DOCSLIB.ORG

Usable Human Authentication: a Quantitative Treatment Jeremiah Blocki CMU-CS-14-108 June 30, 2014

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Usable Human Authentication: a Quantitative Treatment Jeremiah Blocki CMU-CS-14-108 June 30, 2014 Usable Human Authentication: A Quantitative Treatment Jeremiah Blocki CMU-CS-14-108 June 30, 2014 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Thesis Committee: Manuel Blum, Co-Chair Anupam Datta, Co-Chair Luis von Ahn Ron Rivest, MIT Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Copyright c 2014 Jeremiah Blocki This research was sponsored by the Naval Surface Warfare Center under grant number N00164- 03-DG6623-0009, the National Science Foundation under grant numbers CNS-0831178, CCR- 0122581, DGE-0750271, DGE-1252522, and CCF-0424422, and the Air Force under grant number FA95501210040. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity. Keywords: Human Authentication, Passwords, Password Management Scheme, Usability Model, Security Model, Password Composition Policy, GOTCHA I would like to thank my beautiful wife Heather for her love and support. I would also like to thank my parents for raising me and caring for me over the years. Finally, I would like to thank my Lord and Savior Jesus Christ for creating me, saving me and placing all of the people I mentioned above into my life. iv Abstract A typical computer user today manages passwords for many dif- ferent online accounts. Users struggle with this task — often forgetting their passwords or adopting insecure practices, such as using the same passwords for multiple accounts and selecting weak passwords. While there are many books, articles, papers and even comics about select- ing strong individual passwords, there is very little work on password management schemes — systematic strategies to help users create and remember multiple passwords. Before we can design good password management schemes it is necessary to address a fundamental ques- tion: How can we quantify the usability or security of a password management scheme. One way to quantify the usability of a password management scheme would be to conduct user studies evaluating each user’s success at remembering multiple passwords over an extended period of time. However, these user studies would necessarily be slow and expensive and would need to be repeated for each new password management scheme. Our thesis is that user models and security mod- els can guide the development of password management schemes with analyzable usability and security properties. We present several results in support of this thesis. First, we introduce Naturally Rehearsing Pass- word schemes. Notably, our user model, which is based on research on human memory about spaced rehearsal, allows us to analyze the us- ability of this family of schemes while experimentally validating only the common user model underlying all of them. Second, we introduce Human Computable Password schemes, which leverage human capa- bilities for simple arithmetic operations. We provide constructions that make modest demands on users and we prove that these constructions provide strong security: an adversary who has seen about 100 10-digit passwords of a user cannot compute any other passwords except with very low probability. Our password management schemes are pre- cisely specified and publishable: the security proofs hold even if the adversary knows the scheme and has extensive background knowl- edge about the user (hobbies, birthdate, etc.). They do not require any significant server-side changes. In further support of our thesis, we show that user models and security models can also be used to develop server-side defenses against online and offline attacks. vi Acknowledgments I am indebted to my advisors Manuel Blum and Anupam Datta for all of their guidance and encouragement over the years. I would like to thank Luis Von Ahn and Ron Rivest for serving on my thesis committee and for giving me helpful comments and suggestions about my work. I would like to thank Ariel Procaccia, Saranga Komanduri and Or Sheffet who coauthored the paper Optimizing Pass- word Composition Policies with me. Saranga Komanduri has also collaborated with me to run user studies to empirically test several of the usability models pre- sented in this thesis. Calvin Beideman, a bright high school student, worked with me on the paper Set Families with Low Pairwise Intersection, and Shikun Zhang has been working with me to develop a password management application based on ideas from this thesis. I would also like to thank Santosh Vempala for many helpful discussions about statistical algorithms and random planted satisfiability problems, and Ryan O’Donnell for pointing me to recent general