1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International.

Presentation transcript:

1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International

2 Public Key Cryptography M M PK SK Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)

3 Trapdoor Functions (TDF) [DH76] f(x) x PK: f( * ) TD Receiver recovers all input Input = x

4 Uses of TDFs: Public Key Encryption (PKE); PKE against active attackers, CCA-security [NY90,DDN91]; NIZKs [BFM88]

5 PKE ≠ TDF E(M,r) M PK: E(*,*) SK Message: M Randomness: r Input r not recovered. Not a TDF!

6 Building TDFs from PKE (a failure) E(x,x) x PK: E(*,*) SK Input: x Insecure! BB-Impossible [GMR05] Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)

7 This Talk First “non-native” TDF constructions New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91][RSA78] [PW07]

8 Key Idea: Lossy TDFs Concepts Realizations

9 Lossy TDFs: A Tale of Two Keys. Injective Keys: PK: f(*), TD; f_inj( ) on inputs x, x'. Lossy Keys: PK: f(*), TD; f_lossy( ) on inputs x, x'.

10 Properties 1) Injective: ∀ x ≠ x': f_inj(x) ≠ f_inj(x'), and f^{-1}(TD, f_inj(x)) = x 2) Lossy: n = input size, r < n = residual leakage (range < 2^r), k = n - r = lossiness

11 Key-Type Indist. Attacker cannot tell key-type Injective Lossy Prob. < ½ + negl. ?

12 Building A Trapdoor Function Use Lossy-TDF with Injective Keys PK: f inj ( * ) TD Correctness: Direct Security ??

13 Sequence of Game Proofs Define Games: Game-1, …, Game-N. Game-1 is actual security game. Properties 1) Game-i ≈_c Game-i+1 2) Advantage(Game-N) ≈ 0 (info theoretic)

14 Proving Non-Invertibility Game-1: f_inj( ); attacker sees f_inj(x), outputs x'. Game-2: f_lossy( ). Game-1 to Game-2: Key Indist. Game-2: ∃ ≈ 2^k z s.t. f_lossy(x) = f_lossy(z) ⇒ negl. advantage. Big Idea: Challenge over Public Key Type!

15 Public Key Enc. (Chosen-plaintext) KeyGen: PubKey: f_inj(*), d (extractor seed); SK: TD. Enc(M,PK): pick x; CT = (C_1, C_2) = (f_inj(x), M ⊕ Ext(d, x)). Dec(CT,SK): x' = f^{-1}(C_1); M = C_2 ⊕ Ext(d, x')

16 CPA Security Challenge: M_0, M_1, Enc(PK, M_b); attacker outputs b'; wins if b' = b. Game-1: f_inj( ). Game-2: f_lossy( ). Game-1 to Game-2: Key Indist. Game-2: Ext(d, x) ≈ Uniform | f_lossy(x) ⇒ negl. advantage

17 CCA Security [RS91] M PK SK M'

18 Preventing CCA Attacks Non-Interactive Zero Knowledge (NIZK) [DY90,RS91,DDN91,CS98,S99,CS02,ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices) Theme: Decryptor does not recover r

19 “Witness Recovering” Encryption E(M,r) M PK: E(*,*) SK Message: M Randomness: r r “Re-encrypt” to test

20 All-but-One (ABO) Encryption g_{b*}(*,*), TD. Generate "lossy branch" b*. Branches: g_{b*}(b = b*, x) and g_{b*}(b ≠ b*, x). Correctness: g^{-1}(TD, b, g_{b*}(b ≠ b*, x)) = x. Security: Lossy Branch indist.

21 CCA Enc KeyGen: PubKey: f_inj(*), g_{b*}(*,*), d (extractor seed); SK: TD_f, TD_g. Enc(M,PK): pick x, (VK, SigSK); CT = VK, C_1 = f_inj(x), C_2 = g_{b*}(VK, x), C_3 = M ⊕ Ext(d, x), σ = Sig(SK_Sig, (C_1 … C_3)). Dec(CT,SK): 1) Check σ 2) x' = f^{-1}(C_1) 3) Re-encrypt with x' 4) M = C_3 ⊕ Ext(d, x')

22 Chosen Ciphertext Security Challenge: M_0, M_1, Enc(PK, M_b) = CT*; decryption queries Dec(CT_i) with CT_i ≠ CT* = (VK*, …); attacker outputs b'; wins if b' = b. Games: Game-1, Game-2 (Signature), Game-3 (Hidden Branch), Game-4 (Equivalent), Game-5 (Key Indist.). Game-2: Reject sigs from VK*. Game-3: Lossy Branch = VK* (g_{b*}(*,*) becomes g_{VK*}(*,*)). Game-4: Decrypt with ABO key. Game-5: Make key Lossy (f_inj( ) becomes f_lossy( )). Game-5: Ext(d, x) ≈ Uniform | g(b*, x), f_lossy(x) ⇒ negl. advantage

23 …,but Where do they Come From?

24 Homomorphic Encryption E(a) ⊕ E(b) = E(a+b); c · E(a) = E(c · a)

25 Creating Lossy TDFs Injective: Encrypt Identity Matrix (E(1) on the diagonal, E(0) elsewhere). Evaluate: Matrix Multiplication: input (x_1, …, x_n) times the encrypted matrix = (E(x_1), …, E(x_n))

26 Creating Lossy TDFs Lossy: Encrypt Zero Matrix (every entry E(0)); input (x_1, …, x_n) times the encrypted matrix = (E(0), …, E(0)). Msg. output independent of input, but …

27 DDH-Construction Group G of order q. Input size: n > 3 lg(q). Pick: g, h_1 = g^{a_1}, …, h_n = g^{a_n} ∈ G; r_1, …, r_n ∈ Z_q

28 Creating Lossy TDFs (injective) Input (x_1, …, x_n) times the matrix whose row i is (g^{r_i}, A_{i,1}, …, A_{i,n}), where A_{i,j} = h_j^{r_i} · g^1 if i = j, else A_{i,j} = h_j^{r_i}. Output: g^{Σ x_i r_i}, g^{a_1 Σ x_i r_i} · g^{x_1}, …, g^{a_n Σ x_i r_i} · g^{x_n}. Use a_i's to recover x_i's

29 Creating Lossy TDFs (lossy) Input (x_1, …, x_n) times the matrix whose row i is (g^{r_i}, A_{i,1}, …, A_{i,n}), where A_{i,j} = h_j^{r_i} for all i, j. Output: g^{Σ x_i r_i}, g^{a_1 Σ x_i r_i}, …, g^{a_n Σ x_i r_i}. Only lg(q) bits of information ⇒ n - lg(q) bits lost! DDH ⇒ Key Indist.
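
A toy run of the DDH construction on slides 27-29, added here as an example (it is not code from the talk or its authors): it builds an injective and a lossy key, inverts with the trapdoor a_1, …, a_n, and counts the image of each key over all inputs. The group (p = 23, q = 11, g = 4), n = 12, the seeded RNG and all function names are assumptions chosen so the whole input space can be enumerated; the parameters are far too small to be secure.

```python
import itertools
import random

# Constructed toy parameters: G is the order-q subgroup of Z_p^*, p = 2q + 1.
P, Q, G = 23, 11, 4
N = 12  # input bits; slide 27 asks for n > 3 lg(q)

def keygen(lossy, rng):
    """Return (rows, a): row i is (g^{r_i}, A_{i,1..n}); a is the trapdoor."""
    a = [rng.randrange(1, Q) for _ in range(N)]   # h_j = g^{a_j}
    r = [rng.randrange(Q) for _ in range(N)]
    rows = []
    for i in range(N):
        row = [pow(G, r[i], P)]
        for j in range(N):
            entry = pow(G, a[j] * r[i], P)        # h_j^{r_i}
            if i == j and not lossy:
                entry = entry * G % P             # extra g on the diagonal
            row.append(entry)
        rows.append(row)
    return rows, a

def evaluate(rows, x):
    """Multiply the rows selected by the bits of x, column by column."""
    out = [1] * (N + 1)
    for bit, row in zip(x, rows):
        if bit:
            out = [o * e % P for o, e in zip(out, row)]
    return tuple(out)

def invert(a, y):
    """Divide column j by y_0^{a_j} = g^{a_j * sum x_i r_i}, leaving g^{x_j}."""
    x = []
    for j in range(N):
        gx = y[j + 1] * pow(pow(y[0], a[j], P), -1, P) % P
        x.append(0 if gx == 1 else 1)
    return tuple(x)

def image_size(rows):
    return len({evaluate(rows, x) for x in itertools.product((0, 1), repeat=N)})

def demo(seed=1):
    """Return (inversion succeeded, injective image size, lossy image size)."""
    rng = random.Random(seed)
    inj_rows, trapdoor = keygen(False, rng)
    lossy_rows, _ = keygen(True, rng)
    x = tuple(rng.randrange(2) for _ in range(N))
    recovered = invert(trapdoor, evaluate(inj_rows, x))
    return recovered == x, image_size(inj_rows), image_size(lossy_rows)
```

With the injective key all 2^12 inputs map to distinct outputs, while the lossy key's output depends only on Σ x_i r_i mod q, so its image has at most q = 11 elements.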

30 Lattice Realization Similar Structure Gaussian Noise Issue Reduce to Learning w/ Error Lattices [R05]

31 Conclusions First TDFs w/o factoring. First CCA from lattices. Main Ideas: Lose Information; Simulator changes parameters. Future: CCA-secure PKE