
A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy
Benjamin Fuller, Adam O’Neill, Leonid Reyzin (Boston University)
Presentation transcript


Slide 1. Title slide
A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy
Benjamin Fuller (Boston University & MIT Lincoln Lab), Adam O’Neill (Boston University), Leonid Reyzin (Boston University)

Slide 2. Public Key Encryption (PKE)
[Diagram: the public key PK, the message m and random coins $ go into Enc, which outputs the ciphertext c.]
Need randomness to achieve semantic security.

Slide 3. Public Key Encryption (PKE)
[Diagram: same as slide 2, with the coins $ singled out.]
What can be achieved without randomness?

Slide 4. Why deterministic PKE?
The question of deterministic symmetric-key encryption is well understood:
–Key: k
–Messages: m_1, …, m_n
–Encryption: pad_1 || … || pad_n = prg(k), c_i = pad_i ⊕ m_i (each position of the pad is consumed once)
–prg – pseudorandom generator: each output bit appears random to a bounded distinguisher
Deterministic PKE is difficult but has important applications:
–Supporting devices with limited/no randomness
–Enabling encrypted search, e.g. spam filtering by keyword on encrypted email

Slide 5. Deterministic PKE
A PKE scheme where encryption is deterministic
–Introduced by [Bellare Boldyreva O’Neill 07]
We still need a source of randomness ⇒ the messages themselves are the only hope
Security is defined w.r.t. a high-entropy message distribution M:
–H∞(M) ≥ μ ⇔ for all m, Pr[M = m] ≤ 2^−μ, i.e. even the most likely message is hard to guess
–E.g.: uniform with first bit 1; a network packet with a fixed header
–The message distribution must be independent of the public key
An approach: fake the coins of a chosen-plaintext-secure (CPA) scheme [Bellare Boldyreva O’Neill 07, Bellare Fischlin O’Neill Ristenpart 08]

Slide 6–7. Results
Deterministic PKE from:
–General: an arbitrary TDF with enough hardcore bits
–Efficient: a single application of the TDF
The framework yields constructions from Niederreiter, RSA & Paillier
–These TDFs have many hardcore bits under non-decisional (search) assumptions
Tools of independent interest:
–Improved equivalence between indistinguishability & semantic security
–Conditional computational entropy
First deterministic PKE for q arbitrarily correlated messages
–Extension of the LHL to correlated sources using a 2q-wise independent hash
–Extension of the crooked LHL to improve parameters
Slide 7 repeats this list and marks the focus of the talk: the general construction and the conditional-computational-entropy tool behind its proof.

Slide 8–10. Our Scheme: Encrypt with hardcore (Enc_hc)
[Diagram: the message m is fed to TDF and to hc; the output of hc goes through Ext, and the result is used as the coins of the randomized Enc, which encrypts the TDF output under PK to produce the ciphertext. No coins enter from outside.]
TDF – trapdoor function: easy to compute, hard to invert without the trapdoor
hc – hardcore function: pseudorandom given the output of the TDF
Ext – randomness extractor: converts high-entropy distributions to uniform
Enc – randomized encryption algorithm
Question: Why is this semantically secure?
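As an added, runnable illustration of the pipeline on this slide (constructed by the editor; not code from the authors' paper or from any library), the toy below instantiates every box: textbook RSA with a Mersenne-prime toy modulus as the TDF, the low-order bits of m standing in for hc (treating 40 low-order RSA bits as simultaneously hard-core is an assumption of the toy, made only so the code runs), a pairwise-independent hash as Ext, and hashed ElGamal with caller-supplied coins as the randomized Enc. The deterministic scheme is then Enc_hc(PK, m) = Enc(pk, TDF(m); Ext(hc(m))); decryption, which the slide does not draw, decrypts with the ElGamal key and inverts the TDF with the RSA trapdoor. The last function shows why the min-entropy requirement of slide 5 is not optional: a message drawn from a small candidate set is recovered by re-encrypting the candidates. All key material and messages are hard-coded constructed sample values, far too small to be secure.

```python
"""Toy instantiation of Enc_hc(PK, m) = Enc(pk, TDF(m); Ext(hc(m))). Constructed example."""
import hashlib

# ---- TDF: textbook RSA with the Mersenne primes 2^31-1 and 2^61-1 (toy sizes) ----
RSA_P, RSA_Q = (1 << 31) - 1, (1 << 61) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # the trapdoor


def tdf(m: int) -> int:
    """f(m) = m^e mod N: easy forward, hard to invert without RSA_D (at real sizes)."""
    if not 0 <= m < RSA_N:
        raise ValueError("message outside the TDF domain")
    return pow(m, RSA_E, RSA_N)


def tdf_invert(y: int) -> int:
    return pow(y, RSA_D, RSA_N)


# ---- hc: modelled as the low-order HC_BITS of m (an assumption of this toy) ----
HC_BITS = 40


def hc(m: int) -> int:
    return m & ((1 << HC_BITS) - 1)


# ---- Ext: pairwise-independent hash ((a*x + b) mod p) mod 2^k; the seed (a, b) is public ----
EXT_P = (1 << 61) - 1
COIN_BITS = 32


def ext(seed: tuple, x: int) -> int:
    a, b = seed
    return ((a * x + b) % EXT_P) & ((1 << COIN_BITS) - 1)


# ---- Enc: randomized PKE with explicit coins (hashed ElGamal mod 2^61-1, toy) ----
EG_P, EG_G = (1 << 61) - 1, 3


def pke_enc(pk: int, y: int, coins: int):
    """Enc(pk, y; r) = (g^r, H(pk^r) xor y). The coins r are supplied by the caller."""
    r = 1 + coins % (EG_P - 2)
    pad = hashlib.sha256(pow(pk, r, EG_P).to_bytes(8, "big")).digest()
    c2 = bytes(u ^ v for u, v in zip(pad, y.to_bytes(32, "big")))
    return pow(EG_G, r, EG_P), c2


def pke_dec(sk: int, ct) -> int:
    c1, c2 = ct
    pad = hashlib.sha256(pow(c1, sk, EG_P).to_bytes(8, "big")).digest()
    return int.from_bytes(bytes(u ^ v for u, v in zip(pad, c2)), "big")


# ---- The deterministic scheme ----
def det_keygen(eg_sk: int, ext_seed: tuple):
    pk = {"pke": pow(EG_G, eg_sk, EG_P), "ext": ext_seed}
    sk = {"pke": eg_sk}
    return pk, sk


def det_enc(pk, m: int):
    """Enc_hc: the only randomness is whatever entropy m itself carries."""
    return pke_enc(pk["pke"], tdf(m), ext(pk["ext"], hc(m)))


def det_dec(sk, ct) -> int:
    return tdf_invert(pke_dec(sk["pke"], ct))


def guess_plaintext(pk, ct, candidates):
    """Deterministic encryption lets anyone re-encrypt guesses: a message from a
    small candidate set (low min-entropy) is recovered outright."""
    for m in candidates:
        if det_enc(pk, m) == ct:
            return m
    return None


if __name__ == "__main__":
    pk, sk = det_keygen(0x1F2E3D4C5B6A, (0x123456789ABCDEF1, 0x0FEDCBA987654321))
    m = 0x5EC12E7ABCDEF0123                  # 68-bit constructed message, below RSA_N
    ct = det_enc(pk, m)
    assert ct == det_enc(pk, m) and det_dec(sk, ct) == m
    print(guess_plaintext(pk, det_enc(pk, 742), range(1000)))   # a ~10-bit message falls
```

Run as a script it prints 742, the recovered low-entropy message. The coins are only 32 bits because the toy hc yields few bits; the slide's "arbitrary TDF with enough hardcore bits" condition is exactly the requirement that Ext(hc(m)) be long enough to fill all of Enc's coins.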

Slide 11. Outline of Security Proof
Indistinguishability ⇒ Semantic security, for a message distribution M (a general definitional equivalence)
[Diagram of the scheme: PK, m → TDF, hc → Ext → Enc → c]

Slide 12–13. Semantic Security for Deterministic PKE
[Game diagram: the challenger picks b, samples a message from M, and sends the adversary A the public key pk together with DetEnc(m_b); A tries to compute f of the message.]
M – message distribution; f – test function
Semantic security: computing f from the real ciphertext should be no easier than computing f from a ciphertext of an independent random message.

Slide 14. Indistinguishability for Deterministic PKE
[Game diagram: the challenger picks b, samples m from M_b, and sends the adversary A the public key pk together with DetEnc(m); A outputs a guess for b.]
M_0 – message distribution; M_1 – message distribution

Slide 15–16. Outline of Security Proof
Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events with Pr[e_0], Pr[e_1] ≥ 1/4
⇒ Semantic security: for a message distribution M
(a general definitional equivalence)

Slide 17–18. Our Scheme: Enc_hc
[Same diagram and legend as slides 8–10: TDF – trapdoor function, hc – hardcore function, Ext – randomness extractor, Enc – randomized encryption algorithm.]
Question: Why is this indistinguishable? To gain intuition we will try removing the extractor.

Slide 19–20. Toy Scheme: Enc_hc without the extractor
[Diagram: hc(m) is fed directly to Enc as its coins; Ext is gone.]
Question: Is this scheme indistinguishable?
NO: hc can reveal the first bit of m, and Enc can reveal its first coin. The ciphertext then leaks the first bit of m, which distinguishes M|e_0 from M|e_1 whenever the events e_0 and e_1 fix that bit to different values.

Slide 21–24. Outline of Security Proof
Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all events e with Pr[e] ≥ 1/4
⇒ Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events with Pr[e_0], Pr[e_1] ≥ 1/4
⇒ Semantic security: for a message distribution M
Q: Is every hc robust? A: NO! Define the event e: fix the first bit of m (the previous example).

Slide 25. Robustness: Implicit in Prior Work
TDF | Robust hc function | Reference
Iterated trapdoor permutation | [GL89] hardcore bit at each iteration (the [BM84] PRG) | [Bellare Fischlin O’Neill Ristenpart 08]
Lossy trapdoor function | pairwise-independent hash function | [Boldyreva Fehr O’Neill 08]
Arbitrary trapdoor function | any function with enough hardcore bits + extractor Ext | this work

Slide 26–27. Outline of Security Proof
Hardcore function: hc(M) is pseudorandom given TDF(M)
⇒ Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e with Pr[e] ≥ 1/4
⇒ Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events with Pr[e_0], Pr[e_1] ≥ 1/4
⇒ Semantic security: for a message distribution M
[Diagram: the extractor is back, applied to the hardcore output as Ext(hc(m)).]
Rest of the talk: the first arrow, hardcore function ⇒ robust hardcore function.

Slide 28–29. Outline of Security Proof
Hardcore function ⇒ Robust hardcore function ⇒ Indistinguishability ⇒ Semantic security
The first arrow, in four steps:
1. Hardcore function: hc(M) is pseudorandom given TDF(M)
2. Conditional computational entropy: hc(M|e) has high computational entropy for every e with Pr[e] ≥ 1/4
3. Uniform extractor output: Ext(hc(M|e)) is pseudorandom for every e with Pr[e] ≥ 1/4
4. Robust hc function: Ext(hc(M|e)) given TDF(M|e) is pseudorandom

Slide 30–34. (1) Hardcore function ⇒ (2) Computational Entropy
Know: hc produces pseudorandom bits on M, i.e. hc(M) ≈ U
Want: hc produces pseudorandom bits on M|e
Problem: hc(M|e) cannot be pseudorandom in general; for example, the event e can fix the first bit of hc(M)
Solution: use HILL entropy! New goal: H_HILL(hc(M|e)) is high
Definition: H_HILL(X) ≥ μ if there exists Y with H∞(Y) ≥ μ and X ≈_{ε,s} Y, where ε is the distinguisher advantage and s the distinguisher size
How is H_HILL(hc(M|e)) related to H_HILL(hc(M))?
General question: how is H_HILL(X | E = e) related to H_HILL(X)?

Slide 35–36. Conditional Computational Entropy
Our Lemma: (statement not captured in the transcript)
Info-theoretic case: (statement not captured in the transcript)
Warning: this is not H_HILL! The lemma provides a different Y (one that has true entropy) for each distinguisher; this is the "metric*" entropy notion used in [Barak Shaltiel Wigderson 03] and [Dziembowski Pietrzak 08]
It can be converted to HILL entropy with a loss in circuit size [BSW03, Reingold Trevisan Tulsiani Vadhan 08]
Our Theorem: (statement not captured in the transcript)
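The information-theoretic case, written out here as an added derivation in the deck's own notation (this is the standard bound on conditioning min-entropy on an event, not the slide's lemma, whose statement did not survive extraction). For any $X$ with $H_\infty(X) \ge \mu$ and any event $e$ with $\Pr[e] > 0$:

$$
\Pr[X = x \mid E = e] \;=\; \frac{\Pr[X = x \wedge e]}{\Pr[e]} \;\le\; \frac{\Pr[X = x]}{\Pr[e]} \;\le\; \frac{2^{-\mu}}{\Pr[e]} \qquad \text{for every } x,
$$

so, taking $-\log_2$ of the largest probability,

$$
H_\infty(X \mid E = e) \;\ge\; H_\infty(X) - \log_2 \frac{1}{\Pr[e]} \;\ge\; \mu - 2 \qquad \text{whenever } \Pr[e] \ge \tfrac{1}{4}.
$$

This is why the proof only quantifies over events with $\Pr[e] \ge 1/4$: conditioning on such an event costs at most two bits of min-entropy, and the slide's computational lemma is the analogue of this bound for metric* entropy.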

Slide 37. Tangent: Average-Case Conditional Entropy
Our Lemma: (statement not captured in the transcript)
Info-theoretic case [Dodis Ostrovsky Reyzin Smith 04]: the conditioning is on a distribution, not on a single event!
–Average-case conditioning can be applied multiple times, e.g. to measure H(M | E_1, E_2)
–Our single-event lemma cannot measure entropy when the original distribution is already conditional
–Average-case conditioning is useful for leakage resilience
–It also works for conditional computational entropy: [Reingold Trevisan Tulsiani Vadhan 08], [Dziembowski Pietrzak 08], [Chung Kalai Liu Raz 11], [Gentry Wichs 10]

Slide 38. (1) Hardcore function ⇒ (2) Computational Entropy
[Diagram: M|e → hc → output with HILL entropy, by Our Theorem.]


Slide 40. (2) Conditional Computational Entropy ⇒ (3) Uniform Extractor Output
[Diagram: M|e → hc → (HILL entropy) → Ext → pseudorandom]
Extractors convert distributions with min-entropy to uniform, and distributions with H_HILL to pseudorandom.


Slide 42–48. (3) Uniform Extractor Output ⇒ (4) Robust hc function
[Diagram: M|e → hc → (HILL entropy) → Ext → pseudorandom, with TDF(M|e) alongside.]
Know: hc(M) given TDF(M) is pseudorandom (hc is hardcore)
Know: Ext(hc(M|e)) is pseudorandom (steps (1)–(3))
Want: Ext(hc(M|e)) given TDF(M|e) is pseudorandom
Unfortunately our entropy theorem does not work if the starting point is conditional, and "hc(M) given TDF(M)" is a conditional distribution
Solution: consider the joint distribution (hc(M), TDF(M)); condition on e to measure the entropy of (hc(M|e), TDF(M|e))
Lemma: Ext(hc(M|e)) given TDF(M|e) is pseudorandom


Slide 50. Our Scheme: Enc_hc
[Diagram of the scheme: PK, m → TDF, hc → Ext → Enc]
If hc is hardcore on M ⇒ Enc_hc is secure on M

Slide 51–52. Results
Enc_hc, deterministic PKE from:
–General: an arbitrary TDF with enough hardcore bits
–Efficient: a single application of the TDF
The framework yields constructions from Niederreiter, RSA & Paillier
–These TDFs have many hardcore bits under non-decisional (search) assumptions
Tools of independent interest:
–Improved definitional equivalence
–Conditional computational entropy
Allows encryption of messages from block sources
–Each message has entropy conditioned on the previous messages: H∞(M_i | M_1, …, M_{i−1}) is high
First deterministic PKE for q arbitrarily correlated messages (briefly)
–Extension of the LHL to correlated sources using a 2q-wise independent hash
–Extension of the crooked LHL to improve parameters

Slide 53–56. Extending to multiple messages
Enc_hc does not extend when multiple arbitrarily correlated messages are encrypted
We need an extractor that "decorrelates" messages: use a 2q-wise independent hash function
[Diagram: the Ext box of the scheme is replaced by Hash.]
First scheme for q arbitrarily correlated messages
Lemma (extension of the LHL): let M_1, …, M_q be high-entropy, arbitrarily correlated random variables with M_i ≠ M_j, and let Hash be a family of 2q-wise independent hash functions keyed by K. Then
(K, Hash(K, M_1), …, Hash(K, M_q)) ≈ (K, U_1, …, U_q)
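An added example (the editor's, not the paper's code) of what "decorrelates" means in the lemma above. It implements a t-wise independent hash as a random polynomial of degree t−1 over a prime field, hashes q = 3 correlated messages in arithmetic progression under one key, and checks whether the third output is a fixed linear function of the first two. For a pairwise-independent (degree-1) hash that relation holds for every key, so (K, Hash(K, M_1), Hash(K, M_2), Hash(K, M_3)) cannot be close to (K, U_1, U_2, U_3); with 2q = 6 coefficients it essentially never holds. For q = 2 pairwise independence already gives joint uniformity, which is why the demonstration needs three messages; it shows that more than pairwise independence is needed, not that 2q is the exact threshold. The prime, the correlation pattern and the RNG seed are constructed choices.

```python
"""t-wise independent polynomial hashing on correlated inputs. Constructed example."""
import random

PRIME = (1 << 61) - 1   # field for the polynomial hash (a Mersenne prime)


def poly_hash(key, x, p=PRIME):
    """h_key(x) = key[0] + key[1]*x + ... + key[t-1]*x^(t-1) mod p, via Horner's rule.
    With t uniform coefficients this family is t-wise independent."""
    acc = 0
    for coeff in reversed(key):
        acc = (acc * x + coeff) % p
    return acc


def random_key(t, rng):
    """Key for a t-wise independent hash: t uniform coefficients."""
    return [rng.randrange(PRIME) for _ in range(t)]


def hash_correlated(key, m0, q, p=PRIME):
    """Hash q arbitrarily correlated messages under one key; here M_i = M_0 + i,
    which keeps them distinct as the lemma requires."""
    return [poly_hash(key, m0 + i, p) for i in range(q)]


def third_is_determined(outputs, p=PRIME):
    """True iff h(m0+2) == 2*h(m0+1) - h(m0) mod p. When this holds the third output
    carries no fresh randomness, so the q outputs cannot look jointly uniform."""
    h0, h1, h2 = outputs[:3]
    return h2 == (2 * h1 - h0) % p


def leak_rate(t, q, trials, seed=0):
    """Fraction of random t-coefficient keys for which the linear relation holds.
    A degree-1 (pairwise) hash satisfies it for every key; a 6-wise hash almost never."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = random_key(t, rng)
        m0 = rng.randrange(PRIME - q)
        if third_is_determined(hash_correlated(key, m0, q)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("pairwise, t=2, q=3:", leak_rate(t=2, q=3, trials=200))   # 1.0
    print("2q-wise, t=6, q=3: ", leak_rate(t=6, q=3, trials=200))   # 0.0
```

The degree-1 case is exact arithmetic: h(m0+2) − 2h(m0+1) + h(m0) is the second finite difference of a linear polynomial, which is identically zero. For degree 5 that second difference is a nonzero cubic in m0, so a random key satisfies the relation only with probability on the order of 1/PRIME.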

Slide 57. Results (summary; the same list as slides 51–52)

Slide 58. Thank you!

