Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International.

Published byIris Shields Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International."— Presentation transcript:

1 1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International

2 2 Public Key Cryptography M M PK SK Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)

3 3 Trapdoor Functions (TDF) [DH76] f(x) x PK: f( * ) TD Receiver recovers all input Input = x

4 4 Uses of TDFs  Public Key Encryption (PKE)  PKE against active attackers CCA-security [NY90,DDN91]  NIZKs [BFM88]

5 5 PKE  TDF E(M,r) M PK: E(*,*) SK Message: M Randomness: r r Input not recovered. Not a TDF!

6 6 Building TDFs from PKE (a failure) E(x,x) x PK: E(*,*) SK Input: x Insecure! BB-Impossible [GMR05] Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices)

7 7 This Talk First “non-native” TDF constructions New CCA-secure cryptosystems DDH TDF CCA-Enc Lattices Factoring [CS98] [NY90, DDN91][RSA78] [PW07]

8 8 Key Idea: Lossy TDFs Concepts Realizations

9 9 Lossy TDFs: A Tale of Two Keys x PK: f( * ) TD Injective Keys x’ f inj ( ) x TD Lossy Keys x’ f lossy ( ) PK: f( * ) 

10 10 Properties 1)Injective: 8 x,x’ f inj ( x )  f inj ( x’ ) f -1 (TD, f inj ( x )) = x 2) Lossy: n input size r < n residual leakage (range < 2 r ) k = n-r lossiness

11 11 Key-Type Indist. Attacker cannot tell key-type Injective Lossy Prob. < ½ + negl. ?

12 12 Building A Trapdoor Function Use Lossy-TDF with Injective Keys PK: f inj ( * ) TD Correctness: Direct Security ??

13 13 Sequence of Game Proofs Define Games: Game-1, …, Game-N Game-1 is actual security game Properties 1)Game-i  c Game-i+1 2)Advantage(Game-N)  0 (info theoretic)

14 14 Proving Non-Invertability f lossy ( ) f inj ( ) f inj ( x ) x’ Game-1 Game-2 Key Indist. Game-2: 9 ¼ 2 k z s.t. f losssy (x) = f lossy (z) ) negl. advantage Big Idea: Challenge over Public Key Type! x

15 15 Public Key Enc. (Chosen-plaintext) KeyGen PubKey: SK: f inj ( * ) TD, d (extractor seed) Enc(M,PK) x CT = (C 1,C 2 ) = f inj (x), M © Ext(d, x) Dec(CT,SK) x’ = f -1 (C 1 ) M= C 1 © Ext(x’,d)

16 16 CPA Security f lossy ( ) f inj ( ) M 0, M 1 Enc(PK,M b ) Game-1 Game-2 Key Indist. Wins if b’=b Game-2: Ext(x,d) ¼ Uniform | f lossy (x) ) negl. advantage b b’

17 17 CCA Security[RS91] M PK SK M’

18 18 Preventing CCA Attacks Non-Interactive Zero Knowledge (NIZK) [DY90,RS91,DDN91, CS98,S99, CS02, ES02] CT = Enc(M,r) + NIZK Decrypt: 1) Check NIZK 2) Decrypt Factoring (RSA) Cyclic Groups (DH) Linear equations (lattices) Theme: Decryptor not recover r

19 19 “Witness Recovering” Encryption E(M,r) M PK: E(*,*) SK Message: M Randomness: r r “Re-encrypt” to test

20 20 All-but-One (ABO) Encryption g b* ( *,* ) TD b* Generate “lossy branch” b* x x’ g b* (b=b*,x ) x x’ g b* (b  b*,x ) Correctness: g -1 (TD, b, g b* (b  b*, x)) = x Security: Lossy Branch indist.

21 21 CCA Enc KeyGen PubKey: SK: f inj ( * ) TD f, d (extractor seed) Enc(M,PK) x, ( VK, SigSK ) CT = VK, C 1 = f inj (x), C 2 =g b* (VK,x), C 3 = M © Ext(d, x),  = Sig(SK Sig, (C 1 …C 3 )) Dec(CT,SK) 2) x’ = f -1 (C 1 ) g b* (*,*) TD g 1) Check  4) M= C 3 © Ext(x’,d) 3) Re-encrypt with x’

22 22 Chosen Ciphertext Security f lossy ( ) f inj ( ) M 0, M 1 Enc(PK,M b )=CT* Game-1 Game-2 Signature Wins if b’=b Game-5: Ext(x,d) ¼ Uniform | g(b*,x), f lossy (x) ) negl. advantage b b’ CT i  CT*=(VK*…) Dec(CT_i) Game-3 Hidden Branch Game-4 Equivalent Game-5 Key Indist. g b* (*,*)g VK* (*,*) Game-2: Reject sigs from VK*Game-3: Lossy Branch = VK*Game-4: Decrypt with ABO keyGame-5: Make key Lossy

23 23 …,but Where do they Come From?

24 24 Homomorphic Encryption E(a) © E(b) = E(a+b) c ¢ E(a) = E(c ¢ a)

25 25 Creating Lossy TDFs E(1) E(0) x1x1 xnxn = E(x 1 ) E(x n ) Injective: Encrypt Identity Matrix Evaluate: Matrix Multiplication E(0)

26 26 Creating Lossy TDFs E(0) x1x1 xnxn = Lossy: Encrypt Zero Matrix E(0) Msg. output independent of input, but …

27 27 DDH-Construction Group G order q Input size: n > 3 lg(q) Pick: g, h 1 = g a 1, …, h n =g a n 2 G r 1, …, r n 2 Z q

28 28 Creating Lossy TDFs (injective) h 1 r 1 g hnrn ghnrn g h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 if i =j A i,,j = h j r i g 1 else A i,,j = h j r i grngrn Use a i ’s to recover x i ’s,g a 1  x i r i g x 1 g  x i r i,g a n  x i r i g x n

29 29 Creating Lossy TDFs (lossy) h1r1h1r1 hnrnhnrn h1r2h1r2 h1rnh1rn hnr1hnr1 x1x1 xnxn = h2r1h2r1 gr1gr1 A i,,j = h j r i grngrn,g a 1  x i r i g  x i r i g a n  x i r i Only lg(q) bits of information ) n- lg(q) bits lost! DDH ) Key Indist.

30 30 Lattice Realization Similar Structure Gaussian Noise Issue Reduce to Learning w/ Error Lattices [R05]

31 31 Conclusions First TDFs w/o factoring First CCA from lattices Main Ideas: Loose Information Simulator changes parameters Future: CCA-secure PKE

Download ppt "1 Lossy Trapdoor Functions and Their Applications Brent Waters SRI International Chris Peikert SRI International."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
7. Asymmetric encryption-

7. Asymmetric encryption-
Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Lattice-Based Cryptography

Lattice-Based Cryptography

Similar presentations

Ads by Google