Cryptography in Bounded Storage Model: Ensuring Secure Communication

Slide Note
Embed
Share

Cryptography in the Bounded Storage Model provides insights into securing communication with secrecy and authenticity. The model limits adversaries' memory without runtime restrictions, ensuring unconditional security for various primitives. Explore how this model safeguards messages from eavesdroppers and guarantees the message's origin, offering efficient protection against potential threats.

lor_mc
lor_mc Follow

Uploaded on Sep 24, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Authentication in the Bounded Storage Model Yevgeniy Dodis Willy Quach Daniel Wichs New York University Northeastern University Northeastern University NTT Reseach EUROCRYPT 2022

  2. Cryptography 101: Secure Communication Secrecy: message is hidden from Eve Eve Authenticity: Bob is convinced message comes from Alice (and not from Eve) Alice Bob Hello! Without restriction on adversaries, key |message|[Shannon49] Key can only be reused a few times Public-key setting impossible

  3. Cryptography 101: Secure Communication Secrecy: message is hidden from Eve Eve Authenticity: Bob is convinced message comes from Alice (and not from Eve) Alice Bob Hello! Without restriction on adversaries, key |message|[Shannon49] Restrict to efficient adversaries: typically polynomial run-time Requires computational assumptions: at least ? ?? Cryptographers seldom sleep well

  4. The Bounded Storage Model (BSM) [Maurer92] Secrecy: message is hidden from Eve Eve Authenticity: Bob is convinced message comes from Alice (and not from Eve) Alice Bob Hello! Alternative assumption on adversaries: limited memory No restriction on runtime of adversaries Honest users use much less memory than the adversary Surprisingly, unconditional security for many primitives in that model!

  5. The Bounded Storage Model (BSM) [Maurer92] Blah Blah Secrecy: message is hidden from Eve Blah Eve Authenticity: Bob is convinced message comes from Alice (and not from Eve) Alice Bob Blah Blah Blah Alternative assumption on adversaries: limited memory No restriction on runtime of adversaries Honest users use much less memory than the adversary Surprisingly, unconditional security for many primitives in that model!

  6. The Bounded Storage Model (BSM) [Maurer92] ??? Blah Blah Secrecy: message is hidden from Eve Blah Eve Authenticity: Bob is convinced message comes from Alice (and not from Eve) Alice Bob Blah BlahBlah Blah BlahBlah Blah Blah Blah Alternative assumption on adversaries: limited memory No restriction on runtime of adversaries Honest users use much less memory than the adversary Surprisingly, unconditional security for many primitives in that model!

  7. The (Streaming) BSM [Raz16,GuanZhandry19,DodisQuachWichs21] Memory ? Memory ? Memory ? Blah Blah Blah Blah Users stream their messages Messages are possibly long, of size ? Generated and processed using memory ? Adversary has memory ? ?, and unbounded runtime

  8. Prior Work in the BSM Adversary/Honest Memory Gap Symmetric-Key Encryption [Maurer92, ,Vadhan04,Raz16] [Cachin-Maurer97, , Guan-Zhandry19] Key Agreement (!) Oblivious Transfer, MPC Unconditional security in the BSM (!) Schemes are reusable (up to an exponential number of times) Security power of the adversary (compared to honest users)

  9. Prior Work in the BSM Adversary/Honest Memory Gap ? = 2?(?) Symmetric-Key Encryption [Maurer92, ,Vadhan04,Raz16] ? = ?(?2)* [Cachin-Maurer97, , Guan-Zhandry19] Key Agreement (!) ? = ?(?2)* Oblivious Transfer, MPC Unconditional security in the BSM (!) Schemes are reusable (up to an exponential number of times) Security power of the adversary (compared to honest users) If ? is exponential, honest users need to stream exponentially many bits For polynomially efficient honest users, use ? = poly(?) What about authentication? *Can make gap exponential at the cost of much larger communication and interaction [DQW21]

  10. Our Results: Authentication in the BSM 1. Symmetric-key authentication with long tags Tags are larger than the adversary memory Up to exponential gap: ? = 2?(?) 2. Symmetric-key authentication with short tags Tags fit in honest user memory Quadratic gap: ? = ?(?2) (tight) All schemes have unconditional security and are reusable 3. Public-Key Signatures Quadratic gap: ? = ?(?2) (tight)

