Cryptographic Reverse Firewall via Malleable Smooth Projective Hash - - PowerPoint PPT Presentation

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions

Rongmao Chen, Yi Mu, Guomin Yang, Willy Susilo, Fuchun Guo and Mingwu Zhang

Asiacrypt 2016, Hanoi

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

Background

q Edward Snowden Revelations q Massive surveillance by intelligence agencies q Undermining security mechanisms

q subverting cryptographic protocols q deploying security weakness in implementations

Background

q Edward Snowden Revelations q Massive surveillance by intelligence agencies q Undermining security mechanisms

q subverting cryptographic protocols q deploying security weakness in implementations

q Post-Snowden Cryptography

q How to achieve meaningful security for cryptographic protocols in the presence of an adversary that may arbitrarily tamper with the victim’s machine?

IACR Statement On Mass Surveillance

The membership of the IACR repudiates mass surveillance and the undermining

• f

cryptographic solutions and standards，Population-wide surveillance threatens democracy and human dignity. We call for expediting research and deployment

• f

effective techniques to protect personal privacy against governmental and corporate overreach.

• -Copenhagen, Eurocrypt 2014

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

Cryptographic Reverse Firewall [MS15]

p A stateful algorithm 𝒳

p Input: current state 𝜐 and message 𝑛 p Output: updated state 𝜐̃ and message 𝑛 %

p A “composed” party 𝒳 ∘ P

p 𝒳 is applied to the incoming and outgoing messages of party P p the state of 𝒳 is initialized to the public parameters p 𝒳 is called a reverse firewall for P p “active router” between P ’s private network and the

• utside

𝒳 P

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

Cryptographic Reverse Firewall [MS15]

𝒳 P

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

p Transparent to legitimate traffic

p does not break functionality (Functionality-maintaining)

p 𝒳 shares no secret with P

p we do not trust the firewall (Security-preserving)

p No corrupted implementation of P can leak information through 𝒳 (Exfiltration-resistant) p Stackable reverse firewalls

p composition of multiple reverse firewalls 𝒳 ∘ 𝒳 ∘ ⋯ ∘ 𝒳 ∘ P

p Underlying protocol has some functionality yA yB

Property I: Functionality-Maintaining

𝑛𝑜

…

𝑛1

p Protocol with 𝒳 has the same functionality

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

yA yB

𝑛𝑜

…

𝑛1

p Protocol with 𝒳 satisfies the same security notions

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

p Underlying protocol satisfies some security notions

Property II: Security-Preserving

𝑛𝑜

…

𝑛1

p Corrupted protocol with 𝒳 remains secure

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

p Corrupted implementation may break the security

Property II: Security-Preserving

Strong vs Weak Security-Preserving Eavesdropper vs Peer Party

Property III: Exfiltration-Resistant

p Corrupted implementation of P cannot leak any information to an eavesdropping attacker

≈ 𝑫

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

𝑛1 𝑛1 * 𝑛𝑜 𝑛𝑜 *

… …

Strong vs Weak Exfiltration-Resistance Eavesdropper vs Peer Party

Research Goal

The “holy grail” would be a full characterization

• f

functionalities and security properties for which reverse firewall exists.

• -By Mironov and Stephens-Davidowitz

Eurocrypt 2015 This work: a general approach for designing CRFs for functionalities that are realizable by Smooth Projective Hash Functions

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

Smooth Projective Hash Function [CS02]

… … …

ProjHash(pp,hp,C,w) (C, w) X Y Hash(pp,hk,C’) C’ L X/L SPHFSetup(1𝑚)=pp; HashKG(pp)=hk; ProjKG(pp,hk)=hp V’

p Correctness: Hash(pp,hk,C) = ProjHash(pp,hp,C,w); p Smoothness: V’ ≈ S R

$ Y ;

p Hard Subset Membership: L ≈ 𝐷 X/L

Hash(pp,hk,C)

Our Extension: Malleable SPHF

p Randomness Sampling p SampR(pp) ⟶ 𝑠

% p SampW(pp) ⟶ w *

p Projection Key Updating

p MaulK(pp,hp, 𝑠 % ) ⟶ hp 8 p MaulH(pp,hp, 𝑠 % ,C) ⟶ hv 8

p Element Re-randomization

p ReranE(pp,C, 𝑥 *) ⟶ 𝐷 8 p ReranH(pp,hp,C, 𝑥 *) ⟶ hv 8

p Property I: Projection Key Malleability

hp hk C Hash hv ProjHash w hv’

