tkn20: change seed size for MAC key from 128->448 bits in accordance … #394

Merged
merged 1 commit into from
Jan 25, 2023

@tanyav2 tanyav2 commented Jan 23, 2023

…with BK paper

Section 4 Encapsulation Schemes in the Boneh-Katz transform requires the seed size that is used to generate the MAC key to be equal to 448 bits. Currently we were using 128 bits. This is not directly related to security parameter size; instead, it is due to statistical arguments used in the construction of the proof. Thanks to @mtcvenema for flagging.

As a consequence, the size of the ciphertext increases by the same length (40 bytes), making this an API breaking change.

cc @wbl

@tanyav2 added the labels fix-A-bug (code that fix a bug) and changesAPI (PR changes the API of a package) Jan 23, 2023

tanyav2 commented Jan 24, 2023

EDIT: I have now changed the seed size to be 576 bits (as opposed to the 448 described earlier). This is because while the paper uses a 448-bit seed to get a commitment that is a 128-bit string, we were generating a 256-bit commitment. In order to maintain the statistical security difference mentioned in the proof (2^(-63)), we have to increase the seed size to 576 bits. @mtcvenema confirms this.

@@ -13,6 +13,8 @@ import (
// https://www.iacr.org/archive/pkc2011/65710074/65710074.pdf that
// apply the Boneh-Katz transform to Attribute based encryption.

const macKeySeedSize = 72
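
Review bot: `const macKeySeedSize = 72` is a bare number with no unit and no derivation, and 72 bytes is 576 bits while the PR title still says 448. Suggest a comment on the constant stating that the value is in bytes, that 576 bits is the seed length needed for the 256-bit commitment discussed in this thread, and which theorem of the Boneh-Katz paper the figure is derived from. Writing the value as `576 / 8` would also make the unit visible in the code itself.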

It may be worth explaining the rationale for the seed size in a comment.

@mtcvenema

> EDIT: I have now changed the seed size to be 576 bits (as opposed to the 448 described earlier). This is because while the paper uses a 448-bit seed to get a commitment that is a 128-bit string, we were generating a 256-bit commitment. In order to maintain the statistical security difference mentioned in the proof (2^(-63)), we have to increase the seed size to 576 bits. @mtcvenema confirms this.

I confirm. To give some rationale: in the Boneh-Katz paper (https://eprint.iacr.org/2004/261.pdf - page 12, Theorem 2), they prove that using hash functions with an input domain of 448 bits and output of 128 bits provides the statistical hiding property by distinguishing between 'bad' inputs and 'good' inputs. Basically, the idea is that the number of bad inputs should be very small (i.e., 1 in 2^{65}), and for the good inputs, statistical hiding follows with the leftover-hash lemma. The argument for good inputs remains the same for our case, where we have a larger output space, but the argument for bad inputs changes. To ensure that the probability that we pick a bad input is also 1 in 2^{65}, we fix the size of our input space to 576 bits.
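
Added worked derivation (not part of the thread or of the paper's text), carrying the counting step for 'bad' inputs through with the numbers given above. Assumptions: an input $x$ is 'bad' when its commitment has at most $T$ preimages, and $T = 2^{255}$ is inferred from the page's figures (448-bit seed, 128-bit commitment, bad-input probability $2^{-65}$) rather than quoted from the paper.

With a seed of $n$ bits and a commitment of $c$ bits there are at most $2^{c}$ commitments, each contributing at most $T$ bad inputs, so

$$\Pr[x \text{ is bad}] \le \frac{2^{c} \cdot T}{2^{n}} = 2^{\,c + 255 - n}.$$

For the paper's parameters ($c = 128$, $n = 448$):

$$2^{\,128 + 255 - 448} = 2^{-65}.$$

For a 256-bit commitment ($c = 256$), keeping the same bound requires

$$2^{\,256 + 255 - n} = 2^{-65} \;\Longrightarrow\; n = 576 \text{ bits} = 72 \text{ bytes}.$$

Keeping $n = 448$ with $c = 256$ would give the bound $2^{\,256 + 255 - 448} = 2^{63}$, which exceeds 1 and therefore says nothing. The seed has to grow by the same 128 bits as the commitment.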

@tanyav2 tanyav2 merged commit 74436aa into main Jan 25, 2023
@tanyav2 tanyav2 deleted the abe/seed-size branch January 25, 2023 19:41