Selective Opening Security: Indistinguishability [BHY09] IND-SO-ENC (Real) ◮ ( m 1 , . . . , m n ) ← M ◮ r 1 , . . . , r n ← coins( E ) ◮ I ← A (( E ( m 1 , r i ) , . . . , E ( m n , r n )) ◮ b ← A ((( m i , r i )) i ∈ I , ( m 1 , . . . , m n )) IND-SO-ENC (Ideal) ◮ ( m 1 , . . . , m n ) ← M ◮ r 1 , . . . , r n ← coins( E ) ◮ I ← A (( E ( m 1 , r i ) , . . . , E ( m n , r n )) ◮ ( m ′ 1 , . . . , m ′ n ) ← M | M I ◮ b ← A ((( m i , r i )) i ∈ I , ( m ′ 1 , . . . , m ′ n )) Brett Hemenway and Rafail Ostrovsky
Selective Opening Security: Indistinguishability [BHY09] IND-SO-ENC (Real) ◮ ( m 1 , . . . , m n ) ← M ◮ r 1 , . . . , r n ← coins( E ) ◮ I ← A (( E ( m 1 , r i ) , . . . , E ( m n , r n )) ◮ b ← A ((( m i , r i )) i ∈ I , ( m 1 , . . . , m n )) IND-SO-ENC (Ideal) ◮ ( m 1 , . . . , m n ) ← M ◮ r 1 , . . . , r n ← coins( E ) ◮ I ← A (( E ( m 1 , r i ) , . . . , E ( m n , r n )) ◮ ( m ′ 1 , . . . , m ′ n ) ← M | M I ◮ b ← A ((( m i , r i )) i ∈ I , ( m ′ 1 , . . . , m ′ n )) A IND − SO − ENC − REAL = 1 A IND − SO − ENC − IDEAL = 1 � � � � �� � Pr − Pr � < ν Brett Hemenway and Rafail Ostrovsky
Lossy Encryption in Detail G (1 λ , mode ) , E ( pk , m , r ) , D ( sk , c ) Correctness: Lossiness: For all m , r For all m 0 , m 1 { E ( pk L , m 0 , r ) } ≈ s { E ( pk L , m 1 , r ) } D ( E ( pk I , m , r )) = m Indistinguishability { pk I : pk I ← G (1 λ , Injective ) } ≈ c { pk L : pk L ← G (1 λ , Lossy ) } Brett Hemenway and Rafail Ostrovsky
Lossy Encryption in Detail G (1 λ , mode ) , E ( pk , m , r ) , D ( sk , c ) Correctness: Lossiness: For all m , r For all m 0 , m 1 { E ( pk L , m 0 , r ) } ≈ s { E ( pk L , m 1 , r ) } D ( E ( pk I , m , r )) = m Indistinguishability { pk I : pk I ← G (1 λ , Injective ) } ≈ c { pk L : pk L ← G (1 λ , Lossy ) } Brett Hemenway and Rafail Ostrovsky
Lossy Encryption in Detail G (1 λ , mode ) , E ( pk , m , r ) , D ( sk , c ) Correctness: Lossiness: For all m , r For all m 0 , m 1 { E ( pk L , m 0 , r ) } ≈ s { E ( pk L , m 1 , r ) } D ( E ( pk I , m , r )) = m Indistinguishability { pk I : pk I ← G (1 λ , Injective ) } ≈ c { pk L : pk L ← G (1 λ , Lossy ) } Brett Hemenway and Rafail Ostrovsky
Lossy Encryption in Detail G (1 λ , mode ) , E ( pk , m , r ) , D ( sk , c ) Correctness: Lossiness: For all m , r For all m 0 , m 1 { E ( pk L , m 0 , r ) } ≈ s { E ( pk L , m 1 , r ) } D ( E ( pk I , m , r )) = m Indistinguishability { pk I : pk I ← G (1 λ , Injective ) } ≈ c { pk L : pk L ← G (1 λ , Lossy ) } Brett Hemenway and Rafail Ostrovsky
Lossy Encryption in Detail G (1 λ , mode ) , E ( pk , m , r ) , D ( sk , c ) Correctness: Lossiness: For all m , r For all m 0 , m 1 { E ( pk L , m 0 , r ) } ≈ s { E ( pk L , m 1 , r ) } D ( E ( pk I , m , r )) = m Indistinguishability { pk I : pk I ← G (1 λ , Injective ) } ≈ c { pk L : pk L ← G (1 λ , Lossy ) } Notice: Indistinguishability + Lossiness = ⇒ IND-CPA security Brett Hemenway and Rafail Ostrovsky