=

if exists

Our Extension: Malleable SPHF

hp hk C Hash hv

Our Extension: Malleable SPHF

p Property I: Projection Key Malleability

hp

hp 8

MaulK SampR hk C Hash hv 𝑠 %

① hp0 8 ≈ 𝐷 hp1 8

② hv ∗ hv

8 = h

Our Extension: Malleable SPHF

p Property I: Projection Key Malleability

hp

hp 8

MaulK SampR hk

hk 8

C Hash Hash hv hv’ 𝑠 %

① hp0 8 ≈ 𝐷 hp1 8

② hv ∗ hv

8 = h

Our Extension: Malleable SPHF

p Property I: Projection Key Malleability

hp

hp 8

MaulK SampR hk

hk 8

C Hash Hash MaulH hv hv’

hv 8 ① hp0 8 ≈ 𝐷 hp1 8

② hv ∗ hv

8 = hv’

𝑠 %

Our Extension: Malleable SPHF

p Property I: Projection Key Malleability

p Property II: Element Re-randomizability

hk Hash hv C

Our Extension: Malleable SPHF

𝐷 > ReranE SampW hk Hash hv 𝑥 % C ① 𝐷0 8 ≈ 𝐷 𝐷1 8 ② hv ∗ ℎ𝑤

8 = h

p Property II: Element Re-randomizability

Our Extension: Malleable SPHF

𝐷 > ReranE SampW hk Hash Hash hv hv’ 𝑥 % C hk hp ① 𝐷0 8 ≈ 𝐷 𝐷1 8

p Property II: Element Re-randomizability

Our Extension: Malleable SPHF

𝐷 > ReranE SampW hk Hash Hash ReranH hv hv’

hv 8

𝑥 % C hp hk ① 𝐷0 8 ≈ 𝐷 𝐷1 8 ② hv ∗ hv

8 = hv’

p Property II: Element Re-randomizability

Our Extension: Malleable SPHF

𝐷 > ReranE SampW hk Hash Hash ReranH hv hv’

hv 8

𝑥 % C hp hk ① 𝐷0 8 ≈ 𝐷 𝐷1 8 ② hv ∗ hv

8 = hv’

p Property II: Element Re-randomizability

Our Extension: Malleable SPHF

③ 𝐷 > ∈L iff C ∈L

p Graded Rings [BCC+13]

p common formalization of cyclic groups, bilinear groups, and multilinear groups p

∀ 𝑏, 𝑐 ∈ 𝕬𝑞, 𝑏⨁𝑐 = 𝑏 + 𝑐, 𝑏⨀𝑐 = 𝑏 L 𝑐

p

∀ 𝑣1, 𝑤1 ∈ 𝔿, 𝑣1⨁𝑤1 = 𝑣1 L 𝑤1, 𝑣1 ⊖ 𝑤1 = 𝑣1 L 𝑤1

PQ；∀ 𝑑 ∈ 𝕬𝑞,

𝑑⨀𝑣1 = 𝑣1

𝑑

p

∀ 𝑣1, 𝑤1 ∈ 𝔿, 𝑣1⨀𝑤1 = 𝑓 𝑣1, 𝑤1 ∈ 𝔿𝑈 (𝑓: 𝔿×𝔿 ⟶ 𝔿𝑈)

p Generic SPHF via Graded Rings [BCC+13]

