Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

PKC 2010

May 27, 2010

Petros Mol, Scott Yilek

1

UC, San Diego

2

Security for Public-Key Encryptionclient server

Ideally: Protect against all possible attacks

pk, sk

For PKE: Security against Adaptive Chosen-Ciphertext Attacks ([Rackoff, Simon 91])

pk

Modeling all possible attacks is hard (if possible at all)

insecure channel

3

Chosen-Ciphertext Security (PKE)

pk ci

mi=Dec(sk , ci)

Π=(KeyGen, Enc, Dec)

c*=Enc(pk,b)

(pk,sk) Keygen(1n)

b {0,1}

$

4


pk,

ci ≠ c*

mi=Dec(sk , ci)


c*

b {0,1}

$

(pk,sk) Keygen(1n)

5


b’

Security against CCA attacks

For all efficient adversaries

b {0,1}

$


pk, c*

(pk,sk) Keygen(1n)

|Pr [b’=b]-1/2| =negl(n)

CCA-Secure Encryption (overview)

6

Gen

eric

C

onst

ruct

ions

Con

cret

e In

stan

tiatio

ns

1998

20091991I I I

[DDN 91]Enhanced TDPs

[PW08]LTDFs

[RS09]Correlatedinputs

[CS98]DDH [HK09]

Factoring

2004 2008

[CS 02]UHPS

II2002

[CHK 04]IBE

[BCHK 06]BCDH

2006I I

[CKS08]CDH

CCA-Secure Encryption (overview)

7

Gen

eric

C

onst

ruct

ions

Con

cret

e In

stan

tiatio

ns

1998

20091991I I I

[DDN 91]Enhanced TDPs

[CS98]DDH [HK09]

Factoring

2004 2008

[CS 02]UHPS

II2002

[CHK 04]IBE

[BCHK 06]BCDH

2006I I

[CKS08]CDH

[PW08]LTDFs

[RS09]Correlatedinputs

8

Lossy Trapdoor Functions [PW08]

Injectivemode

F(sinj , .) : 1-1

..

Lossymode

computationalrequirement

{0,1}n

F =(G, F, F-1) (n,l)-lossy TDF {0,1}n

(sinj , t) G(inj)

F(sinj , .

)

(sloss , ) G(loss)

F(sloss ,.

)F(sloss ,.

)F(sloss ,.)

|Img(F(sloss ,.))|=2n-l

F-

1(t , .)

9

CCA-PKE from LTDFs & Correlated Inputs(generic constructions)

[Peikert, Waters 08]

(n, n(1-o(1))) LTDFs

All But One TDFs

CCA-securePKE

[Rosen, Segev 09]

(n, n(1-o(1))) LTDFs

Correlated input OWFs

CCA-securePKE

This work

(n, 1/poly(n))

LTDFs

CCA-securePKE

Correlated input OWFs

Rest of talk• OW under Correlated Inputs and the Rosen-Segev Construction

• CCA-security from Slightly LTDFs

• A Slightly LTDF based on Modular Squaring

• Conclusions

10

11

One-Wayness Under Correlated Inputs

family of efficiently computable functions

[Def] (w-wise product)

• Generation:

• Evaluation:

(f1(x1), f2(x2),…, fw(xw))

f1, f2,…,fw

(x1, x2, … , xw)

• One-Wayness: F one-way under Cw-correlated inputs if for all PPT adversaries A

F =(G, F)

Gw

Pr[A(f1, …, fw, f1(x1),…, fw(xw))= (x1,..., xw)] : negligible

where (x1,..., xw) ~ Cw

Rosen-Segev Simplified construction

12

Components1. F =(G, F, F-1): injective TDFs, OW under Cw-correlated

inputs2. Π = (Kg, Sign, Ver) one-time signature scheme3. h hardcore predicate for F under Cw-correlated inputsThe Construction: E= (KeyGen, Enc, Dec)

KeyGensk

pk

. . .

