detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors...
TRANSCRIPT
![Page 1: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/1.jpg)
Detection of Algebraic Manipulationwith Applications to
Robust Secret Sharingand
Fuzzy Extractors
Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Daniel Wichs
![Page 2: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/2.jpg)
Properties of §(G):
1. §(G) provides privacy.
2. §(G) allows algebraic manipulation.
2G+
Storage §(G)
What’s g?
¢ 2G
Abstract Storage Device §(G)
g
![Page 3: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/3.jpg)
Abstract Storage Device §(G)Q: Why study devices with these properties?
A: They appear implicitly in crypto applications:– Secret Sharing– Fuzzy Extractors
Problem: Because of algebraic manipulation, the above primitives are vulnerable to certain active adversarial attacks.
Task: A general method that helps us add “robustness” to secret sharing and fuzzy extractors.
![Page 4: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/4.jpg)
s = “Cut the blue wire!”
Application: Secret Sharing
g2G
S1
S2
S3
S4
S5
S6
Qualified sets: can recover g.Unqualified sets: learn nothing about g.
![Page 5: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/5.jpg)
Application: Secret SharingS1
S2
S3
S4
S5
S6
S’4
S’3
S’2
What’sg?
Unqualified Set
![Page 6: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/6.jpg)
g ’= Rec(S1,S2’ ,S3’ ,S4’,S5,S6) s’ = “Cut the red wire!”
Application: Secret Sharing
Robust Secret Sharing: An adversary who corrupts an unqualified set of players cannot cause the recovery of s’ s.
![Page 7: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/7.jpg)
g’ =Rec( )
= Rec(S1,S2 ,S3 ,S4,S5,S6) + Rec(0, ¢2, ¢3, ¢4, 0, 0)
= g + ¢
Linear Secret Sharing
S1,S’2,S’3,S’4,S5,S6
So is limited to algebraic manipulation! .
Assume Secret Sharing is Linear (i.e. [Sha79,KW93,…])
![Page 8: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/8.jpg)
Linear Secret SharingS1
S2
S3
S4
S5
S6
§(G)
• Privacy of SS ) Privacy of §(G).• Linearity of SS ) Algebraic Manipulation.
Need: A way to store data on §(G) so that algebraic manipulation can be detected.
![Page 9: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/9.jpg)
Algebraic Manipulation Detection (AMD) Codes
An AMD Code consists of– A probabilistic encoding function E: S ! G– A decoding function D: G ! S [ {?}
For any s, D(E(s)) = s For any s2 S , ¢ 2 G
Pr[D(E(s) + ¢) {s,?}]· ²
Robust Secret Sharing: Share E(s).
![Page 10: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/10.jpg)
g’ =Rec(S1,S’2,S’3,S’4,S5,S6) = g + ¢
=E(s)+¢
D(g’) = D(E(s) + ¢) 2 {s,?}
Robust Linear Secret Sharing
Recall:
![Page 11: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/11.jpg)
Construction of AMD Code
Systematic AMD code:E(s) = (s, k, h(s,k)) where k is random.
G = S £ G1 £ G2
Construction: h(s,k) = kd+2 + § si ki
Intuition: ¢3 = h(s+¢1,k+¢2) – h(s,k) is a non-zero polynomial in k.
– hence hard to guess for a random k.
i=0
d
![Page 12: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/12.jpg)
Parameters and Optimality
To get robustness security ² = 2- ·, encoding of s adds overhead 2· + O(log(|s|)) bits.
Almost matches lower bound of 2· bits.
Previous constructions of Robust SS implicitly defined AMD codes with overhead linear in |s|. [CPS02, OK96, PSV99]
To share a 1MB message with robustness ² = 2-128
– Previous construction had an overhead of 2 MB.– We get an overhead of less than 300 bits.
![Page 13: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/13.jpg)
Application #2
Fuzzy Extractors
![Page 14: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/14.jpg)
Fuzzy ExtractorsSecret w:“secret_Password”
Secret w’ :“Secret~password”w ¼ w’
w GenP
R
Robust
P Repw’ RFuzzy Extractor:R looks uniformly
random even after I see P.
P *
R *Robust fuzzy extractor:
I will detect P * P.
?
![Page 15: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/15.jpg)
Robust Fuzzy ExtractorsSecret w Secret w’
w GenP
RRepw’
P *
R /?
(Bob in the future)
Does not allow interaction!
![Page 16: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/16.jpg)
The Price of RobustnessNon-robust fuzzy extractors with “good” parameters were constructed for several natural metrics. [DORS04]
Until now, to get robustness, you had to choose:– Interaction + computational assumptions + CRS [BDKOS05]
– Random Oracle model [BDKOS05] – Entropy rate of w more than ½ + extract short keys [DKRS06]
Would like to get a non-interactive protocol that works for all entropy rates and does not require random oracles.
I.T. robustness requires that the entropy rate of w is more than ½, even in the non-fuzzy case w=w’.– The price of robustness, w.o. RO/CRS/assumptions, is HIGH! [DS02]
This talk: Robustness is essentially FREE in the CRS model!
