lossy trapdoor functions and their applications
play

Lossy Trapdoor Functions and Their Applications Chris Peikert - PowerPoint PPT Presentation

Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing


  1. Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15

  2. On Losing Information 2 / 15

  3. On Losing Information 2 / 15

  4. On Losing Information 2 / 15

  5. On Losing Information 2 / 15

  6. On Losing Information 2.3 MB → 0.4 MB 2 / 15

  7. On Losing Information 2 / 15

  8. On Losing Information Lossy object indistinguishable from original 2 / 15

  9. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 3 / 15

  10. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 / 15

  11. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions 3 / 15

  12. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  13. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  14. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F − 1 F F ( x ) { 0 , 1 } N 4 / 15

  15. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  16. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F D F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  17. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? 5 / 15

  18. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Lattice-Based Crypto: ◮ Simple & parallelizable ◮ Resist quantum algorithms (so far) ◮ Security from worst-case assumptions [Ajtai,. . . ] 5 / 15

  19. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Black-Box Separations: PKE [GMR] [GMM] TDF CCA 5 / 15

  20. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ✔ TDF ✔ [RSA,R,P] ✔ ✔ This Work: Factoring TDF Disc log Lossy TDF CCA Lattices CRHF , OT, . . . 5 / 15

  21. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj { 0 , 1 } n x F − 1 F { 0 , 1 } N 6 / 15

  22. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  23. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  24. Lossy Trapdoor Functions c ≈ F F ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  25. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . 7 / 15

  26. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S inj x ? F I = x 7 / 15

  27. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x 7 / 15

  28. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). 7 / 15

  29. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). Main Technique ◮ Swapping F with F yields statistically secure system. 7 / 15

  30. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. 8 / 15

  31. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . 8 / 15

  32. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  33. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  34. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H 8 / 15

  35. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H ◮ Public key ( F , H ) , secret key F − 1 . Encrypt m ∈ { 0 , 1 } k as ( F ( x ) , m ⊕ H ( x )) . 8 / 15

  36. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle 9 / 15

  37. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] 9 / 15

  38. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty ◮ Verify ciphertext is “well-formed” ◮ Usually via zero-knowledge proof ◮ Our approach: recover randomness 9 / 15

  39. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . 10 / 15

  40. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . 10 / 15

  41. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · 10 / 15

  42. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · ◮ Lossy TDFs ⇔ all-but-one TDFs. 10 / 15

  43. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 KeyGen ( F , G , H ) 11 / 15

  44. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen m ( F , G , H ) y 1 = F ( x ) y 2 = G ( b , x ) c = H ( x ) ⊕ m 11 / 15

  45. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt m ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  46. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  47. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  48. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Challenge KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  49. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  50. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  51. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ ◮ Challenge ciphertext hides m statistically. 11 / 15

Recommend


More recommend