Download presentation

Presentation is loading. Please wait.

Published byGrady Tillison Modified over 3 years ago

1
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego

2
2 Security for Public-Key Encryption client server Ideally: Protect against all possible attacks pk, sk For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91]) pk Modeling all possible attacks is hard (if possible at all) insecure channel

3
3 Chosen-Ciphertext Security (PKE) pk cici m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c*=Enc(pk,b) (pk,sk) Keygen(1 n ) b {0,1} $

4
4 Chosen-Ciphertext Security (PKE) pk, c i ≠ c* m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c* b {0,1} $ (pk,sk) Keygen(1 n )

5
5 Chosen-Ciphertext Security (PKE) b’ Security against CCA attacks For all efficient adversaries b {0,1} $ Π=(KeyGen, Enc, Dec) pk,c* (pk,sk) Keygen(1 n ) |Pr [b’=b]-1/2| =negl(n)

6
CCA-Secure Encryption (overview) 6 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

7
CCA-Secure Encryption (overview) 7 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH [PW08] LTDFs [RS09] Correlated inputs

8
8 Lossy Trapdoor Functions [PW08] F(s inj,. ) : 1-1.. computational requirement {0,1} n F =(G, F, F -1 ) (n, l )-lossy TDF {0,1} n (s inj, t) G(inj) F(s inj,. ) (s loss, ) G(loss) F(s loss,. ) |Img(F(s loss,. ))|=2 n- l F -1 (t,. )

9
9 CCA-PKE from LTDFs & Correlated Inputs ( generic constructions) [Peikert, Waters 08] (n, n(1-o(1))) LTDFs All But One TDFs CCA-secure PKE CCA-secure PKE [Rosen, Segev 09] (n, n(1-o(1))) LTDFs Correlated input OWFs CCA-secure PKE CCA-secure PKE This work (n, 1/poly(n)) LTDFs CCA-secure PKE CCA-secure PKE Correlated input OWFs

10
Rest of talk OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 10

11
11 One-Wayness Under Correlated Inputs family of efficiently computable functions [Def] (w-wise product) Generation: Evaluation: (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w (x 1, x 2, …, x w ) One-Wayness: F one-way under C w -correlated inputs if for all PPT adversaries A F =(G, F) GwGw Pr[A(f 1, …, f w, f 1 (x 1 ),…, f w (x w ))= (x 1,..., x w )] : negligible where (x 1,..., x w ) ~ C w

12
Rosen-Segev Simplified construction 12 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i )

13
13 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) Rosen-Segev Simplified construction

14
14 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) 14 c 1 = b h(f 1,Vk 1, …, f w,Vk w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) Rosen-Segev Simplified construction

15
15 For CCA proof : 2 requirements from C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any x i : w-repetition distribution x 1 =x 2 =...=x w Instantiation ([RS09]) (n, n(1-1/w))-lossy TDFs OW under w-repetition CwCw Rosen-Segev Simplified construction

16
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 16 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

17
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 17 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

18
Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 18 c 1 = b h(f 1,σ 1, …, f w,σ w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

19
19 Required properties for C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any d distinct x i How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ? Focus of this work Rosen-Segev Generalized construction distance of the ECC

20
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 20

21
21 [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided Sligthly LTDFs CCA F = (n, l )-lossy TDF with domain {0,1} n (x 1,..., x w ) ~ C w with H ∞ (x 1,..., x w ) = μ > w. (n- l ) + ω(log n) f 1, f 2,…,f w G inj (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w G loss (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) takes at most 2 w(n- l ) values ≈ H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) 2 ω(log n) many preimages 2 ω(log n) many preimages unique preimage unique preimage

22
22 (d,w)-subset reconstructable distribution ……… xi1xi1 xi2xi2 xidxid... x1x1 x2x2 x w-1 xwxw Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If x i {0,1} n, then H ∞ (x 1,..., x w ) ≈ d. n

