Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Download Presentation

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Loading in 2 Seconds...

- 117 Views
- Uploaded on
- Presentation posted in: General

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Petros Mol, Scott Yilek

PKC 2010

UC, San Diego

May 27, 2010

server

client

insecure channel

pk

pk, sk

Ideally: Protect against all possible attacks

Modeling all possible attacks is hard (if possible at all)

For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91])

Π=(KeyGen, Enc, Dec)

pk

(pk,sk) Keygen(1n)

ci

c*=Enc(pk,b)

mi=Dec(sk , ci)

$

b {0,1}

Π=(KeyGen, Enc, Dec)

ci ≠ c*

(pk,sk) Keygen(1n)

mi=Dec(sk , ci)

pk,

c*

$

b {0,1}

Π=(KeyGen, Enc, Dec)

(pk,sk) Keygen(1n)

b’

pk,

c*

$

b {0,1}

Security against CCA attacks

For all efficient adversaries

|Pr [b’=b]-1/2| =negl(n)

[DDN 91]

Enhanced TDPs

[RS09]

Correlatedinputs

[CS 02]

UHPS

[CHK 04]

IBE

[PW08]

LTDFs

Generic Constructions

1998

2006

I

I

I

I

I

I

I

2008

2009

1991

2002

2004

Concrete Instantiations

[CS98]

DDH

[CKS08]

CDH

[HK09]

Factoring

[BCHK 06]

BCDH

[DDN 91]

Enhanced TDPs

[RS09]

Correlatedinputs

[CS 02]

UHPS

[CHK 04]

IBE

[PW08]

LTDFs

Generic Constructions

1998

2006

I

I

I

I

I

I

I

2002

2008

2009

1991

2004

Concrete Instantiations

[CS98]

DDH

[CKS08]

CDH

[HK09]

Factoring

[BCHK 06]

BCDH

F =(G, F, F-1) (n,l)-lossy TDF

{0,1}n

F(sinj , .)

.

.

Injectivemode

(sinj , t) G(inj)

F-1(t, .)

F(sinj , .) : 1-1

computational

requirement

{0,1}n

(sloss , ) G(loss)

F(sloss ,.)

Lossy

mode

F(sloss ,.)

|Img(F(sloss ,.))|=2n-l

F(sloss ,.)

[Peikert, Waters 08]

CCA-secure

PKE

(n, n(1-o(1))) LTDFs

All But One TDFs

[Rosen, Segev 09]

Correlated input OWFs

(n, n(1-o(1))) LTDFs

CCA-secure

PKE

This work

(n, 1/poly(n)) LTDFs

Correlated input OWFs

CCA-secure

PKE

- OW under Correlated Inputs and the Rosen-Segev Construction
- CCA-security from Slightly LTDFs
- A Slightly LTDF based on Modular Squaring
- Conclusions

family of efficiently computable functions

F =(G, F)

[Def] (w-wise product)

f1, f2,…,fw

Gw

- Generation:

(x1, x2, … , xw)

(f1(x1), f2(x2),…, fw(xw))

- Evaluation:

- One-Wayness: Fone-way under Cw-correlated inputs if for all PPT adversaries A

Pr[A(f1,…, fw, f1(x1),…, fw(xw))= (x1,..., xw)] : negligible

where (x1,..., xw) ~ Cw

- Components
- F =(G, F, F-1): injective TDFs, OW under Cw-correlated inputs
- Π = (Kg, Sign, Ver)one-time signature scheme
- hhardcore predicate for F under Cw-correlated inputs

The Construction: E= (KeyGen, Enc, Dec)

t1,0

t1,1

tw,0

tw,1

. . .

sk

KeyGen

G

. . .

f1,0

f1,1

fw,0

fw,1

pk

x = (x1,… , xw) Cw

(VK, SK) Kg ;

VK=VK1. . .VKw {0,1}w ;

yi =fi,Vki (xi)

Enc

Rosen-Segev Simplified construction

- Components
- F =(G, F, F-1): injective TDFs, OW under Cw-correlated inputs
- Π = (Kg, Sign, Ver)one-time signature scheme
- hhardcore predicate for F under Cw-correlated inputs

