Unconditionally Secure Chaffing-and-Winnowing for

Multiple Use

Wataru Kitada1, Goichiro Hanaoka2, Kanta Matsuura1, Hideki Imai2

1. IIS, the University of Tokyo2. RCIS, AIST

• Detailed analysis of Chaffing-and-Winnowing (C&W) under multiple-use setting

• More efficient Chaffing-and-Winnowing– C&W for n-time use from n-spoofing secure

A-code

– practical C&W from A-code with a specific property

Overview of This Work

2

We show:

Contents

• Overview

• Unconditionally Secure C&W for Multiple Use

• C&W with one authentication tag

• Future Work and Conclusion

3

• Overview– Chaffing and Winnowing– Previous Work– Our Contribution

• Unconditionally Secure C&W for Multiple Use

• C&W with one authentication tag

• Future Work and Conclusion 4

Chaffing-and-Winnowing (C&W)

• A technique to achieve confidentiality without using encryption when sending data over an insecure channel.

• Proposed by R. Rivest“Chaffing and winnowing: confidentiality without encryption” http://theory.lcs.mit.edu/~rivest/publications.html

Basic Idea

• Send plaintext directly• No encryption is performed • Send dummies with the plaintext. chaff• Only one of the plaintext is authentic, the

other ones are dummies• Receiver can distinguish plaintext (wheat)

from dummies (chaff). winnow• Being able to distinguish plaintext from

dummies would require an adversary to know the secret key.

7

Chaffing-and-Winnowing

• Example– Authentication code (A-code) : Ak(M)– Plaintext: “Hi Bob”

A1=Ak(“Hi Bob”)A2=Ak’(“Hi Larry”)

(“Hi Bob”,A1),(“Hi Larry”,A2)

ComputeAk(“Hi Bob”) and Ak(“Hi Larry”)CompareAk(“Hi Bob”) and A1,Ak(“Hi Larry”) and A2

“Hi Bob”

Previous Work

• Bellare and Boldyreva, ASIACRYPT 2000– Showed the security of C&W in the

computationally secure setting

• Hanaoka et al., AAECC 2006 (HHHWI06)– Showed the security of C&W in the

unconditinally secure setting

8

Main Result of HHHWI06

9

Impersonation- secure A-code

Perfectly secure and

Non-Malleableencryption

Impersonation- and

substitution- secure A-code

Perfectly secure

encryption

Theorem 1

Theorem 2

C&W

C&W

We can achieve:

Related Work

• Stinson, manuscript, 2006– “Unconditionally secure chaffing and winnowing

with short authentication tags”– construct C&W from short authentication tags

10

Impersonation- secureA-code

with short tag

Perfectly secure

encryptionC&W

Our Contribution

• Our work is extension of HHHWI06– HHHWI06 only consider the case in one-time use

• Then, we extend for multiple use– In other words, to generalize the HHHWI06– Detailed analysis of C&W under multiple-use

setting• construct unconditionally secure C&W for multiple use• show C&W with one authentication tag

11

One-time/Multiple Use

12

One-time use

Multiple use

• Overview

• Unconditionally Secure C&W for Multiple Use– Security Notions– Our Result– Construction and Comparison

• C&W with one authentication tag

• Future Work and Conclusion

13

Security on A-code

14

),( 11 M

),( nnM

),( M

n-Spoofing

),( M

Impersonation

),( M

),( M

Substitution

Perfect Security

15

),(,),,( 1111 nn CMCM

nC

n-Perfect Security (n-PS)

Perfect Security

nC

?nM

C

C

?M

Non-Malleability (1/2)

• An adversary is given n ciphertexts

• Corresponding plaintexts are

• Non-Malleability:– inability to generate a ciphertext

whose plaintext is related to• for example

– Definition

16

nCC ,,1

nMM ,,1

C

nMM ,,1 M

orMMorMorMM jiii 21

)),(,),,(|(

)),(,),,(,|(

11

11

nn

nn

CMCMMH

CMCMCMH

Non-Malleability (2/2)

