Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions
Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu
Institute of Information Engineering, Chinese Academy of Sciences
2013.11.21
Xue, Li, Lu, Jia, Liu (IIE), Efficient LTDF based on SMP, 2013.11.21

Outline
1 Introduction
2 Our Contribution
  SMA ⇒ LTDF
  Concrete Examples
3 Conclusion

Lossy Trapdoor Function (LTDF)
Peikert and Waters proposed the LTDF in STOC 2008.
DDH, LWE → LTDF → TDF, Hard Core; OT; CR Hash; CCA, ...

Lossy Trapdoor Function [PW'08]
[Figure from Peikert's slides; surviving label: $F \overset{c}{\approx} F$]

Definition of LTDF
Injective model:
  $(s, t) \leftarrow S_{inj}(1^n)$;
  $F_{ltd}f(s, \cdot) : \{0,1\}^m \to \{0,1\}^*$
  $F_{ltd}^{-1}f(t, F_{ltd}f(s, x)) = x$.
Lossy with $l$ bits:
  $s \leftarrow S_{loss}(1^n)$;
  $F_{ltd}f(s, \cdot) : \{0,1\}^m \to \{0,1\}^*$
  $F_{ltd}f(s, \cdot)$ has size at most $2^{m-l}$;
$\{s : s \leftarrow S_{loss}\} \overset{c}{\approx} \{s : (s, t) \leftarrow S_{inj}\}$.

Constructions of LTDF
DDH or d-linear [PW'08], [FGKRS'10], [Wee12];
QR assumption [FGKRS'10], [JL'13], [Wee12];
DCR assumption [BFO'08], [FGKRS'10], [Wee12];
LWE assumption [PW'08], [Wee12];
Φ-Hiding [KOS'10].
The DCR based construction is one of the most efficient constructions.

DCR Assumption over $Z^*_{N^s}$ [Pai98, Dam01]
Definition
Let $N = pq$ for $p = 2p' + 1$, $q = 2q' + 1$ and $s \ge 2$.
$P := \{ a = x^{N^{s-1}} \bmod N^s \mid x \in Z^*_N \}$,
$M := \{ a = (1+N)^y x^{N^{s-1}} \bmod N^s \mid x \in Z^*_N, y \in Z_{N^{s-1}} \}$.
$\{ a \leftarrow P \} \overset{c}{\approx} \{ a \leftarrow M \}$
1 $N^{s-1}$-th residuosity is a subgroup with order $2p'q' \approx N/2$.
2 For $a$ in $M$, $a^{2p'q'} = 1 + y \, 2p'q' N \bmod N^s$.

DCR Based LTDF
For input $m \in [0, N^{s-1}]$, the two function models follow:
Injective model: $\{ (1+N) x^{N^{s-1}} \}^m$
Lossy model: $\{ x^{N^{s-1}} \}^m$
$Z^*_{N^s} = H \times K = \langle (1+N) \rangle \times \{ x^{N^{s-1}} \}$
$s \ge 3$ in order to make enough lossiness.

Motivation
General subgroup membership assumption $\overset{?}{\longrightarrow}$ LTDF
$\bmod N^3 \overset{?}{\longrightarrow} \bmod N^2 \overset{?}{\longrightarrow} \bmod N$

Our Contribution
Subgroup membership assumption + 2 Properties $\longrightarrow$ LTDF
$\bmod N^3 \longrightarrow \bmod N^2 \longrightarrow \bmod N$
Shrinking the subgroup or enlarging the quotient group.

Subgroup Membership Assumption [Gjøsteen 05]
Definition (SMA)
Let $G$ be a finite cyclic group.
$G = \langle g \rangle = G/K \times K = G/K \times \langle h \rangle$
The subgroup membership assumption $SM_{(G,K)}$ asserts that
$\{ x, x \leftarrow K \} \overset{c}{\approx} \{ x, x \leftarrow G \setminus K \}$.
$Z^*_{N^s} = \langle (1+N) \rangle \times \{ x^{N^{s-1}} \}$

2 Properties
1 $SDL_{(G,K,g)}$ is easy with a trapdoor $t$;
2 $|G/K| \gg |K|$. (Lossy property)
Definition (Subgroup Discrete Logarithm Problem [Gjøsteen 05])
If $\varphi : G \to G/K$ is the canonical epimorphism, then $SDL_{(G,K,g)}$ is:
to compute $\log_{\varphi(g)}(\varphi(x))$ for $x \leftarrow G$.
$(1+N)^y z^{N^{s-1}} \to y$.

Generic construction
Let $(G, K, g, h, t)$ be an instance of $SM_{(G,K)}$ with 2 properties. For $m \in [0, |G/K|]$, the two models follow.
Injective model:
  1 $a = gh^r$ for $r \le |K|$ and $t = t$;
  2 $F_{ltd}f(a, m) = a^m = [gh^r]^m$
  3 Recover $m$ by solving $SDL_{(G,K,g)}$ with $t$.
Lossy model:
  1 $a = h^r$ for $r \le |K|$;
  2 $F_{ltd}f(a, m) = a^m = [h^r]^m$
  3 $|F_{ltd}f(a, \cdot)| < |K|$ as $F_{ltd}f(a, \cdot)$ falls into $K$;

SMA ⇒ LTDF
Theorem (1 in page 240)
If $SM_{(G,K)}$ with the two properties above holds, then this is a $(\log |G/K|, \log |G/K| - \log |K|)$ LTDF.

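The DCR-based instance of the generic construction, as an added example that is not from the slides or the paper: it builds both models over $Z^*_{N^s}$ with $s = 3$, inverts the injective one with the trapdoor, and counts the lossy image. The toy primes 7 and 11, the function names, and the use of $(p-1)(q-1)$ as the trapdoor exponent are assumptions of this example.

```python
from math import gcd, log2

# Toy parameters, constructed for illustration (far too small to be secure).
P, Q, S = 7, 11, 3                 # p = 2*3+1, q = 2*5+1, exponent s = 3
N = P * Q
NS, NS1 = N ** S, N ** (S - 1)     # modulus N^s and |G/K| = N^(s-1)
LAM = (P - 1) * (Q - 1)            # assumed trapdoor t: multiple of every order in K
assert gcd(LAM, N) == 1            # needed so LAM is invertible mod N^(s-1)

def sample_index(x, injective):
    """a = (1+N) * x^(N^(s-1)) (injective) or a = x^(N^(s-1)) (lossy), mod N^s."""
    assert gcd(x, N) == 1
    k = pow(x, NS1, NS)            # element of K, the N^(s-1)-th residues
    return (1 + N) * k % NS if injective else k

def evaluate(a, m):
    """f(a, m) = a^m mod N^s for m in [0, N^(s-1))."""
    return pow(a, m, NS)

def dlog_base_1_plus_n(u):
    """Solve u = (1+N)^e mod N^s for e mod N^(s-1), one base-N digit per step."""
    e = 0
    for j in range(1, S):
        mod = N ** (j + 1)
        v = u * pow(1 + N, -e, mod) % mod      # equals 1 + d*N^j mod N^(j+1)
        e += ((v - 1) // N ** j % N) * N ** (j - 1)
    return e

def invert(c):
    """Trapdoor inversion: c^LAM removes the K part, leaving (1+N)^(m*LAM)."""
    e = dlog_base_1_plus_n(pow(c, LAM, NS))
    return e * pow(LAM, -1, NS1) % NS1

def image_size(a):
    """Number of distinct outputs of f(a, .) over the whole message space."""
    return len({evaluate(a, m) for m in range(NS1)})

def lossiness_bits(a):
    """log|G/K| minus log of the image size, as in the theorem's second parameter."""
    return log2(NS1) - log2(image_size(a))

if __name__ == "__main__":
    inj, loss = sample_index(2, True), sample_index(2, False)
    print("injective image:", image_size(inj), "of", NS1)
    print("lossy image:", image_size(loss))
    print("recovered:", invert(evaluate(inj, 1234)))
    print("bits lost in lossy model: %.1f" % lossiness_bits(loss))
```
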
DCR & QR based LTDF over $Z^*_{N^2}$
Let $N = pq$ with $p = 2^k p' + 1$, $q = 2^k q' + 1$.
For $y \in QNR_N$, let $G = \langle (1+N) y^N \rangle$ with order $N 2^k p'q'$;
For $h_1 \in Z^*_N$, let $K = \langle h_1^{2^k N} \rangle$ with order $p'q'$.
Theorem (3 in page 243)
DCR & QR ⇒ $SM_{(G,K)}$.

Extended p-subgroup based LTDF over $Z^*_{N^2}$
Let $N = p^2 q$ with $p = 2p' + 1$, $q = 2q' + 1$.
For $y \in Z^*_N$, let $h = y^{2N^2}$.
Let $G = \langle (1+N) h \rangle$ with order $N p'q'$;
Let $K = \langle h \rangle$ with order $p'q'$.
$SM_{(G,K)}$ is a generalization of the p-subgroup assumption in [OU98].

Decisional RSA [Groth 05] based LTDF over $Z^*_N$
Let $N = pq$ with $p = 2p' r_p + 1$, $q = 2q' r_q + 1$.
Let $r_p, r_q$ be $B$-smooth with $t$ distinct prime factors and $l \approx \log B$.
For $x \in Z^*_N$, let $h = x^{2 r_p r_q}$ and $g \leftarrow QR_N$.
Let $G = \langle g \rangle$ with order larger than $p'q' 2^{(t-d)(l-1)}$;
Let $K = \langle h \rangle$ with order $p'q'$.
This $SM_{(G,K)}$ assumption is the Decisional RSA assumption in [Groth 05].

Comparison with previous constructions
Assumption    Input size             Lossiness                  Index size           Efficiency
DDH           $n$                    $n - |G|$                  $n^2$ $G$            $n^2$ Multi
LWE           $n$                    $cn$                       $n(d+w)$ $Z_q$       $n(d+w)$ Multi
d-linear      $n$                    $n - d|G|$                 $n^2$ $G$            $n^2$ Multi
QR            $\log N$               $1$                        $Z^*_N$              1 Multi
DDH & QR      $n$                    $n - \log N$               $(n/k)^2$ $Z^*_N$    $(n/k)^2$ Multi
Φ-hiding      $\log N$               $\log e$                   $Z^*_N$              $\log e \log N$
DCR           $2 \log N$             $\log N$                   $Z^*_{N^3}$          $\log x \log N^3$
QR & DCR      $\frac{9}{8} \log N$   $\frac{3}{8} \log N$       $Z^*_{N^2}$          $\log x \log N^2$
E p-sub       $\log N$               $\frac{1}{3} \log N$       $Z^*_{N^2}$          $\log x \log N^2$
D RSA         $l_x$                  $l_x - l_{p'} - l_{q'}$    $Z^*_N$              $\log x \log N$
$l_x = 698$, $l_{p'} = l_{q'} = 160$

Conclusion
We present a generic construction of LTDFs from subgroup membership assumptions.
We give three efficient constructions based on
1 DCR & QR;
2 Extended p Subgroup;
3 Decisional RSA.

Thank you