Slide 1: Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting
Zvika Brakerski (Weizmann Institute) and Gil Segev (Microsoft Research Silicon Valley)
Slide 2: Probabilistic Encryption
- Enc_pk(m)
- Semantic security [GM82]: no adversary can learn any meaningful information on m
- The encryption algorithm must be randomized
Slide 3: Deterministic Encryption
- Efficiency: short ciphertexts; each pk may even define a permutation
- Functionality: searchable encryption; each pk defines a one-to-one mapping, so it is easy to check whether c encrypts m relative to pk
Slide 4: What About Security?
- Inherent limitation: each pk defines a one-to-one mapping, so it is easy to check whether c encrypts m relative to pk
- Security for high-entropy messages [BBO07], inspired by [RW02, DS05] in the symmetric-key setting
- Exciting line of research [BFO08, BFOR08, BBNRSSY09, O'N10, ...]
- Meaningful for various applications (e.g., key encapsulation): Enc_pk(key), AES_key(0), AES_key(1), ...
Slide 5: Notion of Security ([BBO07] simplified)
[Diagram: a message m is drawn from a high-entropy message source ℳ; the adversary receives pk and Enc_pk(m), and is compared against a simulator 𝒮]
Slide 6: The Auxiliary-Input Setting
- Enc_pk(key), AES_key(0), AES_key(1), ...
- Encryption is a building block of a larger system, and additional information is available
- Does key have any entropy given (AES_key(0), AES_key(1), ...)?
- No security guarantees from current models and schemes (noticed already by [DS05, BBO07])
Slide 7: This Talk: Better Security
- Model: deterministic encryption in the auxiliary-input setting, with hard-to-invert auxiliary inputs; generalizes the high-entropy setting
- Constructions: security w.r.t. all auxiliary inputs that are sub-exponentially hard, based on standard hardness assumptions:
  - d-Linear for any d ≥ 1 (Decisional Diffie-Hellman, ...)
  - Subgroup indistinguishability [BG10] (Quadratic Residuosity, Composite Residuosity, ...)
Slide 8: Outline
- Hard-to-invert auxiliary inputs
- Security in the auxiliary-input setting
- Construction based on d-Linear
Slide 9: Hard-to-Invert Auxiliary Inputs
- Definition: a function f is ε-hard-to-invert relative to 𝒳 if for any efficient algorithm A it holds that Pr_{x ← 𝒳}[A(f(x)) = x] ≤ ε
- Example: f(key) = (AES_key(0), AES_key(1), ...)
- A is required to output the exact same x (and not any x' ∈ f^{-1}(f(x)), as with one-wayness)
- The source of hardness may be any combination of: information-theoretic hardness (f has many collisions) and computational hardness (f is injective)
Slide 10: Our Notion of Security (simplified)
[Diagram: a message m is drawn from ℳ and f is hard-to-invert relative to ℳ; the adversary receives pk, Enc_pk(m) and f(m), and is compared against a simulator 𝒮 that receives only f(m)]
Slide 11: Construction Based on d-Linear
- Based on the lossy trapdoor function of [FGKRS10]
- 𝔾: a group of order p generated by g
- Key generation: sample an invertible A = (a_ij) ← ℤ_p^{n×n}; output sk = A^{-1} and pk = g^A ∈ 𝔾^{n×n}, where (g^A)_ij = g^{a_ij}
- Encryption: given m ∈ {0,1}^n, output g^{Am} ∈ 𝔾^n, where (g^{Am})_i = g^{Σ_j a_ij m_j} = Π_j (g^{a_ij})^{m_j}
- Decryption: given v ∈ 𝔾^n, compute g^m = g^{A^{-1} · (Am)} ∈ 𝔾^n entrywise in the exponent, and output m ∈ {0,1}^n
Slide 12: Proof of Security
- [BHHO08, NS09]: d-Linear ⇒ g^A ≈_c g^B, where rank(B) = d
- [Diagram, shown for d = 1: pk = g^A is replaced by g^B with B = (r; α_2 r; ⋮; α_n r), so Bm = (⟨r,m⟩, α_2⟨r,m⟩, ⋮, α_n⟨r,m⟩) and Enc_pk(m) = g^{Bm} = (g^{⟨r,m⟩}, g^{α_2⟨r,m⟩}, ⋮, g^{α_n⟨r,m⟩}), given alongside f(m); the ciphertext is then independent of m]
- [GL89, DGKPV10]: f is ε-hard-to-invert relative to ℳ ⇒ (r, ⟨r,m⟩) is pseudorandom
Slide 13: Additional Features of Our Schemes
- Security for multiple users and related messages: any number of users, linearly-related messages, without requiring sub-exponential hardness: Enc_pk_1(m_1), ..., Enc_pk_n(m_n)
- Homomorphic properties: additions and one multiplication
  - g^{Am_1} · g^{Am_2} = g^{A(m_1 + m_2)}
  - e(g^{Am_1}, g^{Am_2}) = e(g,g)^{A m_1 m_2^T A^T}
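As an added worked example (not part of the talk and not the authors' code), the following Python block instantiates the d = 1 (DDH) construction from slide 11 in a toy prime-order group, exercises the homomorphic addition from slide 13, and reproduces the lossy-mode observation behind slide 12: under a rank-1 matrix B with rows α_i·r, the ciphertext depends on m only through ⟨r,m⟩ mod q, so 2^n messages collapse into at most q ciphertexts. The group (quadratic residues mod the safe prime 1019, order 509, generator 4), the matrix sizes and the seeds are constructed toy values; the function names are this example's own.

```python
"""Toy instance of the d-Linear-based deterministic scheme (d = 1, i.e. DDH)
over the prime-order subgroup of Z_P^*, plus the rank-1 "lossy" hybrid used
in the security proof. Constructed example with toy-sized parameters."""
import random

# Constructed toy group: P = 2q + 1 is a safe prime, the quadratic residues
# mod P form a subgroup G of prime order q, and g = 4 = 2^2 generates it.
P = 1019
Q = 509
G = 4


def inverse_mod_matrix(a, q):
    """Gauss-Jordan inverse of a square matrix over Z_q; None if singular."""
    n = len(a)
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % q), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [(x * inv) % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % q for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def keygen(n, seed):
    """sk = A^{-1}, pk = g^A (entrywise) for a random invertible A in Z_q^{n x n}."""
    rng = random.Random(seed)
    while True:
        a = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        a_inv = inverse_mod_matrix(a, Q)
        if a_inv is not None:
            break
    pk = [[pow(G, x, P) for x in row] for row in a]
    return a_inv, pk


def encrypt(pk, m):
    """Deterministic: c_i = prod_j (g^{a_ij})^{m_j} = g^{(Am)_i} for m in {0,1}^n."""
    c = []
    for row in pk:
        acc = 1
        for elem, bit in zip(row, m):
            if bit:
                acc = acc * elem % P
        c.append(acc)
    return tuple(c)


def decrypt(sk, c, max_val=2):
    """Apply A^{-1} in the exponent: prod_j c_j^{b_ij} = g^{(A^{-1} A m)_i} = g^{m_i}.
    The exponent is decoded by a tiny lookup so that a homomorphically added
    ciphertext (entries in {0,1,2}) decrypts as well."""
    table = {pow(G, v, P): v for v in range(max_val + 1)}
    out = []
    for row in sk:
        acc = 1
        for b, cj in zip(row, c):
            acc = acc * pow(cj, b, P) % P
        out.append(table[acc])
    return out


def add_ciphertexts(c1, c2):
    """g^{Am_1} * g^{Am_2} = g^{A(m_1 + m_2)}, entrywise."""
    return tuple(x * y % P for x, y in zip(c1, c2))


def lossy_pk(n, seed):
    """Rank-1 hybrid of the proof: rows alpha_i * r with alpha_1 = 1, so
    Bm = <r,m> * (1, alpha_2, ..., alpha_n) depends on m only via <r,m>."""
    rng = random.Random(seed)
    r = [rng.randrange(Q) for _ in range(n)]
    alphas = [1] + [rng.randrange(1, Q) for _ in range(n - 1)]
    b = [[(al * x) % Q for x in r] for al in alphas]
    return [[pow(G, x, P) for x in row] for row in b]


def count_distinct_ciphertexts(pk, n):
    """Number of distinct ciphertexts over all 2^n bit-vectors (injective pk
    gives 2^n; the rank-1 pk gives at most q)."""
    seen = {encrypt(pk, [(k >> j) & 1 for j in range(n)]) for k in range(1 << n)}
    return len(seen)
```

Determinism is what makes the slide-3 check possible: re-encrypting the same m under the same pk yields the identical ciphertext, so anyone holding pk can test a candidate plaintext against a ciphertext. The lossy count shows concretely what the proof exploits: once g^A is swapped for the rank-1 g^B, the encryption of m reveals nothing beyond ⟨r,m⟩, which [GL89, DGKPV10] shows is pseudorandom given f(m).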
Slide 14: Conclusions and Open Problems
- Deterministic encryption in the auxiliary-input setting: meaningful security for hard-to-invert auxiliary inputs
- Open problems: eliminating the sub-exponential hardness requirement; security beyond linearly-related messages; dealing with pk-dependent messages and auxiliary inputs
Thank you!