Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia.

Published byAlban Flowers Modified over 9 years ago

Similar presentations

Presentation on theme: "Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia."— Presentation transcript:

1 Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), and Hoeteck Wee (CUNY, Queens College) Seung Geol Choi Columbia University

2 2 Outline Motivation Our Work –Our Contribution –NC-PKE from Trapdoor Simulatable PKE –Trapdoor Simulatable PKE from Factoring Conclusion

3 Semi-honest vs. Malicious –corrupted parties behave honestly or –arbitrarily # corrupted parties –Honest majority vs. dishonest majority. Static vs. Adaptive [CFGN96] –corrupts parties are determined at the outset or –during the protocol adaptively Adversarial corruption in MPC te More Realistic Assumption on the Adversary

4 Black-box construction of Adaptively secure MPC with Dishonest Majority MPC Adaptively secure oblivious transfer [IPS08] (Aug.) NC-PKE [CLOS02, CDMW09] Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)? - Of theoretical interest - More efficient: avoid general NP reductions incurred by ZK proofs.

5 Non-Committing Encryption (NCE) [CFGN96] Encryption that realizes a secure channel against an adaptive adversary –(Possibly interactive) encryption: (Gen, Enc, Dec) –with additional property: SIM SIM generates pairs of (e, c) that opens to 0 and to 1. (sender equivocal & receiver equivocal) Enc(0) Enc(1)

6 Non-Committing Public Key Encryption (NC-PKE) Two-round NCE –Bob sends his pk to Alice –Alice sends an encryption under pk to Bob –Desirable

7 Goal Construct (Aug.) NC-PKE from lower primitives in a black-box manner. MPC Adaptively secure oblivious transfer [IPS08] (Aug.) NC-PKE [CLOS02, CDMW09]

8 8 Outline Motivation Our Work –Our Contribution –NC-PKE from Trapdoor Simulatable PKE –Trapdoor Simulatable PKE from Factoring Conclusion

9 Known NCE Constructions [B97,DN00] [CFGN96] NC-PKE Simulatable common domain TDP CDH RSA 3-round NCE Simulatable PKE DDH LWE [GPV08]

10 Main Result Construct NC-PKE from trapdoor Simulatable PKE –Relaxed notion of simulatable PKE –First NC-PKE from LWE Construct trapdoor simulatable PKE from hardness of factoring –First NC-PKE from Factoring Trapdoor simulatable PKE NC-PKE Simulatable common domain TDP CDH RSA 3-round NCE Simulatable PKE DDH LWE Factoring

11 Our Contribution From LWE and factoring, first black box constructions of –NC-PKE –Adaptively secure OT –Adaptively secure MPC with dishonest majority MPC Oblivious Transfer [CLOS02,CDMW09] [IPS08] (Aug.) NC-PKE LWE Factoring Trapdoor Simulatable PKE

12 12 Outline Motivation Our Work –Our Contribution –NC-PKE from Trapdoor Simulatable PKE –Trapdoor Simulatable PKE from Factoring Conclusion

13 Simulatable PKE [DN00] PKE (Gen, Enc, Dec) with additional properties –Property 1: Oblivious Sampling oGen: generates a random pk w/o learning about its sk oRndEnc: generates a random ciphertext w/o learning about its plaintext E.g. ElGamal: –key: (y = g x, x)  Pick random y in G –Enc: (g r, m*y r )  pick random (c 1, c 2 ) from G

14 Simulatable PKE [DN00] Property 2: Invertibility –rGen Input: a normally-generated pub-key e, Output: randomness r G s.t. oGen(r G ) = e –rRndEnc Input: a normally-generated key and ciphertext (e,c) Output: randomness r E s.t. oRndEnc(e,r E ) = c –E.g. ElGamal: key: y from (y = g x, x)  Output y Enc: y and (c 1, c 2 ) from (y,x) and (g r, m*y r )  Output (c 1, c 2 ) –Property 1: Oblivious Sampling oGen: generates a random pk w/o learning about its sk oRndEnc: generates a random ciphertext w/o learning about its plaintext E.g. ElGamal: –key: (y = g x, x)  Pick random e in G –Enc: (g r, m*y r )  pick random (c 1, c 2 ) from G Trapdoor + randomness for Gen + randomness for Gen,End & plaintext

15 NCE from (trapdoor) simulatable PKE Need to construct SIM that generates ciphertexts that open to both 0 and 1. General Idea: SIM lies about obliviousness. –Protocol specifies some pk’s and ciphertexts should be generated obliviously. –SIM knows everything (all the pk’s and ciphertexts are generated by normal Gen, Enc). –SIM: clever lies on the set of obliviously generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.

