Download presentation
Presentation is loading. Please wait.
1
Lossy Trapdoor Functions and Their Applications
Chris Peikert SRI International Brent Waters SRI International
2
Trapdoor Functions (TDF) [DH76]
Receiver recovers all input PK: f( * ) TD Input = x f(x) x
3
PKE TDF E(M,r) M SK Message: M Randomness: r r
Input not recovered. Not a TDF!
4
Building TDFs from PKE (a failure)
SK Input: x E(x,x) x Insecure! BB-Impossible [GMR05]
5
Injective TDFs: A Building Block?
Multi-Party Computation[Y82,…] Non-Interactive Zero Knowledge [BFM88] (CCA-Secure) PKE [ GM84, NY90,RS91,DDN91,S99…] 30 years since RSA: Only Factoring Candidates Quantum Attacks Break Factoring! [S94]
6
Our Results First “non-native” TDF constructions
New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91] [RSA78] [PW07] [PW07]
7
Lossy TDFs: A Tale of Two Keys
Injective Keys ginj( ) TD PK: g(*) x x’ Lossy Keys glossy( ) x PK: g(*) TD x’ Property: Indistinguishable key types Attacker can’t invert
8
? Key-Type Indist. Attacker cannot tell key-type Injective Lossy
Prob. < ½ + negl.
9
Homomorphic Encryption
E(a) © E(b) = E(a+b) c¢ E(a) = E(c¢a) El Gamal’ PK: ga CT: gr , gargm (gr1, gar1gm1) © (gr2, gar2gm2) = (gr 1 +r2, ga(r1+r2) gm1+m2)
10
= Creating Lossy TDFs Injective: Encrypt Identity Matrix
Evaluate: Matrix Multiplication E(1) E(0) E(0) x1 xn E(0) E(1) = E(0) E(1) E(x1) E(xn)
11
= Creating Lossy TDFs Lossy: Encrypt Zero Matrix
Msg. output independent of input , but … E(0) E(0) E(0) x1 xn E(0) E(0) = E(0) E(0) E(0)
12
DDH-Construction Group G order q Input size: n > 3 lg(q) Pick:
g, h1= ga1 , … , hn=gan 2 G r1, … , rn 2 Zq
13
Creating Lossy TDFs (injective)
if i =j Ai,,j = hjri g1 else Ai,,j = hjri h1r1 g h2r1 x1 xn gr1 hnr1 h1r2 = grn h1rn hnrn g y=i xi ri ,g a1 xiri gx1 g xiri ,g an xiri gxn
14
Creating Lossy TDFs (injective)
if i =j Ai,,j = hjri g1 else Ai,,j = hjri h1r1 g h2r1 x1 xn gr1 hnr1 h1r2 = Use ai’s to recover xi’s grn h1rn hnrn g y=i xi ri ,ga1 y gx1 gy ,g an y gxn
15
Creating Lossy TDFs (lossy)
Ai,,j = hjri DDH ) Key Indist. h1r1 h2r1 x1 xn gr1 hnr1 h1r2 = grn h1rn hnrn y=i xi ri ,g a1 y gy g an y Only lg(q) bits of information ) n- lg(q) bits lost!
16
Lattice Realization Learning with Error (LWE) Lattice Connection [R05]
Challenge: Extra bits leaked
17
Injective Trapdoors Lossy Key Indist. Advlossy = negl. ¼ Advinj
Injective Keys ginj( ) TD PK: g(*) x Lossy Keys glossy( ) x PK: g(*) Lossy Key Indist. Advlossy = negl. ¼ Advinj
18
Summary Trapdoors and CCA Security
First CCA-secure system from lattices [AD97] Witness Recovering Techniques A New General Primitive? Many applications (CRHF, OT) Multiple Relizations
19
Thank You
20
Thank You
21
Lossy TDFs: A Tale of Two Keys
Injective Keys ginj( ) TD PK: g(*) x x’ Lossy Keys glossy( ) x PK: g(*) TD x’ Property: Indistinguishable key types Attacker can’t invert
22
Lossy TDFs: A Tale of Two Keys
Injective Keys TD finj( ) PK: f( * ) x x’ Lossy Keys TD flossy( ) PK: f( * ) x x’
23
Lossy Trapdoor Functinons
How To Build Them How to build them Injective Trapdoor Functions CCA-secure Encryption
24
Trapdoor Function Candidates
Factoring (e.g. RSA, QR) Cyclic Groups (e.g. DDH) Linear equations (lattices) Large Scale Quantum Attacks?