![Page 17: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/17.jpg)
Randomness Extractors
ExtSecret: w
Public Seed: iR
Can extract almost all entropy in w.The extracted string is random, even givenThe public seed
(i,R) ¼ (i, U)
![Page 18: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/18.jpg)
Non-fuzzy Key Exchange
R=Ext(w,i) R=Ext(w,i)
i
Choose iNot robust!
![Page 19: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/19.jpg)
Non-fuzzy Key ExchangeCRS: Extractor seed i
R=Ext(w,i) R=Ext(w,i)
Trivial! No communication necessary!But does not generalize to fuzzy case…
Robust!
![Page 20: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/20.jpg)
Correcting Errors using a Secure Sketch
SSw S
Recw’
wS
SS(w) is very short and does not leak out much info about w.
![Page 21: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/21.jpg)
Fuzzy Extractor
w
P = (i,S)
RExt
SS
i
S
Gen() : Rep(w’,P) :
w
w w’
w’RecS w
wRExti
Cannot put in CRS since S is user-
specific.
Let’s try to only put i in the CRS and
“authenticate” S.
![Page 22: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/22.jpg)
Robust Fuzzy Extractor?
w
P = (S,¾)
R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’RecS w
w Exti
CRS: Extractor seed i
MACk ¾S VerS
¾
Rk“yes”,”no”
k
R
R
Split extracted randomnessInto 2 parts.
Use k as a key to a MAC to
“authenticate” S
![Page 23: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/23.jpg)
Robust Fuzzy Extractor?
w
P * = (S *, ¾*)
R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’RecS * w
w Exti
CRS: Extractor seed i
MACk ¾S Ver
¾*
Rk“yes”,”no”
kS *
![Page 24: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/24.jpg)
Robust Fuzzy Extractor?
w
P * = (S *, ¾*)
R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’RecS * w*
Exti
CRS: Extractor seed i
MACk ¾S Ver
¾*
Rk“yes”,”no”
kS *
w*
![Page 25: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/25.jpg)
Robust Fuzzy Extractor?
w
P * = (S *, ¾*)
R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’RecS * w*
Exti
CRS: Extractor seed i
MACk ¾S Ver
¾*
Rk*
“yes”,”no”
k*S *
w*
Might not be secure!But let’s see - how insecure is it?Assume that the secure sketch
and extractor are linear...
![Page 26: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/26.jpg)
Robust Fuzzy Extractor?
w R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’Rec
Exti
CRS: Extractor seed i
MACk ¾S Ver “yes”,
”no”
S+¢Sw*
w* Rk*
k*
¾*S *
P * = (S *, ¾*)
![Page 27: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/27.jpg)
w+¢w
w+¢w
Robust Fuzzy Extractor?
w R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’RecS+¢S
Exti
CRS: Extractor seed i
MACk ¾S Ver “yes”,
”no”
Rk*
k*
¾*S *
P * = (S *, ¾*)
![Page 28: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/28.jpg)
k+¢k
Rk +¢k
w+¢w
Robust Fuzzy Extractor?
w R,kExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’Rec
Exti
CRS: Extractor seed i
MACk ¾S Ver “yes”,
”no”
w+¢w
S+¢S
P * = (S *, ¾*)
¾*S *
![Page 29: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/29.jpg)
k
R
Robust Fuzzy Extractor?
w
P = (S,¾)
RExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’Rec
Exti
CRS: Extractor seed i
MACk ¾S Ver “yes”,
”no”§(G)
• Can think of MAC key k as stored on a device §(G).• Can’t encode k using an AMD code.• Need a new MAC primitive.
S * w*
¾*S *
w*
![Page 30: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/30.jpg)
MAC with Key Manipulation Security (KMS-MAC)
A (one-time) MAC that is secure even if the key used for verification is stored on §(G).
Given ¾ = MACk(s) can’t come up with ¢ and ¾’ = MACk+¢(s’).
Systematic AMD code ) KMS-MAC:– E(s) = (s, k, h(s,k))– MAC (k1,k2)
(s) = h(s,k1)+k2
![Page 31: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/31.jpg)
k
R
Robust Fuzzy Extractor?
wRExt
SS
i
S
Gen(): Rep(w’,P):
w
w w’
w’Rec
Exti
CRS: Extractor seed i
MACk ¾S Ver “yes”,
”no”§(G)
S * w*
¾*S *
w*
Use a KMS-MAC!
P * = (S *, ¾*)
![Page 32: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/32.jpg)
Parameters
Because our KMS-MAC has short keys, we loose very little randomness to achieve robustness!
In the CRS model, robustness comes essentially for FREE.– At least for “linear” fuzzy extractors
![Page 33: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/33.jpg)
Review
Devices §(G) appear naturally in crypto applications.– Linear Secret Sharing.– Fuzzy Extractors in CRS model.
Use AMD codes or KMS-MACs to get robustness.
![Page 34: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,](https://reader038.vdocuments.net/reader038/viewer/2022103111/5518c14b550346b31f8b55b2/html5/thumbnails/34.jpg)
THANK YOU!
Questions?