Download presentation
Presentation is loading. Please wait.
Published byAdam Tate Modified over 9 years ago
1
1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International
2
2 Trapdoor Functions (TDF) [DH76] f(x) x PK: f( * ) TD Receiver recovers all input Input = x
3
3 Some Uses of TDFs Public Key Encryption (PKE) NIZKs [BFM88] PKE against active attackers CCA-security [NY90,DDN91]
4
4 PKE TDF E(M,r) M PK: E(*,*) SK Message: M Randomness: r r Input not recovered. Not a TDF!
5
5 Building TDFs from PKE (a failure) E(x,x) x PK: E(*,*) SK Input: x Insecure! BB-Impossible [GMR05]
6
6 Trapdoor Function Candidates Factoring (e.g. RSA, QR) Cyclic Groups (e.g. DDH) Linear equations (lattices) Large Scale Quantum Attacks?
7
7 This Talk First “non-native” TDF constructions New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91][RSA78] [PW07]
8
8 This Talk Lossy TDFs How to build them Injective Trapdoor Functions CCA-secure Encryption
9
9 Lossy TDFs: A Tale of Two Keys x PK: f( * ) TD Injective Keys x’ f inj ( ) x TD Lossy Keys x’ f lossy ( ) PK: f( * )
10
10 Properties 1)Injective: 8 x,x’ f inj ( x ) f inj ( x’ ) f -1 (TD, f inj ( x )) = x 2) Lossy: n input size r < n residual leakage (range < 2 r ) k = n-r lossiness
11
11 Key-Type Indist. Attacker cannot tell key-type Injective Lossy Prob. < ½ + negl. ?
12
12 Homomorphic Encryption E(a) © E(b) = E(a+b) c ¢ E(a) = E(c ¢ a) El Gamal’ PK: g a CT: g r, g ar g m (g r 1, g ar 1 g m 1 ) © (g r 2, g ar 2 g m 2 ) = (g r 1 +r 2, g a(r 1 +r 2 ) g m 1 +m 2 )
13
13 Creating Lossy TDFs E(1) E(0) x1x1 xnxn = E(x 1 ) E(x n ) Injective: Encrypt Identity Matrix Evaluate: Matrix Multiplication E(0)
14
14 Creating Lossy TDFs E(0) x1x1 xnxn = Lossy: Encrypt Zero Matrix E(0) Msg. output independent of input, but …
15
15 DDH-Construction Group G order q Input size: n > 3 lg(q) Pick: g, h 1 = g a 1, …, h n =g a n 2 G r 1, …, r n 2 Z q
16
16 Creating Lossy TDFs (injective) h 1 r 1 g hnrn ghnrn g h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 if i =j A i,,j = h j r i g 1 else A i,,j = h j r i grngrn,g a 1 x i r i g x 1 g x i r i,g a n x i r i g x n y= i x i r i
17
17 Creating Lossy TDFs (injective) h 1 r 1 g hnrn ghnrn g h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 if i =j A i,,j = h j r i g 1 else A i,,j = h j r i grngrn Use a i ’s to recover x i ’s,g a 1 y g x 1 gygy,g a n y g x n y= i x i r i
18
18 Creating Lossy TDFs (lossy) h1r1h1r1 hnrnhnrn h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 A i,,j = h j r i grngrn,g a 1 y gygy g a n y Only lg(q) bits of information ) n- lg(q) bits lost! DDH ) Key Indist. y= i x i r i
19
19 Learning With Error Realization Reduce to Learning w/ Error Lattices [R05] Similar Structure Challenge: Extra bits leaked
