher is secure against related-key attacks, and suggested this could be used to derive security goals for real blockciphers. However, to do so requires the reinterpretation of results proven in the ideal-cipher model for the standard model (in which a blockcipher is modelled as, say, a pseudorandom permutation family). As we show here, this is a fraught activity. In particular, building on a recent idea of Bernstein, we first demonstrate a related-key attack that applies generically to a large class of blockciphers. The attack exploits the existence of a short description of the blockcipher, and so does not apply in the ideal-cipher model. However, the specific RKD functions used in the attack are provably output-unpredictable and collision-resistant. In this sense, the attack can be seen as a separation between the ideal-cipher model and the standard model. Second, we investigate how the related-key attack model of Bellare and Kohno can be extended to include sets of RKD functions that themselves access the ideal cipher. Precisely such related-key functions underlie the generic attack, so our extended modelling allows us to capture a larger universe of related-key attacks in the ideal-cipher model. We establish a new set of conditions on related-key functions that is sufficient to prove a theorem analogous to the main result of Bellare and Kohno, but for our extended model. We then exhibit non-trivial classes