Definition and applications
Lossy Trapdoor Functions

Lossy Trapdoor Functions
Definition [PW08]
Invertible: $(pk, sk) \leftarrow Gen(1^k)$, $F_{pk}(\cdot): D \to R$, $F^{-1}_{pk}(sk, \cdot)$
Lossy: $pk' \leftarrow Gen'(1^k)$, $F_{pk'}(\cdot): D \to R' \subset R$
$pk \approx_c pk'$

Lossy Trapdoor Functions
Implications
LTDF [PW08]
TDF
IND-CPA
Det. Enc. [BFO08] (New!)
Hedged Enc. [BB+09] (New!)
Others …
[BKPW12] What about the IB setting?

Lossy Trapdoor Functions
Constructing a primitive
Setup, Encrypt, Decrypt
Gen, $Eval_{pk}$, Invert
Setup, Encrypt, Decrypt?
Gen', $Eval_{pk'}$
Game 1, Game 2
Secure!
C hides M!
IND

Working towards a definition
Identity-Based Lossy Trapdoor Function [BKPW12]

Identity-Based Lossy Trapdoor Functions
IBE - Functionality
IBE [Sha84,BF01] consists of:
$(mpk, msk) \leftarrow MKGen$
$sk_{ID} \leftarrow KGen(msk, ID)$
$C \leftarrow Enc(mpk, ID, M)$
$M \leftarrow Dec(mpk, sk_{ID}, C)$
Constructed with an IB-LTDF uses:
$(mpk, msk) \leftarrow MKGen$
$sk_{ID} \leftarrow KGen(msk, ID)$
$F_{mpk,ID}(\cdot)$
$F^{-1}_{mpk,ID}(sk_{ID}, \cdot)$

Identity-Based Lossy Trapdoor Functions
Functional requirements
$(mpk, msk) \leftarrow MKGen(1^k)$
$sk_{ID} \leftarrow KGen(msk, ID)$
Invertible, from $D$ to $R$:
$F_{mpk,ID_1}(\cdot)$, $F^{-1}_{mpk,ID_1}(sk_{ID_1}, \cdot)$
$F_{mpk,ID_2}(\cdot)$, $F^{-1}_{mpk,ID_2}(sk_{ID_2}, \cdot)$
$F_{mpk,ID_3}(\cdot)$, $F^{-1}_{mpk,ID_3}(sk_{ID_3}, \cdot)$

Identity-Based Lossy Trapdoor Functions
IBE – Security Game / Reduction
$(mpk, msk) \leftarrow MKGen$
$sk_{ID} \leftarrow KGen(msk, ID)$
Game messages: $mpk$; $ID$, $sk_{ID}$; $ID^*$, $M_1, M_2$; $b \leftarrow_R \{0,1\}$, $C \leftarrow Enc(mpk, ID^*, M_b)$; $ID$, $sk_{ID}$; $b^*$
$Adv(\ ) = \Pr[b = b^*] - 1/2$
Using IB-LTDF
$(mpk', msk') \leftarrow MKGen'$
$sk'_{ID} \leftarrow KGen'(msk', ID)$
$F_{mpk,ID^*}(\cdot)$, $F_{mpk',ID^*}(\cdot)$
can try to invert $F_{mpk',ID}(\cdot)$.
$F_{mpk',ID^*}(\cdot)$ should be lossy

Identity-Based Lossy Trapdoor Functions
Towards defining sec. requirements
Invertible / Lossy
$(mpk, msk) \leftarrow MKGen$, $sk_{ID} \leftarrow KGen(msk, ID)$:
$F_{mpk,ID}(\cdot)$, $F^{-1}_{mpk,ID}(sk_{ID}, \cdot)$
$(mpk', msk') \leftarrow MKGen'$, $sk_{ID} \leftarrow KGen'(msk', ID)$:
$F_{mpk',ID_1}(\cdot)$, $F_{mpk',ID_3}(\cdot)$
$F_{mpk',ID_2}(\cdot)$, $F^{-1}_{mpk',ID_2}(sk_{ID_2}, \cdot)$
Sets in the diagram: $D$, $R$, $R'$
Sec. Requirement?

Identity-Based Lossy Trapdoor Functions
[BKPW12] limitations
LTDF [PW08]
IB-LTDF (S) [BKPW12]
TDF (New!)
IND-CPA
Det. Enc. [BFO08] (New!) (New!)
Hedged Enc. [BB+09] (New!) (New!)
Others … hopefully

Identity-Based Lossy Trapdoor Functions
[BKPW12] limitations
LTDF [PW08]
IB-LTDF (S) [BKPW12]
IB-LTDF (A) [BKPW12]
TDF (New!) (New!)
IND-CPA ?
Det. Enc. [BFO08] (New!) (New!) ?
Hedged Enc. [BB+09] (New!) (New!) ?
Others … hopefully ?

New Definition and Hierarchical Extension
Identity-Based Lossy Trapdoor Function

Identity-Based Lossy Trapdoor Functions
Our definition (I)
I: $(mpk[I], msk[I])$, $sk_{ID}[I] \leftarrow KGen[I]$
L: $(mpk[L], msk[L])$, $sk_{ID}[L] \leftarrow KGen[L]$
$F_{mpk[L],ID^*}(\cdot)$ has small range
$F_{mpk[L],ID}(\cdot)$ has full range
Diagram labels: $ID^*$, $ID$, $b^*$; $mpk$, $sk_{ID}$
Real Experiment: $mpk[I]$, $sk_{ID}[I]$
Lossy Experiment: $mpk[L]$, $sk_{ID}[L]$
Outputs 1 iff $b^* = 1$ and $ID^*$ is lossy and $ID$ are injective
$Adv(\ ) = \Pr[\text{RealEXP outputs } 1] - \Pr[\text{LossyEXP outputs } 1]$

Identity-Based Lossy Trapdoor Functions
Our definition (II)
$ID^*$ is lossy and $ID$ are injective
Extra Cond. #1: $\Pr[ID^* \text{ is lossy and } ID \text{ are injective}]$ big enough
Extra Cond. #2: indep. from guess

Identity-Based Lossy Trapdoor Functions
[EHLR14] implications
LTDF [PW08]
IB-LTDF (S) [EHLR14]
IB-LTDF (A) [EHLR14]
TDF
IND-CPA
Det. Enc. [BFO08] (New!) (New!)*
Hedged Enc. [BB+09] (New!) (New!)
Others … hopefully hopefully
*Also in [XXZ12]

Identity-Based Lossy Trapdoor Functions
[EHLR14] implications
LTDF [PW08]
IB-LTDF (S) [EHLR14]
IB-LTDF (A) [EHLR14]
HIB-LTDF (S,A) [EHLR14]
TDF (New!)
IND-CPA
Det. Enc. [BFO08] (New!) (New!)* (New!)
Hedged Enc. [BB+09] (New!) (New!) (New!)
Others … hopefully hopefully hopefully
*Also in [XXZ12]
Using [CHK03]…
[EHLR14] Forward Secure Det. Enc. (New!)
[EHLR14] Forward Secure Hedged Enc. (New!)

Construction
Identity-Based Lossy Trapdoor Function

Identity-Based Lossy Trapdoor Functions
Our construction
• Construction similar to [PW08]
o Matrix-vector paradigm
• Building block: a new Hierarchical Predicate Encryption
o Hidden Predicate defines Injective or Lossy
• To evaluate the function for an identity:
1. Homomorphically evaluate the Predicate for the Identity
2. Obtain a matrix of HIBE ciphertexts
3. Compute the matrix-vector product in the exponent

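
The matrix-vector paradigm that the construction takes from [PW08], as an added example (not code from the talk or the paper): a toy DDH-style lossy trapdoor function whose public key is a matrix of ElGamal-style ciphertexts encrypting the identity matrix (injective) or the zero matrix (lossy), evaluated as a matrix-vector product in the exponent. The parameters P, Q, G, N and all function names are constructed for illustration and are far too small to be secure; the identity-based layer (predicate evaluation, HIBE ciphertexts) is not modelled.

```python
# Toy [PW08]-style lossy trapdoor function (added illustration, not the talk's code).
# Constructed parameters: far too small to be secure.
import secrets
from itertools import product

P, Q, G = 2039, 1019, 4   # P = 2Q + 1; G generates the subgroup of prime order Q
N = 12                    # input bits; 2**N > Q, so lossy mode must collide

def gen(lossy=False):
    """Return (pk, sk): pk encrypts the identity matrix (injective mode)
    or the zero matrix (lossy mode) entry by entry, ElGamal style."""
    z = [secrets.randbelow(Q) for _ in range(N)]   # trapdoor: one exponent per column
    r = [secrets.randbelow(Q) for _ in range(N)]   # one randomiser per row, shared by its columns
    c1 = [pow(G, ri, P) for ri in r]               # g^{r_i}
    c2 = [[pow(G, ri * zj + (1 if i == j and not lossy else 0), P)
           for j, zj in enumerate(z)]              # h_j^{r_i} * g^{m_ij}, with h_j = g^{z_j}
          for i, ri in enumerate(r)]
    return (c1, c2), z

def evaluate(pk, x):
    """Matrix-vector product in the exponent: multiply the rows selected by the bits of x."""
    c1, c2 = pk
    y0, ys = 1, [1] * N
    for i, bit in enumerate(x):
        if bit:
            y0 = y0 * c1[i] % P
            ys = [y * c % P for y, c in zip(ys, c2[i])]
    return (y0, *ys)

def invert(sk, y):
    """Injective mode only: y_j / y0^{z_j} equals g^{x_j}, so compare it with 1."""
    y0, ys = y[0], y[1:]
    return tuple(0 if yj * pow(pow(y0, zj, P), -1, P) % P == 1 else 1
                 for yj, zj in zip(ys, sk))

def image_size(pk):
    """Count distinct outputs over all 2**N inputs (feasible only at toy size)."""
    return len({evaluate(pk, x) for x in product((0, 1), repeat=N)})

if __name__ == "__main__":
    pk, sk = gen()
    lossy_pk, _ = gen(lossy=True)
    x = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0)
    print("inverted correctly:", invert(sk, evaluate(pk, x)) == x)
    print("injective image size:", image_size(pk), "of", 2 ** N)
    print("lossy image size:", image_size(lossy_pk), "(at most Q =", Q, ")")
```

In lossy mode every output is determined by the single exponent $\sum_i r_i x_i \bmod Q$, which is why the image can never exceed Q elements however long the input is.
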
Conclusion
Identity-Based Lossy Trapdoor Function

Identity-Based Lossy Trapdoor Functions
Our contributions
• We give a new definition
• We give a hierarchical extension of the definition
• Our definition implies new primitives with adaptive security:
o One-way HIB Trapdoor Functions
o HIB Deterministic Encryption
o HIB Hedged Encryption
o Forward Secure Deterministic Encryption
o Forward Secure Hedged Encryption
• We give a construction which satisfies the extended definition

THANK YOU!