Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine

  • Scott Yilek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)


Typical security models used for proving security of deployed cryptographic primitives do not allow adversaries to rewind or reset honest parties to an earlier state. Thus, it is common to see cryptographic protocols rely on the assumption that fresh random numbers can be continually generated. In this paper, we argue that because of the growing popularity of virtual machines and, specifically, their state snapshot and revert features, the security of cryptographic protocols proven under these assumptions is called into question. We focus on public-key encryption security in a setting where resetting is possible and random numbers might be reused. We show that existing schemes and security models are insufficient in this setting. We then provide new formal security models and show that making a simple and efficient modification to any existing PKE scheme gives us security under our new models.


Virtual Machine, Random Oracle, Cryptographic Protocol, Cryptographic Primitive, Pseudorandom Function
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Scott Yilek
    Department of Computer Science and Engineering, University of California at San Diego, La Jolla, USA