25
Properties Injective: 8 x,x’ finj( x ) finj( x’ )
f-1 (TD, finj( x )) = x 2) Lossy: n input size r < n residual leakage (range < 2r) k = n-r lossiness
26
Building A Trapdoor Function
Use Lossy-TDF with Injective Keys PK: finj( * ) TD Correctness: Direct Security ??
27
Security for (Injective) TDF
f( x ) x x’ Adv. wins iff x’=x
28
Sequence of Game Proofs
Define Games: Game-1 , … , Game-N Game-1 is actual security game Properties Game-i c Game-i+1 Advantage(Game-N) 0 (info theoretic)
29
Proving Non-Invertability
finj( ) flossy( ) Game-1 finj( x ) flossy( x ) Key Indist. x Game-2 x’ Adv. wins iff x’=x Game-2: 9 ¼ 2k z s.t. flosssy(x) = flossy(z) ) negl. advantage Big Idea: Challenge over Public Key Type!
30
CCA Security[RS91] ? PK SK Practical: B[98] Attack on RSA PKCS#1
“Meet me at 8 –Bob” ? “a7%($,..” “Meet me …” Practical: B[98] Attack on RSA PKCS#1
31
Chosen Ciphertext Security (CCA-1)
PK CTi Dec(CTi) M0, M1 Enc(PK,Mb)=CT* b Wins if b’=b b’
32
Preventing CCA Attacks
Non-Interactive Zero Knowledge (NIZK) [NY90,RS91,DDN91, CS98,S99, CS02, ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Theme: Decryptor not recover r Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)
33
“Witness Recovering” Encryption
PK: E(*,*) SK Message: M Randomness: r E(M,r) M r “Re-encrypt” to test
34
All-but-One (ABO) TDF Generate “lossy branch” b* x x TDb* x’ x’
gb*( *,* ) TDb* gb*(b=b*,x ) gb*(b b*,x ) x x x’ x’ Correctness: g-1(TD, b , gb*(b b*, x)) = x Security: Lossy Branch indist.
35
CCA-1 Enc. KeyGen Enc(M,PK) Dec(CT,SK) finj( * ) gb*(*,*) PubKey:
, d (extractor seed) SK: TDf TDg Enc(M,PK) x, e CT = e, C1= finj(x) , C2=gb*(e,x) , C3= M © Ext(x, d) Dec(CT,SK) 1) x’ = f-1(C1) 3) M= C3 © Ext(x’,d) 2) Re-encrypt with x’
36
Chosen Ciphertext Security
Game-1 ge*(*,*) gb*(*,*) finj( ) flossy( ) Probabilistic CTi Dec(CTi) Game-2 Hidden Branch M0, M1 Game-3 Enc(PK,Mb)=CT*=(e*,…) Equivalent b Game-4 Wins if b’=b b’ Key Indist. Game-5 Game-4: Decrypt with ABO key Game-5: Ext(x,d) ¼ Uniform | g(b*,x), flossy(x) ) negl. advantage Game-3: Lossy Branch = e* Game-2: Reject sigs from e* Game-5: Make key Lossy
37
Full CCA Security Queries before and after challenge CT
Sign CT with One-Time Signature
38
Conclusions First TDFs w/o factoring First CCA from lattices
Main Ideas: Loose Information Simulator changes parameters
39
Future Directions Lossy TDF as a general tool OT
Collision Resistant Hash Applications of Lossy Idea General Realizations?
40
CCA Enc KeyGen Enc(M,PK) Dec(CT,SK) finj( * ) gb*(*,*) PubKey:
, d (extractor seed) SK: TDf TDg Enc(M,PK) x, ( VK, SigSK ) CT = VK, C1= finj(x) , C2=gb*(VK,x) , C3= M © Ext(d, x), = Sig(SKSig, (C1…C3)) Dec(CT,SK) 1) Check 3) Re-encrypt with x’ 2) x’ = f-1(C1) 4) M= C3 © Ext(x’,d)
41
Chosen Ciphertext Security
Game-1 gb*(*,*) gVK*(*,*) finj( ) flossy( ) Signature M0, M1 Game-2 Enc(PK,Mb)=CT* Hidden Branch b Game-3 CTi CT*=(VK*…) Equivalent Dec(CT_i) Game-4 Wins if b’=b b’ Key Indist. Game-5 Game-4: Decrypt with ABO key Game-5: Ext(x,d) ¼ Uniform | g(b*,x), flossy(x) ) negl. advantage Game-5: Make key Lossy Game-2: Reject sigs from VK* Game-3: Lossy Branch = VK*
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.