1 lossy trapdoor functions and their applications brent waters sri international chris peikert sri...
TRANSCRIPT
1
Lossy Trapdoor Functions and Their Applications
Brent WatersSRI International
Chris PeikertSRI International
2
Trapdoor Functions (TDF) [DH76]
f(x)
x
PK: f( * ) TD
Receiver recovers all input
Input = x
3
Some Uses of TDFs
Public Key Encryption (PKE)
NIZKs [BFM88]
PKE against active attackers•CCA-security [NY90,DDN91]
4
PKE TDF
E(M,r)
M
PK: E(*,*) SK
Message: MRandomness: r
r
Input not recovered. Not a TDF!
5
Building TDFs from PKE (a failure)
E(x,x)
x
PK: E(*,*) SK
Input: x
Insecure! BB-Impossible [GMR05]
6
Trapdoor Function Candidates
•Factoring (e.g. RSA, QR)
•Cyclic Groups (e.g. DDH)
•Linear equations (lattices)
Large Scale Quantum Attacks?
7
This Talk
•First “non-native” TDF constructions
•New CCA-secure cryptosystems
DDH
TDF CCA-Enc
Lattices
Factoring
[CS98]
[NY90, DDN91]
[RSA78]
[PW07]
[PW07] [PW07]
[PW07]
8
This Talk
Lossy TDFs
How to build them
Injective Trapdoor Functions
CCA-secure Encryption
9
Lossy TDFs: A Tale of Two Keys
xPK: f( * )
TDInjective Keys
x’
finj( )
x
TDLossy Keys
x’
flossy( )PK: f( * )
10
Properties
1)Injective:
• 8 x,x’ finj( x ) finj( x’ )
• f-1 (TD, finj( x )) = x
2) Lossy:
• n input size
• r < n residual leakage (range < 2r)
• k = n-r lossiness
11
Key-Type Indist.
Attacker cannot tell key-type
Injective
Lossy
Prob. < ½ + negl.
?
12
Homomorphic Encryption
E(a) © E(b) = E(a+b) c¢ E(a) = E(c
¢a)El Gamal’
PK: ga
CT: gr , gargm
(gr1, gar1gm1) © (gr2, gar2gm2) = (gr 1 +r2, ga(r1+r2) gm1+m2)
13
Creating Lossy TDFs
E(1)
E(1)
E(1)
E(0)
E(0)
E(0)x1 xn
=
E(x1) E(xn)
Injective: Encrypt Identity Matrix
Evaluate: Matrix Multiplication
E(0)
14
Creating Lossy TDFs
E(0)
E(0)
E(0)
E(0)
E(0)
E(0)x1 xn
=
E(0) E(0)
Lossy: Encrypt Zero Matrix
E(0)
Msg. output independent of input , but …
15
DDH-Construction
Group G order q
Input size: n > 3 lg(q)
Pick:
g, h1= ga1 , … , hn=gan 2 G
r1, … , rn 2 Zq
16
Creating Lossy TDFs (injective)
h1r1 g
hnrn g
h1r2
h1rn
hnr1
x1 xn
=h2
r1gr1
if i =j Ai,,j = hjri g1
else Ai,,j = hjri
grn
,g a1 x
iri gx1g x
iri ,g a
n xiri gxn
y=i xi ri
17
Creating Lossy TDFs (injective)
h1r1 g
hnrn g
h1r2
h1rn
hnr1
x1 xn
=h2
r1gr1
if i =j Ai,,j = hjri g1
else Ai,,j = hjri
grnUse ai’s to recover xi’s
,ga1 y gx1gy ,g a
n y gxny=i xi ri
18
Creating Lossy TDFs (lossy)
h1r1
hnrn
h1r2
h1rn
hnr1
x1 xn
=h2
r1gr1
Ai,,j = hjri
grn
,g a1 y gy g an y
Only lg(q) bits of information )
n- lg(q) bits lost!
DDH ) Key Indist.
y=i xi ri
19
Learning With Error Realization
•Reduce to Learning w/ Error
•Lattices [R05]
•Similar Structure
•Challenge: Extra bits leaked
20
Building A Trapdoor Function
Use Lossy-TDF with Injective Keys
PK: finj( * ) TD
Correctness: Direct
Security ??
