
Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation
ASIACRYPT 2018, Dec. 5th 2018 (slide 1/55)
Yu Chen (1), Yuyu Wang (2), Hong-Sheng Zhou (3)
(1) SKLOIS-IIE-CAS, UCAS; (2) Tokyo Institute of Technology, IOHK, AIST; (3) Virginia Commonwealth


  1. Weak Puncturable PRF (slide 16/55)

Security game between the challenger and the adversary $\mathcal{A}$ (in the selective notion sPPRF the adversary picks $x^*$ itself; in the weak notion the challenger samples it):

  $\beta \leftarrow_R \{0,1\}$; $(pp, k) \leftarrow \mathsf{Gen}(\lambda)$; $x^* \leftarrow_R X$
  $k_{x^*} \leftarrow \mathsf{Punc}(k, x^*)$; $y^*_0 \leftarrow F(k, x^*)$; $y^*_1 \leftarrow_R Y$
  $\mathcal{A}$ receives $(pp, x^*, k_{x^*}, y^*_\beta)$ and outputs $\beta'$; $\mathcal{A}$ wins if $\beta' = \beta$.

Theorem: sPPRF $\Leftrightarrow$ wPPRF.

  3. Indistinguishability Obfuscation [BGI+12] (slide 17/55)

A uniform PPT machine $iO$ is called an indistinguishability obfuscator for a circuit class $\{\mathcal{C}_\lambda\}$ if:

  Preserving functionality: $\forall C \in \mathcal{C}_\lambda,\ \forall x \in \{0,1\}^*$: $\Pr[C'(x) = C(x) : C' \leftarrow iO(C)] = 1$.

  Indistinguishability of obfuscation: $\forall$ PPT adversaries $(\mathcal{S}, \mathcal{D})$, $\exists$ a negligible function $\alpha$:
  $\Pr[\forall x,\ C_0(x) = C_1(x) : (C_0, C_1, aux) \leftarrow \mathcal{S}(\lambda)] \geq 1 - \alpha(\lambda)$
  $\Rightarrow\ |\Pr[\mathcal{D}(aux, iO(C_0)) = 1] - \Pr[\mathcal{D}(aux, iO(C_1)) = 1]| \leq \alpha(\lambda)$.

In pictures: $C_0 \equiv C_1 \Rightarrow iO(C_0) \approx_c iO(C_1)$.

  6. Outline (slide 18/55)
  1 Background
  2 Motivation
  3 Primitives
  4 Our Framework Towards Leakage-Resilience: Leakage-Resilient PKE; Leakage-Resilient SKE; Leakage-Resilient Signature
  5 Achieving Optimal Leakage Rate

  7. Approaches towards Leakage Resilience (slide 19/55)

Technical hurdle: a seeming paradox. The reduction $\mathcal{R}$ holds a challenge instance $F$ built from $sk$ (which $\mathcal{R}$ does not see); the adversary submits a leakage function $f$ and expects $f(sk)$ back.

  In order to answer arbitrary leakage queries, it seems $\mathcal{R}$ must know $sk$.
  Typically $\mathcal{R}$ does not know $sk$, since the challenge instance is embedded in it.

  12. Approach I: leakage-resilient assumptions (slide 20/55)

Rely on leakage-resilient assumptions, i.e., the assumption still holds even in the presence of partial leakage of the secret. The leakage query $f$ is passed through to the assumption, which answers $f(sk)$.

  Katz and Vaikuntanathan [KV09]: UOWHF is LR-OW + ss-NIZK $\Rightarrow$ LR SIG
  Akavia et al. [AGV09]: normal $pk \approx_c$ lossy $pk$ even in the presence of $sk$ leakage $\Rightarrow$ Regev PKE is LR

  17. Approach II: detached strategy + leakage-resilient assumptions/facts (slide 21/55)

Detach the challenge from the key: first switch the real challenge $c$ to a fake $\hat{c}$ using the computational assumption, then argue that the key derived from $sk$ stays hidden even given $f(sk)$, using a leakage-resilient fact or assumption:

  $(F, sk, c, f(sk)) \approx_c (F, sk, \hat{c}, f(sk))$

  Naor and Segev [NS09]: SMP $\Rightarrow c \approx_c \hat{c}$; $k \leftarrow \mathsf{Ext}(sk, \hat{c})$, justified by the leftover hash lemma (a leakage-resilient fact)
  Dodis et al. [DGK+10]: DDH $\Rightarrow c \approx_c \hat{c}$; $k \leftarrow hc_{\hat{c}}(sk)$ w.r.t. $f$ (auxiliary-input model), justified by the Goldreich-Levin theorem (a leakage-resilient assumption)

  22. A common theme of the two main approaches above (slide 22/55)

$\mathcal{R}$ always tries to simulate the leakage oracle perfectly, i.e., answering leakage queries with the real secret key. To do so, we have to either rely on LR assumptions or resort to sophisticated designs with specific structure.

It is interesting to investigate the possibility of simulating the leakage oracle computationally, i.e., answering leakage queries with simulated leakage. This might lend new techniques to address the unsolved problems in LRC.

  23. (slide 23/55) Dachman-Soled et al. [DGL+16] discovered powerful applications of $iO$ to LRC: Sahai-Waters PKE $\Rightarrow$ leakage resilient.

  24. Background: Sahai-Waters KEM (slide 24/55)

Ingredients: $iO$; PRG $G: \{0,1\}^\lambda \to \{0,1\}^{2\lambda}$; weak puncturable PRF $F: SK \times \{0,1\}^{2\lambda} \to Y$.

  $\mathsf{Gen}(\lambda)$: pick $sk \leftarrow_R SK$, $pk \leftarrow iO(\mathsf{Encaps})$
  $\mathsf{Encaps}(pk; r)$: $(c, k) \leftarrow pk(r)$
  $\mathsf{Decaps}(sk, c)$: $k \leftarrow F(sk, c)$

Program $\mathsf{Encaps}$
  Constants: PPRF key $sk$
  Input: randomness $r \in \{0,1\}^\lambda$
  1. compute $x \leftarrow G(r)$; output $c = x$, $k \leftarrow F(sk, x)$

  25. Why Sahai-Waters is not Leakage-Resilient (slide 25/55)

The proof uses the "punctured programs" technique, and security is reduced to the weak pseudorandomness of the punctured PRF:

  $pk \leftarrow iO(\mathsf{Encaps}(sk)) \rightsquigarrow pk \leftarrow iO(\mathsf{Encaps}^*(sk_{x^*}))$
  session key $k^* \leftarrow y^* \leftarrow F(sk, x^*)$, where $x^* \leftarrow_R \{0,1\}^{2\lambda}$

The sources of non-leakage-resilience:
  Construction perspective: information about $y^*$ could be leaked via leakage queries on $sk$, so $y^*$ may no longer be random in $\mathcal{A}$'s view.
  Proof perspective: in some hybrid game $\mathcal{R}$ only knows $sk_{x^*}$, and is thus unable to handle arbitrary leakage queries.

Dachman-Soled et al. [DGL+16] made the Sahai-Waters KEM leakage-resilient by using $iO$ twice.

  28. Outline (slide 26/55): 4 Our Framework Towards Leakage-Resilience, Leakage-Resilient PKE

  29. Abstract and Generalize the Core Idea (slide 27/55)

$\mathcal{R}$ does not hold $sk$; it holds only $(sk_{x^*}, y^*)$. Can it still answer leakage queries on the secret key?

  Build a program $C$ from $sk$ and a program $C'$ from $(sk_{x^*}, y^*)$ such that $C \equiv C'$ (identical input/output behaviour).
  $iO$: $iO(C) \approx_c iO(C')$.
  Composition lemma: $f$ is efficient $\Rightarrow f(iO(C)) \approx_c f(iO(C'))$.

So if the secret key handed to the adversary is $iO(C)$ rather than $sk$, $\mathcal{R}$ can simulate leakage in a computationally indistinguishable manner by answering $f$ with $f(iO(C'))$.

  35. Key Observation (slide 28/55)

  Dachman-Soled et al. [DGL+16]: the Sahai-Waters KEM can be made LR by setting $sk$ as an obfuscated program.
  Chen et al. [CZ14]: the essence of the Sahai-Waters KEM is that $iO$ bootstraps a Punc-PRF into a Punc-"publicly evaluable" PRF.

These two results suggest: $iO(\text{Punc-PEPRF}) \Rightarrow$ LR PEPRF. Can we push the idea to the extreme?

  36. (Puncturable) Publicly Evaluable PRF (slide 29/55)

  $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$
  $\mathsf{Priv}(sk, x)$: computes $F(sk, x) \in Y$ for any $x \in X$
  $\mathsf{Samp}(\lambda)$: samples $(x, w)$ with $x \in L \subseteq X$ and witness $w \in W$
  $\mathsf{Pub}(pk, x, w)$: computes $F(sk, x)$ publicly for $x \in L$, given its witness $w$
  Puncturing: $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$

  38. Security of (Puncturable) Publicly Evaluable PRF (slide 30/55)

  $\beta \leftarrow_R \{0,1\}$; $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$; $\mathcal{A}$ receives $pk$
  $(x^*, w^*) \leftarrow \mathsf{Samp}(\lambda)$; $sk_{x^*} \leftarrow \mathsf{Punc}(sk, x^*)$
  $y^*_0 \leftarrow F(sk, x^*)$; $y^*_1 \leftarrow_R Y$
  $\mathcal{A}$ receives $(x^*, y^*_\beta, sk_{x^*})$ and outputs $\beta'$

Security: $|\Pr[\beta = \beta'] - 1/2| \leq \mathsf{negl}(\lambda)$.

With leakage: $\mathcal{A}$ may additionally submit leakage queries $f_i$ and receive $f_i(sk)$.

  44. LR-PEPRF from Punc-PEPRF (slide 31/55)

Idea: Obfuscate-and-Extract. Define $\hat{F}$ from $X \times S$ to $Z$ as $\hat{F}(sk, (x, s)) = \mathsf{Ext}(F(sk, x), s)$, where $\mathsf{Ext}: Y \times S \to Z$ is a randomness extractor with public seed $s \in S$.

Program $\mathsf{Priv}$
  Constants: Punc-PEPRF secret key $sk$
  Input: $\hat{x} = (x, s)$
  1. output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$

The LR PEPRF: $(pk, sk) \leftarrow \mathsf{Gen}(\lambda)$ as before, but the secret key is $\hat{sk} \leftarrow iO(\mathsf{Priv})$; public evaluation on $\hat{x} = (x, s)$ with witness $w$ is $\mathsf{Ext}(\mathsf{Pub}(pk, x, w), s)$.

  49. (slide 32/55) Theorem: the above PEPRF $\hat{F}$ is leakage-resilient under an appropriate parameter setting.

  Game 0 (the original game): $\hat{sk} \leftarrow iO(\mathsf{Priv})$.
  Game 1: $\hat{sk} \leftarrow iO(\mathsf{Priv}^*)$, where $y^* \leftarrow F(sk, x^*)$.
  Game 2: $y^* \leftarrow_R Y$.

Program $\mathsf{Priv}^*$
  Constants: Punc-PEPRF punctured key $sk_{x^*}$, $x^*$ and $y^*$
  Input: $\hat{x} = (x, s)$
  1. If $x = x^*$, output $\mathsf{Ext}(y^*, s)$. Else, output $\mathsf{Ext}(F(sk_{x^*}, x), s)$.

  $\mathsf{Priv} \equiv \mathsf{Priv}^*$ + $iO$ $\Rightarrow$ Game 0 $\approx_c$ Game 1
  Punc-PEPRF $\Rightarrow$ Game 1 $\approx_c$ Game 2
  randomness extractor $\Rightarrow z^* \leftarrow \mathsf{Ext}(y^*, s^*) \approx_s U_Z$ (the leakage bound is what keeps enough min-entropy in $y^*$ for $\mathsf{Ext}$; this is the "appropriate parameter setting")

  50. Constructions of Punc-PEPRF (slide 33/55)

$iO(\text{Punc-PEPRF}) \rightsquigarrow$ LR-PEPRF $\Rightarrow$ LR-KEM. This clarifies and encompasses Dachman-Soled et al.'s construction.

How to construct Punc-PEPRF?
  wPPRF + PRG + $iO$ (a slight modification of the SW KEM)
  Punc-TDF $\Leftarrow$ correlated-product TDF [RS09]. A PTDF can be viewed as a special type of adaptive TDF whose inversion oracle $O_{inv}$ can be instantiated succinctly.
  Punc-EHPS $\Leftarrow$ derivable EHPS [Wee10]. "Derivable" is a mild property satisfied by all the known realizations of EHPS.

  51. Significance (slide 34/55)

Matsuda and Hanaoka [MH15]: Punc-KEM captures a common pattern towards CCA security (PKE via CP-TDF, PKE via EHPS).
  Punc-PEPRF $\Rightarrow$ Punc-KEM with perfect punctured decapsulation soundness.
  CCA security obtained via the "punctured" road can be converted to leakage resilience in a non-black-box manner via $iO$.

  52. Outline (slide 35/55): 4 Our Framework Towards Leakage-Resilience, Leakage-Resilient SKE

  53. Extension to the Symmetric Setting (slide 36/55)

$iO(\text{weak-Punc-PRF}) \rightsquigarrow$ LR-weak-PRF $\Rightarrow$ LR-SKE. The same Obfuscate-and-Extract template applies, with $\hat{F}$ from $X \times S$ to $Z$ defined as $\hat{F}(sk, (x, s)) = \mathsf{Ext}(F(sk, x), s)$:

Program $\mathsf{Priv}$
  Constants: wPPRF secret key $sk$, where $(pp, sk) \leftarrow \mathsf{Gen}(\lambda)$
  Input: $\hat{x} = (x, s)$
  1. output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$

The LR weak PRF key is $\hat{sk} \leftarrow iO(\mathsf{Priv})$.

  54. Outline (slide 37/55): 4 Our Framework Towards Leakage-Resilience, Leakage-Resilient Signature

  55. Review of Sahai-Waters Signature (slide 38/55)

Essence of the Sahai-Waters signature: $iO$ makes a PRF-based MAC publicly verifiable.

  $\mathsf{Gen}(\lambda)$: pick $k \leftarrow_R K$ for sPPRF $F: K \times M \to Y$, pick a OWF $g: Y \to Z$; set $sk \leftarrow k$, $vk \leftarrow iO(\mathsf{Verify})$.
  $\mathsf{Sign}(sk, m)$: output $\sigma \leftarrow F(k, m)$.
  $\mathsf{Verify}(vk, m, \sigma)$: output $vk(m, \sigma)$.

Program $\mathsf{Verify}$
  Constants: sPPRF key $k$
  Input: message $m$ and signature $\sigma$
  1. output $g(\sigma) \stackrel{?}{=} g(F(k, m))$.

  56. Proof of Selective Security (slide 39/55)

Theorem: the Sahai-Waters signature is selectively secure.

  Game 0 (original game): $vk \leftarrow iO(\mathsf{Verify})$.
  Game 1: $vk \leftarrow iO(\mathsf{Verify}^*)$, where $z^* \leftarrow g(\sigma^*)$, $\sigma^* \leftarrow F(k, m^*)$.
  Game 2: $\sigma^* \leftarrow_R Y$.

Program $\mathsf{Verify}^*$
  Constants: punctured sPPRF key $k_{m^*}$, $m^*$ and $z^*$
  Input: message $m$ and signature $\sigma$
  1. If $m = m^*$, output $g(\sigma) \stackrel{?}{=} z^*$.
  2. Else, output $g(\sigma) \stackrel{?}{=} g(F(k_{m^*}, m))$.

  $\mathsf{Verify} \equiv \mathsf{Verify}^*$ + $iO$ $\Rightarrow$ Game 0 $\approx_c$ Game 1
  sPPRF $\Rightarrow$ Game 1 $\approx_c$ Game 2
  OWF $\Rightarrow \sigma^*$ is unpredictable in Game 2 (a forgery on $m^*$ is a preimage of $z^*$ under $g$)
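The three punctured-program steps in this deck, the puncturable PRF of slide 16, $\mathsf{Priv}^*$ of slide 32 and $\mathsf{Verify}^*$ of slide 39, as one runnable example. This is added code, not the authors' implementation. It assumes a GGM-tree puncturable PRF over an 8-bit domain, SHA-256 standing in for the length-doubling PRG $G$ and for the one-way function $g$, and HMAC standing in for the seeded extractor $\mathsf{Ext}$; $iO$ is not instantiated (no practical one exists), so what the code checks is the premise each hybrid step rests on: the punctured key $k_{x^*}$ reproduces $F$ everywhere except $x^*$, and $\mathsf{Verify}^*$ / $\mathsf{Priv}^*$, built only from $(k_{x^*}, x^*, z^*)$ resp. $(sk_{x^*}, x^*, y^*)$, agree with $\mathsf{Verify}$ / $\mathsf{Priv}$ on every input, which is exactly the $C \equiv C'$ condition $iO$ requires.

```python
import hashlib
import hmac

# Added example, not code from the slides. Assumptions: GGM-tree puncturable PRF
# over an 8-bit domain, SHA-256 as the length-doubling PRG and as the OWF g,
# HMAC as a stand-in for the seeded extractor Ext. iO is not instantiated; the
# example checks the premise iO needs: Verify == Verify* and Priv == Priv*.

N_BITS = 8  # domain {0..255}: small enough to compare the programs exhaustively


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG G: one 32-byte node -> (left child, right child)."""
    return hashlib.sha256(b"L" + seed).digest(), hashlib.sha256(b"R" + seed).digest()


def bits(x: int) -> list[int]:
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def prf(k: bytes, x: int) -> bytes:
    """F(k, x): descend the GGM tree from the root k along the bits of x."""
    node = k
    for b in bits(x):
        node = prg(node)[b]
    return node


def punc(k: bytes, x_star: int) -> dict:
    """Punc(k, x*): k_{x*} = the sibling of every node on the path to x* (one per level)."""
    siblings, node, path = {}, k, []
    for b in bits(x_star):
        left, right = prg(node)
        siblings[tuple(path + [1 - b])] = right if b == 0 else left
        path.append(b)
        node = left if b == 0 else right
    return {"x_star": x_star, "siblings": siblings}


def prf_punctured(k_p: dict, x: int) -> bytes:
    """F(k_{x*}, x): start at the stored sibling whose prefix covers x, then descend.
    Raises at x = x*: no stored node lies on that path, which is the point of puncturing."""
    if x == k_p["x_star"]:
        raise ValueError("x* is punctured out of the key")
    xb = bits(x)
    depth = next(d for d in range(1, N_BITS + 1) if tuple(xb[:d]) in k_p["siblings"])
    node = k_p["siblings"][tuple(xb[:depth])]
    for b in xb[depth:]:
        node = prg(node)[b]
    return node


def owf(y: bytes) -> bytes:
    """g: stand-in one-way function."""
    return hashlib.sha256(b"g" + y).digest()


def ext(y: bytes, s: bytes) -> bytes:
    """Ext(y, s): stand-in seeded extractor, keyed by the public seed s."""
    return hmac.new(s, y, hashlib.sha256).digest()[:16]


def verify(k: bytes, m: int, sigma: bytes) -> bool:
    """Program Verify (constants: k): g(sigma) =? g(F(k, m)); Sign(k, m) = F(k, m)."""
    return hmac.compare_digest(owf(sigma), owf(prf(k, m)))


def make_verify_star(k: bytes, m_star: int):
    """Program Verify* built only from (k_{m*}, m*, z*). In the reduction z* comes from
    the OWF challenger; here it is derived from k once so the check is self-contained."""
    k_p, z_star = punc(k, m_star), owf(prf(k, m_star))

    def verify_star(m: int, sigma: bytes) -> bool:
        if m == m_star:
            return hmac.compare_digest(owf(sigma), z_star)
        return hmac.compare_digest(owf(sigma), owf(prf_punctured(k_p, m)))
    return verify_star


def priv(k: bytes, x: int, s: bytes) -> bytes:
    """Program Priv (constants: sk): z <- Ext(F(sk, x), s)."""
    return ext(prf(k, x), s)


def make_priv_star(k: bytes, x_star: int):
    """Program Priv* (constants: sk_{x*}, x*, y*)."""
    k_p, y_star = punc(k, x_star), prf(k, x_star)

    def priv_star(x: int, s: bytes) -> bytes:
        return ext(y_star, s) if x == x_star else ext(prf_punctured(k_p, x), s)
    return priv_star


def punctured_key_is_consistent(k: bytes, x_star: int) -> bool:
    """k_{x*} reproduces F(k, x) for every x != x* and raises exactly at x*."""
    k_p = punc(k, x_star)
    try:
        prf_punctured(k_p, x_star)
    except ValueError:
        return all(prf_punctured(k_p, x) == prf(k, x) for x in range(2 ** N_BITS) if x != x_star)
    return False


def programs_agree(k: bytes, x_star: int) -> bool:
    """Exhaustive Verify == Verify* and Priv == Priv* over the domain, for valid and
    corrupted signatures: the functional-equivalence premise that iO requires."""
    v_star, p_star = make_verify_star(k, x_star), make_priv_star(k, x_star)
    for m in range(2 ** N_BITS):
        good, bad = prf(k, m), owf(prf(k, m))               # bad: a wrong sigma for m
        s = hashlib.sha256(b"seed" + bytes([m])).digest()   # constructed public seed
        if verify(k, m, good) != v_star(m, good) or verify(k, m, bad) != v_star(m, bad):
            return False
        if priv(k, m, s) != p_star(m, s):
            return False
    return True
```

Run `programs_agree(k, x_star)` with any 32-byte key and any point in the domain; the exhaustive loop is what a reviewer of the hybrid argument wants to see, since a single input on which $\mathsf{Verify}^*$ and $\mathsf{Verify}$ disagree would void the Game 0 $\approx_c$ Game 1 step. Note that the punctured key still leaks nothing about $F(k, x^*)$ only in the GGM construction's security proof; the code demonstrates correctness of puncturing, not its pseudorandomness.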

  57. How to make the Sahai-Waters signature Leakage-Resilient? (slide 40/55)

Technical hurdle: how to handle leakage queries?
  1 express the signing algorithm as a program and obfuscate the program as $sk$
  2 simulate leakage queries with a function-equivalent key: an obfuscation of a program built from $k_{m^*}$ and $\sigma^*$

Problems
  Construction perspective: leakage queries leak information about $\sigma^*$ (the preimage of $z^*$) $\Rightarrow$ unable to reduce unforgeability to the one-wayness of $g$.
  Proof perspective: $\mathcal{R}$ does not know $\sigma^*$.

Our solution: use a LR OWF instead of a standard OWF. In the final security game, $\mathcal{R}$ can translate leakage queries on the secret key into leakage queries on $\sigma^*$.

  60. (slide 41/55) LR OWF + sPPRF + $iO$ $\Rightarrow$ deterministic LR SIG (selective).

How to achieve adaptive security?
  Using an Extremely Lossy Function [Zha16] to hash the message before signing: deterministic, but relying on an exponential hardness assumption.
  Applying the "prefix-guessing" technique [RW14]: randomized, but public-coin.
So far the best solution to the open problem posed by Boyle et al. [BSW11] (Eurocrypt'11).

  61. Outline (slide 42/55): 5 Achieving Optimal Leakage Rate

  62. How to achieve optimal leakage rate? (slide 43/55)

The leakage rate of our basic constructions is low:
  the secret key is an obfuscated program $\Rightarrow$ large size;
  the maximum leakage amount is $\leq \log_2 |Y|$, the entropy of $y^*$ that $\mathsf{Ext}$ can draw on.
Can we achieve an optimal leakage rate?

  63. Dachman-Soled et al.'s Approach (slide 44/55)

Secret key: a secret obfuscated program (like a gun that must be kept secret).
Decompose the secret obfuscated program:
  make the logic part public;
  set a trigger device inside the public program and use the trigger as the secret key.

  65. The Case of LR-PEPRF from Punc-PEPRF (slide 45/55)

Before (program $\mathsf{Priv}$, kept secret as $\hat{sk} \leftarrow iO(\mathsf{Priv})$)
  Constants: Punc-PEPRF secret key $sk$
  Input: $\hat{x} = (x, s)$
  1. Output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$

Modification: $ct^* \leftarrow \mathsf{Enc}(k_e, 0^n)$, $n = \log |Y|$; pick a CRHF $h$ and set $t^* = h(ct^*)$. $ct^*$ is the secret key; the obfuscated program is made public.

After (program $\mathsf{Priv}$, published as $iO(\mathsf{Priv})$)
  Constants: Punc-PEPRF secret key $sk$, $t^*$
  Input: $ct$, $\hat{x} = (x, s)$
  1. If $h(ct) \neq t^*$, output $\perp$. Else, output $z \leftarrow \mathsf{Ext}(F(sk, x), s)$.

This greatly shrinks the size of the secret key: an obfuscated program $\rightsquigarrow$ a ciphertext.
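The trigger-device modification above, as an added example that is not part of the slides. It assumes stand-ins for every primitive: HMAC-SHA256 for the PEPRF value $F(sk, x)$ and for $\mathsf{Ext}$, SHA-256 for the CRHF $h$, and a SHA-256 keystream for $\mathsf{Enc}(k_e, 0^n)$; $iO$ is not instantiated, so the "public program" is an ordinary closure that still holds $sk$ in the clear. What the code shows is the mechanism: the program is gated on $h(ct) = t^*$, only the short ciphertext $ct^*$ has to be kept secret, and anyone holding the program but not $ct^*$ gets $\perp$.

```python
import hashlib
import hmac
import secrets

# Added example, not the authors' code. Stand-ins (assumptions): HMAC-SHA256 for
# F(sk, x) and for Ext, SHA-256 as the CRHF h, a SHA-256 keystream for Enc(k_e, 0^n).
# iO is not instantiated: the "public program" is a plain closure holding sk.

N = 32  # n = log|Y| in bytes: F outputs 32 bytes, so |Y| = 2^256


def enc_zeros(k_e: bytes) -> bytes:
    """ct* <- Enc(k_e, 0^n) as nonce || (keystream XOR 0^n) = nonce || keystream."""
    nonce = secrets.token_bytes(16)
    return nonce + hashlib.sha256(k_e + nonce).digest()[:N]


def crhf(data: bytes) -> bytes:
    """h: collision-resistant hash (the trigger fingerprint t* = h(ct*))."""
    return hashlib.sha256(b"h" + data).digest()


def build_public_program(sk: bytes, t_star: bytes):
    """The modified Priv, published as iO(Priv) in the slides. Constants: sk and t*."""
    def priv(ct: bytes, x: bytes, s: bytes):
        if not hmac.compare_digest(crhf(ct), t_star):        # 1. If h(ct) != t*: output ⊥
            return None
        y = hmac.new(sk, x, hashlib.sha256).digest()         # F(sk, x), stand-in
        return hmac.new(s, y, hashlib.sha256).digest()[:16]  # Ext(F(sk, x), s)
    return priv


def keygen():
    """Returns (public program, secret key ct*). Only ct* needs to stay secret."""
    sk, k_e = secrets.token_bytes(32), secrets.token_bytes(32)
    ct_star = enc_zeros(k_e)
    return build_public_program(sk, crhf(ct_star)), ct_star


def demo() -> dict:
    """Exercise the gate with the real trigger, a wrong trigger, and repeated calls."""
    program, ct_star = keygen()
    x, s = b"constructed input point x", secrets.token_bytes(16)  # constructed sample input
    return {
        "with_trigger": program(ct_star, x, s) is not None,
        "without_trigger": program(bytes(len(ct_star)), x, s) is None,
        "deterministic": program(ct_star, x, s) == program(ct_star, x, s),
        "secret_key_bytes": len(ct_star),
    }
```

The secret key is now 16 + 32 bytes of ciphertext instead of an obfuscated circuit, which is the size reduction the slide is after; the leakage-rate argument itself (why leaking a constant fraction of $ct^*$ does not let the adversary pass the $h(ct) = t^*$ check) is part of the paper's proof and is not exercised by this toy.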