p

𝛥: 𝒴 ⟼ 𝔿[×\ , 𝛪: 𝒴 ⟼ 𝔿Q×\

p

𝐷 ∈ ℒ ⟺ ∃𝛍 ∈ 𝕬𝑞

Q×[ s. t. , 𝛪 𝐷 = 𝛍⨀𝛥 𝐷

p

hk: = 𝜷 = (𝛽1, … , 𝛽𝑜)Τ $ ← 𝕬𝑞

\ , hp ∶= 𝛿 𝐷 = 𝛥 𝐷 ⨀𝜷 ∈ 𝔿𝑙

p Hash(pp,hk,C) ∶= 𝛪 𝐷 ⨀𝜷 , ProjHash(pp,hp,C,w) ∶=

𝛍⨀ 𝛿 𝐷

A Generic Construction of Malleable SPHF

𝛪 𝐷 ⨀𝜷 = 𝛍⨀𝛥 𝐷 ⨀𝜷 = 𝛍⨀ 𝛿 𝐷

p Generic Malleable SPHF via Graded Rings

p MaulK(pp,hp=𝛿 𝐷 , 𝒔

*)： hp 8 = 𝛿 𝐷 ⨁𝛥 𝐷 ⨀ 𝒔 *

p MaulH(pp,hp, 𝒔

*,C)： hv 8 = 𝛪 𝐷 ⨀ 𝒔 *

p ReranK(pp,C, 𝑥

*)： 𝐷 8 = 𝛪 𝐷 ⨁ 𝛍 8⨀𝛥 𝐷

p ReranH(pp,hp,C, 𝑥

*)： hv 8 = 𝛍 8 ⨀ 𝛿 𝐷

A Generic Construction of Malleable SPHF

Theorem

The above construction is a malleable SPHF if the follows hold:

• 𝛪: 𝒴 ⟼ 𝔿Q×\ is an identity function;
• 𝛥: 𝒴 ⟼ 𝔿[×\ is a constant function;
• The hard subset membership holds.

pInstantiation from the k-linear assumption

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

p Message Transmission Protocol

• p

q, qr

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp,C,w) CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) Input: pp, M Input: pp M’ = CT ⊝ Hash(pp,hk,C) Hash(pp,hk,C)= ProjHash(pp,hp,C,w)

M’= M

Message Transmission Protocol with CRFs

• p

q, qr

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp,C,w) CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) M’ = CT ⊝ Hash(pp,hk,C)

Message Transmission Protocol with CRFs

p Firewall for

Input: pp, M Input: pp Input: pp Bob’s output message

• p

𝑠̃

$

← SampR(pp)

hp 8 ←MaulK(pp,hp, 𝑠

%) (C, w)

$

← SampYes(pp) V = ProjHash(pp,hp

8,C,w)

CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) M’ = CT ⊝Hash(pp,hk,C)

q, qr

Message Transmission Protocol with CRFs

Input: pp, M Input: pp Input: pp

• p

*

p Firewall for

Message Transmission Protocol with CRFs

• p

Input: pp, M Input: pp 𝑠̃

$

← SampR(pp)

hp 8 ←MaulK(pp,hp, 𝑠

%)

• p

*

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp

8,C,w)

CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) M’ = 𝐷𝑈

8 ⊝Hash(pp,hk,C)

q, qr 8 q, qr ∆𝑊=MaulH(pp,hp,C,𝑠̃)

𝐷𝑈 8 = CT ⊝ ∆𝑊

𝐷𝑈 8 = CT ⊝ ∆𝑊 = V ⊝ ∆𝑊⨁ M=Hash(pp,hk,C) ⨁ M

M’ = M

Input: pp

p Firewall for

Message Transmission Protocol with CRFs

• p

Input: pp, M Input: pp 𝑠̃

$

← SampR(pp)

hp 8 ←MaulK(pp,hp, 𝑠

%)

• p

*

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp

8,C,w)

CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) M’ = 𝐷𝑈

8 ⊝Hash(pp,hk,C)

q, qr 8 q, qr ∆𝑊=MaulH(pp,hp,C,𝑠̃)

𝐷𝑈 8 = CT ⊝ ∆𝑊

𝐷𝑈 8 = CT ⊝ ∆𝑊 = V ⊝ ∆𝑊⨁ M=Hash(pp,hk,C) ⨁ M

M’ = M

Input: pp

Strong Exfiltration-Resistance

p Firewall for

Alice’s output message

• p

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp,C,w) CT = V ⨁ M hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) Input: pp, M Input: pp M’ = CT ⊝Hash(pp,hk,C)

Message Transmission Protocol with CRFs

p Firewall for

q, qr

Input: pp

• p

hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) Input: pp, M Input: pp M’ = 𝐷𝑈

8 ⊝Hash(pp,hk,𝐷 v)

Message Transmission Protocol with CRFs

q v , qr 8 q, qr

𝑥 %

$

← SampW(pp)

𝐷 v =ReranE(pp,C,𝑥

%)

∆𝑊=ReranH(pp,hp,C,𝑥

% )

𝐷𝑈 8 = CT ⨁ ∆𝑊

Input: pp 𝐷𝑈 8 = CT ⨁ ∆𝑊= V ⨁∆𝑊⨁ M=Hash(pp,hk,𝐷 v) ⨁ M

M’ = M

p Firewall for

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp,C,w) CT = V ⨁ M

• p

hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) Input: pp, M Input: pp M’ = 𝐷𝑈

8 ⊝Hash(pp,hk,𝐷 v)

Message Transmission Protocol with CRFs

q v , qr 8 q, qr

𝑥 %

$

← SampW(pp)

𝐷 v =ReranE(pp,C,𝑥

%)

∆𝑊=ReranH(pp,hp,C,𝑥

% )

𝐷𝑈 8 = CT ⨁ ∆𝑊

Input: pp 𝐷𝑈 8 = CT ⨁ ∆𝑊= V ⨁∆𝑊⨁ M=Hash(pp,hk,𝐷 v) ⨁ M

M’ = M

Weak Exfiltration-Resistance (against Bob)

p Firewall for

(C, w)

$

← SampYes(pp) V = ProjHash(pp,hp,C,w) CT = V ⨁ M

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

p Oblivious Signature-Based Envelope [BPV’12]

qw

• p, x

hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) V = Hash(pp,hk,𝐷y) Q = V ⨁ P 𝐷y

$

← Encrypt(pp, 𝜏; 𝑠) Input: pp, P, M Input: pp, 𝜏, M V’=ProjHash(pp,hp,𝐷y,r) P’ = Q ⊝ V’ P’ = P iff 𝜏 is a valid signature of predefined message M

Oblivious Signature-Based Envelope with CRFs

𝓜 = {valid encryption of 𝝉𝐍}

qw

• p, x

hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) V = Hash(pp,hk,𝐷y

8)

Q = V ⨁ P 𝐷y

$

← Encrypt(pp, 𝜏; 𝑠) Input: pp, P, M Input: pp, 𝜏, M V’=ProjHash(pp,hp,𝐷y ,r) P’ = 𝑅 € ⊝ V’

Oblivious Signature-Based Envelope with CRFs

𝑥 %

$

← SampW(pp)

𝐷y

8 =ReranE(pp,𝐷y,𝑥

%)

∆𝑊=ReranH(pp,hp,𝐷y,𝑥

%)

𝑅 € = Q ⊝ ∆𝑊

Input: pp, M

qw

*

• p, x

€

p Firewall for

qw

• p, x

hk

$

← HashKG(pp) hp ← ProjKG(pp,hk) V = Hash(pp,hk,𝐷y) Q = V ⨁ P 𝐷y

$

← Encrypt(pp, 𝜏; 𝑠) Input: pp, P, M Input: pp, 𝜏, M V’=ProjHash(pp, hp 8,𝐷y,r) P’ = 𝑅 € ⊝ V’

Oblivious Signature-Based Envelope with CRFs

p Firewall for

𝑠̃

$

← SampR(pp)

hp 8 ← ProjMaul(pp,hp,𝑠̃) ∆𝑊=MaulH(pp,hp,𝐷y,𝑠̃) 𝑅 € = 𝑅 ⨁ ∆𝑊

Input: pp, M

• p

8 , x v

Oblivious Signature-Based Envelope with CRFs

p Instantiation of OSBE [BPV’12]

p Linear Encryption of Waters Signatures

p We extend the instantiation to be a malleable SPHF

p Follow the Graded-Ring SPFH paradigm

p 𝛪: 𝒴 ⟼ 𝔿Q×\ is not an identity function

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

(𝜟, q‚)

(ƒ„, qr„)…†‡

ˆ

𝜟

$

← SampB(pp)

(𝐷𝑐, 𝒙)

$

← SampI(𝜟,b) Input: pp, M1, M2 Input: pp, 𝑐

𝑊𝑐 = λ(𝒙)⨀𝛿𝑗 𝑁𝑐 = 𝐷𝑈𝑐 ⊖ 𝑊𝑐

Input: pp

Oblivious Transfer with CRFs

𝜟 = (𝛥1, … , 𝛥𝑜) ∈ 𝔿[×\ : Element Basis

1 − 𝑐= PairG(𝜟, 𝐷𝑐)

hk0= 𝜷0

$

← 𝕬𝑞\, hp0=𝛿0 = 𝜟⨀𝜷0 hk1= 𝜷1

$

← 𝕬𝑞\, hp1=𝛿1 = 𝜟⨀𝜷1 (𝑊𝑗)„Ž•

Q

← (𝐷𝑗⨀𝜷𝑗)„Ž•

Q

(𝐷𝑈𝑗)„Ž•

Q

← (𝑊𝑗⨁𝑁𝑗)„Ž•

Q

p OT via Graded Rings (Variant of HK-OT [HK’12])

𝐷

Oblivious Transfer with CRFs

(𝜟, q•)

(ƒ„, qr„)…†‡

ˆ

𝐷1 8= PairG( 𝜟 8, 𝐷0 8) hk0= 𝜷0

$

← 𝕬𝑞\, hp0=𝛿0 = 𝜟 8⨀𝜷0 hk1= 𝜷1

$

← 𝕬𝑞\, hp1=𝛿1 = 𝜟 8⨀𝜷1 (𝑊𝑗)„Ž•

Q

← (𝐷𝑗 v ⨀𝜷𝑗)„Ž•

Q

(𝐷𝑈𝑗)„Ž•

Q

← (𝑊𝑗⨁𝑁𝑗)„Ž•

Q

𝜟

$

← SampB(pp)

(𝐷0, 𝒙)

$

← SampI(𝜟,b) Input: pp, M1, M2 Input: pp, 𝑐

𝑊𝑐 = λ(𝒙)⨀𝛿𝑗 𝑁𝑐 = 𝐷𝑈𝑐 8 ⊖ 𝑊𝑐 𝑻 v $ ← SampS(pp) 𝜟 v ← 𝜟 ⨀𝑻 v, 𝐷•

‘ ← 𝐷0 ⨀𝑻

v 𝒙 %

$

← SampW(pp) 𝐷 ← λ 𝒙 % ⨀𝜟 v 𝐷0 8 ← 𝐷•

‘ ⨁𝐷 ( 𝜟 8 , q• 8)

Input: pp

Oblivious Transfer with CRFs

(∆𝑊𝑗)„Ž•

Q

← (λ(𝒙 %)⨀𝛿𝑗)„Ž•

Q

(𝐷𝑈𝑗 8 )„Ž•

Q

← (𝐷𝑈𝑗⨁∆𝑊𝑗)„Ž•

Q (ƒ„, qr„ 8 )…†‡

ˆ

𝑻 v : Basis Transformation Matrix

p Firewall for

(𝜟, q•)

𝜟

$

← SampB(pp)

(𝐷0, 𝒙)

$

← SampI(𝜟,b) Input: pp, M1, M2 Input: pp, 𝑐

𝑊𝑐 = λ 𝒙 ⨀ 𝛿𝒄 * 𝑁𝑐 = 𝐷𝑈𝑐 8 ⊖ 𝑊𝑐

Input: pp

Oblivious Transfer with CRFs

𝐷1= PairG(𝜟, 𝐷0) hk0= 𝜷0

$

← 𝕬𝑞\, hp0=𝛿0 = 𝜟⨀𝜷0 hk1= 𝜷1

$

← 𝕬𝑞\, hp1=𝛿1 = 𝜟⨀𝜷1 (𝑊𝑗)„Ž•

Q

← (𝐷𝑗⨀𝜷𝑗)„Ž•

Q

(𝐷𝑈𝑗)„Ž•

Q

← (𝑊𝑗⨁𝑁𝑗)„Ž•

Q (ƒ„, qr„)…†‡

ˆ

( ƒ𝒋 *, qr„ 8 )…†‡

ˆ

p Firewall for

𝒔𝟏 *

$

← SampR(pp) 𝒔𝟐 *

$

← SampR(pp) ( 𝛿𝒋 *)„Ž•

Q

← (𝛿𝑗 ⨁(𝜟⨀ 𝒔𝒋 *))„Ž•

Q

(∆𝑊𝑗)„Ž•

Q

← (𝐷𝑗⨀ 𝒔𝒋 *)„Ž•

Q

(𝐷𝑈𝑗 8 )„Ž•

Q

← (𝐷𝑈𝑗⨁∆𝑊𝑗)„Ž•

Q

Instantiations of OT with CRFs

p OT-CRF construction in [MS15] p A more efficient variant p A more general construction based on k-linear assumption

Outline

n Background n Cryptographic Reverse Firewall n Part I: Malleable Smooth Projective Hash Function n Part II: CRF Constructions Via Malleable SPHFs

n Unkeyed Message Transmission Protocol n Oblivious Signature-Based Envelope Protocol n Oblivious Transfer Protocol

n Conclusions and Future Work

+ CRFs + CRFs

Mathematical Structure Building Blocks Cryptographic Protocols

+ CRFs SPHF Malleable SPHF Graded Rings Oblivious Transfer MTP, OSBE …

Conclusions and Future Work

MPC…

? ?

Other Structures

Thank you！