Download presentation

Presentation is loading. Please wait.

Published byGrady Tillison Modified about 1 year ago

1
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego

2
2 Security for Public-Key Encryption client server Ideally: Protect against all possible attacks pk, sk For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91]) pk Modeling all possible attacks is hard (if possible at all) insecure channel

3
3 Chosen-Ciphertext Security (PKE) pk cici m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c*=Enc(pk,b) (pk,sk) Keygen(1 n ) b {0,1} $

4
4 Chosen-Ciphertext Security (PKE) pk, c i ≠ c* m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c* b {0,1} $ (pk,sk) Keygen(1 n )

5
5 Chosen-Ciphertext Security (PKE) b’ Security against CCA attacks For all efficient adversaries b {0,1} $ Π=(KeyGen, Enc, Dec) pk,c* (pk,sk) Keygen(1 n ) |Pr [b’=b]-1/2| =negl(n)

6
CCA-Secure Encryption (overview) 6 Generic Constructions Concrete Instantiations I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

7
CCA-Secure Encryption (overview) 7 Generic Constructions Concrete Instantiations I II [DDN 91] Enhanced TDPs [CS98] DDH [HK09] Factoring [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH [PW08] LTDFs [RS09] Correlated inputs

8
8 Lossy Trapdoor Functions [PW08] F(s inj,. ) : computational requirement {0,1} n F =(G, F, F -1 ) (n, l )-lossy TDF {0,1} n (s inj, t) G(inj) F(s inj,. ) (s loss, ) G(loss) F(s loss,. ) |Img(F(s loss,. ))|=2 n- l F -1 (t,. )

9
9 CCA-PKE from LTDFs & Correlated Inputs ( generic constructions) [Peikert, Waters 08] (n, n(1-o(1))) LTDFs All But One TDFs CCA-secure PKE CCA-secure PKE [Rosen, Segev 09] (n, n(1-o(1))) LTDFs Correlated input OWFs CCA-secure PKE CCA-secure PKE This work (n, 1/poly(n)) LTDFs CCA-secure PKE CCA-secure PKE Correlated input OWFs

10
Rest of talk OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 10

11
11 One-Wayness Under Correlated Inputs family of efficiently computable functions [Def] (w-wise product) Generation: Evaluation: (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w (x 1, x 2, …, x w ) One-Wayness: F one-way under C w -correlated inputs if for all PPT adversaries A F =(G, F) GwGw Pr[A(f 1, …, f w, f 1 (x 1 ),…, f w (x w ))= (x 1,..., x w )] : negligible where (x 1,..., x w ) ~ C w

12
Rosen-Segev Simplified construction 12 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i )

13
13 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) Rosen-Segev Simplified construction

14
14 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) 14 c 1 = b h(f 1,Vk 1, …, f w,Vk w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) Rosen-Segev Simplified construction

15
15 For CCA proof : 2 requirements from C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any x i : w-repetition distribution x 1 =x 2 =...=x w Instantiation ([RS09]) (n, n(1-1/w))-lossy TDFs OW under w-repetition CwCw Rosen-Segev Simplified construction

16
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 16 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

17
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 17 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

18
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 18 c 1 = b h(f 1,σ 1, …, f w,σ w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

19
19 Required properties for C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any d distinct x i How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ? Focus of this work Rosen-Segev Generalized construction distance of the ECC

20
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 20

21
21 [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided Sligthly LTDFs CCA F = (n, l )-lossy TDF with domain {0,1} n (x 1,..., x w ) ~ C w with H ∞ (x 1,..., x w ) = μ > w. (n- l ) + ω(log n) f 1, f 2,…,f w G inj (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w G loss (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) takes at most 2 w(n- l ) values ≈ H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) 2 ω(log n) many preimages 2 ω(log n) many preimages unique preimage unique preimage

22
22 (d,w)-subset reconstructable distribution ……… xi1xi1 xi2xi2 xidxid... x1x1 x2x2 x w-1 xwxw Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If x i {0,1} n, then H ∞ (x 1,..., x w ) ≈ d. n

23
23 Achieving High Entropy VK 1 k w ECC Desired property: If VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 1 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound) ECC(VK 2 ) k

24
24 Putting the Pieces Together Illustration: CCA-Security from (n,1)-lossy TDFs (n,1)-lossy TDFs imply CCA-security [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) ECC: [w, k, d=w-k+1] Reed-Solomon Input Distribution: (d, w)-subset reconstructable distribution k=n ε, w=n θ, where θ> 1+ ε. d=w-k+1 Entropy: d. n > (w-k). n = w. (n-kn/w) > w. (n-1) + ω(log n)

25
Summary: CCA from correlated inputs 25 Construction(d,w) Sufficient lossiness Rosen- Segev simplified d=1n(1-1/w) Rosen- Segev generalized d/w=ε:const 0<ε<1 ? Rosen-Segev*d/w=1-ο(1)1/poly(n) * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

26
26 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR [PW08, RS09] 1/poly(n) n(1-o(1)) DDH

27
27 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR 1/poly(n) n(1-o(1)) DDH this work

28
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 28

29
Hardness Assumption: 2vs3Primes 29 Slightly LTDF from 2vs3Primes 2Primes n p, q: primes N= pq ; |N|=n 3Primes n p,q, r : primes N’ =pqr ; |N’|=n The construction F Sample injective: N 2Primes n+1 ; s inj =N ; t=(p,q) Evaluate: F: {0,1} n Z N F(N, x) =(x 2 mod N, (x>N/2), ( J N (x)=1)) N ≈ N’ c Sample lossy: N 3Primes n+1 ; s loss =N

30
[Theorem] Under the 2vs3Primes assumption, F is a family of (n,¼)-lossy TDFs. 30 Slightly LTDF from 2vs3Primes ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) y t=(p,q) x, -x z, -z xzxz b1b1 b2b2 x Immediate from 2vs3Primes assumption

31
31 Slightly LTDF from 2vs3Primes 8-to-1 ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) {0,1} n x ≥ N/2 gcd(x,N)>1 and x

32
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 32

33
Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 33 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ?

34
Introductory Slide Importance of PKE encryption Also importance of CCA security [Rackoff Simon91] 34

35
CCA-Secure Encryption (overview) 35 Generic Constructions Concrete Instantiations I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

36
Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 36 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

37
Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 37 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

38
38 CCA proof: For almost perfect simulation of decryption by the simulator, it suffices that (x 1,…, x w ) can be reconstructed from any d distinct x i Rosen-Segev Generalized Construction Security requirement: F OW under such distribution C w Focus of this work How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ?

39
39 (d,w)-subset reconstructible distribution ……… xi1xi1 xi2xi2 xidxid xi1xi1 xidxid xi2xi2... x1x1 x2x2 x w-1 xwxw,,..., Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If, then

40
40 Achieving High Entropy k VK 1 k ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

41
41 Achieving High Entropy k VK 1 ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

42
Summary: PKE from correlated inputs 42 Construction(d,w) Sufficient lossiness CPA/CCA d=w not needed OWF suffice CPA Rosen- Segev simplified d=1n(1-1/w)CCA Rosen- Segev generalized d/w=ε:const 0<ε<1 ? CCA Rosen-Segev*d/w=1-ο(1)1/poly(n)CCA * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

43
43 Dec If Ver()=1, recover x i from y i for i=1,…,w If x i s are from the “correct” distribution return c 1 h(f 1,Vk 1, …, f w,Vk w, x)

44
44 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR

45
45 Slightly LTDF from 2vs3Primes and 8-to-1 and ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1))

46
Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 46 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ? Amplify the lossiness rate (as opposed to the lossiness amount)

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google