The Construction: E= (KeyGen, Enc, Dec)

t1,0

t1,1

tw,0

tw,1

. . .

sk

KeyGen

G

. . .

f1,0

f1,1

fw,0

fw,1

pk

x = (x1,… , xw) Cw

(VK, SK) Kg ;

VK=VK1. . .VKw{0,1}w ;

yi =fi,Vki (xi)

Enc

Rosen-Segev Simplified construction

- Components
- F =(G, F, F-1): injective TDFs, OW under Cw-correlated inputs
- Π = (Kg, Sign, Ver)one-time signature scheme
- hhardcore predicate for F under Cw-correlated inputs

The Construction: E= (KeyGen, Enc, Dec)

t1,0

t1,1

tw,0

tw,1

. . .

sk

KeyGen

G

. . .

f1,0

f1,1

fw,0

fw,1

pk

x = (x1,… , xw) Cw

(VK, SK) Kg ;

VK=VK1. . .VKw{0,1}w ;

yi =fi,Vki (xi)

Enc

c1 = b h(f1,Vk1, … , fw,Vkw , x)

(VK, y1, … , yw, c1, c2 )

c2 =Sign(SK, y1, … , yw, c1 )

14

Rosen-Segev Simplified construction

- For CCA proof : 2 requirements from Cw
- Hardness assumption: F should be OW under Cw
- almost perfect simulation of decryption:(x1,…, xw)reconstructable from any xi

x1=x2=. . .=xw

: w-repetition distribution

Cw

Instantiation ([RS09])

(n, n(1-1/w))-lossy TDFs

OW under w-repetition

Rosen-Segev Generalized construction

Additional Component

ECC: ΣkΣw with distance d

The Construction: E= (KeyGen, Enc, Dec)

. . .

. . .

t1,0

t1,|Σ|-1

. . .

tw,0

tw,|Σ|-1

sk

KeyGen

pk

. . .

. . .

f1,0

f1,|Σ|-1

. . .

fw,0

fw,|Σ|-1

(VK, SK) Kg , VKΣk; ECC(VK) = σ1. . .σw Σw

x = (x1,… , xw) Cw

yi =fi,σi (xi)

Enc

16

Rosen-Segev Generalized construction

Additional Component

ECC: ΣkΣw with distance d

The Construction: E= (KeyGen, Enc, Dec)

. . .

. . .

t1,0

t1,|Σ|-1

. . .

tw,0

tw,|Σ|-1

sk

KeyGen

pk

. . .

. . .

f1,0

f1,|Σ|-1

. . .

fw,0

fw,|Σ|-1

(VK, SK) Kg , VKΣk; ECC(VK) = σ1. . .σwΣw

x = (x1,… , xw) Cw

yi =fi,σi (xi)

Enc

17

Rosen-Segev Generalized construction

Additional Component

ECC: ΣkΣw with distance d

The Construction: E= (KeyGen, Enc, Dec)

. . .

. . .

t1,0

t1,|Σ|-1

. . .

tw,0

tw,|Σ|-1

sk

KeyGen

pk

. . .

. . .

f1,0

f1,|Σ|-1

. . .

fw,0

fw,|Σ|-1

(VK, SK) Kg , VKΣk; ECC(VK) = σ1. . .σwΣw

x = (x1,… , xw) Cw

yi =fi,σi (xi)

Enc

(VK, y1, … , yw, c1, c2 )

c1 = b h(f1,σ1, … , fw,σw , x)

c2 =Sign(SK, y1, … , yw, c1 )

18

Rosen-Segev Generalized construction

- Required properties for Cw
- Hardness assumption: F should be OW under Cw
- almost perfect simulation of decryption:(x1,…, xw)reconstructable from any d distinct xi

distance of the ECC

Focus of this work

How much lossiness is required from Floss= (G, F, F-1)

in order for Fw to be OW under Cw?

