Lossy Encryption from General Assumptions Brett Hemenway and Rafail - - PowerPoint PPT Presentation

Lossy Encryption from General Assumptions

Brett Hemenway and Rafail Ostrovsky

Crypto in the Clouds Workshop, MIT

August 5, 2009

Brett Hemenway and Rafail Ostrovsky

Outline

Motivation Definitions Our Results

Brett Hemenway and Rafail Ostrovsky

Outline

Motivation Definitions Our Results

Brett Hemenway and Rafail Ostrovsky

Motivation

Brett Hemenway and Rafail Ostrovsky

Motivation

Brett Hemenway and Rafail Ostrovsky

Motivation

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri)

Brett Hemenway and Rafail Ostrovsky

Motivation

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri)

Brett Hemenway and Rafail Ostrovsky

Motivation

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri)

Brett Hemenway and Rafail Ostrovsky

Motivation

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri) S3 S4 S6 m4, r4 m3, r3 m6, r6

Brett Hemenway and Rafail Ostrovsky

Motivation

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri) S3 S4 S6 m4, r4 m3, r3 m6, r6 Do the uncorrupted messages remain secure?

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding.

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05) Deniable Encryption (CDNO07)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05) Deniable Encryption (CDNO07) Meaningful/Meaningless Encryption (KN08)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05) Deniable Encryption (CDNO07) Meaningful/Meaningless Encryption (KN08) Dual-Mode Encryption (PVW08)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05) Deniable Encryption (CDNO07) Meaningful/Meaningless Encryption (KN08) Dual-Mode Encryption (PVW08) Lossy Encryption (BHY09)

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption

This problem has been attacked by creating encryption protocols that are not always binding. Interactive Protocols (BH92) Non-committing Encryption (CFGN96) Extensions (B97,CHK05) Deniable Encryption (CDNO07) Meaningful/Meaningless Encryption (KN08) Dual-Mode Encryption (PVW08) Lossy Encryption (BHY09)

Brett Hemenway and Rafail Ostrovsky

Outline

Motivation Definitions Our Results

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. ◮ Formalized in [DNRS03],[BHY09] Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. ◮ Formalized in [DNRS03],[BHY09]

◮ If the adversary does not learn the randomness, then this

follows from IND-CPA security.

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. ◮ Formalized in [DNRS03],[BHY09]

◮ If the adversary does not learn the randomness, then this

follows from IND-CPA security.

◮ If the messages are independent, then this follows from

IND-CPA security.

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. ◮ Formalized in [DNRS03],[BHY09]

◮ If the adversary does not learn the randomness, then this

follows from IND-CPA security.

◮ If the messages are independent, then this follows from

IND-CPA security.

◮ No one has been able to show that IND-CPA security implies

IND-SOA security.

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security

◮ This type of security is called Selective Opening Security.

◮ Recognized long ago in folklore. ◮ Formalized in [DNRS03],[BHY09]

◮ If the adversary does not learn the randomness, then this

follows from IND-CPA security.

◮ If the messages are independent, then this follows from

IND-CPA security.

◮ No one has been able to show that IND-CPA security implies

IND-SOA security.

◮ No one has been able to exhibit an IND-CPA secure system

that is not IND-SOA security.

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E)

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn))

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E)

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn))

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ (m′ 1, . . . , m′ n) ← M|MI

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ (m′ 1, . . . , m′ n) ← M|MI ◮ b ← A(((mi, ri))i∈I, (m′ 1, . . . , m′ n))

Brett Hemenway and Rafail Ostrovsky

Selective Opening Security: Indistinguishability [BHY09]

IND-SO-ENC (Real)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ b ← A(((mi, ri))i∈I, (m1, . . . , mn))

IND-SO-ENC (Ideal)

◮ (m1, . . . , mn) ← M ◮ r1, . . . , rn ← coins(E) ◮ I ← A((E(m1, ri), . . . , E(mn, rn)) ◮ (m′ 1, . . . , m′ n) ← M|MI ◮ b ← A(((mi, ri))i∈I, (m′ 1, . . . , m′ n))

