lossy trapdoor functions and their applications
play

Lossy Trapdoor Functions and Their Applications Chris Peikert - PowerPoint PPT Presentation

Feb 08, 2023 •195 likes •925 views

Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing

  1. Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15

  2. On Losing Information 2 / 15

  3. On Losing Information 2 / 15

  4. On Losing Information 2 / 15

  5. On Losing Information 2 / 15

  6. On Losing Information 2.3 MB → 0.4 MB 2 / 15

  7. On Losing Information 2 / 15

  8. On Losing Information Lossy object indistinguishable from original 2 / 15

  9. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 3 / 15

  10. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 / 15

  11. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions 3 / 15

  12. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  13. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  14. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F − 1 F F ( x ) { 0 , 1 } N 4 / 15

  15. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  16. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F D F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  17. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? 5 / 15

  18. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Lattice-Based Crypto: ◮ Simple & parallelizable ◮ Resist quantum algorithms (so far) ◮ Security from worst-case assumptions [Ajtai,. . . ] 5 / 15

  19. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Black-Box Separations: PKE [GMR] [GMM] TDF CCA 5 / 15

  20. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ✔ TDF ✔ [RSA,R,P] ✔ ✔ This Work: Factoring TDF Disc log Lossy TDF CCA Lattices CRHF , OT, . . . 5 / 15

  21. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj { 0 , 1 } n x F − 1 F { 0 , 1 } N 6 / 15

  22. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  23. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  24. Lossy Trapdoor Functions c ≈ F F ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  25. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . 7 / 15

  26. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S inj x ? F I = x 7 / 15

  27. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x 7 / 15

  28. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). 7 / 15

  29. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). Main Technique ◮ Swapping F with F yields statistically secure system. 7 / 15

  30. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. 8 / 15

  31. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . 8 / 15

  32. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  33. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  34. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H 8 / 15

  35. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H ◮ Public key ( F , H ) , secret key F − 1 . Encrypt m ∈ { 0 , 1 } k as ( F ( x ) , m ⊕ H ( x )) . 8 / 15

  36. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle 9 / 15

  37. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] 9 / 15

  38. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty ◮ Verify ciphertext is “well-formed” ◮ Usually via zero-knowledge proof ◮ Our approach: recover randomness 9 / 15

  39. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . 10 / 15

  40. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . 10 / 15

  41. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · 10 / 15

  42. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · ◮ Lossy TDFs ⇔ all-but-one TDFs. 10 / 15

  43. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 KeyGen ( F , G , H ) 11 / 15

  44. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen m ( F , G , H ) y 1 = F ( x ) y 2 = G ( b , x ) c = H ( x ) ⊕ m 11 / 15

  45. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt m ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  46. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  47. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  48. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Challenge KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  49. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  50. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  51. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ ◮ Challenge ciphertext hides m statistically. 11 / 15

Recommend

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April 20th, 2018 1 / 41 Yu Chen 1 Baodong Qin 2 Haiyang Xue 1 1 SKLOIS, IIE, Chinese Academy of Sciences 2 Xian University of Posts and Telecommunication

1.92k views • 115 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and

Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and

Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and Examplar-Based Generation of Color LUTs D. Tschumperl C. Porquet A. Mahboubi Normandie Univ, UNICAEN, ENSICAEN, CNRS GREYC, F-14000 Caen,

751 views • 32 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of

A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of

A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of Electrical Engineering Princeton University Joint work with: Paul Cuff and H. Vincent Poor November 9, 2015 Overview 1 compression/source coding 1 2

134 views • 12 slides
New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

954 views • 60 slides
Applications of exponential functions Applications of exponential functions abound throughout the

Applications of exponential functions Applications of exponential functions abound throughout the

Applications of exponential functions Applications of exponential functions abound throughout the sciences. Exponential functions are the primary functions that scientists work with. Here are some examples. Elementary Functions Exponential

241 views • 7 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Typical Applications Map functions on data structures Scheduling functions PolyTest

Typical Applications Map functions on data structures Scheduling functions PolyTest

Typical Applications Map functions on data structures Scheduling functions PolyTest polymorphic testing monomorphic testing over functions Many, many more...? Today: quantification over functions is avoided No Show

329 views • 16 slides
Asymptotics of symmetric functions with applications to Setup Asymptotics of statistical