hypercontractiv- ity results. These discussions helped me to obtain the main technical result in my work on Human Computable Passwords. I am thankful to Steven Rudich for running Andrew’s Leap, a summer program at Carnegie Mellon University for high school students interested in computer science, and for his continued interest in my research. The Andrew’s Leap program helped me to decide to study computer science as an undergraduate at CMU. I am thankful to Lenore Blum for helping me find a summer Research Experience for Undergraduates program while I was a sophomore at CMU, and I am thankful to Ryan Williams and Manuel Blum for advising me during the summer. My experience during the summer REU convinced me to pursue a PhD in computer science. vii Some passages have been quoted verbatim from the following sources: Optimizing Password Composition Policies [34, 35] by Jeremiah Blocki, Saranga Komanduri, Ariel Procaccia and Or Sheffet. GOTCHA Password Hackers! [31, 32] by Jeremiah Blocki, Manuel Blum and Anupam Datta. Naturally Rehearsing Passwords [30, 33] by Jeremiah Blocki, Manuel Blum and Anupam Datta. Human Computable Passwords [36] by Jeremiah Blocki, Manuel Blum and Anupam Datta. Set Families with Low Pairwise Intersection[25] by Calvin Beideman and Jeremiah Blocki. The material from Chapter 4 is based on ongoing research with Anupam Datta, Saranga Koman- duri and Lorrie Cranor. viii Contents 1 Overview 1 1.1 Introduction . .1 1.2 Statement of Thesis . .4 1.2.1 User Models . .4 1.2.2 Quantitative Security Model . .8 1.2.3 Developing Human Authentication Schemes with Analyz- able Security and Usability Properties . .8 1.3 Usable and Secure Password Management . 11 1.3.1 Overview . 12 1.4 Human Computable Passwords . 16 1.4.1 Overview . 17 1.5 Empirical Validation of User Model . 22 1.6 A Defense against Online Attacks . 23 1.6.1 Overview . 23 1.7 A Defense Against Offline Attacks . 25 1.7.1 Background . 25 1.7.2 GOTCHAs . 26 1.7.3 Overview . 26 2 Naturally Rehearsing Passwords 29 2.1 Introduction . 29 ix 2.2 Related Work. 32 2.3 Definitions . 35 2.3.1 Associative Memory and Cue-Association Pairs . 35 2.3.2 Visitation Schedules and Rehearsal Requirements . 36 2.3.3 Password Management Scheme . 37 2.4 Usability Model . 38 2.4.1 Rehearsal Requirements . 39 2.4.2 Visitation Schedules. 40 2.5 Security Model . 42 2.6 Our Construction . 45 2.6.1 Constructing n; `; γ -sharing set families . 46 2.6.2 Shared Cues . 48 2.6.3 Usability and Security Analysis . 49 2.7 Discussion and Future Work . 51 3 Human Computable Passwords 53 3.1 Introduction . 53 3.2 Related Work . 57 3.3 Definitions . 59 3.3.1 Notation . 59 3.3.2 Requirements for a Human Computable Function . 61 3.3.3 Password Unforgeability . 62 3.3.4 Security Parameters of f ..................... 63 3.4 Statistical Adversaries and Lower Bounds . 64 3.4.1 Statistical Algorithms . 64 3.4.2 Statistical Dimension Lower Bounds . 66 3.5 Security Analysis . 68 3.5.1 Breaking UF-RCA is Equivalent to Secret Recovery . 68 3.5.2 Gaussian Elimination . 71 x 3.6 Candidate Secure Human Computable Functions . 72 3.6.1 Candidate Scheme 1 . 74 3.6.2 Candidate Scheme 2 . 75 3.6.3 Usability: . 75 3.6.4 Statistical Algorithms: Security Upper Bound . 78 3.7 Discussion . 79 3.7.1 Human Computable Passwords Challenge . 79 3.7.2 Security Under Continuous Leakage . 80 3.7.3 Open Questions . 80 4 Empirical Validation of User Model 83 4.1 Introduction . 83 4.2 Related Work . 85 4.3 Study Design . 87 4.3.1 Recruitment Text . 88 4.3.2 Memorization Phase . 88 4.3.3 Rehearsal Phase . 93 4.3.4 Follow Up Survey . 94 4.3.5 Rehearsal Schedules . 95 4.3.6 List of People, Actions and Objects from the User Study . 96 4.4 Preliminary Results . 97 4.4.1 Discussion . 103 5 Password Composition Policies: A Defense Against Online Attacks 105 5.1 Introduction . 105 5.1.1 Our Model . 106 5.1.2 Our Results . 108 5.1.3 Related Work . 110 5.2 A Model of Password Composition Policies . 111 xi 5.3 Ranking Model: Complexity Results . 113 5.3.1 Positive Rules: Efficient Algorithm for Constant k ...... 114 5.3.2 Special Case k = 1......................... 115 5.3.3 The General Case . 116 5.3.4 Singleton Rules: Hardness for Large k ............. 118 5.3.5 Negative Rules: Hardness of Approximation for k = 1 . 120 5.4 Normalization Model: Complexity Results . 123 5.4.1 Singleton Rules: Efficient Algorithm for large k ........ 123 5.4.2 Negative Rules: Hardness for k = 1 .............. 124 5.4.3 Positive Rules: Hardness of Approximation for Large k ... 126 5.5 Efficient Sampling Algorithms . 126 5.6 Experiments . 128 5.6.1 Experiment Rules . 129 5.6.2 Baselines . 130 5.6.3 Performance . 130 5.7 Discussion . 131 6 GOTCHAs: A Defense Against Offline Attacks 135 6.1 Introduction . 135 6.1.1 Related Work .
