Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang - - PowerPoint PPT Presentation

efficient threshold encryption from lossy trapdoor
SMART_READER_LITE
LIVE PREVIEW

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang - - PowerPoint PPT Presentation

Aug 20, 2022 521 likes •855 views

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

slide-1
SLIDE 1

Efficient Threshold Encryption from Lossy Trapdoor Functions

Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences

slide-2
SLIDE 2

2

Outline

 Background  Our Results  Our Constructions  Conclusions

slide-3
SLIDE 3

3

pk sk

...

n parties

sk2 sk1 skn

Threshold Public Key Encryption (ThPKE)

slide-4
SLIDE 4

4

pk sk

C=ThEnc(pk,m)

...

n parties

pk

Threshold Public Key Encryption (ThPKE)

slide-5
SLIDE 5

5

pk sk

...

n parties

pk

m1 = ThDec(C,sk1) m2 = ThDec(C,sk2) mn = ThDec(C,skn) If more than tp parties are honest m = Combine(m1,m2, …, mn)

Threshold Public Key Encryption (ThPKE)

slide-6
SLIDE 6

6

ThPKE=(ThGen, ThEnc, ThDec ThCom)  ThGen: (pk, sk) ThGen(λ, n, tp)  ThEnc: C ThEnc(pk,m)  ThDec: mi ThDec(ski, C) ThCom: m ThCom(m1,m2,…,mn)

Formal definition

slide-7
SLIDE 7

7

Static Attacker Challenger Announce threshold tp to be corrupted pk sk1, sk2 ,…, sktp (i , C) mi=ThDec(C, ski)

m0, m1 C*=ThEnc(pk, mb), b {0,1} (i , C ≠ C*)

Output b’ (guess b) mi=ThDec(C, ski)

Security

slide-8
SLIDE 8

8

Related work

 Introduced by Desmedt’87 and Desmedt- Frankel’90  Shoup-Gennaro’98 (ROM)  Canetti-Goldwasser’99 (interactive or storage of secrets)  Zhang-Hanaoka-Shikata-Imai’04,Dodis-Katz’05 (generic constructions from ME)  Boneh-Boyen-Halevi’05, Arita–Tsurudome’09 (pairing)  Bendlin-Damgard’10 (lattice, not generic)

slide-9
SLIDE 9

9

Overview of our results

1. Generic threshold public encryption

 Inspired from Dodis-Katz’05  Weaker components than those in DK’05

 sTag-CCA instead of Tag-CCA

2. sTag-CCA PKE from lossy trapdoor functions

 ThPKE from lattices (against quantum attackers)

  • 3. Comparisons with other schemes from Lattice

 slightly efficient than the known lattice based scheme (BD’10)

slide-10
SLIDE 10

Basic Ideas

10

Threshold PKE Full Tag-CCA PKE Lossy Trapdoor Functions Multiple Encryption Technique ([ZHSI04,DK05])

?

Efficient Solutions

slide-11
SLIDE 11

Towards our goal…

11

Threshold PKE sTag-CCA PKE Lossy Trapdoor Functions

  • 1. ThPKE from sTag-CCA PKE

(Improving [ZHSI04,DK05])

  • 2. sTag-CCA PKE from Lossy

Trapdoor Functions

slide-12
SLIDE 12

12

 Tag-based PKE (TPKE) Informally, the encryption and the decryption algorithms take an additional input: a “tag” (denoted as τ).

TPKE=(TGen, TEnc, TDec)

 (pk,sk)TGen(k)  (C, τ)TEnc(pk, τ, m)  mTDec(sk, C, τ)

Ingredients

slide-13
SLIDE 13

13

 Full Tag-CCA (used in DK’05)

 (C, τ) ≠ (C*, τ*) in 2nd CCA-query stage  (C, τ*) is a legal query as long as C ≠ C*

 sTag-CCA

 τ ≠τ* for a query (C, τ) in 2nd CCA-query stage  Any (C*, τ) with τ ≠ τ* is a legal query

sTag-CCA is a weaker security defnition than full Tag-CCA !

Security of TPKE

slide-14
SLIDE 14

14

Other ingredients

 Secret Share scheme SS = (Share, Rec) with privacy threshold tp

 (m1,m2,…,mn)Share(m, n)  mRec(m1,m2,…,mn)  tp legal shares do not reveal any information of m

 Signature scheme ∑=(Gen, Sign, Ver)  Strongly unforgeable one-time signature

 An attacker is able to make at most one query to the sign oracle on a message m, and obtain σ.  The attacker wins if he outputs (m*, σ*) ≠ (m, σ) and Ver(m*, σ*) =1

slide-15
SLIDE 15

15

Construction: step 1

“SS + TPKE + Sig = ThPKE”

Step 1

slide-16
SLIDE 16

16

Security of TPKE

Selective Attacker Challenger

Select τ* to the challenger pk (C, τ ≠ τ* ) m=TDec(sk, C, τ )

m0, m1 (C*, τ*) =TEnc(pk, τ* mb) b {0,1} (C, τ ≠ τ* ) m=TDec(sk, C, τ )

Output b’ (guess b)

slide-17
SLIDE 17

Intuition of the design of DK’05

17

c1 = TEnc(pk1, svk, m1) c2 = TEnc(pk2, svk, m2) cn = TEnc(pkn, svk, mn)

σ = Sign(ssk, (c1,…cn))

The adversary can no longer modify the ciphertext!

c= < svk,c1,c2,… ,cn,σ>

slide-18
SLIDE 18

18

Our construction

 Given TPKE=(TGen, TEnc, TDec), SS = (Share, Rec)

∑ = (Gen, Sign, Ver), we construct ThPKE=(ThGen,ThEnc, ThDec, ThCom) as follows.

