on the lossiness of the rabin trapdoor function
play

On the Lossiness of the Rabin Trapdoor Function Yannick Seurin - PowerPoint PPT Presentation

Aug 24, 2022 •233 likes •803 views

On the Lossiness of the Rabin Trapdoor Function Yannick Seurin ANSSI, France March 27, 2014 PKC 2014 Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 1 / 28 Summary Summary of results We show that the Rabin Trapdoor Function (modular

  1. On the Lossiness of the Rabin Trapdoor Function Yannick Seurin ANSSI, France March 27, 2014 — PKC 2014 Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 1 / 28

  2. Summary Summary of results We show that the Rabin Trapdoor Function (modular squaring) is a lossy trapdoor function when adequately restricting its domain, under an extension of the Φ -Hiding assumption for e = 2 that we name the 2- Φ / 4-Hiding assumption We apply this result to the security of Rabin Full Domain Hash signatures, and show that deterministic variants of Rabin-FDH have a tight reduction from the 2- Φ / 4-Hiding assumption (tight reductions were previously only known for probabilistic variants) By extending a previous “meta-reduction” result by Coron & Kakvi-Kiltz, we show that these deterministic variants of Rabin-FDH are unlikely to have a tight black-box reduction from the Factoring assumption Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 2 / 28

  3. Summary Summary of results We show that the Rabin Trapdoor Function (modular squaring) is a lossy trapdoor function when adequately restricting its domain, under an extension of the Φ -Hiding assumption for e = 2 that we name the 2- Φ / 4-Hiding assumption We apply this result to the security of Rabin Full Domain Hash signatures, and show that deterministic variants of Rabin-FDH have a tight reduction from the 2- Φ / 4-Hiding assumption (tight reductions were previously only known for probabilistic variants) By extending a previous “meta-reduction” result by Coron & Kakvi-Kiltz, we show that these deterministic variants of Rabin-FDH are unlikely to have a tight black-box reduction from the Factoring assumption Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 2 / 28

  4. Summary Summary of results We show that the Rabin Trapdoor Function (modular squaring) is a lossy trapdoor function when adequately restricting its domain, under an extension of the Φ -Hiding assumption for e = 2 that we name the 2- Φ / 4-Hiding assumption We apply this result to the security of Rabin Full Domain Hash signatures, and show that deterministic variants of Rabin-FDH have a tight reduction from the 2- Φ / 4-Hiding assumption (tight reductions were previously only known for probabilistic variants) By extending a previous “meta-reduction” result by Coron & Kakvi-Kiltz, we show that these deterministic variants of Rabin-FDH are unlikely to have a tight black-box reduction from the Factoring assumption Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 2 / 28

  5. Outline Outline Lossiness of the Rabin Trapdoor Function 1 Application to Rabin-Williams-FDH Signatures 2 Extending the Coron-Kakvi-Kiltz Meta-Reduction Result 3 Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 3 / 28

  6. Lossiness of the Rabin Trapdoor Function Outline Lossiness of the Rabin Trapdoor Function 1 Application to Rabin-Williams-FDH Signatures 2 Extending the Coron-Kakvi-Kiltz Meta-Reduction Result 3 Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 4 / 28

  7. Lossiness of the Rabin Trapdoor Function Lossy Trapdoor Function (LTDF) introduced by Peikert and Waters [PW08] have found a wide range of applications (black-box construction of IND-CCA2 PKE, etc.) Reminder: (classical) Trapdoor Function (TDF) A Trapdoor Function (TDF) consists of a generation procedure ( f , td ) ← InjGen ( 1 k ) such that f is injective, easy to compute, but hard to invert without the trapdoor td . f |D| = |C| range R domain D codomain C f − 1 td Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 5 / 28

  8. Lossiness of the Rabin Trapdoor Function Lossy Trapdoor Function (LTDF) introduced by Peikert and Waters [PW08] have found a wide range of applications (black-box construction of IND-CCA2 PKE, etc.) Reminder: (classical) Trapdoor Function (TDF) A Trapdoor Function (TDF) consists of a generation procedure ( f , td ) ← InjGen ( 1 k ) such that f is injective, easy to compute, but hard to invert without the trapdoor td . f |D| = |C| range R domain D codomain C f − 1 td Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 5 / 28

  9. Lossiness of the Rabin Trapdoor Function Lossy Trapdoor Function (LTDF) f f R R D C D C f − 1 td ( f , td ) ← InjGen ( 1 k ) f ← LossyGen ( 1 k ) ≃ indist. ≃ Definition: LTDF A Lossy Trapdoor Function (LTDF) consists of an (injective) generation procedure InjGen as for a classical TDF a lossy generation procedure f ← LossyGen ( 1 k ) such that f has range smaller than domain by a factor ℓ . Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 6 / 28

