unconditionally secure chaffing-and-winnowing for multiple use wataru kitada 1, goichiro hanaoka 2,...
TRANSCRIPT
![Page 1: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/1.jpg)
Unconditionally Secure Chaffing-and-Winnowing for
Multiple Use
Wataru Kitada1, Goichiro Hanaoka2, Kanta Matsuura1, Hideki Imai2
1. IIS, the University of Tokyo2. RCIS, AIST
![Page 2: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/2.jpg)
• Detailed analysis of Chaffing-and-Winnowing (C&W) under multiple-use setting
• More efficient Chaffing-and-Winnowing– C&W for n-time use from n-spoofing secure
A-code
– practical C&W from A-code with a specific property
Overview of This Work
2
We show:
![Page 3: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/3.jpg)
Contents
• Overview
• Unconditionally Secure C&W for Multiple Use
• C&W with one authentication tag
• Future Work and Conclusion
3
![Page 4: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/4.jpg)
• Overview– Chaffing and Winnowing– Previous Work– Our Contribution
• Unconditionally Secure C&W for Multiple Use
• C&W with one authentication tag
• Future Work and Conclusion 4
![Page 5: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/5.jpg)
Chaffing-and-Winnowing (C&W)
• A technique to achieve confidentiality without using encryption when sending data over an insecure channel.
• Proposed by R. Rivest“Chaffing and winnowing: confidentiality without encryption” http://theory.lcs.mit.edu/~rivest/publications.html
![Page 6: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/6.jpg)
Basic Idea
• Send plaintext directly• No encryption is performed • Send dummies with the plaintext. chaff• Only one of the plaintext is authentic, the
other ones are dummies• Receiver can distinguish plaintext (wheat)
from dummies (chaff). winnow• Being able to distinguish plaintext from
dummies would require an adversary to know the secret key.
![Page 7: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/7.jpg)
7
Chaffing-and-Winnowing
• Example– Authentication code (A-code) : Ak(M)– Plaintext: “Hi Bob”
A1=Ak(“Hi Bob”)A2=Ak’(“Hi Larry”)
(“Hi Bob”,A1),(“Hi Larry”,A2)
ComputeAk(“Hi Bob”) and Ak(“Hi Larry”)CompareAk(“Hi Bob”) and A1,Ak(“Hi Larry”) and A2
“Hi Bob”
![Page 8: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/8.jpg)
Previous Work
• Bellare and Boldyreva, ASIACRYPT 2000– Showed the security of C&W in the
computationally secure setting
• Hanaoka et al., AAECC 2006 (HHHWI06)– Showed the security of C&W in the
unconditinally secure setting
8
![Page 9: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/9.jpg)
Main Result of HHHWI06
9
Impersonation- secure A-code
Perfectly secure and
Non-Malleableencryption
Impersonation- and
substitution- secure A-code
Perfectly secure
encryption
Theorem 1
Theorem 2
C&W
C&W
We can achieve:
![Page 10: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/10.jpg)
Related Work
• Stinson, manuscript, 2006– “Unconditionally secure chaffing and winnowing
with short authentication tags”– construct C&W from short authentication tags
10
Impersonation- secureA-code
with short tag
Perfectly secure
encryptionC&W
![Page 11: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/11.jpg)
Our Contribution
• Our work is extension of HHHWI06– HHHWI06 only consider the case in one-time use
• Then, we extend for multiple use– In other words, to generalize the HHHWI06– Detailed analysis of C&W under multiple-use
setting• construct unconditionally secure C&W for multiple use• show C&W with one authentication tag
11
![Page 12: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/12.jpg)
One-time/Multiple Use
12
One-time use
Multiple use
![Page 13: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/13.jpg)
• Overview
• Unconditionally Secure C&W for Multiple Use– Security Notions– Our Result– Construction and Comparison
• C&W with one authentication tag
• Future Work and Conclusion
13
![Page 14: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/14.jpg)
Security on A-code
14
),( 11 M
),( nnM
),( M
n-Spoofing
),( M
Impersonation
),( M
),( M
Substitution
![Page 15: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/15.jpg)
Perfect Security
15
),(,),,( 1111 nn CMCM
nC
n-Perfect Security (n-PS)
Perfect Security
nC
?nM
C
C
?M
![Page 16: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/16.jpg)
Non-Malleability (1/2)
• An adversary is given n ciphertexts
• Corresponding plaintexts are
• Non-Malleability:– inability to generate a ciphertext
whose plaintext is related to• for example
– Definition
16
nCC ,,1
nMM ,,1
C
nMM ,,1 M
orMMorMorMM jiii 21
)),(,),,(|(
)),(,),,(,|(
11
11
nn
nn
CMCMMH
CMCMCMH