Lossy Encryption is IND-SO-ENC Secure (BHY09) In Lossy mode, the distributions ( E ( m 1 , r 1 ) , . . . , E ( m n , r n )) ≈ s ( E ( m ′ 1 , r 1 ) , . . . , E ( m ′ n , r n )) Since the encryptions are statistically independent of the messages, so even after conditioning on certain openings, the rest remain independent of the messages. Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption ◮ ( G , E , D ) is semantically secure. Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption ◮ ( G , E , D ) is semantically secure. ◮ There exists a function ReRand such that for all pk , m , r , r ′ Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption ◮ ( G , E , D ) is semantically secure. ◮ There exists a function ReRand such that for all pk , m , r , r ′ ◮ Correctness: D (ReRand( E ( pk , m , r ))) = m Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption ◮ ( G , E , D ) is semantically secure. ◮ There exists a function ReRand such that for all pk , m , r , r ′ ◮ Correctness: D (ReRand( E ( pk , m , r ))) = m ◮ Statistical rerandomization: { ReRand( E ( pk , m , r )) } ≈ s { ReRand( E ( pk , m , r ′ )) } Brett Hemenway and Rafail Ostrovsky
Homomorphic Encryption If E ( pk , m , r ) E ( pk , m ′ , r ′ ) = E ( pk , m + m ′ , r ∗ ), then we can re-randomize by doing ReRand( E ( pk , m , r )) = E ( pk , m , r ) E ( pk , 0 , r ′ ) . Brett Hemenway and Rafail Ostrovsky
Homomorphic Encryption If E ( pk , m , r ) E ( pk , m ′ , r ′ ) = E ( pk , m + m ′ , r ∗ ), then we can re-randomize by doing ReRand( E ( pk , m , r )) = E ( pk , m , r ) E ( pk , 0 , r ′ ) . Caution: this is not necessarily statistically re-randomizing. Brett Hemenway and Rafail Ostrovsky
Homomorphic Encryption If E ( pk , m , r ) E ( pk , m ′ , r ′ ) = E ( pk , m + m ′ , r ∗ ), then we can re-randomize by doing ReRand( E ( pk , m , r )) = E ( pk , m , r ) E ( pk , 0 , r ′ ) . Caution: this is not necessarily statistically re-randomizing. It is statistically re-randomizing for all known homomorphic cryptosystems. Brett Hemenway and Rafail Ostrovsky
Homomorphic Encryption If E ( pk , m , r ) E ( pk , m ′ , r ′ ) = E ( pk , m + m ′ , r ∗ ), then we can re-randomize by doing ReRand( E ( pk , m , r )) = E ( pk , m , r ) E ( pk , 0 , r ′ ) . Caution: this is not necessarily statistically re-randomizing. It is statistically re-randomizing for all known homomorphic cryptosystems. If you can sample statistically close to uniformly from the set of encryptions of 0 then homomorphic encryption is statistically rerandomizable Brett Hemenway and Rafail Ostrovsky
Outline Motivation Definitions Our Results Brett Hemenway and Rafail Ostrovsky
Our Results Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption ◮ PIR implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption ◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption ◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption ◮ CCA2 Selective Opening Secure definitions and constructions Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption ◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption ◮ CCA2 Selective Opening Secure definitions and constructions ◮ Constructions from statistically-hiding NIZKs in the simulation-based model Brett Hemenway and Rafail Ostrovsky
