Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions
PKC 2010, May 27, 2010
Petros Mol, Scott Yilek
UC, San Diego
Security for Public-Key Encryption
Setting (figure): a client and a server communicate over an insecure channel; the server holds the key pair (pk, sk) and the client holds pk.
Ideally: protect against all possible attacks.
Modeling all possible attacks is hard (if possible at all).
For PKE: security against adaptive chosen-ciphertext attacks ([Rackoff, Simon 91]).
Chosen-Ciphertext Security (PKE)
Scheme: Π = (KeyGen, Enc, Dec). The game between challenger and adversary:
• Setup: (pk, sk) ← KeyGen(1^n); b ←$ {0,1}; the adversary receives pk.
• Phase 1: the adversary submits ciphertexts c_i and receives m_i = Dec(sk, c_i).
• Challenge: c* = Enc(pk, b) is handed to the adversary.
• Phase 2: the adversary keeps submitting ciphertexts c_i ≠ c* and receives m_i = Dec(sk, c_i).
• Guess: the adversary outputs a bit b'.
Security against CCA attacks: for all efficient adversaries, |Pr[b' = b] - 1/2| = negl(n).
CCA-Secure Encryption (overview)
Timeline 1991-2009 (the slide groups the entries into generic constructions and concrete instantiations):
• 1991: [DDN 91] Enhanced TDPs
• 1998: [CS98] DDH
• 2002: [CS 02] UHPS
• 2004: [CHK 04] IBE
• 2006: [BCHK 06] BCDH
• 2008: [PW08] LTDFs; [CKS08] CDH
• 2009: [RS09] Correlated inputs; [HK09] Factoring
Lossy Trapdoor Functions [PW08]
F = (G, F, F^-1) is an (n, l)-lossy TDF with domain {0,1}^n if it has two modes:
• Injective mode: (s_inj, t) ← G(inj); F(s_inj, ·) is 1-1 on {0,1}^n and the trapdoor inverts it: F^-1(t, F(s_inj, x)) = x.
• Lossy mode: s_loss ← G(loss) (no trapdoor is output); the image is small: |Img(F(s_loss, ·))| = 2^{n-l}, i.e. the function loses l bits of its input.
• Computational requirement: injective-mode indices s_inj and lossy-mode indices s_loss are computationally indistinguishable.
CCA-PKE from LTDFs & Correlated Inputs (generic constructions)
• [Peikert, Waters 08]: (n, n(1-o(1)))-LTDFs → All-But-One TDFs → CCA-secure PKE
• [Rosen, Segev 09]: (n, n(1-o(1)))-LTDFs → Correlated-input OWFs → CCA-secure PKE
• This work: (n, 1/poly(n))-LTDFs → Correlated-input OWFs → CCA-secure PKE

Rest of talk
• OW under Correlated Inputs and the Rosen-Segev Construction
• CCA-security from Slightly LTDFs
• A Slightly LTDF based on Modular Squaring
• Conclusions
One-Wayness Under Correlated Inputs
F = (G, F): a family of efficiently computable functions.
[Def] (w-wise product F^w)
• Generation: G^w runs G w times and outputs f_1, f_2, …, f_w.
• Evaluation: on input (x_1, x_2, …, x_w), output (f_1(x_1), f_2(x_2), …, f_w(x_w)).
• One-wayness: F is one-way under C_w-correlated inputs if for all PPT adversaries A,
  Pr[A(f_1, …, f_w, f_1(x_1), …, f_w(x_w)) = (x_1, …, x_w)] is negligible, where (x_1, …, x_w) ~ C_w.
Rosen-Segev Simplified Construction
Components:
1. F = (G, F, F^-1): injective TDFs, OW under C_w-correlated inputs
2. Π = (Kg, Sign, Ver): one-time signature scheme
3. h: hardcore predicate for F under C_w-correlated inputs
The construction E = (KeyGen, Enc, Dec):
KeyGen: for each position i ∈ {1, …, w} and bit b ∈ {0,1}, sample (f_{i,b}, t_{i,b}) ← G.
  pk = (f_{1,0}, f_{1,1}, …, f_{w,0}, f_{w,1}); sk = (t_{1,0}, t_{1,1}, …, t_{w,0}, t_{w,1}).
Enc(pk, b) for a message bit b:
  (VK, SK) ← Kg, with VK = VK_1 … VK_w ∈ {0,1}^w;
  x = (x_1, …, x_w) ← C_w;
  y_i = f_{i,VK_i}(x_i) for i = 1, …, w;
  c_1 = b ⊕ h(f_{1,VK_1}, …, f_{w,VK_w}, x);
  c_2 = Sign(SK, (y_1, …, y_w, c_1));
  output the ciphertext (VK, y_1, …, y_w, c_1, c_2).
For the CCA proof: two requirements on C_w
• Hardness assumption: F should be OW under C_w.
• Almost perfect simulation of decryption: (x_1, …, x_w) must be reconstructable from any single x_i.
Instantiation ([RS09]): C_w is the w-repetition distribution x_1 = x_2 = … = x_w; (n, n(1-1/w))-lossy TDFs are OW under w-repetition.
Rosen-Segev Generalized Construction
Additional component: an error-correcting code ECC: Σ^k → Σ^w with distance d.
The construction E = (KeyGen, Enc, Dec):
KeyGen: for each position i ∈ {1, …, w} and symbol σ ∈ Σ, sample (f_{i,σ}, t_{i,σ}) ← G.
  pk = (f_{1,0}, …, f_{1,|Σ|-1}, …, f_{w,0}, …, f_{w,|Σ|-1}); sk = (t_{1,0}, …, t_{1,|Σ|-1}, …, t_{w,0}, …, t_{w,|Σ|-1}).
Enc(pk, b) for a message bit b:
  (VK, SK) ← Kg, with VK ∈ Σ^k; encode it as ECC(VK) = σ_1 … σ_w ∈ Σ^w;
  x = (x_1, …, x_w) ← C_w;
  y_i = f_{i,σ_i}(x_i) for i = 1, …, w;
  c_1 = b ⊕ h(f_{1,σ_1}, …, f_{w,σ_w}, x);
  c_2 = Sign(SK, (y_1, …, y_w, c_1));
  output the ciphertext (VK, y_1, …, y_w, c_1, c_2).
Required properties for C_w:
• Hardness assumption: F should be OW under C_w.
• Almost perfect simulation of decryption: (x_1, …, x_w) reconstructable from any d distinct x_i, where d is the distance of the ECC.
Focus of this work: how much lossiness is required from F_loss = (G, F, F^-1) in order for F^w to be OW under C_w?
Talk Outline
• OW under Correlated Inputs and the Rosen-Segev Construction
• CCA-security from Slightly LTDFs
• A Slightly LTDF based on Modular Squaring
• Conclusions
Slightly LTDFs ⇒ CCA
[Lemma] Let F = (G, F, F^-1) be a family of (n, l)-lossy TDFs. Then F^w is OW under any distribution C_w provided
  H∞(C_w) = μ ≥ w(n-l) + ω(log n).
Proof idea:
• F is an (n, l)-lossy TDF with domain {0,1}^n, and (x_1, …, x_w) ~ C_w with H∞(x_1, …, x_w) = μ > w·(n-l) + ω(log n).
• Injective mode (f_1, …, f_w ← G_inj): the output (f_1(x_1), …, f_w(x_w)) has a unique preimage.
• Lossy mode (f_1, …, f_w ← G_loss): the output (f_1(x_1), …, f_w(x_w)) takes at most 2^{w(n-l)} values, so by the entropy bound on C_w a typical output has about 2^{ω(log n)} (super-polynomially many) preimages, and no inverter can single out the one that was sampled.
• The two modes are computationally indistinguishable (≈), so an inverter that succeeds in injective mode would succeed in lossy mode as well, which is information-theoretically impossible except with negligible probability.
(d, w)-subset reconstructable distribution
A distribution over tuples (x_1, x_2, …, x_{w-1}, x_w) (figure: any d of the coordinates x_{i_1}, x_{i_2}, …, x_{i_d} are selected).
• Property: all w elements can be reconstructed from any d distinct x_i's.
• Efficient sampling: via a (d, w)-threshold secret sharing scheme.
• Entropy: if x_i ∈ {0,1}^n, then H∞(x_1, …, x_w) ≈ d·n.
Achieving High Entropy
Encode the verification key VK (k symbols) with an ECC into w symbols (figure: VK_1 ↦ ECC(VK_1), VK_2 ↦ ECC(VK_2)).
Desired property: if VK_1 ≠ VK_2, then ECC(VK_1) and ECC(VK_2) are "far apart".
Reed-Solomon codes: d = w - k + 1 (they meet the Singleton bound).
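The (d, w)-subset reconstructable distribution and the Reed-Solomon encoding of VK are the same object seen twice: Shamir (d, w)-threshold shares are evaluations of a random polynomial of degree below d, and an [w, k] Reed-Solomon codeword is the evaluations of the polynomial whose coefficients are the k symbols of VK. The following added example (written for this summary, not the paper's code) implements both over a constructed small prime field GF(257), checks the Singleton distance w - k + 1 on sample keys, and reconstructs a sampled tuple from every d-subset of its coordinates. The field size, evaluation points 1..w and all keys are constructed choices.

```python
# Added example, not the paper's code: Reed-Solomon encoding of VK and a (d, w)-subset
# reconstructable distribution, both over the constructed prime field GF(P) with P = 257.
import math
import random
from itertools import combinations

P = 257  # constructed field size; symbols sigma_i are elements of Z_P, i.e. n = log2(P) bits each

def poly_eval(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j in GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def rs_encode(vk, w):
    """[w, k, d = w-k+1] Reed-Solomon code: VK = (a_0, ..., a_{k-1}) is the coefficient vector of
    a polynomial of degree < k; the codeword is its evaluations at the w distinct points 1..w."""
    assert 0 < len(vk) <= w < P
    return [poly_eval(vk, i) for i in range(1, w + 1)]

def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))

def rs_distance(k, w):
    """Singleton bound, met with equality by Reed-Solomon codes."""
    return w - k + 1

def rs_distance_holds(k, w, trials, seed=0):
    """Check on random distinct keys that ECC(VK1) and ECC(VK2) differ in >= w-k+1 positions
    (a nonzero difference polynomial of degree < k has at most k-1 roots among the w points)."""
    rng = random.Random(seed)
    for _ in range(trials):
        vk1 = [rng.randrange(P) for _ in range(k)]
        vk2 = [rng.randrange(P) for _ in range(k)]
        if vk1 != vk2 and hamming(rs_encode(vk1, w), rs_encode(vk2, w)) < rs_distance(k, w):
            return False
    return True

def sample_subset_reconstructable(d, w, rng=random):
    """Sample (x_1, ..., x_w) as Shamir (d, w)-threshold shares: evaluations at 1..w of a
    uniformly random polynomial of degree < d. The d coefficients are uniform, so the tuple
    takes P^d equiprobable values and has min-entropy d * log2(P) bits (the slide's d * n)."""
    coeffs = [rng.randrange(P) for _ in range(d)]
    return [poly_eval(coeffs, i) for i in range(1, w + 1)]

def reconstruct(known, w):
    """Lagrange-interpolate from a dict {i: x_i} holding at least d of the coordinates and
    return the full tuple (x_1, ..., x_w)."""
    idx = list(known)
    def interp_at(t):
        total = 0
        for i in idx:
            num, den = 1, 1
            for j in idx:
                if j != i:
                    num = num * (t - j) % P
                    den = den * (i - j) % P   # nonzero: evaluation points are distinct and < P
            total = (total + known[i] * num * pow(den, -1, P)) % P
        return total
    return [interp_at(t) for t in range(1, w + 1)]

def min_entropy_bits(d):
    """H_inf of the sampled tuple: d uniform field coefficients."""
    return d * math.log2(P)

def every_d_subset_reconstructs(d, w, seed=0):
    """Property check: each of the C(w, d) subsets of d coordinates recovers all w of them."""
    rng = random.Random(seed)
    x = sample_subset_reconstructable(d, w, rng)
    return all(reconstruct({i: x[i - 1] for i in subset}, w) == x
               for subset in combinations(range(1, w + 1), d))
```

With d = w - k + 1 the threshold of the sharing scheme equals the code distance, which is exactly the pairing the generalized construction needs: two distinct keys VK_1 ≠ VK_2 agree on at most k - 1 code positions, so at least d positions of a challenge ciphertext are evaluated under functions the simulator holds trapdoors for, and any d of the x_i suffice to reconstruct all w.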
Putting the Pieces Together
Illustration: CCA-security from (n, 1)-lossy TDFs, i.e. (n, 1)-lossy TDFs imply CCA-security.
[Lemma] Let F = (G, F, F^-1) be a family of (n, l)-lossy TDFs. Then F^w is OW under any distribution C_w provided H∞(C_w) = μ ≥ w(n-l) + ω(log n).
• ECC: [w, k, d = w-k+1] Reed-Solomon
• Input distribution: (d, w)-subset reconstructable distribution
• Parameters: k = n^ε, w = n^θ, where θ > 1 + ε; d = w - k + 1
Entropy: d·n > (w-k)·n = w·(n - kn/w) > w·(n-1) + ω(log n), so the lemma applies with l = 1.
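The entropy check above, carried through with the slide's own parameters and then, as an added derivation that is not on the slides, extended from l = 1 to a general lossiness l = n^{-c} (the exponent c is an assumed parameter introduced here):

```latex
\begin{aligned}
\mu \;\approx\; d\cdot n &= (w-k+1)\,n \;>\; (w-k)\,n \;=\; wn - kn \;=\; w(n-1) + (w - kn), \\
w - kn &= n^{\theta} - n^{1+\varepsilon}
        = n^{1+\varepsilon}\bigl(n^{\theta-1-\varepsilon}-1\bigr) = \omega(\log n)
        \quad\text{since } \theta > 1+\varepsilon, \\
\text{hence}\quad \mu &> w(n-1) + \omega(\log n),\ \text{the lemma's condition with } l = 1. \\[6pt]
\text{General } l:\quad (w-k)\,n - w(n-l) &= wl - kn, \\
\text{with } l = n^{-c} \text{ and } \theta > 1+\varepsilon+c:\quad wl - kn &= n^{\theta-c} - n^{1+\varepsilon} = \omega(\log n).
\end{aligned}
```

So the same Reed-Solomon instantiation satisfies the lemma for any lossiness 1/poly(n), at the price of a polynomially larger w (and hence a polynomially larger public key), which is the quantitative content of the "(n, 1/poly(n))-LTDFs suffice" claim.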
Summary: CCA from correlated inputs

Construction               | (d, w)                        | Sufficient lossiness
---------------------------|-------------------------------|---------------------
Rosen-Segev simplified     | d = 1                         | n(1 - 1/w)
Rosen-Segev generalized    | d/w = ε, constant 0 < ε < 1   | ?
Rosen-Segev*               | d/w = 1 - o(1)                | 1/poly(n)

* Construction instantiated with Reed-Solomon codes and a high min-entropy input distribution.
From LTDFs to CCA-Security (generically)
[Figure: amount of lossiness (bits) plotted against the hardness assumption of known LTDF constructions. Points shown: modular squaring under QR (lossiness 1), the RSA function under Φ-hiding (lossiness log e), LWE (lossiness cn), DDH (lossiness n(1-o(1))). The generic transformations of [PW08, RS09] require lossiness n(1-o(1)); this work requires only 1/poly(n).]
Talk Outline
• OW under Correlated Inputs and the Rosen-Segev Construction
• CCA-security from Slightly LTDFs
• A Slightly LTDF based on Modular Squaring
• Conclusions
Hardness Assumption: 2vs3Primes
• 2Primes_n: moduli N = pq with p, q primes and |N| = n.
• 3Primes_n: moduli N' = pqr with p, q, r primes and |N'| = n.
• 2vs3Primes assumption: N ≈_c N', i.e. a random two-prime modulus is computationally indistinguishable from a random three-prime modulus of the same length.

Slightly LTDF from 2vs3Primes
The construction F:
• Sample injective: N ← 2Primes_{n+1}; s_inj = N; trapdoor t = (p, q).
• Sample lossy: N ← 3Primes_{n+1}; s_loss = N.
• Evaluate: F(N, ·): {0,1}^n → Z_N × {0,1} × {0,1},
  F(N, x) = (x^2 mod N, [x > N/2], [J_N(x) = 1]),
  where J_N is the Jacobi symbol and [·] is the indicator bit of the condition.
[Theorem] Under the 2vs3Primes assumption, F is a family of (n, 1/4)-lossy TDFs.
Slightly LTDF from 2vs3Primes
• Invertibility: given (y = x^2 mod N, b_1 = [x > N/2], b_2 = [J_N(x) = 1]) and the trapdoor t = (p, q), compute the square roots of y modulo N; they come in the pairs {x, -x} and {z, -z} (figure). The Jacobi bit b_2 selects the correct pair, and the bit b_1 selects the correct element within the pair (exactly one of x and -x = N - x exceeds N/2).
• Indistinguishability: immediate from the 2vs3Primes assumption.
Slightly LTDF from 2vs3Primes
• Lossiness (N = pqr): squaring is 8-to-1 on Z_N^*, so the map (y = x^2 mod N, b_1 = [x > N/2], b_2 = [J_N(x) = 1]) compresses the domain {0,1}^n. Split the domain into three parts and bound the image of each:
  - x ≥ N/2: at most 2^n - N/2 inputs, hence at most 2^n - N/2 outputs;
  - gcd(x, N) > 1 and x < N/2: at most (N - φ(N))/2 inputs, hence at most (N - φ(N))/2 outputs;
  - gcd(x, N) = 1 and x < N/2: at most φ(N)/4 outputs (b_1 is fixed, y ranges over the φ(N)/8 squares of Z_N^*, and b_2 takes two values).
Adding up, |Img({0,1}^n)| ≤ 2^n - N/2 + (N - φ(N))/2 + φ(N)/4 = 2^n - φ(N)/4 ≤ 2^{n - 1/4}, using N ≥ 2^n and φ(N) ≈ N.
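The construction, its trapdoor inversion and the lossiness bound above can all be checked by brute force at toy size. The following is an added example written for this summary (not the paper's code): it implements F(N, x) = (x^2 mod N, [x > N/2], [J_N(x) = 1]) on {0,1}^n, inverts it in injective mode from the factorisation, and counts the image in both modes. It assumes, as a labelled assumption the slides do not state, that the injective-mode primes are Blum primes (p ≡ q ≡ 3 mod 4), so square roots modulo p are y^{(p+1)/4} and the four roots of y fall into two pairs of opposite Jacobi symbol; the moduli 59·83 and 7·19·31 are constructed 13-bit values for n = 12, far below real parameter sizes.

```python
# Added example (not the paper's code): a toy, brute-force-checkable model of the 2vs3Primes
# slightly lossy TDF  F(N, x) = (x^2 mod N, [x > N/2], [J_N(x) = 1])  on the domain {0,1}^n.
# Assumption (labelled): injective-mode primes are Blum primes, p ≡ q ≡ 3 (mod 4), so square
# roots are y^((p+1)/4) and the four roots of y split into two pairs of opposite Jacobi symbol.
# The moduli below are constructed small values; real instances use n in the thousands of bits.
from itertools import product
from math import log2

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of two: (2/n) = -1 iff n ≡ ±3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def evaluate(N, x):
    """F(N, x): the square plus the two hint bits that undo the 4-to-1 loss of squaring."""
    return (x * x % N, 2 * x > N, jacobi(x, N) == 1)

def crt(rp, p, rq, q):
    """Combine residues mod p and mod q into a residue mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def invert(trapdoor, n, out):
    """Injective mode: recover x from F(N, x) using the factorisation t = (p, q)."""
    p, q = trapdoor
    N = p * q
    y = out[0]
    rp = pow(y % p, (p + 1) // 4, p)   # sqrt mod p (Blum prime; y is a square mod p)
    rq = pow(y % q, (q + 1) // 4, q)
    roots = {crt(sp * rp % p, p, sq * rq % q, q) for sp, sq in product((1, -1), repeat=2)}
    # The two hint bits pick exactly one root: b_2 selects the pair, b_1 the element of the pair.
    matches = [r for r in roots if r < 2 ** n and evaluate(N, r) == out]
    if len(matches) != 1:
        raise ValueError("preimage not unique: %r" % matches)
    return matches[0]

def injective_and_invertible(p, q, n):
    """Check injective mode exhaustively on {0,1}^n: every x is recovered from F(N, x)."""
    N = p * q
    assert N.bit_length() == n + 1 and p % 4 == 3 and q % 4 == 3
    return all(invert((p, q), n, evaluate(N, x)) == x for x in range(2 ** n))

def lossiness_bits(N, n):
    """n - log2 |Img(F(N, .))| over the whole domain {0,1}^n, by enumeration."""
    image = {evaluate(N, x) for x in range(2 ** n)}
    return n - log2(len(image))

if __name__ == "__main__":
    n = 12
    N2 = 59 * 83          # constructed 13-bit two-prime (Blum) modulus: injective mode
    N3 = 7 * 19 * 31      # constructed 13-bit three-prime modulus: lossy mode
    print("injective mode invertible:", injective_and_invertible(59, 83, n))
    print("lossiness (2 primes):", lossiness_bits(N2, n))   # 0.0
    print("lossiness (3 primes):", lossiness_bits(N3, n))   # >= 0.25, per the theorem
```

The three-prime image count comes out below 2^{n - 1/4}, matching the bound on the slide; note that the bound is deliberately loose (the exact figure is 2^n - φ(N)/4, about three quarters of the domain), which is why a quarter of a bit is all the theorem claims and all the generic construction needs.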
Talk Outline
• OW under Correlated Inputs and the Rosen-Segev Construction
• CCA-security from Slightly LTDFs
• A Slightly LTDF based on Modular Squaring
• Conclusions
Conclusions
Summary
• Slightly LTDFs are powerful.
• Black-box construction of CCA-secure PKE from LTDFs with minimal lossiness.
• Construction of a slightly LTDF from 2vs3Primes.
Open Problems
• CCA-security from new hardness assumptions (via slightly lossy TDFs).
• Is small lossiness enough for black-box constructions of other primitives (for example CRHF)?