Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia.

Presentation transcript:

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols
Seung Geol Choi, Columbia University
Joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), and Hoeteck Wee (CUNY, Queens College)

Outline
Motivation
Our Work
  – Our Contribution
  – NC-PKE from Trapdoor Simulatable PKE
  – Trapdoor Simulatable PKE from Factoring
Conclusion

Adversarial corruption in MPC
Semi-honest vs. malicious
  – corrupted parties behave honestly or arbitrarily
Number of corrupted parties
  – honest majority vs. dishonest majority
Static vs. adaptive [CFGN96]
  – corrupted parties are determined at the outset, or adaptively during the protocol
More realistic assumption on the adversary

Black-box construction of adaptively secure MPC with dishonest majority
[Diagram: MPC; adaptively secure oblivious transfer [IPS08]; (Aug.) NC-PKE [CLOS02, CDMW09]]
Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)?
  – Of theoretical interest
  – More efficient: avoid general NP reductions incurred by ZK proofs.

Non-Committing Encryption (NCE) [CFGN96]
Encryption that realizes a secure channel against an adaptive adversary
  – (Possibly interactive) encryption: (Gen, Enc, Dec)
  – with an additional property: SIM
SIM generates pairs (e, c) that open to 0 and to 1 (sender equivocal & receiver equivocal).
[Figure labels: Enc(0), Enc(1)]

Non-Committing Public Key Encryption (NC-PKE)
Two-round NCE
  – Bob sends his pk to Alice
  – Alice sends an encryption under pk to Bob
  – Desirable

Goal
Construct (Aug.) NC-PKE from lower primitives in a black-box manner.
[Diagram: MPC; adaptively secure oblivious transfer [IPS08]; (Aug.) NC-PKE [CLOS02, CDMW09]]

Known NCE Constructions [B97, DN00] [CFGN96]
[Diagram labels: NC-PKE; simulatable common-domain TDP; CDH; RSA; 3-round NCE; simulatable PKE; DDH; LWE [GPV08]]

Main Result
Construct NC-PKE from trapdoor simulatable PKE
  – Relaxed notion of simulatable PKE
  – First NC-PKE from LWE
Construct trapdoor simulatable PKE from hardness of factoring
  – First NC-PKE from factoring
[Diagram labels: trapdoor simulatable PKE; NC-PKE; simulatable common-domain TDP; CDH; RSA; 3-round NCE; simulatable PKE; DDH; LWE; Factoring]

Our Contribution
From LWE and factoring, first black-box constructions of
  – NC-PKE
  – Adaptively secure OT
  – Adaptively secure MPC with dishonest majority
[Diagram labels: MPC; Oblivious Transfer; [CLOS02, CDMW09]; [IPS08]; (Aug.) NC-PKE; LWE; Factoring; Trapdoor Simulatable PKE]

Simulatable PKE [DN00]
PKE (Gen, Enc, Dec) with additional properties
  – Property 1: Oblivious Sampling
      oGen: generates a random pk without learning about its sk
      oRndEnc: generates a random ciphertext without learning about its plaintext
  – E.g. ElGamal:
      key: (y = g^x, x) → pick random y in G
      Enc: (g^r, m·y^r) → pick random (c_1, c_2) from G

Simulatable PKE [DN00]
  – Property 2: Invertibility
      rGen. Input: a normally generated public key e. Output: randomness r_G s.t. oGen(r_G) = e
      rRndEnc. Input: a normally generated key and ciphertext (e, c). Output: randomness r_E s.t. oRndEnc(e, r_E) = c
  – E.g. ElGamal:
      key: y from (y = g^x, x) → output y
      Enc: y and (c_1, c_2) from (y, x) and (g^r, m·y^r) → output (c_1, c_2)
[Slide annotations: Trapdoor; + randomness for Gen; + randomness for Gen, Enc & plaintext]

NCE from (trapdoor) simulatable PKE
Need to construct SIM that generates ciphertexts that open to both 0 and 1.
General idea: SIM lies about obliviousness.
  – The protocol specifies that some pk's and ciphertexts should be generated obliviously.
  – SIM knows everything (all the pk's and ciphertexts are generated by normal Gen, Enc).
  – SIM: clever lies about the set of obliviously generated pk's and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.

Toy Construction [DN00, KO04] - 1
Key Gen: (pk_0, pk_1)
  – For a random x, pk_x ← Gen(), pk_{1-x} ← oGen()
Encryption of a bit b: (c_0, c_1)
  – For a random y, c_y ← Enc(b), c_{1-y} ← oEnc()
Decryption of (c_0, c_1):
  – Output Dec(sk_x, c_x)
[Figure: pk_0, pk_1 and c_0, c_1; if x = y the output is b, if x ≠ y the output is "?"]
Decryption error = ¼ (can reduce by repetitions)

Toy Construction [DN00, KO04] - 2
Secure for adaptive corruption of one party
  – Disclaimer: need to handle decryption error ¼
If both corrupted?
[Figure: Corrupt S: m = ; Corrupt R: m = ; Corrupt R: x is fixed (x = y); Corrupt S: No events such as]

The Idea to achieve NC-PKE
Summary of the toy construction
  – R knows half of the secret keys
  – Handles adaptive corruption of one party [KO04]
  – Cannot handle corruption of both parties: lack of freedom to simulate the party corrupted second.
To handle corruption of both parties
  – Raise the fraction of obliviousness
  – ¾ is good enough

The Construction
KeyGen: (e_1, …, e_{4k})
  – T: random set of size k; if x ∈ T, e_x ← Gen(), else e_x ← oGen()
Enc of b: (c_1, …, c_{4k})
  – S: random set of size k; if y ∈ S, c_y ← Enc(b^k), else c_y ← oEnc()
Dec of (c_1, …, c_{4k}):
  – If Dec(sk_T, c_T) contains 0^k, output 0. Else output 1.
[Figure: example with k = 2]
Decryption error = +
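
Added example (not from the slides): the 4k-slot construction above, instantiated with toy ElGamal as the simulatable PKE. The group (p = 2039), the two group elements standing in for 0^k and 1^k, and all function names are assumptions made here; miss_probability is this example's own calculation of Pr[S ∩ T = ∅], not a figure from the talk.

```python
import random
from fractions import Fraction
from math import comb

# Constructed toy parameters (insecure): safe prime P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4
MSG = {0: 4, 1: 16}   # assumption: two subgroup elements stand in for the strings 0^k and 1^k

def gen(rng):                      # Gen: normal key pair, secret key known
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk

def o_gen(rng):                    # oGen: random subgroup element, no secret key learned
    return pow(rng.randrange(1, P), 2, P)

def enc(pk, m, rng):               # Enc: ElGamal (g^r, m * y^r)
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(pk, r, P) % P

def o_enc(rng):                    # oEnc: random (c1, c2) from G, plaintext unknown
    return o_gen(rng), o_gen(rng)

def dec(sk, c):                    # c2 / c1^sk, using c1^Q = 1 in the subgroup
    return c[1] * pow(c[0], Q - sk, P) % P

def keygen(k, rng, T=None):        # 4k public keys; only the k slots in T have secret keys
    T = set(rng.sample(range(4 * k), k)) if T is None else set(T)
    pairs = [gen(rng) if i in T else (o_gen(rng), None) for i in range(4 * k)]
    pks = [pk for pk, _ in pairs]
    sks = {i: sk for i, (_, sk) in enumerate(pairs) if sk is not None}
    return pks, sks

def encrypt(pks, b, rng, S=None):  # real encryptions of b only in the k slots of S
    n = len(pks)
    S = set(rng.sample(range(n), n // 4)) if S is None else set(S)
    return [enc(pks[i], MSG[b], rng) if i in S else o_enc(rng) for i in range(n)]

def decrypt(sks, cts):             # output 0 iff some slot in T decrypts to the 0^k stand-in
    return 0 if any(dec(sk, cts[i]) == MSG[0] for i, sk in sks.items()) else 1

def miss_probability(k):           # Pr[S and T disjoint] = C(3k, k) / C(4k, k)
    return Fraction(comb(3 * k, k), comb(4 * k, k))
```

A disjoint S and T is the dominant error case for b = 0; miss_probability(k) is at most (3/4)^k, so it shrinks exponentially as k grows.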

Summary: NC-PKE from (trapdoor) simulatable PKE
Obliviousness
  – ¾ of keys and ciphertexts are generated obliviously.
  – Still, we get negligible decryption error by repetitions.
  – SIM can generate a pair (e, c) that opens to 0 and 1:
      keys and ciphertexts are generated normally;
      using (trapdoor) invertibility, fake on the obliviously generated sets.

Trapdoor Simulatable PKE from Factoring
There is a standard construction that achieves PKE from a trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f,
  – Gen() → (e, d): e = f, d = f^-1
  – Enc(b) → (f(x), r, (x · r) ⊕ b), where r, x are random.
Construct a TDP from hardness of factoring Blum integers (BI), with oblivious sampling and trapdoor invertibility.

Rabin's TDP for Blum Integers
Quadratic residues modulo a Blum integer N: QR_N = {y : y = x^2, x ∈ Z_N^*}
Rabin TDP
  – f: QR_N → QR_N
  – f(x) = x^2 mod N
  – Is based on the hardness of factoring assumption

Basic Idea: for Keys
Key generation: sample k^3 k-bit integers with factoring [Bach '88]
Encryption of b given keys (N_1, …, N_{k^3})
  – Enc_{N_1}(b_1), …, Enc_{N_{k^3}}(b_{k^3}) where b = b_1 ⊕ … ⊕ b_{k^3}
  – WHP, at least one N_i is a BI.
Oblivious sampling: easy (sample k^3 integers)
Trapdoor invertibility: easy

Basic Idea: for Ciphertexts
Change the TDP description slightly
  – Q_N = {a^(2^k) : a ∈ Z_N^*} where k = |N|
  – f: Q_N → Q_N, f(x) = x^(2^(k+1)) mod N
Oblivious sampling: easy (sample from Q_N)
Trapdoor invertibility: find a random 2^k-th root with factoring
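
Added example (not from the slides): oblivious sampling from Q_N and its trapdoor inversion as described above, for N = p·q with two distinct odd primes. Function names and the toy primes in the demo are assumptions; given the factors, random_root explains any y ∈ Q_N as if it had been sampled obliviously from randomness a.

```python
import random
from math import gcd

def odd_part(n):                       # n = 2^s * m with m odd; returns m
    while n % 2 == 0:
        n //= 2
    return n

def crt(rp, rq, p, q):                 # the x mod p*q with x = rp (mod p) and x = rq (mod q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sample_qn(N, rng):
    """Oblivious sampling: y = a^(2^k) mod N with k = |N|; a is the sampler's randomness."""
    k = N.bit_length()
    while True:
        a = rng.randrange(1, N)
        if gcd(a, N) == 1:
            return pow(a, 1 << k, N), a

def random_root(y, p, q, rng):
    """Trapdoor inversion: with the factors of N = p*q, a uniform a with a^(2^k) = y mod N."""
    k = (p * q).bit_length()
    parts = []
    for r in (p, q):
        m = odd_part(r - 1)
        w = pow(y, pow(1 << k, -1, m), r)    # the 2^k-th root of y mod r that has odd order
        s = pow(rng.randrange(1, r), m, r)   # uniform element of the 2-Sylow subgroup of Z_r^*
        parts.append(w * s % r)              # s^(2^k) = 1 mod r, so w*s is still a root
    return crt(parts[0], parts[1], p, q)

if __name__ == "__main__":
    p, q = 499, 547                          # constructed toy Blum primes (insecure sizes)
    N, rng = p * q, random.Random(0)
    y, a = sample_qn(N, rng)                 # y produced with known randomness a
    fake = random_root(y, p, q, rng)         # alternative randomness that also explains y
    print(a, fake, pow(fake, 1 << N.bit_length(), N) == y)
```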

From LWE and factoring, first black-box constructions of
  – NC-PKE
  – Adaptively secure OT
  – Adaptively secure MPC with honest minority
[Diagram labels: MPC; Oblivious Transfer; [CLOS02, CDMW09]; [IPS08]; (Aug.) NC-PKE; LWE; Factoring; Trapdoor Simulatable PKE]

Thank you