efficient kdm cca secure public key encryption for
play

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial - PowerPoint PPT Presentation

Mar 16, 2023 •208 likes •950 views

Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu, and Lin Lyu 1. Shanghai Jiao Tong University 2. State Key Laboratory of Cryptology 3. Westone Cryptologic Research Center Asiacrypt 2016, Hanoi,

  1. Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions Shuai Han, Shengli Liu, and Lin Lyu 1. Shanghai Jiao Tong University 2. State Key Laboratory of Cryptology 3. Westone Cryptologic Research Center Asiacrypt 2016, Hanoi, Vietnam

  2. Key-Dependent Message • KDM security: allow adversary to access encryptions of messages, which are closely dependent on the secret keys. Enc ( pk , f ( sk ))

  3. Key-Dependent Message • KDM security: allow adversary to access encryptions of messages, which are closely dependent on the secret keys. Enc ( pk , f ( sk )) • Applications: – Hard disk encryption – Anonymous credential system

  4. Key-Dependent Message • KDM security: allow adversary to access encryptions of messages, which are closely dependent on the secret keys. Enc ( pk , f ( sk )) • Applications: – Hard disk encryption – Anonymous credential system • Traditional security notion does not imply KDM security. [ABBC’10, CGH’12, MO’14, BHW’15, KRW’15, KW’16, AP’16] · · ·

  5. Public-Key Encryption PKE = ( Setup , Gen , Enc , Dec ) : ( pk , sk ) ← $ Gen ( prm ) Alice Bob

  6. Public-Key Encryption PKE = ( Setup , Gen , Enc , Dec ) : ( pk , sk ) ← $ Gen ( prm ) pke.ct pke.ct ← $ Enc ( pk , m ) Alice Bob

  7. Public-Key Encryption PKE = ( Setup , Gen , Enc , Dec ) : ( pk , sk ) ← $ Gen ( prm ) pke.ct pke.ct ← $ Enc ( pk , m ) m ← Dec ( sk , pke.ct ) Alice Bob

  8. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pk 1 , · · · , pk n

  9. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n f pk 1 , · · · , pk n

  10. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pke.ct ∗ ← $ Enc ( pk i , f ( sk 1 , · · · , sk n )) or pke.ct ∗ ← $ Enc ( pk i , 0 ) f pk 1 , · · · , pk n

  11. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pke.ct ∗ ← $ Enc ( pk i , f ( sk 1 , · · · , sk n )) or pke.ct ∗ ← $ Enc ( pk i , 0 ) f pke.ct ∗ pk 1 , · · · , pk n

  12. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pke.ct ∗ ← $ Enc ( pk i , f ( sk 1 , · · · , sk n )) pke.ct or pke.ct ∗ ← $ Enc ( pk i , 0 ) f pke.ct ∗ pk 1 , · · · , pk n

  13. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pke.ct ∗ ← $ Enc ( pk i , f ( sk 1 , · · · , sk n )) m ← Dec ( sk i , pke.ct ) pke.ct or pke.ct ∗ ← $ Enc ( pk i , 0 ) f pke.ct ∗ pk 1 , · · · , pk n

  14. KDM Security ( pk 1 , sk 1 ) ← $ Gen ( prm ) ( pk i , sk i ) ← $ Gen ( prm ) ( pk n , sk n ) ← $ Gen ( prm ) … … User 1 User i User n pke.ct ∗ ← $ Enc ( pk i , f ( sk 1 , · · · , sk n )) m ← Dec ( sk i , pke.ct ) pke.ct or pke.ct ∗ ← $ Enc ( pk i , 0 ) f pke.ct ∗ m pk 1 , · · · , pk n

  15. Function Set of KDM Security KDM security is related to a set of functions F from SK × · · · × SK to M . – F circ : the set of selection functions. f : ( sk 1 , · · · , sk n ) �− → sk i – F aff : the set of affine functions. n f : ( sk 1 , · · · , sk n ) �−→ � a i · sk i + b i = 1 – F d poly : the set of polynomial functions of bounded degree d . a ( c 1 , ··· , c n ) · sk c 1 1 · · · sk c n f : ( sk 1 , · · · , sk n ) �−→ � n 0 ≤ c 1 + ··· + c n ≤ d

  16. Function Set of KDM Security KDM security is related to a set of functions F from SK × · · · × SK to M . – F circ : the set of selection functions. f : ( sk 1 , · · · , sk n ) �−→ sk i – F aff : the set of affine functions. n f : ( sk 1 , · · · , sk n ) �−→ � a i · sk i + b i = 1 – F d poly : the set of polynomial functions of bounded degree d . a ( c 1 , ··· , c n ) · sk c 1 1 · · · sk c n f : ( sk 1 , · · · , sk n ) �−→ � n 0 ≤ c 1 + ··· + c n ≤ d The larger F is, the stronger the security is.

