 Thank you so high again Thanks for staying here so I'm going to talk about something completely different in this talk, which is nothing to do with the previous talk so unfortunately they cannot recycle any slides and So I'm going to talk about a new concept. This is a completely new concept which is called multi essence security and I try to explain what is this and its connection to pass through a base cryptography and In particular, I want to start motivating this work By talking about the problem of file encryption So the goal is that we want to store some data privately on a hard drive by using symmetric encryption and Of course one problem we have to face here, which might be problematic every now and then is that if we do that We also need to remember somehow to store our keys in order to be the key that we used to encrypt in order to be able To retrieve the data at a later point in time Okay, this might not always be feasible so an alternative solution which has been proposed is to leverage on the fact that Passwords are supposed to be easy to remember and derive cryptographic keys from passwords And in particular, this is the whole idea behind Password-based encryption which is used within a multitude of different products around and in password-based encryption We derive cryptographic keys from user passwords by using a special Cryptographic function, which is called a key derivation function or KDF for short and the idea is that we have given a password We are going to derive such a key and then use this key within a conventional symmetric encryption scheme to encrypt messages Of course as long as you remember the password, you're also going to be able to recover your data but the problem is that Choosing good passwords is a very very hard task So we need to choose password that on the one hand are Hard to guess by an adversary, but on the other hand we want them to be easy to remember So decide to kind of attention and even if you look at the media We'll find many many Articles telling you all of the sort of things that can happen because of one of these two problems Okay, and so the people are inherently lazy So people are always going to choose in fact passwords that are very easy to remember and that are not that good And this leads to a common problem, which is what is known as dictionary attack so it is So an attacker can break a password based system By exploiting the fact that most of the password chosen by users are within a fairly small that was sufficiently small dictionary of very likely common passwords and One technique used by system designers to mitigate such dictionary attacks is to make KDF computations That sufficiently expensive so that such a dictionary attack is going to be slowed down So for example one common technique To derive a key derivation function is to just iterate a cryptographic hash function such as a function from the shaft family A certain number of times c times Okay, and if we use this within a password based encryption system To derive our key then the expectation that we have is that if we need to apply a certain amount of work Say n to retrieve a password for example to a dictionary attack and n will be the dictionary size Then we would expect that because of the complexity of computing the KDF It will take work time of work equal to c times n roughly to break the password based encryption scheme using this KDF But here we have to make an important point note that even if we assume that we choose passwords really really well So any sign something like 2 to the 32 should be fantastic I think and we also let the KDF computation be variable as low So we let c be something like 2 to the 20 then at the end of the day We're not going to get anything better than 52 bits of security. Okay, which is not really great So it seems that we have an unavoidable fact if you use password based encryption That it is very well possible that an attacker can break one particular instance of a of a password based encryption scheme So is this the end? So the point that we want to make and this is not that there are other things that we would like to expect from a good K derivation function and a password based encryption scheme in particular We want to look at the multi user setting Where there are many users each one using their own passwords to encrypt piles and what we've just seen It's only the fact that if you have an attacker and the attacker wants to retrieve a Say some message that has been encrypted by user one from a corresponding cypher tech C1 Then you can do that in work C times n and we might not be happy because C times n is just too small But what we want to ask here is the question what happens now if the adversary wants to retrieve a message from a second cypher tech Belonging to another user how much work does the adversary need to do? Much additional work and the expectation here is that ideally we would like to amount of work to increase linearly in the number of Cypher techs, so we would like the work to be m times c times n to retrieve and plain text But this is not easy to ensure I mean for example if we use the kdf function I just defined a couple of slides ago then we can really have an easy Dictionary attack where we just go do a lot of pre computation and go through all possible passwords Derivable corresponding keys. This is going to takes work n times c and then whenever we have a cypher text that we want to decrypt We just try all possible keys and this will give us to retrieve and message will give us work n times c plus m Which is much smaller than what we want and so a new design goal that we would like to To to hold for our kdf's is what we call multi-stance security amplification We would like to design kdf's with the property that the amount of work to break Multiple instances increases linearly in the number of instances Okay, now interestingly, so if you look at the actual proposals in standards in particular in pkcs 5 To how to design kdf's we're going to see that they all use a technique Which is known as salting which indeed happens to prevent the attack. I just mentioned So in particular the most common key derivation function is called kdf one here It's going to use iteration as before but before iterating the password It's going to first compute a fresh random value for each kdf computation Which we