- OW under Correlated Inputs and the Rosen-Segev Construction
- CCA-security from Slightly LTDFs
- A Slightly LTDF based on Modular Squaring
- Conclusions

- F = (n,l)-lossy TDF with domain {0,1}n
- (x1,..., xw) ~ Cw with H∞(x1,..., xw) = μ > w.(n-l) + ω(log n)

[Lemma] F =(G, F, F-1)family of (n,l)-lossy TDFs,then Fwis OW under any distributionCwprovided

(f1(x1), f2(x2),…, fw(xw))

takes at most2w(n-l) values

2ω(logn)many

preimages

f1, f2,…,fw Gloss

≈

unique

preimage

f1, f2,…,fw Ginj

(f1(x1), f2(x2),…, fw(xw))

H∞(Cw) = μ≥ w(n-l) + ω(log n)

…

…

…

xi1

xid

xi2

Property: All w elements can be reconstructed by any d distinctxi’s

. . .

x1

x2

xw-1

xw

Efficient Sampling:(d,w)-threshold secret sharing scheme

Entropy: If xi {0,1}n , then H∞(x1,..., xw) ≈ d.n

ECC(VK1)

VK1

ECC

k

…

…

w

VK2

ECC(VK2)

ECC

…

Desired property: IfVK1≠ VK2, thenECC(VK1), ECC(VK2) “far apart”

…

k

Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

Illustration: CCA-Security from (n,1)-lossy TDFs

- ECC:[w, k, d=w-k+1]Reed-Solomon
- Input Distribution: (d, w)-subset reconstructable distribution
- k=nε, w=nθ, where θ> 1+ ε. d=w-k+1

[Lemma] F =(G, F, F-1)family of (n,l)-lossy TDFs,then Fwis OW under any distributionCwprovided

Entropy:d.n > (w-k).n = w.(n-kn/w) >w.(n-1) + ω(log n)

H∞(Cw) = μ≥ w(n-l) + ω(log n)

(n,1)-lossy TDFs imply CCA-security

*Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

amount of lossiness (bits)

[PW08, RS09]

DDH

n(1-o(1))

I

cn

LWE

I

RSA function

Φ-hiding

loge

I

mod squaring

QR

1

I

1/poly(n)

I

hardness

assumption

amount of lossiness (bits)

DDH

n(1-o(1))

I

cn

LWE

I

RSA function

Φ-hiding

loge

I

mod squaring

QR

1

I

1/poly(n)

I

hardness

assumption

this work

- OW under Correlated Inputs and the Rosen-Segev Construction
- CCA-security from Slightly LTDFs
- A Slightly LTDF based on Modular Squaring
- Conclusions

Hardness Assumption: 2vs3Primes

3Primesn

p ,q, r : primes

N’ =pqr ; |N’|=n

2Primesn

p , q: primes

N= pq ; |N|=n

c

N ≈ N’

The construction F

- Sample injective:N 2Primesn+1 ;sinj=N ; t=(p,q)

- Sample lossy:N 3Primesn+1 ;sloss=N

- Evaluate:F: {0,1}n ZN
- F(N , x) =(x2 mod N, (x>N/2) , (JN(x)=1))

[Theorem]Under the 2vs3Primes assumption, F is a family of (n,¼)-lossy TDFs.

- Indistinguishability

Immediate from 2vs3Primes assumption

( y= x2 mod N, b1= (x>N/2) , b2= (JN(x)=1))

- Invertibility

x

z

x , -x

z , -z

x

y

b1

b2

t=(p,q)

Slightly LTDF from 2vs3Primes

- Lossiness(N= pqr)

( y= x2 mod N, b1= (x>N/2) , b2= (JN(x)=1))

ZN

{0,1}n

8-to-1

gcd(x,N)=1 and

x<N/2

≤ φ(N)/4

gcd(x,N)>1 and

x<N/2

≤ (N-φ(N))/2

≤ 2n-N/2

x ≥ N/2

|Img({0,1}n)|≤ 2n-1/4

- OW under Correlated Inputs and the Rosen-Segev Construction
- CCA-security from Slightly LTDFs
- A Slightly LTDF based on Modular Squaring
- Conclusions

Summary

- Slightly LTDFs are powerful.
- Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.
- Construction of a slightly LTDF from 2vs3PRIMES

Open Problems

- CCA-security from new hardness assumptions (via slightly lossyTDFs)
- Is small lossiness enough for BB construction of other primitives (for example CRHF) ?