  17. Related Works: KDM-CPA secure PKE KDM-CPA PKE Scheme KDM-CCA? | Ciphertext | Assumption Function Set [BHHO’08], [BG’10] F aff − O ( ℓ ) | G | DDH/QR/DCR [ACPS’09] F aff − O ( 1 ) | G | LWE F d O ( ℓ d + 1 ) | G | [BGK’11] DDH/LWE − poly F d [MTY’11] O ( d ) | G | DCR − poly – ℓ : security parameter. – d : bounded degree of polynomial functions.

  18. Related Works: KDM-CCA secure PKE KDM-CCA PKE Scheme KDM-CCA? | Ciphertext | Assumption Function Set √ [BHHO’08] + [CCS’09] F aff O ( ℓ ) | G | DDH √ [Hofheinz’13] O ( 1 ) | G | DDH & DCR F circ � [LLJ’15] ? O ( 1 ) | G | DDH & DCR F aff – ℓ : security parameter. – d : bounded degree of polynomial functions.

  19. Our Contribution KDM-CCA PKE Scheme KDM-CCA? | Ciphertext | Assumption Function Set √ Our first scheme F aff O ( 1 ) | G | DDH & DCR √ F d O ( d 9 ) | G | Our second scheme DDH & DCR poly • We give the first efficient KDM [ F aff ] -CCA secure PKE with compact ciphertexts. – Compact: the ciphertexts consist only a constant number of group elements. – Efficient: our scheme is free of NIZK and free of pairing.

  20. Our Contribution KDM-CCA PKE Scheme KDM-CCA? | Ciphertext | Assumption Function Set √ Our first scheme F aff O ( 1 ) | G | DDH & DCR √ F d O ( d 9 ) | G | Our second scheme DDH & DCR poly • We give the first efficient KDM [ F aff ] -CCA secure PKE with compact ciphertexts. – Compact: the ciphertexts consist only a constant number of group elements. – Efficient: our scheme is free of NIZK and free of pairing. • We extend our technique, and construct the first efficient KDM [ F d poly ] -CCA secure PKE with almost compact ciphertexts.

  21. Synopsis 1. The LLJ Scheme [Lu, Li and Jia, 2015] 2. Introducing: Authenticated Encryption with Auxiliary-Input 3. KDM-CCA secure PKE for Affine Functions 4. KDM-CCA secure PKE for Polynomial Functions

  22. The LLJ Scheme from Related-Key Attack secure “ AE ” The LLJ Scheme AE � ? INT- F aff -RKA DDH KDM[ F aff ]-CCA • One essential building block called “Authenticated Encryption” (AE) is employed. • The “INT- F aff -RKA” (ciphertext-integrity against related-key attacks) security proof of the LLJ’s AE does not go through to the DDH assumption.

  23. INT- F aff -RKA security of LLJ’s AE DDH Problem Solver DDH tuple or Random tuple No trapdoor Adversary against INT- F aff -RKA of Decision bit: 0/1 AE Decision forgery procedure • LLJ’s AE: (ElGamal)-type. ( g r , g kr ) . • The DDH adversary does not have any trapdoor to convert the forgery from the adversary of AE to a decision bit in an efficient way.

