Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International.

Published byAdam Tate Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International."— Presentation transcript:

1 1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International

2 2 Trapdoor Functions (TDF) [DH76] f(x) x PK: f( * ) TD Receiver recovers all input Input = x

3 3 Some Uses of TDFs  Public Key Encryption (PKE)  NIZKs [BFM88]  PKE against active attackers CCA-security [NY90,DDN91]

4 4 PKE  TDF E(M,r) M PK: E(*,*) SK Message: M Randomness: r r Input not recovered. Not a TDF!

5 5 Building TDFs from PKE (a failure) E(x,x) x PK: E(*,*) SK Input: x Insecure! BB-Impossible [GMR05]

6 6 Trapdoor Function Candidates Factoring (e.g. RSA, QR) Cyclic Groups (e.g. DDH) Linear equations (lattices) Large Scale Quantum Attacks?

7 7 This Talk First “non-native” TDF constructions New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91][RSA78] [PW07]

8 8 This Talk  Lossy TDFs  How to build them  Injective Trapdoor Functions  CCA-secure Encryption

9 9 Lossy TDFs: A Tale of Two Keys x PK: f( * ) TD Injective Keys x’ f inj ( ) x TD Lossy Keys x’ f lossy ( ) PK: f( * ) 

10 10 Properties 1)Injective: 8 x,x’ f inj ( x )  f inj ( x’ ) f -1 (TD, f inj ( x )) = x 2) Lossy: n input size r < n residual leakage (range < 2 r ) k = n-r lossiness

11 11 Key-Type Indist. Attacker cannot tell key-type Injective Lossy Prob. < ½ + negl. ?

12 12 Homomorphic Encryption E(a) © E(b) = E(a+b) c ¢ E(a) = E(c ¢ a) El Gamal’ PK: g a CT: g r, g ar g m (g r 1, g ar 1 g m 1 ) © (g r 2, g ar 2 g m 2 ) = (g r 1 +r 2, g a(r 1 +r 2 ) g m 1 +m 2 )

13 13 Creating Lossy TDFs E(1) E(0) x1x1 xnxn = E(x 1 ) E(x n ) Injective: Encrypt Identity Matrix Evaluate: Matrix Multiplication E(0)

14 14 Creating Lossy TDFs E(0) x1x1 xnxn = Lossy: Encrypt Zero Matrix E(0) Msg. output independent of input, but …

15 15 DDH-Construction Group G order q Input size: n > 3 lg(q) Pick: g, h 1 = g a 1, …, h n =g a n 2 G r 1, …, r n 2 Z q

16 16 Creating Lossy TDFs (injective) h 1 r 1 g hnrn ghnrn g h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 if i =j A i,,j = h j r i g 1 else A i,,j = h j r i grngrn,g a 1  x i r i g x 1 g  x i r i,g a n  x i r i g x n y=  i x i r i

17 17 Creating Lossy TDFs (injective) h 1 r 1 g hnrn ghnrn g h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 if i =j A i,,j = h j r i g 1 else A i,,j = h j r i grngrn Use a i ’s to recover x i ’s,g a 1 y g x 1 gygy,g a n y g x n y=  i x i r i

18 18 Creating Lossy TDFs (lossy) h1r1h1r1 hnrnhnrn h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 A i,,j = h j r i grngrn,g a 1 y gygy g a n y Only lg(q) bits of information ) n- lg(q) bits lost! DDH ) Key Indist. y=  i x i r i

19 19 Learning With Error Realization Reduce to Learning w/ Error Lattices [R05] Similar Structure Challenge: Extra bits leaked

20 20 Building A Trapdoor Function Use Lossy-TDF with Injective Keys PK: f inj ( * ) TD Correctness: Direct Security ??