. . . G

Enc

t1,0 t1,1

f1,0 f1,1 fw,0 fw,1

tw,0 tw,1

(VK, SK) Kg ;VK=VK1. . .VKw

{0,1}w ;

x = (x1,… , xw) Cw yi =fi,Vki

(xi)

13



KeyGensk

pk

. . .

. . . G

Enc

t1,0 t1,1

f1,0 f1,1 fw,0 fw,1

tw,0 tw,1


{0,1}w ;


(xi)


14



KeyGensk

pk

. . .

. . . G

Enc

t1,0 t1,1

f1,0 f1,1 fw,0 fw,1

tw,0 tw,1


{0,1}w ;


(xi)

14

c1 = b h(f1,Vk1, … , fw,Vkw

,

x)(VK, y1, … , yw, c1, c2 )

c2 =Sign (SK, y1, … , yw, c1 )


15

For CCA proof : 2 requirements from Cw

• Hardness assumption: F should be OW under Cw

• almost perfect simulation of decryption: (x1,…, xw) reconstructable from any xi

: w-repetition distribution x1=x2=. . .=xw

Instantiation ([RS09])

(n, n(1-1/w))-lossy TDFs OW under w-repetition

Cw


Additional Component

The Construction: E= (KeyGen, Enc, Dec)

KeyGen

sk

pk

. . .

Enc

t1,0 t1,|Σ|-1

(VK, SK) Kg , VK Σk ; ECC(VK) = σ1. . .σw

Σw x = (x1,… , xw) Cw

yi =fi,σi (xi)

16

ECC: Σk Σw with distance d

. . . tw,0 tw,|Σ|-1. . .

. . .f1,0 f1,|Σ|-1. . . fw,0 fw,|Σ|-1. . .

Rosen-Segev Generalized construction



KeyGen

sk

pk

. . .

Enc

t1,0 t1,|Σ|-1


Σw x = (x1,… , xw) Cw

yi =fi,σi (xi)

17


. . . tw,0 tw,|Σ|-1. . .

. . .f1,0 f1,|Σ|-1. . . fw,0 fw,|Σ|-1. . .




KeyGen

sk

pk

. . .

Enc

t1,0 t1,|Σ|-1


Σw x = (x1,… , xw) Cw

yi =fi,σi (xi)

18

c1 = b h(f1,σ1, … , fw,σw

,

x)

(VK, y1, … , yw, c1, c2 )

c2 =Sign (SK, y1, … , yw, c1 )


. . . tw,0 tw,|Σ|-1. . .

. . .f1,0 f1,|Σ|-1. . . fw,0 fw,|Σ|-1. . .


19

Required properties for Cw

• Hardness assumption: F should be OW under Cw

• almost perfect simulation of decryption: (x1,…, xw) reconstructable from any d distinct xi

How much lossiness is required from Floss = (G, F, F-1)

in order for Fw to be OW under Cw ?

Focus of this work


distance of the ECC

Talk Outline• OW under Correlated Inputs and the Rosen-Segev Construction



• Conclusions

20

21

[Lemma] F =(G, F, F-1) family of (n,l)-lossy TDFs, then Fw is OW under any distribution Cw provided

Sligthly LTDFs CCA

• F = (n,l)-lossy TDF with domain {0,1}n

• (x1,..., xw) ~ Cw with H∞(x1,..., xw) = μ > w.(n-l) + ω(log n)

f1, f2,…,fw

Ginj

(f1(x1), f2(x2),…, fw(xw))

f1, f2,…,fw Gloss(f1(x1), f2(x2),…, fw(xw))

takes at most 2w(n-l) values≈

H∞(Cw) = μ ≥ w(n-l) + ω(log n)