![Page 17: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/17.jpg)
Non-Malleability (2/2)
17
) )( ( , , ) )( ( 11 nn MECMEC
n-Non-Malleability (n-NM)
Non-Malleability
))(( MEC )or)2(or)1(( MEMEC
) )(
)2(or)1( (
orMMEor
MEMEC
ji
ii
![Page 18: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/18.jpg)
Our Results (1/3)
• Construct unconditionally secure C&W for multiple use– from n-spoofing secure A-code to n-perfectly
secure (n-PS) encryption– from (n+1)-spoofing secure A-code to n-perfectly
secure (n-PS) and n-Non-Malleable (n-NM) encryption
18
![Page 19: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/19.jpg)
Our Results (2/3)
19
n-spoofing secure A-code
n-PS andn-NM
encryption
(n+1)-spoofing secure A-code
n-PS encryptionC&W
C&W
![Page 20: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/20.jpg)
Our Results (3/3)
20
Imp A-code
PS and NMencryption
Imp and Sub A-code
PS encryptionC&W
C&W
n-spoofing secure A-code
n-PS andn-NM
encryption
(n+1)-spoofing secure A-code
n-PS encryptionC&W
C&W
HHHWI06
Our Result
![Page 21: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/21.jpg)
Construction
21 valid.as accepted is such that selects
, recievingOn :Decryption
))(||(: send Then
.*)(such that finds and
*)( sets ,* send To:Encryption
)()( , allfor ),(, allfor
such that, keysdistinct picks Then
. S to give and , generates TI:GenKey
mmR
c
mAmcS
mAk
mASm
mAmAmkkk
MS
Randkk
Mmk
ki
k
kkiji
i
i
ji
![Page 22: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/22.jpg)
Comparison
22
Construction Key Size [bits] Ciphertext Size [bits]
Our proposal
n copies ofHHHWI06
Mn 2log)1(
Mn 2log2
MM 2log
MM 2log
![Page 23: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/23.jpg)
• Overview
• Unconditionally Secure C&W for Multiple Use
• C&W with one authentication tag
• Future Work and Conclusion
23
![Page 24: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/24.jpg)
Overview (1/2)
• C&W with one authentication tag– If the underlying A-code has a specific property,
we can construct C&W with one authentication tag
24
n-Spf A-code with a specific
property
n-PS andn-NM
encryption with one tag
(n+1)-Spf A-code with a
specific property
n-PS encryption with
one tagC&W
C&W
![Page 25: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/25.jpg)
Overview (2/2)
• From this result, we can see that theseA-codes can be seen as conventional encryptions– we prove that to send one tag corresponding to
the message is secure
25
Authentication Encryption
M M
)f(M )f(MC C
Can be seen as
![Page 26: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/26.jpg)
The specific property
• “For all a, there exists at least one k such that, for all m, Ak(m)=a”
• There exists an example of an A-code which is n-Spoofing secure and has this property
26
),f( , allfor such that, exist there, allfor kmMmKkA
n
i
iimk
0
For example:
![Page 27: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/27.jpg)
Construction
27
.output and ,)(such that selects
, recievingOn :Decryption
. to send and
,)(: sets , send To:Encryption
. S to give and , generates TI:GenKey
ccmAmR
c
Rc
mAcSm
Randkk
k
k
![Page 28: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/28.jpg)
Comparison
28
Construction Key Size [bits]Ciphertext Size
[bits]
Need specific
A-codes?
Our proposal(previous)
No
Our proposal(with one tag)
Yes
n copies ofHHHWI06
No
Mn 2log)1(
Mn 2log2
Mn 2log)1( M2log
MM 2log
MM 2log
The construction with one tag is practical
![Page 29: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/29.jpg)
• Overview
• Unconditionally Secure C&W for Multiple Use
• C&W with one authentication tag
• Future Work and Conclusion
29
![Page 30: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/30.jpg)
Future Work
• Remove the restriction that(like Stinson’s work)– In [Stinson’06], C&W is constructed from A-
code with short tags (more weak A-code)
– [Stinson’06]D.R. Stinson, “Unconditionally secure chaffing and winnowing with short authentication tags,” Cryptology ePrint Archive, Report 2006/189, 2006.
30
MA
![Page 31: Unconditionally Secure Chaffing-and-Winnowing for Multiple Use Wataru Kitada 1, Goichiro Hanaoka 2, Kanta Matsuura 1, Hideki Imai 2 1. IIS, the University](https://reader035.vdocument.in/reader035/viewer/2022070415/5697bfd11a28abf838cab3e3/html5/thumbnails/31.jpg)
Conclusion
• Detailed analysis of C&W under multiple-use setting– from n-Spf secure A-code to n-PS encryption– from (n+1)-Spf secure A-code to n-PS and n-NM
encryption
• More efficient Chaffing-and-Winnowing– C&W for n-time use from n-spoofing secure A-
code– practical C&W from A-code with a specific
property• provide same function as conventional encryption
31