Leakage-resilient Identity-based Encryption in Bounded Retrieval Model with Nearly Optimal Leakage-Ratio

We propose new constructions of leakage-resilient public-key encryption (PKE) and identity-based encryption (IBE) schemes in the bounded retrieval model (BRM). In the BRM, adversaries are allowed to obtain at most $\ell$-bit leakage from a secret key and we can increase $\ell$ only by increasing the size of secret keys without losing efficiency in any other performance measure. We call $\ell/|\textsf{sk}|$ leakage-ratio where $|\textsf{sk}|$ denotes a bit-length of a secret key. Several PKE/IBE schemes in the BRM are known. However, none of these constructions achieve a constant leakage-ratio under a standard assumption in the standard model. Our PKE/IBE schemes are the first schemes in the BRM that achieve leakage-ratio $1-\epsilon$ for any constant $\epsilon>0$ under standard assumptions in the standard model. As previous works, we use identity-based hash proof systems (IB-HPS) to construct IBE schemes in the BRM. It is known that a parameter for IB-HPS called the universality-ratio is translated into the leakage-ratio of the resulting IBE scheme in the BRM. We construct an IB-HPS with universality-ratio $1-\epsilon$ for any constant $\epsilon>0$ based on any inner-product predicate encryption (IPE) scheme with compact secret keys. Such IPE schemes exist under the $d$-linear, subgroup decision, learning with errors, or computational bilinear Diffie-Hellman assumptions. As a result, we obtain IBE schemes in the BRM with leakage-ratio $1-\epsilon$ under any of these assumptions. Our PKE schemes are immediately obtained from our IBE schemes

Leakage-Resilient Inner-Product Functional Encryption in the Bounded-Retrieval Model

We propose a leakage-resilient inner-product functional encryption scheme (IPFE) in the bounded-retrieval model (BRM). This is the first leakage-resilient functional encryption scheme in the BRM. In our leakage model, an adversary is allowed to obtain at most $l$-bit knowledge from each secret key. And our scheme can flexibly tolerate arbitrarily leakage bound $l$, by only increasing the size of secret keys, while keeping all other parts small and independent of $l$. Technically, we develop a new notion: Inner-product hash proof system (IP-HPS). IP-HPS is a variant of traditional hash proof systems. Its output of decapsulation is an inner-product value, instead of the encapsulated key. We propose an IP-HPS scheme under DDH-assumption. Then we show how to make an IP-HPS scheme to tolerate $l\u27$-bit leakage, and we can achieve arbitrary large $l\u27$ by only increasing the size of secret keys. Finally, we show how to build a leakage-resilient IPFE in the BRM with leakage bound $l=\frac{l\u27}{n}$ from our IP-HPS scheme

IBE with Incompressible Master Secret and Small Identity Secrets

Side-stepping the protection provided by cryptography, exfiltration attacks are becoming a considerable real-world threat. With the goal of mitigating the exfiltration of cryptographic keys, big-key cryptosystems have been developed over the past few years. These systems come with very large secret keys which are thus hard to exfiltrate. Typically, in such systems, the setup time must be large as it generates the large secret key. However, subsequently, the encryption and decryption operations, that must be performed repeatedly, are required to be efficient. Specifically, the encryption uses only a small public key and the decryption only accesses small ciphertext-dependent parts of the full secret key. Nonetheless, these schemes require decryption to have access to the entire secret key. Thus, using such big-key cryptosystems necessitate that users carry around large secret keys on their devices, which can be a hassle and in some cases might also render exfiltration easy. With the goal of removing this problem, in this work, we initiate the study of big-key identity-based encryption (bk-IBE). In such a system, the master secret key is allowed to be large but we require that the identity-based secret keys are short. This allows users to use the identity-based short keys as the ephemeral secret keys that can be more easily carried around and allow for decrypting ciphertexts matching a particular identity, e.g. messages that were encrypted on a particular date. In particular: -We build a new definitional framework for bk-IBE capturing a range of applications. In the case when the exfiltration is small our definition promises stronger security --- namely, an adversary can break semantic security for only a few identities, proportional to the amount of leakage it gets. In contrast, in the catastrophic case where a large fraction of the master secret key has been ex-filtrated, we can still resort to a guarantee that the ciphertexts generated for a randomly chosen identity (or, an identity with enough entropy) remain protected. We demonstrate how this framework captures the best possible security guarantees. -We show the first construction of such a bk-IBE offering strong security properties. Our construction is based on standard assumptions on groups with bilinear pairings and brings together techniques from seemingly different contexts such as leakage resilient cryptography, reusable two-round MPC, and laconic oblivious transfer. We expect our techniques to be of independent interest