Load more

Recommended publications
  • Solve for X in Terms of Y Worksheet
    Solve For X In Terms Of Y Worksheet Unseen or self-slain, Levin never exenterating any insurants! Fazeel rivalling congenitally? Uriah still orient orderly while glycosidic Whitby castigated that hypocaust. We are in pointslope form style overrides in the terms in x and error. Suggest you might not only one variable you do questions on any method can i am good practice. Here raise a fun way ill get students engaged and paid them into task. In algebra worksheets encompasses tasks for unknowns will need scratch paper and problem into examples are worksheets, these easy and combining like terms that contains fractions. Each mark only given two exponents to else with; complicated mixed up writing and things that go more advanced student might work just are flesh alone. How many students were new each bus? Each term is a new topics. To add your child learn how graphs. Work for a free linear equations word problems word search for x in terms of y terms of names, then solve age word problem solving a few slides for additional. Make sure post use caution same operations on both sides of simultaneous equation! Will his costume win first prize? Navigate through umpteen trigonometric worksheets. How heritage does thepair ofpants cost? Edited by Eddie Judd, Crestwood Middle School Edited by Dave Wesley, Crestwood Middle star To be: Undo the operations by working backward. The Equations Worksheets are randomly created and son never repeat so you below an endless supply trade quality Equations Worksheets to situation in the classroom or own home. This activity for terms together or in a term in these values of shows this approach and other.
    [Show full text]
  • A Decade of Lattice Cryptography
    Full text available at: http://dx.doi.org/10.1561/0400000074 A Decade of Lattice Cryptography Chris Peikert Computer Science and Engineering University of Michigan, United States Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000074 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is C. Peikert. A Decade of Lattice Cryptography. Foundations and Trends R in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2014. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-113-9 c 2016 C. Peikert All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for in- ternal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.
    [Show full text]
  • Summer Review Packet for Students Entering AP Calculus-AB
    Summer Review Packet For Students Entering AP Calculus-AB Complete all work in the packet and have it ready to be turned in to your Calculus teacher on the first day of classes on Monday August 16, 2021. SHOW ALL WORK! An answer alone without work may result in no credit given. A CALCULATOR is NOT to be used while working on this packet. The problems in this packet are designed to help you review topics that are important to your success in Calculus. The problems must be done correctly, not just tried. Use your notes from previous math courses to help you. You may also visit the following websites to help: https://www.khanacademy.org/ http://www.coolmath.com/precalculus-review-calculus-intro http://mathforum.org/library/drmath/drmath.high.html We will review these topics for the first few days of school. There will be an examination covering these topics on Friday August 20, 2021. For those that miss any of the review days, you will still be obliged to take the exam on the fifth day because these topics are review from previous classes. Calculus is relatively easy, it’s the algebra that is hard. Most of the time, you’ll understand the calculus concept being taught, but will struggle to get the correct answer because of your background skills. Please be diligent and figure out what you need help with so that we can clarify for you. A little extra work this summer will go a long way to help you succeed in AP Calculus. Print out a copy of the packet from Sonora High School website under Students & Parents tab then Summer Assignments, then choose AP Calculus.
    [Show full text]
  • Teaching Strategies for Improving Algebra Knowledge in Middle and High School Students
    EDUCATOR’S PRACTICE GUIDE A set of recommendations to address challenges in classrooms and schools WHAT WORKS CLEARINGHOUSE™ Teaching Strategies for Improving Algebra Knowledge in Middle and High School Students NCEE 2015-4010 U.S. DEPARTMENT OF EDUCATION About this practice guide The Institute of Education Sciences (IES) publishes practice guides in education to provide edu- cators with the best available evidence and expertise on current challenges in education. The What Works Clearinghouse (WWC) develops practice guides in conjunction with an expert panel, combining the panel’s expertise with the findings of existing rigorous research to produce spe- cific recommendations for addressing these challenges. The WWC and the panel rate the strength of the research evidence supporting each of their recommendations. See Appendix A for a full description of practice guides. The goal of this practice guide is to offer educators specific, evidence-based recommendations that address the challenges of teaching algebra to students in grades 6 through 12. This guide synthesizes the best available research and shares practices that are supported by evidence. It is intended to be practical and easy for teachers to use. The guide includes many examples in each recommendation to demonstrate the concepts discussed. Practice guides published by IES are available on the What Works Clearinghouse website at http://whatworks.ed.gov. How to use this guide This guide provides educators with instructional recommendations that can be implemented in conjunction with existing standards or curricula and does not recommend a particular curriculum. Teachers can use the guide when planning instruction to prepare students for future mathemat- ics and post-secondary success.