  11. Our Results: Authentication in the BSM 1. Symmetric-key authentication with long tags Tags are larger than the adversary memory Up to exponential gap: ? = 2?(?) 2. Symmetric-key authentication with short tags Tags fit in honest user memory Quadratic gap: ? = ?(?2) (tight) All schemes have unconditional security and are reusable 3. Public-Key Signatures Quadratic gap: ? = ?(?2) (tight)

  12. Symmetric-Key Authentication (MACs) in the BSM Alice ? Bob ? potentially large: ? streamed sk sk Correctness: Bob accepts messages authenticated by Alice

  13. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? potentially large: ? streamed sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability:

  14. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? potentially large: ? streamed sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Reusability: Eve can see arbitrarily many authentications

  15. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? potentially large: ? streamed sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Reusability: Eve can see arbitrarily many authentications

  16. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? potentially large: ? streamed sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Reusability: Eve can see arbitrarily many authentications

  17. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Eve cannot make Bob accept fake authentications Reusability: Eve can see arbitrarily many authentications

  18. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Active Eve cannot make Bob accept fake authentications Streaming channel with Alice to receive authentication of her choice Streaming channel with Bob to check whether authentications are accepted Can modify authentications on the fly (in a streaming manner, using memory ?)

  19. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Active Eve cannot make Bob accept fake authentications Streaming channel with Alice to receive authentication of her choice Streaming channel with Bob to check whether authentications are accepted Can modify authentications on the fly (in a streaming manner, using memory ?)

  20. Symmetric-Key Authentication (MACs) in the BSM Eve ? Alice ? Bob ? sk sk Correctness: Bob accepts messages authenticated by Alice Unforgeability: Active Eve cannot make Bob accept fake authentications Streaming channel with Alice to receive authentication of her choice Streaming channel with Bob to check whether authentications are accepted Can modify authentications on the fly (in a streaming manner, using memory ?)

  21. Constructing MACs with Long Tags Eve ? Alice ? Bob ? sk sk Main idea: encrypt tags of an information-theoretic one-time MAC Symmetric-key encryption in the BSM Intuition for security:

  22. Constructing MACs with Long Tags Eve ? Alice ? Bob ? sk sk Main idea: encrypt tags of an information-theoretic one-time MAC Symmetric-key encryption in the BSM Intuition for security: 1. If Eve passively observes authentications, security of applies

  23. Constructing MACs with Long Tags Eve ? Alice ? Bob ? sk sk Main idea: encrypt tags of an information-theoretic one-time MAC Symmetric-key encryption in the BSM Intuition for security: 1. If Eve passively observes authentications, security of applies 2. If Eve tries to relay one authentication to Bob, one-time MAC security applies Can still hurt security of MAC needs to authenticate the encryption too

  24. Constructing MACs with Long Tags Eve ? Alice ? Bob ? ? = 2?(?) large tags sk sk Main idea: encrypt tags of an information-theoretic one-time MAC Symmetric-key encryption in the BSM Intuition for security: 1. If Eve passively observes authentications, security of applies 2. If Eve tries to relay one authentication to Bob, one-time MAC security applies Can still hurt security of MAC needs to authenticate the encryption too In general Eve can delay/mix her input/output streams Still works

  25. Our Results: Authentication in the BSM 1. Symmetric-key authentication with long tags Tags are larger than the adversary memory Up to exponential gap: ? = 2?(?) 2. Symmetric-key authentication with short tags Tags fit in honest user memory Quadratic gap: ? = ?(?2) (tight) All schemes have unconditional security and are reusable 3. Public-Key Signatures Quadratic gap: ? = ?(?2) (tight)

  26. MAC with Short Tags In previous construction, tags don t even fit in Eve s memory ? How short can the tags be? Can we have tags that fit in honest users memory ?? No need to stream nor send long messages! Impossible if ? ?2 (Eve cannot store too many tags) Eve ? Alice ? Bob ? We (surprisingly) can! Small: ?? sk sk

  27. MAC with Short Tags from Razs Lower Bound [Raz16] proves that learning parities is hard using bounded memory 0,1? Rephrasing: ???? ??, ??,? is an unconditionally secure weak PRF against adversaries with memory ? = ? ?2 (tight) Noiseless LPN? MACs from LPN? Generic construction from key-homomorphic weak PRFs [DodisKiltzPietrzakWichs12] in the standard sense. More work required in the bounded memory setting Gives a MAC in the BSM with short tags, where ? = ?(?2) (tight)

