Lossy Encryption from General Assumptions

Brett Hemenway and Rafail Ostrovsky. Crypto in the Clouds Workshop, MIT, August 5, 2009.

Outline: Motivation, Definitions, Our Results


  2. Selective Opening Security: Indistinguishability [BHY09]
      IND-SO-ENC (Real)
      ◮ $(m_1, \ldots, m_n) \leftarrow M$
      ◮ $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$
      ◮ $I \leftarrow A(E(m_1, r_1), \ldots, E(m_n, r_n))$
      ◮ $b \leftarrow A((m_i, r_i)_{i \in I}, (m_1, \ldots, m_n))$
      IND-SO-ENC (Ideal)
      ◮ $(m_1, \ldots, m_n) \leftarrow M$
      ◮ $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$
      ◮ $I \leftarrow A(E(m_1, r_1), \ldots, E(m_n, r_n))$
      ◮ $(m'_1, \ldots, m'_n) \leftarrow M|_{M_I}$
      ◮ $b \leftarrow A((m_i, r_i)_{i \in I}, (m'_1, \ldots, m'_n))$
      $\left| \Pr[A^{\text{IND-SO-ENC-REAL}} = 1] - \Pr[A^{\text{IND-SO-ENC-IDEAL}} = 1] \right| < \nu$

  7. Lossy Encryption in Detail
      $G(1^\lambda, \mathrm{mode})$, $E(pk, m, r)$, $D(sk, c)$
      Correctness: for all $m, r$: $D(E(pk_I, m, r)) = m$
      Lossiness: for all $m_0, m_1$: $\{E(pk_L, m_0, r)\} \approx_s \{E(pk_L, m_1, r)\}$
      Indistinguishability: $\{pk_I : pk_I \leftarrow G(1^\lambda, \mathrm{Injective})\} \approx_c \{pk_L : pk_L \leftarrow G(1^\lambda, \mathrm{Lossy})\}$
      Notice: Indistinguishability + Lossiness $\Longrightarrow$ IND-CPA security

  8. Lossy Encryption is IND-SO-ENC Secure (BHY09)
      In Lossy mode, the distributions
      $(E(m_1, r_1), \ldots, E(m_n, r_n)) \approx_s (E(m'_1, r_1), \ldots, E(m'_n, r_n))$
      The encryptions are statistically independent of the messages, so even after conditioning on certain openings, the rest remain independent of the messages.

  13. ReRandomizable Encryption
      ◮ $(G, E, D)$ is semantically secure.
      ◮ There exists a function ReRand such that for all $pk, m, r, r'$:
      ◮ Correctness: $D(\mathrm{ReRand}(E(pk, m, r))) = m$
      ◮ Statistical rerandomization: $\{\mathrm{ReRand}(E(pk, m, r))\} \approx_s \{\mathrm{ReRand}(E(pk, m, r'))\}$

  17. Homomorphic Encryption
      If $E(pk, m, r) \cdot E(pk, m', r') = E(pk, m + m', r^*)$, then we can re-randomize by doing
      $\mathrm{ReRand}(E(pk, m, r)) = E(pk, m, r) \cdot E(pk, 0, r')$.
      Caution: this is not necessarily statistically re-randomizing.
      It is statistically re-randomizing for all known homomorphic cryptosystems.
      If you can sample statistically close to uniformly from the set of encryptions of 0, then homomorphic encryption is statistically rerandomizable.

  18. Outline: Motivation, Definitions, Our Results

  29. Our Results
      ◮ ReRandomizable Encryption “is” Lossy Encryption
      ◮ A framework for creating Lossy Encryption:
      ◮ Applying the results of [BHY09] gives:
        ◮ Goldwasser-Micali
        ◮ El-Gamal
        ◮ Paillier / Damgård-Jurik
      ◮ The first proof that Paillier/Damgård-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.
      ◮ Statistically Hiding-OT implies Lossy Encryption
      ◮ PIR implies Lossy Encryption
      ◮ Homomorphic Encryption implies Lossy Encryption
      ◮ CCA2 Selective Opening Secure definitions and constructions
      ◮ Constructions from statistically-hiding NIZKs in the simulation-based model
      ◮ Constructions from Lossy-Trapdoor Functions in the indistinguishability-based model

  36. ReRandomizable Encryption “is” Lossy Encryption
      ◮ Let $(G, E, D, \mathrm{ReRand})$ be a ReRandomizable Encryption.
      ◮ Let $(pk, sk) \leftarrow G$, $e_0 = E(pk, b_0, r_0)$, $e_1 = E(pk, b_1, r_1)$. Define $PK = (pk, e_0, e_1)$, $SK = sk$.
      ◮ Encryption of $b$ will be $\mathrm{ReRand}(e_b)$.
      ◮ Decryption is the same as for the ReRandomizable scheme.
      This is lossy if $b_0 = b_1$, and injective if $b_0 \neq b_1$.
      The indistinguishability of modes follows immediately from the Semantic Security of $(G, E, D)$.

  41. For Homomorphic Encryption
      ◮ If $(G, E, D)$ is homomorphic and $E(pk, 0, r)$ is statistically close to uniform on the set of encryptions of 0, then
      ◮ We can make lossy encryption, simply by setting $PK = (pk, e)$ where $e = E(pk, 0, r)$ in Lossy Mode and $E(pk, 1, r)$ in injective mode.
      ◮ Encryption of $m$ is just $e^m \cdot E(pk, 0, r)$.
      ◮ Decryption is the same.

  47. Oblivious Transfer Implies Lossy Encryption
      [Diagram: Sender (inputs $x_0, x_1$) and Receiver (input $b$), with messages $Q_b(\cdot, \cdot; \cdot)$ and $Q_b(x_0, x_1; r)$.]
      $PK_{inj}$: $Q_0$
      $PK_{lossy}$: $Q_1$
      $E(m, r) \equiv Q_b(m, 0; r)$
      Computational receiver privacy implies indistinguishability of modes
      Statistical sender privacy implies lossiness of lossy branch

  48. Chosen Ciphertext Security
      Chosen Ciphertext Security in the Selective Opening Setting

  52. IND-SO-CCA2: Definitions
      [Diagram: game between Challenger and Adversary, in order: Decryption Queries; Selective Opening Query; Decryption Queries; Output $b$.]

  55. IND-SO-CCA2: Definitions
      [Diagram: messages between Challenger and Adversary, in order: $c$, $D(c)$, ...; $E(m_1, r_1), \ldots, E(m_n, r_n)$; $I$; $\{m_i, r_i\}_{i \in I}, \{m'_j\}_{j \notin I}$; $c$, $D(c)$, ...; Output $b$.]

  56. Lossy Trapdoor Functions [PW08]
      [Diagram: Injective Mode ($F_I$, with inverse $F_I^{-1}$) and Lossy Mode ($F_\ell$); $F_I \approx F_\ell$.]

  61. Lossy Trapdoor Functions in Detail
      $G_{LTDF}(1^\lambda, \mathrm{inj}) \to (s, t)$
      $G_{LTDF}(1^\lambda, \mathrm{lossy}) \to (s, \bot)$
      Trapdoor: $F^{-1}(t, F(s, x)) = x$
      Lossiness: $|\mathrm{im}\, F(s, \cdot)| \le 2^r$
      The first outputs of $G_{LTDF}(1^\lambda, \mathrm{inj})$ and $G_{LTDF}(1^\lambda, \mathrm{lossy})$ are computationally indistinguishable

  62. All-But-One Functions [PW08]
      $G_{ABO}(1^\lambda, b^*) \to (s, t)$
      Trapdoor: for $b \neq b^*$: $F^{-1}(t, b, F(s, b, x)) = x$
      Lossiness: $|\mathrm{im}\, F(s, b^*, \cdot)| \le 2^r$
      The first outputs of $G_{ABO}(1^\lambda, b_0)$ and $G_{ABO}(1^\lambda, b_1)$ are computationally indistinguishable
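
Added example, not part of the talk: the two constructions from the slides "ReRandomizable Encryption “is” Lossy Encryption" and "For Homomorphic Encryption", instantiated with textbook Paillier, one of the schemes the results slide lists. The toy primes, the function names and the choice to return the secret key in lossy mode (only so the demo can show that decryption no longer depends on the message) are assumptions of this example.

```python
import math
import secrets

P, Q = 2**31 - 1, 2**61 - 1  # toy Mersenne primes, constructed for this demo only

def keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return n, (phi, pow(phi, -1, n))  # pk = n, sk = (phi, phi^-1 mod n)

def rand_unit(n):
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def E(n, m, r):
    # Paillier with g = 1 + n: E(pk, m, r) = (1 + n)^m * r^n mod n^2
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def D(n, sk, c):
    phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def rerand(n, c):
    # ReRand(c) = c * E(pk, 0, r'), with r' fresh
    return c * E(n, 0, rand_unit(n)) % (n * n)

def lossy_keygen(mode):
    # Homomorphic construction: PK = (pk, e); e encrypts 1 (injective) or 0 (lossy)
    n, sk = keygen()
    e = E(n, 1 if mode == "injective" else 0, rand_unit(n))
    return (n, e), sk  # sk is returned in lossy mode too, only so the demo can decrypt

def lossy_encrypt(PK, m):
    # Encryption of m is e^m * E(pk, 0, r)
    n, e = PK
    return rerand(n, pow(e, m, n * n))

def bit_keygen(mode):
    # ReRand construction: PK = (pk, e0, e1); lossy iff b0 == b1
    n, sk = keygen()
    b0, b1 = (0, 1) if mode == "injective" else (0, 0)
    return (n, E(n, b0, rand_unit(n)), E(n, b1, rand_unit(n))), sk

def bit_encrypt(PK, b):
    n, e0, e1 = PK
    return rerand(n, (e0, e1)[b])  # encryption of b is ReRand(e_b)

def demo(mode):
    PK, sk = lossy_keygen(mode)
    msgs = [D(PK[0], sk, lossy_encrypt(PK, m)) for m in (0, 7, 123456)]
    BK, bsk = bit_keygen(mode)
    bits = [D(BK[0], bsk, bit_encrypt(BK, b)) for b in (0, 1)]
    return msgs, bits
```

With an injective key, `demo` returns the original messages and bits; with a lossy key every ciphertext decrypts to 0, because it is a fresh encryption of 0 whatever the message was.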
