Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lossy Trapdoor Functions and Their Applications

Published byまいか たつざわ Modified over 5 years ago

Similar presentations

Presentation on theme: "Lossy Trapdoor Functions and Their Applications"— Presentation transcript:

1 Lossy Trapdoor Functions and Their Applications
Chris Peikert SRI International Brent Waters SRI International

2 Trapdoor Functions (TDF) [DH76]
Receiver recovers all input PK: f( * ) TD Input = x f(x) x

3 PKE  TDF E(M,r) M SK Message: M Randomness: r r
Input not recovered. Not a TDF!

4 Building TDFs from PKE (a failure)
SK Input: x E(x,x) x Insecure! BB-Impossible [GMR05]

5 Injective TDFs: A Building Block?
Multi-Party Computation[Y82,…] Non-Interactive Zero Knowledge [BFM88] (CCA-Secure) PKE [ GM84, NY90,RS91,DDN91,S99…] 30 years since RSA: Only Factoring Candidates Quantum Attacks Break Factoring! [S94]

6 Our Results First “non-native” TDF constructions
New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91] [RSA78] [PW07] [PW07]

7 Lossy TDFs: A Tale of Two Keys
Injective Keys ginj( ) TD PK: g(*) x x’ Lossy Keys glossy( ) x PK: g(*) TD x’ Property: Indistinguishable key types Attacker can’t invert

8 ? Key-Type Indist. Attacker cannot tell key-type Injective Lossy
Prob. < ½ + negl.

9 Homomorphic Encryption
E(a) © E(b) = E(a+b) c¢ E(a) = E(c¢a) El Gamal’ PK: ga CT: gr , gargm (gr1, gar1gm1) © (gr2, gar2gm2) = (gr 1 +r2, ga(r1+r2) gm1+m2)

10 = Creating Lossy TDFs Injective: Encrypt Identity Matrix
Evaluate: Matrix Multiplication E(1) E(0) E(0) x1 xn E(0) E(1) = E(0) E(1) E(x1) E(xn)

11 = Creating Lossy TDFs Lossy: Encrypt Zero Matrix
Msg. output independent of input , but … E(0) E(0) E(0) x1 xn E(0) E(0) = E(0) E(0) E(0)

12 DDH-Construction Group G order q Input size: n > 3 lg(q) Pick:
g, h1= ga1 , … , hn=gan 2 G r1, … , rn 2 Zq

13 Creating Lossy TDFs (injective)
if i =j Ai,,j = hjri g1 else Ai,,j = hjri h1r1 g h2r1 x1 xn gr1 hnr1 h1r2 = grn h1rn hnrn g y=i xi ri ,g a1  xiri gx1 g xiri ,g an  xiri gxn

14 Creating Lossy TDFs (injective)
if i =j Ai,,j = hjri g1 else Ai,,j = hjri h1r1 g h2r1 x1 xn gr1 hnr1 h1r2 = Use ai’s to recover xi’s grn h1rn hnrn g y=i xi ri ,ga1 y gx1 gy ,g an y gxn

15 Creating Lossy TDFs (lossy)
Ai,,j = hjri DDH ) Key Indist. h1r1 h2r1 x1 xn gr1 hnr1 h1r2 = grn h1rn hnrn y=i xi ri ,g a1 y gy g an y Only lg(q) bits of information ) n- lg(q) bits lost!

16 Lattice Realization Learning with Error (LWE) Lattice Connection [R05]
Challenge: Extra bits leaked

17 Injective Trapdoors Lossy Key Indist. Advlossy = negl. ¼ Advinj
Injective Keys ginj( ) TD PK: g(*) x Lossy Keys glossy( ) x PK: g(*) Lossy Key Indist. Advlossy = negl. ¼ Advinj

18 Summary Trapdoors and CCA Security
First CCA-secure system from lattices [AD97] Witness Recovering Techniques A New General Primitive? Many applications (CRHF, OT) Multiple Relizations

19 Thank You

20 Thank You

21 Lossy TDFs: A Tale of Two Keys
Injective Keys ginj( ) TD PK: g(*) x x’ Lossy Keys glossy( ) x PK: g(*) TD x’ Property: Indistinguishable key types Attacker can’t invert

22 Lossy TDFs: A Tale of Two Keys
Injective Keys TD finj( ) PK: f( * ) x x’ Lossy Keys TD flossy( ) PK: f( * ) x x’

23 Lossy Trapdoor Functinons
How To Build Them How to build them Injective Trapdoor Functions CCA-secure Encryption

24 Trapdoor Function Candidates
Factoring (e.g. RSA, QR) Cyclic Groups (e.g. DDH) Linear equations (lattices) Large Scale Quantum Attacks?