  28. MAC with Short Tags from Razs Lower Bound [Raz16] proves that learning parities is hard using bounded memory 0,1? Rephrasing: ???? ??, ??,? is an unconditionally securekey-homomorphic weak PRF against adversaries with memory ? = ? ?2 (tight) Noiseless LPN? MACs from LPN? Generic construction from key-homomorphic weak PRFs [DodisKiltzPietrzakWichs12] in the standard sense. More work required in the bounded memory setting Gives a MAC in the BSM with short tags, where ? = ?(?2) (tight)

  29. Our Results: Authentication in the BSM 1. Symmetric-key authentication with long tags Tags are larger than the adversary memory Up to exponential gap: ? = 2?(?) 2. Symmetric-key authentication with short tags Tags fit in honest user memory Quadratic gap: ? = ?(?2) (tight) All schemes have unconditional security and are reusable 3. Public-Key Signatures Quadratic gap: ? = ?(?2) (tight)

  30. Signatures in the (Streaming) BSM Public, long, authenticated stream, once for all verification key Alice ? Bob ? potentially large: ? vd sk Small verification digest Small signing key Verify vd,?,? = Sign(sk,?) Potentially long, streamed

  31. Signatures in the (Streaming) BSM Public, long, authenticated stream, once for all verification key Alice ? Bob ? potentially large: ? vd sk Small verification digest Small signing key Verify vd ,?,? = Sign(sk,?) Potentially long, streamed

  32. Signatures in the (Streaming) BSM Public, long, authenticated stream, once for all verification key Alice ? Bob ? potentially large: ? vd sk Small verification digest Small signing key Eve ?

  33. Signatures in the (Streaming) BSM Public, long, authenticated stream, once for all verification key Alice ? Bob ? potentially large: ? vd sk Small verification digest Small signing key Verify vd,?,? = Sign(sk,?) Eve ?

  34. Constructing Signatures (1) Public, long, authenticated stream, once for all verification key Alice ? Bob ? Key agreement potentially large: ? sk sk Small signing key BSM MAC MAC(sk,?) Potentially long, streamed

  35. Constructing Signatures (1) Public, long, authenticated stream, once for all verification key Alice ? Bob ? Key agreement potentially large: ? sk sk Small signing key BSM MAC MAC(sk,?) Potentially long, streamed

  36. Constructing Signatures (1) Public, long, authenticated stream, once for all verification key Alice ? Eve ? Key agreement potentially large: ? sk sk Small signing key BSM MAC MAC(sk,?) Potentially long, streamed

  37. Constructing Signatures (1) Public, long, authenticated stream, once for all verification key Alice ? Eve ? Key agreement potentially large: ? sk sk Small signing key How to agree on a key using a single broadcast message ?

  38. Set Key Agreement Public, long, authenticated stream Alice ? Bob ? potentially large: ? sk = sk1, ,sk? sk?= sk? ? ?,? [?] 1. Alice and Bob share |?| keys

  39. Set Key Agreement Public, long, authenticated stream Alice ? Bob ? potentially large: ? sk = sk1, ,sk? sk?= sk? ? ?,? [?] 1. Alice and Bob share |?| keys

  40. Set Key Agreement Public, long, authenticated stream Alice ? Bob ? potentially large: ? sk = sk1, ,sk? sk?= sk? ? ?,? [?] ??? ??? 1. Alice and Bob share |?| keys 2. Some sk?,? ? looks uniform to Eve even given all the other keys The index ?depends on Eve Alice and Bob don t know ?

  41. Constructing Signatures (2) Public, long, authenticated stream, once for all verification key Alice ? Bob ? Set key agreement potentially large: ? Small signing key sk? sk BSM MAC MAC sk?,? Potentially long, streamed ? [?] Security inherits from MAC security with sk?

  42. Summary We study authentication in the (streaming) bounded storage model Adversaries have unlimited computational power, but limited memory Enables unconditional security and reusability (!) We give three constructions: 1. A MAC with long tags Adversaries have exponentially large memory ? = 2?(?), but tags are even larger 2. A MAC with short tags: tags fit in honest users memory (!), no need to stream Adversaries have quadratic memory ? = ?(?2) (tight) 3. A signature scheme Adversaries have quadratic memory ? = ?(?2) (tight) Both verification keys and signatures are longer than ? Thanks for listening! https://ia.cr/2022/690 Thanks Eysa Lee for the drawings!