• Pr
• AIND−SO−ENC−REAL = 1
• − Pr
• AIND−SO−ENC−IDEAL = 1
• < ν

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption in Detail

G(1λ, mode), E(pk, m, r), D(sk, c) Correctness: For all m, r D(E(pkI, m, r)) = m Lossiness: For all m0, m1 {E(pkL, m0, r)} ≈s {E(pkL, m1, r)} Indistinguishability {pkI : pkI ← G(1λ, Injective)} ≈c {pkL : pkL ← G(1λ, Lossy)}

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption in Detail

G(1λ, mode), E(pk, m, r), D(sk, c) Correctness: For all m, r D(E(pkI, m, r)) = m Lossiness: For all m0, m1 {E(pkL, m0, r)} ≈s {E(pkL, m1, r)} Indistinguishability {pkI : pkI ← G(1λ, Injective)} ≈c {pkL : pkL ← G(1λ, Lossy)}

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption in Detail

G(1λ, mode), E(pk, m, r), D(sk, c) Correctness: For all m, r D(E(pkI, m, r)) = m Lossiness: For all m0, m1 {E(pkL, m0, r)} ≈s {E(pkL, m1, r)} Indistinguishability {pkI : pkI ← G(1λ, Injective)} ≈c {pkL : pkL ← G(1λ, Lossy)}

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption in Detail

G(1λ, mode), E(pk, m, r), D(sk, c) Correctness: For all m, r D(E(pkI, m, r)) = m Lossiness: For all m0, m1 {E(pkL, m0, r)} ≈s {E(pkL, m1, r)} Indistinguishability {pkI : pkI ← G(1λ, Injective)} ≈c {pkL : pkL ← G(1λ, Lossy)}

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption in Detail

G(1λ, mode), E(pk, m, r), D(sk, c) Correctness: For all m, r D(E(pkI, m, r)) = m Lossiness: For all m0, m1 {E(pkL, m0, r)} ≈s {E(pkL, m1, r)} Indistinguishability {pkI : pkI ← G(1λ, Injective)} ≈c {pkL : pkL ← G(1λ, Lossy)} Notice: Indistinguishability + Lossiness = ⇒ IND-CPA security

Brett Hemenway and Rafail Ostrovsky

Lossy Encryption is IND-SO-ENC Secure (BHY09)

In Lossy mode, the distributions (E(m1, r1), . . . , E(mn, rn)) ≈s (E(m′

1, r1), . . . , E(m′ n, rn))

Since the encryptions are statistically independent of the messages, so even after conditioning on certain openings, the rest remain independent of the messages.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption

◮ (G, E, D) is semantically secure.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption

◮ (G, E, D) is semantically secure. ◮ There exists a function ReRand such that for all pk, m, r, r′

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption

◮ (G, E, D) is semantically secure. ◮ There exists a function ReRand such that for all pk, m, r, r′

◮ Correctness:

D(ReRand(E(pk, m, r))) = m

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption

◮ (G, E, D) is semantically secure. ◮ There exists a function ReRand such that for all pk, m, r, r′

◮ Correctness:

D(ReRand(E(pk, m, r))) = m

◮ Statistical rerandomization:

{ReRand(E(pk, m, r))} ≈s {ReRand(E(pk, m, r ′))}

Brett Hemenway and Rafail Ostrovsky

Homomorphic Encryption

If E(pk, m, r)E(pk, m′, r′) = E(pk, m + m′, r∗), then we can re-randomize by doing ReRand(E(pk, m, r)) = E(pk, m, r)E(pk, 0, r′).

Brett Hemenway and Rafail Ostrovsky

Homomorphic Encryption

If E(pk, m, r)E(pk, m′, r′) = E(pk, m + m′, r∗), then we can re-randomize by doing ReRand(E(pk, m, r)) = E(pk, m, r)E(pk, 0, r′). Caution: this is not necessarily statistically re-randomizing.