  10. Lossiness of the Rabin Trapdoor Function Lossy Trapdoor Function (LTDF) f f R R D C D C f − 1 td ( f , td ) ← InjGen ( 1 k ) f ← LossyGen ( 1 k ) ≃ indist. ≃ Security requirement: Lossy and injective functions must be computationally hard to distinguish: � Pr [( f , td ) ← InjGen ( 1 k ) : D ( f ) = 1 ] � � = negl ( k ) − Pr [ f ← LossyGen ( 1 k ) : D ( f ) = 1 ] � Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 6 / 28

  11. Lossiness of the Rabin Trapdoor Function Certified TDF Definition (Certified TDF) A TDF ( f , td ) ← InjGen ( 1 k ) is said to be certified if there exists a polynomial-time algorithm which tells whether f (possibly adversarially generated) is injective or not A certified TDF is “somehow” the opposite of a lossy TDF: TDF is certified = ⇒ TDF cannot be lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 7 / 28

  12. Lossiness of the Rabin Trapdoor Function Certified TDF Definition (Certified TDF) A TDF ( f , td ) ← InjGen ( 1 k ) is said to be certified if there exists a polynomial-time algorithm which tells whether f (possibly adversarially generated) is injective or not A certified TDF is “somehow” the opposite of a lossy TDF: TDF is certified = ⇒ TDF cannot be lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 7 / 28

  13. Lossiness of the Rabin Trapdoor Function The RSA example Injective RSA trapdoor function pick N = pq , with p , q distinct primes pick prime e ≥ 3 with gcd ( e , φ ( N )) = 1 compute d = e − 1 mod φ ( N ) return ( N , e ) defining f : x �→ x e mod N and td = d ⇒ f is injective over Z ∗ N Lossy RSA function pick N = pq with p , q distinct primes pick prime e ≥ 3 such that e divides φ ( N ) return ( N , e ) defining f : x �→ x e mod N ⇒ f is (at least) e -to-1 over Z ∗ N Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 8 / 28

  14. Lossiness of the Rabin Trapdoor Function RSA: lossy or certified? 1 3 N N 4 e e = 2? Lossy Certified Certified ( Φ -Hiding) [CMS99, KKM12] if e prime and e > N , then e must be co-prime with φ ( N ) ⇒ certified 1 4 < e < N , Coppersmith alg. allows to factorize N if e | φ ( N ) , N ⇒ certified 1 4 , it is assumed hard to tell, given ( N , e ) , whether for e < N gcd ( e , φ ( N )) = 1 or e | φ ( N ) ( Φ -Hiding assumption [CMS99]) ⇒ lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 9 / 28

  15. Lossiness of the Rabin Trapdoor Function RSA: lossy or certified? 1 3 N N 4 e e = 2? Lossy Certified Certified ( Φ -Hiding) [CMS99, KKM12] if e prime and e > N , then e must be co-prime with φ ( N ) ⇒ certified 1 4 < e < N , Coppersmith alg. allows to factorize N if e | φ ( N ) , N ⇒ certified 1 4 , it is assumed hard to tell, given ( N , e ) , whether for e < N gcd ( e , φ ( N )) = 1 or e | φ ( N ) ( Φ -Hiding assumption [CMS99]) ⇒ lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 9 / 28

  16. Lossiness of the Rabin Trapdoor Function RSA: lossy or certified? 1 3 N N 4 e e = 2? Lossy Certified Certified ( Φ -Hiding) [CMS99, KKM12] if e prime and e > N , then e must be co-prime with φ ( N ) ⇒ certified 1 4 < e < N , Coppersmith alg. allows to factorize N if e | φ ( N ) , N ⇒ certified 1 4 , it is assumed hard to tell, given ( N , e ) , whether for e < N gcd ( e , φ ( N )) = 1 or e | φ ( N ) ( Φ -Hiding assumption [CMS99]) ⇒ lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 9 / 28

  17. Lossiness of the Rabin Trapdoor Function RSA: lossy or certified? 1 3 N N 4 e e = 2? Lossy Certified Certified ( Φ -Hiding) [CMS99, KKM12] if e prime and e > N , then e must be co-prime with φ ( N ) ⇒ certified 1 4 < e < N , Coppersmith alg. allows to factorize N if e | φ ( N ) , N ⇒ certified 1 4 , it is assumed hard to tell, given ( N , e ) , whether for e < N gcd ( e , φ ( N )) = 1 or e | φ ( N ) ( Φ -Hiding assumption [CMS99]) ⇒ lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 9 / 28

  18. Lossiness of the Rabin Trapdoor Function RSA: lossy or certified? 1 3 N N 4 e e = 2? Lossy Certified Certified ( Φ -Hiding) [CMS99, KKM12] if e prime and e > N , then e must be co-prime with φ ( N ) ⇒ certified 1 4 < e < N , Coppersmith alg. allows to factorize N if e | φ ( N ) , N ⇒ certified 1 4 , it is assumed hard to tell, given ( N , e ) , whether for e < N gcd ( e , φ ( N )) = 1 or e | φ ( N ) ( Φ -Hiding assumption [CMS99]) ⇒ lossy Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 9 / 28