16 Toy Construction [DN00,KO04] - 1 Key Gen: (pk 0, pk 1 ) –For a random x, pk x  Gen() pk 1-x  oGen() Encrypt. of a bit b: (c 0, c 1 ) –For a random y, c y  Enc(b), c 1-y  oEnc() Decryption of (c 0, c 1 ): –Output Dec(sk x, c x ) c0c0 c1c1 x = y b? pk 0 pk 1 x  y Decryption error = ¼ ( Can reduce by repetitions)

17 Toy Construction [DN00,KO04] - 2 Secure for adaptive corruption for one party –Disclaimer: Need to handle decryption error ¼ If both corrupted? 1 0 Corrupt S: m = 1 1 0 Corrupt R: m = 0 1 0 1 0 Corrupt R 1 0 x is fixed ( x = y ). Corrupt S 1 0 No events such as

18 The Idea to achieve NC-PKE Summary of the toy construction –R knows half of secret keys –Handles adaptive corruption of one party [KO04] –Cannot handle corruption of both parties: lack of freedom to simulate the secondly corrupted parties. To handle corruption of both parties –Raise the fraction of obliviousness –¾ is good enough

19 The Construction KeyGen: (e 1,…,e 4k ) –T: random set of size k if x ∈ T, e x  Gen() else e x  oGen() Enc of b: (c 1,…,c 4k ) –S: random set of size k, if y ∈ S, c y  Enc(b k ), else c y  oEnc() Dec of (c 1,…,c 4k ): If Dec(sk T, c T ) contains 0 k output 0. Else output 1 k = 2 Decryption error = +

20 Summary: NCE-PK from (trapdoor) simulatable PKE Obliviousness –¾ of keys and ciphertexts are generated obliviously. –Still, we get negligible decryption error by repetitions. –SIM can generate a (e,c) pair that opens to 0 and 1 Keys and ciphertexts are generated normally. Using (trapdoor) invertibility, fake on obliviously generated sets.

21 21 Outline Motivation Our Work –Our Contribution –NC-PKE from Trapdoor Simulatable PKE –Trapdoor Simulatable PKE from Factoring Conclusion

22 Trapdoor Simulatable PKE from Factoring There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f, –Gen()  (e, d) : e = f, d = f -1 –Enc(b)  (f(x), r, (x · r)  b): where r, x is random. Construct TDP from hardness of factoring Blum Integers (BI) with oblivious sampling and trapdoor invertibility

23 Rabin’s TDP for Blum Integers Quadratic Residues on a Bl integer N: QR N = {y : y = x 2, x ∈ Z N * } Rabin TDP –f:QR N  QR N –f(x) = x 2 mod N –Is based on hardness of factoring assumption

24 Basic Idea: for Keys Key Generation: sample k 3 k-bit integers w/ factoring [Bach ’88] Encryption of b given keys (N 1, …, N k 3 ) –Enc N 1 (b 1 ), …., Enc N k 3 (b k 3 ) where b = b 1  …  b k 3 –WHP, at least one N i is BI. Oblivious sampling: easy (sample k 3 integers) Trapdoor Invertibility: easy

25 Basic Idea : for Ciphertexts Change TDP description slightly –Q N = {a 2 k : a ∈ Z N *} where k = |N| –f: Q N  Q N, f(x) = x 2 k+1 mod N Oblivious sampling: easy (sample from Q N ) Trapdoor Invertibility: find random 2 k -th root w/ factoring

26 26 Outline Motivation Our Work –Our Contribution –NC-PKE from Trapdoor Simulatable PKE –Trapdoor Simulatable PKE from Factoring Conclusion

27 From LWE and factoring, first black box constructions of –NC-PKE –Adaptively secure OT –Adaptively secure MPC with honest minority MPC Oblivious Transfer [CLOS02,CDMW09] [IPS08] (Aug.) NC-PKE LWE Factoring Trapdoor Simulatable PKE

28 Thank you

Download ppt "Improved Non-Committing Encryption with Application to Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia."

Similar presentations

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.
7. Asymmetric encryption-

7. Asymmetric encryption-
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google