21 21 Security for (Injective) TDF f( ) f( x ) x’ x Adv. wins iff x’=x

22 22 Sequence of Game Proofs Define Games: Game-1, …, Game-N Game-1 is actual security game Properties 1)Game-i  c Game-i+1 2)Advantage(Game-N)  0 (info theoretic)

23 23 Proving Non-Invertability f lossy ( ) f inj ( ) f inj ( x ) x’ Game-1 Game-2 Key Indist. Game-2: 9 ¼ 2 k z s.t. f losssy (x) = f lossy (z) ) negl. advantage Big Idea: Challenge over Public Key Type! x f lossy ( x ) Adv. wins iff x’=x

24 24 CCA Security[RS91] PK SK “Meet me at 8 –Bob” “a7%($,..” ? “Meet me …” Practical: B[98] Attack on RSA PKCS#1

25 25 Chosen Ciphertext Security (CCA-1) PK M 0, M 1 Enc(PK,M b )=CT* b Wins if b’=b b’ CT i Dec(CT i )

26 26 Preventing CCA Attacks Non-Interactive Zero Knowledge (NIZK) [NY90,RS91,DDN91, CS98,S99, CS02, ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices) Theme: Decryptor not recover r

27 27 “Witness Recovering” Encryption E(M,r) M PK: E(*,*) SK Message: M Randomness: r r “Re-encrypt” to test

28 28 All-but-One (ABO) TDF g b* ( *,* ) TD b* Generate “lossy branch” b* x x’ g b* (b=b*,x ) x x’ g b* (b  b*,x ) Correctness: g -1 (TD, b, g b* (b  b*, x)) = x Security: Lossy Branch indist.

29 29 CCA-1 Enc. KeyGen PubKey: SK: f inj ( * ) TD f, d (extractor seed) Enc(M,PK) x, e CT = e, C 1 = f inj (x), C 2 =g b* (e,x), C 3 = M © Ext(x, d) Dec(CT,SK) 1) x’ = f -1 (C 1 ) g b* (*,*) TD g 3) M= C 3 © Ext(x’,d) 2) Re-encrypt with x’

30 30 Chosen Ciphertext Security f lossy ( ) f inj ( ) Game-1 Game-2 Probabilistic Wins if b’=b Game-5: Ext(x,d) ¼ Uniform | g(b*,x), f lossy (x) ) negl. advantage M 0, M 1 Enc(PK,M b )=CT*=(e*,…) b b’ Game-3 Hidden Branch Game-4 Equivalent Game-5 Key Indist. g b* (*,*)g e* (*,*) Game-2: Reject sigs from e*Game-3: Lossy Branch = e*Game-4: Decrypt with ABO keyGame-5: Make key Lossy CT i Dec(CT i )

31 31 Full CCA Security  Queries before and after challenge CT  Sign CT with One-Time Signature

32 32 Conclusions First TDFs w/o factoring First CCA from lattices Main Ideas: Loose Information Simulator changes parameters

33 33 Future Directions  Lossy TDF as a general tool OT Collision Resistant Hash  Applications of Lossy Idea  General Realizations?

34 34 THE END

35 35 CCA Enc KeyGen PubKey: SK: f inj ( * ) TD f, d (extractor seed) Enc(M,PK) x, ( VK, SigSK ) CT = VK, C 1 = f inj (x), C 2 =g b* (VK,x), C 3 = M © Ext(d, x),  = Sig(SK Sig, (C 1 …C 3 )) Dec(CT,SK) 2) x’ = f -1 (C 1 ) g b* (*,*) TD g 1) Check  4) M= C 3 © Ext(x’,d) 3) Re-encrypt with x’

36 36 Chosen Ciphertext Security f lossy ( ) f inj ( ) M 0, M 1 Enc(PK,M b )=CT* Game-1 Game-2 Signature Wins if b’=b Game-5: Ext(x,d) ¼ Uniform | g(b*,x), f lossy (x) ) negl. advantage b b’ CT i  CT*=(VK*…) Dec(CT_i) Game-3 Hidden Branch Game-4 Equivalent Game-5 Key Indist. g b* (*,*)g VK* (*,*) Game-2: Reject sigs from VK*Game-3: Lossy Branch = VK*Game-4: Decrypt with ABO keyGame-5: Make key Lossy

Download ppt "1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
7. Asymmetric encryption-

7. Asymmetric encryption-
Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Lattice-Based Cryptography

Lattice-Based Cryptography
Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Similar presentations

Ads by Google