Chosen-Ciphertext Security from Subset Sum, PKC 2016, 07.03.2016

  1. Chosen-Ciphertext Security from Subset Sum. PKC 2016, 07.03.2016. Sebastian Faust (1), Daniel Masny (1), Daniele Venturi (2). (1) Ruhr Universität Bochum, (2) Sapienza University of Rome.

  2. Outline: (1) Our Contribution, (2) Subset Sum, (3) CCA secure PKE, (4) Tag-Based Encryption

  7. Our Contribution
     State of the Art
     ▶ CPA-secure Public Key Encryption (PKE) from Subset Sum [LPS10].
     ▶ The security decreases with the message length.
     ▶ Solution: split message (not possible for CCA)
     Our Results
     ▶ We construct a CCA-secure PKE from Subset Sum (using [MP12]).
     ▶ The security of our PKE does not decrease with the message length.

  13. Subset Sum
      Subset Sum$(n, \mu)$: Find secret $s \in \{0,1\}^n$, given $(A := (a_1, \dots, a_n),\ t := s_1 a_1 + \dots + s_n a_n) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu$.
      Hardness of Subset Sum, by density $\delta := \frac{n}{\log \mu}$ [figure: axis of densities marked $\Theta(\frac{1}{n})$, $\Theta(\frac{1}{\log n})$, $\Theta(1)$, $\Theta(\frac{n}{\log^2 n})$]
      ▶ We focus on $\delta = \Theta(\frac{1}{\log n})$.
      Decisional Subset Sum [IN96]: $(A, t)$ is hard to distinguish from uniform.

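  19. “LWE” form of Subset Sum [LPS10]
      $(A, t) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu \;\to\; \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$
      Let $\mu = q^m$, then we can represent $a \in \mathbb{Z}_\mu$ as value in $\mathbb{Z}_q^m$:
      $a = a_m \cdot q^{m-1} + \dots + a_1 \cdot q^0 \;\hat{=}\; (a_m, \dots, a_1)^T \in \mathbb{Z}_q^m$
      Therefore
      $A = (a_1, \dots, a_n) \;\hat{=}\; \begin{pmatrix} a_{1,m} & \cdots & a_{n,m} \\ \vdots & \ddots & \vdots \\ a_{1,1} & \cdots & a_{n,1} \end{pmatrix} \in \mathbb{Z}_q^{m \times n}$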

  25. “LWE” form of Subset Sum [LPS10]
      $t = s_1 a_1 + \dots + s_n a_n \in \mathbb{Z}_{q^m}$,
      $\hat{=}\; s_1 \begin{pmatrix} a_{1,m} \\ \vdots \\ a_{1,2} \\ a_{1,1} \end{pmatrix} + \dots + s_n \begin{pmatrix} a_{n,m} \\ \vdots \\ a_{n,2} \\ a_{n,1} \end{pmatrix} + \begin{pmatrix} e_m(A,s) \\ \vdots \\ e_2(A,s) \\ e_1(A,s) \end{pmatrix} \in \mathbb{Z}_q^m$,
      where $e(A, s)$ is a vector of carries.
      From now on, $(A,\ t = As + e(A,s)) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$ ($m$ samples).

  33. Many Samples from Subset Sum
      $\mu = q^m \Rightarrow m$ samples $\Rightarrow \delta = \frac{n}{\log \mu} = \frac{n}{m \cdot \log q}$ (easy for e.g. $m = n^2$)
      From $m$ to $\ell$ samples:
      ▶ given $(A, t) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$
      ▶ $R \leftarrow D_q^{\ell \times m}$, where $D$ has sufficient min-entropy.
      ▶ output $(RA,\ Rt = RAs + Re(A,s)) \in \mathbb{Z}_q^{\ell \times n} \times \mathbb{Z}_q^\ell$
      ▶ Leftover hash lemma [HILL99]: If $(A, t)$ is uniform $\Rightarrow$ $(A, t, RA, Rt)$ is uniform.
      ▶ $(RA, Rt)$ is not Subset Sum distributed ($Re(A,s) \neq e(RA, s)$).
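
The digit decomposition from the “LWE” form slides and the re-randomization step above, worked through on a toy instance. This is an added example, not code from the talk; the parameters (q = 10, m = 2, a = (57, 68), s = (1, 1)) and the fixed matrix R are constructed for illustration, and rows are stored from digit 1 upward rather than from digit m down as on the slides.

```python
def digits(a, q, m):
    """Base-q digits (a_1, ..., a_m) of a, least significant digit first."""
    return [(a // q**j) % q for j in range(m)]

def lwe_form(a_list, s, q, m):
    """Rewrite a Subset Sum instance mod q^m as (A, t, e) with t = A s + e mod q.
    Row j holds digit j+1; the slides list rows from digit m down to digit 1."""
    A = [list(row) for row in zip(*(digits(a, q, m) for a in a_list))]
    t = digits(sum(si * ai for si, ai in zip(s, a_list)) % q**m, q, m)
    e, carry = [], 0
    for row in A:
        e.append(carry % q)  # carry arriving from the lower digits
        carry = (sum(x * si for x, si in zip(row, s)) + carry) // q
    return A, t, e

def matvec(M, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in M]

def rerandomize(A, t, R, q):
    """From m to l samples: return (RA, Rt) mod q for an l x m matrix R."""
    RA = [matvec(list(zip(*A)), r, q) for r in R]
    return RA, matvec(R, t, q)

def carries_of(RA, s, q):
    """e(RA, s): carries when the columns of RA are themselves read as numbers."""
    l = len(RA)
    nums = [sum(RA[j][i] * q**j for j in range(l)) for i in range(len(s))]
    return lwe_form(nums, s, q, l)[2]

def demo():
    # Constructed toy instance: q = 10, m = 2, so mu = 100 and digits are decimal.
    q, m, a_list, s = 10, 2, [57, 68], [1, 1]
    A, t, e = lwe_form(a_list, s, q, m)   # t = 125 mod 100 = 25
    R = [[1, 1], [0, 1]]                  # constructed R with l = 2, not sampled from D
    RA, Rt = rerandomize(A, t, R, q)
    return {"A": A, "t": t, "e": e, "RA": RA, "Rt": Rt,
            "Re": matvec(R, e, q), "e_RA": carries_of(RA, s, q)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Each carry is at most n − 1, which is what makes e(A, s) behave like a small noise term; after multiplying by R the noise Re(A, s) is still consistent with Rt but no longer equals the carries e(RA, s) of the new instance.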

  39. CCA secure PKE
      Given a One-Time Signature (OTS), [CHK04]: TBE + OTS → CCA-secure PKE.
      Tag-Based Encryption (TBE): TBE = (Gen, Enc, Dec).
      Correctness: For $(sk, pk) \leftarrow Gen(1^n)$: $Dec(sk, \tau, Enc(pk, \tau, M)) = M$
      Security: For all ppt Adv.: $\Pr[b' = b] = 1/2$.
      [Figure: security game with Adv., in order: $(sk, pk) \leftarrow Gen(1^n)$; $M = Dec(sk, \tau, c)$, ···; $b \leftarrow \{0,1\}$; $c^* \leftarrow Enc(pk, \tau^*, M_b)$; $M = Dec(sk, \tau, c)$, ···]
