Homomorphic Smooth Projective Hashing Hoeteck Wee ENS, Paris . . - - PowerPoint PPT Presentation

. . . . . . . .

KDM-Security via

Homomorphic Smooth Projective Hashing

Hoeteck Wee

ENS, Paris

“ encpk(sk) ”

key-dependent message security. [Black Rogaway Shrimpton 02] this work. unifying framework with a simple proof of security

. . . . . . . .

“ encpk(sk) ”

key-dependent message security. [Black Rogaway Shrimpton 02]

▶ applications: formal methods [Adão Bana Herzog Scedrov 05],

credentials [Camenisch Lysyanskaya 01], fully homomorphic encryption [Gentry 09]

this work. unifying framework with a simple proof of security

. . . . . . . .

“ encpk(sk) ”

key-dependent message security. [Black Rogaway Shrimpton 02]

▶ many constructions [Boneh Halevi Hamburg Ostrovsky 08, Applebaum Cash Peikert Sahai 09, Brakerski Goldwasser 10, Brakerski Vaikuntanathan 11, Barak Haitner Hofheinz Ishai 10, Brakerski Goldwasser Kalai 11, Malkin Teranishi Yung 11, Applebaum 11, ...]

this work. unifying framework with a simple proof of security

. . . . . . . .

“ encpk(sk) ”

key-dependent message security. [Black Rogaway Shrimpton 02]

▶ many constructions [Boneh Halevi Hamburg Ostrovsky 08, Applebaum Cash Peikert Sahai 09, Brakerski Goldwasser 10, Brakerski Vaikuntanathan 11, Barak Haitner Hofheinz Ishai 10, Brakerski Goldwasser Kalai 11, Malkin Teranishi Yung 11, Applebaum 11, ...]

this work. unifying framework with a simple proof of security

. . . . . . . .

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk

+ map

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) determined given µ(sk)

where µ is lossy

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) witness r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C / ∈ Gy) random given µ(sk)

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

subgroup assumption. uniform(Gy) ≈c uniform(G)

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

DDH instantiation. [Cramer Shoup 98]

− pp = (g, ga), Gy = (gr, gar) ⊂ G = G2 − DDH assumption ⇔ uniform(Gy) ≈c uniform(G)

x y c

c cxcy G i.e.

x y gr gar

gx

ay r

x y gx

ay x y gr gar

g xr

ayr

random given x ay and r r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

DDH instantiation. [Cramer Shoup 98]

− pp = (g, ga), Gy = (gr, gar) ⊂ G = G2 − Λ(x,y)(c0, c1) = cx

0cy 1

i.e.

x y gr gar

gx

ay r

x y gx

ay x y gr gar

g xr

ayr

random given x ay and r r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

DDH instantiation. [Cramer Shoup 98]

− pp = (g, ga), Gy = (gr, gar) ⊂ G = G2 − Λ(x,y)(c0, c1) = cx

0cy 1 i.e. Λ(x,y)(gr, gar) = (gx+ay)r

x y gx

ay x y gr gar

g xr

ayr

random given x ay and r r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

DDH instantiation. [Cramer Shoup 98]

− pp = (g, ga), Gy = (gr, gar) ⊂ G = G2 − Λ(x,y)(c0, c1) = cx

0cy 1 i.e. Λ(x,y)(gr, gar) = (gx+ay)r

− µ(x, y) = gx+ay

x y gr gar

g xr

ayr

random given x ay and r r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

DDH instantiation. [Cramer Shoup 98]

− pp = (g, ga), Gy = (gr, gar) ⊂ G = G2 − Λ(x,y)(c0, c1) = cx

0cy 1 i.e. Λ(x,y)(gr, gar) = (gx+ay)r

− µ(x, y) = gx+ay − Λ(x,y)(gr, gar′) = g(xr+ayr′) random given x + ay and r ̸= r′

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C)

pub(pk,C,r)

· m), C

r

← Gy

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C) · m), C

r

← Gy − decsk(C, ψ) : Λsk(C)−1 · ψ

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C) · m), C

r

← Gy subgroup + smoothness ⇒ cpa-security C

sk C C

r y

c C sk C C

r

s C random C

r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C) · m), C

r

← Gy

subgroup + smoothness ⇒ cpa-security

(C, Λsk(C))C

r

←Gy ≈c (C, Λsk(C))C

r

←G s C random C

r

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C) · m), C

r

← Gy subgroup + smoothness ⇒ cpa-security (C, Λsk(C))C

r

←Gy ≈c (C, Λsk(C))C

r

←G ≈s (C, random)C

r

←G

. . . . . . . .

