[Cfrg] Big-key cryptography

Aaron Zauner <azet@azet.org> Mon, 07 December 2015 00:27 UTC

Message-ID: <5664D280.306@azet.org>
Date: Mon, 07 Dec 2015 01:27:44 +0100
From: Aaron Zauner <azet@azet.org>
To: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: [Cfrg] Big-key cryptography
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zFRnvoBIcbYlCUee5UlSYOVd4so>

Hi,

People who have read Rogaway's recent IACR Distinguished Lecture [0]
might have noticed (besides an amazing essay on crypto, ethics and
politics, of course) that there's new work mentioned on something they
call 'Big-key cryptography'. Let me quote verbatim:

```
Suppose you have a bigkey K. You want to use it for some protocol P that
has been designed to use a conventional-length key K. So choose a random
value R (maybe 256 bits) and hash it to get some number p of probes into
the bigkey:

i_1 = H(R, 1), i_2 = H(R, 2), ..., i_p = H(R, p).

Each probe i_j points into K: it’s a number between 1 and |K|. So you
grab the p bits at those locations and hash them, along with R, to get a
derived key K:

K = H'(R, K[i_1], ..., K[i_p]) = XKEY(K, R).

Where you would otherwise have used the protocol P with a shared key K,
you will now use P with a shared bigkey K, a freshly chosen R, this
determining the conventional key K = XKEY(K, R).

We show that derived-key K is indistinguishable from a uniformly random
key K0 even if the adversary gets R and can learn lots of information
about the bigkey K. The result is quantitative, measuring how good the
derived key is as a function of the length of the bigkey, the number of
bits leaked from it, the number of probes p, the length of R, and the
number of random-oracle calls.

[...]

I think that the subkey prediction problem, and the key-encapsulation
algorithm based on it, will give rise to nice means for
exfiltration-resistant authenticated-encryption and pseudorandom
generators. In general, I see bigkey cryptography as one tool that
cryptographers can contribute to make mass surveillance harder.
```

This seems to be a yet unpublished manuscript, but I can think of quite a
few instances where this approach might come in handy for keys used in
various high-confidentiality protocols. What does CFRG think?

Thanks,
Aaron

[0] http://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf, pp. 31-32
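As an added illustration of the XKEY construction quoted above (this is not code from Rogaway's manuscript or from anyone on this thread), the following Python instantiates H and H' with domain-separated SHA-256, reduces each probe mod |K| to a 0-based bit position, and includes a bit-flip helper showing that for a fixed R only the p probed bits of the bigkey feed the derived key. The bigkey, R and p used are constructed test values; the hash choices are my assumption, since the paper models H and H' as random oracles.

```python
import hashlib
import os

# Constructed example of the XKEY derivation from the quoted text (not the
# paper's reference code). H and H' are instantiated as domain-separated
# SHA-256; the paper models them as random oracles. Indices are 0-based here.

def probe_index(r: bytes, j: int, key_bits: int) -> int:
    """i_j = H(R, j), reduced to a bit position in the bigkey."""
    digest = hashlib.sha256(b"XKEY-probe" + r + j.to_bytes(4, "big")).digest()
    # Modular reduction; the bias is negligible for a 256-bit digest.
    return int.from_bytes(digest, "big") % key_bits

def probes(r: bytes, key_bits: int, p: int) -> list:
    """The p probe positions i_1..i_p determined by R."""
    return [probe_index(r, j, key_bits) for j in range(1, p + 1)]

def get_bit(bigkey: bytes, idx: int) -> int:
    return (bigkey[idx // 8] >> (7 - idx % 8)) & 1

def xkey(bigkey: bytes, r: bytes, p: int) -> bytes:
    """K = H'(R, K[i_1], ..., K[i_p]), returned as a 256-bit derived key."""
    key_bits = len(bigkey) * 8
    bits = [get_bit(bigkey, i) for i in probes(r, key_bits, p)]
    packed = bytearray((len(bits) + 7) // 8)   # pack probed bits MSB-first
    for n, b in enumerate(bits):
        packed[n // 8] |= b << (7 - n % 8)
    return hashlib.sha256(b"XKEY-derive" + r + bytes(packed)).digest()

def flip_bit(bigkey: bytes, idx: int) -> bytes:
    """Copy of bigkey with one bit flipped (used to show probe dependence)."""
    out = bytearray(bigkey)
    out[idx // 8] ^= 1 << (7 - idx % 8)
    return bytes(out)

if __name__ == "__main__":
    # Constructed bigkey: 1 MiB of random bytes; R is fresh per derivation.
    bigkey = os.urandom(1 << 20)
    r = os.urandom(32)
    print(xkey(bigkey, r, p=512).hex())
```

Because the derived key depends only on the probed positions for a given R, an adversary who has exfiltrated part of the bigkey needs every one of the p probes to land in the leaked portion, which is the quantity the quoted subkey-prediction bound measures.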