On privacy in home automation systems

Home Automation Systems (HASs) are becoming increasingly popular in newly built as well as existing properties. While offering increased living comfort, resource saving features and other commodities, most current commercial systems do not protect sufficiently against passive attacks. In this thesis we investigate privacy aspects of Home Automation Systems. We analyse the threats of eavesdropping and traffic analysis attacks, demonstrating the risks of virtually undetectable privacy violations. By taking aspects of criminal and data protection law into account, we give an interdisciplinary overview of privacy risks and challenges in the context of HASs. We present the first framework to formally model privacy guarantees of Home Automation Systems and apply it to two different dummy traffic generation schemes. In a qualitative and quantitative study of these two algorithms, we show how provable privacy protection can be achieved and how privacy and energy efficiency are interdependent. This allows manufacturers to design and build secure Home Automation Systems which protect the users' privacy and which can be arbitrarily tuned to strike a compromise between privacy protection and energy efficiency.Hausautomationssysteme (HAS) gewinnen sowohl im Bereich der Neubauten als auch bei Bestandsimmobilien stetig an Beliebtheit. Während sie den Wohnkomfort erhöhen, Einsparpotential für Strom und Wasser sowie weitere Vorzüge bieten, schützen aktuelle Systeme nicht ausreichend vor passiven Angriffen. In dieser Arbeit untersuchen wir Aspekte des Datenschutzes von Hausautomationssystemen. Wir betrachten die Gefahr des Abfangens von Daten sowie der Verkehrsanalyse und zeigen die Risiken auf, welche sich durch praktisch unsichtbare Angriffe für Nutzende ergeben. Die Betrachtung straf- und datenschutzrechtlicher Aspekte ermöglicht einen interdisziplinären Überblick über Datenschutzrisiken im Kontext von HAS. Wir stellen das erste Rahmenwerk zur formellen Modellierung von Datenschutzgarantien in Hausautomationssystemen vor und demonstrieren die Anwendung an zwei konkreten Verfahren zur Generierung von Dummy-Verkehr. In einer qualitativen und quantitativen Studie der zwei Algorithmen zeigen wir, wie Datenschutzgarantien erreicht werden können und wie sie mit der Energieeffizienz von HAS zusammenhängen. Dies erlaubt Herstellern die Konzeption und Umsetzung von Hausautomationssystemen, welche die Privatsphäre der Nutzenden schützen und die eine freie Parametrisierung ermöglichen, um einen Kompromiss zwischen Datenschutz und Energieeffizienz zu erreichen

Position Based Cryptography

We consider what constitutes {\em identities\/} in cryptography. Typical examples include your name and your social-security number, or your fingerprint/iris-scan, or your address, or your (non-revoked) public-key coming from some trusted public-key infrastructure. In many situations, however, {\bf where you are} defines your identity. For example, we know the role of a bank-teller behind a bullet-proof bank window not because she shows us her credentials but by merely knowing her location. In this paper, we initiate the study of cryptographic protocols where the identity (or other credentials and inputs) of a party are derived from its \emph{geographic location}. We start by considering the central task in this setting, i.e., securely verifying the position of a device. Despite much work in this area, we show that in the Vanilla (or standard) model, the above task (i.e., of secure positioning) is impossible to achieve. In light of the above impossibility result, we then turn to the Bounded Retrieval Model (a variant of the Bounded Storage Model) and formalize and construct information theoretically secure protocols for two fundamental tasks: \begin{itemize} \item Secure Positioning; and \item Position Based Key Exchange. \end{itemize} We then show that these tasks are in fact {\em universal\/} in this setting -- we show how we can use them to realize Secure Multi-Party Computation. Our main contribution in this paper is threefold: to place the problem of secure positioning on a sound theoretical footing; to prove a strong impossibility result that simultaneously shows the insecurity of previous attempts at the problem; and to present positive results by showing that the bounded-retrieval framework is, in fact, one of the ``right frameworks (there may be others) to study the foundations of position-based cryptography