Our Results ◮ ReRandomizable Encryption “is” Lossy Encryption ◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚ ard-Jurik ◮ The first proof that Paillier/Damg˚ ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem. ◮ Statistically Hiding-OT implies Lossy Encryption ◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption ◮ CCA2 Selective Opening Secure definitions and constructions ◮ Constructions from statistically-hiding NIZKs in the simulation-based model ◮ Constructions from Lossy-Trapdoor Functions in the indistinguishability-based model Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. ◮ Let ( pk , sk ) ← G e 0 = E ( pk , b 0 , r 0 ), e 1 = E ( pk , b 1 , r 1 ). Define PK = ( pk , e 0 , e 1 ), SK = sk . Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. ◮ Let ( pk , sk ) ← G e 0 = E ( pk , b 0 , r 0 ), e 1 = E ( pk , b 1 , r 1 ). Define PK = ( pk , e 0 , e 1 ), SK = sk . ◮ Encryption of b will be ReRand( e b ) . Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. ◮ Let ( pk , sk ) ← G e 0 = E ( pk , b 0 , r 0 ), e 1 = E ( pk , b 1 , r 1 ). Define PK = ( pk , e 0 , e 1 ), SK = sk . ◮ Encryption of b will be ReRand( e b ) . ◮ Decryption is the same as for the ReRandomizable scheme. Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. ◮ Let ( pk , sk ) ← G e 0 = E ( pk , b 0 , r 0 ), e 1 = E ( pk , b 1 , r 1 ). Define PK = ( pk , e 0 , e 1 ), SK = sk . ◮ Encryption of b will be ReRand( e b ) . ◮ Decryption is the same as for the ReRandomizable scheme. This is lossy if b 0 = b 1 , and injective if b 0 � = b 1 . Brett Hemenway and Rafail Ostrovsky
ReRandomizable Encryption “is” Lossy Encryption ◮ Let ( G , E , D , ReRand) be a ReRandomizable Encryption. ◮ Let ( pk , sk ) ← G e 0 = E ( pk , b 0 , r 0 ), e 1 = E ( pk , b 1 , r 1 ). Define PK = ( pk , e 0 , e 1 ), SK = sk . ◮ Encryption of b will be ReRand( e b ) . ◮ Decryption is the same as for the ReRandomizable scheme. This is lossy if b 0 = b 1 , and injective if b 0 � = b 1 . The indistinguishability of modes follows immediately from the Semantic Security of ( G , E , D ). Brett Hemenway and Rafail Ostrovsky
For Homomorphic Encryption Brett Hemenway and Rafail Ostrovsky
For Homomorphic Encryption ◮ If ( G , E , D ) is homomorphic and E ( pk , 0 , r ) is statistically close to uniform on the set of encryptions of 0, then Brett Hemenway and Rafail Ostrovsky
For Homomorphic Encryption ◮ If ( G , E , D ) is homomorphic and E ( pk , 0 , r ) is statistically close to uniform on the set of encryptions of 0, then ◮ We can make lossy encryption, simply by setting PK = ( pk , e ) where e = E ( pk , 0 , r ) in Lossy Mode and E ( pk , 1 , r ) in injective mode. Brett Hemenway and Rafail Ostrovsky
For Homomorphic Encryption ◮ If ( G , E , D ) is homomorphic and E ( pk , 0 , r ) is statistically close to uniform on the set of encryptions of 0, then ◮ We can make lossy encryption, simply by setting PK = ( pk , e ) where e = E ( pk , 0 , r ) in Lossy Mode and E ( pk , 1 , r ) in injective mode. ◮ Encryption of m is just e m · E ( pk , 0 , r ). Brett Hemenway and Rafail Ostrovsky