Related


Cryptography in the Bounded Storage Model: Revisited - Eurocrypt 2023

Cryptography in the Bounded Storage Model: Revisited - Eurocrypt 2023

loc_bod
Regret-Bounded Vehicle Routing Approximation Algorithms

Regret-Bounded Vehicle Routing Approximation Algorithms

lilgrbl
Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Bounded Satisfiability Checking for Early Legal Compliance Verification

Bounded Satisfiability Checking for Early Legal Compliance Verification

nicksongi
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

rago_a
Understanding Public-Key Cryptography and Its Applications

Understanding Public-Key Cryptography and Its Applications

nbull
Lower Bounds on Sampling Good Codes in Bounded-Depth Circuits

Lower Bounds on Sampling Good Codes in Bounded-Depth Circuits

nysh_101
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Foundations of Cryptography: MIT Course Overview and Key Concepts

Foundations of Cryptography: MIT Course Overview and Key Concepts

dherb
Exploring Public-Key Cryptography and Ancient Mathematical Techniques

Exploring Public-Key Cryptography and Ancient Mathematical Techniques

kbre
Evolution of Proofs in Cryptography

Evolution of Proofs in Cryptography

ahmari
Understanding Secure Information Transmission in Cryptography

Understanding Secure Information Transmission in Cryptography

rene_1
Understanding Secure PRFs and PRPs in Cryptography

Understanding Secure PRFs and PRPs in Cryptography

tanyah
Introduction to Cryptography: Basics, Terminology, and Significance

Introduction to Cryptography: Basics, Terminology, and Significance

lucius
Introduction to Cryptography, Cryptanalysis, and Cryptology

Introduction to Cryptography, Cryptanalysis, and Cryptology

waverly
Understanding Public Key Cryptography in Network Security

Understanding Public Key Cryptography in Network Security

mwasd
Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

dhrn907
Cryptography and Information Security Fundamentals

Cryptography and Information Security Fundamentals

brer179
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography

kenna
Nicor Gas Supply and Storage Overview

Nicor Gas Supply and Storage Overview

shouryad
Various Structures for Seed Storage and Improved Rural Storage Methods

Various Structures for Seed Storage and Improved Rural Storage Methods

theodora

More Related Content

Understanding Tape Storage: LTO and LTFS Overview
Understanding Tape Storage: LTO and LTFS Overview
PELICAN: A Building Block for Exascale Cold Data Storage
PELICAN: A Building Block for Exascale Cold Data Storage
Evolution of Ceph's Storage Backends: Lessons Learned
Evolution of Ceph's Storage Backends: Lessons Learned
The Fascinating World of Cryptography
The Fascinating World of Cryptography
Understanding Cryptography in the Digital World
Understanding Cryptography in the Digital World
Cache Attack on BLISS Lattice-Based Signature Scheme
Cache Attack on BLISS Lattice-Based Signature Scheme
Ascon: The Lightweight Cryptography Standard for IoT
Ascon: The Lightweight Cryptography Standard for IoT
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Key Management and Distribution Techniques in Cryptography
Key Management and Distribution Techniques in Cryptography
Gas Storage Investment Workshop Insights
Gas Storage Investment Workshop Insights
Formal Verification of Quantum Cryptography by Dominique Unruh
Formal Verification of Quantum Cryptography by Dominique Unruh
Exploring the World of Quantum Money and Cryptography
Exploring the World of Quantum Money and Cryptography
Post-Quantum Cryptography Security Proofs and Models Overview
Post-Quantum Cryptography Security Proofs and Models Overview
Exploring Post-Quantum Cryptography and Constructive Reductions
Exploring Post-Quantum Cryptography and Constructive Reductions
Understanding Cryptography: Basic Concepts in Number Theory and Divisibility
Understanding Cryptography: Basic Concepts in Number Theory and Divisibility
Key Distribution and Management in Cryptography
Key Distribution and Management in Cryptography
Introduction to RSA Cryptography and Public Key Encryption
Introduction to RSA Cryptography and Public Key Encryption
Understanding Cryptography: Basics of Encryption and Padding
Understanding Cryptography: Basics of Encryption and Padding
Understanding the Importance of Web Cryptography API and Its Application
Understanding the Importance of Web Cryptography API and Its Application
HPE Nimble Storage Solutions: Starter Kits Promotion
HPE Nimble Storage Solutions: Starter Kits Promotion
IGU Gas Storage Committee 2022-23 Meeting Highlights
IGU Gas Storage Committee 2022-23 Meeting Highlights
Overview of EGI Online Storage Service Architecture and Interfaces
Overview of EGI Online Storage Service Architecture and Interfaces
Infinite Impulse Response Filters
Infinite Impulse Response Filters
Achieving Bounded Latency in Data Centers: A Comprehensive Study
Achieving Bounded Latency in Data Centers: A Comprehensive Study