Brett Hemenway and Rafail Ostrovsky

Homomorphic Encryption

If E(pk, m, r)E(pk, m′, r′) = E(pk, m + m′, r∗), then we can re-randomize by doing ReRand(E(pk, m, r)) = E(pk, m, r)E(pk, 0, r′). Caution: this is not necessarily statistically re-randomizing. It is statistically re-randomizing for all known homomorphic cryptosystems.

Brett Hemenway and Rafail Ostrovsky

Homomorphic Encryption

If E(pk, m, r)E(pk, m′, r′) = E(pk, m + m′, r∗), then we can re-randomize by doing ReRand(E(pk, m, r)) = E(pk, m, r)E(pk, 0, r′). Caution: this is not necessarily statistically re-randomizing. It is statistically re-randomizing for all known homomorphic cryptosystems. If you can sample statistically close to uniformly from the set of encryptions of 0 then homomorphic encryption is statistically rerandomizable

Brett Hemenway and Rafail Ostrovsky

Outline

Motivation Definitions Our Results

Brett Hemenway and Rafail Ostrovsky

Our Results

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

◮ Constructions from statistically-hiding NIZKs in the

simulation-based model

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

◮ Constructions from statistically-hiding NIZKs in the

simulation-based model

◮ Constructions from Lossy-Trapdoor Functions in the

indistinguishability-based model

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption. ◮ Let (pk, sk) ← G

e0 = E(pk, b0, r0), e1 = E(pk, b1, r1). Define PK = (pk, e0, e1), SK = sk.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption. ◮ Let (pk, sk) ← G

e0 = E(pk, b0, r0), e1 = E(pk, b1, r1). Define PK = (pk, e0, e1), SK = sk.

◮ Encryption of b will be

ReRand(eb).

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption. ◮ Let (pk, sk) ← G

e0 = E(pk, b0, r0), e1 = E(pk, b1, r1). Define PK = (pk, e0, e1), SK = sk.

◮ Encryption of b will be

ReRand(eb).

◮ Decryption is the same as for the ReRandomizable scheme.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption. ◮ Let (pk, sk) ← G

e0 = E(pk, b0, r0), e1 = E(pk, b1, r1). Define PK = (pk, e0, e1), SK = sk.

◮ Encryption of b will be

ReRand(eb).

◮ Decryption is the same as for the ReRandomizable scheme.

This is lossy if b0 = b1, and injective if b0 = b1.

Brett Hemenway and Rafail Ostrovsky

ReRandomizable Encryption “is” Lossy Encryption

◮ Let (G, E, D, ReRand) be a ReRandomizable Encryption. ◮ Let (pk, sk) ← G

e0 = E(pk, b0, r0), e1 = E(pk, b1, r1). Define PK = (pk, e0, e1), SK = sk.

◮ Encryption of b will be

ReRand(eb).

◮ Decryption is the same as for the ReRandomizable scheme.

This is lossy if b0 = b1, and injective if b0 = b1. The indistinguishability of modes follows immediately from the Semantic Security of (G, E, D).

Brett Hemenway and Rafail Ostrovsky

For Homomorphic Encryption

Brett Hemenway and Rafail Ostrovsky

For Homomorphic Encryption

◮ If (G, E, D) is homomorphic and E(pk, 0, r) is statistically

close to uniform on the set of encryptions of 0, then

Brett Hemenway and Rafail Ostrovsky

For Homomorphic Encryption

◮ If (G, E, D) is homomorphic and E(pk, 0, r) is statistically

close to uniform on the set of encryptions of 0, then

◮ We can make lossy encryption, simply by setting PK = (pk, e)

where e = E(pk, 0, r) in Lossy Mode and E(pk, 1, r) in injective mode.

