
Showing papers by "Adam O'Neill published in 2016"


Proceedings ArticleDOI
24 Oct 2016
TL;DR: This work proposes abstract models that capture secure outsourced storage systems in sufficient generality, identifies two basic sources of leakage, namely access pattern and communication volume, and develops generic reconstruction attacks on any system supporting range queries where either access pattern or communication volume is leaked.
Abstract: Recently, various protocols have been proposed for securely outsourcing database storage to a third party server, ranging from systems with "full-fledged" security based on strong cryptographic primitives such as fully homomorphic encryption or oblivious RAM, to more practical implementations based on searchable symmetric encryption or even on deterministic and order-preserving encryption. On the flip side, various attacks have emerged that show that for some of these protocols confidentiality of the data can be compromised, usually given certain auxiliary information. We take a step back and identify a need for a formal understanding of the inherent efficiency/privacy trade-off in outsourced database systems, independent of the details of the system. We propose abstract models that capture secure outsourced storage systems in sufficient generality, and identify two basic sources of leakage, namely access pattern and communication volume. We use our models to distinguish certain classes of outsourced database systems that have been proposed, and deduce that all of them exhibit at least one of these leakage sources. We then develop generic reconstruction attacks on any system supporting range queries where either access pattern or communication volume is leaked. These attacks are in a rather weak passive adversarial model, where the untrusted server knows only the underlying query distribution. In particular, to perform our attack the server need not have any prior knowledge about the data, and need not know any of the issued queries nor their results. Yet, the server can reconstruct the secret attribute of every record in the database after about $N^4$ queries, where N is the domain size. We provide a matching lower bound showing that our attacks are essentially optimal. Our reconstruction attacks using communication volume apply even to systems based on homomorphic encryption or oblivious RAM in the natural way.
Finally, we provide experimental results demonstrating the efficacy of our attacks on real datasets with a variety of different features. On all these datasets, after the required number of queries our attacks successfully recovered the secret attributes of every record in at most a few seconds.

244 citations



Book ChapterDOI
04 Dec 2016
TL;DR: The study of public-key encryption (PKE) secure against selective-opening attacks (SOA) in the presence of randomness failures, i.e., when the sender may inadvertently use low-quality randomness, is initiated.
Abstract: We initiate the study of public-key encryption (PKE) secure against selective-opening attacks (SOA) in the presence of randomness failures, i.e., when the sender may inadvertently use low-quality randomness. In the SOA setting, an adversary can adaptively corrupt senders; this notion is natural to consider in tandem with randomness failures since an adversary may target senders by multiple means. Concretely, we first treat SOA security of nonce-based PKE. After formulating an appropriate definition of SOA-secure nonce-based PKE, we provide efficient constructions in the non-programmable random-oracle model, based on lossy trapdoor functions. We then lift our notion of security to the setting of "hedged" PKE, which ensures security as long as the sender's seed, message, and nonce jointly have high entropy. This unifies the notions and strengthens the protection that nonce-based PKE provides against randomness failures even in the non-SOA setting. We lift our definitions and constructions of SOA-secure nonce-based PKE to the hedged setting as well.

14 citations


Book ChapterDOI
06 Mar 2016
TL;DR: A compiler is presented that transforms any public-key encryption or signature scheme to one that is continual leakage resilient with leakage on key updates, assuming indistinguishability obfuscation and adapting and optimizing recent techniques of Sahai and Waters STOC 2014 that make any encryption scheme sender-deniable.
Abstract: The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In this work, we consider the bounded leakage and the continual leakage models. In the bounded leakage model (Akavia et al. --- TCC 2009), it is assumed that there is a fixed upper bound L on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model (Brakerski et al. --- FOCS 2010, Dodis et al. --- FOCS 2010), the lifetime of a cryptographic scheme is divided into "time periods" between which the scheme's secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period. In the continual leakage model, a challenging problem has been to provide security against leakage on key updates, that is, leakage that is a function not only of the current secret key but also the randomness used to update it. We propose a new, modular approach to overcome this problem. Namely, we present a compiler that transforms any public-key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call consecutive continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming indistinguishability obfuscation (Barak et al. --- CRYPTO 2001, Garg et al. --- FOCS 2013). Under the stronger assumption of public-coin differing-inputs obfuscation (Ishai et al. --- TCC 2015) the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is obtained by making a new connection between the problems of leakage on key updates and so-called "sender-deniable" encryption (Canetti et al. --- CRYPTO 1997). In particular, our compiler adapts and optimizes recent techniques of Sahai and Waters (STOC 2014) that make any encryption scheme sender-deniable.
We then show that prior continual leakage resilient schemes can be upgraded to security against consecutive continual leakage without introducing new assumptions. In the bounded leakage model, we develop an entirely new approach to constructing leakage-resilient encryption from obfuscation directly, based upon the public-key encryption scheme from $${\mathsf {iO}}$$ and punctured pseudorandom functions due to Sahai and Waters (STOC 2014). In particular, we achieve (1) leakage-resilient public key encryption tolerating L bits of leakage for any L from $${\mathsf {iO}}$$ and one-way functions, and (2) leakage-resilient public key encryption with optimal leakage rate of $$1-o(1)$$ based on public-coin differing-inputs obfuscation and collision-resistant hash functions.

10 citations


Book ChapterDOI
06 Mar 2016
TL;DR: The concept of receiver deniability for functional encryption was introduced by Boneh et al. as mentioned in this paper, where a receiver in possession of a key k can compute from any encryption of a message x the value F(k, x) according to the scheme's functionality.
Abstract: Deniable encryption, first introduced by Canetti et al. [14], allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that "open" the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. [12], wherein a receiver in possession of a key k can compute from any encryption of a message x the value F(k, x) according to the scheme's functionality F. Our results are summarized as follows: We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. [31] in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the "multi-distributional" model of deniability previously considered for public-key encryption. In the first model, we show that any FE scheme for the general circuit functionality (as several recent candidate constructions achieve) can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition we show an efficient receiver deniable FE for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption.
Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results.

10 citations


Book ChapterDOI
04 Dec 2016
TL;DR: The techniques are rather generic, and it is hoped they are useful in converting other constructions using differing-inputs obfuscation to ones using sub-exponentially secure indistinguishability obfuscation instead.
Abstract: Multi-input functional encryption (MIFE) was introduced by Goldwasser et al. (EUROCRYPT 2014) as a compelling extension of functional encryption. In MIFE, a receiver is able to compute a joint function of multiple, independently encrypted plaintexts. Goldwasser et al. (EUROCRYPT 2014) show various applications of MIFE to running SQL queries over encrypted databases, computing over encrypted data streams, etc. The previous construction of MIFE due to Goldwasser et al. (EUROCRYPT 2014) based on indistinguishability obfuscation had a major shortcoming: it could only support encrypting an a priori bounded number of messages. Once that bound is exceeded, security is no longer guaranteed to hold. In addition, it could only support selective security, meaning that the challenge messages and the set of "corrupted" encryption keys had to be declared by the adversary up-front. In this work, we show how to remove these restrictions by relying instead on sub-exponentially secure indistinguishability obfuscation. This is done by carefully adapting an alternative MIFE scheme of Goldwasser et al. that previously overcame these shortcomings (except for selective security w.r.t. the set of "corrupted" encryption keys) by relying instead on differing-inputs obfuscation, which is now seen as an implausible assumption. Our techniques are rather generic, and we hope they are useful in converting other constructions using differing-inputs obfuscation to ones using sub-exponentially secure indistinguishability obfuscation instead.

6 citations