Projective Hashing

• definition. projective hash function for G ⊇ Gy [Cramer Shoup 02]

− family Λsk(C ∈ G) indexed by sk + map µ − (projective) Λsk(C ∈ Gy) = pub(µ(sk), C, r) − (smoothness) Λsk(C

r

← G) random given µ(sk), C

cpa-secure encryption. Λsk(·) as one-time pad

− gen(pp) : (pk, sk), pk = µ(sk) − encpk(m) : (C, Λsk(C) · m), C

r

← Gy subgroup + smoothness ⇒ cpa-security (C, Λsk(C))C

r

←Gy ≈c (C, Λsk(C))C

r

←G ≈s (C, random)C

r

←G

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure

, if

sk

is homomorphic

i.e.

sk C

C

sk C sk C

1.

e , subgroup C C

r y

c

C e C

r y

2.

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F e.g. f(sk) = ski or f(sk) = 1 − ski or f(sk) = sk2 + sk5 + sk7

• theorem. CPA scheme is KDM secure

, if

sk

is homomorphic

i.e.

sk C

C

sk C sk C

1.

e , subgroup C C

r y

c

C e C

r y

2.

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure

, if

sk

is homomorphic

i.e.

sk C

C

sk C sk C

1.

e , subgroup C C

r y

c

C e C

r y

2.

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic i.e. Λsk(C0 · C1) = Λsk(C0) · Λsk(C1)

1.

e , subgroup C C

r y

c

C e C

r y

2.

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C, Λsk(C) )C

r

←Gy

( C · e, Λsk(C · e) )C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C) )C

r

←Gy

( C, Λsk(C · e) )C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C) )C

r

←Gy

( C, Λsk(C) · Λsk(e) )C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C) )C

r

←Gy

( C, Λsk(C) · Λsk(e)

• encpk(Λsk(e))

)C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure ,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C)

pub(pk,C)

)C

r

←Gy

( C, Λsk(C) · Λsk(e)

• encpk(Λsk(e))

)C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C)

pub(pk,C)

)C

r

←Gy

( C, Λsk(C) · Λsk(e)

• encpk(Λsk(e))

)C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

KDM security

• definition. (gen, enc, dec) is KDM secure w.r.t. F if

sim(pk, f) ≈c encpk(f(sk)) for all f ∈ F

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

i.e.

sk C

C

sk C sk C

• 1. ∀e ∈ G, subgroup ⇒ ( C )C

r

←Gy ≈c ( C · e )C

r

←Gy

2.

≈c ( C · e−1, Λsk(C)

pub(pk,C)

)C

r

←Gy

( C, Λsk(C) · Λsk(e)

• encpk(Λsk(e))

)C

r

←Gy

• note. only use smoothness for CPA security.

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk x y

q x y c

c cxcy

x y g

gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

sk gx gx x x ,

log q

pp g g ,

y

gr gr G

x x

c c cx cx

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk = (x, y) ∈ Z2

q,

Λ(x,y)(c0, c1) = cx

0cy 1,

Λ(x,y)(g, 1) = gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

sk gx gx x x ,

log q

pp g g ,

y

gr gr G

x x

c c cx cx

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk = (x, y) ∈ Z2

q,

Λ(x,y)(c0, c1) = cx

0cy 1,

Λ(x,y)(g, 1) = gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

− sk = (gx1, . . . , gxℓ), x1, . . . , xℓ ∈ {0, 1}, ℓ ≈ 3 log q pp g g ,

y

gr gr G

x x

c c cx cx

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk = (x, y) ∈ Z2

q,

Λ(x,y)(c0, c1) = cx

0cy 1,

Λ(x,y)(g, 1) = gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

− sk = (gx1, . . . , gxℓ), x1, . . . , xℓ ∈ {0, 1}, ℓ ≈ 3 log q − pp = (g1, . . . , gℓ), Gy = (gr

