Chosen-Ciphertext Security from Subset Sum, PKC 2016, 07.03.2016


  1. Chosen-Ciphertext Security from Subset Sum

     PKC 2016, 07.03.2016
     Sebastian Faust (1), Daniel Masny (1), Daniele Venturi (2)
     (1) Ruhr Universität Bochum, (2) Sapienza University of Rome

  2. Outline

     1 Our Contribution
     2 Subset Sum
     3 CCA secure PKE
     4 Tag-Based Encryption

  7. Our Contribution

     State of the Art
     ▶ CPA-secure Public Key Encryption (PKE) from Subset Sum [LPS10].
     ▶ The security decreases with the message length.
     ▶ Solution: split message (not possible for CCA)

     Our Results
     ▶ We construct a CCA-secure PKE from Subset Sum (using [MP12]).
     ▶ The security of our PKE does not decrease with the message length.

  13. Subset Sum

      Subset Sum$(n, \mu)$: Find secret $s \in \{0,1\}^n$, given
      $(A := (a_1, \dots, a_n),\; t := s_1 a_1 + \dots + s_n a_n) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu$.

      Hardness of Subset Sum, $\delta := \frac{n}{\log \mu}$:
      [Figure: axis for $\delta$ marked at $\Theta(\frac{1}{n})$, $\Theta(\frac{1}{\log n})$, $\Theta(1)$ and $\Theta(\frac{n}{\log^2 n})$.]
      ▶ We focus on $\delta = \Theta(\frac{1}{\log n})$.

      Decisional Subset Sum [IN96]: $(A, t)$ is hard to distinguish from uniform.

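  19. “LWE” form of Subset Sum [LPS10]

      $(A, t) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu \;\to\; \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$

      Let $\mu = q^m$, then we can represent $a \in \mathbb{Z}_\mu$ as a value in $\mathbb{Z}_q^m$:
      $$a = a_m \cdot q^{m-1} + \dots + a_1 \cdot q^0 \;\hat{=}\; (a_m, \dots, a_1)^T \in \mathbb{Z}_q^m$$
      Therefore
      $$A = (a_1, \dots, a_n) \;\hat{=}\; \begin{pmatrix} a_{1,m} & \cdots & a_{n,m} \\ \vdots & \ddots & \vdots \\ a_{1,1} & \cdots & a_{n,1} \end{pmatrix} \in \mathbb{Z}_q^{m \times n}$$
      (here $a_{i,j}$ is the $j$-th base-$q$ digit of $a_i$).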

  25. “LWE” form of Subset Sum [LPS10]

      $$\begin{aligned} t &= s_1 a_1 + \dots + s_n a_n \in \mathbb{Z}_{q^m}, \\ &\hat{=}\; s_1 \begin{pmatrix} a_{1,m} \\ \vdots \\ a_{1,2} \\ a_{1,1} \end{pmatrix} + \dots + s_n \begin{pmatrix} a_{n,m} \\ \vdots \\ a_{n,2} \\ a_{n,1} \end{pmatrix} + \begin{pmatrix} e_m(A,s) \\ \vdots \\ e_2(A,s) \\ e_1(A,s) \end{pmatrix} \in \mathbb{Z}_q^m, \end{aligned}$$
      where $e(A, s)$ is a vector of carries.

      From now on, $(A,\; t = As + e(A, s)) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$ ($m$ samples).

  33. Many Samples from Subset Sum

      $\mu = q^m \;\Rightarrow\; m$ samples $\;\Rightarrow\; \delta = \frac{n}{\log \mu} = \frac{n}{m \cdot \log q}$ (easy for e.g. $m = n^2$)

      From $m$ to $\ell$ samples:
      ▶ given $(A, t) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$
      ▶ $R \leftarrow D_q^{\ell \times m}$, where $D$ has sufficient min-entropy.
      ▶ output $(RA,\; Rt = RAs + Re(A, s)) \in \mathbb{Z}_q^{\ell \times n} \times \mathbb{Z}_q^{\ell}$
      ▶ Leftover hash lemma [HILL99]: If $(A, t)$ is uniform $\Rightarrow$ $(A, t, RA, Rt)$ is uniform.
      ▶ $(RA, Rt)$ is not Subset Sum distributed ($Re(A, s) \neq e(RA, s)$).
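
Added example (not from the slides): a toy instance that carries out the digit decomposition $t = As + e(A, s)$ from the “LWE” form slides and the compression by $R$ from this slide, and checks that $Re(A, s)$ differs from $e(RA, s)$. The parameters $q = 5$, $m = 3$, the values of $a$, $s$ and $R$, and all function names are constructed for illustration; digit vectors are stored least-significant digit first, whereas the slides list $a_m$ on top.

```python
# Added illustration; toy parameters (q=5, m=3, n=3) are constructed, not from the slides.
# Digit vectors are stored least-significant digit first (the slides list a_m on top).

def digits(x, q, m):
    """Base-q digits (x_1, ..., x_m) of x in Z_{q^m}."""
    return [(x // q**j) % q for j in range(m)]

def from_digits(d, q):
    return sum(dj * q**j for j, dj in enumerate(d))

def lwe_form(a, s, q, m):
    """Map a Subset Sum instance over Z_{q^m} to (A, t, e) with t = A s + e mod q."""
    A = [[digits(ai, q, m)[j] for ai in a] for j in range(m)]  # row j: digit j of each a_i
    t = digits(sum(si * ai for si, ai in zip(s, a)) % q**m, q, m)
    e, carry = [], 0
    for row in A:                      # schoolbook addition, digit by digit
        e.append(carry % q)            # e_j(A, s): carry entering digit j
        carry = (sum(si * x for si, x in zip(s, row)) + carry) // q
    return A, t, e

def mat_vec(M, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in M]

def mat_mul(R, A, q):
    cols = list(zip(*A))
    return [[sum(x * y for x, y in zip(r, c)) % q for c in cols] for r in R]

def carries_of(M, s, q):
    """e(M, s): read the columns of M as base-q numbers and recompute the carries."""
    a = [from_digits(col, q) for col in zip(*M)]
    return lwe_form(a, s, q, len(M))[2]

def demo():
    q, m = 5, 3
    a, s = [87, 44, 119], [1, 0, 1]           # constructed instance, mu = 125
    R = [[1, 1, 0], [0, 1, 1]]                # constructed l x m compression matrix
    A, t, e = lwe_form(a, s, q, m)
    As = mat_vec(A, s, q)
    RA, Rt, Re = mat_mul(R, A, q), mat_vec(R, t, q), mat_vec(R, e, q)
    return {"t": t, "As+e": [(x + y) % q for x, y in zip(As, e)], "e": e,
            "Rt": Rt, "RAs+Re": [(x + y) % q for x, y in zip(mat_vec(RA, s, q), Re)],
            "Re": Re, "e(RA,s)": carries_of(RA, s, q)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The relation $Rt = RAs + Re(A, s)$ still holds after compression, but the error term $Re(A, s)$ is no longer the carry vector of the instance $RA$, which is the point of the last bullet above.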

  39. CCA secure PKE

      Given a One-Time Signature (OTS), [CHK04]: TBE + OTS → CCA-secure PKE.

      Tag-Based Encryption (TBE): TBE = (Gen, Enc, Dec).

      Correctness: For $(sk, pk) \leftarrow \mathsf{Gen}(1^n)$: $\mathsf{Dec}(sk, \tau, \mathsf{Enc}(pk, \tau, M)) = M$

      Security: For all ppt Adv.: $\Pr[b' = b] = 1/2$.

      [Figure: security game with Adv.: $(sk, pk) \leftarrow \mathsf{Gen}(1^n)$; $M = \mathsf{Dec}(sk, \tau, c)$, $\cdots$; $b \leftarrow \{0, 1\}$, $c^* \leftarrow \mathsf{Enc}(pk, \tau^*, M_b)$; $M = \mathsf{Dec}(sk, \tau, c)$, $\cdots$]