20
20 Building A Trapdoor Function Use Lossy-TDF with Injective Keys PK: f inj ( * ) TD Correctness: Direct Security ??
21
21 Security for (Injective) TDF f( ) f( x ) x’ x Adv. wins iff x’=x
22
22 Sequence of Game Proofs Define Games: Game-1, …, Game-N Game-1 is actual security game Properties 1)Game-i c Game-i+1 2)Advantage(Game-N) 0 (info theoretic)
23
23 Proving Non-Invertability f lossy ( ) f inj ( ) f inj ( x ) x’ Game-1 Game-2 Key Indist. Game-2: 9 ¼ 2 k z s.t. f losssy (x) = f lossy (z) ) negl. advantage Big Idea: Challenge over Public Key Type! x f lossy ( x ) Adv. wins iff x’=x
24
24 CCA Security[RS91] PK SK “Meet me at 8 –Bob” “a7%($,..” ? “Meet me …” Practical: B[98] Attack on RSA PKCS#1
25
25 Chosen Ciphertext Security (CCA-1) PK M 0, M 1 Enc(PK,M b )=CT* b Wins if b’=b b’ CT i Dec(CT i )
26
26 Preventing CCA Attacks Non-Interactive Zero Knowledge (NIZK) [NY90,RS91,DDN91, CS98,S99, CS02, ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices) Theme: Decryptor not recover r
27
27 “Witness Recovering” Encryption E(M,r) M PK: E(*,*) SK Message: M Randomness: r r “Re-encrypt” to test
28
28 All-but-One (ABO) TDF g b* ( *,* ) TD b* Generate “lossy branch” b* x x’ g b* (b=b*,x ) x x’ g b* (b b*,x ) Correctness: g -1 (TD, b, g b* (b b*, x)) = x Security: Lossy Branch indist.
29
29 CCA-1 Enc. KeyGen PubKey: SK: f inj ( * ) TD f, d (extractor seed) Enc(M,PK) x, e CT = e, C 1 = f inj (x), C 2 =g b* (e,x), C 3 = M © Ext(x, d) Dec(CT,SK) 1) x’ = f -1 (C 1 ) g b* (*,*) TD g 3) M= C 3 © Ext(x’,d) 2) Re-encrypt with x’
30
30 Chosen Ciphertext Security f lossy ( ) f inj ( ) Game-1 Game-2 Probabilistic Wins if b’=b Game-5: Ext(x,d) ¼ Uniform | g(b*,x), f lossy (x) ) negl. advantage M 0, M 1 Enc(PK,M b )=CT*=(e*,…) b b’ Game-3 Hidden Branch Game-4 Equivalent Game-5 Key Indist. g b* (*,*)g e* (*,*) Game-2: Reject sigs from e*Game-3: Lossy Branch = e*Game-4: Decrypt with ABO keyGame-5: Make key Lossy CT i Dec(CT i )
31
31 Full CCA Security Queries before and after challenge CT Sign CT with One-Time Signature
32
32 Conclusions First TDFs w/o factoring First CCA from lattices Main Ideas: Loose Information Simulator changes parameters
33
33 Future Directions Lossy TDF as a general tool OT Collision Resistant Hash Applications of Lossy Idea General Realizations?
34
34 THE END
35
35 CCA Enc KeyGen PubKey: SK: f inj ( * ) TD f, d (extractor seed) Enc(M,PK) x, ( VK, SigSK ) CT = VK, C 1 = f inj (x), C 2 =g b* (VK,x), C 3 = M © Ext(d, x), = Sig(SK Sig, (C 1 …C 3 )) Dec(CT,SK) 2) x’ = f -1 (C 1 ) g b* (*,*) TD g 1) Check 4) M= C 3 © Ext(x’,d) 3) Re-encrypt with x’
36
36 Chosen Ciphertext Security f lossy ( ) f inj ( ) M 0, M 1 Enc(PK,M b )=CT* Game-1 Game-2 Signature Wins if b’=b Game-5: Ext(x,d) ¼ Uniform | g(b*,x), f lossy (x) ) negl. advantage b b’ CT i CT*=(VK*…) Dec(CT_i) Game-3 Hidden Branch Game-4 Equivalent Game-5 Key Indist. g b* (*,*)g VK* (*,*) Game-2: Reject sigs from VK*Game-3: Lossy Branch = VK*Game-4: Decrypt with ABO keyGame-5: Make key Lossy
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.