1, . . . , gr ℓ) ⊂ G = Gℓ

− Λ(x1,...,xℓ)(c1, . . . , cℓ) = cx1

1 · · · cxℓ ℓ

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk = (x, y) ∈ Z2

q,

Λ(x,y)(c0, c1) = cx

0cy 1,

Λ(x,y)(g, 1) = gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

− sk = (gx1, . . . , gxℓ), x1, . . . , xℓ ∈ {0, 1}, ℓ ≈ 3 log q − pp = (g1, . . . , gℓ), Gy = (gr

1, . . . , gr ℓ) ⊂ G = Gℓ

− Λ(x1,...,xℓ)(c1, . . . , cℓ) = cx1

1 · · · cxℓ ℓ

− Λ(x1,...,xℓ)(g, 1, . . . , 1) = gx1

. . . . . . . .

Instantiations

• theorem. CPA scheme is KDM secure w.r.t. {sk → Λsk(e)}e∈G,

if Λsk(·) is homomorphic

DDH instantiation I. [Cramer Shoup 98]

sk = (x, y) ∈ Z2

q,

Λ(x,y)(c0, c1) = cx

0cy 1,

Λ(x,y)(g, 1) = gx

DDH instantiation II. [Boneh Halevi Hamburg Ostrovsky 08]

− sk = (gx1, . . . , gxℓ), x1, . . . , xℓ ∈ {0, 1}, ℓ ≈ 3 log q − pp = (g1, . . . , gℓ), Gy = (gr

1, . . . , gr ℓ) ⊂ G = Gℓ

− Λ(x1,...,xℓ)(c1, . . . , cℓ) = cx1

1 · · · cxℓ ℓ

− Λ(x1,...,xℓ)(ga1, . . . , gaℓ) = ga1x1+···+aℓxℓ

. . . . . . . .

Additional Results

1 instantiations from DCR, QR [Brakerski Goldwasser 10] fixed functions f ft [Brakerski Goldwasser Kalai 11] –

x x

c c

t

cx cx cf

sk

cft sk UC-secure oblivious transfer [Peikert Waters Vaikuntanathan 08]

// thank you

. . . . . . . .

Additional Results

1 instantiations from DCR, QR [Brakerski Goldwasser 10] 2 fixed functions f1, . . . , ft [Brakerski Goldwasser Kalai 11] – Λ(x1,...,xℓ)(c1, . . . , cℓ+t) = cx1

1 · · · cxℓ ℓ cf1(sk) ℓ+1 · · · cft(sk) ℓ+1

UC-secure oblivious transfer [Peikert Waters Vaikuntanathan 08]

// thank you

. . . . . . . .

Additional Results

1 instantiations from DCR, QR [Brakerski Goldwasser 10] 2 fixed functions f1, . . . , ft [Brakerski Goldwasser Kalai 11] – Λ(x1,...,xℓ)(c1, . . . , cℓ+t) = cx1

1 · · · cxℓ ℓ cf1(sk) ℓ+1 · · · cft(sk) ℓ+1

3 UC-secure oblivious transfer [Peikert Waters Vaikuntanathan 08]

// thank you

. . . . . . . .

Additional Results

1 instantiations from DCR, QR [Brakerski Goldwasser 10] 2 fixed functions f1, . . . , ft [Brakerski Goldwasser Kalai 11] – Λ(x1,...,xℓ)(c1, . . . , cℓ+t) = cx1

1 · · · cxℓ ℓ cf1(sk) ℓ+1 · · · cft(sk) ℓ+1

3 UC-secure oblivious transfer [Peikert Waters Vaikuntanathan 08]

// thank you