Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Published byGrady Tillison Modified over 9 years ago

Similar presentations

Presentation on theme: "Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego."— Presentation transcript:

1 Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego

2 2 Security for Public-Key Encryption client server Ideally: Protect against all possible attacks pk, sk For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91]) pk Modeling all possible attacks is hard (if possible at all) insecure channel

3 3 Chosen-Ciphertext Security (PKE) pk cici m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c*=Enc(pk,b) (pk,sk) Keygen(1 n ) b {0,1} $

4 4 Chosen-Ciphertext Security (PKE) pk, c i ≠ c* m i =Dec(sk, c i ) Π=(KeyGen, Enc, Dec) c* b {0,1} $ (pk,sk) Keygen(1 n )

5 5 Chosen-Ciphertext Security (PKE) b’ Security against CCA attacks For all efficient adversaries b {0,1} $ Π=(KeyGen, Enc, Dec) pk,c* (pk,sk) Keygen(1 n ) |Pr [b’=b]-1/2| =negl(n)

6 CCA-Secure Encryption (overview) 6 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

7 CCA-Secure Encryption (overview) 7 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH [PW08] LTDFs [RS09] Correlated inputs

8 8 Lossy Trapdoor Functions [PW08] F(s inj,. ) : 1-1.. computational requirement {0,1} n F =(G, F, F -1 ) (n, l )-lossy TDF {0,1} n (s inj, t) G(inj) F(s inj,. ) (s loss, ) G(loss) F(s loss,. ) |Img(F(s loss,. ))|=2 n- l F -1 (t,. )

9 9 CCA-PKE from LTDFs & Correlated Inputs ( generic constructions) [Peikert, Waters 08] (n, n(1-o(1))) LTDFs All But One TDFs CCA-secure PKE CCA-secure PKE [Rosen, Segev 09] (n, n(1-o(1))) LTDFs Correlated input OWFs CCA-secure PKE CCA-secure PKE This work (n, 1/poly(n)) LTDFs CCA-secure PKE CCA-secure PKE Correlated input OWFs

10 Rest of talk OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 10

11 11 One-Wayness Under Correlated Inputs family of efficiently computable functions [Def] (w-wise product) Generation: Evaluation: (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w (x 1, x 2, …, x w ) One-Wayness: F one-way under C w -correlated inputs if for all PPT adversaries A F =(G, F) GwGw Pr[A(f 1, …, f w, f 1 (x 1 ),…, f w (x w ))= (x 1,..., x w )] : negligible where (x 1,..., x w ) ~ C w

12 Rosen-Segev Simplified construction 12 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i )

13 13 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) Rosen-Segev Simplified construction

14 14 Components 1.F =(G, F, F -1 ): injective TDFs, OW under C w -correlated inputs 2.Π = (Kg, Sign, Ver) one-time signature scheme 3.h hardcore predicate for F under C w -correlated inputs The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... G Enc t 1,0 t 1,1 f 1,0 f 1,1 f w,0 f w,1 t w,0 t w,1 (VK, SK) Kg ;VK=VK 1... VK w {0,1} w ; x = (x 1,…, x w ) C w y i =f i,Vk i (x i ) 14 c 1 = b h(f 1,Vk 1, …, f w,Vk w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) Rosen-Segev Simplified construction

15 15 For CCA proof : 2 requirements from C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any x i : w-repetition distribution x 1 =x 2 =...=x w Instantiation ([RS09]) (n, n(1-1/w))-lossy TDFs OW under w-repetition CwCw Rosen-Segev Simplified construction

16 Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 16 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

17 Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 17 ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

18 Additional Component The Construction: E = (KeyGen, Enc, Dec) KeyGen sk pk... Enc t 1,0 t 1,|Σ|-1 (VK, SK) Kg, VK Σ k ; ECC(VK) = σ 1... σ w Σ w x = (x 1,…, x w ) C w y i =f i,σ i (x i ) 18 c 1 = b h(f 1,σ 1, …, f w,σ w, x) (VK, y 1, …, y w, c 1, c 2 ) c 2 =Sign (SK, y 1, …, y w, c 1 ) ECC: Σ k Σ w with distance d... t w,0 t w,|Σ|-1... f 1,0 f 1,|Σ|-1... f w,0 f w,|Σ|-1... Rosen-Segev Generalized construction

19 19 Required properties for C w Hardness assumption: F should be OW under C w almost perfect simulation of decryption: (x 1,…, x w ) reconstructable from any d distinct x i How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ? Focus of this work Rosen-Segev Generalized construction distance of the ECC

20 Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 20

21 21 [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided Sligthly LTDFs CCA F = (n, l )-lossy TDF with domain {0,1} n (x 1,..., x w ) ~ C w with H ∞ (x 1,..., x w ) = μ > w. (n- l ) + ω(log n) f 1, f 2,…,f w G inj (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) f 1, f 2,…,f w G loss (f 1 (x 1 ), f 2 (x 2 ),…, f w (x w )) takes at most 2 w(n- l ) values ≈ H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) 2 ω(log n) many preimages 2 ω(log n) many preimages unique preimage unique preimage

22 22 (d,w)-subset reconstructable distribution ……… xi1xi1 xi2xi2 xidxid... x1x1 x2x2 x w-1 xwxw Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If x i {0,1} n, then H ∞ (x 1,..., x w ) ≈ d. n

23 23 Achieving High Entropy VK 1 k w ECC Desired property: If VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 1 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound) ECC(VK 2 ) k