call the salt and then a penny to the password and then apply the iteration and in particular if you use this within Password-based encryption what is going to happen is that upon each encryption we are going to choose a free for fresh salt Compute the kdf with that salt and then we need to append the salt of the ciphertext in order to allow for decryption afterwards So in particular each encryption is going to be with a different salt and pre computation as in the previous attack Does not work anymore. So is this by chance is just salting just preventing this particular attack or can we actually prove that? Salting probably ensures multi instant security amplification, which would be our goal and Before I go to I turn to this question Let me just point out that this is far from being a purely academic theoretical question You might have heard that a few months ago There's been an attack against LinkedIn where millions of passwords have been leaked of different users And it turns out that the reason this was actually possible to break so many password from multiple users was that neither Iteration nor salting were actually used by LinkedIn and this made the job very very easy So it is a very important question to analyze the effect of salting and iteration with respect to amplification so The question is what do we know where it turns out that we do not really know anything or whether salting provides in a provable way Multi-instant security amplification and the reason is not only as you would expect that nobody has proved that But the main point is there's also no formal model to address multi-instant security of cryptographic schemes Okay, and this leads us exactly to our two contributions So the first main contribution is of our work is to define a general definition of framework to deal with multi-instant security of Arbitrary cryptographic primitives and the second contribution is just as a case study of our framework to study Multi-instant security amplification for Password-based encryption And now I guess I will spend most of the time in the remainder of this talk talking about how we Model multi-instant security And to do this let me first review how we can model security of password-based encryption in the single instant setting So the basic way to do that is just to adopt the notion of semantic security of left or right semantic security To the password-based setting so we consider our game involving an adversary and a challenger and where the challenger chooses first the random bit B and Samples a password and then the adversary can make queries consisting of pairs of messages m0 and m1 of equal length and Obtains an encryption of mb under the given password And then at the end the adversary outputs a bit B prime and wins the game if P primes equal B And we have a corresponding advantage measure that tells us how well the adversary performs Which essentially looks at the probability that the bit B prime equals B And then we subtract one half to take into account the fact that you can always guess the bit B We probability one half three really by just outputting a random guess and then we multiply everything by two to make These a number between zero that's the usual way We also look at other property like puzzle recovery ability security where the adversary just interacts with the encryption scheme under a secret password and wants to guess which password is actually used and The advantage is just the probability that the adversary guesses the right password Okay, now we will like to extend this type of security notions to the To the multi-easterns world So our goal is for a certain scheme s and for a certain security property P like an encryption scheme and left or right semantic security Is to define a security metric that captures? The success of an adversary in doing the following so the adversary is going to attack m instances of the scheme in concurrently in parallel and We might even allow the adversary to corrupt Some of the instances for example corruption will mean in the password-based setting to learn the corresponding password and also The adversary is going to win The game if it breaks all of the uncorrupted instances So This is quite easy to do if we look at a security property like puzzle recover Recoverability security and here we can just to do this very natural so instead of having one challenger We are going to have multiple challengers each one sampling a password independently and then the adversary can concurrently interact with these challengers and obtain encryptions for this corresponding passwords of arbitrary messages in a concurrent fashion and Corruptions are just modeled by having special corruption queries to the individual challengers that are going to reveal the passwords and at the end the adversary is going to output a vector of Passwords and is going to win if all of the passwords have been guessed correctly Okay, the advantage is just this probability. So this is not so surprising But what is surprising is that for other types of security properties like left or right semantic security Where the adversary's task is to guess a bit things get a bit quick trickier. So in particular Here it's quite easy to define the experiment initially. So again, we have independent challengers the adversary can interact in a concurrent fashion But the real question is what happens at the end? What does the adversary output and what is the advantage that measures the success of the adversary? So because the naive attempt will do what we've done before. So this is what we call the end advantage so we just let the adversary output a vector of bits and Corresponding to the each instance we have M instances and the adversary wins if all of these bits are correct and the advantage is just the probability The problem is that this quantity does not measure the harness of winning all uncorrupted instances And this is this is quite subtle to see but the point is the following assume We have two instances and we have an adversary that is pretty good at guessing the first bit corresponding to the first instance It does so with probability three quarters Our larger than three quarters then it's very easy to obtain an adversary that doesn't even look at the second Instance it doesn't might even all make queries to the other challenger and just guess is the