    [Show full text]
  • Multi-Input Functional Encryption with Unbounded-Message Security
    Multi-Input Functional Encryption with Unbounded-Message Security Vipul Goyal ⇤ Aayush Jain † Adam O’ Neill‡ Abstract Multi-input functional encryption (MIFE) was introduced by Goldwasser et al. (EUROCRYPT 2014) as a compelling extension of functional encryption. In MIFE, a receiver is able to compute a joint function of multiple, independently encrypted plaintexts. Goldwasser et al. (EUROCRYPT 2014) show various applications of MIFE to running SQL queries over encrypted databases, computing over encrypted data streams, etc. The previous constructions of MIFE due to Goldwasser et al. (EUROCRYPT 2014) based on in- distinguishability obfuscation had a major shortcoming: it could only support encrypting an apriori bounded number of message. Once that bound is exceeded, security is no longer guaranteed to hold. In addition, it could only support selective-security,meaningthatthechallengemessagesandthesetof “corrupted” encryption keys had to be declared by the adversary up-front. In this work, we show how to remove these restrictions by relying instead on sub-exponentially secure indistinguishability obfuscation. This is done by carefully adapting an alternative MIFE scheme of Goldwasser et al. that previously overcame these shortcomings (except for selective security wrt. the set of “corrupted” encryption keys) by relying instead on differing-inputs obfuscation, which is now seen as an implausible assumption. Our techniques are rather generic, and we hope they are useful in converting other constructions using differing-inputs obfuscation to ones using sub-exponentially secure indistinguishability obfuscation instead. ⇤Microsoft Research, India. Email: [email protected]. †UCLA, USA. Email: [email protected]. Work done while at Microsoft Research, India. ‡Georgetown University, USA. Email: [email protected].
    [Show full text]
  • Algorithms and Complexity Results for Learning and Big Data
    Algorithms and Complexity Results for Learning and Big Data BY Ad´ am´ D. Lelkes B.Sc., Budapest University of Technology and Economics, 2012 M.S., University of Illinois at Chicago, 2014 THESIS Submitted as partial fulfillment of the requirements for the degree of Doctor of Philosophy in Mathematics in the Graduate College of the University of Illinois at Chicago, 2017 Chicago, Illinois Defense Committee: Gy¨orgyTur´an,Chair and Advisor Lev Reyzin, Advisor Shmuel Friedland Lisa Hellerstein, NYU Tandon School of Engineering Robert Sloan, Department of Computer Science To my parents and my grandmother / Sz¨uleimnek´esnagymam´amnak ii Acknowledgments I had a very enjoyable and productive four years at UIC, which would not have been possible without my two amazing advisors, Lev Reyzin and Gy¨orgy Tur´an. I would like to thank them for their guidance and support in every aspect of my graduate studies and research and for always being available when I had questions. Gyuri's humility, infinite patience, and meticulous attention to detail, as well as the breadth and depth of his knowledge, set an example for me to aspire to. Lev's energy and enthusiasm for research and his effectiveness at doing it always inspired me; the hours I spent in Lev's office were often the most productive hours of my week. Both Gyuri and Lev served as role models for me both as researchers and as people. Also, I would like to thank Gyuri and his wife R´ozsafor their hospitality. They invited me to their home a countless number of times, which made time in Chicago much more pleasant.