21
Security for (Injective) TDF
f( )
f( x )
x’x
Adv. wins iff x’=x
22
Sequence of Game Proofs
• Define Games: Game-1 , … , Game-N
•Game-1 is actual security game
Properties
1) Game-i c Game-i+1
2) Advantage(Game-N) 0 (info theoretic)
23
Proving Non-Invertability
flossy( )finj( )
finj( x )
x’
Game-1
Game-2
Key Indist.
Game-2: 9 ¼ 2k z s.t. flosssy(x) = flossy(z)
) negl. advantage
Big Idea: Challenge over Public Key Type!
xflossy( x )
Adv. wins iff x’=x
24
CCA Security[RS91]
PK SK“Meet me
at 8 –Bob”
“a7%($,..”
?
“Meet me …”
Practical: B[98] Attack on RSA PKCS#1
25
Chosen Ciphertext Security (CCA-1)
PK
M0, M1
Enc(PK,Mb)=CT*b
Wins if b’=b b’
CTi
Dec(CTi)
26
Preventing CCA Attacks
Non-Interactive Zero Knowledge (NIZK)
[NY90,RS91,DDN91, CS98,S99, CS02, ES02]
CT = Enc(M,r) + NIZK
Decrypt: 1) Check NIZK
2) Decrypt
•Factoring (RSA)
•Cyclic Groups (DH)
•Linear equations (lattices)
Theme: Decryptor not recover r
27
“Witness Recovering” Encryption
E(M,r)
M
PK: E(*,*) SK
Message: MRandomness: r
r
“Re-encrypt” to test
28
All-but-One (ABO) TDF
gb*( *,* )
TDb*
Generate “lossy branch” b*
xx’
gb*(b=b*,x )
xx’
gb*(b b*,x )
Correctness: g-1(TD, b , gb*(b b*, x)) = x
Security: Lossy Branch indist.
29
CCA-1 Enc.
KeyGen PubKey:
SK:
finj( * )
TDf
, d (extractor seed)
Enc(M,PK)
x, e
CT = e, C1= finj(x) , C2=gb*(e,x) , C3= M © Ext(x, d)
Dec(CT,SK)1) x’ = f-1(C1)
gb*(*,*)
TDg
3) M= C3 © Ext(x’,d)
2) Re-encrypt with x’
30
Chosen Ciphertext Security
flossy( )finj( )Game-1
Game-2
Probabilistic
Wins if b’=b
Game-5: Ext(x,d) ¼ Uniform |
g(b*,x), flossy(x) ) negl. advantage
M0, M1
Enc(PK,Mb)=CT*=(e*,…)b
b’
Game-3Hidden Branch
Game-4Equivalen
t
Game-5
Key Indist.
gb*(*,*)ge*(*,*)
Game-2: Reject sigs from e*Game-3: Lossy Branch = e*Game-4: Decrypt with ABO keyGame-5: Make key Lossy
CTi
Dec(CTi)
31
Full CCA Security
Queries before and after challenge CT
Sign CT with One-Time Signature
32
Conclusions
•First TDFs w/o factoring
•First CCA from lattices
Main Ideas:
•Loose Information
•Simulator changes parameters
33
Future Directions
Lossy TDF as a general tool•OT•Collision Resistant Hash
Applications of Lossy Idea
General Realizations?
34
THE END
35
CCA Enc
KeyGen PubKey:
SK:
finj( * )
TDf
, d (extractor seed)
Enc(M,PK)
x, ( VK, SigSK )
CT = VK, C1= finj(x) , C2=gb*(VK,x) , C3= M © Ext(d, x),
= Sig(SKSig, (C1…C3))
Dec(CT,SK)
2) x’ = f-1(C1)
gb*(*,*)
TDg
1) Check
4) M= C3 © Ext(x’,d)
3) Re-encrypt with x’
36
Chosen Ciphertext Security
flossy( )finj( )
M0, M1
Enc(PK,Mb)=CT*
Game-1
Game-2
Signature
Wins if b’=b
Game-5: Ext(x,d) ¼ Uniform |
g(b*,x), flossy(x) ) negl. advantage
b
b’
CTi CT*=(VK*…)Dec(CT_i)
Game-3Hidden Branch
Game-4Equivalen
t
Game-5
Key Indist.
gb*(*,*)gVK*(*,*)
Game-2: Reject sigs from VK*Game-3: Lossy Branch = VK*Game-4: Decrypt with ABO keyGame-5: Make key Lossy