Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

Similar presentations


Presentation on theme: "1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller."— Presentation transcript:

1 1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller Boston University & MIT Lincoln Lab

2 Public Key Encryption (PKE) 2 PK m Need randomness to achieve semantic security $ Enc c

3 Public Key Encryption (PKE) 3 PK m $ What can be achieved without randomness? Enc

4 Why deterministic PKE? The question of deterministic symmetric key encryption is well understood: Key: k Messages: m 1, …, m n Encryption: pad 1 || … || pad n = prg(k) c i = pad i  m i Deterministic PKE is difficult but has important applications: –Supporting devices with limited/no randomness –Enabling encrypted search –E.g. spam filtering by keyword on encrypted 4 prg – pseudorandom generator Each bit appears random to bounded distinguisher

5 Deterministic PKE PKE scheme where encryption is deterministic –Introduced by [BellareBoldyrevaO’Neill07] Need source of randomness  messages are only hope Security defined w.r.t. high entropy message distribution M –H ∞ (M)≥μ  for all m, Pr[M=m] ≤ (1/2) μ Even most likely message is hard to guess E.g.: Uniform with first bit 1, Network packet with fixed header –Message distribution must be independent of public key An approach: fake coins to chosen plaintext-secure (CPA) scheme [Bellare BoldyrevaO’Neill07, BelllareFischlinO’NeillRistenpart08] 5

6 Results Deterministic PKE from: –General: Arbitrary TDF with enough hardcore bits –Efficient: Single application of TDF Framework yields constructions from Niederreiter RSA & Paillier –These TDF s have many hardcore bits under non-decisional (search) assumptions Tools of independent interest : –Improved Equivalence between Indistinguishability & Semantic Security –Conditional Computational Entropy First deterministic PKE for q arbitrarily correlated messages –Extension of LHL to correlated sources using 2q -wise indep. hash –Extension of crooked LHL to improve parameters 6

7 Results Deterministic PKE from: –General: Arbitrary TDF with enough hardcore bits –Efficient: Single application of TDF Framework yields constructions from Niederreiter RSA & Paillier –These TDF s have many hardcore bits under non-decisional (search) assumptions Tools of independent interest : –Improved Equivalence between Indistinguishability & Semantic Security –Conditional Computational Entropy First deterministic PKE for q arbitrarily correlated messages –Extension of LHL to correlated sources using 2q -wise indep. hash –Extension of crooked LHL to improve parameters 7 Focus of the talk

8 Our Scheme: Encrypt with hardcore Enc hc 8 $ PK m Enc

9 Our Scheme −Enc hc 9 PK m Enc TDF – Trapdoor function hc – Hardcore function Ext – Randomness extractor Enc – Randomized Encrypt Alg. hc TDF Ext TDF : Easy to compute, hard to invert without key hc : Pseudorandom given output of TDF Ext : Converts high entropy distributions to uniform

10 Our Scheme −Enc hc 10 PK m Enc TDF – Trapdoor function hc – Hardcore function Ext – Randomness extractor Enc – Randomized Encrypt Alg. hc TDF Ext Question: Why is this semantically secure?

11 11 Indistinguishability Semantic SecurityFor a message distribution M Outline of Security Proof PK m Enc hc TDF c Ext General Definitional Equivalence

12 Compute f from ciphertext Semantic Security for Deterministic PKE 12 AdversaryChallenger DetEnc b DetEnc(m b ), pk A M – message distribution f – test function

13 Semantic Security for Deterministic PKE 13 AdversaryChallenger DetEnc b DetEnc(m b ), pk A M – message distribution f – test function Compute f from ciphertextCompute f from random ciphertext

14 Indistinguishability for Deterministic PKE 14 b DetEnc(m), pk AdversaryChallenger A DetEnc M 0 – message distribution M 1 – message distribution

15 15 Indistinguishability: Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF c General Definitional Equivalence

16 16 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF c General Definitional Equivalence

17 Our Scheme −Enc hc 17 PK m Enc TDF – Trapdoor function hc – Hardcore function Ext – Randomness extractor Enc – Randomized Encrypt Alg. hc TDF Ext Question: Why is this secure?

18 Our Scheme −Enc hc 18 PK m Enc TDF – Trapdoor function hc – Hardcore function Ext – Randomness extractor Enc – Randomized Encrypt Alg. hc TDF Ext Question: Why is this secure indistinguishable? To gain intuition we will try removing the extractor.

19 Toy Scheme −Enc hc Question: Is this scheme indistinguishable? NO: hc can reveal the first bit of m. Enc can reveal its first coin. 19 PK hc TDF m Enc

20 Toy Scheme −Enc hc Question: Is this scheme indistinguishable? NO: hc can reveal the first bit of m. Enc can reveal its first coin. 20 PK hc TDF m Enc

21 21 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF c

22 22 Robust hardcore function: hc is hardcore on M|e for all e, Pr[e] ≥ 1/4 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF c

23 23 Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF c Q: Is any hc robust? A: NO! Define event e : fix first bit(previous example!)

24 24 Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M Outline of Security Proof PK m Enc hc TDF Q: Is any hc robust? A: NO! Define event e : fix first bit(previous example!)