For Homomorphic Encryption ◮ If ( G , E , D ) is homomorphic and E ( pk , 0 , r ) is statistically close to uniform on the set of encryptions of 0, then ◮ We can make lossy encryption, simply by setting PK = ( pk , e ) where e = E ( pk , 0 , r ) in Lossy Mode and E ( pk , 1 , r ) in injective mode. ◮ Encryption of m is just e m · E ( pk , 0 , r ). ◮ Decryption is the same. Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption Sender Receiver Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption x 0 x 1 b Sender Receiver Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption x 0 x 1 b Q b ( · , · ; · ) Sender Receiver Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption x 0 x 1 b Q b ( · , · ; · ) Sender Receiver Q b ( x 0 , x 1 ; r ) Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption x 0 x 1 b Q b ( · , · ; · ) Sender Receiver Q b ( x 0 , x 1 ; r ) PK inj : PK lossy : Q 0 Q 1 E ( m , r ) ≡ Q b ( m , 0; r ) Brett Hemenway and Rafail Ostrovsky
Oblivious Transfer Implies Lossy Encryption x 0 x 1 b Q b ( · , · ; · ) Sender Receiver Q b ( x 0 , x 1 ; r ) PK inj : PK lossy : Q 0 Q 1 E ( m , r ) ≡ Q b ( m , 0; r ) Computational receiver privacy implies indistinguishability of modes Statistical sender privacy implies lossiness of lossy branch Brett Hemenway and Rafail Ostrovsky
Chosen Ciphertext Security Chosen Ciphertext Security in the Selective Opening Setting Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary Decryption Queries Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary Decryption Queries Selective Opening Query Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary Decryption Queries Selective Opening Query Decryption Queries Output b Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary c D ( c ) . . . Selective Opening Query Decryption Queries Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary c D ( c ) . . . E ( m 1 , r 1 ) , . . . , E ( m n , r n ) I { m ′ { m i , r i } i ∈ I , j } j �∈ I Decryption Queries Brett Hemenway and Rafail Ostrovsky
IND-SO-CCA2: Definitions Challenger Adversary c D ( c ) . . . E ( m 1 , r 1 ) , . . . , E ( m n , r n ) I { m ′ { m i , r i } i ∈ I , j } j �∈ I c D ( c ) . . . Output b Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions [PW08] F I ≈ F ℓ F − 1 F ℓ I F I Injective Mode Lossy Mode Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions in Detail G LTDF (1 λ , inj ) ( s , t ) Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions in Detail G LTDF (1 λ , inj ) ( s , ⊥ ) G LTDF (1 λ , lossy ) ( s , t ) Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions in Detail G LTDF (1 λ , inj ) ( s , ⊥ ) G LTDF (1 λ , lossy ) ( s , t ) Trapdoor: F − 1 ( t , F ( s , x )) = x Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions in Detail G LTDF (1 λ , inj ) ( s , ⊥ ) G LTDF (1 λ , lossy ) ( s , t ) Trapdoor: Lossiness: F − 1 ( t , F ( s , x )) = x | imF ( s , · ) | ≤ 2 r Brett Hemenway and Rafail Ostrovsky
Lossy Trapdoor Functions in Detail G LTDF (1 λ , inj ) ( s , ⊥ ) G LTDF (1 λ , lossy ) ( s , t ) Trapdoor: Lossiness: F − 1 ( t , F ( s , x )) = x | imF ( s , · ) | ≤ 2 r The first outputs of G LTDF (1 λ , inj ), and G LTDF (1 λ , lossy ) are computationally indistinguishable Brett Hemenway and Rafail Ostrovsky
All-But-One Functions [PW08] G ABO (1 λ , b ∗ ) ( s , t ) Trapdoor: Lossiness: For b � = b ∗ | imF ( s , b ∗ , · ) | ≤ 2 r F − 1 ( t , b , F ( s , b , x )) = x The first outputs of G ABO (1 λ , b 0 ), and G ABO (1 λ , b 1 ) are computationally indistinguishable Brett Hemenway and Rafail Ostrovsky
Recommend
More recommend