Starting point: Canetti-Holmgren’s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as q can be different Memory content transc = (q, op) are the same. [encrypt the state] can be different [KLW-technique] [encrypt the data] 58
Starting point: Canetti-Holmgren’s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as q can be different Memory content Hide access transc = (q, op) are the same. [encrypt the state] can be different pattern. [KLW-technique] [encrypt the data] [oram] 59
Starting point: Canetti-Holmgren’s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as q can be different Memory content Hide access transc = (q, op) are the same. [encrypt the state] can be different pattern. [KLW-technique] [encrypt the data] [oram] 60
Canetti-Holmgren (ITCS16) 61
Canetti-Holmgren (ITCS16) + Zoom-in the core step: 62
Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (iO-friendly) Iterator (iO-friendly) Accumulator (iO-friendly) Splittable signature 63
Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (iO-friendly) Iterator (iO-friendly) Accumulator (iO-friendly) Splittable signature Accumulator iO-friendly Merkle-tree What is written in eprint 2015/1074 64
Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (iO-friendly) Iterator G(D 0 ) (iO-friendly) Accumulator (iO-friendly) Splittable signature e z i l a i t i n i Accumulator iO-friendly Merkle-tree What is written in eprint 2015/1074 65
Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (iO-friendly) Iterator G(D 0 ) (iO-friendly) Accumulator (iO-friendly) Splittable signature e z i l a i t i n i G(P i+1 ) e t a c t i n e h t u A Accumulator iO-friendly Merkle-tree key What is written in eprint 2015/1074 66
Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (iO-friendly) Iterator G(D 0 ) (iO-friendly) Accumulator (iO-friendly) Splittable signature e z i l a i t i n i G(P i+1 ) e t a c t i n e h t u A Accumulator iO-friendly Merkle-tree key update G(D i+1 ) What is written in eprint 2015/1074 67
Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator 68
Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 69
Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 70
Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 71
Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 72
y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (iO-friendly property): there’s only one preimage x* of the current root value y*. x* #Merkletree 73
y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (iO-friendly property): there’s only one preimage x* of the current root value y*. Impossible information theoretically. x* #Merkletree 74
y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (iO-friendly property): there’s only one preimage x* of the current root value y*. Impossible information theoretically. x* #Merkletree KLW’s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->H*, H ≈ H* 75
y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (iO-friendly property): there’s only one preimage x* of the current root value y*. Impossible information theoretically. x* #Merkletree KLW’s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->H*, H ≈ H* Alternatively: SSB hashing => [Ananth-Chen-Chung-Lin-Lin] 76
Selective Enforcing Adaptive Enforcing 77
Selective Enforcing Adaptive Enforcing x* <= Adversary 78
Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* 79
Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H Gen( ) => H Enforcing(x*, y*) => H* 80
Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H x* <= Adversary(H) Gen( ) => H Enforcing(x*, y*) => H* 81
Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H x* <= Adversary(H) Gen( ) => H Enforcing(x*, y*) => H* Enforcing(x*, y*) => H* 82
Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H x* <= Adversary(H) Gen( ) => H Enforcing(x*, y*) => H* Enforcing(x*, y*) => H* ( … wait, what?) 83
#Mindblowing 84
Fact I Can separate the key 85
key = hk + vk G(D 0 ) e z i l a i t i n i G(P i+1 ) e t a c t i n e h t u A Accumulator iO-friendly Merkle-tree key update G(D i+1 ) What is written in eprint 2015/1074 86
key = hk + vk G(D 0 ) hk e z i l a i t i n i G(P i+1 ) e t a c t i n e h t u A Accumulator vk iO-friendly Merkle-tree key update G(D i+1 ) hk What is written in eprint 2015/1074 87
Adaptive Enforcing hk 88
Adaptive Enforcing hk x* <= Adversary( hk ) 89
Adaptive Enforcing hk x* <= Adversary( hk ) ≈ vk vk*(x*) 90
Fact II If you believe diO ... 91
Adaptive Enforcing key = hk + vk 92
Adaptive Enforcing key = hk + vk hk always_hk_Gen( ) -> hk := CRHF key h 93
Adaptive Enforcing key = hk + vk hk x* <= Adversary(H) always_hk_Gen( ) -> hk := CRHF key h 94
Adaptive Enforcing key = hk + vk hk x* <= Adversary(H) vk always_hk_Gen( ) -> hk := CRHF key h normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 ) 95
Adaptive Enforcing key = hk + vk hk x* <= Adversary(H) ≈ vk vk*(x*) always_hk_Gen( ) -> hk := CRHF key h normal_vk_Gen( ) -> vk vk(x,y) = diO( if h(x)=y, output 1; else: output 0 ) enforce_vk_Gen( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 96
Fact III: If you don’t believe diO, can still do this with iO. 97
From iO + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring 98
From iO + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 99
From iO + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = diO( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) By diO-iO equivalence lemma [ Boyle-Chung-Pass ‘14 ]: “ If f1 and f2 differ only on polynomially many input-output values, and they are hard to find, then iO(f1) ≈ iO(f2) ” 100
Recommend
More recommend