25 Properties Injective: 8 x,x’ finj( x )  finj( x’ )
f-1 (TD, finj( x )) = x 2) Lossy: n input size r < n residual leakage (range < 2r) k = n-r lossiness

26 Building A Trapdoor Function
Use Lossy-TDF with Injective Keys PK: finj( * ) TD Correctness: Direct Security ??

27 Security for (Injective) TDF
f( x ) x x’ Adv. wins iff x’=x

28 Sequence of Game Proofs
Define Games: Game-1 , … , Game-N Game-1 is actual security game Properties Game-i c Game-i+1 Advantage(Game-N)  0 (info theoretic)

29 Proving Non-Invertability
finj( ) flossy( ) Game-1 finj( x ) flossy( x ) Key Indist. x Game-2 x’ Adv. wins iff x’=x Game-2: 9 ¼ 2k z s.t. flosssy(x) = flossy(z) ) negl. advantage Big Idea: Challenge over Public Key Type!

30 CCA Security[RS91] ? PK SK Practical: B[98] Attack on RSA PKCS#1
“Meet me at 8 –Bob” ? “a7%($,..” “Meet me …” Practical: B[98] Attack on RSA PKCS#1

31 Chosen Ciphertext Security (CCA-1)
PK CTi Dec(CTi) M0, M1 Enc(PK,Mb)=CT* b Wins if b’=b b’

32 Preventing CCA Attacks
Non-Interactive Zero Knowledge (NIZK) [NY90,RS91,DDN91, CS98,S99, CS02, ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Theme: Decryptor not recover r Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)

33 “Witness Recovering” Encryption
PK: E(*,*) SK Message: M Randomness: r E(M,r) M r “Re-encrypt” to test

34 All-but-One (ABO) TDF Generate “lossy branch” b* x x TDb* x’ x’
gb*( *,* ) TDb* gb*(b=b*,x ) gb*(b b*,x ) x x x’ x’ Correctness: g-1(TD, b , gb*(b  b*, x)) = x Security: Lossy Branch indist.

35 CCA-1 Enc. KeyGen Enc(M,PK) Dec(CT,SK) finj( * ) gb*(*,*) PubKey:
, d (extractor seed) SK: TDf TDg Enc(M,PK) x, e CT = e, C1= finj(x) , C2=gb*(e,x) , C3= M © Ext(x, d) Dec(CT,SK) 1) x’ = f-1(C1) 3) M= C3 © Ext(x’,d) 2) Re-encrypt with x’

36 Chosen Ciphertext Security
Game-1 ge*(*,*) gb*(*,*) finj( ) flossy( ) Probabilistic CTi Dec(CTi) Game-2 Hidden Branch M0, M1 Game-3 Enc(PK,Mb)=CT*=(e*,…) Equivalent b Game-4 Wins if b’=b b’ Key Indist. Game-5 Game-4: Decrypt with ABO key Game-5: Ext(x,d) ¼ Uniform | g(b*,x), flossy(x) ) negl. advantage Game-3: Lossy Branch = e* Game-2: Reject sigs from e* Game-5: Make key Lossy

37 Full CCA Security Queries before and after challenge CT
Sign CT with One-Time Signature

38 Conclusions First TDFs w/o factoring First CCA from lattices
Main Ideas: Loose Information Simulator changes parameters

39 Future Directions Lossy TDF as a general tool OT
Collision Resistant Hash Applications of Lossy Idea General Realizations?

40 CCA Enc KeyGen Enc(M,PK) Dec(CT,SK) finj( * ) gb*(*,*) PubKey:
, d (extractor seed) SK: TDf TDg Enc(M,PK) x, ( VK, SigSK ) CT = VK, C1= finj(x) , C2=gb*(VK,x) , C3= M © Ext(d, x), = Sig(SKSig, (C1…C3)) Dec(CT,SK) 1) Check  3) Re-encrypt with x’ 2) x’ = f-1(C1) 4) M= C3 © Ext(x’,d)

41 Chosen Ciphertext Security
Game-1 gb*(*,*) gVK*(*,*) finj( ) flossy( ) Signature M0, M1 Game-2 Enc(PK,Mb)=CT* Hidden Branch b Game-3 CTi  CT*=(VK*…) Equivalent Dec(CT_i) Game-4 Wins if b’=b b’ Key Indist. Game-5 Game-4: Decrypt with ABO key Game-5: Ext(x,d) ¼ Uniform | g(b*,x), flossy(x) ) negl. advantage Game-5: Make key Lossy Game-2: Reject sigs from VK* Game-3: Lossy Branch = VK*

Download ppt "Lossy Trapdoor Functions and Their Applications"

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)

RECENT PROGRESS IN LEAKAGE-RESILIENT CRYPTOGRAPHY Daniel Wichs (NYU) (China Theory Week 2010)
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Lattice-Based Cryptography

Lattice-Based Cryptography
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Lattice-Based Cryptography

Lattice-Based Cryptography
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google