Lossy Trapdoor Functions and Their Applications
Chris Peikert, Brent Waters
SRI International

On Losing Information
2.3 MB → 0.4 MB
Lossy object indistinguishable from original

This Talk
1. Trapdoor functions without factoring: discrete log & lattices
2. Black-box chosen-ciphertext security via randomness recovery
3. A new general primitive: Lossy Trapdoor Functions

Public Key Cryptography
1-1 Trapdoor Functions: $(F, F^{-1}) \leftarrow S$
[Diagram: $F$ maps $x \in \{0,1\}^n$ to $F(x) \in \{0,1\}^N$; $F^{-1}$ maps $F(x)$ back to $x$.]
Public Key Encryption: $(E, D) \leftarrow S$
[Diagram: $E$ maps $m$ and $r$ to $E(m; r) \in \{0,1\}^N$; $D$ decrypts $E(m; r)$.]

Realizing Public Key Crypto

       Factoring          Discrete log   Lattices
PKE    ✔ [RSA,...]        ✔ [ElGamal]    ✔ [AD,R1,R2]
CCA    ✔ [DDN,...,CS2]    ✔ [CS1]        ??
TDF    ✔ [RSA,R,P]        ??             ??

Lattice-Based Crypto:
◮ Simple & parallelizable
◮ Resist quantum algorithms (so far)
◮ Security from worst-case assumptions [Ajtai,...]

Black-Box Separations: [diagram relating PKE, TDF and CCA, citing [GMR] and [GMM]]

This Work:

       Factoring          Discrete log   Lattices
PKE    ✔ [RSA,...]        ✔ [ElGamal]    ✔ [AD,R1,R2]
CCA    ✔ [DDN,...,CS2]    ✔ [CS1]        ✔
TDF    ✔ [RSA,R,P]        ✔              ✔

[Diagram: Factoring, Disc log, Lattices; Lossy TDF; TDF, CCA, CRHF, OT, ...]

Lossy Trapdoor Functions
Injective: $(F, F^{-1}) \leftarrow S_{inj}$, with $F : \{0,1\}^n \to \{0,1\}^N$ inverted by $F^{-1}$.
Lossy: $F \leftarrow S_{loss}$, with $F : \{0,1\}^n \to \{0,1\}^N$ and $|\mathrm{Im}(F)| = 2^r \ll 2^n$.
$F \overset{c}{\approx} F$: an $F$ from $S_{inj}$ and an $F$ from $S_{loss}$ are computationally indistinguishable.

Lossy TDFs ⇒ 1-1 Trapdoor Functions
Theorem
◮ $S_{inj}$ generates 1-1 trapdoor functions $(F, F^{-1})$.
◮ Efficient $I$ wants to invert $F$.
[Diagram: $x \in \{0,1\}^n$ is mapped by $F$ and the result is given to $I$; does $I$ output $x$? With $F$ from $S_{inj}$: ?. With $F$ from $S_{loss}$: ✗.]
◮ $F(x)$ has $2^{n-r}$ preimages (on average).
Main Technique
◮ Swapping $F$ (from $S_{inj}$) with $F$ (from $S_{loss}$) yields a statistically secure system.

Lossy TDFs ⇒ Public-Key Encryption
◮ Hard-core functions [GoldreichLevin] — the lazy way.
  • Pairwise independent $H : \{0,1\}^n \to \{0,1\}^k$ for $k \approx n - r$.
[Diagram: $x \mapsto F(x)$ via $F$ and $x \mapsto H(x)$ via $H$; labels "entropy $k$" and "$k$ unif bits" [ILL,DRS].]
◮ Public key $(F, H)$, secret key $F^{-1}$. Encrypt $m \in \{0,1\}^k$ as $(F(x), m \oplus H(x))$.
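
An added example, not from the slides: a toy discrete-log-style lossy TDF (rows of ElGamal-like encryptions of the identity or zero matrix, a construction assumed here because the slides give none) combined with the encryption $(F(x), m \oplus H(x))$ above; it also makes the $|\mathrm{Im}(F)| \ll 2^n$ gap from the Lossy Trapdoor Functions slide measurable. The parameters `P`, `Q`, `g`, `N`, `K` and all function names are constructed for illustration.

```python
import secrets
from itertools import product

# Constructed toy group, far too small for real use: order-Q subgroup of Z_P^*.
P, Q, g = 1019, 509, 4
N, K = 12, 3        # n input bits; lossy image <= Q < 2^9, so k ~ n - r = 3

def keygen(lossy=False):
    """(F, F^-1) from S_inj, or a lossy F from S_loss when lossy=True."""
    z = [secrets.randbelow(Q) for _ in range(N)]      # trapdoor exponents
    h = [pow(g, zj, P) for zj in z]
    rows = []
    for i in range(N):              # row i encrypts row i of I (or of 0)
        r = secrets.randbelow(Q)    # one exponent shared across the row
        row = [pow(hj, r, P) * (g if i == j and not lossy else 1) % P
               for j, hj in enumerate(h)]
        rows.append((pow(g, r, P), row))
    return rows, z

def F(rows, x):
    """Multiply together the rows selected by the 1-bits of x."""
    y0, ys = 1, [1] * N
    for (c0, cs), xi in zip(rows, x):
        if xi:
            y0, ys = y0 * c0 % P, [a * b % P for a, b in zip(ys, cs)]
    return (y0, *ys)

def F_inv(z, y):
    """Injective mode: strip the mask y0^z_j; g remains exactly when x_j = 1."""
    return [int(yj * pow(y[0], Q - zj, P) % P == g) for yj, zj in zip(y[1:], z)]

def image_size(rows):
    """Count distinct outputs over all 2^N inputs."""
    return len({F(rows, x) for x in product((0, 1), repeat=N)})

def hash_gen():
    """Pairwise-independent H(x) = Ax + b over GF(2) with K output bits."""
    return [(secrets.randbits(N), secrets.randbits(1)) for _ in range(K)]

def H(hk, x):
    xi = int("".join(map(str, x)), 2)
    return [(bin(a & xi).count("1") + b) % 2 for a, b in hk]

def encrypt(rows, hk, m):
    x = [secrets.randbits(1) for _ in range(N)]
    return F(rows, x), [mi ^ hi for mi, hi in zip(m, H(hk, x))]

def decrypt(z, hk, ct):
    x = F_inv(z, ct[0])             # recover the encryption randomness x
    return [ci ^ hi for ci, hi in zip(ct[1], H(hk, x))]
```

`image_size` on an injective key returns 4096, while on a lossy key every output is determined by a single exponent modulo `Q`, so it returns at most 509.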

Chosen Ciphertext-Secure Encryption
Intuitive Definition [DDN,NY,RS]
◮ Encryption hides message, even with decryption oracle
Why It Matters
◮ “Correct” security notion for active adversaries
◮ Real-world attacks on protocols [Bleichenbacher,JKS]
Technical Difficulty
◮ Verify ciphertext is “well-formed”
◮ Usually via zero-knowledge proof
◮ Our approach: recover randomness

All-But-One TDFs
◮ $G(b, x)$ has extra parameter: branch $b \in \{0,1\}^n$.
◮ Generate $(G, G^{-1})$ with hidden lossy branch $\ell$.
[Diagram: $G$ drawn as branches $G(0, \cdot)$, $G(1, \cdot)$, ..., $G(\ell, \cdot)$, $G(\ell + 1, \cdot)$, ...]
◮ Lossy TDFs ⇔ all-but-one TDFs.

Lossy TDFs ⇒ CCA-Secure Encryption
KeyGen: $(F, G, H)$ and $F^{-1}$.
Encrypt $m$: $y_1 = F(x)$, $y_2 = G(b, x)$, $c = H(x) \oplus m$.
Decrypt $(y_1, y_2, c)$: Recover $x = F^{-1}(y_1)$. Reencrypt & check. Output $c \oplus H(x)$ or $\bot$.
Challenge: $y_1 = F(x)$, $y_2 = G(\ell, x)$, $c = H(x) \oplus m$.
Decrypt with $G^{-1}$: Recover $x = G^{-1}(y_2)$. Reencrypt & check. Output $c \oplus H(x)$ or $\bot$.
◮ Challenge ciphertext hides $m$ statistically.