25 Robustness: Implicit in Prior Work 25 Iterated trapdoor permutation Lossy trapdoor function Arbitrary trapdoor function [GL89] hc bit at each iteration ([BM84] PRG) TDF Robust hc function [Belllare Fischlin O’Neill Ristenpart08] [Boldyreva Fehr O’Neill 08] This work Pairwise Independent Hash Function Any function with enough hc bits + extractor Ext

26 Hardcore function: hc(M) is pseudorandom given TDF(M) Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M 26 Outline of Security Proof PK m Enc hc TDF c Ext( )

27 Hardcore function: hc(M) is pseudorandom given TDF(M) Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4 Indistinguishability: For all pairs M|e 0, M|e 1 e 0, e 1 are events s.t. Pr[e 0 ],Pr[e 1 ]≥1/4 Semantic Security:For a message distribution M 27 Outline of Security Proof PK m Enc hc TDF c Ext Rest of the talk Ext( )

28 Hardcore function Robust hardcore function Indistinguishability Semantic Security 28 Outline of Security Proof PK m Enc hc TDF c Ext

29 29 Outline of Security Proof PK m Enc hc TDF c Ext 1.Hardcore function: hc(M) is pseudorandom given TDF(M) 2.Comp. Entropy: hc(M|e) high computational entropy 3.Uniform Ext Output: Ext( hc(M|e) ) pseudorandom 4.Robust hc function: Ext( hc(M|e) ) | TDF( M|e ) pseudorandom Hardcore function Robust hardcore function Indistinguishability Semantic Security

30 (1) Hc function (2) Comp. Entropy 30 Know: hc produces pseudorandom bits on M Want: hc produces pseudorandom bits on M|e M hc(M)≈U hc

31 31 Know: hc produces pseudorandom bits on M Want: hc produces pseudorandom bits on M|e hc(M)≈U Problem: hc(M|e) cannot be pseudorandom For example, event e can fix the first bit of hc(M) Solution: Use HILL entropy! M M|e (hc(M|e))≈U hc (1) Hc function (2) Comp. Entropy

32 32 Know: hc produces pseudorandom bits on M Want: H HILL ( M | E ) is high M|e hc (1) Hc function (2) Comp. Entropy

33 33 Know: hc produces pseudorandom bits on M Want: H HILL ( hc(M|e) ) is high M|e hc (1) Hc function (2) Comp. Entropy H HILL (X)≥μ if  Y, H ∞ (Y)≥μ X≈ ε,s Y Distinguisher Advantage Distinguisher Size

34 34 Know: hc produces pseudorandom bits on M Want: H HILL ( hc(M|e) ) is high M|e How is H HILL ( hc(M|e) ) related to H HILL ( hc(M) ) ? General question: How is H HILL ( X|E=e ) related to H HILL ( X ) ? hc (1) Hc function (2) Comp. Entropy H HILL (X)≥μ if  Y, H ∞ (Y)≥μ X≈ ε,s Y ε,s Distinguisher Advantage Distinguisher Size

35 Conditional Computational Entropy 35 Our Lemma: Info-Theoretic Case: Warning: this is not H HILL ! Different Y (that has true entropy) for each distinguisher (“metric*”) Notion used in [Barak Shaltiel Widgerson03] [DziembowskiPietrzak08]

36 Conditional Computational Entropy 36 Our Lemma: Info-Theoretic Case: Warning: this is not H HILL ! Can be converted to HILL entropy with a loss in circuit size [BSW03, ReingoldTrevisanTulsianiVadhan08] Our Theorem:

37 Tangent: Avg Case Cond. Entropy 37 Our Lemma: Info-Theoretic Case [Dodis Ostrovsky Reyzin Smith 04] : We can apply the lemma multiple times to measure H(M |E 1,E 2 ) Cannot measure entropy when original distribution is conditional Average case conditioning useful for leakage resilience Works on conditional computational entropy: [ReingoldTrevisanTulsianiVadhan08], [DziembowskiPietrzak08], [ChungKalaiLiuRaz11],[GentryWichs10] Distribution not a single event!

38 38 M|e  hc (1) Hc function (2) Comp. Entropy HILL entropy Our Theorem:

39 39 Outline of Security Proof PK m Enc hc TDF c Ext 1.Hardcore function: hc(M) is pseudorandom given TDF(M) 2.Cond. Comp Entropy: hc(M|e) high computational entropy for e, Pr[e]≥1/4 3.Uniform Ext Output: Ext( hc(M|e) ) pseudorandom for e, Pr[e]≥1/4 4.Robust hc function: Ext( hc(M|e) ) | TDF(M|e) pseudorandom Hardcore function Robust hardcore function Indistinguishability Semantic Security

40 40 M|e Ext HILL entropy pseudorandom  Extractors convert distributions w/ min-entropy to uniform w/ H HILL to pseudorandom hc (2) Cond. Comp. Entropy (3) Unif. Ext Output

41 41 Outline of Security Proof PK m Enc hc TDF c Ext 1.Hardcore function: hc(M) is pseudorandom given TDF(M) 2.Cond. Comp Entropy: hc(M|e) high computational entropy for e, Pr[e]≥1/4 3.Uniform Ext Output: Ext( hc(M|e) ) pseudorandom for e, Pr[e]≥1/4 4.Robust hc function: Ext( hc(M|e) ) | TDF(M|e) pseudorandom Hardcore function Robust hardcore function Indistinguishability Semantic Security

42 42 (3) Unif. Ext Output (4) Robust hc function TDF M pseudorandom hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore)

43 43 (3) Unif. Ext Output (4) Robust hc function TDF M pseudorandom hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))

44 M|e 44 (3) Unif. Ext Output (4) Robust hc function TDF pseudorandom hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))

45 45 (3) Unif. Ext Output (4) Robust hc function TDF hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3)) HILL entropy M|e

46 46 (3) Unif. Ext Output (4) Robust hc function TDF Ext HILL entropy hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3)) Want: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom M|e pseudorandom

47 (3) Unif. Ext Output (4) Robust hc function TDF Ext HILL entropy pseudorandom hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3)) Want: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom Unfortunately our entropy theorem does not work if the starting point is conditional Solution: Consider the joint distribution ( hc(M), TDF(M) ) Condition on e to measure entropy of ( hc(M|e), TDF(M|e) ) 47 M|e

48 48 (3) Unif. Ext Output (4) Robust hc function TDF Ext HILL entropy pseudorandom hc Know: hc(M) | TDF(M) is pseudorandom ( hc is hardcore) Know: Ext( hc(M|e) ) is pseudorandom ((1) (3)) Lemma: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom Unfortunately our entropy theorem does not work if the starting point is conditional Solution: Consider the joint distribution ( hc(M), TDF(M) ) Condition on e to measure entropy of ( hc(M|e), TDF(M|e) ) M|e

49 49 Outline of Security Proof PK m Enc hc TDF c Ext 1.Hardcore function: hc(M) is pseudorandom given TDF(M) 2.Cond. Comp Entropy: hc(M|e) high computational entropy for e, Pr[e]≥1/4 3.Uniform Ext Output: Ext( hc(M|e) ) pseudorandom for e, Pr[e]≥1/4 4.Robust hc function: Ext( hc(M|e) ) | TDF(M|e) pseudorandom Hardcore function Robust hardcore function Indistinguishability Semantic Security

50 Our Scheme −Enc hc If hc is hardcore on M 50 PK m Enc Ext  Enc hc is secure on M hc TDF

51 Enc hc, deterministic PKE from: –General: Arbitrary TDF with enough hardcore bits –Efficient: Single application of TDF Framework yields constructions from Niederreiter RSA & Paillier –These TDF s have many hardcore bits under non-decisional (search) assumptions Tools of independent interest : –Improved Definitional Equivalence –Conditional Computational Entropy Allows encryption of messages from block sources –Each message has entropy conditioned on previous msgs: H ∞ (M i | M 1,…, M i-1 ) is high Results 51

52 Results Enc hc, deterministic PKE from: –General: Arbitrary TDF with enough hardcore bits –Efficient: Single application of TDF Framework yields constructions from Niederreiter RSA & Paillier –These TDF s have many hardcore bits under non-decisional (search) assumptions Tools of independent interest : –Improved Definitional Equivalence –Conditional Computational Entropy First deterministic PKE for q arbitrarily correlated messages –Extension of LHL to correlated sources using 2q -wise indep. hash –Extension of crooked LHL to improve parameters 52 Briefly

53 Extending to multiple messages 53 Enc hc does not extend when multiple arbitrarily correlated messages are encrypted We need an extractor that “decorrelates” messages: Use a 2 q -wise independent hash function

54 Extending to multiple messages 54 Enc hc does not extend when multiple arbitrarily correlated messages are encrypted We need an extractor that “decorrelates” messages: Use a 2 q -wise independent hash function PK m Enc hc TDF c Ext

55 Extending to multiple messages 55 Enc hc does not extend when multiple arbitrarily correlated messages are encrypted We need an extractor that “decorrelates” messages: Use a 2 q -wise independent hash function First scheme for q -arbitrarily correlated messages PK m Enc hc TDF c Hash

56 Extending to multiple messages 56 Lemma (Extension of LHL): Let M 1,…, M q be high entropy, arbitrarily correlated random variables (M i ≠ M j ), Hash family of 2q -wise indep. hash functions (keyed by K ) K, Hash(K, M 1 ),…, Hash(K, M q ) ≈ K, U 1,…, U q

57 Results Enc hc, deterministic PKE from: –General: Arbitrary TDF with enough hardcore bits –Efficient: Single application of TDF Framework yields constructions from Niederreiter RSA & Paillier –These TDF s have many hardcore bits under non-decisional (search) assumptions Tools of independent interest : –Improved Definitional Equivalence –Conditional Computational Entropy First deterministic PKE for q arbitrarily correlated messages –Extension of LHL to correlated sources using 2q -wise indep. hash –Extension of crooked LHL to improve parameters 57

58 Thank you!


Download ppt "1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller."

Similar presentations


Ads by Google