  24. Synopsis 1. The LLJ Scheme [Lu, Li and Jia, 2015] 2. Introducing: Authenticated Encryption with Auxiliary-Input 3. KDM-CCA secure PKE for Affine Functions 4. KDM-CCA secure PKE for Polynomial Functions

  25. A Plausible Solution • Our new AIAE: (Kurosawa-Desmedt [KD’04])-type. � � 2 , g r ( k 1 + k 3 t ) , g r ( k 2 + k 4 t ) g r 1 , g r . 1 2

  26. A Plausible Solution • Our new AIAE: (Kurosawa-Desmedt [KD’04])-type. � � 2 , g r ( k 1 + k 3 t ) , g r ( k 2 + k 4 t ) g r 1 , g r . 1 2 New Problem! The secret key of our AIAE consists of several elements k = ( k 1 , k 2 , k 3 , k 4 ) . The affine function of k is too complicated to prove the INT- F aff -RKA security. 4 4 4 4 f : ( k 1 , k 2 , k 3 , k 4 ) �−→ ( � a i , 1 · k i + b 1 , � a i , 2 · k i + b 2 , � a i , 3 · k i + b 3 , � a i , 4 · k i + b 4 ) i = 1 i = 1 i = 1 i = 1

  27. Our Solution: Authenticated Encryption with Auxiliary-Input AIAE = ( AIAE . Setup , AIAE . Enc , AIAE . Dec ) : k k Alice Bob • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE).

  28. Our Solution: Authenticated Encryption with Auxiliary-Input AIAE = ( AIAE . Setup , AIAE . Enc , AIAE . Dec ) : k k Alice Bob • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE). – AIAE must have auxiliary input “aux”.

  29. Our Solution: Authenticated Encryption with Auxiliary-Input AIAE = ( AIAE . Setup , AIAE . Enc , AIAE . Dec ) : k k aiae.ct , aux aiae.ct ← $ AIAE.Enc ( k , m , aux ) Alice Bob • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE). – AIAE must have auxiliary input “aux”.

  30. Our Solution: Authenticated Encryption with Auxiliary-Input AIAE = ( AIAE . Setup , AIAE . Enc , AIAE . Dec ) : k k aiae.ct , aux aiae.ct ← $ AIAE.Enc ( k , m , aux ) m ← AIAE.Dec ( k , aiae.ct , aux ) Alice Bob • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE). – AIAE must have auxiliary input “aux”.

  31. Our Solution: Authenticated Encryption with Auxiliary-Input AIAE = ( AIAE . Setup , AIAE . Enc , AIAE . Dec ) : k k aiae.ct , aux aiae.ct ← $ AIAE.Enc ( k , m , aux ) m ← AIAE.Dec ( k , aiae.ct , aux ) Alice Bob • We introduce “Authenticated Encryption with Auxiliary-Input” (AIAE). – AIAE must have auxiliary input “aux”. – Weak INT- F -RKA security: an additional “special rule” for the forgery.

  32. Weak INT- F -RKA security for AIAE k User f , m , aux

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng

Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer Hong-Sheng Zhou University of Connecticut Joint work with Juan Garay (AT&T) and Daniel Wichs (NYU) CRYPTO 2009 Outline Background New Approach

789 views • 36 slides
Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee Chonbuk National University, Republic of Korea June 14, 2019@ Workshop on Modern Trends in Cryptography Table of contents 1. Introduction 2.

537 views • 25 slides
An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay anjay Madr adria ia Prof ofes essor or and and Sit ite e Dir irect ector or for or NS NSF F I/UC UCRC Cent enter er on on Net

634 views • 30 slides
Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get CCA security, we used a MAC Bob would accept only messages from Alice But in PKE, Bob wants to receive messages from Eve as well! But only if it is

336 views • 14 slides
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP RECALL Diffie-Hellman Key-exchange Secure if (g x ,g y ,g xy ) (g x ,g y ,g r ) Random x {0,..,|G|-1} Random y

173 views • 13 slides
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India B. Qin and S. Liu LR-CCA Secure

580 views • 47 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

779 views • 47 slides
Secure Searching of Biomarkers Using Hybrid GSW Encryption Scheme Jung Hee Cheon, Miran Kim,

Secure Searching of Biomarkers Using Hybrid GSW Encryption Scheme Jung Hee Cheon, Miran Kim,

Secure Searching of Biomarkers Using Hybrid GSW Encryption Scheme Secure Searching of Biomarkers Using Hybrid GSW Encryption Scheme Jung Hee Cheon, Miran Kim, Yongsoo Song Seoul National University, South Korea iDASH Privacy & Security

283 views • 12 slides
Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure Updatable Encryption with Integrity Protection. EUROCRYPT 2019 M Klooss, A Lehmann, A Rupp Updatable Encryption with Post-Compromise Security. EUROCRYPT