    [Show full text]
  • Cryptanalysis of Boyen's Attribute-Based Encryption Scheme
    Cryptanalysis of Boyen’s Attribute-Based Encryption Scheme in TCC 2013 Shweta Agrawal1, Rajarshi Biswas1, Ryo Nishimaki2, Keita Xagawa2, Xiang Xie3, and Shota Yamada4 1 IIT Madras, Chennai, India [email protected], [email protected] 2 NTT Secure Platform Laboratories, Tokyo, Japan [ryo.nishimaki.zk,keita.xagawa.zv]@hco.ntt.co.jp 3 Shanghai Key Laboratory of Privacy-Preserving Computation, China [email protected] 4 National Institute of Advanced Industrial Science and Technology (AIST), Tokyo [email protected] Abstract. In TCC 2013, Boyen suggested the first lattice based con- struction of attribute based encryption (ABE) for the circuit class NC1. Unfortunately, soon after, a flaw was found in the security proof of the scheme. However, it remained unclear whether the scheme is actually insecure, and if so, whether it can be repaired. Meanwhile, the construc- tion has been heavily cited and continues to be extensively studied due to its technical novelty. In particular, this is the first lattice based ABE which uses linear secret sharing schemes (LSSS) as a crucial tool to en- force access control. In this work, we show that the scheme is in fact insecure. To do so, we provide a polynomial-time attack that completely breaks the security of the scheme. We suggest a route to fix the security of the scheme, via the notion of admissible linear secret sharing schemes (LSSS) and instantiate these for the class of DNFs. Subsequent to our work, Datta, Komargodski and Waters (Eurocrypt 2021) provided a construction of admissible LSSS for NC1 and resurrected Boyen’s claimed result.
    [Show full text]
  • Access Control Encryption for General Policies from Standard Assumptions
    Access Control Encryption for General Policies from Standard Assumptions Sam Kim David J. Wu Stanford University Stanford University [email protected] [email protected] Abstract Functional encryption enables fine-grained access to encrypted data. In many scenarios, however, it is important to control not only what users are allowed to read (as provided by traditional functional encryption), but also what users are allowed to send. Recently, Damg˚ardet al. (TCC 2016) introduced a new cryptographic framework called access control encryption (ACE) for restricting information flow within a system in terms of both what users can read as well as what users can write. While a number of access control encryption schemes exist, they either rely on strong assumptions such as indistinguishability obfuscation or are restricted to simple families of access control policies. In this work, we give the first ACE scheme for arbitrary policies from standard assumptions. Our construction is generic and can be built from the combination of a digital signature scheme, a predicate encryption scheme, and a (single-key) functional encryption scheme that supports randomized functionalities. All of these primitives can be instantiated from standard assumptions in the plain model and therefore, we obtain the first ACE scheme capable of supporting general policies from standard assumptions. One possible instantiation of our construction relies upon standard number-theoretic assumptions (namely, the DDH and RSA assumptions) and standard lattice assumptions (namely, LWE). Finally, we conclude by introducing several extensions to the ACE framework to support dynamic and more fine-grained access control policies. 1 Introduction In the last ten years, functional encryption [BSW11, O'N10] has emerged as a powerful tool for enforcing fine-grained access to encrypted data.
    [Show full text]
  • Student Text and Homework Helper
    UNIT 3 QUADRATIC FUNCTIONS AND EQUATIONS STUDENT TEXT AND HOMEWORK HELPER Randall I. Charles • Allan E. Bellman • Basia Hall William G. Handlin, Sr. • Dan Kennedy Stuart J. Murphy • Grant Wiggins Boston, Massachusetts • Chandler, Arizona • Glenview, Illinois • Hoboken, New Jersey Copyright © 2016 Pearson Education, Inc., or its affiliates. All Rights Reserved. Printed in the United States of America. This publication is protected by copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to Rights Management & Contracts, Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030. Pearson, Prentice Hall, Pearson Prentice Hall, and MathXL are trademarks, in the U.S. and/or other countries, of Pearson Education, Inc., or its affiliates. Apple, the Apple logo, and iTunes are trademarks of Apple Inc., registered in the U.S. and other countries. Google Play is a trademark of Google Inc. ISBN-13: 978-0-13-330063-5 ISBN-10: 0-13-330063-3 1 2 3 4 5 6 7 8 9 10 V0YJ 20 19 18 17 16 15 14 UNIT 3 QUADRATIC FUNCTIONS AND EQUATIONS TOPIC 8 Quadratic Functions and Equations TOPIC 8 Overview ............................................324 8-1 Quadratic Graphs and Their Properties ...........................326 8-2 Quadratic Functions ...........................................333 8-3 Transformations of Quadratic Functions
    [Show full text]
  • AP Physics 1 Summer Work 2018
    AP Physics 1 NAME ______________________________________ AP Ph ysics 1 S ummer Work 2018 The exercises below are a review of the math skills we will be using regularly in AP Physics 1. Make sure to read all directions throughout the packet. Final answers can be in fractions and in terms of mathematical constants (π, e , i , etc.). Your work must be written out clearly so that all steps are easy to follow. Attach extra pages if you need more space. Mark your final answers by either circling or boxing them. Your completed summer work is due the first week of class. During the first two weeks of class there will be a quiz with problems similar to those found in this review. Please do not hesitate to email me with any questions at [email protected]. Join the following Google classroom pages for links to videos and/or websites that you might find helpful or interesting. Fall Semester Class (S504A-001) – Google Classroom Code: wxa907k Spring Semester Class (S504A-002) – Google Classroom Code: 1zylul Significant Figures and Scientific Notation Revi ew 1.) How many significant figures do the following numbers have? a.) 6 .001 Answer: ___________ c.) 206,000 Answer: ___________ b.) 0 .0080 Answer: ___________ d.) 27.00 Answer: ___________ Find the following. Final answers should be in scientific notation with the correct number of significant figures. −8 2 4 3 2.) (5.0 ×10 )(2.9 ×10 ) 3.) (3.25 ×10 + 7.4 ×10 ) 26 11 1.00 ×10 8400 6.000 ×10− 4.) 2.00 ×107 5.) 1.2 ×107 Unit Conversions Review 6.) Finish the SI prefix table below.
