Multi-instance Security and Its Application to Password-Based Cryptography

This paper develops a theory of multi-instance (mi) security and applies it to provide the first proof-based support for the classical practice of salting in password-based cryptography. Mi-security comes into play in settings like password-based cryptography where it is computationally feasible to compromise a single instance, and provides a second line of defense, aiming to ensure (in the case of passwords, via salting) that the effort to compromise all of some large number m of instances grows linearly with m. The first challenge is definitions, where we suggest LORX-security as a good metric for mi-security of encryption and support this claim by showing that it implies other natural metrics, illustrating in the process that even lifting simple results from the single-instance (si) setting to the mi one calls for new techniques. Next we provide a composition-based framework to transfer standard si-security to mi-security with the aid of a key-derivation function (KDF). Analyzing the password-based KDFs of the PKCS#5 standard to show that they meet our indifferentiability-style mi-security definition for KDFs, we are able to conclude with the first proof that per-password salts amplify mi-security as hoped in practice. We believe that mi-security is of interest in other domains and that this work provides the foundation for its further theoretical development and practical application.
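The linear-in-m claim is easy to see concretely. The script below is an added example, not code from the paper: it runs a dictionary attack against m password hashes derived with PBKDF2-HMAC-SHA256 (the PKCS#5 v2 KDF the abstract refers to) and counts KDF evaluations. Without salts, one pass over the dictionary tests every guess against all m targets at once, so the cost is |D| regardless of m; with a distinct random salt per password the attacker must redo the pass for each salt, so the cost is m·|D|. The dictionary, the user passwords and the low iteration count are constructed for the demo and are assumptions, not values from the paper.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed toy dictionary (an assumption for the demo, not from the paper).
DICTIONARY = ["password", "letmein", "hunter2", "qwerty",
              "dragon", "123456", "monkey", "iloveyou"]

# Deliberately tiny so the demo runs quickly; real deployments use far more.
ITERATIONS = 1000


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 as specified in PKCS#5 v2 (RFC 8018)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               ITERATIONS, dklen=32)


def make_targets(passwords: List[str], salted: bool) -> List[Tuple[bytes, bytes]]:
    """Derive one (salt, key) pair per instance.

    salted=False models the unsalted practice (every instance shares the
    empty salt); salted=True draws a fresh 16-byte random salt per password.
    """
    targets = []
    for pw in passwords:
        salt = os.urandom(16) if salted else b""
        targets.append((salt, kdf(pw, salt)))
    return targets


def crack_all(targets: List[Tuple[bytes, bytes]]) -> Tuple[Dict[int, str], int]:
    """Dictionary attack that tries to recover every instance.

    Targets are grouped by salt so that a single KDF evaluation is compared
    against all targets sharing that salt. The whole dictionary is always
    scanned (no early exit) so the returned call count is deterministic.
    Returns (recovered index -> password, number of KDF evaluations).
    """
    by_salt: Dict[bytes, Dict[bytes, List[int]]] = {}
    for idx, (salt, key) in enumerate(targets):
        by_salt.setdefault(salt, {}).setdefault(key, []).append(idx)

    recovered: Dict[int, str] = {}
    kdf_calls = 0
    for salt, keymap in by_salt.items():
        for guess in DICTIONARY:
            kdf_calls += 1
            hit = keymap.get(kdf(guess, salt))
            if hit:
                for idx in hit:
                    recovered[idx] = guess
    return recovered, kdf_calls


def attack_cost(passwords: List[str], salted: bool) -> int:
    """KDF evaluations needed to recover all m instances under a full scan."""
    _, calls = crack_all(make_targets(passwords, salted))
    return calls


if __name__ == "__main__":
    # Constructed set of m = 5 users, all with dictionary passwords.
    users = ["hunter2", "qwerty", "dragon", "monkey", "letmein"]
    print("unsalted cost:", attack_cost(users, salted=False))  # |D| = 8
    print("salted cost:  ", attack_cost(users, salted=True))   # m*|D| = 40
```

The cost ratio is exactly m here because every target is a dictionary hit and the scan never stops early; in practice the attacker can stop on a hit, but the unsalted case still lets one dictionary pass (or one precomputed table) serve all m users, which is precisely the amplification the paper proves that salts remove.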
