Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols
description
Transcript of Improved Non-Committing Encryption with Application to Adaptively Secure Protocols
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols
joint work withDana Dachman-Soled (Columbia Univ.),
Tal Malkin (Columbia Univ.), andHoeteck Wee (CUNY, Queens College)
Seung Geol Choi Columbia University
2
Outline
• Motivation
• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring
• Conclusion
• Semi-honest vs. Malicious– corrupted parties behave honestly or– arbitrarily
• # corrupted parties– Honest majority vs. dishonest majority.
• Static vs. Adaptive [CFGN96]– corrupts parties are determined at the outset
or– during the protocol adaptively
Adversarial corruption in MPC
More Realistic Assumption on the Adversary
Black-box construction of Adaptively secure MPC with Dishonest Majority
MPC
Adaptively secureoblivious transfer
[IPS08]
(Aug.) NC-PKE
[CLOS02, CDMW09]
Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)?
- Of theoretical interest- More efficient: avoid general NP reductions incurred by ZK proofs.
Non-Committing Encryption (NCE) [CFGN96]
• Encryption that realizes a secure channel against an adaptive adversary– (Possibly interactive) encryption: (Gen, Enc, Dec)– with additional property: SIM
• SIM generates pairs of (e, c) that opens to 0 and to 1.(sender equivocal & receiver equivocal)
Enc(0) Enc(1)
Non-Committing Public Key Encryption (NC-PKE)
• Two-round NCE– Bob sends his pk to Alice– Alice sends an encryption under pk to Bob– Desirable
Goal
Construct (Aug.) NC-PKE from lower primitives
in a black-box manner.
MPC
Adaptively secureoblivious transfer
[IPS08]
(Aug.) NC-PKE
[CLOS02, CDMW09]
8
Outline
• Motivation
• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring
• Conclusion
Known NCE Constructions
[B97,DN00]
[CFGN96]
NC-PKESimulatable
common domain TDPCDHRSA
3-round NCE
Simulatable PKEDDH
LWE[GPV08]
Main Result• Construct NC-PKE from trapdoor Simulatable PKE
– Relaxed notion of simulatable PKE– First NC-PKE from LWE
• Construct trapdoor simulatable PKE from hardness of factoring– First NC-PKE from Factoring
Trapdoor simulatable PKE
NC-PKESimulatable
common domain TDPCDHRSA
3-round NCE
Simulatable PKEDDHLWE
Factoring
Our Contribution
From LWE and factoring, first black box constructions of– NC-PKE– Adaptively secure OT– Adaptively secure MPC with
dishonest majority
MPC
Oblivious Transfer[CLOS02,CDMW09]
[IPS08]
(Aug.) NC-PKE
LWEFactoring
TrapdoorSimulatable PKE
12
Outline
• Motivation
• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring
• Conclusion
Simulatable PKE [DN00]
• PKE (Gen, Enc, Dec) with additional properties– Property 1: Oblivious Sampling
• oGen: generates a random pk w/o learning about its sk
• oRndEnc: generates a random ciphertext w/o learning about its plaintext
• E.g. ElGamal:– key: (y = gx, x) Pick random y in G
– Enc: (gr, m*yr) pick random (c1, c2) from G
Simulatable PKE [DN00]
• Property 2: Invertibility– rGen
• Input: a normally-generated pub-key e,
• Output: randomness rG s.t. oGen(rG) = e
– rRndEnc• Input: a normally-generated key and ciphertext (e,c)
• Output: randomness rE s.t. oRndEnc(e,rE) = c
– E.g. ElGamal:• key: y from (y = gx, x) Output y
• Enc: y and (c1, c2) from (y,x) and (gr, m*yr) Output (c1, c2)
– Property 1: Oblivious Sampling• oGen: generates a random pk w/o learning about its sk• oRndEnc: generates a random ciphertext w/o learning about its plaintext• E.g. ElGamal:
– key: (y = gx, x) Pick random e in G
– Enc: (gr, m*yr) pick random (c1, c2) from G
Trapdoor
Trapdoor
+ randomness for Gen
+ randomness for Gen,End & plaintext
NCE from (trapdoor) simulatable PKE
• Need to construct SIM that generates ciphertexts that open to both 0 and 1.