    [Show full text]
  • Witness Encryption Instructor: Sanjam Garg Scribe: Fotis Iliopoulos
    CS 276 { Cryptography Sept 8, 2014 Lecture 18: Witness Encryption Instructor: Sanjam Garg Scribe: Fotis Iliopoulos 1 A story Imagine that a billionaire who loves mathematics, would like to award with 1 million dollars the mathematician(s) who will prove the Riemann Hypothesis. Of course, neither does the billionaire know if the Riemann Hypothesis is true, nor if he will be still alive (if and) when a mathematician will come up with a proof. To overcome these couple of problems, the billionaire decides to: 1. Put 1 million dollars in gold in a big treasure chest. 2. Choose an arbitrary place of the world, dig up a hole, and hide the treasure chest. 3. Encrypt the coordinates of the treasure chest in a message so that only the mathematician(s) who can actually prove the Riemann Hypothesis can decrypt it. 4. Publish the ciphertext in every newspaper in the world. The goal of this lecture is to help the billionaire with step 3. To do so, we will assume for simplicity that the proof is at most 10000 pages long. The latter assumption implies that the language L = fx such that x is an acceptable Riemann Hypothesis proofg is in NP and therefore, using a reduction, we can come up with a circuit C that takes as input x and outputs 1 if x is a proof for the Riemann Hypothesis or 0 otherwise. Our goal now is to design a pair of PPT machines (Enc; Dec) such that: 1. Enc(C; m) takes as input the circuit C and m 2 f0; 1g and outputs a ciphertext e 2 f0; 1g∗.
    [Show full text]
  • Ciphertext-Policy Attribute-Based Encryption: an Expressive, Efficient
    Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization Brent Waters ∗ University of Texas at Austin [email protected] Abstract We present a new methodology for realizing Ciphertext-Policy Attribute Encryption (CP- ABE) under concrete and noninteractive cryptographic assumptions in the standard model. Our solutions allow any encryptor to specify access control in terms of any access formula over the attributes in the system. In our most efficient system, ciphertext size, encryption, and decryption time scales linearly with the complexity of the access formula. The only previous work to achieve these parameters was limited to a proof in the generic group model. We present three constructions within our framework. Our first system is proven selectively secure under a assumption that we call the decisional Parallel Bilinear Diffie-Hellman Exponent (PBDHE) assumption which can be viewed as a generalization of the BDHE assumption. Our next two constructions provide performance tradeoffs to achieve provable security respectively under the (weaker) decisional Bilinear-Diffie-Hellman Exponent and decisional Bilinear Diffie- Hellman assumptions. ∗Supported by NSF CNS-0716199, CNS-0915361, and CNS-0952692, Air Force Office of Scientific Research (AFO SR) under the MURI award for \Collaborative policies and assured information sharing" (Project PRESIDIO), Department of Homeland Security Grant 2006-CS-001-000001-02 (subaward 641), a Google Faculty Research award, and the Alfred P. Sloan Foundation. 1 Introduction Public-Key encryption is a powerful mechanism for protecting the confidentiality of stored and transmitted information. Traditionally, encryption is viewed as a method for a user to share data to a targeted user or device.
    [Show full text]