  19. Lossiness of the Rabin Trapdoor Function What about e = 2? The Rabin TDF Modular squaring is never injective over Z ∗ N , it is 4-to-1 x �→ x 2 mod N QR N Z ∗ Z ∗ N N Theorem (Blum) If N = pq is a Blum integer (i.e., p , q = 3 mod 4 ), then any quadratic residue has a unique square root which is also a q.r., called its principal square root. ⇒ when N is Blum, modular squaring is 1-to-1 over QR N Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 10 / 28

Recommend

Overview Rabin Medical Center The Vision Rabin Medical Center the Leading Academic Medical

Overview Rabin Medical Center The Vision Rabin Medical Center the Leading Academic Medical

Overview Rabin Medical Center The Vision Rabin Medical Center the Leading Academic Medical Center in Israel: In treatment and quality of care In supportive attention offered to the patients and their families In innovation and

763 views • 44 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Yehuda Lindell Bar-Ilan University, Israel Tal Rabin IBM Research, New York A set of parties

Yehuda Lindell Bar-Ilan University, Israel Tal Rabin IBM Research, New York A set of parties

Gilad Asharov Bar-Ilan University, Israel Yehuda Lindell Bar-Ilan University, Israel Tal Rabin IBM Research, New York A set of parties with private inputs wish to compute some joint function of their inputs Parties wish to preserve some

478 views • 24 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
The Rabin cryptosystem revisited Michele Elia 1 , Matteo Piva 2 , Davide Schipani 3 Mykonos, 30th

The Rabin cryptosystem revisited Michele Elia 1 , Matteo Piva 2 , Davide Schipani 3 Mykonos, 30th

The Rabin cryptosystem revisited Michele Elia 1 , Matteo Piva 2 , Davide Schipani 3 Mykonos, 30th May 2012 1 Polytechnic of Turin 2 Univesity of Trento 3 University of Zurich M.Piva (University of Trento) Rabin cryptosystem Mykonos, 30th May

503 views • 21 slides
References Compiled by Jill Rabin M.S. CCC-SLP/L IBCLC Ahearn, W.H., Castine, T., Nault, K., and

References Compiled by Jill Rabin M.S. CCC-SLP/L IBCLC Ahearn, W.H., Castine, T., Nault, K., and

References Compiled by Jill Rabin M.S. CCC-SLP/L IBCLC Ahearn, W.H., Castine, T., Nault, K., and Green, G. (2001). An assessment of food acceptance in children with autism and pervasive development disorder-not otherwise specified. Journal of

315 views • 9 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

954 views • 60 slides
Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11 Threshold Cryptography Setting: A

678 views • 39 slides
Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio (UCSD) Nicholas Genise (UCSD) Modern Cryptography Founded on Mathematics / Complexity Theory Start from mathematical problem P that is

461 views • 32 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1 2 2047 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR9983950

768 views • 53 slides
MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE

MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE

MA/CSSE 473 Day 08 Randomized Primality Testing Carmichael Numbers Miller-Rabin test MA/CSSE 473 Day 08 Student questions Fermat's Little Theorem Implications of Fermats Little Theorem What we can show and what we cant

211 views • 7 slides
Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 ,

Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 ,

Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 , Jintai Ding 2 , Bart Preneel 1 1: KU Leuven, ESAT/COSIC first.secondname@esat.kuleuven.be 2: University of Cincinnati, jintai.ding@uc.edu 1/24

587 views • 24 slides
Trapdoor simulation of quantum algorithms Daniel J. Bernstein University of Illinois at Chicago

Trapdoor simulation of quantum algorithms Daniel J. Bernstein University of Illinois at Chicago

Trapdoor simulation of quantum algorithms Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Algorithms in CS courses WHAT is your

598 views • 38 slides
252 State Complexity Klaus Sutner Carnegie Mellon University statecomp 2018/2/2 12:17 Total

252 State Complexity Klaus Sutner Carnegie Mellon University statecomp 2018/2/2 12:17 Total

252 State Complexity Klaus Sutner Carnegie Mellon University statecomp 2018/2/2 12:17 Total Recall: NFAs 1 State Complexity Alternating Automata Rabin and Scott 3 In 1959, Rabin and Scott wrote the seminal paper in automata

846 views • 41 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
String Matching: Rabin-Karp Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005

String Matching: Rabin-Karp Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005

String Matching: Rabin-Karp Algorithm Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The (Exact) String Matching Problem The (exact) string matching problem: Given a text

98 views • 7 slides
Function Calls Function Calls Python supports expressions with math-like functions A

Function Calls Function Calls Python supports expressions with math-like functions A

Module 3 Function Calls Function Calls Python supports expressions with math-like functions A function in an expression is a function call Function calls have the form name (x,y,) function argument name Arguments are

333 views • 20 slides

More recommend