Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions. PKC 2010, May 27, 2010. Petros Mol, Scott Yilek, UC San Diego.

Presentation transcript:

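2 Security for Public-Key Encryption. [Diagram labels: client, server, insecure channel, (pk, sk), pk.] Ideally: protect against all possible attacks. Modeling all possible attacks is hard (if possible at all). For PKE: security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91]).

3 Chosen-Ciphertext Security (PKE). $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$. Challenger: $(pk, sk) \leftarrow \mathsf{KeyGen}(1^n)$, $b \xleftarrow{\$} \{0,1\}$, $c^* = \mathsf{Enc}(pk, b)$. The adversary receives $pk$, submits ciphertexts $c_i$ and gets back $m_i = \mathsf{Dec}(sk, c_i)$.

4 Chosen-Ciphertext Security (PKE). $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$, $(pk, sk) \leftarrow \mathsf{KeyGen}(1^n)$, $b \xleftarrow{\$} \{0,1\}$. The adversary receives $pk$ and $c^*$; its further queries $c_i \neq c^*$ are answered with $m_i = \mathsf{Dec}(sk, c_i)$.

5 Chosen-Ciphertext Security (PKE). $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$, $(pk, sk) \leftarrow \mathsf{KeyGen}(1^n)$, $b \xleftarrow{\$} \{0,1\}$. The adversary, given $pk, c^*$, outputs $b'$. Security against CCA attacks: for all efficient adversaries, $|\Pr[b' = b] - 1/2| = \mathrm{negl}(n)$.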

6-7 CCA-Secure Encryption (overview). [Timeline figure with two rows, Generic Constructions and Concrete Instantiations. Entries: [DDN 91] Enhanced TDPs; [CS98] DDH; [CS 02] UHPS; [CHK 04] IBE; [BCHK 06] BCDH; [CKS08] CDH; [PW08] LTDFs; [RS09] Correlated inputs; [HK09] Factoring. Year marks: 2002, 2006.]

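8 Lossy Trapdoor Functions [PW08]. $\mathcal{F} = (G, F, F^{-1})$ is an $(n, \ell)$-lossy TDF with domain $\{0,1\}^n$. Injective mode: $(s_{inj}, t) \leftarrow G(inj)$; $F(s_{inj}, \cdot)$ is injective on $\{0,1\}^n$ and $F^{-1}(t, \cdot)$ inverts it. Lossy mode: $G(loss)$ outputs $s_{loss}$ (the trapdoor slot is empty); $|\mathrm{Img}(F(s_{loss}, \cdot))| = 2^{n-\ell}$. Computational requirement: $F(s_{inj}, \cdot)$ and $F(s_{loss}, \cdot)$ are computationally indistinguishable.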

9 CCA-PKE from LTDFs & Correlated Inputs (generic constructions). [Peikert, Waters 08]: $(n, n(1-o(1)))$ LTDFs → All-But-One TDFs → CCA-secure PKE. [Rosen, Segev 09]: $(n, n(1-o(1)))$ LTDFs → Correlated input OWFs → CCA-secure PKE. This work: $(n, 1/\mathrm{poly}(n))$ LTDFs → Correlated input OWFs → CCA-secure PKE.

10 Rest of talk: (1) OW under Correlated Inputs and the Rosen-Segev Construction; (2) CCA-security from Slightly LTDFs; (3) A Slightly LTDF based on Modular Squaring; (4) Conclusions.

11 One-Wayness Under Correlated Inputs. [Def] ($w$-wise product) Let $\mathcal{F} = (G, F)$ be a family of efficiently computable functions. Generation: $G_w$ outputs $f_1, f_2, \dots, f_w$. Evaluation: $(x_1, x_2, \dots, x_w) \mapsto (f_1(x_1), f_2(x_2), \dots, f_w(x_w))$. One-Wayness: $\mathcal{F}$ is one-way under $C_w$-correlated inputs if for all PPT adversaries $A$, $\Pr[A(f_1, \dots, f_w, f_1(x_1), \dots, f_w(x_w)) = (x_1, \dots, x_w)]$ is negligible, where $(x_1, \dots, x_w) \sim C_w$.

12-14 Rosen-Segev Simplified construction.
Components:
1. $\mathcal{F} = (G, F, F^{-1})$: injective TDFs, OW under $C_w$-correlated inputs
2. $\Pi = (\mathsf{Kg}, \mathsf{Sign}, \mathsf{Ver})$: one-time signature scheme
3. $h$: hardcore predicate for $\mathcal{F}$ under $C_w$-correlated inputs
The Construction: $E = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$.
KeyGen: run $G$ to obtain $pk = (f_{1,0}, f_{1,1}, \dots, f_{w,0}, f_{w,1})$ and $sk = (t_{1,0}, t_{1,1}, \dots, t_{w,0}, t_{w,1})$.
Enc: $(VK, SK) \leftarrow \mathsf{Kg}$, with $VK = VK_1 \dots VK_w \in \{0,1\}^w$; $x = (x_1, \dots, x_w) \leftarrow C_w$; $y_i = f_{i,VK_i}(x_i)$; $c_1 = b \oplus h(f_{1,VK_1}, \dots, f_{w,VK_w}, x)$; $c_2 = \mathsf{Sign}(SK, y_1, \dots, y_w, c_1)$. The ciphertext is $(VK, y_1, \dots, y_w, c_1, c_2)$.

15 Rosen-Segev Simplified construction. For the CCA proof: 2 requirements from $C_w$. Hardness assumption: $\mathcal{F}$ should be OW under $C_w$. Almost perfect simulation of decryption: $(x_1, \dots, x_w)$ reconstructable from any $x_i$. $C_w$: $w$-repetition distribution, $x_1 = x_2 = \dots = x_w$. Instantiation ([RS09]): $(n, n(1-1/w))$-lossy TDFs are OW under $w$-repetition.

16-18 Rosen-Segev Generalized construction.
Additional Component: ECC: $\Sigma^k \to \Sigma^w$ with distance $d$.
The Construction: $E = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$.
KeyGen: $pk = (f_{1,0}, \dots, f_{1,|\Sigma|-1}, \dots, f_{w,0}, \dots, f_{w,|\Sigma|-1})$ and $sk = (t_{1,0}, \dots, t_{1,|\Sigma|-1}, \dots, t_{w,0}, \dots, t_{w,|\Sigma|-1})$.
Enc: $(VK, SK) \leftarrow \mathsf{Kg}$, $VK \in \Sigma^k$; $\mathrm{ECC}(VK) = \sigma_1 \dots \sigma_w \in \Sigma^w$; $x = (x_1, \dots, x_w) \leftarrow C_w$; $y_i = f_{i,\sigma_i}(x_i)$; $c_1 = b \oplus h(f_{1,\sigma_1}, \dots, f_{w,\sigma_w}, x)$; $c_2 = \mathsf{Sign}(SK, y_1, \dots, y_w, c_1)$. The ciphertext is $(VK, y_1, \dots, y_w, c_1, c_2)$.

19 Rosen-Segev Generalized construction. Required properties for $C_w$. Hardness assumption: $\mathcal{F}$ should be OW under $C_w$. Almost perfect simulation of decryption: $(x_1, \dots, x_w)$ reconstructable from any $d$ distinct $x_i$ ($d$: distance of the ECC). Focus of this work: how much lossiness is required from $\mathcal{F}_{loss} = (G, F, F^{-1})$ in order for $\mathcal{F}_w$ to be OW under $C_w$?

21 Slightly LTDFs → CCA. [Lemma] Let $\mathcal{F} = (G, F, F^{-1})$ be a family of $(n, \ell)$-lossy TDFs. Then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided $H_\infty(C_w) = \mu \ge w(n-\ell) + \omega(\log n)$. Proof idea: $\mathcal{F}$ is an $(n, \ell)$-lossy TDF with domain $\{0,1\}^n$, and $(x_1, \dots, x_w) \sim C_w$ with $H_\infty(x_1, \dots, x_w) = \mu > w(n-\ell) + \omega(\log n)$. With $f_1, f_2, \dots, f_w \leftarrow G_{inj}$, the value $(f_1(x_1), f_2(x_2), \dots, f_w(x_w))$ has a unique preimage. With $f_1, f_2, \dots, f_w \leftarrow G_{loss}$, it takes at most $2^{w(n-\ell)}$ values, so there are $2^{\omega(\log n)}$ many preimages. The slide marks the two cases with ≈.

22 $(d,w)$-subset reconstructable distribution. [Diagram: $x_1, x_2, \dots, x_{w-1}, x_w$ with a selected subset $x_{i_1}, x_{i_2}, \dots, x_{i_d}$.] Property: all $w$ elements can be reconstructed from any $d$ distinct $x_i$'s. Efficient Sampling: $(d,w)$-threshold secret sharing scheme. Entropy: if $x_i \in \{0,1\}^n$, then $H_\infty(x_1, \dots, x_w) \approx d \cdot n$.

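23 Achieving High Entropy. [Diagram: ECC maps $VK_1$ and $VK_2$ (length $k$) to $\mathrm{ECC}(VK_1)$ and $\mathrm{ECC}(VK_2)$ (length $w$).] Desired property: if $VK_1 \neq VK_2$, then $\mathrm{ECC}(VK_1)$, $\mathrm{ECC}(VK_2)$ are "far apart". Reed-Solomon codes: $d = w-k+1$ (meet the Singleton bound).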

24 Putting the Pieces Together. $(n,1)$-lossy TDFs imply CCA-security. Illustration: CCA-Security from $(n,1)$-lossy TDFs. [Lemma] Let $\mathcal{F} = (G, F, F^{-1})$ be a family of $(n, \ell)$-lossy TDFs. Then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided $H_\infty(C_w) = \mu \ge w(n-\ell) + \omega(\log n)$. ECC: $[w, k, d=w-k+1]$ Reed-Solomon. Input Distribution: $(d, w)$-subset reconstructable distribution. Parameters: $k = n^{\epsilon}$, $w = n^{\theta}$, where $\theta > 1+\epsilon$; $d = w-k+1$. Entropy: $d \cdot n > (w-k) \cdot n = w \cdot (n - kn/w) > w \cdot (n-1) + \omega(\log n)$.
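
The last inequality on slide 24, carried through with the slide's own symbols (an added derivation, not part of the original slides). With $k = n^{\epsilon}$, $w = n^{\theta}$, $\theta > 1+\epsilon$ and $d = w-k+1$:

$$ d \cdot n - w(n-1) = (w-k+1)\,n - wn + w = w - (k-1)\,n > w - kn = w\left(1 - n^{1+\epsilon-\theta}\right). $$

Since $1+\epsilon-\theta < 0$, the term $n^{1+\epsilon-\theta}$ tends to $0$, so the slack is $w(1-o(1)) = \Omega(n^{\theta})$, which is $\omega(\log n)$. Hence $d \cdot n \ge w(n-1) + \omega(\log n)$, which is the lemma's condition for $\ell = 1$.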

25 Summary: CCA from correlated inputs.

| Construction | (d,w) | Sufficient lossiness |
|---|---|---|
| Rosen-Segev simplified | d=1 | n(1-1/w) |
| Rosen-Segev generalized | d/w=ε: const, 0<ε<1 | ? |
| Rosen-Segev* | d/w=1-o(1) | 1/poly(n) |

\* Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

26-27 From LTDFs to CCA-Security (generically). [Figure: amount of lossiness (bits) against hardness assumption. Lossiness marks: 1/poly(n), 1, log e, cn, n(1-o(1)). Assumptions shown: mod squaring, RSA function, Φ-hiding, QR, LWE, DDH. Slide 26 marks the region covered by [PW08, RS09]; slide 27 marks the region covered by this work.]

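29 Slightly LTDF from 2vs3Primes. Hardness Assumption (2vs3Primes): $2\mathrm{Primes}_n$: $N = pq$ with $p, q$ primes, $|N| = n$; $3\mathrm{Primes}_n$: $N' = pqr$ with $p, q, r$ primes, $|N'| = n$; $N \approx_c N'$. The construction $\mathcal{F}$. Sample injective: $N \leftarrow 2\mathrm{Primes}_{n+1}$; $s_{inj} = N$; $t = (p,q)$. Sample lossy: $N \leftarrow 3\mathrm{Primes}_{n+1}$; $s_{loss} = N$. Evaluate ($F$ on $\{0,1\}^n$, arithmetic in $\mathbb{Z}_N$): $F(N, x) = (x^2 \bmod N,\ (x > N/2),\ (J_N(x) = 1))$.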

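30 Slightly LTDF from 2vs3Primes. [Theorem] Under the 2vs3Primes assumption, $\mathcal{F}$ is a family of $(n, 1/4)$-lossy TDFs. Indistinguishability of the two modes: immediate from the 2vs3Primes assumption. Inversion of $(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$: from $y$ and $t = (p,q)$ compute the square roots $x, -x, z, -z$; the bits $b_1$ and $b_2$ narrow the candidates down to $x$.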

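31 Slightly LTDF from 2vs3Primes. $(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$. [Diagram: $\{0,1\}^n$ mapped into $\mathbb{Z}_N$, labelled 8-to-1.] The domain $\{0,1\}^n$ splits into three parts, each with a bound on its image: $x \ge N/2$: $\le 2^n - N/2$; $\gcd(x,N) > 1$ and $x < N/2$: $\le (N - \varphi(N))/2$; $\gcd(x,N) = 1$ and $x < N/2$: $\le \varphi(N)/4$. In total $|\mathrm{Img}(\{0,1\}^n)| \le 2^{n-1/4}$.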
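
A toy-size check of slides 29 to 31, as an added example that is not code from the talk or the paper: it evaluates $F(N,x)$ on all of $\{0,1\}^7$ for one two-prime and one three-prime modulus, inverts the injective mode with the trapdoor, and counts the lossy image per domain part. The primes are constructed sample values, and taking $p, q \equiv 3 \pmod 4$ in the injective mode is an assumption made here so that $b_1, b_2$ single out one square root; the slides do not state it.

```python
# Added example: toy-size check of the modular-squaring LTDF from slides 29-31.
# All primes are constructed sample values; p, q = 3 (mod 4) is an assumption.
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def F(N, x):
    """F(N, x) = (x^2 mod N, x > N/2, J_N(x) = 1), as on slide 29."""
    return (x * x % N, 2 * x > N, jacobi(x, N) == 1)

def image_size(N, n):
    """Number of distinct outputs of F(N, .) over the domain {0,1}^n."""
    return len({F(N, x) for x in range(2 ** n)})

def invert(p, q, out):
    """Invert F(pq, .) with the trapdoor t = (p, q); needs p, q = 3 (mod 4)."""
    N, y = p * q, out[0]
    rp = pow(y, (p + 1) // 4, p)   # a square root of y modulo p
    rq = pow(y, (q + 1) // 4, q)   # a square root of y modulo q
    for sp in (rp, -rp % p):
        for sq in (rq, -rq % q):
            # CRT: the root that is sp mod p and sq mod q
            c = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N
            if F(N, c) == out:     # b1 and b2 single out the right root
                return c
    return None

def lossy_parts(N, n):
    """Image size of F(N, .) on each of the three domain parts of slide 31."""
    parts = {"x>=N/2": set(), "nonunit": set(), "unit": set()}
    for x in range(2 ** n):
        if 2 * x >= N:
            key = "x>=N/2"
        else:
            key = "unit" if gcd(x, N) == 1 else "nonunit"
        parts[key].add(F(N, x))
    return {k: len(v) for k, v in parts.items()}

if __name__ == "__main__":
    n = 7  # domain {0,1}^7; both moduli have n + 1 = 8 bits
    print("injective, N = 7*19  :", image_size(7 * 19, n), "of", 2 ** n)
    print("lossy, N = 3*7*11    :", image_size(3 * 7 * 11, n), "of", 2 ** n)
    print("lossy image by part  :", lossy_parts(3 * 7 * 11, n))
```

At this size the lossy image is only bounded, not computed asymptotically: the three part bounds from slide 31 give at most 12 + 56 + 30 = 98 of the 128 inputs' worth of outputs for N = 231.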

33 Conclusions.
Summary:
- Slightly LTDFs are powerful.
- Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.
- Construction of a slightly LTDF from 2vs3PRIMES.
Open Problems:
- CCA-security from new hardness assumptions (via slightly lossy TDFs).
- Is small lossiness enough for BB construction of other primitives (for example CRHF)?

34 Introductory Slide. Importance of PKE encryption. Also importance of CCA security [Rackoff Simon91].

36-37 Lossy Trapdoor Functions.
Very "rich" primitive:
- Injective One-Way TDFs
- Collision resistant hash functions
- CPA/CCA secure encryption
- Deterministic/hedged encryption
- PKE secure under selective opening attacks
Constructions from various hardness assumptions:
- DDH, LWE [PW08]
- Decisional Composite Residuosity (DCR) [RS08, BFO08]
- QR, d-Linear [FGKRS10]
- Φ-hiding [KOS10]

38 Rosen-Segev Generalized Construction. CCA proof: for almost perfect simulation of decryption by the simulator, it suffices that $(x_1, \dots, x_w)$ can be reconstructed from any $d$ distinct $x_i$. Security requirement: $\mathcal{F}$ OW under such a distribution $C_w$. Focus of this work: how much lossiness is required from $\mathcal{F}_{loss} = (G, F, F^{-1})$ in order for $\mathcal{F}_w$ to be OW under $C_w$?

39 $(d,w)$-subset reconstructible distribution. [Diagram: $x_1, x_2, \dots, x_{w-1}, x_w$ with selected subsets $x_{i_1}, x_{i_2}, \dots, x_{i_d}$.] Property: all $w$ elements can be reconstructed from any $d$ distinct $x_i$'s. Efficient Sampling: $(d,w)$-threshold secret sharing scheme. Entropy: If, then

40-41 Achieving High Entropy. [Diagram: ECC maps $VK_1$ and $VK_2$ (length $k$) to $\mathrm{ECC}(VK_1)$ and $\mathrm{ECC}(VK_2)$ (length $w$).] Desired property: if $VK_1 \neq VK_2$, then $\mathrm{ECC}(VK_1)$, $\mathrm{ECC}(VK_2)$ are "far apart". Reed-Solomon codes: $d = w-k+1$ (meet the Singleton bound).

42 Summary: PKE from correlated inputs.

| Construction | (d,w) | Sufficient lossiness | CPA/CCA |
|---|---|---|---|
| | d=w | not needed (OWF suffice) | CPA |
| Rosen-Segev simplified | d=1 | n(1-1/w) | CCA |
| Rosen-Segev generalized | d/w=ε: const, 0<ε<1 | ? | CCA |
| Rosen-Segev* | d/w=1-o(1) | 1/poly(n) | CCA |

\* Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

43 Dec. If Ver()=1, recover $x_i$ from $y_i$ for $i = 1, \dots, w$. If the $x_i$'s are from the "correct" distribution, return $c_1 \oplus h(f_{1,VK_1}, \dots, f_{w,VK_w}, x)$.

44 From LTDFs to CCA-Security (generically). [Figure: amount of lossiness (bits) against hardness assumption. Lossiness marks: 1, log e, cn. Assumptions shown: mod squaring, RSA function, Φ-hiding, QR, LWE.]

45 Slightly LTDF from 2vs3Primes. $(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$. [Diagram labels: 8-to-1, $\mathbb{Z}_N$.]

46 Conclusions.
Summary:
- Slightly LTDFs are powerful.
- Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.
- Construction of a slightly LTDF from 2vs3PRIMES.
Open Problems:
- CCA-security from new hardness assumptions (via slightly lossy TDFs).
- Is small lossiness enough for BB construction of other primitives (for example CRHF)?
- Amplify the lossiness rate (as opposed to the lossiness amount).