second bit uniform yet random Then these adversaries still going to get advantage at least three eight three over eight Which is above the trivial random guess, but it doesn't even try to attack the second instance And so this is not what we want And so a better alternative is to look at what we call the extra advantage Which actually seems to be the right alternative is that here? We just let the adversary Output one bit one single bit not a vector of bits be prime and the adversary wins If this beat equals the X or of all of the beats chosen by the challengers be one up to be and of course we scale by one half as before and This is going to be what we call the extra advantage and here you see what I've said before doesn't work anymore So even if you have an adversary, which is really good at guessing the first beat And now he tries to randomly guess the second bit or he doesn't even interact with the other challenger Then the adversary can only guess the extra with probability one half and it doesn't get any advantage so We looked at relationship between Security notions and for example doesn't you can have like certain an interesting picture. So for example if you look at So left or right security both in the extra and in the end case They end up implying the multi-stance version of passive-recoverability security But what is interesting is that in fact the extra advantage version of left or right security does imply in most cases to a very beautiful probabilistic lemma by Falkhunger The the the end version of left or right security Which shows exactly that extra is the right way to go In fact, there is also some sort of weak implication in the other direction that I want to discuss through the Goldreich-Leving theorem But this is very is very weak in a computational sense and doesn't give us anything useful When we want to work with practical parameters Okay, and I just want to quickly point out that there's our other interesting Phenomenon as if we want to look at relations between security properties in the multi-stance scenario That shows that there are many interesting technical questions So for example if you look at that alternative way of defining semantic security Which is real or random security here below where the adversary only inputs a message m0 this is query consists of a message m0 and And then depending on the choice of the bit B by the challenger either obtains an encryption of m0 or Obtains an encryption of a random message Okay This is another way of defining security of encryption and we all know that this is a classical textbook Theorem at least not for the case case of traditional encryption that these two notions are essentially equivalent because their advantages Are within a factor two of each other, okay? And the reason they are within a factor two of each other is because the proof goes via what is known as a hybrid argument Where we upper bound? The left or right advantage in terms of twice the real of the real or random advantage This is a traditional crypto one-on-one Exercise, but what what what can we do if we now move to the multi-stance setting? Can we do something similar and relate the multi-stance versions of real or random and left or right security? And it turns out that here things are much tricker We can do that but it's not legal to extend the hybrid argument at all in fact It's quite involved and in particular the factor two that we have in the single eastern setting is going to become 2 to the n And it's going to be increasing exponentially And this is because we have to consider way more hybrids and one will think we can cheat and optimize this But it turns out that this this bound is actually tight and we can't do any better It's it's fine because in most cases this factor to the end which looks huge won't be that huge because the advantages Involved will be very small, but this shows our things are actually subtle when we move to the multi-stance scenario so let me just spend very few words about what's happening with password-based encryption and So we do indeed as an application in the paper now confirm the expectation that using salting ensures multi-stance security amplification and the key point of our analysis is to prove security of the KDF function from the pks pkcs 5 in the random oracle model and in particular I won't say anything about is just a very high level The crucial point is that we introduced a notion a security notion for KDS Which is a variant of the indifference ability notion by Maura render in Hollenstein Which has some interesting feature in particular that it is restricted in the sense that Simulators are only allowed to make a much smaller number of queries than the queries that they actually have to answer But given this at the end everything is fine We're gonna get a final theorem that is going to give us a concrete security bound in the random oracle model for password-based encryption and in particular If we look you don't have to look at the bound in detail But it means that as long as the underlying encryption scheme is semantically secure Then the leading term in this bound is going to be this one Which is going to tell us that we really need to invest work and Time c times n to break the underlying password-based encryption where it'll work here work is measured in terms of random oracle queries Okay, so This was all I wanted to say In summary, so what we've seen here is that our main observation is that so there are multiple users That are using encryption password-based encryption of any other cryptographic schemes in the world and that there are settings like password-based encryption Where weak individual instances of cryptographic schemes are inherently unavoidable So you can't avoid that one single instance can be broken But multi-instance security still provides an interesting second line of defense where we're gonna say okay That's something we cannot avoid but at least we want our scheme to ensure that breaking many instances of the scheme is hard and this leads some some very interesting technical questions as we've seen and One of them is exactly was analyzing a concrete Password-based concretely possible base encryption in this setting But there are certainly other applications that can be found and other interesting technical questions to be answered Okay. Thank you very much