Unconditionally Secure ChaffingandWinnowing for Multiple Use - PowerPoint PPT Presentation
1 / 31
Title:
Unconditionally Secure ChaffingandWinnowing for Multiple Use
Description:
Detailed analysis of Chaffing-and-Winnowing (C&W) under multiple-use setting ... winnow ... secure chaffing and winnowing with short authentication tags' ... – PowerPoint PPT presentation
Number of Views:50
Avg rating:3.0/5.0
Title: Unconditionally Secure ChaffingandWinnowing for Multiple Use
1
Unconditionally Secure Chaffing-and-Winnowing for
Multiple Use
- Wataru Kitada1, Goichiro Hanaoka2, Kanta
Matsuura1, Hideki Imai2 - 1. IIS, the University of Tokyo2. RCIS, AIST
2
Overview of This Work
We show
- Detailed analysis of Chaffing-and-Winnowing (CW)
under multiple-use setting - More efficient Chaffing-and-Winnowing
- CW for n-time use from n-spoofing secure A-code
- practical CW from A-code with a specific property
3
Contents
- Overview
- Unconditionally Secure CW for Multiple Use
- CW with one authentication tag
- Future Work and Conclusion
4
- Overview
- Chaffing and Winnowing
- Previous Work
- Our Contribution
- Unconditionally Secure CW for Multiple Use
- CW with one authentication tag
- Future Work and Conclusion
5
Chaffing-and-Winnowing (CW)
- A technique to achieve confidentiality without
using encryption when sending data over an
insecure channel. - Proposed by R. Rivest
- Chaffing and winnowing confidentiality without
encryption http//theory.lcs.mit.edu/rivest/publ
ications.html
6
Basic Idea
- Send plaintext directly
- No encryption is performed
- Send dummies with the plaintext. chaff
- Only one of the plaintext is authentic, the other
ones are dummies - Receiver can distinguish plaintext (wheat) from
dummies (chaff). winnow - Being able to distinguish plaintext from dummies
would require an adversary to know the secret key.
7
Chaffing-and-Winnowing
- Example
- Authentication code (A-code) Ak(M)
- Plaintext Hi Bob
Hi Bob
(Hi Bob,A1),(Hi Larry,A2)
ComputeAk(Hi Bob) and Ak(Hi
Larry)CompareAk(Hi Bob) and A1,Ak(Hi
Larry) and A2
A1Ak(Hi Bob)A2Ak(Hi Larry)
8
Previous Work
- Bellare and Boldyreva, ASIACRYPT 2000
- Showed the security of CW in the computationally
secure setting - Hanaoka et al., AAECC 2006 (HHHWI06)
- Showed the security of CW in the unconditinally
secure setting
9
Main Result of HHHWI06
We can achieve
Theorem 1
Impersonation- secure A-code
Perfectly secure encryption
CW
Theorem 2
Perfectly secure andNon-Malleableencryption
Impersonation- and substitution- secure A-code
CW
10
Related Work
- Stinson, manuscript, 2006
- Unconditionally secure chaffing and winnowing
with short authentication tags - construct CW from short authentication tags
Impersonation- secureA-code with short tag
Perfectly secure encryption
CW
11
Our Contribution
- Our work is extension of HHHWI06
- HHHWI06 only consider the case in one-time use
- Then, we extend for multiple use
- In other words, to generalize the HHHWI06
- Detailed analysis of CW under multiple-use
setting - construct unconditionally secure CW for multiple
use - show CW with one authentication tag
12
One-time/Multiple Use
One-time use
Multiple use
13
- Overview
- Unconditionally Secure CW for Multiple Use
- Security Notions
- Our Result
- Construction and Comparison
- CW with one authentication tag
- Future Work and Conclusion
14
Security on A-code
n-Spoofing
15
Perfect Security
n-Perfect Security (n-PS)
Perfect Security
16
Non-Malleability (1/2)
- An adversary is given n ciphertexts
- Corresponding plaintexts are
- Non-Malleability
- inability to generate a ciphertextwhose
plaintext is related to - for example
- Definition
17
Non-Malleability (2/2)
n-Non-Malleability (n-NM)
Non-Malleability
18
Our Results (1/3)
- Construct unconditionally secure CW for multiple
use - from n-spoofing secure A-code to n-perfectly
secure (n-PS) encryption - from (n1)-spoofing secure A-code to n-perfectly
secure (n-PS) and n-Non-Malleable (n-NM)
encryption
19
Our Results (2/3)
n-spoofing secure A-code
n-PS encryption
CW
n-PS andn-NM encryption
(n1)-spoofing secure A-code
CW
20
Our Results (3/3)
HHHWI06
Our Result
21
Construction
22
Comparison
23
- Overview
- Unconditionally Secure CW for Multiple Use
- CW with one authentication tag
- Future Work and Conclusion
24
Overview (1/2)
- CW with one authentication tag
- If the underlying A-code has a specific property,
we can construct CW with one authentication tag
25
Overview (2/2)
- From this result, we can see that theseA-codes
can be seen as conventional encryptions - we prove that to send one tag corresponding to
the message is secure
Authentication
Encryption
Can be seen as
26
The specific property
- For all a, there exists at least one k such
that, for all m, Ak(m)a - There exists an example of an A-code which is
n-Spoofing secure and has this property
For example
27
Construction
28
Comparison
The construction with one tag is practical
29
- Overview
- Unconditionally Secure CW for Multiple Use
- CW with one authentication tag
- Future Work and Conclusion
30
Future Work
- Remove the restriction that(like Stinsons work)
- In Stinson06, CW is constructed from A-code
with short tags (more weak A-code) - Stinson06D.R. Stinson, Unconditionally
secure chaffing and winnowing with short
authentication tags, Cryptology ePrint Archive,
Report 2006/189, 2006.
31
Conclusion
- Detailed analysis of CW under multiple-use
setting - from n-Spf secure A-code to n-PS encryption
- from (n1)-Spf secure A-code to n-PS and n-NM
encryption - More efficient Chaffing-and-Winnowing
- CW for n-time use from n-spoofing secure A-code
- practical CW from A-code with a specific
property - provide same function as conventional encryption
Recommended
CrystalGraphics Presentations
