LNCS 9841

Vassilis Zikas, Roberto De Prisco (Eds.)

Security and Cryptography for Networks
10th International Conference, SCN 2016
Amalfi, Italy, August 31 – September 2, 2016
Proceedings

Lecture Notes in Computer Science
Commenced publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zürich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410
Editors
Vassilis Zikas, Rensselaer Polytechnic Institute, Troy, NY, USA
Roberto De Prisco, University of Salerno, Fisciano, Italy

ISSN 0302-9743    ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-44617-2    ISBN 978-3-319-44618-9 (eBook)
DOI 10.1007/978-3-319-44618-9

Library of Congress Control Number: 2016947481

LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing Switzerland 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG Switzerland

Preface

The 10th Conference on Security and Cryptography for Networks (SCN 2016) was held in Amalfi, Italy, from August 31 to September 2, 2016. The conference has
traditionally been held in Amalfi, with the exception of the fifth edition, which was held in nearby Maiori. The first three editions of the conference were held in 1996, 1999, and 2002. Since 2002, the conference has been held biannually.

Modern communication is achieved mostly through the use of computer networks. Computer networks bring many advantages, such as easy access to information and fast communication. However, guaranteeing the security of distributed transactions is a challenging task. The SCN conference is an international meeting whose goal is to bring together researchers, practitioners, and developers interested in the security of communication networks, in order to foster cooperation, facilitate the exchange of ideas, and disseminate research results.

The conference received 67 submissions in a broad range of cryptography and security areas. The Program Committee selected, among the many high-quality submissions, 30 technical papers for publication in these proceedings. The selection took into account quality, originality, and relevance to the conference's scope. In addition, this year we received a crypto-lyrics paper titled "Zero-Knowledge Made Easy So It Won't Make You Dizzy" that the Program Committee found to be of great quality and therefore decided to grant it a special slot in the proceedings. It is our hope that this can motivate more of these high-quality, creative, and entertaining types of submissions in the future.

The international Program Committee (PC) consisted of 32 members who are top experts in the conference fields. At least three PC members reviewed each submitted paper, while submissions co-authored by a PC member were subjected to the more stringent evaluation of four PC members. In addition to the PC members, many external reviewers joined the review process in their particular areas of expertise. We were fortunate to have this knowledgeable and energetic team of experts, and are deeply grateful to all of them for their hard and thorough
work, which included a very active discussion phase. Special thanks to Jeremiah Blocki, Alessandra Scafuro, Susumu Kiyoshima, Dimitris Papadopoulos, Juan Garay, and Sanjam Garg for their extra work as shepherds. The program was further enriched by the invited talks of Aggelos Kiayias (University of Edinburgh, UK) and Rafael Pass (Cornell University and Cornell NYC Tech, USA).

SCN 2016 was organized in cooperation with the International Association for Cryptologic Research (IACR). The paper submission, review, and discussion processes were effectively and efficiently made possible by the IACR Web-Submission-and-Review software, written by Shai Halevi. Many thanks to Shai for his assistance with the system's various features and constant availability.

We thank all the authors who submitted papers to this conference, the Organizing Committee members, colleagues, and student helpers for their valuable time and effort, and all the conference attendees who made this event truly intellectually stimulating through their active participation. We finally thank the Dipartimento di Informatica of the Università degli Studi di Salerno, InfoCert, and the Università degli Studi di Salerno for their financial support.

September 2016
Vassilis Zikas
Roberto De Prisco

SCN 2016
The 10th Conference on Security and Cryptography for Networks
Amalfi, Italy, August 31 to September 2, 2016

Organized by
Dipartimento di Informatica, Università di Salerno

In Cooperation with
The International Association for Cryptologic Research (IACR)

Program Chair
Vassilis Zikas, Rensselaer Polytechnic Institute (RPI), USA

General Chair
Roberto De Prisco, Università di Salerno, Italy

Organizing Committee
Carlo Blundo, Università di Salerno, Italy
Aniello Castiglione, Università di Salerno, Italy
Luigi Catuogno, Università di Salerno, Italy
Paolo D'Arco, Università di Salerno, Italy

Steering Committee
Alfredo De Santis, Università di Salerno, Italy
Ueli Maurer, ETH Zürich, Switzerland
Rafail Ostrovsky, University of California - Los Angeles, USA
Giuseppe Persiano, Università di Salerno, Italy
Jacques Stern, ENS, France
Douglas Stinson, University of Waterloo, Canada
Gene Tsudik, University of California - Irvine, USA
Moti Yung, Snapchat and Columbia University, USA

Program Committee
Divesh Aggarwal, EPFL, Switzerland
Shweta Agrawal, Indian Institute of Technology, India
Joël Alwen, IST, Austria
Gilad Asharov, The Hebrew University of Jerusalem, Israel
Foteini Baldimtsi, Boston University, USA and University of Athens, Greece
Jeremiah Blocki, Microsoft Research, USA
David Cash, Rutgers University, USA
Nishanth Chandran, Microsoft Research, India
Karim El Defrawy, HRL Labs, USA
Sebastian Faust, Ruhr-Universität Bochum, Germany
Juan Garay, Yahoo Labs, USA
Sanjam Garg, UC Berkeley, USA
Shafi Goldwasser, MIT, USA
Stanislaw Jarecki, UC Irvine, USA
Iordanis Kerenidis, University of Paris Diderot 7, France
Ranjit Kumaresan, MIT, USA
Steve Lu, Stealth Software Technologies Inc., USA
Ueli Maurer, ETH Zurich, Switzerland
Charalampos Papamanthou, University of Maryland, USA
Anat Paskin-Cherniavsky, Ariel University, Israel
Rafael Pass, Cornell University and Cornell NYC Tech., USA
Kenny Paterson, Royal Holloway, University of London, UK
Christian Rechberger, DTU, Denmark
Raphael Reischuk, ETH Zurich, Switzerland
Alessandra Scafuro, Boston University and Northeastern University, USA
Peter Schwabe, Radboud University, The Netherlands
Damien Stehlé, ENS de Lyon, France
Marc Stevens, CWI, The Netherlands
Vanessa Teague, University of Melbourne, Australia
Stefano Tessaro, UC Santa Barbara, USA
Hong-Sheng Zhou, Virginia Commonwealth University, USA
Vassilis Zikas, RPI, USA

External Reviewers
Shashank Agrawal, Daniel Apon, Christian Badertscher, Saikrishna Badrinarayan, Iddo Bentov, Alexandra Berkoff, Florian Bourse, Christina Brzuska, Jie Chen, Alain Couvreur, Chris Culnane, Joan Daemen, Wei Dai, Angelo De Caro, Akshay Degwekar, David Derler, Julien Devigne, Léo Ducas, Lisa Eckey, Xiong Fan, Carmit Hazay, Brett Hemenway, Aayush Jain, Charanjit Jutla, Chethan Kamath, Handan Kilinc, Susumu Kiyoshima, Karen Klein, Ahmed Kosba, Luke Kowalczyk, Eyal Kushilevitz, Kim Laine, Joshua Lampkins, Adeline Langlois, Enrique Larraia, Tancrède Lepoint, Satyanarayana Lokam, Bernardo Machado David, Rusydi Makarim, Antonio Marcedone, Nico Marcel Döttling, Alexander May, Sebastian Meiser, Peihan Miao, Sonia Mihaela Bogos, Katerina Mitrokotsa, Pratyay Mukherjee, Kartik Nayak, Dimitris Papadopoulos, Kostas Papagiannopoulos, Alain Passelègue, Antigoni Polychroniadou, Ishaan Preet Singh, Srinivasan Raghuraman, Somindu Ramanna, Kim Ramchen, Vanishree Rao, Tom Ristenpart, Abhi shelat, Katerina Samari, Daniel Slamanig, Nigel Smart, Pratik Soni, Akshayaram Srinivasan, Douglas Stebila, Bjoern Tackmann, Qiang Tang, Alin Tomescu, Roberto Trifiletti, Daniel Tschudi, Daniele Venturi, Frederik Vercauteren, Ivan Visconti, Michael Walter, Xiao Wang, Udi Weinsberg, Sophia Yabukov, Yupeng Zhang, Joe Zimmerman

Sponsoring Institutions
Dipartimento di Informatica, Università di Salerno, Italy
InfoCert, Rome, Italy
Università di Salerno, Italy

A Unified Approach to Idealized Model Separations
M.D. Green et al.

Fig. 2. Functionality $F_{GG}$

... of a function ensemble is to capture the intuitive notion of what it means to "instantiate" a random oracle. Let $\mathrm{out} : \mathbb{N} \to \mathbb{N}$ be a length function. An out-ensemble is a sequence $F = \{F_n\}_{n \in \mathbb{N}}$ of families of functions $F_n = \{f_s : \{0,1\}^* \to \{0,1\}^{\mathrm{out}(n)}\}_{s \in \{0,1\}^n}$ such that the following condition holds: there exists a polynomial-time algorithm Eval such that for every $s \in \{0,1\}^n$ and $x \in \{0,1\}^*$ it holds that $\mathrm{Eval}(s, x) = f_s(x)$. Let eval(n) be the length of the bitstring representation of Eval for function family $F_n$; we have that eval(n) ≤ p(n), where p(·) is a polynomial. Let an (out, eval)-ensemble be an out-ensemble such that the bitstring representation of Eval is less than or equal to eval. In what follows, we in general do not care what the output length of the function is, as long as it is polynomial in the security parameter. We denote this class of
ensembles as (poly, )-ensembles; that is, the class of -ensembles such that  < p(n), where p(·) is some polynomial, and the bitstring representation of Eval is less than or equal to .

Indistinguishability Obfuscation. All our constructions use indistinguishability obfuscation (iO), defined as follows. Let $\{C_\lambda\}$ be the class of circuits of size at most λ, where λ ≤ p(n) for some polynomial p(·). We utilize the notion of family-indistinguishability obfuscators [2,18], and we reproduce it here mostly verbatim. A uniform ppt algorithm iO is a family-indistinguishability obfuscator for a circuit class $\{C_\lambda\}$ if the following two conditions hold:

– For all λ ∈ N and for all $C \in C_\lambda$, it holds that $\Pr[\forall x,\ C'(x) = C(x) : C' \leftarrow iO(1^\lambda, C)] = $ .
– For all ppt adversaries Samp and A, there exists a negligible function negl(·) such that if $\Pr[\forall x,\ C_0(x) = C_1(x) : (C_0, C_1, \sigma) \leftarrow \mathrm{Samp}(1^\lambda)] > \ - \mathrm{negl}(\lambda)$, then $\Pr[A(\sigma, iO(1^\lambda, C_0)) = \ : (C_0, C_1, \sigma) \leftarrow \mathrm{Samp}(1^\lambda)] - \Pr[A(\sigma, iO(1^\lambda, C_1)) = \ : (C_0, C_1, \sigma) \leftarrow \mathrm{Samp}(1^\lambda)] \le \mathrm{negl}(\lambda)$.

3 Random Oracle Separation for Bit-Encryption

As our first result, we present a random oracle separation for the case of (public-key) bit-encryption. Note that most existing techniques for showing idealized model separations work by having the adversary send some specially crafted message to an oracle; the oracle, given this message, leaks the secret key, and thus the adversary can easily break security. However, in the case of bit-encryption, the only values an adversary can send are bits, and thus these approaches do not work in this setting.

Consider the security game $\mathrm{PubK}_{A,\Pi}$ between a challenger C and an adversary A for a public-key bit-encryption scheme Π = (Gen, Enc, Dec): C runs $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$, chooses $b \leftarrow_\$ \{0,1\}$, computes $c \leftarrow \mathrm{Enc}_{pk}(b)$, and sends (pk, c) to A. A outputs a bit b' and succeeds if b' = b.

Definition 3.1 (IND-CPA Security). A public-key bit-encryption scheme Π is IND-CPA-secure if for all ppt adversaries A there exists a negligible function negl
such that $\Pr[\mathrm{PubK}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$.

Theorem 3.2. Assume there exists an IND-CPA-secure public-key bit-encryption scheme and an indistinguishability obfuscator secure in the standard model. Let p(·) be a polynomial. Then for all  < p(n), there exists a public-key bit-encryption scheme that is IND-CPA-secure in the random oracle model but insecure when the random oracle is instantiated using any (poly, )-ensemble.

Proof. Our construction, at a high level, works as follows. Taking an existing bit-encryption scheme, we modify it by appending an obfuscated circuit to the public key. The obfuscated circuit is built as follows. We choose n random values $x_i$ and compute $y_i \leftarrow H(x_i)$, where H is either a random oracle or a function ensemble, depending on whether we are operating in the random oracle or the standard model. The circuit hardcodes the values $x_i$ and $y_i$, along with the secret key of the original bit-encryption scheme. On input a description of a hash function h, the circuit outputs the secret key if and only if $y_i = h(x_i)$ for all i. In the random oracle model it is unlikely that such a hash function can be found to satisfy $y_i = h(x_i)$ for all i, whereas in the standard model this is easily satisfied (since h is public).

Fig. Program C
Fig. Program C'

Note that this approach is similar to that given by Maurer et al. [26], who provide an alternate proof of the separation result given by Canetti et al. [10]. The main difference is our use of indistinguishability obfuscation, which allows the adversary to break security in the standard model without needing to send messages to the challenger.

Next, we present the proof details. Let iO be an indistinguishability obfuscator, let Π' = (Gen', Enc', Dec') be an existing IND-CPA-secure public-key bit-encryption scheme, and let O be a random oracle. Fix some polynomial p(·) and value  < p(n). The scheme Π = (Gen, Enc, Dec) is constructed as follows. Note that all algorithms are provided
oracle access to O.

– Gen: On input $1^n$, proceed as follows. For $i \in \{1, \ldots, n\}$, choose $x_i \leftarrow_\$ \{0,1\}^n$ and compute $y_i \leftarrow O(x_i)$. Next, run $(pk', sk') \leftarrow \mathrm{Gen}'(1^n)$, and set $sk := sk'$. Then, create an obfuscation iO(C) of the program C as described in Fig. Finally, let $pk := (pk', iO(C))$ and output (pk, sk).
– Enc: On input pk and bit b, parse pk as $(pk', iO(C))$ and compute $c \leftarrow \mathrm{Enc}'_{pk'}(b)$. Output c.
– Dec: On input private key $sk = sk'$ and ciphertext c, compute $m := \mathrm{Dec}'_{sk'}(c)$. Output m.

Lemma 3.3. Assume that Π' is an IND-CPA-secure public-key bit-encryption scheme and that iO is an indistinguishability obfuscator. Then, for any choice of  < p(n), the construction Π is an IND-CPA-secure bit-encryption scheme in the random oracle model.

Proof. Consider the following two hybrids.

Hybrid $H_0$: This is the IND-CPA game for scheme Π.
Hybrid $H_1$: This hybrid is the same as $H_0$ except that we now change program C into program C' as in Fig.

Claim. If iO is an indistinguishability obfuscator in the standard model, then with high probability over the choices of the random oracle the two hybrids $H_0$ and $H_1$ are computationally indistinguishable.

Proof. The proof is by a reduction to the security of the indistinguishability obfuscator. It relies on the fact that with high probability there is no "small representation" of a random oracle. That is, the probability that there exists a description $h \in \{0,1\}$ of a function h such that for $i \in \{1, \ldots, n\}$ it holds that $y_i = h(x_i)$ is negligible. Thus, with high probability over the choices of the random oracle, programs C and C' are equivalent, and so we can reduce security to that of indistinguishability obfuscation. More formally, let $\mathrm{Func}_{\mathrm{out}(n)}$ be the class of all functions mapping $x_1, \ldots, x_n$ to out(n)-bit outputs; there are $2^{n \cdot \mathrm{out}(n)}$ such functions. Also note that there exist at most  functions capable of being represented by  bits. Thus, the probability that a random function from $\mathrm{Func}_{\mathrm{out}(n)}$ can be represented in  bits is $\le \ / 2^{n \cdot \mathrm{out}(n)} = \mathrm{negl}(n)$.
Thus, with all but negligible probability over the choices of the random oracle, programs C and C' are equivalent. Therefore, if there is a difference in advantage, we can create an algorithm B that breaks the security of indistinguishability obfuscation. Algorithm B runs as the challenger in the IND-CPA game. When it is time to create the obfuscated program, it submits both programs $C_0 = C$ and $C_1 = C'$ to an indistinguishability obfuscation challenger. If the challenger chooses the first, then we are in $H_0$; if it chooses the second, then we are in $H_1$. Thus, any adversary with non-negligible advantage in distinguishing the two hybrids yields B as an attacker on the security of the indistinguishability obfuscator.

We now show that an adversary who can successfully attack hybrid $H_1$ can be used to construct an adversary attacking the underlying IND-CPA scheme.

Claim. $\Pr[\mathrm{PubK}_{A,H_1}(n) = 1] \le \Pr[\mathrm{PubK}_{B,\Pi'}(n) = 1]$, where A is the adversary in $H_1$ and B is the IND-CPA adversary against the underlying encryption scheme Π'.

Proof. The adversary B runs A. When B receives pk', it generates iO(C') as in $H_1$ and provides $pk := (pk', iO(C'))$ to A. When B receives a challenge ciphertext c, it forwards c to A. Finally, B outputs the bit b' output by A. Clearly, if A wins the $H_1$ game with some probability, then B wins the IND-CPA game with at least that probability.

Together, these claims show $\Pr[\mathrm{PubK}_{A,\Pi}(n) = 1] \le \Pr[\mathrm{PubK}_{B,\Pi'}(n) = 1]$, where A is the IND-CPA adversary against Π and B is the IND-CPA adversary against the underlying encryption scheme Π'. Since the underlying Π' is IND-CPA-secure, we have that $\Pr[\mathrm{PubK}_{B,\Pi'}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$. Therefore we obtain $\Pr[\mathrm{PubK}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$, which completes the proof.

Lemma 3.4. For all  < p(n), there exists a public-key bit-encryption scheme secure in the random oracle model but insecure when implemented with any efficiently computable (poly, )-ensemble.

Proof. Fix some  < p(n). We modify the scheme Π described above to use a (poly, )-ensemble F to implement the random oracle, thus obtaining the scheme Π = (Gen, Enc, Dec):

– Gen: On input $1^n$, choose $s \leftarrow_\$ \{0,1\}^n$, run $(pk, sk) \leftarrow_\$ \mathrm{Gen}^{f_s}(1^n)$, and output ((pk, s), (sk, s)).
– Enc: Output $\mathrm{Enc}_{pk}(b)$.
– Dec: Output $\mathrm{Dec}_{sk}(c)$.

Now the seed s is part of the public key, and it is known to the adversary. Thus, the adversary can simply parse pk into $(pk', iO(C))$, and provide as input to iO(C) the description of Eval, thus learning sk.

4 Extensions

Our approach used in Sect. 3 can be applied to more than just bit-encryption. Here we show how to extend our result to provide separations for protocols satisfying most "natural" simulation- or game-based definitions. In Sect. 4.1, we show how to adapt our separation to work for a large class of protocols secure under simulation-based definitions. Likewise, in Sect. 4.2, we adapt our separation to work for a class of protocols secure under game-based definitions. Although the theorem statements below provide separations in the random oracle model, the same approach can be applied to other idealized models (e.g., the generic-group model).

4.1 Separations for Simulation-Based Definitions

Here we focus on the universal composability (UC) framework [9]; we believe the separation detailed below can be easily adapted to other simulation-based models. In what follows, we assume the reader is familiar with the UC framework. We consider well-formed functionalities [12]. We call an ideal functionality f trivial if it can be realized by an "all revealing" protocol π as described in the following:

Definition 4.1. Let f be an ideal functionality in the UC framework, and let π be a protocol where, upon initialization, all parties broadcast their initial randomness and inputs. Then f is trivial if for all environments E and for all adversaries A, there exists a simulator S such that $\Pr[\mathrm{exec}_{f,S,E} = \mathrm{exec}_{\pi,A,E}] = $ .

We now prove the following.

Footnote: Recall that Eval is the algorithm such that $\mathrm{Eval}(s, x) = f_s(x)$ for all $s \in \{0,1\}^n$ and $x \in \{0,1\}^*$.
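To make the mechanism behind Theorem 3.2 and Lemma 3.4 of Sect. 3 concrete, here is an added toy model; it is not the paper's code. A lazily sampled table stands in for the random oracle O, a seeded SHA-256 construction with Eval(s, x) = SHA-256(s ‖ x) stands in for the (poly, )-ensemble F, and a plain Python closure stands in for iO(C): it reproduces only C's input/output behaviour and hides nothing, and the underlying scheme Π' is a placeholder. The block also runs the RO-model adversary, whose seed guesses fail, beside the standard-model adversary, who hands the public seed to the circuit and recovers sk.

```python
"""Toy model of the bit-encryption separation (Theorem 3.2 / Lemma 3.4).

Added example, not the paper's code.  Stand-ins, all constructed here:
  O       -> lazily sampled random oracle with 256-bit outputs
  F, Eval -> Eval(s, x) = SHA-256(s || x); the seed s is the whole
             description of f_s that can be handed to the circuit C
  iO(C)   -> a closure reproducing C's input/output behaviour only
             (no hiding of x_i, y_i or sk takes place)
  Pi'     -> pk' and sk' of the underlying scheme are placeholders
"""
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

N = 8            # security parameter n: number of hardcoded (x_i, y_i) pairs
SEED_BYTES = 16  # length of the ensemble seed s (constructed value)

Circuit = Callable[[bytes], Optional[bytes]]


def eval_ensemble(s: bytes, x: bytes) -> bytes:
    """Eval(s, x) = f_s(x) for the toy function ensemble F."""
    return hashlib.sha256(s + x).digest()


class LazyRandomOracle:
    """Random oracle O: each fresh input gets an independent uniform 256-bit output."""

    def __init__(self) -> None:
        self._table: Dict[bytes, bytes] = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self._table:
            self._table[x] = secrets.token_bytes(32)
        return self._table[x]


def program_c(xs: List[bytes], ys: List[bytes], sk: bytes) -> Circuit:
    """Program C: on input a description s of a hash function, output sk iff
    Eval(s, x_i) = y_i for every hardcoded pair; otherwise output nothing."""

    def c(desc: bytes) -> Optional[bytes]:
        if all(eval_ensemble(desc, x) == y for x, y in zip(xs, ys)):
            return sk
        return None

    return c


def gen(oracle: Callable[[bytes], bytes]) -> Tuple[Tuple[bytes, Circuit], bytes]:
    """Gen of the modified scheme Pi: pk = (pk', iO(C)), sk = sk'."""
    sk = secrets.token_bytes(16)                     # placeholder for sk'
    xs = [secrets.token_bytes(N) for _ in range(N)]  # x_i <-$ {0,1}^n (n bytes here)
    ys = [oracle(x) for x in xs]                     # y_i <- O(x_i)
    return (b"pk'-placeholder", program_c(xs, ys, sk)), sk


def gen_instantiated() -> Tuple[Tuple[bytes, Circuit, bytes], bytes]:
    """Gen of the instantiated scheme (Lemma 3.4): O is replaced by f_s and
    the seed s is published as part of the public key."""
    s = secrets.token_bytes(SEED_BYTES)
    (pk_base, obf), sk = gen(lambda x: eval_ensemble(s, x))
    return (pk_base, obf, s), sk


def attack_ro_model(pk: Tuple[bytes, Circuit], tries: int = 1000) -> Optional[bytes]:
    """Adversary against Pi in the RO model.  It holds no short description
    of O, so all it can do is guess seeds; a guess has to match n independent
    256-bit values, i.e. it succeeds with probability 2^-(256 n) per try."""
    _, obf = pk
    for _ in range(tries):
        out = obf(secrets.token_bytes(SEED_BYTES))
        if out is not None:
            return out
    return None


def attack_standard_model(pk: Tuple[bytes, Circuit, bytes]) -> Optional[bytes]:
    """Adversary against the instantiated scheme: the description of the hash
    function is the public seed s, so feeding it to iO(C) returns sk directly."""
    _, obf, s = pk
    return obf(s)


def separation_holds() -> Tuple[bool, bool]:
    """Run both experiments once and report (RO-model attack failed,
    standard-model attack recovered sk)."""
    ro_pk, _ = gen(LazyRandomOracle())
    std_pk, std_sk = gen_instantiated()
    return (attack_ro_model(ro_pk) is None,
            attack_standard_model(std_pk) == std_sk)


if __name__ == "__main__":
    print(separation_holds())  # (True, True)
```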
Theorem 4.2. Consider a non-trivial ideal functionality f in the UC framework, and let π be a protocol which UC-realizes f in the F-hybrid world. Then for all choices of  ∈ poly(n), there exists some protocol π' which UC-realizes f in the $(F, F_{RO})$-hybrid world but is not UC-realizable when instantiated with a (poly, )-ensemble.

Proof. Fix some non-trivial ideal functionality f for some set of parties $P = \{P_1, \ldots, P_m\}$, and let π be a t-round protocol which UC-realizes f. On protocol initialization, each party $P_i$ is initialized with randomness $r_i$ and given input $x_i$. Let $M^k_{i,j}$ denote the message sent from party $P_i$ to party $P_j$ in round k; without loss of generality, we assume that for all parties $P_i$ and $P_j$ and for all rounds  ≤ k ≤ t, message $M^k_{i,j}$ exists.⁴

Now fix some  ∈ poly(n). We construct a protocol π' as follows. Protocol π' runs exactly as π except for the first round of the protocol. In this round, each party $P_i$ proceeds as follows. For $j \in \{1, \ldots, n\}$, $P_i$ chooses $z_j \leftarrow_\$ \{0,1\}^n$ and computes $y_j \leftarrow O(z_j)$. Then, based on input $x_i$, randomness $r_i$, as well as $\{z_j, y_j\}_j$, party $P_i$ creates an obfuscation of the program $C_i$ as defined in Fig. and sends $iO(C_i)$ over the standard channel, in addition to sending message $M_{i,j}$ as normal (i.e., this message may be sent using some hybrid functionality).

Fig. Program $C_i$

Lemma 4.3. Assume that iO is an indistinguishability obfuscator. Then for any choice of  ∈ poly(n) the construction π' UC-realizes f in the $(F, F_{RO})$-hybrid world.

Proof (Sketch). This follows directly from the fact that with high probability there is no "small representation" of a random oracle, and the argument is very similar to that of Lemma 3.3. We thus only give the high-level idea below. Let A be an adversary attacking protocol π'; we construct a simulator S' as follows. The simulator S' simply runs the simulator S for protocol π and outputs whatever S outputs. Intuitively, the output of S' is indistinguishable from that of A because π' is exactly the same as π
except for the sending of $iO(C_i)$ by party $P_i$. However, with high probability over the choices of the random oracle (cf. Lemma 3.3), this obfuscation is identical to the obfuscation of the zero circuit, and thus A gains no advantage from this additional information.

Footnote: $F_{RO}$ is defined in Fig.
⁴ This is without loss of generality because $M^k_{i,j}$ can always be the empty message.

Lemma 4.4. Assume that iO is an indistinguishability obfuscator. Then for any choice of  ∈ poly(n) the construction π' is completely insecure in the F-hybrid world (i.e., when the random oracle is instantiated by any efficiently computable (poly, )-ensemble).

Proof (Sketch). Let A be an adversary attacking π'. Adversary A reads the messages sent by all parties, and thus receives $iO(C_i)$ from all parties $P_i$ (recall that $iO(C_i)$ is sent over the standard channel). Thus, A can extract $P_i$'s randomness and input by providing the instantiation of the random oracle as input to $iO(C_i)$, and can thus reproduce the internal state and inputs of all parties. Now suppose towards a contradiction that π' UC-realizes f. This implies that there exists some simulator S which, when interacting with f, produces a transcript similar to that produced by A; namely, S must be able to reproduce the internal state and inputs of all honest parties given only access to f. However, this implies that f is trivial, a contradiction. This completes the proof.

Theorem 4.2 can be easily adapted to other idealized models besides the random oracle model, such as the generic group model, the random permutation model, etc. Thus, assuming iO, we are able to show idealized model separations for most protocols secure in the UC framework.

4.2 Separations for Game-Based Definitions

We first give a general framework for what we mean by a "game-based" definition. We consider only single-stage games, where an adversary A interacts with some challenger C. A game-based definition G is defined by a tuple $(C, O_1, \ldots, O_k, O_{k+1}, \ldots, O_m, k, f, T)$, where C denotes a ppt algorithm (i.e., the challenger's code), $O_1, \ldots, O_k$ denote oracles available to both A and C, $O_{k+1}, \ldots, O_m$ denote oracles available only to C, f denotes a predicate function, and T denotes a threshold function. Each oracle $O_i$ outputs tuples of strings. The randomness of all the oracles is initialized by C. A scheme/protocol Π implements G if it implements the oracles $O_1, \ldots, O_m$.

For definition G and scheme Π which implements G, let $z \leftarrow A^{O_1, \ldots, O_k}$ denote the output of the adversary after interacting with C, where all the oracle calls are "routed through" C. That is, each oracle available to A is first initialized by C, where the initialization fixes both the oracle's randomness and (optionally) some of the oracle's inputs; all queries by A to oracle $O_i$ go through this (fixed) oracle. For example, if $O_i$ is an encryption oracle, C fixes both the initial randomness and the public key; any queries by A will thus be encrypted under the fixed public key using the fixed initial randomness. The predicate f takes as input the initial randomness of C and the output of A, and outputs a bit.

We define A's success probability against scheme Π in G as
$$\mathrm{Succ}_A[G, \Pi] \stackrel{\mathrm{def}}{=} \Pr_{r, r_1, \ldots, r_k}\bigl[z \leftarrow A^{O_1, \ldots, O_k} : f(r, z) = 1\bigr].$$
That is, A's success probability is the probability that it can make the predicate f output 1, where the probability is over the choices of C's and the oracles' randomness. We say that a scheme Π securely implements G, or is secure, if it holds that $\mathrm{Succ}_A[G, \Pi] \le T(n) + \mathrm{negl}(n)$; otherwise the scheme is called insecure.

As an example, consider the definition for bit-encryption as presented in Sect. 3. This is captured in our framework as follows. We define three oracles, $O_1 = \mathrm{Enc}$, $O_2 = \mathrm{Gen}$, and $O_3 = \mathrm{Dec}$, corresponding to the three algorithms required for bit-encryption. Since A only has access to the encryption oracle, we set k = 1. The challenger C is defined as in Sect. 3. The predicate f(r, z) runs C(r) until C computes b, and
outputs whether or not b equals z (where z is the value output by A). The threshold function is set to T(n) = 1/2.

We call a game-based definition G trivially secure if for all secure schemes Π it holds that
$$\mathrm{Succ}_A[G, \Pi] = \Pr_{r, r_1, \ldots, r_k}\bigl[z \leftarrow A^{O_1, \ldots, O_k}(r) : f(r, z) = 1\bigr].$$
That is, a definition is trivially secure if a scheme satisfying the definition is as secure as in the setting where the adversary is given all the initial randomness of C. As an example, note that bit encryption is not trivially secure: if A were given the randomness r of C, it could simply run C internally and extract the secret key sk, thus succeeding with probability 1, whereas without r, A succeeds with probability 1/2 + negl(n) (assuming some underlying hard problem, of course). However, consider a game where C chooses a random x, computes y := H(x) for some cryptographic hash function H, and sends y to A; security holds if A cannot find an x' ≠ x such that H(x') = y. In this setting, whether A has x or not does not necessarily help it break security, and thus this definition may be trivially secure for certain instantiations of H.

Note that we can easily integrate idealized models, such as the random oracle model, into this framework by including an additional oracle, available to both A and C, which implements the desired idealized functionality.

Now we want to show that for all game-based definitions G, for all protocols Π which securely implement G in the random oracle model, and for all choices of  ∈ poly(n), there exists some protocol Π' secure in the random oracle model but insecure in the standard model when instantiated with a (poly, )-ensemble. However, it turns out that the notion of a game-based definition defined above is too strong to prove this result. This is because we place no restrictions on the challenger C. As an example, consider a modified bit-encryption game where the challenger acts exactly as before, except that it refuses to send any bits to A that "look like" an obfuscated circuit. This
simple modification to the challenger prevents our attack from working for particular implementations of iO, e.g., ones that prepend each obfuscated circuit with the string "this is an obfuscated circuit".

We thus consider a restriction on the above framework, and in particular a restriction on the actions of C. Consider a challenger which, on input randomness r, runs with oracle access to $O_1, \ldots, O_m$ as before. When C queries an oracle, it receives back a tuple $(s_1, \ldots)$. We call a challenger weakened if all messages sent to A are values within the tuples output by the oracle queries. For example, if C queries an oracle which implements key generation for some public-key cryptosystem, it receives back the tuple (pk, sk). If the challenger is weakened, it can send pk, sk, both, or neither to A, but it cannot send f(pk) for some arbitrary function f, and likewise it cannot send some value x not output by an oracle. Note that most game-based definitions use this weakened challenger notion. We call G a weak game-based definition if it is a game-based definition as defined above, except with the requirement that C be a weakened challenger. We are now ready to prove the following theorem.

Theorem 4.5. Consider a non-trivially secure weak game-based definition G, and let Π be a protocol which securely implements G. Then for all choices of  ∈ poly(n), there exists some protocol Π' secure in the random oracle model but insecure when instantiated with a (poly, )-ensemble.

Proof. Fix some non-trivially secure weak game-based definition G, and let Π be a protocol which securely implements G (Π need not be in the random oracle model). Fix some  ∈ poly(n). We construct a protocol Π' as follows. Protocol Π' runs exactly as Π except for the first message sent from C to A. Let M be this message. In protocol Π', C proceeds as follows. Let r be the initial randomness of C. For $i \in \{1, \ldots, n\}$, C chooses $x_i \leftarrow_\$ \{0,1\}^n$ and computes $y_i \leftarrow O(x_i)$. Then, C creates
an obfuscation iO(C) of the program C defined in Fig. and sends M to A, where M = (M, iO(C)).

Fig. Program C

Lemma 4.6. Assume that iO is an indistinguishability obfuscator. Then for any choice of  ∈ poly(n) the construction Π securely implements G in the random oracle model.

Proof (Sketch). This follows exactly as in Lemma 4.3.

600 M.D. Green et al.

Lemma 4.7. Assume that iO is an indistinguishability obfuscator. Then for any choice of  ∈ poly(n) the construction Π is insecure when the random oracle is instantiated by any efficiently computable (poly, )-ensemble.

Proof (Sketch). We apply the same idea as in Lemma 4.4. Let A be the adversary. Upon receiving the first message from C, A can extract C's initial randomness r and thus reproduce the internal state of C. By our assumption that G is not trivially secure, Π is thus insecure. This completes the proof.

Note that, as in the simulation-based case, we can easily adapt Theorem 4.5 to other idealized models and thus achieve idealized model separations for most game-based protocols, assuming indistinguishability obfuscation.

Extensions to the Generic Group Model

To demonstrate how to adapt Theorems 4.2 and 4.5 to other idealized models, we provide here an adaptation to the generic group model. We first define the generic group model and how this model is instantiated using encoding ensembles [15] (which can be thought of as analogous to the function ensembles used for instantiating the random oracle model).

Generic Group Model. Let $\mathrm{out} : \mathbb{N} \to \mathbb{N}$ be a length function with $\mathrm{out}(n) \ge n$, and define the set $S = \{0,1\}^{\mathrm{out}(n)}$. Let $p$ be an $n$-bit prime. The generic group model is defined by two oracles, $\mathcal{O}_{\mathrm{enc}}$ and $\mathcal{O}_{\mathrm{add}}$, available to all parties, where $\mathcal{O}_{\mathrm{enc}} : \mathbb{Z}_p \to S$ such that $\mathcal{O}_{\mathrm{enc}}(x) = \mathcal{O}_{\mathrm{enc}}(y)$ iff $x = y$, and $\mathcal{O}_{\mathrm{add}} : S \times S \times \mathbb{Z}_2 \to S$ such that $\mathcal{O}_{\mathrm{add}}(\mathcal{O}_{\mathrm{enc}}(x), \mathcal{O}_{\mathrm{enc}}(y), b) = \mathcal{O}_{\mathrm{enc}}(x + (-1)^b y)$.

Encoding Ensembles. Let $\mathrm{out} : \mathbb{N} \to \mathbb{N}$ be a length function with $\mathrm{out}(n) \ge n$. An out-encoding-ensemble is a sequence $\mathcal{F} = \{F_n\}_{n \in \mathbb{N}}$ of families of functions $F_n = \{f_s : \mathbb{Z}_p \to \{0,1\}^{\mathrm{out}(n)}\}_{s \in \{0,1\}^n}$ such that the following conditions hold:

- There exists a polynomial-time algorithm Eval such that for every $s \in \{0,1\}^n$ and $x \in \mathbb{Z}_p$ it holds that $\mathrm{Eval}(s, x) = f_s(x)$.
- There exists a polynomial-time algorithm Add such that $\mathrm{Add}(s, f_s(x), f_s(y), b) = f_s(x + (-1)^b y)$.

As in the function ensemble case, let $\mathrm{eval}(n)$ be the length of the bitstring representation of Eval. Let a (poly, )-encoding-ensemble be a class of -encoding-ensembles such that  ∈ poly(n) (with the restriction that  ≥ n) and the bitstring representation of Eval is ≤ .

Let $\mathcal{F}_{\mathrm{GG}}$ denote the "natural" adaptation of the generic group model to the UC framework (see Fig. 2). We can now prove the following theorem. Note that we only need $\mathcal{O}_{\mathrm{enc}}$ to prove our separation results.

A Unified Approach to Idealized Model Separations 601

Theorem 5.1. Consider a non-trivial ideal functionality f in the UC framework, and let π be a protocol which UC-realizes f in the $\mathcal{F}$-hybrid world. Then for all choices of  ∈ poly(n), there exists some protocol π which UC-realizes f in the $(\mathcal{F}, \mathcal{F}_{\mathrm{GG}})$-hybrid world but is not UC-realizable when instantiated with a (poly, )-encoding-ensemble.

Proof. The proof structure follows exactly that shown in Theorem 4.2. The only difference is that instead of each party querying the random oracle when constructing the obfuscated circuit, they instead query $\mathcal{O}_{\mathrm{enc}}$. The proof follows immediately from the fact that with high probability there is no "small representation" of $\mathcal{O}_{\mathrm{enc}}$, whereas when $\mathcal{O}_{\mathrm{enc}}$ is instantiated with a concrete function, the adversary can easily extract the hidden information to break security.

The adaptation of Theorem 4.5 is similar, and thus we only present the theorem statement.

Theorem 5.2. Consider a non-trivially secure weak game-based definition G, and let Π be a protocol which securely implements G. Then for all choices of  ∈ poly(n), there exists some protocol Π secure in the generic group model but insecure when instantiated with a (poly, )-encoding-ensemble.
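The two definitions above, the generic group oracles and an encoding ensemble, side by side as an added example; this is illustrative code written for this page, not the paper's own construction. The generic group oracles are realized as a lazily sampled random injection, so the encoding has no description shorter than its own table. The concrete ensemble instantiates $f_s(x) = g_s^x \bmod q$ in a prime-order subgroup of $\mathbb{Z}_q^*$; the choice of $q$, the order-$p$ element $h$ and the seed-to-generator map are assumptions made here for illustration, and the toy parameters $p = 11$, $q = 23$, $h = 2$ are constructed. The checker at the end exhaustively verifies injectivity and the Add relation for either implementation.

```python
import secrets


class GenericGroup:
    """Generic group model oracles O_enc and O_add over Z_p, sampled lazily.

    O_enc is a random injection Z_p -> {0,1}^out. Labels are drawn on first
    use, so the only description of the encoding is the table itself: there
    is no short program that computes it, which is the property the generic
    group separations rely on.
    """

    def __init__(self, p: int, out_bits: int):
        if out_bits < p.bit_length():
            raise ValueError("out(n) >= n is required")
        self.p = p
        self.out_bytes = (out_bits + 7) // 8
        self._enc = {}   # x -> O_enc(x)
        self._dec = {}   # O_enc(x) -> x, used only to realise O_add

    def enc(self, x: int) -> bytes:
        """O_enc(x): a fresh uniformly random, never-reused label per element."""
        x %= self.p
        if x not in self._enc:
            label = secrets.token_bytes(self.out_bytes)
            while label in self._dec:            # keep the map injective
                label = secrets.token_bytes(self.out_bytes)
            self._enc[x] = label
            self._dec[label] = x
        return self._enc[x]

    def add(self, a: bytes, b: bytes, bit: int) -> bytes:
        """O_add(O_enc(x), O_enc(y), b) = O_enc(x + (-1)^b * y)."""
        if a not in self._dec or b not in self._dec:
            raise ValueError("argument is not a valid group encoding")
        x, y = self._dec[a], self._dec[b]
        return self.enc(x + (-1) ** bit * y)


class ExpEncodingEnsemble:
    """A concrete, efficiently computable encoding ensemble f_s(x) = g_s^x mod q.

    Constructed for illustration (assumption, not the paper's instantiation):
    q is a prime with p | q-1, h is a fixed element of order p in Z_q^*, and
    the seed s selects the generator g_s = h^((s mod (p-1)) + 1), which again
    has order p, so f_s is injective. Eval and Add are short fixed programs,
    i.e. the ensemble has a small bitstring representation, in contrast to
    the lazily sampled table above.
    """

    def __init__(self, p: int, q: int, h: int, out_bits: int):
        if (q - 1) % p != 0 or pow(h, p, q) != 1 or h % q == 1:
            raise ValueError("h must have order p in Z_q^*")
        if out_bits < q.bit_length():
            raise ValueError("out_bits too small to encode Z_q elements")
        self.p, self.q, self.h = p, q, h
        self.out_bytes = (out_bits + 7) // 8

    def eval(self, s: int, x: int) -> bytes:
        """Eval(s, x) = f_s(x), encoded as an out_bits-bit string."""
        g = pow(self.h, (s % (self.p - 1)) + 1, self.q)
        return pow(g, x % self.p, self.q).to_bytes(self.out_bytes, "big")

    def add(self, s: int, a: bytes, b: bytes, bit: int) -> bytes:
        """Add(s, f_s(x), f_s(y), b) = f_s(x + (-1)^b * y) via arithmetic in Z_q^*."""
        X = int.from_bytes(a, "big")
        Y = int.from_bytes(b, "big")
        if bit:
            Y = pow(Y, -1, self.q)               # modular inverse (Python >= 3.8)
        return ((X * Y) % self.q).to_bytes(self.out_bytes, "big")


def satisfies_add_law(enc, add, p: int) -> bool:
    """Exhaustively check injectivity of enc and the O_add / Add relation over Z_p."""
    labels = [enc(x) for x in range(p)]
    if len(set(labels)) != p:
        return False
    for x in range(p):
        for y in range(p):
            for bit in (0, 1):
                if add(labels[x], labels[y], bit) != labels[(x + (-1) ** bit * y) % p]:
                    return False
    return True


if __name__ == "__main__":
    p, q, h = 11, 23, 2              # constructed toy parameters: 2 has order 11 in Z_23^*
    gg = GenericGroup(p, out_bits=8)
    print("generic group oracles consistent:", satisfies_add_law(gg.enc, gg.add, p))
    ens = ExpEncodingEnsemble(p, q, h, out_bits=8)
    s = 7                            # seed s in {0,1}^n, held as an integer
    print("encoding ensemble consistent:",
          satisfies_add_law(lambda x: ens.eval(s, x),
                            lambda a, b, bit: ens.add(s, a, b, bit), p))
```

Both objects pass the same consistency check, which is the point of the definition: an encoding ensemble is required to behave exactly like the oracles. The difference that the separation theorems exploit is not behavioural but descriptive: the `ExpEncodingEnsemble` class is a fixed, short program that anyone (including a program embedded in an obfuscated circuit) can carry, whereas the `GenericGroup` table is only reachable through oracle queries and grows with every element touched.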
Footnote: $\mathcal{F}_{\mathrm{GG}}$ is defined in Fig.

Acknowledgments. The authors would like to thank Brent Waters and Susan Hohenberger for helpful conversations during the course of this work.

References

1. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014)
2. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2) (2012)
3. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004)
4. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013)
5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press (1993)
6. Bitansky, N., Canetti, R., Cohn, H., Goldwasser, S., Kalai, Y.T., Paneth, O., Rosen, A.: The impossibility of obfuscation with auxiliary input or a universal simulator. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 71–89. Springer, Heidelberg (2014)
7. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014)
8. Brzuska, C., Farshim, P., Mittelbach, A.: Random-oracle uninstantiability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.)
TCC 2015, Part II. LNCS, vol. 9015, pp. 428–455. Springer, Heidelberg (2015)
9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (2001)
10. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
11. Canetti, R., Goldreich, O., Halevi, S.: On the random-oracle methodology as applied to length-restricted signature schemes. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 40–57. Springer, Heidelberg (2004)
12. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th STOC, pp. 494–503. ACM Press (2002)
13. Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012)
14. De Caro, A., Iovino, V., Jain, A., O'Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013)
15. Dent, A.W.: Adapting the weaknesses of the random oracle model to the generic group model. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 100–109. Springer, Heidelberg (2002)
16. Dent, A.W.: Fundamental problems in provable security and cryptography. Philos. Trans. R. Soc. A 364, 3215–3230 (2006)
17. Dodis, Y., Oliveira, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.)
CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005)
18. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)
19. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2008)
20. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press (2003)
21. Hofheinz, D., Jager, T., Khurana, D., Sahai, A., Waters, B., Zhandry, M.: How to generate and use universal samplers. Cryptology ePrint Archive, Report 2014/507 (2014). http://eprint.iacr.org/2014/507
22. Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. Cryptology ePrint Archive, Report 2014/720 (2014). http://eprint.iacr.org/2014/720
23. Hofheinz, D., Müller-Quade, J.: Universally composable commitments using random oracles. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 58–76. Springer, Heidelberg (2004)
24. Kiltz, E., Pietrzak, K.: On the security of padding-based encryption schemes – or – why we cannot prove OAEP secure in the standard model. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 389–406. Springer, Heidelberg (2009)
25. Leurent, G., Nguyen, P.Q.: How risky is the random-oracle model? In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 445–464. Springer, Heidelberg (2009)
26. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
27. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.)
CRYPTO 2002. LNCS, vol. 2442, p. 111. Springer, Heidelberg (2002)
28. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)

Author Index

Attrapadung, Nuttapong
Au, Man Ho 42
Baum, Carsten 468
Beierle, Christof 431
Beimel, Amos 509
Biagioni, Silvio 62
Boldyreva, Alexandra 83
Bradley, Tatiana 449
Brakerski, Zvika 551
Camenisch, Jan 104, 353
Catalano, Dario 333
Chen, Jie 23
Choudhury, Ashish 147
Cohen, Ran 129
Dagmi, Or 551
del Pino, Rafael 273
Deng, Yi 237
Di Raimondo, Mario 333
Dolev, Shlomi 529
ElDefrawy, Karim 529
Enderlein, Robert R. 104
Faber, Sky 449
Faro, Simone 333
Farràs, Oriol 509
Fuchsbauer, Georg 391
Fujisaki, Eiichiro 257
Garay, Juan 237
Ghosh, Esha 216
Gnam, Trotta 191
Goodrich, Michael T. 216
Green, Matthew D. 587
Guo, Fuchun
Hanaoka, Goichiro 42, 372
Hanser, Christian 391
Hazay, Carmit 313, 486
Hemenway, Brett 169
Kamath, Chethan 391
Katz, Jonathan 587
Kim, Jongkil
Kim, Taesoo 83
Lampkins, Joshua 529
Lehmann, Anja 353
Libert, Benoît 23
Ling, San 237
Lipton, Richard 83
Lu, Steve 169
Lyubashevsky, Vadim 273
Malozemoff, Alex J. 587
Marcedone, Antonio 571
Masny, Daniel 62
Matsuda, Takahiro 372
Maurer, Ueli 104
Mittelbach, Arno 198
Neven, Gregory 353
Ogawa, Kazuto 42
Ohrimenko, Olga 216
Ohtake, Go 42
Orsini, Emmanuela 147
Ostrovsky, Rafail 169, 529
Pass, Rafael 571
Patra, Arpita 147
Peikert, Chris 129, 411
Peter, Naty 509
Pointcheval, David 273
Ramanna, Somindu C. 23
Reyzin, Leonid 292
Samelin, Kai 353
Shelat, Abhi 571
Slamanig, Daniel 391
Smart, Nigel P. 147
Susilo, Willy
Tamassia, Roberto 216
Tanaka, Keisuke 372
Tsudik, Gene 449
Warinschi, Bogdan 83
Watanabe, Hajime 42
Welser IV, William 169
Venkitasubramaniam, Muthuramakrishnan 486
Venturi, Daniele 62, 198
Yakoubov, Sophia 292
Yamada, Shota 42
Yung, Moti 237, 529
Wang, Huaxiong 237
Wang, Yuyu 372
Zarosim, Hila 313
Zhou, Hong-Sheng 587