Lossy Trapdoor Functions and Their Applications. Brent Waters (SRI International), Chris Peikert (SRI International).

Presentation transcript:

1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International

2 Trapdoor Functions (TDF) [DH76]. PK: f(*), with trapdoor TD. Input = x, output f(x). Receiver recovers all input.

3 Some Uses of TDFs. Public Key Encryption (PKE). NIZKs [BFM88]. PKE against active attackers: CCA-security [NY90, DDN91].

4 PKE $\neq$ TDF. PK: E(*,*), with SK. Message: M. Randomness: r. Decrypting E(M,r) returns M but not r. Input not recovered. Not a TDF!

5 Building TDFs from PKE (a failure). PK: E(*,*), with SK. Input: x. Output: E(x,x). Insecure! BB-Impossible [GMR05].

6 Trapdoor Function Candidates. Factoring (e.g. RSA, QR). Cyclic Groups (e.g. DDH). Linear equations (lattices). Large Scale Quantum Attacks?

7 This Talk. First “non-native” TDF constructions. New CCA-secure cryptosystems. [Table: columns TDF, CCA-Enc; rows Factoring, DDH, Lattices; entries [RSA78], [NY90, DDN91], [CS98], [PW07].]

8 This Talk. Lossy TDFs. How to build them. Injective Trapdoor Functions. CCA-secure Encryption.

9 Lossy TDFs: A Tale of Two Keys. [Diagram: Injective Keys, PK: f(*) with TD, $f_{inj}(\cdot)$ on inputs x, x'; Lossy Keys, PK: f(*) with TD, $f_{lossy}(\cdot)$ on inputs x, x'.]

10 Properties. 1) Injective: $\forall x, x'$: $f_{inj}(x) \neq f_{inj}(x')$, and $f^{-1}(TD, f_{inj}(x)) = x$. 2) Lossy: $n$ = input size; $r < n$ = residual leakage (range $< 2^r$); $k = n - r$ = lossiness.

11 Key-Type Indist. Attacker cannot tell key-type: Injective or Lossy? Prob. < ½ + negl.

12 Homomorphic Encryption. $E(a) \oplus E(b) = E(a+b)$ and $c \cdot E(a) = E(c \cdot a)$. El Gamal': PK: $g^a$; CT: $(g^r, g^{ar} g^m)$. $(g^{r_1}, g^{a r_1} g^{m_1}) \oplus (g^{r_2}, g^{a r_2} g^{m_2}) = (g^{r_1 + r_2}, g^{a(r_1 + r_2)} g^{m_1 + m_2})$.

13 Creating Lossy TDFs. Injective: Encrypt Identity Matrix ($E(1)$ on the diagonal, $E(0)$ elsewhere). Evaluate: Matrix Multiplication with the input $(x_1, \ldots, x_n)$, giving $(E(x_1), \ldots, E(x_n))$.

14 Creating Lossy TDFs. Lossy: Encrypt Zero Matrix ($E(0)$ in every entry), multiplied with the input $(x_1, \ldots, x_n)$. Msg. output independent of input, but …

15 DDH-Construction. Group $G$ of order $q$. Input size: $n > 3 \lg(q)$. Pick: $g, h_1 = g^{a_1}, \ldots, h_n = g^{a_n} \in G$ and $r_1, \ldots, r_n \in \mathbb{Z}_q$.

16 Creating Lossy TDFs (injective). Row $i$ of the matrix is $(g^{r_i}, A_{i,1}, \ldots, A_{i,n})$, where $A_{i,j} = h_j^{r_i} g^1$ if $i = j$, else $A_{i,j} = h_j^{r_i}$. Multiplying with the input $(x_1, \ldots, x_n)$ gives $(g^{\sum_i x_i r_i},\ g^{a_1 \sum_i x_i r_i} g^{x_1},\ \ldots,\ g^{a_n \sum_i x_i r_i} g^{x_n})$, with $y = \sum_i x_i r_i$.

17 Creating Lossy TDFs (injective). Same matrix: row $i$ is $(g^{r_i}, A_{i,1}, \ldots, A_{i,n})$, where $A_{i,j} = h_j^{r_i} g^1$ if $i = j$, else $A_{i,j} = h_j^{r_i}$. Output: $(g^y,\ g^{a_1 y} g^{x_1},\ \ldots,\ g^{a_n y} g^{x_n})$, with $y = \sum_i x_i r_i$. Use $a_i$'s to recover $x_i$'s.

18 Creating Lossy TDFs (lossy). Row $i$ of the matrix is $(g^{r_i}, A_{i,1}, \ldots, A_{i,n})$ with $A_{i,j} = h_j^{r_i}$ for all $i, j$. Output: $(g^y,\ g^{a_1 y},\ \ldots,\ g^{a_n y})$, with $y = \sum_i x_i r_i$. Only $\lg(q)$ bits of information $\Rightarrow$ $n - \lg(q)$ bits lost! DDH $\Rightarrow$ Key Indist.
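Slides 15 to 18 as a toy implementation (an added example, not code from the talk). The group parameters p = 23, q = 11, g = 2, the input length n = 12 and all function names are constructed here and are far too small for security; the point is to see inversion with the a_j and the collapse of the lossy image to at most q values.

```python
import secrets
from itertools import product

# Constructed toy parameters, far too small for security:
# G generates the order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q, G = 23, 11, 2
N = 12  # input length in bits; slide 15 asks for n > 3 lg(q)

def keygen(lossy):
    """Return (pk, td): pk = (column of g^{r_i}, matrix A), td = exponents a_j."""
    a = [secrets.randbelow(Q) for _ in range(N)]
    r = [secrets.randbelow(Q) for _ in range(N)]
    col = [pow(G, ri, P) for ri in r]
    # A[i][j] = h_j^{r_i} = g^{a_j r_i}; injective keys multiply the diagonal by g.
    A = [[pow(G, a[j] * r[i], P) * (G if i == j and not lossy else 1) % P
          for j in range(N)] for i in range(N)]
    return (col, A), a

def evaluate(pk, x):
    """Multiply together the rows selected by the bits of x."""
    col, A = pk
    c0, c = 1, [1] * N
    for i, bit in enumerate(x):
        if bit:
            c0 = c0 * col[i] % P
            c = [cj * A[i][j] % P for j, cj in enumerate(c)]
    # Injective key: (g^y, g^{a_1 y} g^{x_1}, ...); lossy key: (g^y, g^{a_1 y}, ...)
    return (c0, *c)

def invert(td, out):
    """Strip g^{a_j y} from each component using a_j; what remains is g^{x_j}."""
    c0, *c = out
    return tuple(0 if cj * pow(c0, Q - aj, P) % P == 1 else 1
                 for cj, aj in zip(c, td))

def image_size(pk):
    """Count distinct outputs over all 2^N inputs."""
    return len({evaluate(pk, x) for x in product((0, 1), repeat=N)})

if __name__ == "__main__":
    pk, td = keygen(lossy=False)
    x = tuple(secrets.randbelow(2) for _ in range(N))
    print("round trip ok:", invert(td, evaluate(pk, x)) == x)
    print("injective image:", image_size(pk), "of", 2 ** N)
    print("lossy image:", image_size(keygen(lossy=True)[0]), "<=", Q)
```

With a lossy key every output is determined by y mod q, so 4096 inputs land on at most 11 outputs, while the injective key keeps all 4096 distinct.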

19 Learning With Error Realization. Reduce to Learning w/ Error Lattices [R05]. Similar Structure. Challenge: Extra bits leaked.

20 Building A Trapdoor Function. Use Lossy-TDF with Injective Keys. PK: $f_{inj}(*)$, with TD. Correctness: Direct. Security: ??

21 Security for (Injective) TDF. Adversary is given $f(\cdot)$ and $f(x)$ and outputs $x'$. Adv. wins iff $x' = x$.

22 Sequence of Game Proofs. Define Games: Game-1, …, Game-N. Game-1 is actual security game. Properties: 1) Game-i $\approx_c$ Game-i+1. 2) Advantage(Game-N) $\approx 0$ (info theoretic).

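23 Proving Non-Invertibility. Game-1: adversary is given $f_{inj}(\cdot)$ and $f_{inj}(x)$, outputs $x'$; Adv. wins iff $x' = x$. Game-2: adversary is given $f_{lossy}(\cdot)$ and $f_{lossy}(x)$. Game-1 to Game-2: Key Indist. Game-2: $\exists \approx 2^k$ values $z$ s.t. $f_{lossy}(x) = f_{lossy}(z)$ $\Rightarrow$ negl. advantage. Big Idea: Challenge over Public Key Type!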

24 CCA Security [RS91]. [Diagram: PK, SK; plaintext “Meet me at 8 –Bob”; ciphertext “a7%($,..”; attacker “?”; “Meet me …”.] Practical: [B98] Attack on RSA PKCS#1.

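25 Chosen Ciphertext Security (CCA-1). Attacker is given PK. Decryption queries: $CT_i$, answered with $Dec(CT_i)$. Challenge: attacker submits $M_0, M_1$ and receives $CT^* = Enc(PK, M_b)$. Attacker outputs $b'$. Wins if $b' = b$.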

26 Preventing CCA Attacks. Non-Interactive Zero Knowledge (NIZK) [NY90, RS91, DDN91, CS98, S99, CS02, ES02]. CT = Enc(M,r) + NIZK. Decrypt: 1) Check NIZK. 2) Decrypt. Factoring (RSA). Cyclic Groups (DH). Linear equations (lattices). Theme: Decryptor does not recover r.

27 “Witness Recovering” Encryption. PK: E(*,*), with SK. Message: M. Randomness: r. Decrypting E(M,r) returns both M and r. “Re-encrypt” to test.

28 All-but-One (ABO) TDF. Generate with “lossy branch” $b^*$: function $g_{b^*}(*,*)$, with TD. [Diagram: inputs x, x' under $g_{b^*}(b = b^*, x)$ and under $g_{b^*}(b \neq b^*, x)$.] Correctness: $g^{-1}(TD, b, g_{b^*}(b \neq b^*, x)) = x$. Security: Lossy Branch indist.

29 CCA-1 Enc. KeyGen: PubKey: $f_{inj}(*)$, $g_{b^*}(*,*)$, $d$ (extractor seed); SK: $TD_f$, $TD_g$. Enc(M, PK): pick $x$, $e$; $CT = (e,\ C_1 = f_{inj}(x),\ C_2 = g_{b^*}(e, x),\ C_3 = M \oplus Ext(x, d))$. Dec(CT, SK): 1) $x' = f^{-1}(C_1)$. 2) Re-encrypt with $x'$. 3) $M = C_3 \oplus Ext(x', d)$.

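30 Chosen Ciphertext Security. Attacker makes decryption queries $CT_i$, answered with $Dec(CT_i)$; submits $M_0, M_1$; receives $Enc(PK, M_b) = CT^* = (e^*, \ldots)$; outputs $b'$. Wins if $b' = b$. Game-1 to Game-2: Probabilistic. Game-2 to Game-3: Hidden Branch ($g_{b^*}(*,*)$ becomes $g_{e^*}(*,*)$). Game-3 to Game-4: Equivalent. Game-4 to Game-5: Key Indist. ($f_{inj}(\cdot)$ becomes $f_{lossy}(\cdot)$). Game-2: Reject sigs from $e^*$. Game-3: Lossy Branch = $e^*$. Game-4: Decrypt with ABO key. Game-5: Make key Lossy. Game-5: $Ext(x, d) \approx$ Uniform $\mid g(b^*, x), f_{lossy}(x)$ $\Rightarrow$ negl. advantage.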

31 Full CCA Security. Queries before and after challenge CT. Sign CT with One-Time Signature.

32 Conclusions. First TDFs w/o factoring. First CCA from lattices. Main Ideas: Lose Information; Simulator changes parameters.

33 Future Directions. Lossy TDF as a general tool: OT, Collision Resistant Hash. Applications of Lossy Idea. General Realizations?

34 THE END

35 CCA Enc. KeyGen: PubKey: $f_{inj}(*)$, $g_{b^*}(*,*)$, $d$ (extractor seed); SK: $TD_f$, $TD_g$. Enc(M, PK): pick $x$, (VK, SigSK); $CT = (VK,\ C_1 = f_{inj}(x),\ C_2 = g_{b^*}(VK, x),\ C_3 = M \oplus Ext(d, x),\ \sigma = Sig(SK_{Sig}, (C_1 \ldots C_3)))$. Dec(CT, SK): 1) Check $\sigma$. 2) $x' = f^{-1}(C_1)$. 3) Re-encrypt with $x'$. 4) $M = C_3 \oplus Ext(x', d)$.

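36 Chosen Ciphertext Security. Attacker submits $M_0, M_1$; receives $Enc(PK, M_b) = CT^* = (VK^*, \ldots)$; makes decryption queries $CT_i \neq CT^*$, answered with $Dec(CT_i)$; outputs $b'$. Wins if $b' = b$. Game-1 to Game-2: Signature. Game-2 to Game-3: Hidden Branch ($g_{b^*}(*,*)$ becomes $g_{VK^*}(*,*)$). Game-3 to Game-4: Equivalent. Game-4 to Game-5: Key Indist. ($f_{inj}(\cdot)$ becomes $f_{lossy}(\cdot)$). Game-2: Reject sigs from $VK^*$. Game-3: Lossy Branch = $VK^*$. Game-4: Decrypt with ABO key. Game-5: Make key Lossy. Game-5: $Ext(x, d) \approx$ Uniform $\mid g(b^*, x), f_{lossy}(x)$ $\Rightarrow$ negl. advantage.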