Bounded key-dependent message security

Boaz Barak; Iftach Haitner; Dennis Hofheinz; Yuval Ishai

doi:10.1007/978-3-642-13190-5_22

Bounded key-dependent message security

Boaz Barak, Iftach Haitner, Dennis Hofheinz, Yuval Ishai

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

99 Scopus citations

Abstract

We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N, we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.

Original language	English
Title of host publication	Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Pages	423-444
Number of pages	22
DOIs	https://doi.org/10.1007/978-3-642-13190-5_22
State	Published - 2010
Event	29th in the Series of EuropeanConferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010 - French Riviera, France Duration: 30 May 2010 → 3 Jun 2010

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6110 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th in the Series of EuropeanConferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010
Country/Territory	France
City	French Riviera
Period	30/05/10 → 3/06/10

Keywords

KDM/clique/circular security
formal security
fully homomorphic encryption

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-13190-5_22

Cite this

Barak, B., Haitner, I., Hofheinz, D., & Ishai, Y. (2010). Bounded key-dependent message security. In Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (pp. 423-444). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6110 LNCS). https://doi.org/10.1007/978-3-642-13190-5_22

Barak, Boaz ; Haitner, Iftach ; Hofheinz, Dennis et al. / Bounded key-dependent message security. Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. 2010. pp. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{84728d2a2afe4ecaa864e0056a4df287,

title = "Bounded key-dependent message security",

abstract = "We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N, we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.",

keywords = "KDM/clique/circular security, formal security, fully homomorphic encryption",

author = "Boaz Barak and Iftach Haitner and Dennis Hofheinz and Yuval Ishai",

year = "2010",

doi = "10.1007/978-3-642-13190-5_22",

language = "אנגלית",

isbn = "3642131891",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "423--444",

booktitle = "Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings",

note = "29th in the Series of EuropeanConferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010 ; Conference date: 30-05-2010 Through 03-06-2010",

}

Barak, B, Haitner, I, Hofheinz, D & Ishai, Y 2010, Bounded key-dependent message security. in Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6110 LNCS, pp. 423-444, 29th in the Series of EuropeanConferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010, French Riviera, France, 30/05/10. https://doi.org/10.1007/978-3-642-13190-5_22

Bounded key-dependent message security. / Barak, Boaz; Haitner, Iftach; Hofheinz, Dennis et al.
Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. 2010. p. 423-444 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6110 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Bounded key-dependent message security

AU - Barak, Boaz

AU - Haitner, Iftach

AU - Hofheinz, Dennis

AU - Ishai, Yuval

PY - 2010

Y1 - 2010

N2 - We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N, we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.

AB - We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, and for arbitrary but fixed polynomials L and N, we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme that additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that its algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Finally, we extend an impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions if the proof makes only a black-box use of the query function and the adversary attacking the scheme. This shows that the non-black-box use of the query function in our proof of security is inherent.

KW - KDM/clique/circular security

KW - formal security

KW - fully homomorphic encryption

UR - http://www.scopus.com/inward/record.url?scp=77954643565&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-13190-5_22

DO - 10.1007/978-3-642-13190-5_22

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:77954643565

SN - 3642131891

SN - 9783642131899

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 423

EP - 444

BT - Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

T2 - 29th in the Series of EuropeanConferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010

Y2 - 30 May 2010 through 3 June 2010

ER -

Barak B, Haitner I, Hofheinz D, Ishai Y. Bounded key-dependent message security. In Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. 2010. p. 423-444. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-13190-5_22

Bounded key-dependent message security

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this