 ThGen(n, tp)

 (pk1,sk1) TGen, …, (pkn,skn) TGen,  Set PK=(pk1,…, pkn), Ski=ski

 ThEnc(PK, m)

 (m1,…,mn)=Share(m); (svk,ssk) Gen  c1 = TEnc(pk1, svk, m1),…, cn = TEnc(pkn, svk, mn)  σ = Sign(ssk, (c1,…cn))  Output C=(svk, c1,…cn, σ)

slide-19
SLIDE 19

19

Our construction

 ThDec(Ski, C)

 Parse C = (svk, c1,…cn, σ)  Check Ver(svk, (c1,…cn)) =1; if not, abort  Output mi = TDec(ski, ci ,svk)

 ThCom(m1,…,mn)

 Output m=Rec(m1,…,mn)

slide-20
SLIDE 20

20

Theorem 1. ThPKE constructed above is a CCA secure threshold encryption scheme, if TPKE is sTag-CCA secure, SS is tp secure and ∑ is one-time strongly unforgeable.

Proof sketch: We define a sequence of games to prove this theorem. W.l.o.g we assume {n-tp+1,…n} are corrupted. 1, If decryption query C is of the form (svk*, c1,…cn σ), abort. This can be done via the one-time strongly unforgeable signature.

Security of our scheme

slide-21
SLIDE 21

21

  • 2. For 1 ≤ i ≤ n – tp-1, the challenger change the challenge ciphertext as:

Game i: (TEnc(pk1,0), …,TEnc(pki, 0), TEnc(pki+1,mi+1),…,TEnc(pkn,mn) Game i+1: (TEnc(pk1,0), …,TEnc(pki, 0), TEnc(pki+1,0),…, TEnc(pkn,mn) View(Game i) ≈ View(Game i+1) according to the sTag-CCA of TPKE scheme !

Security of our scheme

slide-22
SLIDE 22

Up to now…

22

Threshold PKE sTag-CCA PKE Lossy Trapdoor Functions

  • 1. ThPKE from sTag-CCA PKE

(Improving [ZHSI04,DK05])

?

Efficient Solutions

slide-23
SLIDE 23

23

We obtain sTag-CCA PKE from lossy trapdoor functions and All-But-One (ABO) trapdoor functions [PK’08].

Construction: step 2

How to sTag-CCA PKE

slide-24
SLIDE 24

24

Lossy trapdoor functions

slide-25
SLIDE 25

25

(s,td) Sabo(b*) G(s,b,x): an injective trapdoor function (with b ≠ b*) G(s,b*,x): a lossy function

s0 ≈ s1

(s0,td0) Sabo(b0), (s1,td1) Sabo(b1) For any b0,b1

All-But-One trapdoor functions

“LF + Additional Branch Set”

slide-26
SLIDE 26

26

Our sTag-CCA PKE

PKE = (Gen, Enc, Dec)

 Gen(k)

 (F, F-1) S(inj,k), (s, td) Sabo(0,k),  Sample a pairwise independent hash h  pk=(F,G, h), sk=(F-1) (td’ for proof)

 Enc (m)

 Choose b (tag) from the branch set.  Randomly choose x (compactible with F and G)  C=< F(x), G(s, b, x), h(x) XOR m >  Output (C, b)

slide-27
SLIDE 27

27

Our sTag-CCA PKE

 Dec (C, b)

 Parse C as (c1, c2, c3)  x= F-1(c1)  Check F(x) = c1, G(s, x, b)= c2; If not, abort  Output x XOR c3

It is exactly the Peikert-Waters “basic PKE” from LTFs !

In [ PW08] , it was proved that this construction is CCA1 secure.

slide-28
SLIDE 28

28

Theorem 2. The encryption scheme PKE=(Gen, Enc, Dec) described above is sTag-CCA secure.

Our sTag-CCA PKE

slide-29
SLIDE 29

29

Game 1: (s, td) Sabo(b*) instead of (s, td) Sabo(0) Game 2: use td to answer decryption queries. Game 3: (s, *) S(lossy) instead of (s, td) S(inj) Game 4: use randomly chosen r instead of c3*

Proof sketch

slide-30
SLIDE 30

Wrapping up the whole story…

30

Threshold PKE sTag-CCA PKE Lossy Trapdoor Functions

  • 1. ThPKE from sTag-CCA PKE

(Improving [ZHSI04,DK05])

  • 2. sTag-CCA PKE from Lossy

Trapdoor Functions

slide-31
SLIDE 31

31

Comparisons of ThPKE

slide-32
SLIDE 32

32

Conclusions

 ThPKE from LTFs 1. ThPKE from sTag-CCA PKE

  • 2. sTag-CCA PKE from LTFs

 Concrete implementation from Lattices

 (Slightly) better than the previous one from lattice [BD’10]