Honey Encryption Beyond Message Recovery Security

Juels and Ristenpart introduced honey encryption (HE) and showed how to achieve message recovery security even against attacks that can exhaustively try all likely keys. This matters in settings such as password-based encryption, where keys have very low entropy, and HE schemes based on the JR construction were subsequently proposed for password management systems and even for the long-term protection of genetic data. But message recovery security is, in this setting as in earlier ones, a relatively weak property: in particular, it does not prevent an attacker from learning partial information about plaintexts or from usefully mauling ciphertexts. We show that one can build HE schemes that hide partial information about plaintexts and that prevent mauling, even in the face of exhaustive brute-force attacks. To do so, we introduce target-distribution semantic-security and target-distribution non-malleability security notions, and we prove that a slight variant of the JR HE construction meets them. The proofs require new balls-and-bins type analyses that differ significantly from those used in prior work. Finally, we give a formal proof of the folklore result that an unbounded adversary which obtains a limited number of encryptions of known plaintexts can always succeed at message recovery.
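As an added illustration of the JR-style construction the abstract refers to (example code written here, not the paper's own): a distribution-transforming encoder (DTE) maps each message to a seed interval proportional to a constructed prior, a key-derived pad stands in for the symmetric layer, and trial decryption under every key yields decoys drawn from that prior. The four-message prior, the 16-bit seed space, the 4-digit PIN key space and the SHA-256 pad are all assumptions made for this toy.

```python
import hashlib
from collections import Counter

SEED_MAX = 1 << 16  # 16-bit seed space (assumption for this toy)

# Constructed target distribution over four low-entropy "passwords".
PRIOR = {"123456": 0.5, "password": 0.25, "qwerty": 0.125, "letmein": 0.125}

def _intervals():
    """Inverse-sampling DTE table: each message owns a seed interval of size ~p(m)*SEED_MAX."""
    table, start = [], 0
    for m, p in PRIOR.items():
        end = start + int(round(p * SEED_MAX))
        table.append((m, start, end))
        start = end
    table[-1] = (table[-1][0], table[-1][1], SEED_MAX)  # absorb rounding slack
    return table

INTERVALS = _intervals()

def dte_encode(msg, r):
    """Map msg to a seed chosen uniformly in its interval; r is randomness in [0, 1)."""
    for m, lo, hi in INTERVALS:
        if m == msg:
            return lo + int(r * (hi - lo))
    raise ValueError("message outside the target distribution")

def dte_decode(seed):
    """Inverse DTE: every seed decodes to some plausible message, never to garbage."""
    for m, lo, hi in INTERVALS:
        if lo <= seed < hi:
            return m
    raise ValueError("seed out of range")

def _pad(key):
    # Toy key-derived one-time pad standing in for the JR symmetric layer.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:2], "big")

def he_encrypt(key, msg, r):
    return dte_encode(msg, r) ^ _pad(key)

def he_decrypt(key, ct):
    # A wrong key gives a uniformly random seed, hence a decoy drawn from PRIOR.
    return dte_decode(ct ^ _pad(key))

def brute_force_posterior(ct):
    """Trial-decrypt under all 4-digit PINs: the histogram tracks PRIOR, so the
    true plaintext does not stand out among the decoys (message recovery security)."""
    return Counter(he_decrypt(f"{k:04d}", ct) for k in range(10_000))
```

Because the pad layer is a plain XOR, `he_decrypt(key, ct ^ 0x8000)` flips the top seed bit and moves the plaintext into a different interval under every key, which is exactly the mauling the abstract says message recovery security does not rule out.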
