Citation Context

...coding that we call a distribution-transforming encoder (DTE). A DTE is designed 2 with an estimate of the message distribution pm in mind, making it conceptually similar to arithmetic/Huffman coding =-=[20]-=-. The message space for a DTE is exactly the support of pm (messages with non-zero probability). Encoding a message sampled from pm yields a “seed” value distributed (approximately) uniformly. It is o...

Citation Context

...pm and pk are independent of the RO. Semantic security. In the case that keys are sufficiently unpredictable and adversaries are computationally bounded, our HE schemes will achieve semantic security =-=[25]-=-. Our schemes will therefore never provide worse confidentiality than conventional encryption, and in particular the MR advantage in this case equals the min-entropy of the message distribution pm plu...

Citation Context

...ovide a form of information-theoretic encryption, as their MR security does not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad =-=[40]-=-, have seen extensive study. Most closely related is entropic security [22, 39], where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even ...

Citation Context

...enote a conventional symmetric encryption scheme, but note that the syntax and semantics match those of an HE scheme. Message and key distributions. We denote a distribution on set S by a map p : S → =-=[0, 1]-=- and require that∑ s∈S p(s) = 1. The min-entropy of a distribution is defined to be − logmaxs∈S p(s). Sampling according to such a distribution is written s←p S, and we assume all sampling is efficien...

Citation Context

...ted to HE is a rich literature on deception and decoys in computer security. Honeypots, fake computer systems intended to attract and study attacks, are a stock-in-trade of computer security research =-=[42]-=-. Researchers have proposed honeytokens [21, 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include ...

Citation Context

...J-DTE be the scheme described above. Then AdvdteRSA-REJ-DTE,pm(A) ≤ (1− 2/(3ℓ))t−1 for any adversary A. Proof: Let π(x) be the number of primes less than or equal to x. Then Bertrand’s postulate (cf. =-=[41]-=-) states that π(2ℓ) − π(2ℓ−1) > 2ℓ−13ℓ for ℓ > 2. Thus the probability of each sample from {0, 1}ℓ−2 being a prime is at least 2/3ℓ. One can verify that the SAMP1RSA-REJ-DTE,pm and SAMP0RSA-REJ-DTE,pm...

Citation Context

...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the...

Citation Context

...ration algorithm generates an RSA key of bit-length 2ℓ via rejection sampling of random values p, q ∈ [2ℓ−1, 2ℓ). The rejection criterion for either p or q is failure of a Miller-Rabin primality test =-=[32, 36]-=-; the resulting distribution of primes is (essentially) uniform over the range. The private exponent is computed as d = e−1 mod (p − 1)(q − 1) for some fixed e (typically 65537), yielding secret key (...

Citation Context

... which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (non-interactive) non-committing encryption =-=[18,34]-=-, a ciphertext can be “opened” to an arbitrary message under a suitably selected key. (For example, a one-time pad is non-committing.) HE has a different requirement, namely that decrypting a fixed ci...

Citation Context

... which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (non-interactive) non-committing encryption =-=[18,34]-=-, a ciphertext can be “opened” to an arbitrary message under a suitably selected key. (For example, a one-time pad is non-committing.) HE has a different requirement, namely that decrypting a fixed ci...

Citation Context

...tribution with min-entropy µ. This brute-force bound is the best possible for in-use schemes. Unfortunately empirical studies show this level of security to frequently be insufficient. A recent study =-=[13]-=- reports µ < 7 for passwords observed in a real-world population of 69+ million users. (1.08% of users chose the same password.) For any slowdown c small enough to support timely decryption in normal ...

Citation Context

...ferent keys yields independent-looking samples of the message space. Note that unlike non-committing encryption [34], HE is achievable in the non-programmable random oracle model. Deniable encryption =-=[17]-=- also allows ciphertexts to be opened to chosen messages; HE schemes do not in general offer deniability. Canetti, Halevi, and Steiner [19] propose a protocol in which a password specifies a subset of...

Citation Context

...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the...

