Trapdoor functions from the Computational Diffie-Hellman Assumption

Sanjam Garg (1), Mohammad Hajiabadi (1, 2)
(1) University of California, Berkeley
(2) University of Virginia
August 22, 2018

Classical Public-Key Crypto

PKE and TDF

PKE
[Diagram: G takes $1^k$ and outputs (pk, sk); E takes pk, a message m and randomness r and outputs c; D takes sk and c and outputs m.]
Security: $\forall m_0, m_1: (pk, E(pk, m_0; r_0)) \stackrel{c}{\equiv} (pk, E(pk, m_1; r_1))$

TDF
[Diagram: G takes $1^k$ and outputs (ik, tk); F takes ik and x and outputs y; $F^{-1}$ takes tk and y and outputs x.]
One-wayness Security: $(ik, F(ik, x)) \to x$ is hard for random ik, x.

TDF vs PKE

Main Difference
◮ No randomness used in the evaluation algorithm of TDF.

Relations
◮ TDF implies the existence of PKE [Yao’82, GM’82].
◮ TDF impossible from PKE w.r.t. black-box techniques [GMR’01].

TDF Usefulness

[Diagram: two parties, one holding $ik_1, ik_2$ and the other (Bob) holding $ik_1, ik_2$ and $tk_1$.]
$y_1 = F(ik_1, x_1)$, $y_2 = F(ik_2, x_2)$
Prove that $x_1 = x_2$
Bob: Compute $x_1 = F^{-1}(tk_1, y_1)$ and check if $y_2 = F(ik_2, x_1)$.
◮ Application: black-box constructions of CCA-secure PKE ([PW’08, RS’09, etc.]).

PKE instead of TDF
◮ Consistency check: requires some kind of proof (e.g., NIZK). [BFY90, NY90]

What assumptions are sufficient for TDFs?

◮ Factoring
◮ DDH and LWE [PW08]

Big gap from PKE!
This talk: We can do it from CDH.

CDH and DDH

$G$: group of order $p$ and generator $g$.

Computational Diffie-Hellman (CDH)
◮ Hard to compute $g^{xy}$ from $(g, g^x, g^y)$, where $x, y \leftarrow \mathbb{Z}_p$.

Decisional Diffie-Hellman (DDH)
◮ $(g, g^x, g^y, g^{xy}) \stackrel{c}{\equiv} (g, g^x, g^y, g^z)$, where $x, y, z \leftarrow \mathbb{Z}_p$

Why is CDH Preferable?

◮ CDH is a weaker assumption.
◮ There are groups in which CDH is conjectured to be hard but DDH is easy (e.g., $\mathbb{Z}_p^*$, groups with pairings).

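To make the $\mathbb{Z}_p^*$ case concrete, here is an added Python example (not from the talk) of the standard quadratic-residue test that tells Diffie-Hellman tuples apart from arbitrary ones in the full multiplicative group. The modulus Q, the generator G and the function names are constructed for illustration.

```python
# Added example: DDH is easy in the full group Z_Q^* (constructed toy parameters).
Q = 2039  # small prime, toy size
G = 7     # generates all of Z_Q^*, so G^x is a square exactly when x is even

def is_square(a):
    """Euler's criterion: a is a quadratic residue mod Q iff a^((Q-1)/2) == 1."""
    return pow(a, (Q - 1) // 2, Q) == 1

def looks_like_dh(gx, gy, gz):
    """xy is even iff x or y is even, so g^{xy} is a square iff g^x or g^y is."""
    return is_square(gz) == (is_square(gx) or is_square(gy))

def acceptance_rates(n):
    """Fraction of tuples accepted over all exponents 1..n: real DH vs arbitrary z."""
    real = rand = total = 0
    for x in range(1, n + 1):
        for y in range(1, n + 1):
            gx, gy = pow(G, x, Q), pow(G, y, Q)
            real += looks_like_dh(gx, gy, pow(G, x * y, Q))
            for z in range(1, n + 1):
                rand += looks_like_dh(gx, gy, pow(G, z, Q))
                total += 1
    return real / (n * n), rand / total

if __name__ == "__main__":
    # Real tuples are always accepted; arbitrary ones only half the time.
    print(acceptance_rates(20))
```

The test only needs the public values, never the exponents. Working in the prime-order subgroup of squares removes this particular leak.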
Main Challenge in Building TDF from DH-Related Assumptions

Why is constructing TDF from Diffie-Hellman assumptions difficult?
It doesn’t naturally offer trapdoors!

TDF from DDH (Failed Idea Using ElGamal Encryption)

$(G, g)$, $|G| = p$.
[Diagram: key generation takes $1^k$ and outputs $pk = g^{\alpha}$ and $sk = \alpha$; E takes pk, m and r and outputs $c = (g^r, pk^r \cdot m)$; D takes $sk = \alpha$ and c and outputs m; the diagram marks "r ?".]

Main bottleneck in designing TDFs
◮ Recovering r: solving the Discrete Log!

DDH-Based TDF [Peikert-Waters’08]

$(G, g)$, $|G| = p$.
◮ $ik = g^M$ where $M \in \mathbb{Z}_p^{n \times n}$ (and invertible) and $tk = M^{-1}$
[Diagram: F takes $ik = g^M$ and $x \in \{0,1\}^n$ and outputs $y = g^{M x^T}$; $F^{-1}$ takes $tk = M^{-1}$ and y and outputs $(g^{x_1}, \ldots, g^{x_n})$.]
◮ Can solve discrete-log as $x_1 \ldots x_n \in \{0,1\}$!

One-wayness
◮ Matrix pseudorandomness [NR97]: DDH implies $g^M \stackrel{c}{\equiv} g^{M'}$, where $M$ is a random invertible matrix and $M'$ is a random rank-one matrix.
◮ CDH is not known to imply rank indistinguishability.

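The function on this slide, together with Bob's equality check from the "TDF Usefulness" slide, as an added Python example that is not code from the talk or the paper. The toy group (Q, P, G) and the names inverse_mod_p, keygen and consistent are assumptions made here.

```python
# Added example: toy version of F(ik, x) = g^{Mx}; all parameters are constructed.
# The group is far too small to be secure; it only shows the mechanics.
import math
import secrets

Q, P, G = 2039, 1019, 4  # Q = 2P + 1 is a safe prime; G = 2^2 has prime order P

def inverse_mod_p(M):
    """Gauss-Jordan inverse over Z_P; returns None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, P)
        A[c] = [v * inv % P for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % P for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

def keygen(n):
    """ik = g^M entrywise, tk = M^{-1} mod P, for a random invertible M."""
    while True:
        M = [[secrets.randbelow(P) for _ in range(n)] for _ in range(n)]
        Minv = inverse_mod_p(M)
        if Minv is not None:
            return [[pow(G, m, Q) for m in row] for row in M], Minv

def F(ik, x):
    """y_i = prod_j (g^{M_ij})^{x_j} = g^{(Mx)_i}; no randomness is used."""
    return [math.prod(h for h, b in zip(row, x) if b) % Q for row in ik]

def F_inv(tk, y):
    """Apply M^{-1} in the exponent to get g^{x_i}, then read off each bit."""
    gx = [math.prod(pow(yj, t, Q) for t, yj in zip(row, y)) % Q for row in tk]
    return [{1: 0, G: 1}[v] for v in gx]  # g^0 = 1, g^1 = G: no general dlog

def consistent(tk1, ik2, y1, y2):
    """Bob's check: invert y1 with tk1, re-evaluate under ik2, compare to y2."""
    return F(ik2, F_inv(tk1, y1)) == y2
```

Inversion works only because each $x_i$ is a bit, so $g^{x_i}$ is either 1 or g and no discrete logarithm has to be solved.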
1 Background
    Introduction
    Main Challenges
2 Our TDF Construction
    Our Methodology
    Base Primitive: Recyclable Targeting KEM
    TDF from Recyclable Targeting KEM
3 Summary and Future Work

Our Methodology for building TDF from CDH

◮ Derandomizing a class of PKE
◮ TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG’17, BBS’03]

Plan for the rest of the talk
◮ Define Recyclable Targeted KEM
◮ CDH ⇒ Recyclable Targeted KEM (Not discussed. See [DG’17].)
◮ Recyclable Targeted KEM ⇒ TDF

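Key-Encapsulation Mechanism

[Diagram: the PKE diagram with the message m crossed out. G takes $1^k$ and outputs (pk, sk); E takes pk and randomness r and outputs c together with e; D takes sk and c and outputs e.]
e is always a single bit.
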
Recyclable Targeted KEM

Targeting Property [DG’17]
◮ $E(pk, (i, b); r) = (ct, e)$
◮ $D(sk, ct) = e$ if $(pk, sk) \in K(1^{\lambda})$ and $sk_i = b$.
◮ Security: $(pk, sk, ct, e) \stackrel{c}{\equiv} (pk, sk, ct, e')$, where $(ct, e) \xleftarrow{\$} E(pk, (i, 1 - sk_i); r)$ and $e' \xleftarrow{\$} \{0, 1\}$.

Recyclability
ct does not depend on pk. So
$E(pk, (i, b); r) = (E_1((i, b); r), E_2(pk, (i, b); r)) = (ct, e)$

[Diagram, with $i \in [n]$, $b \in \{0, 1\}$: $E_1$ takes $(i, b)$ and r and outputs ct; $E_2$ takes pk, $(i, b)$ and r and outputs e; D takes sk and ct and outputs e if pk = G(sk) and $sk_i = b$.]

Simple construction for recovering the first bit of the input.
◮ $tk = \begin{pmatrix} r_1 \\ r'_1 \end{pmatrix}$ and $ik = \begin{pmatrix} ct_1 \\ ct'_1 \end{pmatrix} = \begin{pmatrix} E_1((i=1, b=0); r_1) \\ E_1((i=1, b=1); r'_1) \end{pmatrix}$
◮ F(ik, sk): let pk = G(sk).