
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Petros Mol, Scott Yilek. PKC 2010. UC San Diego. May 27, 2010.


Presentation Transcript


  1. Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions
     Petros Mol, Scott Yilek. PKC 2010. UC San Diego. May 27, 2010.

  2. Security for Public-Key Encryption
     [Diagram: server, client, insecure channel; keys pk and (pk, sk)]
     • Ideally: protect against all possible attacks.
     • Modeling all possible attacks is hard (if possible at all).
     • For PKE: security against adaptive chosen-ciphertext attacks ([Rackoff, Simon 91]).

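  3. Chosen-Ciphertext Security (PKE): Π = (KeyGen, Enc, Dec)
     [Game diagram]
     • $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$; $pk$ is handed over.
     • Decryption queries $c_i$ are answered with $m_i = \mathrm{Dec}(sk, c_i)$.
     • $b \xleftarrow{\$} \{0,1\}$; $c^* = \mathrm{Enc}(pk, b)$.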

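  4. Chosen-Ciphertext Security (PKE): Π = (KeyGen, Enc, Dec)
     [Game diagram, continued]
     • $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$; $b \xleftarrow{\$} \{0,1\}$; $pk, c^*$ are handed over.
     • Decryption queries $c_i \neq c^*$ are answered with $m_i = \mathrm{Dec}(sk, c_i)$.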

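  5. Chosen-Ciphertext Security (PKE): Π = (KeyGen, Enc, Dec)
     [Game diagram, continued]
     • $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$; $b \xleftarrow{\$} \{0,1\}$; $pk, c^*$ are handed over; the guess $b'$ is returned.
     • Security against CCA attacks: for all efficient adversaries, $|\Pr[b' = b] - 1/2| = \mathrm{negl}(n)$.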

  6–7. CCA-Secure Encryption (overview)
     [Timeline: 1991, 1998, 2002, 2004, 2006, 2008, 2009]
     • Generic constructions: [DDN 91] Enhanced TDPs; [CS 02] UHPS; [CHK 04] IBE; [PW08] LTDFs; [RS09] Correlated inputs.
     • Concrete instantiations: [CS98] DDH; [BCHK 06] BCDH; [CKS08] CDH; [HK09] Factoring.

  8. Lossy Trapdoor Functions [PW08]: $\mathcal{F} = (G, F, F^{-1})$, an $(n, l)$-lossy TDF
     • Injective mode: $(s_{inj}, t) \leftarrow G(inj)$; $F(s_{inj}, \cdot)$ is 1-1 on $\{0,1\}^n$ and is inverted by $F^{-1}(t, \cdot)$.
     • Lossy mode: $(s_{loss}, \bot) \leftarrow G(loss)$; $|\mathrm{Img}(F(s_{loss}, \cdot))| = 2^{n-l}$.
     • Computational requirement (shown between the two modes).

  9. CCA-PKE from LTDFs & Correlated Inputs (generic constructions)
     • [Peikert, Waters 08]: $(n, n(1-o(1)))$ LTDFs → All-But-One TDFs → CCA-secure PKE
     • [Rosen, Segev 09]: $(n, n(1-o(1)))$ LTDFs → Correlated input OWFs → CCA-secure PKE
     • This work: $(n, 1/\mathrm{poly}(n))$ LTDFs → Correlated input OWFs → CCA-secure PKE

  10. Rest of talk
     • OW under Correlated Inputs and the Rosen-Segev Construction
     • CCA-security from Slightly LTDFs
     • A Slightly LTDF based on Modular Squaring
     • Conclusions

  11. One-Wayness Under Correlated Inputs
     $\mathcal{F} = (G, F)$: family of efficiently computable functions.
     [Def] (w-wise product)
     • Generation: $f_1, f_2, \dots, f_w \leftarrow G_w$
     • Evaluation: $(x_1, x_2, \dots, x_w) \mapsto (f_1(x_1), f_2(x_2), \dots, f_w(x_w))$
     • One-wayness: $\mathcal{F}$ is one-way under $C_w$-correlated inputs if for all PPT adversaries $A$,
       $\Pr[A(f_1, \dots, f_w, f_1(x_1), \dots, f_w(x_w)) = (x_1, \dots, x_w)]$ is negligible, where $(x_1, \dots, x_w) \sim C_w$.

  12–14. Rosen-Segev Simplified construction
     Components:
     • $\mathcal{F} = (G, F, F^{-1})$: injective TDFs, OW under $C_w$-correlated inputs
     • Π = (Kg, Sign, Ver): one-time signature scheme
     • $h$: hardcore predicate for $\mathcal{F}$ under $C_w$-correlated inputs
     The Construction: E = (KeyGen, Enc, Dec)
     • KeyGen (using $G$): $pk = (f_{1,0}, f_{1,1}, \dots, f_{w,0}, f_{w,1})$, $sk = (t_{1,0}, t_{1,1}, \dots, t_{w,0}, t_{w,1})$
     • Enc: $x = (x_1, \dots, x_w) \leftarrow C_w$; $(VK, SK) \leftarrow \mathrm{Kg}$ with $VK = VK_1 \dots VK_w \in \{0,1\}^w$; $y_i = f_{i,VK_i}(x_i)$
       $c_1 = b \oplus h(f_{1,VK_1}, \dots, f_{w,VK_w}, x)$
       $c_2 = \mathrm{Sign}(SK, y_1, \dots, y_w, c_1)$
       Ciphertext: $(VK, y_1, \dots, y_w, c_1, c_2)$

  15. Rosen-Segev Simplified construction
     For the CCA proof: 2 requirements from $C_w$
     • Hardness assumption: $\mathcal{F}$ should be OW under $C_w$
     • Almost perfect simulation of decryption: $(x_1, \dots, x_w)$ reconstructable from any $x_i$
     $C_w$: $x_1 = x_2 = \dots = x_w$ (w-repetition distribution)
     Instantiation ([RS09]): $(n, n(1-1/w))$-lossy TDFs → OW under w-repetition

  16–18. Rosen-Segev Generalized construction
     Additional component: ECC: $\Sigma^k \to \Sigma^w$ with distance $d$
     The Construction: E = (KeyGen, Enc, Dec)
     • KeyGen: $pk = (f_{1,0}, \dots, f_{1,|\Sigma|-1}, \dots, f_{w,0}, \dots, f_{w,|\Sigma|-1})$, $sk = (t_{1,0}, \dots, t_{1,|\Sigma|-1}, \dots, t_{w,0}, \dots, t_{w,|\Sigma|-1})$
     • Enc: $(VK, SK) \leftarrow \mathrm{Kg}$, $VK \in \Sigma^k$; $\mathrm{ECC}(VK) = \sigma_1 \dots \sigma_w \in \Sigma^w$; $x = (x_1, \dots, x_w) \leftarrow C_w$; $y_i = f_{i,\sigma_i}(x_i)$
       $c_1 = b \oplus h(f_{1,\sigma_1}, \dots, f_{w,\sigma_w}, x)$
       $c_2 = \mathrm{Sign}(SK, y_1, \dots, y_w, c_1)$
       Ciphertext: $(VK, y_1, \dots, y_w, c_1, c_2)$

  19. Rosen-Segev Generalized construction
     Required properties for $C_w$:
     • Hardness assumption: $\mathcal{F}$ should be OW under $C_w$
     • Almost perfect simulation of decryption: $(x_1, \dots, x_w)$ reconstructable from any $d$ distinct $x_i$ ($d$: distance of the ECC)
     Focus of this work: How much lossiness is required from $\mathcal{F}_{loss} = (G, F, F^{-1})$ in order for $\mathcal{F}_w$ to be OW under $C_w$?

  20. Talk Outline
     • OW under Correlated Inputs and the Rosen-Segev Construction
     • CCA-security from Slightly LTDFs
     • A Slightly LTDF based on Modular Squaring
     • Conclusions

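  21. Slightly LTDFs → CCA
     • $\mathcal{F}$ = $(n, l)$-lossy TDF with domain $\{0,1\}^n$
     • $(x_1, \dots, x_w) \sim C_w$ with $H_\infty(x_1, \dots, x_w) = \mu > w \cdot (n-l) + \omega(\log n)$
     [Lemma] If $\mathcal{F} = (G, F, F^{-1})$ is a family of $(n, l)$-lossy TDFs, then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided $H_\infty(C_w) = \mu \geq w(n-l) + \omega(\log n)$.
     Diagram:
     • $f_1, f_2, \dots, f_w \leftarrow G_{inj}$: $(f_1(x_1), f_2(x_2), \dots, f_w(x_w))$ has a unique preimage.
     • $f_1, f_2, \dots, f_w \leftarrow G_{loss}$: $(f_1(x_1), f_2(x_2), \dots, f_w(x_w))$ takes at most $2^{w(n-l)}$ values, so there are $2^{\omega(\log n)}$ many preimages.
     • The two cases are marked ≈.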

  22. (d,w)-subset reconstructable distribution
     • Property: all $w$ elements $x_1, x_2, \dots, x_{w-1}, x_w$ can be reconstructed from any $d$ distinct $x_i$'s ($x_{i_1}, x_{i_2}, \dots, x_{i_d}$).
     • Efficient sampling: $(d, w)$-threshold secret sharing scheme
     • Entropy: if $x_i \in \{0,1\}^n$, then $H_\infty(x_1, \dots, x_w) \approx d \cdot n$

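  23. Achieving High Entropy
     [Diagram: ECC maps $VK_1$, $VK_2$ (length $k$) to $\mathrm{ECC}(VK_1)$, $\mathrm{ECC}(VK_2)$ (length $w$)]
     • Desired property: if $VK_1 \neq VK_2$, then $\mathrm{ECC}(VK_1)$, $\mathrm{ECC}(VK_2)$ are "far apart"
     • Reed-Solomon codes: $d = w - k + 1$ (meet Singleton bound)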

  24. Putting the Pieces Together
     Illustration: CCA-security from $(n, 1)$-lossy TDFs
     • ECC: $[w, k, d = w-k+1]$ Reed-Solomon
     • Input distribution: $(d, w)$-subset reconstructable distribution
     • $k = n^{\varepsilon}$, $w = n^{\theta}$, where $\theta > 1 + \varepsilon$; $d = w - k + 1$
     [Lemma] If $\mathcal{F} = (G, F, F^{-1})$ is a family of $(n, l)$-lossy TDFs, then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided $H_\infty(C_w) = \mu \geq w(n-l) + \omega(\log n)$.
     Entropy: $d \cdot n > (w-k) \cdot n = w \cdot (n - kn/w) > w \cdot (n-1) + \omega(\log n)$
     $(n, 1)$-lossy TDFs imply CCA-security

  25. Summary: CCA from correlated inputs
     * Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

  26–27. From LTDFs to CCA-Security (generically)
     [Plot: amount of lossiness (bits) against hardness assumption]
     • DDH: $n(1-o(1))$
     • LWE: $cn$
     • Φ-hiding (RSA function): $\log e$
     • QR (mod squaring): $1$
     • Marked levels: [PW08, RS09] at $n(1-o(1))$; this work at $1/\mathrm{poly}(n)$

  28. Talk Outline
     • OW under Correlated Inputs and the Rosen-Segev Construction
     • CCA-security from Slightly LTDFs
     • A Slightly LTDF based on Modular Squaring
     • Conclusions

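  29. Slightly LTDF from 2vs3Primes
     Hardness assumption (2vs3Primes):
     • $2\mathrm{Primes}_n$: $N = pq$ with $p, q$ primes, $|N| = n$
     • $3\mathrm{Primes}_n$: $N' = pqr$ with $p, q, r$ primes, $|N'| = n$
     • $N \approx_c N'$
     The construction $\mathcal{F}$:
     • Sample injective: $N \leftarrow 2\mathrm{Primes}_{n+1}$; $s_{inj} = N$; $t = (p, q)$
     • Sample lossy: $N \leftarrow 3\mathrm{Primes}_{n+1}$; $s_{loss} = N$
     • Evaluate: $F: \{0,1\}^n \to \mathbb{Z}_N$, $F(N, x) = (x^2 \bmod N,\ (x > N/2),\ (J_N(x) = 1))$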

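  30. Slightly LTDF from 2vs3Primes
     [Theorem] Under the 2vs3Primes assumption, $\mathcal{F}$ is a family of $(n, 1/4)$-lossy TDFs.
     • Indistinguishability: immediate from the 2vs3Primes assumption
     • Invertibility: output $(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$, trapdoor $t = (p, q)$
       [Diagram: from $y$ and $t$, the square roots $x, -x, z, -z$; the bits $b_1$, $b_2$ narrow these down to $x$]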

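  31. Slightly LTDF from 2vs3Primes
     Lossiness ($N = pqr$), output $(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$
     [Diagram: $\{0,1\}^n$, $\mathbb{Z}_N$, 8-to-1]
     Number of outputs contributed by each part of the domain:
     • $\gcd(x, N) = 1$ and $x < N/2$: $\leq \varphi(N)/4$
     • $\gcd(x, N) > 1$ and $x < N/2$: $\leq (N - \varphi(N))/2$
     • $x \geq N/2$: $\leq 2^n - N/2$
     $|\mathrm{Img}(\{0,1\}^n)| \leq 2^{n - 1/4}$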
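
The function from slides 29 to 31 can be checked exhaustively on toy moduli. The following is an added example, not code from the talk or its authors: the moduli are constructed toy values, and the choice of primes congruent to 3 mod 4 (so that the two bits single out one square root) is an assumption that the slide text does not state.

```python
from itertools import product

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns -1, 0 or 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def F(N, x):
    """Slide 29: F(N, x) = (x^2 mod N, x > N/2, J_N(x) = 1)."""
    return (x * x % N, 2 * x > N, jacobi(x, N) == 1)

def image_size(N, n):
    """Number of distinct outputs of F(N, .) over the domain {0,1}^n."""
    return len({F(N, x) for x in range(2 ** n)})

def invert(p, q, y, b1, b2):
    """Invert with trapdoor t = (p, q). Assumes p = q = 3 (mod 4)."""
    N = p * q
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    for sp, sq in product((rp, p - rp), (rq, q - rq)):
        # CRT-combine one square root mod p with one mod q
        x = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N
        if F(N, x) == (y, b1, b2):
            return x
    raise ValueError("no preimage")

# Constructed toy parameters: n = 10, both moduli are (n+1)-bit numbers.
n = 10
P, Q = 31, 43            # injective mode: N = 1333
N_INJ = P * Q
N_LOSS = 7 * 11 * 19     # lossy mode: N = 1463

if __name__ == "__main__":
    print("injective image:", image_size(N_INJ, n), "of", 2 ** n)
    print("lossy image:    ", image_size(N_LOSS, n), "<=", 2 ** (n - 0.25))
    ok = all(invert(P, Q, *F(N_INJ, x)) == x for x in range(2 ** n))
    print("inversion correct on whole domain:", ok)
```

At this size the gap between the two modes is far larger than 1/4 bit because φ(N)/N is small for tiny primes; the slide's bound is the one that holds for cryptographic sizes.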

  32. Talk Outline
     • OW under Correlated Inputs and the Rosen-Segev Construction
     • CCA-security from Slightly LTDFs
     • A Slightly LTDF based on Modular Squaring
     • Conclusions

  33. Conclusions
     Summary
     • Slightly LTDFs are powerful.
     • Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.
     • Construction of a slightly LTDF from 2vs3Primes.
     Open Problems
     • CCA-security from new hardness assumptions (via slightly lossy TDFs)
     • Is small lossiness enough for BB construction of other primitives (for example CRHF)?