Citation Context

...es for which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). (Non-interactive) non-committing encryption =-=[14, 29]-=- are schemes for which a ciphertext can be “opened” to an arbitrary message by finding an appropriate key to do so. (For example, a one-time-pad is non-committing.) HE has no such requirement, rather ...

Citation Context

...rovides useful bounds (by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic =-=[2, 4, 12]-=- and hedged [3, 37] public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the...

Citation Context

...ve proposed honeytokens [21, 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents =-=[15]-=-, false network traffic [14], and many variants. The Kamouflage system [11] is particularly relevant. It conceals a true password vault encrypted under a true master password among N bogus vaults encr...

Citation Context

...ndomness. In natural applications of HE, the message space M must encompass messages of special format, rather than just bitstrings. In this sense, HE is related to format-preserving encryption (FPE) =-=[6]-=-, although HE is randomized and has no preservation requirement (our ciphertexts are unstructured bit strings). An implication of our approach, however, is that some FPE constructions (e.g., for credi...

Citation Context

... not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad [40], have seen extensive study. Most closely related is entropic security =-=[22, 39]-=-, where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even against unbounded attackers (and hence beyond the brute-force bound). Their goa...

Citation Context

...(by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic [2, 4, 12] and hedged =-=[3, 37]-=- public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the case that keys are...

Citation Context

... not rely on any computational hardness assumption. Information-theoretic encryption schemes, starting with the one-time pad [40], have seen extensive study. Most closely related is entropic security =-=[22, 39]-=-, where the idea is to exploit high-entropy messages to perform encryption that leaks no predicate on the plaintext even against unbounded attackers (and hence beyond the brute-force bound). Their goa...

Citation Context

...keys gives rise to independent-looking samples of the message space. Note that unlike non-committing encryption [29], HE is achievable in the non-programmable random oracle model. Deniable encryption =-=[15]-=- also allows opening a ciphertext to a chosen message; HE schemes do not in general provide deniability. Canetti, Halevi, and Steiner [13] propose a protocol in which a password specifies a subset of ...

Citation Context

...he non-programmable random oracle model. Deniable encryption [17] also allows ciphertexts to be opened to chosen messages; HE schemes do not in general offer deniability. Canetti, Halevi, and Steiner =-=[19]-=- propose a protocol in which a password specifies a subset of CAPTCHAs that must be solved to decrypt a credential store. Their scheme creates ambiguity around where human effort can be most effective...

Citation Context

...(by targeting MR security) even when the combined entropy of messages and keys is insufficient to achieve entropic security. See also the discussion in Appendix A. Deterministic [2, 4, 12] and hedged =-=[3, 37]-=- public-key encryption rely on entropy in messages to offset having no or only poor randomness during encryption. HE similarly exploits adversarial uncertainty about messages in the case that keys are...

Citation Context

...n smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is found (c.f., =-=[16, 26]-=-). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., [33]). I...

Citation Context

...simply by decrypting C using the key with the highest probability, which is at most 1/2µ. Previously proposed security tools have exploited exactly this intuition for special cases. Hoover and Kausik =-=[28]-=- consider the problem of encrypting a (uniformly-chosen) RSA or DSA secret exponent for authenticating a user to a remote system. Only the remote system holds the associated public key. To hedge again...

Citation Context

...to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often called “decoys” or “honeywords”) =-=[11, 29]-=-. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice [43]. Honey encryption (HE). Inspired by such decoy systems, we set out t...

Citation Context

...n smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is found (c.f., =-=[16, 26]-=-). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., [33]). I...

Citation Context

...to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often called “decoys” or “honeywords”) =-=[11, 29]-=-. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice [43]. Honey encryption (HE). Inspired by such decoy systems, we set out t...

Citation Context

...a salting, which slows attacks against multiple users, and iterated application of one-way functions, which slows decryption and thus attacks by a constant factor c (e.g., c = 10,000). Recent results =-=[7]-=- prove that for conventional PBE schemes (e.g., [35]), work q suffices to crack a single ciphertext with probability q/c2µ for passwords selected from a distribution with min-entropy µ. This brute-for...

