Efficient Lossy Trapdoor Functions based on Subgroup Membership

SLIDE 1

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions

Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu

Institute of Information Engineering, Chinese Academy of Sciences

2013.11.21

Xue, Li, Lu, Jia, Liu (IIE) Efficient LTDF based on SMP 2013.11.21 1 / 23

SLIDE 2

Outline

1. Introduction
2. Our Contribution
   SMA ⇒ LTDF
   Concrete Examples
3. Conclusion

SLIDE 4

Lossy Trapdoor Function (LTDF)

Peikert and Waters proposed the LTDF in STOC 2008.

DDH, LWE → LTDF → { TDF, Hard Core; OT; CR Hash; CCA, ... }

SLIDE 5

Lossy Trapdoor Function [PW’08]

[Figure, from Peikert's slides: $F \stackrel{c}{\approx} F$]

SLIDE 6

Definition of LTDF

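Injective model

$(s, t) \leftarrow S_{inj}(1^n)$;
$F_{ltdf}(s, \cdot) : \{0,1\}^m \to \{0,1\}^*$
$F^{-1}_{ltdf}(t, F_{ltdf}(s, x)) = x$.

Lossy with $l$ bits

$s \leftarrow S_{loss}(1^n)$;
$F_{ltdf}(s, \cdot) : \{0,1\}^m \to \{0,1\}^*$
The image of $F_{ltdf}(s, \cdot)$ has size at most $2^{m-l}$;
$\{s : s \leftarrow S_{loss}\} \stackrel{c}{\approx} \{s : (s, t) \leftarrow S_{inj}\}$.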

SLIDE 7

Constructions of LTDF

DDH or d-linear [PW'08], [FGKRS'10], [Wee12];
QR assumption [FGKRS'10], [JL'13], [Wee12];
DCR assumption [BFO'08], [FGKRS'10], [Wee12];
LWE assumption [PW'08], [Wee12];
Φ-Hiding [KOS'10].

The DCR based construction is one of the most efficient constructions.

SLIDE 8

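DCR Assumption over $\mathbb{Z}^*_{N^s}$ [Pai98, Dam01]

Definition

Let $N = pq$ for $p = 2p' + 1$, $q = 2q' + 1$ and $s \ge 2$.

$P := \{a = x^{N^{s-1}} \bmod N^s \mid x \in \mathbb{Z}^*_N\}$,

$M := \{a = (1 + N)^y x^{N^{s-1}} \bmod N^s \mid x \in \mathbb{Z}^*_N,\ y \in \mathbb{Z}_{N^{s-1}}\}$.

$\{a \leftarrow P\} \stackrel{c}{\approx} \{a \leftarrow M\}$

1. $N^{s-1}$-th residuosity is a subgroup with order $2p'q' \approx N/2$.
2. For $a$ in $M$, $a^{2p'q'} = 1 + y \cdot 2p'q'N \bmod N^s$.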

SLIDE 9

DCR Based LTDF

For input $m \in [0, N^{s-1}]$, the two function models follow:

Injective model: $\{(1 + N)\,x^{N^{s-1}}\}^m$

Lossy model: $\{x^{N^{s-1}}\}^m$

$\mathbb{Z}^*_{N^s} = H \times K = \langle (1 + N) \rangle \times \{x^{N^{s-1}}\}$

$s \ge 3$ is needed in order to get enough lossiness.

SLIDE 10

Motivation

General subgroup membership assumption $\xrightarrow{?}$ LTDF

mod $N^3$ $\xrightarrow{?}$ mod $N^2$ $\xrightarrow{?}$ mod $N$

SLIDE 12

Our Contribution

Subgroup membership assumption + 2 Properties $\longrightarrow$ LTDF

mod $N^3$ $\longrightarrow$ mod $N^2$ $\longrightarrow$ mod $N$

Shrinking the subgroup or enlarging the quotient group.

SLIDE 13

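Subgroup Membership Assumption [Gjøsteen 05]

Definition (SMA)

Let $G$ be a finite cyclic group.

$G = \langle g \rangle = G/K \times K = G/K \times \langle h \rangle$

The subgroup membership assumption SM(G,K) asserts that

$\{x, x \leftarrow K\} \stackrel{c}{\approx} \{x, x \leftarrow G \setminus K\}$.

$\mathbb{Z}^*_{N^s} = \langle (1 + N) \rangle \times \{x^{N^{s-1}}\}$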

SLIDE 14

2 Properties

1. SDL(G,K,g) is easy with a trapdoor $t$;
2. $|G/K| \gg |K|$. (Lossy property)

Definition (Subgroup Discrete Logarithm Problem [Gjøsteen 05])

If $\varphi : G \to G/K$ is the canonical epimorphism, then SDL(G,K,g) is: to compute $\log_{\varphi(g)}(\varphi(x))$ for $x \leftarrow G$.

$(1 + N)^y z^{N^{s-1}} \to y$.

SLIDE 15

Generic construction

Let $(G, K, g, h, t)$ be an instance of SM(G,K) with 2 properties. For $m \in [0, |G/K|]$, the two models follow.

Injective model

1. $a = g h^r$ for $r \le |K|$ and $t = t$;
2. $F_{ltdf}(a, m) = a^m = [g h^r]^m$
3. Recover $m$ by solving SDL(G,K,g) with $t$.

Lossy model

1. $a = h^r$ for $r \le |K|$;
2. $F_{ltdf}(a, m) = a^m = [h^r]^m$
3. $|F_{ltdf}(a, \cdot)| < |K|$ as $F_{ltdf}(a, \cdot)$ falls into $K$;

SLIDE 16

SMA ⇒ LTDF

Theorem (1 in page 240)

If SM(G,K) with the two properties above holds, this is a $(\log |G/K|,\ \log |G/K| - \log |K|)$ LTDF.
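
Added example (not from the slides or the paper): a toy Python instantiation of the generic construction using the DCR group from the earlier slide, with $g = 1 + N$ and $K = \{x^{N^{s-1}}\}$ in $\mathbb{Z}^*_{N^s}$, $s = 3$. The primes $p' = 11$, $q' = 29$, the choice $x = 2$ and all function names are assumptions made for illustration; the trapdoor is $t = 2p'q'$.

```python
# Toy DCR-based LTDF over Z*_{N^s} (added example; constructed parameters,
# far too small for real use).
from math import gcd

def keygen(p1, q1, s, lossy, x=2):
    """p1, q1 play the role of p', q'. Returns (public index, trapdoor t)."""
    p, q = 2 * p1 + 1, 2 * q1 + 1
    N = p * q
    Ns = N ** s
    t = 2 * p1 * q1                       # exponent that kills K = {x^(N^(s-1))}
    assert gcd(x, N) == 1 and gcd(t, N) == 1
    h = pow(x, N ** (s - 1), Ns)          # element of the subgroup K
    a = h if lossy else (1 + N) * h % Ns  # lossy: a in K; injective: a = (1+N)*h
    return (N, s, a), t

def evaluate(pk, m):
    """F(a, m) = a^m mod N^s for m in [0, N^(s-1))."""
    N, s, a = pk
    return pow(a, m, N ** s)

def log_1_plus_N(c, N, s):
    """Given c = (1+N)^i mod N^s, return i mod N^(s-1), one base-N digit per round."""
    Ns, i = N ** s, 0
    for j in range(s - 1):
        u = c * pow(1 + N, -i, Ns) % Ns   # (1+N)^(k*N^j), k = unknown high part of i
        # u = 1 + k*N^(j+1) (mod N^(j+2)), so the next digit is k mod N
        i += ((u % N ** (j + 2)) - 1) // N ** (j + 1) * N ** j
    return i

def invert(pk, t, c):
    """Solve the subgroup discrete log with trapdoor t: c^t = (1+N)^(m*t)."""
    N, s, _ = pk
    mt = log_1_plus_N(pow(c, t, N ** s), N, s)
    return mt * pow(t, -1, N ** (s - 1)) % N ** (s - 1)

def lossy_image_size(pk):
    """Size of {a^m}: the order of a, counted by stepping through its powers."""
    N, s, a = pk
    Ns, y, n = N ** s, a, 1
    while y != 1:
        y, n = y * a % Ns, n + 1
    return n

if __name__ == "__main__":
    inj, t = keygen(11, 29, 3, lossy=False)       # N = 23 * 59 = 1357
    los, _ = keygen(11, 29, 3, lossy=True)
    m = 1234567
    print(invert(inj, t, evaluate(inj, m)) == m)
    print(lossy_image_size(los), "images for", 1357 ** 2, "inputs")
```

With $s = 2$ the same code has only $N = 1357$ inputs against up to $2p'q' = 638$ images, roughly one bit of lossiness, which is the reason the DCR slide asks for $s \ge 3$.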

SLIDE 17

DCR & QR based LTDF over $\mathbb{Z}^*_{N^2}$

Let $N = pq$ with $p = 2^k p' + 1$, $q = 2^k q' + 1$.

For $y \in QNR_N$, let $G = \langle (1 + N) y^N \rangle$ with order $N 2^k p'q'$;

For $h_1 \in \mathbb{Z}^*_N$, let $K = \langle h_1^{2^k N} \rangle$ with order $p'q'$.

Theorem (3 in page 243)

DCR & QR ⇒ SM(G,K).

SLIDE 18

Extended p-subgroup based LTDF over $\mathbb{Z}^*_{N^2}$

Let $N = p^2 q$ with $p = 2p' + 1$, $q = 2q' + 1$.

For $y \in \mathbb{Z}^*_N$, let $h = y^{2N^2}$.

Let $G = \langle (1 + N) h \rangle$ with order $N p'q'$;

Let $K = \langle h \rangle$ with order $p'q'$.

SM(G,K) is a generalization of the p-subgroup assumption in [OU98].

SLIDE 19

Decisional RSA [Groth 05] based LTDF over $\mathbb{Z}^*_N$

Let $N = pq$ with $p = 2p' r_p + 1$, $q = 2q' r_q + 1$.

Let $r_p, r_q$ be $B$-smooth with $t$ distinct prime factors and $l \approx \log B$.

For $x \in \mathbb{Z}^*_N$, let $h = x^{2 r_p r_q}$ and $g \leftarrow QR_N$.

Let $G = \langle g \rangle$ with order larger than $p'q' 2^{(t-d)(l-1)}$;

Let $K = \langle h \rangle$ with order $p'q'$.

This SM(G,K) assumption is the Decisional RSA assumption in [Groth 05].

SLIDE 21

Comparison with previous constructions

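| Assumption | Input size | Lossiness | Index size | Efficiency |
|---|---|---|---|---|
| DDH | $n$ | $n - \lvert G \rvert$ | $n^2\ G$ | $n^2$ Multi |
| LWE | $n$ | $cn$ | $n(d + w)\ \mathbb{Z}_q$ | $n(d + w)$ Multi |
| d-linear | $n$ | $n - d\lvert G \rvert$ | $n^2\ G$ | $n^2$ Multi |
| QR | $\log N$ | $1$ | $\mathbb{Z}^*_N$ | $1$ Multi |
| DDH & QR | $n$ | $n - \log N$ | $(n/k)^2\ \mathbb{Z}^*_N$ | $(n/k)^2$ Multi |
| Φ-hiding | $\log N$ | $\log e$ | $\mathbb{Z}^*_N$ | $\log e \log N$ |
| DCR | $2 \log N$ | $\log N$ | $\mathbb{Z}^*_{N^3}$ | $3 \log x \log N$ |
| QR & DCR | $\frac{9}{8} \log N$ | $\frac{3}{8} \log N$ | $\mathbb{Z}^*_{N^2}$ | $2 \log x \log N$ |
| E p-sub | $\log N$ | $\frac{1}{3} \log N$ | $\mathbb{Z}^*_{N^2}$ | $2 \log x \log N$ |
| D RSA | $l_x$ | $l_x - l_{p'} - l_{q'}$ | $\mathbb{Z}^*_N$ | $\log x \log N$ |

$l_x = 698$, $l_{p'} = l_{q'} = 160$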

SLIDE 22

Conclusion

We present a generic construction of LTDFs from subgroup membership assumptions.

We give three efficient constructions based on

1. DCR & QR;
2. Extended p Subgroup;
3. Decisional RSA.

SLIDE 23

Thank you