Asymptotics of symmetric functions with applications to Setup Asymptotics of statistical

Asymptotics of symmetric functions with applications to statistical mechanics and representation theory Greta Panova (UCLA) Normalized Schur functions S Asymptotics of symmetric functions with applications to Setup Asymptotics of

661 views • 40 slides
Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and

Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and

Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and its Applications Jon Calhoun 1 , Franck Cappello 1 , 2 , Luke Olson 1 , and Marc Snir 1 , 2 , Sheng Di 2 1 University of Illinois at Urbana-Champaign

653 views • 22 slides
CS 220: Discrete Structures and their Applications Functions Chapter 5 in zybooks Functions A

CS 220: Discrete Structures and their Applications Functions Chapter 5 in zybooks Functions A

CS 220: Discrete Structures and their Applications Functions Chapter 5 in zybooks Functions A function maps elements from one set X to elements of another set Y. A B Brian C Drew range: {A, B, D} D Alan F Ben domain target X =

454 views • 34 slides
Compression Outline Introduction : Lossy vs. Lossless, Benchmarks, 15-583:Algorithms in the

Compression Outline Introduction : Lossy vs. Lossless, Benchmarks, 15-583:Algorithms in the

Compression Outline Introduction : Lossy vs. Lossless, Benchmarks, 15-583:Algorithms in the Real World Information Theory : Entropy, etc. Probability Coding : Huffman + Arithmetic Coding Data Compression II Arithmetic Coding Applications of

933 views • 9 slides
The Parametric Complexity of Lossy Counter Machines Sylvain Schmitz ICALP , July 12, 2019,

The Parametric Complexity of Lossy Counter Machines Sylvain Schmitz ICALP , July 12, 2019,

Lossy Counter Machines Controlled Sequences Antichain Factorisation Width Function Theorem The Parametric Complexity of Lossy Counter Machines Sylvain Schmitz ICALP , July 12, 2019, Patras 1/15 Lossy Counter Machines Controlled Sequences

1.52k views • 123 slides
Tieta functions and applications in cryptography Fonctions thta et applications en cryptographie

Tieta functions and applications in cryptography Fonctions thta et applications en cryptographie

Tieta functions and applications in cryptography Fonctions thta et applications en cryptographie Tise dinformatique Damien Robert 1 1 Caramel team, Nancy Universits, CNRS, INRIA Nancy Grand Est 21/07/2010 (Nancy) Outline Public-key

1.44k views • 60 slides
RPL- Routing over Low Power and Lossy Networks Michael Richardson Ines Robles IETF 94

RPL- Routing over Low Power and Lossy Networks Michael Richardson Ines Robles IETF 94

RPL- Routing over Low Power and Lossy Networks Michael Richardson Ines Robles IETF 94 Questions to answers today 1. What is a low power/lossy network? How does that relate to IoT? 2. What is RPL and how does it work? 3. Why couldn't we do

1.33k views • 66 slides
Ackermann-Hardness for Lossy Counter Machines (and Reset Petri Nets) Philippe Schnoebelen LSV,

Ackermann-Hardness for Lossy Counter Machines (and Reset Petri Nets) Philippe Schnoebelen LSV,

Ackermann-Hardness for Lossy Counter Machines (and Reset Petri Nets) Philippe Schnoebelen LSV, CNRS & ENS Cachan + Oxford 1-year visitor QM EECSTCS Seminar, London, June 20th 2012 Part I: Lossy counter machines 2/20 C OUNTER M ACHINES

559 views • 20 slides
Algorithms in the Real World Data Compression 4 Page 1 Compression Outline Introduction : Lossy

Algorithms in the Real World Data Compression 4 Page 1 Compression Outline Introduction : Lossy

Algorithms in the Real World Data Compression 4 Page 1 Compression Outline Introduction : Lossy vs. Lossless, Benchmarks, Information Theory : Entropy, etc. Probability Coding : Huffman + Arithmetic Coding Applications of Probability Coding :

832 views • 22 slides
Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter

Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter

t r i g o n o m e t r i c f u n c t i o n s t r i g o n o m e t r i c f u n c t i o n s Applications of Trigonometric Functions MCR3U: Functions Example A ferris wheel has a diameter of 16 m, with a minimum height of 2 m above the ground. It

416 views • 3 slides

More recommend