24 24 Putting the Pieces Together Illustration: CCA-Security from (n,1)-lossy TDFs (n,1)-lossy TDFs imply CCA-security [Lemma] F =(G, F, F -1 ) family of (n, l )-lossy TDFs, then F w is OW under any distribution C w provided H ∞ ( C w ) = μ ≥ w(n- l ) + ω(log n) ECC: [w, k, d=w-k+1] Reed-Solomon Input Distribution: (d, w)-subset reconstructable distribution k=n ε, w=n θ, where θ> 1+ ε. d=w-k+1 Entropy: d. n > (w-k). n = w. (n-kn/w) > w. (n-1) + ω(log n)

25 Summary: CCA from correlated inputs 25 Construction(d,w) Sufficient lossiness Rosen- Segev simplified d=1n(1-1/w) Rosen- Segev generalized d/w=ε:const 0<ε<1 ? Rosen-Segev*d/w=1-ο(1)1/poly(n) * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

26 26 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR [PW08, RS09] 1/poly(n) n(1-o(1)) DDH

27 27 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR 1/poly(n) n(1-o(1)) DDH this work

28 Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 28

29 Hardness Assumption: 2vs3Primes 29 Slightly LTDF from 2vs3Primes 2Primes n p, q: primes N= pq ; |N|=n 3Primes n p,q, r : primes N’ =pqr ; |N’|=n The construction F Sample injective: N 2Primes n+1 ; s inj =N ; t=(p,q) Evaluate: F: {0,1} n Z N F(N, x) =(x 2 mod N, (x>N/2), ( J N (x)=1)) N ≈ N’ c Sample lossy: N 3Primes n+1 ; s loss =N

30 [Theorem] Under the 2vs3Primes assumption, F is a family of (n,¼)-lossy TDFs. 30 Slightly LTDF from 2vs3Primes ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) y t=(p,q) x, -x z, -z xzxz b1b1 b2b2 x Immediate from 2vs3Primes assumption

31 31 Slightly LTDF from 2vs3Primes 8-to-1 ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1)) {0,1} n x ≥ N/2 gcd(x,N)>1 and x<N/2 gcd(x,N)=1 and x<N/2 |Img({0,1} n )|≤ 2 n-1/4 ≤ φ(N)/4 ≤ (N-φ(N))/2 ≤ 2 n -N/2

32 Talk Outline OW under Correlated Inputs and the Rosen-Segev Construction CCA-security from Slightly LTDFs A Slightly LTDF based on Modular Squaring Conclusions 32

33 Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 33 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ?

34 Introductory Slide Importance of PKE encryption Also importance of CCA security [Rackoff Simon91] 34

35 CCA-Secure Encryption (overview) 35 Generic Constructions Concrete Instantiations 1998 2009 1991 I II [DDN 91] Enhanced TDPs [PW08] LTDFs [RS09] Correlated inputs [CS98] DDH [HK09] Factoring 2004 2008 [CS 02] UHPS II 2002 [CHK 04] IBE [BCHK 06] BCDH 2006 II [CKS08] CDH

36 Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 36 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

37 Very “rich” primitive –Injective One-Way TDFs –Collision resistant hash functions –CPA/CCA secure encryption –Deterministic/hedged encryption –PKE secure under selective opening attacks 37 Lossy Trapdoor Functions Constructions from various hardness assumptions –DDH, LWE [PW08] –Decisional Composite Residuosity (DCR) [RS08,BFO08] –QR, d-Linear [FGKRS10] –Φ-hiding [KOS10]

38 38 CCA proof: For almost perfect simulation of decryption by the simulator, it suffices that (x 1,…, x w ) can be reconstructed from any d distinct x i Rosen-Segev Generalized Construction Security requirement: F OW under such distribution C w Focus of this work How much lossiness is required from F loss = (G, F, F -1 ) in order for F w to be OW under C w ?

39 39 (d,w)-subset reconstructible distribution ……… xi1xi1 xi2xi2 xidxid xi1xi1 xidxid xi2xi2... x1x1 x2x2 x w-1 xwxw,,..., Property: All w elements can be reconstructed by any d distinct x i ’s Efficient Sampling: (d,w)-threshold secret sharing scheme Entropy: If, then

40 40 Achieving High Entropy k VK 1 k ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

41 41 Achieving High Entropy k VK 1 ECC(VK 1 ) w ECC Desired property: VK1≠ VK2, then ECC(VK 1 ), ECC(VK 2 ) “far apart” ECC VK 2 ECC(VK 2 ) Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

42 Summary: PKE from correlated inputs 42 Construction(d,w) Sufficient lossiness CPA/CCA d=w not needed OWF suffice CPA Rosen- Segev simplified d=1n(1-1/w)CCA Rosen- Segev generalized d/w=ε:const 0<ε<1 ? CCA Rosen-Segev*d/w=1-ο(1)1/poly(n)CCA * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

43 43 Dec If Ver()=1, recover x i from y i for i=1,…,w If x i s are from the “correct” distribution return c 1 h(f 1,Vk 1, …, f w,Vk w, x)

44 44 amount of lossiness (bits) hardness assumption I I LWE cn I 1 I loge I From LTDFs to CCA-Security (generically) RSA function Φ-hiding mod squaring QR

45 45 Slightly LTDF from 2vs3Primes and 8-to-1 and ZNZN ( y= x 2 mod N, b 1 = (x>N/2), b 2 = (J N (x)=1))

46 Conclusions Summary Slightly LTDFs are powerful. Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness. Construction of a slightly LTDF from 2vs3PRIMES 46 Open Problems CCA-security from new hardness assumptions (via slightly lossy TDFs) Is small lossiness enough for BB construction of other primitives (for example CRHF) ? Amplify the lossiness rate (as opposed to the lossiness amount)

Download ppt "Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego."

Similar presentations

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
7. Asymmetric encryption-

7. Asymmetric encryption-
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.

1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.

Similar presentations

Ads by Google