Chosen ciphertext security from slightly lossy trapdoor functions

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions. Petros Mol, Scott Yilek. PKC 2010. UC, San Diego. May 27, 2010. Security for Public-Key Encryption. server. client. insecure channel. pk. pk, sk. Ideally: Protect against all possible attacks.


Presentation Transcript


Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Petros Mol, Scott Yilek

PKC 2010

UC, San Diego

May 27, 2010


Security for Public-Key Encryption

[Figure: client and server communicating over an insecure channel, with labels pk and (pk, sk)]

Ideally: Protect against all possible attacks

Modeling all possible attacks is hard (if possible at all)

For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91])


Chosen-Ciphertext Security (PKE)

$\Pi = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$

  • Setup: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$, $b \xleftarrow{\$} \{0,1\}$; the adversary receives $pk$

  • Decryption queries: the adversary sends $c_i$ and receives $m_i = \mathrm{Dec}(sk, c_i)$

  • Challenge: $c^* = \mathrm{Enc}(pk, b)$; later queries must satisfy $c_i \neq c^*$

  • Output: the adversary outputs $b'$

Security against CCA attacks

For all efficient adversaries

$|\Pr[b' = b] - 1/2| = \mathrm{negl}(n)$


CCA-Secure Encryption (overview)

Generic Constructions

  • 1991: [DDN 91] Enhanced TDPs

  • 2002: [CS 02] UHPS

  • 2004: [CHK 04] IBE

  • 2008: [PW08] LTDFs

  • 2009: [RS09] Correlated inputs

Concrete Instantiations

  • 1998: [CS98] DDH

  • 2006: [BCHK 06] BCDH

  • 2008: [CKS08] CDH

  • 2009: [HK09] Factoring


Lossy Trapdoor Functions [PW08]

$\mathcal{F} = (G, F, F^{-1})$: $(n, l)$-lossy TDF

  • Injective mode: $(s_{inj}, t) \leftarrow G(\mathrm{inj})$; $F(s_{inj}, \cdot)$ is 1-1 on $\{0,1\}^n$ and is inverted by $F^{-1}(t, \cdot)$

  • Lossy mode: $(s_{loss}, \bot) \leftarrow G(\mathrm{loss})$; $|\mathrm{Img}(F(s_{loss}, \cdot))| = 2^{n-l}$

  • Computational requirement (relating the injective and lossy modes)


CCA-PKE from LTDFs & Correlated Inputs (generic constructions)

  • [Peikert, Waters 08]: $(n, n(1-o(1)))$ LTDFs → All But One TDFs → CCA-secure PKE

  • [Rosen, Segev 09]: $(n, n(1-o(1)))$ LTDFs → Correlated input OWFs → CCA-secure PKE

  • This work: $(n, 1/\mathrm{poly}(n))$ LTDFs → Correlated input OWFs → CCA-secure PKE


Rest of talk

  • OW under Correlated Inputs and the Rosen-Segev Construction

  • CCA-security from Slightly LTDFs

  • A Slightly LTDF based on Modular Squaring

  • Conclusions


One-Wayness Under Correlated Inputs

$\mathcal{F} = (G, F)$: family of efficiently computable functions

[Def] (w-wise product)

  • Generation: $G_w$ outputs $f_1, f_2, \ldots, f_w$

  • Evaluation: $(x_1, x_2, \ldots, x_w) \mapsto (f_1(x_1), f_2(x_2), \ldots, f_w(x_w))$

  • One-Wayness: $\mathcal{F}$ is one-way under $C_w$-correlated inputs if for all PPT adversaries $A$

$\Pr[A(f_1, \ldots, f_w, f_1(x_1), \ldots, f_w(x_w)) = (x_1, \ldots, x_w)]$ is negligible

where $(x_1, \ldots, x_w) \sim C_w$


Rosen-Segev Simplified construction

  • Components

    • $\mathcal{F} = (G, F, F^{-1})$: injective TDFs, OW under $C_w$-correlated inputs

    • $\Pi = (\mathrm{Kg}, \mathrm{Sign}, \mathrm{Ver})$: one-time signature scheme

    • $h$: hardcore predicate for $\mathcal{F}$ under $C_w$-correlated inputs

The Construction: $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$

  • KeyGen: uses $G$ to produce

    • $pk = (f_{1,0}, f_{1,1}, \ldots, f_{w,0}, f_{w,1})$

    • $sk = (t_{1,0}, t_{1,1}, \ldots, t_{w,0}, t_{w,1})$

  • Enc:

    • $(VK, SK) \leftarrow \mathrm{Kg}$; $VK = VK_1 \ldots VK_w \in \{0,1\}^w$

    • $x = (x_1, \ldots, x_w) \leftarrow C_w$

    • $y_i = f_{i,VK_i}(x_i)$

    • $c_1 = b \oplus h(f_{1,VK_1}, \ldots, f_{w,VK_w}, x)$

    • $c_2 = \mathrm{Sign}(SK, y_1, \ldots, y_w, c_1)$

    • Ciphertext: $(VK, y_1, \ldots, y_w, c_1, c_2)$


Rosen-Segev Simplified construction

  • For CCA proof: 2 requirements from $C_w$

    • Hardness assumption: $\mathcal{F}$ should be OW under $C_w$

    • Almost perfect simulation of decryption: $(x_1, \ldots, x_w)$ reconstructable from any $x_i$

$C_w$: w-repetition distribution, $x_1 = x_2 = \ldots = x_w$

Instantiation ([RS09])

$(n, n(1-1/w))$-lossy TDFs → OW under w-repetition


Rosen-Segev Generalized construction

Additional Component

ECC: $\Sigma^k \to \Sigma^w$ with distance $d$

The Construction: $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$

  • KeyGen:

    • $pk = (f_{1,0}, \ldots, f_{1,|\Sigma|-1}, \ldots, f_{w,0}, \ldots, f_{w,|\Sigma|-1})$

    • $sk = (t_{1,0}, \ldots, t_{1,|\Sigma|-1}, \ldots, t_{w,0}, \ldots, t_{w,|\Sigma|-1})$

  • Enc:

    • $(VK, SK) \leftarrow \mathrm{Kg}$, $VK \in \Sigma^k$; $\mathrm{ECC}(VK) = \sigma_1 \ldots \sigma_w \in \Sigma^w$

    • $x = (x_1, \ldots, x_w) \leftarrow C_w$

    • $y_i = f_{i,\sigma_i}(x_i)$

    • $c_1 = b \oplus h(f_{1,\sigma_1}, \ldots, f_{w,\sigma_w}, x)$

    • $c_2 = \mathrm{Sign}(SK, y_1, \ldots, y_w, c_1)$

    • Ciphertext: $(VK, y_1, \ldots, y_w, c_1, c_2)$


Rosen-Segev Generalized construction

  • Required properties for $C_w$

    • Hardness assumption: $\mathcal{F}$ should be OW under $C_w$

    • Almost perfect simulation of decryption: $(x_1, \ldots, x_w)$ reconstructable from any $d$ distinct $x_i$ ($d$: distance of the ECC)

Focus of this work

How much lossiness is required from $\mathcal{F}_{loss} = (G, F, F^{-1})$ in order for $\mathcal{F}_w$ to be OW under $C_w$?


Talk Outline

  • OW under Correlated Inputs and the Rosen-Segev Construction

  • CCA-security from Slightly LTDFs

  • A Slightly LTDF based on Modular Squaring

  • Conclusions


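Slightly LTDFs → CCA

  • $\mathcal{F}$ = $(n,l)$-lossy TDF with domain $\{0,1\}^n$

  • $(x_1, \ldots, x_w) \sim C_w$ with $H_\infty(x_1, \ldots, x_w) = \mu > w \cdot (n-l) + \omega(\log n)$

[Lemma] $\mathcal{F} = (G, F, F^{-1})$ family of $(n,l)$-lossy TDFs, then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided

$H_\infty(C_w) = \mu \geq w(n-l) + \omega(\log n)$

  • $f_1, f_2, \ldots, f_w \leftarrow G_{inj}$: $(f_1(x_1), f_2(x_2), \ldots, f_w(x_w))$ has a unique preimage

  • $f_1, f_2, \ldots, f_w \leftarrow G_{loss}$: $(f_1(x_1), f_2(x_2), \ldots, f_w(x_w))$ takes at most $2^{w(n-l)}$ values; $2^{\omega(\log n)}$ many preimages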


(d,w)-subset reconstructable distribution

[Figure: elements $x_1, x_2, \ldots, x_{w-1}, x_w$, with a subset $x_{i_1}, x_{i_2}, \ldots, x_{i_d}$ highlighted]

Property: All $w$ elements can be reconstructed by any $d$ distinct $x_i$'s

Efficient Sampling: (d,w)-threshold secret sharing scheme

Entropy: If $x_i \in \{0,1\}^n$, then $H_\infty(x_1, \ldots, x_w) \approx d \cdot n$
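A sketch of sampling such a distribution with a Shamir-style threshold scheme, added here as an illustration and not taken from the slides. It assumes a prime field GF(P) in place of {0,1}^n; `sample_cw` and `reconstruct` are hypothetical names.

```python
import secrets

# Assumption: elements live in the prime field GF(P) rather than {0,1}^n.
P = 2**61 - 1  # Mersenne prime, so log2(P) plays the role of n


def sample_cw(d, w):
    """Sample (x_1, ..., x_w) with x_i = poly(i), poly uniform of degree < d.

    The d coefficients are uniform and determine the tuple bijectively,
    so the tuple has min-entropy d * log2(P), matching H_inf ~ d.n.
    """
    coeffs = [secrets.randbelow(P) for _ in range(d)]

    def poly(t):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * t + c) % P
        return acc

    return [poly(i) for i in range(1, w + 1)]


def reconstruct(known, w):
    """Rebuild all w elements from {index: x_index} holding d distinct entries."""
    points = list(known.items())
    out = []
    for target in range(1, w + 1):
        total = 0
        for i, xi in points:
            num = den = 1
            for j, _ in points:
                if j != i:
                    num = num * (target - j) % P
                    den = den * (i - j) % P
            # Lagrange basis polynomial for point i, evaluated at `target`
            total = (total + xi * num * pow(den, -1, P)) % P
        out.append(total)
    return out
```

This is the property the decryption simulation relies on: inverting any d of the w coordinates is enough to recover the whole input tuple.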


Achieving High Entropy

[Figure: ECC maps $VK_1$ and $VK_2$ (length $k$) to codewords $\mathrm{ECC}(VK_1)$ and $\mathrm{ECC}(VK_2)$ (length $w$)]

Desired property: If $VK_1 \neq VK_2$, then $\mathrm{ECC}(VK_1)$, $\mathrm{ECC}(VK_2)$ "far apart"

Reed Solomon Codes: $d = w-k+1$ (meet Singleton bound)


Putting the Pieces Together

Illustration: CCA-Security from $(n,1)$-lossy TDFs

  • ECC: $[w, k, d=w-k+1]$ Reed-Solomon

  • Input Distribution: $(d, w)$-subset reconstructable distribution

  • $k = n^{\varepsilon}$, $w = n^{\theta}$, where $\theta > 1 + \varepsilon$. $d = w-k+1$

[Lemma] $\mathcal{F} = (G, F, F^{-1})$ family of $(n,l)$-lossy TDFs, then $\mathcal{F}_w$ is OW under any distribution $C_w$ provided

$H_\infty(C_w) = \mu \geq w(n-l) + \omega(\log n)$

Entropy: $d \cdot n > (w-k) \cdot n = w \cdot (n - kn/w) > w \cdot (n-1) + \omega(\log n)$

$(n,1)$-lossy TDFs imply CCA-security


Summary: CCA from correlated inputs

*Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.


From LTDFs to CCA-Security (generically)

[Figure: axis "amount of lossiness (bits)" with marks $n(1-o(1))$ (DDH), $cn$ (LWE), $\log e$ (RSA function, Φ-hiding), $1$ (mod squaring, QR) and $1/\mathrm{poly}(n)$, each labelled with its hardness assumption; the first build marks [PW08, RS09], the second build marks "this work"]


Talk Outline

  • OW under Correlated Inputs and the Rosen-Segev Construction

  • CCA-security from Slightly LTDFs

  • A Slightly LTDF based on Modular Squaring

  • Conclusions


Slightly LTDF from 2vs3Primes

Hardness Assumption: 2vs3Primes

  • $\mathrm{2Primes}_n$: $p, q$ primes; $N = pq$; $|N| = n$

  • $\mathrm{3Primes}_n$: $p, q, r$ primes; $N' = pqr$; $|N'| = n$

  • $N \approx_c N'$

The construction $\mathcal{F}$

  • Sample injective: $N \leftarrow \mathrm{2Primes}_{n+1}$; $s_{inj} = N$; $t = (p,q)$

  • Sample lossy: $N \leftarrow \mathrm{3Primes}_{n+1}$; $s_{loss} = N$

  • Evaluate: $F: \{0,1\}^n \to \mathbb{Z}_N$

    • $F(N, x) = (x^2 \bmod N, (x > N/2), (J_N(x) = 1))$


Slightly LTDF from 2vs3Primes

[Theorem] Under the 2vs3Primes assumption, $\mathcal{F}$ is a family of $(n, \tfrac{1}{4})$-lossy TDFs.

  • Indistinguishability

Immediate from 2vs3Primes assumption

  • Invertibility

$(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$

[Figure: $x$ is mapped to $(y, b_1, b_2)$; using $t = (p,q)$, $x$ is recovered from among the roots $x, -x$ and $z, -z$]


Slightly LTDF from 2vs3Primes

  • Lossiness ($N = pqr$)

$(y = x^2 \bmod N,\ b_1 = (x > N/2),\ b_2 = (J_N(x) = 1))$

[Figure: map from $\{0,1\}^n$ into $\mathbb{Z}_N$, labelled 8-to-1, with the image size bounded per region]

  • $\gcd(x,N) = 1$ and $x < N/2$: $\leq \varphi(N)/4$

  • $\gcd(x,N) > 1$ and $x < N/2$: $\leq (N - \varphi(N))/2$

  • $x \geq N/2$: $\leq 2^n - N/2$

$|\mathrm{Img}(\{0,1\}^n)| \leq 2^{n-1/4}$


Talk Outline

  • OW under Correlated Inputs and the Rosen-Segev Construction

  • CCA-security from Slightly LTDFs

  • A Slightly LTDF based on Modular Squaring

  • Conclusions


Conclusions

Summary

  • Slightly LTDFs are powerful.

  • Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.

  • Construction of a slightly LTDF from 2vs3PRIMES

Open Problems

  • CCA-security from new hardness assumptions (via slightly lossy TDFs)

  • Is small lossiness enough for BB construction of other primitives (for example CRHF) ?