Citation Context

...however, are unlikely to coincide with this special case, and so we seek other bounds. Majorization. To analyze more general settings, we exploit a result due to Berenrink, Friedetzky, Hu, and Martin =-=[8]-=- that builds on a technique called “majorization” earlier used for the balls-and-bins setting by Azar, Broder, Karlin, and Upfal [1]. Distributions such as pk and pd can be viewed as vectors of approp...

Citation Context

...theorem 3Convention is to have m balls and n bins, but we use a balls and b bins to avoid confusion since m connotes messages. 4Technically speaking we only require the non-programmable random oracle =-=[23, 34]-=-. 9 from [8, Cor. 3.5], slightly recast to use our terminology. We also extend our definition of load to include the i highest loaded bins: let Lipk,pd be the random variable which is the total weight...

Citation Context

... 43], which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents [15], false network traffic =-=[14]-=-, and many variants. The Kamouflage system [11] is particularly relevant. It conceals a true password vault encrypted under a true master password among N bogus vaults encrypted under bogus master pas...

Citation Context

...PE constructions (e.g., for credit-card encryption) can be shown to achieve HE-like security guarantees when message distributions are uniform. HE is also conceptually related to collisionful hashing =-=[10]-=-, the idea of creating password hashes for which it is relatively easy to find inverses and thus hard to identify the original, correct password (as opposed to identifying a correct message). Under (n...

Citation Context

...usible-looking fake ones (often called “decoys” or “honeywords”) [11, 29]. Similarly, detection of system breaches using “honeytokens,” such as fake credit-card numbers, is a common industry practice =-=[43]-=-. Honey encryption (HE). Inspired by such decoy systems, we set out to build HE schemes that provide security beyond the brute-force barrier. These schemes yield candidate messages during brute-force ...

Citation Context

...yields valid-looking exponents, and that an attacker can at best use each candidate exponent in a brute-force online attack against the remote system. Their work led to a commercially deployed system =-=[30]-=-. Other systems similarly seek to foil offline brute-force attacks, but mainly by means of hiding valid authentication credentials in an explicitly stored list of plausible-looking fake ones (often ca...

Citation Context

...[16, 26]). In this case, a DTE can be constructed that requires only 2(ℓ − 2)-bit seeds, and so is space-optimal. The OpenSSL library does something between the two approaches so-far described (c.f., =-=[33]-=-). It first picks a random, odd integer p. If p or p−1 is divisible 1We could also output bottom, but we would then need to permit errors in decoding and HE decryption. 2Doing so would also require ou...

Citation Context

...fication Values (CVVs), and (user-selected) PINs. Encryption of PINs requires a DTE that handles a non-uniform distribution over messages, as empirical studies show a heavy user bias in PIN selection =-=[9]-=-. The resulting analysis consequently involves a balls-and-bins game with non-uniform bin capacities, a somewhat unusual setup in the literature. In each of the cases above we are able to prove close ...

Citation Context

...and decoys in computer security. Honeypots, fake computer systems intended to attract and study attacks, are a stock-in-trade of computer security research [42]. Researchers have proposed honeytokens =-=[21, 43]-=-, which are data objects whose use signals a compromise, and honeywords [29], a system that uses passwords as honeytokens. Additional proposals include false documents [15], false network traffic [14]...

Citation Context

...seed values that map to particular messages (prime pairs), effectively inverting the PRG, which is infeasible. One could instead attempt to use more randomness-efficient rejection-sampling techniques =-=[24]-=- to obtain smaller encodings. Some prime number generators do not produce uniform prime numbers. A classic algorithm picks a random integer in [2ℓ−1, 2ℓ) and increments it by two until a prime is foun...

Citation Context

...ration algorithm generates an RSA key of bit-length 2ℓ via rejection sampling of random values p, q ∈ [2ℓ−1, 2ℓ). The rejection criterion for either p or q is failure of a Miller-Rabin primality test =-=[32, 36]-=-; the resulting distribution of primes is (essentially) uniform over the range. The private exponent is computed as d = e−1 mod (p − 1)(q − 1) for some fixed e (typically 65537), yielding secret key (...