Brett Hemenway and Rafail Ostrovsky

For Homomorphic Encryption

◮ If (G, E, D) is homomorphic and E(pk, 0, r) is statistically

close to uniform on the set of encryptions of 0, then

◮ We can make lossy encryption, simply by setting PK = (pk, e)

where e = E(pk, 0, r) in Lossy Mode and E(pk, 1, r) in injective mode.

◮ Encryption of m is just em · E(pk, 0, r).

Brett Hemenway and Rafail Ostrovsky

For Homomorphic Encryption

◮ If (G, E, D) is homomorphic and E(pk, 0, r) is statistically

close to uniform on the set of encryptions of 0, then

◮ We can make lossy encryption, simply by setting PK = (pk, e)

where e = E(pk, 0, r) in Lossy Mode and E(pk, 1, r) in injective mode.

◮ Encryption of m is just em · E(pk, 0, r). ◮ Decryption is the same.

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender x0 x1 b

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender x0 x1 b Qb(·, ·; ·)

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender x0 x1 b Qb(·, ·; ·) Qb(x0, x1; r)

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender x0 x1 b Qb(·, ·; ·) Qb(x0, x1; r) PKinj: Q0 PKlossy: Q1 E(m, r) ≡ Qb(m, 0; r)

Brett Hemenway and Rafail Ostrovsky

Oblivious Transfer Implies Lossy Encryption

Receiver Sender x0 x1 b Qb(·, ·; ·) Qb(x0, x1; r) PKinj: Q0 PKlossy: Q1 E(m, r) ≡ Qb(m, 0; r) Computational receiver privacy implies indistinguishability of modes Statistical sender privacy implies lossiness of lossy branch

Brett Hemenway and Rafail Ostrovsky

Chosen Ciphertext Security

Chosen Ciphertext Security in the Selective Opening Setting

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary Decryption Queries

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary Decryption Queries Selective Opening Query

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary Decryption Queries Selective Opening Query Decryption Queries Output b

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary c D(c) . . . Selective Opening Query Decryption Queries

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary c D(c) . . . E(m1, r1), . . . , E(mn, rn) I {mi, ri}i∈I, {m′

j}j∈I

Decryption Queries

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA2: Definitions

Challenger Adversary c D(c) . . . E(m1, r1), . . . , E(mn, rn) I {mi, ri}i∈I, {m′

j}j∈I

c D(c) . . . Output b

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions [PW08]

FI ≈ Fℓ FI F−1

I

Injective Mode Lossy Mode Fℓ

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions in Detail

(s, t) GLTDF(1λ, inj)

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions in Detail

(s, t) GLTDF(1λ, inj) (s, ⊥) GLTDF(1λ, lossy)

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions in Detail

(s, t) GLTDF(1λ, inj) (s, ⊥) GLTDF(1λ, lossy) Trapdoor: F −1(t, F(s, x)) = x

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions in Detail

(s, t) GLTDF(1λ, inj) (s, ⊥) GLTDF(1λ, lossy) Trapdoor: F −1(t, F(s, x)) = x Lossiness: |imF(s, ·)| ≤ 2r

Brett Hemenway and Rafail Ostrovsky

Lossy Trapdoor Functions in Detail

(s, t) GLTDF(1λ, inj) (s, ⊥) GLTDF(1λ, lossy) Trapdoor: F −1(t, F(s, x)) = x Lossiness: |imF(s, ·)| ≤ 2r The first outputs of GLTDF(1λ, inj), and GLTDF(1λ, lossy) are computationally indistinguishable

Brett Hemenway and Rafail Ostrovsky

All-But-One Functions [PW08]

(s, t) GABO(1λ, b∗) Trapdoor: For b = b∗ F −1(t, b, F(s, b, x)) = x Lossiness: |imF(s, b∗, ·)| ≤ 2r The first outputs of GABO(1λ, b0), and GABO(1λ, b1) are computationally indistinguishable

Brett Hemenway and Rafail Ostrovsky

All-But-n Functions

(s, t) GABN(1λ, B) with |B| = n Trapdoor: For b ∈ B F −1(t, b, F(s, b, x)) = x Lossiness: For b ∈ B |imF(s, b, ·)| ≤ 2r The first outputs of GABN(1λ, B0), and GABN(1λ, B1) are computationally indistinguishable.