17

) )( ( , , ) )( ( 11 nn MECMEC

n-Non-Malleability (n-NM)

Non-Malleability

))(( MEC )or)2(or)1(( MEMEC

) )(

)2(or)1( (

orMMEor

MEMEC

ji

ii

Our Results (1/3)

• Construct unconditionally secure C&W for multiple use– from n-spoofing secure A-code to n-perfectly

secure (n-PS) encryption– from (n+1)-spoofing secure A-code to n-perfectly

secure (n-PS) and n-Non-Malleable (n-NM) encryption

18

Our Results (2/3)

19

n-spoofing secure A-code

n-PS andn-NM

encryption

(n+1)-spoofing secure A-code

n-PS encryptionC&W

C&W

Our Results (3/3)

20

Imp A-code

PS and NMencryption

Imp and Sub A-code

PS encryptionC&W

C&W

n-spoofing secure A-code

n-PS andn-NM

encryption

(n+1)-spoofing secure A-code

n-PS encryptionC&W

C&W

HHHWI06

Our Result

Construction

21 valid.as accepted is such that selects

, recievingOn :Decryption

))(||(: send Then

.*)(such that finds and

*)( sets ,* send To:Encryption

)()( , allfor ),(, allfor

such that, keysdistinct picks Then

. S to give and , generates TI:GenKey

mmR

c

mAmcS

mAk

mASm

mAmAmkkk

MS

Randkk

Mmk

ki

k

kkiji

i

i

ji

Comparison

22

Construction Key Size [bits] Ciphertext Size [bits]

Our proposal

　 　

n copies ofHHHWI06

　 　

Mn 2log)1(

Mn 2log2

MM 2log

MM 2log

• Overview

• Unconditionally Secure C&W for Multiple Use

• C&W with one authentication tag

• Future Work and Conclusion

23

Overview (1/2)

• C&W with one authentication tag– If the underlying A-code has a specific property,

we can construct C&W with one authentication tag

24

n-Spf A-code with a specific

property

n-PS andn-NM

encryption with one tag

(n+1)-Spf A-code with a

specific property

n-PS encryption with

one tagC&W

C&W

Overview (2/2)

• From this result, we can see that theseA-codes can be seen as conventional encryptions– we prove that to send one tag corresponding to

the message is secure

25

Authentication Encryption

M M

)f(M )f(MC C

Can be seen as

The specific property

• “For all a, there exists at least one k such that, for all m, Ak(m)=a”

• There exists an example of an A-code which is n-Spoofing secure and has this property

26

),f( , allfor such that, exist there, allfor kmMmKkA

n

i

iimk

0

For example:

Construction

27

.output and ,)(such that selects

, recievingOn :Decryption

. to send and

,)(: sets , send To:Encryption

. S to give and , generates TI:GenKey

ccmAmR

c

Rc

mAcSm

Randkk

k

k

Comparison

28

Construction Key Size [bits]Ciphertext Size

[bits]

Need specific

A-codes?

Our proposal(previous)

　 　 No

Our proposal(with one tag)

　 　 Yes

n copies ofHHHWI06

　 　 No

Mn 2log)1(

Mn 2log2

Mn 2log)1( M2log

MM 2log

MM 2log

The construction with one tag is practical

• Overview

• Unconditionally Secure C&W for Multiple Use

• C&W with one authentication tag

• Future Work and Conclusion

29

Future Work

• Remove the restriction that(like Stinson’s work)– In [Stinson’06], C&W is constructed from A-

code with short tags (more weak A-code)

– [Stinson’06]D.R. Stinson, “Unconditionally secure chaffing and winnowing with short authentication tags,” Cryptology ePrint Archive, Report 2006/189, 2006.

30

MA

Conclusion

• Detailed analysis of C&W under multiple-use setting– from n-Spf secure A-code to n-PS encryption– from (n+1)-Spf secure A-code to n-PS and n-NM

encryption

• More efficient Chaffing-and-Winnowing– C&W for n-time use from n-spoofing secure A-

code– practical C&W from A-code with a specific

property• provide same function as conventional encryption

31