1.08k views • 46 slides
Secure storage in the cloud using property preserving encryption Kenny Paterson Information

Secure storage in the cloud using property preserving encryption Kenny Paterson Information

Secure storage in the cloud using property preserving encryption Kenny Paterson Information Security Group Overview 1. Application scenarios. 2. Deterministic encryption and search. 3. OPE/ORE and range queries. 4. Analysing access pattern

877 views • 48 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
ENERGA Group 2013 results 10 March 2014 This graph shows the contribution of the individual

ENERGA Group 2013 results 10 March 2014 This graph shows the contribution of the individual

ENERGA Group 2013 results 10 March 2014 This graph shows the contribution of the individual business segments to adjusted EBITDA of the Group in 2013. Summary of 2013 Individual net profit of ENERGA SA was PLN 499 m in 2013 and consequently

824 views • 46 slides
Loans and Business Support Growing Futures Together COMMUNITY FUTURES DEVELOPMENT CORPORATION

Loans and Business Support Growing Futures Together COMMUNITY FUTURES DEVELOPMENT CORPORATION

Loans and Business Support Growing Futures Together COMMUNITY FUTURES DEVELOPMENT CORPORATION Federally funded by Federal Development Agency for Southern Ontario (FedDev) Mission Mandate Access to Capital Business Services

516 views • 15 slides
ANNUAL GENERAL MEETING 16 APRIL 2014 INCOME STATEMENT Growth % Constant 2012 m 2013

ANNUAL GENERAL MEETING 16 APRIL 2014 INCOME STATEMENT Growth % Constant 2012 m 2013

WE SOURCE WE CONSOLIDATE WE DELIVER ANNUAL GENERAL MEETING 16 APRIL 2014 INCOME STATEMENT Growth % Constant 2012 m 2013 Reported Exchange Revenue 6,097.7 5,359.2 14 12 Operating profit* 414.4 352.4 18 16 Net finance cost

403 views • 15 slides
ENERGY ACCESS AND BALANCE OF INTERESTS Presented by ukasz Houbowski PKN ORLEN is a

ENERGY ACCESS AND BALANCE OF INTERESTS Presented by ukasz Houbowski PKN ORLEN is a

NEW ENERGY SECURITY CONFIGURATION ENERGY ACCESS AND BALANCE OF INTERESTS Presented by ukasz Houbowski PKN ORLEN is a leading-edge player on the fuels and energy ORLEN Paliwa a company of the ORLEN Capital Group. The markets, and the

565 views • 7 slides
The pallet and packaging industry in Poland Krakw, 11-12 May 2017 Wood industry Wood raw

The pallet and packaging industry in Poland Krakw, 11-12 May 2017 Wood industry Wood raw

The pallet and packaging industry in Poland Krakw, 11-12 May 2017 Wood industry Wood raw material state property 83% private property 17% 30% the entire teritory 9,1 mln ha of area average forest age 60

278 views • 16 slides
INTERNATIONAL 21 st Century Bilingual Education Kerry Neuman, Programme Director PBI: Bilingual

INTERNATIONAL 21 st Century Bilingual Education Kerry Neuman, Programme Director PBI: Bilingual

PERMATA BANGSA INTERNATIONAL 21 st Century Bilingual Education Kerry Neuman, Programme Director PBI: Bilingual Immersion Programme School-based, content driven immersion aim for: Academic achievement Additive bilingualism and

362 views • 17 slides
GLAXOSMITHKLINE 2013 Results Review Sir Andrew Witty Hello. I would like to welcome you to the

GLAXOSMITHKLINE 2013 Results Review Sir Andrew Witty Hello. I would like to welcome you to the

GLAXOSMITHKLINE 2013 Results Review Sir Andrew Witty Hello. I would like to welcome you to the 2013 Results Review for GlaxoSmithKline. It gives me great pleasure to take this opportunity to talk you through some of the achievements and

302 views • 18 slides
Central Pattana Plc. Property Development and Investment Analyst Briefing : 4Q15 & FY15

Central Pattana Plc. Property Development and Investment Analyst Briefing : 4Q15 & FY15

Central Pattana Plc. Property Development and Investment Analyst Briefing : 4Q15 & FY15 Performance Review Disclaimer The information contained in this presentation is for information purposes only and does not constitute an offer or

798 views • 77 slides

More recommend