• General Idea: SIM lies about obliviousness.– Protocol specifies some pk’s and ciphertexts
should be generated obliviously.– SIM knows everything (all the pk’s and
ciphertexts are generated by normal Gen, Enc).– SIM: clever lies on the set of obliviously
generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.
Toy Construction [DN00,KO04] - 1
• Key Gen: (pk0, pk1) – For a random x,
pkx Gen()pk1-x oGen()
• Encrypt. of a bit b: (c0, c1)– For a random y,
cy Enc(b), c1-y oEnc()
• Decryption of (c0, c1): – Output Dec(skx, cx)
c0c1
x = y
b?
pk0 pk1
x y Decryption error = ¼
( Can reduce by repetitions)
Toy Construction [DN00,KO04] - 2
• Secure for adaptive corruption for one party
– Disclaimer: Need to handle decryption error ¼ • If both corrupted?
1 0
Corrupt S: m = 1
1 0
Corrupt R: m = 0
1 0
1 0
Corrupt R
1 0
x is fixed ( x = y ).
Corrupt S
1 0
No events such as
The Idea to achieve NC-PKE
• Summary of the toy construction– R knows half of secret keys – Handles adaptive corruption of one party
[KO04]– Cannot handle corruption of both parties:
lack of freedom to simulate the secondly corrupted parties.
• To handle corruption of both parties– Raise the fraction of obliviousness– ¾ is good enough
The Construction
• KeyGen: (e1,…,e4k)– T: random set of size k
if x∈T, ex Gen()else ex oGen()
• Enc of b: (c1,…,c4k)– S: random set of size k,
if y∈S, cy Enc(bk), else cy oEnc()
• Dec of (c1,…,c4k): If Dec(skT, cT) contains 0k output 0. Else output 1
k = 2
Decryption error
= +
Summary: NCE-PK from (trapdoor) simulatable PKE
• Obliviousness– ¾ of keys and ciphertexts are generated
obliviously.– Still, we get negligible decryption error by
repetitions.– SIM can generate a (e,c) pair that opens to 0
and 1• Keys and ciphertexts are generated normally.• Using (trapdoor) invertibility, fake on obliviously
generated sets.
21
Outline
• Motivation
• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring
• Conclusion
Trapdoor Simulatable PKE from Factoring
• There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f,– Gen() (e, d) : e = f, d = f-1
– Enc(b) (f(x), r, (x · r) b): where r, x is random. • Construct TDP from hardness of factoring
Blum Integers (BI) with oblivious sampling and trapdoor invertibility
Rabin’s TDP for Blum Integers
• Quadratic Residues on a Bl integer N: QRN = {y : y = x2 , x Z∈ N*}
• Rabin TDP– f:QRN QRN
– f(x) = x2 mod N– Is based on hardness of factoring assumption
Basic Idea: for Keys
• Key Generation: sample k3 k-bit integers w/ factoring [Bach ’88]
• Encryption of b given keys (N1, …, Nk3)
– EncN1(b1), …., EncNk3(bk3)
where b = b1 … bk3
– WHP, at least one Ni is BI.
• Oblivious sampling: easy (sample k3 integers)• Trapdoor Invertibility: easy
Basic Idea : for Ciphertexts
• Change TDP description slightly– QN = {a2k : a Z∈ N*} where k = |N|
– f: QN QN , f(x) = x2k+1 mod N
• Oblivious sampling: easy (sample from QN)
• Trapdoor Invertibility: find random 2k-th root w/ factoring
26
Outline
• Motivation
• Our Work– Our Contribution– NC-PKE from Trapdoor Simulatable PKE– Trapdoor Simulatable PKE from Factoring
• Conclusion
Conclusion
From LWE and factoring, first black box constructions of– NC-PKE– Adaptively secure OT– Adaptively secure MPC with
honest minority
MPC
Oblivious Transfer
[CLOS02,CDMW09]
[IPS08]
(Aug.) NC-PKE
LWEFactoring
TrapdoorSimulatable PKE