2ω(log n) manypreimagesuniquepreimage

22

(d,w)-subset reconstructable distribution

… … …xi1xi2

xid

. . .x1 x2 xw-1 xw

Property: All w elements can be reconstructed by any d distinct xi’s

Efficient Sampling: (d,w)-threshold secret sharing scheme

Entropy: If xi {0,1}n , then H∞(x1,..., xw) ≈ d.n

23

Achieving High Entropy

…VK1

… k …

…

w

ECC

Desired property: If VK1≠ VK2, then ECC(VK1), ECC(VK2) “far apart”

ECC

VK2

ECC(VK1)

Reed Solomon Codes: d=w-k+1 (meet Singleton bound)

ECC(VK2)

k

24

Putting the Pieces Together

Illustration: CCA-Security from (n,1)-lossy TDFs

(n,1)-lossy TDFs imply CCA-security

[Lemma] F =(G, F, F-1) family of (n,l)-lossy TDFs, then Fw is OW under any distribution Cw provided

H∞(Cw) = μ ≥ w(n-l) + ω(log n)

• ECC: [w, k, d=w-k+1] Reed-Solomon• Input Distribution: (d, w)-subset reconstructable

distribution• k=nε, w=nθ, where θ> 1+ ε. d=w-k+1

Entropy: d.n > (w-k).n = w.(n-kn/w) > w.(n-1) + ω(log n)

Summary: CCA from correlated inputs

25

Construction (d,w) Sufficient lossiness

Rosen- Segevsimplified

d=1 n(1-1/w)

Rosen- Segevgeneralized

d/w=ε:const0<ε<1 ?

Rosen-Segev* d/w=1-ο(1) 1/poly(n)

* Construction instantiated with Reed-Solomon codes and high min-entropy input distribution.

26

amount of lossiness (bits)

hardnessassumption

II

LWEcn I

1 I

loge I

From LTDFs to CCA-Security (generically)

RSA functionΦ-hiding

mod squaringQR

[PW08, RS09]

1/poly(n)

n(1-o(1)) DDH

27

amount of lossiness (bits)

hardnessassumption

II

LWEcn I

1 I

loge I

From LTDFs to CCA-Security (generically)

RSA functionΦ-hiding

mod squaringQR

1/poly(n)

n(1-o(1)) DDH

this work




• Conclusions

28

Hardness Assumption: 2vs3Primes

29

Slightly LTDF from 2vs3Primes

2Primesn

p , q: primesN= pq ; |N|=n

3Primesn

p ,q, r : primes N’ =pqr ; |N’|=n

The construction F

• Sample injective: N 2Primesn+1 ; sinj=N ; t=(p,q)

• Evaluate: F: {0,1}n ZN

F(N , x) =(x2 mod N, (x>N/2) , (JN(x)=1))

N ≈ N’c

• Sample lossy: N 3Primesn+1 ;

sloss=N

[Theorem] Under the 2vs3Primes assumption, F is a family of (n,¼)-lossy TDFs.

30


• Invertibility ( y= x2 mod N, b1= (x>N/2) , b2= (JN(x)=1))

y t=(p,q) x , -xz , -z

xzb1 b2 x

• Indistinguishability

Immediate from 2vs3Primes assumption

31

• Lossiness (N= pqr)


8-to-1ZN

( y= x2 mod N, b1= (x>N/2) , b2= (JN(x)=1))

{0,1}n

x ≥ N/2

gcd(x,N)>1 and

x<N/2

gcd(x,N)=1 and

x<N/2

|Img({0,1}n)|≤ 2n-

1/4

≤ φ(N)/4

≤ (N-φ(N))/2

≤ 2n-N/2




• Conclusions

32

Conclusions

Summary• Slightly LTDFs are powerful.

• Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.

• Construction of a slightly LTDF from 2vs3PRIMES

33

Open Problems• CCA-security from new hardness assumptions (via slightly

lossy TDFs)

• Is small lossiness enough for BB construction of other primitives (for example CRHF) ?

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Documents

Transcript of Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions