Efficient KDM-CCA Secure Public-Key Encryption for Polynomial - - PowerPoint PPT Presentation



SLIDE 1

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions

Shuai Han, Shengli Liu, and Lin Lyu

  • 1. Shanghai Jiao Tong University
  • 2. State Key Laboratory of Cryptology
  • 3. Westone Cryptologic Research Center

Asiacrypt 2016, Hanoi, Vietnam

SLIDES 2-4

Key-Dependent Message

  • KDM security: the adversary is allowed to obtain encryptions of messages that depend closely on the secret keys:

      Enc(pk, f(sk))

  • Applications:
    – Hard disk encryption
    – Anonymous credential system

  • The traditional security notion does not imply KDM security.
    [ABBC’10, CGH’12, MO’14, BHW’15, KRW’15, KW’16, AP’16] · · ·

SLIDES 5-7

Public-Key Encryption

PKE = (Setup, Gen, Enc, Dec):

  Bob:           (pk, sk) ←$ Gen(prm)
  Alice:         pke.ct ←$ Enc(pk, m)
  Alice → Bob:   pke.ct
  Bob:           m ← Dec(sk, pke.ct)

SLIDES 8-14

KDM Security

  User 1: (pk1, sk1) ←$ Gen(prm)   · · ·   User i: (pki, ski) ←$ Gen(prm)   · · ·   User n: (pkn, skn) ←$ Gen(prm)

  • The adversary is given pk1, · · · , pkn.
  • KDM encryption query (f, i): the adversary receives
        pke.ct∗ ←$ Enc(pki, f(sk1, · · · , skn))   or   pke.ct∗ ←$ Enc(pki, 0),
    depending on the challenge bit.
  • Decryption query (pke.ct, i): the adversary receives m ← Dec(ski, pke.ct).

SLIDES 15-16

Function Set of KDM Security

KDM security is defined relative to a set of functions F from SK × · · · × SK to M.
  – Fcirc: the set of selection functions,
      $f : (sk_1, \cdots, sk_n) \longmapsto sk_i$.
  – Faff: the set of affine functions,
      $f : (sk_1, \cdots, sk_n) \longmapsto \sum_{i=1}^{n} a_i \cdot sk_i + b$.
  – F^d_poly: the set of polynomial functions of bounded degree d,
      $f : (sk_1, \cdots, sk_n) \longmapsto \sum_{0 \le c_1 + \cdots + c_n \le d} a_{(c_1, \cdots, c_n)} \cdot sk_1^{c_1} \cdots sk_n^{c_n}$.

The larger F is, the stronger the security is.

SLIDE 17

Related Works: KDM-CPA secure PKE

  PKE Scheme            KDM-CPA Function Set   KDM-CCA?   |Ciphertext|        Assumption
  [BHHO’08], [BG’10]    Faff                              O(ℓ) |G|           DDH / QR / DCR
  [ACPS’09]             Faff                              O(1) |G|           LWE
  [BGK’11]              F^d_poly                          O(ℓ^{d+1}) |G|     DDH / LWE
  [MTY’11]              F^d_poly                          O(d) |G|           DCR

  – ℓ: security parameter.
  – d: bounded degree of polynomial functions.

SLIDE 18

Related Works: KDM-CCA secure PKE

  PKE Scheme               KDM-CCA Function Set   KDM-CCA?   |Ciphertext|   Assumption
  [BHHO’08] + [CCS’09]     Faff                              O(ℓ) |G|      DDH
  [Hofheinz’13]            Fcirc                             O(1) |G|      DDH & DCR
  [LLJ’15]                 Faff                   ?          O(1) |G|      DDH & DCR

  – ℓ: security parameter.
  – d: bounded degree of polynomial functions.

SLIDES 19-20

Our Contribution

  PKE Scheme            KDM-CCA Function Set   KDM-CCA?   |Ciphertext|   Assumption
  Our first scheme      Faff                              O(1) |G|      DDH & DCR
  Our second scheme     F^d_poly                          O(d^9) |G|    DDH & DCR

  • We give the first efficient KDM[Faff]-CCA secure PKE with compact ciphertexts.
    – Compact: the ciphertexts consist of only a constant number of group elements.
    – Efficient: our scheme is free of NIZK and free of pairing.
  • We extend our technique and construct the first efficient KDM[F^d_poly]-CCA secure PKE with almost compact ciphertexts.

SLIDE 21

Synopsis

  • 1. The LLJ Scheme [Lu, Li and Jia, 2015]
  • 2. Introducing: Authenticated Encryption with Auxiliary-Input
  • 3. KDM-CCA secure PKE for Affine Functions
  • 4. KDM-CCA secure PKE for Polynomial Functions
SLIDE 22

The LLJ Scheme from Related-Key Attack secure “AE”

The LLJ Scheme:   AE  ──DDH (?)──▶  INT-Faff-RKA  ──▶  KDM[Faff]-CCA

  • One essential building block called “Authenticated Encryption” (AE) is employed.
  • The “INT-Faff-RKA” (ciphertext integrity against related-key attacks) security proof of LLJ’s AE does not go through to the DDH assumption.

SLIDE 23

INT-Faff-RKA security of LLJ’s AE

  DDH Problem Solver (no trapdoor):
    DDH tuple or random tuple  →  run the adversary against the INT-Faff-RKA security of AE (related-key queries f)
    →  forgery  →  decision procedure (?)  →  decision bit 0/1

  • LLJ’s AE is of ElGamal type: (g^r, g^{kr}).
  • The DDH adversary does not have any trapdoor to convert the forgery from the AE adversary into a decision bit in an efficient way.

SLIDE 24

Synopsis, part 2: Introducing: Authenticated Encryption with Auxiliary-Input
SLIDES 25-26

A Plausible Solution

  • Our new AIAE is of Kurosawa-Desmedt [KD’04] type:
      $(g_1^{r},\; g_2^{r},\; g_1^{r(k_1 + k_3 t)},\; g_2^{r(k_2 + k_4 t)})$.

New Problem!

The secret key of our AIAE consists of several elements, k = (k1, k2, k3, k4). A general affine function of k is too complicated to prove the INT-Faff-RKA security:

  $f : (k_1, k_2, k_3, k_4) \longmapsto \Big(\sum_{i=1}^{4} a_{i,1} \cdot k_i + b_1,\; \sum_{i=1}^{4} a_{i,2} \cdot k_i + b_2,\; \sum_{i=1}^{4} a_{i,3} \cdot k_i + b_3,\; \sum_{i=1}^{4} a_{i,4} \cdot k_i + b_4\Big)$

SLIDES 27-31

Our Solution: Authenticated Encryption with Auxiliary-Input

AIAE = (AIAE.Setup, AIAE.Enc, AIAE.Dec):

  Alice and Bob share the key k.
  Alice:         aiae.ct ←$ AIAE.Enc(k, m, aux)
  Alice → Bob:   aiae.ct, aux
  Bob:           m ← AIAE.Dec(k, aiae.ct, aux)

  • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE).
    – AIAE must have an auxiliary input “aux”.
    – Weak INT-F-RKA security: an additional “special rule” for the forgery.
SLIDES 32-36

Weak INT-F-RKA security for AIAE

  The user holds k.
  Query (f, m, aux):   the adversary receives aiae.ct ←$ AIAE.Enc(f(k), m, aux).
  Forgery (f∗, aiae.ct∗, aux∗):   the adversary wins if
    1. AIAE.Dec(f∗(k), aiae.ct∗, aux∗) accepts (does not output ⊥), and
    2. the special rule holds.

SLIDE 37

Our AIAE

  DDH Problem Solver (samples the trapdoor itself):
    DDH tuple or random tuple  →  run the adversary against the weak INT-Fraff-RKA security of AIAE (related-key queries f)
    →  forgery  →  decision procedure  →  decision bit 0/1

  • We prove the weak INT-Fraff-RKA security of our AIAE w.r.t. a smaller, restricted affine function set Fraff:
      $f : (k_1, k_2, k_3, k_4) \longmapsto (a \cdot k_1 + b_1,\; a \cdot k_2 + b_2,\; a \cdot k_3 + b_3,\; a \cdot k_4 + b_4)$

SLIDE 38

Synopsis, part 3: KDM-CCA secure PKE for Affine Functions
SLIDE 39

The LLJ Method does not work for Our AIAE

The LLJ Scheme:   AE  ──DDH──▶  INT-Faff-RKA  ──▶  KDM[Faff]-CCA

  • Our AIAE only achieves a very weak INT-Fraff-RKA security w.r.t. a small Fraff.
    We cannot apply the LLJ method to construct KDM[Faff]-CCA secure PKE.

SLIDES 40-42

Our Approach / Our Construction

  • Build KDM-CCA secure PKE from three building blocks: KEM, E and AIAE.
    – KEM: a key encapsulation mechanism.
        (k, kem.ct) ←$ KEM.Enc(pk),   k ← KEM.Dec(sk, kem.ct).
    – E: a public-key encryption scheme.
        E.ct ←$ E.Enc(pk, m),   m ← E.Dec(sk, E.ct).
    – AIAE: an authenticated encryption with auxiliary-input.
        aiae.ct ←$ AIAE.Enc(k, m, aux),   m ← AIAE.Dec(k, aiae.ct, aux).

  ENCRYPTION (input pk, m):
    (k, kem.ct) ←$ KEM.Enc(pk)
    E.ct ←$ E.Enc(pk, m)
    aiae.ct ←$ AIAE.Enc(k, E.ct, aux = kem.ct)
    output (kem.ct, aiae.ct)

  DECRYPTION (input sk, (kem.ct, aiae.ct)):
    k ← KEM.Dec(sk, kem.ct)
    E.ct ← AIAE.Dec(k, aiae.ct, aux = kem.ct)
    m ← E.Dec(sk, E.ct)

  – KEM and E share the same key pair (pk, sk).
  – AIAE.Enc uses the k encapsulated by KEM to encrypt E.ct with aux = kem.ct.

SLIDES 43-52

Proof Idea of KDM[Faff]-CCA Security

The secret key sk is divided into two independent parts: sk mod N and sk mod φ(N). Below, Ẽ.Enc, K̃EM.Enc and Ẽ.Dec denote the modified algorithms used in the proof.

The Encryption Oracle (query f, message f(sk)):

  • Use sk to answer the encryption queries: (k, kem.ct) ←$ KEM.Enc(pk); E.ct ←$ E.Enc(pk, f(sk)); aiae.ct ←$ AIAE.Enc(k, E.ct, aux = kem.ct).
  • Under the DCR assumption, E.Enc is changed to Ẽ.Enc, which only uses sk mod φ(N).
    – Ẽ.Enc behaves like an entropy filter for Faff, such that sk mod N is reserved.
  • Under the DCR assumption, KEM.Enc is changed to K̃EM.Enc.
    – k is expressed as an Fraff-function of a fixed base key k∗: k = fraff(k∗).
    – In kem.ct, sk mod N protects the base key k∗ (kem.ct hides k∗).

The Decryption Oracle (query (kem.ct, aiae.ct)):

  • KEM.Dec rejects the query if the computation of k involves sk mod N; only sk mod φ(N) is used.
    – By the weak INT-Fraff-RKA security of AIAE, this change is computationally indistinguishable.
  • E.Dec rejects the query if the computation of m involves sk mod N; only sk mod φ(N) is used.
    – Since E has an authentication functionality, this change is computationally indistinguishable.

The Encryption Oracle, continued:

  • We compute k as Fraff-functions of an independent base key k∗.
    – In Ẽ.Enc and the Decryption Oracle, sk mod N is not involved.
    – In kem.ct, the base key k∗ is protected by sk mod N perfectly.
  • By the IND-Fraff-RKA security of AIAE, we change aiae.ct to encryptions of 0.
    – k is an Fraff-function of k∗, which is independent of the other parts of the game.
  • The advantage of the adversary is zero.
SLIDE 53

Synopsis, part 4: KDM-CCA secure PKE for Polynomial Functions
SLIDES 54-55

Our Approach

  ENCRYPTION:   (k, kem.ct) ←$ KEM.Enc(pk);  E.ct ←$ E.Enc(pk, m);  aiae.ct ←$ AIAE.Enc(k, E.ct, aux = kem.ct).
  DECRYPTION:   k ← KEM.Dec(sk, kem.ct);  E.ct ← AIAE.Dec(k, aiae.ct, aux = kem.ct);  m ← E.Dec(sk, E.ct).

  • We design a new E: an entropy filter for the set of polynomial functions F^d_poly.
    – Entropy Filter ([LLJ’15]): through some computationally indistinguishable change, sk mod N can be reserved by E.Enc(pk, f(sk)) for f ∈ F^d_poly.
  • The other two building blocks, KEM and AIAE, are the same.
SLIDES 56-64

E designed for the monomial f(sk) = a · x1 y1 x2 y2 x3 y3 x4 y4

E.ct = (table, e, t)

  • prm = (g1, · · · , g5).
    sk = (x1, · · · , x4, y1, · · · , y4).
    pk = (h1, · · · , h4) = $(g_1^{-x_1} g_2^{-y_1},\; g_2^{-x_2} g_3^{-y_2},\; g_3^{-x_3} g_4^{-y_3},\; g_4^{-x_4} g_5^{-y_4})$.

  • For j ∈ [0, 8]:
      $(u_{j,1}, u_{j,2}, \cdots, u_{j,8}) = (g_1^{r_{j,1}},\; g_2^{r_{j,1}},\; g_2^{r_{j,2}},\; g_3^{r_{j,2}},\; g_3^{r_{j,3}},\; g_4^{r_{j,3}},\; g_4^{r_{j,4}},\; g_5^{r_{j,4}})$,
      $v_j = h_1^{r_{j,1}} h_2^{r_{j,2}} h_3^{r_{j,3}} h_4^{r_{j,4}}$.
    Computing with sk instead of pk gives the same value:
      $\hat v_j = u_{j,1}^{-x_1} u_{j,2}^{-y_1} u_{j,3}^{-x_2} u_{j,4}^{-y_2} u_{j,5}^{-x_3} u_{j,6}^{-y_3} u_{j,7}^{-x_4} u_{j,8}^{-y_4}$.

  • table =
      $\begin{pmatrix}
        u_{0,1}           & u_{0,2}           & \cdots & u_{0,8} \\
        u_{1,1} \cdot v_0 & u_{1,2}           & \cdots & u_{1,8} \\
        u_{2,1}           & u_{2,2} \cdot v_1 & \cdots & u_{2,8} \\
        \vdots            & \vdots            & \ddots & \vdots  \\
        u_{8,1}           & u_{8,2}           & \cdots & u_{8,8} \cdot v_7
      \end{pmatrix}$
    Row by row, sk recovers the chain: ⇒ v̂0 = v0, v̂1 = v1, v̂2 = v2, · · · , v̂8 = v8.

  • $e = v_8 \cdot T^{f(sk)}$,   $t = g_1^{f(sk) \bmod \varphi(N)}$.

  • Under the DCR assumption, E.Enc is changed to Ẽ.Enc, which uses sk mod φ(N) and multiplies only the (1,1) entry of the table by $T^{a}$:
      $u_{1,1} \cdot v_0 \cdot T^{a}$, all other entries unchanged.
    Then, row by row:
      ⇒ v̂0 = v0,  $\hat v_1 = v_1 \cdot T^{-a x_1}$,  $\hat v_2 = v_2 \cdot T^{-a x_1 y_1}$,  · · · ,  $\hat v_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4} = v_8 \cdot T^{-f(sk)}$,
    so $e = \hat v_8 \cdot T^{f(sk)}$ ⇒ e = v8,  and still $t = g_1^{f(sk) \bmod \varphi(N)}$.

  • Ẽ.Enc behaves like an entropy filter for the monomial.
SLIDES 65-69

General E designed for Polynomial Functions

  • A polynomial function f in sk = (x1, · · · , x4, y1, · · · , y4) of degree d is
      $f(sk) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \cdots, c_8)} \cdot x_1^{c_1} y_1^{c_2} \cdots x_4^{c_7} y_4^{c_8}$.

  • For each monomial c = (c1, · · · , c8), E.Enc creates a pair (table(c), v(c)).
    The product of these v(c) is used to hide the message:
      $e = \prod_{c} v(c) \cdot T^{f(sk)}$.

  • Under the DCR assumption, E.Enc is changed to Ẽ.Enc, such that each v(c) is multiplied by an additional term:
      $\hat v(c) = v(c) \cdot T^{-a_{(c_1, \cdots, c_8)} \cdot x_1^{c_1} y_1^{c_2} \cdots x_4^{c_7} y_4^{c_8}}$.
    Consequently,
      $e = \prod_{c} \hat v(c) \cdot T^{f(sk)} = \prod_{c} v(c) \cdot T^{-\sum_{c} a_{(c_1, \cdots, c_8)} \cdot x_1^{c_1} y_1^{c_2} \cdots x_4^{c_7} y_4^{c_8}} \cdot T^{f(sk)} = \prod_{c} v(c)$.

  • Ẽ.Enc behaves like an entropy filter for polynomial functions.
SLIDES 70-72

Conclusion

In this work, we propose:

  • A new approach for constructing KDM-CCA secure PKE schemes, from KEM, E, and a new primitive called “AIAE”.
  • Efficient KDM[Faff]-CCA secure PKE with compact ciphertexts.
  • Efficient KDM[F^d_poly]-CCA secure PKE with almost compact ciphertexts.

SLIDE 73

Thank You