23
23 Achieving High Entropy VK 1 k w ECC Desired property: If VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 1 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound) ECC(VK 2 ) k

24
24 Putting the Pieces Together Illustration: CCA-Security from (n,1)-lossy TDFs (n,1)-lossy TDFs imply CCA-security [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) ECC: [w, k, d=w-k+1] Reed-Solomon Input Distribution: (d, w)-subset reconstructable distribution k=n ε, w=n θ, where θ> 1+ ε. d=w-k+1 Entropy: d. n > (w-k). n = w. (n-kn/w) > w. (n-1) + ω(log n)

25
Summary: CCA from correlated inputs 25 Construction(d,w) Sufficient lossiness Rosen- Segev simplified d=1n(1-1/w) Rosen- Segev generalized d/w=ε:const 0<ε<1 ? Rosen-Segev*d/w=1-ο(1)1/poly(n) * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

26
26 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR [PW08, RS09] 1/poly(n) n(1-o(1)) DDH

27
27 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR 1/poly(n) n(1-o(1)) DDH this work

28
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 28

29
Hardness Assumption: 2vs3Primes 29 Slightly LTDF from 2vs3Primes 2Primes n p, q: primes N= pq ; |N|=n 3Primes n p,q, r : primes N’ =pqr ; |N’|=n The construction F Sample injective: N 2Primes n+1 ; s inj =N ; t=(p,q) Evaluate: F: {0,1} n Z N F(N, x) =(x 2 mod N, (x>N/2), ( J N (x)=1)) N ≈ N’ c Sample lossy: N 3Primes n+1 ; s loss =N

30
[Theorem] Under the 2vs3Primes assumption, F is a family of (n,¼)-lossy TDFs. 30 Slightly LTDF from 2vs3Primes ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) y t=(p,q) x, -x z, -z xzxz b1b1 b2b2 x Immediate from 2vs3Primes assumption

31
31 Slightly LTDF from 2vs3Primes 8-to-1 ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) {0,1} n x ≥ N/2 gcd(x,N)>1 and x<N/2 gcd(x,N)=1 and x<N/2 |Img({0,1} n )|≤ 2 n-1/4 ≤ φ(N)/4 ≤ (N-φ(N))/2 ≤ 2 n -N/2

32
Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 32

33
Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 33 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ?

34
Introductory Slide Importance of PKE encryption Also importance of CCA security [Rackoff Simon91] 34

35
CCA-Secure Encryption (overview) 35 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

36
Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 36 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

37
Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 37 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

38
38 CCA proof: For almost perfect simulation of decryption by the simulator, it suffices that (x 1,…, x w ) can be reconstructed from any d distinct x i Rosen-Segev Generalized Construction Security requirement: F OW under such distribution C w Focus of this work How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ?

39
39 (d,w)-subset reconstructible distribution ……… xi1xi1 xi2xi2 xidxid xi1xi1 xidxid xi2xi2... x1x1 x2x2 x w-1 xwxw,,..., Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If, then

40
40 Achieving High Entropy k VK 1 k ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

41
41 Achieving High Entropy k VK 1 ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

42
Summary: PKE from correlated inputs 42 Construction(d,w) Sufficient lossiness CPA/CCA d=w not needed OWF suffice CPA Rosen- Segev simplified d=1n(1-1/w)CCA Rosen- Segev generalized d/w=ε:const 0<ε<1 ? CCA Rosen-Segev*d/w=1-ο(1)1/poly(n)CCA * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

43
43 Dec If Ver()=1, recover x i from y i for i=1,…,w If x i s are from the “correct” distribution return c 1 h(f 1,Vk 1, …, f w,Vk w, x)

44
44 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR

45
45 Slightly LTDF from 2vs3Primes and 8-to-1 and ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1))

46
Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 46 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ? Amplify the lossiness rate (as opposed to the lossiness amount)

Similar presentations

OK

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google