structure preserving smooth projective hashing

Structure Preserving Smooth Projective Hashing, Olivier Blazy, Céline Chevalier - PowerPoint PPT Presentation

  1. Structure Preserving Smooth Projective Hashing
     Olivier Blazy, Céline Chevalier
     O. Blazy (Xlim) (SP)2H 1 / 25

  2. Outline: 1 Global Framework; 2 Cryptographic Tools; 3 Structure-Preserving SPHF; 4 Applications

  6. Outline: 1 Global Framework (Motivation); 2 Cryptographic Tools; 3 Structure-Preserving SPHF; 4 Applications

  7. Conditional Actions: Oblivious Transfer
     - User → Database: $C(line)$
     - Database → User: $DB[line]$
     - The User learns the value of line but nothing else
     - The Database learns nothing

  8. Conditional Actions: Password Authenticated Key Exchange
     - Alice → Bob: $f(pw_A)$
     - Bob → Alice: $f(pw_B, f_A)$
     - The Users obtain the same key iff their passwords match
     - An Adversary learns nothing

  9. UC Requirements for Adaptive Corruptions
     - First flow should be extractable
     - First flow should be equivocable
     - Memory should be adapted accordingly
     - Memory as a scalar: No real trapdoor possible; Partial Erasure is the only way
     - Memory as a group element: Allows extra trapdoor

  14. Outline: 1 Global Framework; 2 Cryptographic Tools (Encryption Scheme, Smooth Projective Hash Function); 3 Structure-Preserving SPHF; 4 Applications

  15. Definition (Encryption Scheme)
      $E = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$:
      - $\mathsf{Setup}(K)$: param;
      - $\mathsf{KeyGen}(param)$: public encryption key pk, private decryption key dk;
      - $\mathsf{Encrypt}(pk, m; r)$: encrypts $m \in M$ in $c$ using pk;
      - $\mathsf{Decrypt}(dk, c)$: decrypts $c$ under dk.

      Security notion: Indistinguishability under Chosen Ciphertext Attack

  16. Definition (Smooth Projective Hash Functions) [CS02]
      Let $\{H\}$ be a family of functions:
      - $X$, domain of these functions
      - $L$, subset (a language) of this domain

      such that, for any point $x$ in $L$, $H(x)$ can be computed by using
      - either a secret hashing key hk: $H(x) = \mathsf{Hash}_L(hk; x)$;
      - or a public projected key hp: $H'(x) = \mathsf{ProjHash}_L(hp; x, w)$

      Public mapping $hk \mapsto hp = \mathsf{ProjKG}_L(hk, x)$

  17. Properties
      - For any $x \in X$, $H(x) = \mathsf{Hash}_L(hk; x)$
      - For any $x \in L$, $H(x) = \mathsf{ProjHash}_L(hp; x, w)$, with $w$ a witness that $x \in L$
      - Smoothness: For any $x \notin L$, $H(x)$ and hp are independent
      - Pseudo-Randomness: For any $x \in L$, $H(x)$ is pseudo-random, without a witness $w$

  21. Definition (Structure Preserving Smooth Projective Hash Functions)
      $X = G_*^k$, $L \subset G_*^k$ such that, for any point $x$ in $L$, $H(x)$ can be computed as:
      - $H(x) = \mathsf{Hash}_L(hk; x) \in G_T$;
      - $H'(x) = \mathsf{ProjHash}_L(hp; x, w)$

      hp, $x$, $w$ are group elements

  23. Why?
      - Witnesses can now be Group Elements
      - This means, compatible with Groth Sahai Proofs (QA-NIZK, ...)
      - Witnesses can now have trapdoors

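  25. Retro-Compatibility

      |  | SPHF | SP-SPHF |
      |---|---|---|
      | Word $u$ | $[\omega \odot \Gamma(u)]_1$ | $[\omega \odot \Gamma(u)]_1$ |
      | Witness $w$ | $\omega$ | $\Lambda = [f \odot \omega]_2$ |
      | hk | $\lambda$ | $\lambda$ |
      | hp $= [\gamma(u)]_1$ | $[\Gamma(u) \odot \lambda]_1$ | $[\Gamma(u) \odot \lambda]_1$ |
      | $\mathsf{Hash}(hk, u)$ | $[\Theta(u) \odot \lambda]_1$ | $[f \odot \Theta(u) \odot \lambda]_T$ |
      | $\mathsf{ProjHash}(hp, u, w)$ | $[\omega \odot \gamma(u)]_1$ | $[\Lambda \odot \gamma(u)]_T$ |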

  26. Figure: Example of conversion of classical SPHF into SP-SPHF

      |  | SPHF | SP-SPHF |
      |---|---|---|
      | DH | $h^r, g^r$ | $h^r, g^r$ |
      | Witness $w$ | $r$ | $g_2^r$ |
      | hk | $\lambda, \mu$ | $\lambda, \mu$ |
      | hp | $h^\lambda g^\mu$ | $h^\lambda g^\mu$ |
      | $\mathsf{Hash}(hk, u)$ | $(h^r)^\lambda (g^r)^\mu$ | $e((h^r)^\lambda (g^r)^\mu, g_2)$ |
      | $\mathsf{ProjHash}(hp, u, w)$ | $hp^r$ | $e(hp, g_2^r)$ |

  27. Outline: 1 Global Framework; 2 Cryptographic Tools; 3 Structure-Preserving SPHF; 4 Applications (Generic Constructions, SPHF-friendly UC Commitment, Efficiency, MDDH)

  28. Oblivious Transfer [Rab81]
      A user $U$ wants to access a line $\ell$ in a database $D$ composed of $t$ of them:
      - $U$ learns nothing more than the value of the line $\ell$
      - $D$ does not learn which line was accessed by $U$

      Correctness: if $U$ requests a single line, he learns it

      Security Notions
      - Oblivious: $D$ does not learn which line was accessed;
      - Semantic Security: $U$ does not learn any information about the other lines.

  31. Generic 1-out-of-$t$ Oblivious Transfer (Simplified)
      - User $U$ picks $\ell$: computes $C = \mathsf{Encrypt}(\ell; s)$ with an SPHF-friendly UC commitment ($d$ being the decommit information). He sends $C$ and keeps $d$ while erasing the rest.
      - For each line $L_j$, server $S$ computes $hk_j$, $hp_j$, and $H_j = \mathsf{Hash}_{L_j}(hk_j, C)$, $M_j = H_j \oplus L_j$ and sends $M_j$, $hp_j$.
      - For the line $\ell$, the user computes $H'_\ell = \mathsf{ProjHash}_{L_\ell}(hp_\ell, C, d)$, and then $L_\ell = M_\ell \oplus H'_\ell$
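
The classical (SPHF column) DH hash from the conversion figure, plugged into the simplified 1-out-of-t OT flow above; this is an added example, not code from the slides or the authors. Assumptions: plain ElGamal stands in for the SPHF-friendly UC commitment (so nothing here is UC-secure), the group is a toy 61-bit-order Schnorr group, the hash value is turned into an XOR mask with SHAKE-256, and all function names are hypothetical.

```python
import hashlib, secrets
from math import gcd

Q = 2**61 - 1                      # Mersenne prime: order of the toy group
# Smallest k for which P = 2kQ+1 is proven prime by Pocklington's test (base 2)
K = next(k for k in range(1, 10**4)
         if pow(2, 2*k*Q, 2*k*Q + 1) == 1
         and gcd(pow(2, 2*k, 2*k*Q + 1) - 1, 2*k*Q + 1) == 1)
P = 2*K*Q + 1
G = pow(2, 2*K, P)                 # generator g of the order-Q subgroup
H = pow(G, secrets.randbelow(Q - 1) + 1, P)   # second base h, exponent discarded

def kdf(elem, n):
    """Assumption: map a group element to n mask bytes with SHAKE-256."""
    return hashlib.shake_256(elem.to_bytes(16, "big")).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def commit(ell):
    """User: C = (g^s, h^s * g^ell); the decommitment d is s."""
    s = secrets.randbelow(Q)
    return (pow(G, s, P), pow(H, s, P) * pow(G, ell, P) % P), s

def server_reply(C, lines):
    """Server: one (M_j, hp_j) per line; language L_j is 'C commits to j'."""
    c1, c2 = C
    reply = []
    for j, line in enumerate(lines):
        lam, mu = secrets.randbelow(Q), secrets.randbelow(Q)   # hk_j = (lambda, mu)
        hp = pow(H, lam, P) * pow(G, mu, P) % P                # hp_j = h^lambda g^mu
        u = c2 * pow(G, (-j) % Q, P) % P                       # equals h^s iff ell == j
        h_j = pow(u, lam, P) * pow(c1, mu, P) % P              # Hash(hk_j, C)
        reply.append((xor(line, kdf(h_j, len(line))), hp))     # M_j = H_j xor L_j
    return reply

def user_recover(reply, ell, d):
    """User: ProjHash(hp_ell, C, d) = hp_ell^d unmasks only the committed line."""
    m, hp = reply[ell]
    return xor(m, kdf(pow(hp, d, P), len(m)))
```

For an index j other than the committed one, the server's hash equals hp^s multiplied by g^((ell-j)·lambda), which the user cannot compute from hp_j and d alone; that is the smoothness property doing the work of semantic security.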