All-But-n Functions

(s, t) GABN(1λ, B) with |B| = n Trapdoor: For b ∈ B F −1(t, b, F(s, b, x)) = x Lossiness: For b ∈ B |imF(s, b, ·)| ≤ 2r The first outputs of GABN(1λ, B0), and GABN(1λ, B1) are computationally indistinguishable. Can be constructed from LTDFs

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA Construction

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA Construction

◮ KeyGen:

(s0, t0) ← GLTDF(1λ, inj) (s1, t1) ← GABN(1λ, {1, . . . , n}) pk = (s0, s1) and sk = (t0, t1).

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA Construction

◮ KeyGen:

(s0, t0) ← GLTDF(1λ, inj) (s1, t1) ← GABN(1λ, {1, . . . , n}) pk = (s0, s1) and sk = (t0, t1).

◮ Encryption:

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA Construction

◮ KeyGen:

(s0, t0) ← GLTDF(1λ, inj) (s1, t1) ← GABN(1λ, {1, . . . , n}) pk = (s0, s1) and sk = (t0, t1).

◮ Encryption:

rsig ← coins(Sign), x ← X (vk, sk) = G(rsig).

Brett Hemenway and Rafail Ostrovsky

IND-SO-CCA Construction

◮ KeyGen:

(s0, t0) ← GLTDF(1λ, inj) (s1, t1) ← GABN(1λ, {1, . . . , n}) pk = (s0, s1) and sk = (t0, t1).

◮ Encryption:

rsig ← coins(Sign), x ← X (vk, sk) = G(rsig). For a message m, calculate (FLTDF(s0, x), FABN(s1, vk, x), h(x) ⊕ m) sig = Signsk(FLTDF(s0, x), FABN(s1, vk, x), h(x) ⊕ m),

• utput the ciphertext:

(vk, FLTDF(s0, x), FABN(s1, vk, x), h(x) ⊕ m, sig)

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Secure Encryption

A SEM-SO-CCA Secure Construction

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

◮ There are difficulties:

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

◮ There are difficulties:

◮ An encryption query is actually a query for n encryptions, so

we need a NIZK which remains secure even after seeing n simulated proofs.

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

◮ There are difficulties:

◮ An encryption query is actually a query for n encryptions, so

we need a NIZK which remains secure even after seeing n simulated proofs. Unduplicatable set selection [S99]

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

◮ There are difficulties:

◮ An encryption query is actually a query for n encryptions, so

we need a NIZK which remains secure even after seeing n simulated proofs. Unduplicatable set selection [S99]

◮ After we make n simulated proofs, for |I| of them, we are

forced to reveal the randomness.

Brett Hemenway and Rafail Ostrovsky

Intuition of our SEM-SO-CCA construction

◮ To construct SEM-SO-CCA encryption we follow the

Naor-Yung paradigm.

◮ There are difficulties:

◮ An encryption query is actually a query for n encryptions, so

we need a NIZK which remains secure even after seeing n simulated proofs. Unduplicatable set selection [S99]

◮ After we make n simulated proofs, for |I| of them, we are

forced to reveal the randomness.

◮ The statistically hiding property of lossy encryption allows us

to prove IND-SO security. Statistical NIZKs should allow us to prove IND-SO-CCA security.

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

◮ Completeness: All true statements can be proven.

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

◮ Completeness: All true statements can be proven. ◮ Soundness: False statements (with witnesses to their

falseness) cannot be proven.

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

◮ Completeness: All true statements can be proven. ◮ Soundness: False statements (with witnesses to their

falseness) cannot be proven.

◮ Zero-Knowledge: Nothing beyond the truth of the

statement is revealed.

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

◮ Completeness: All true statements can be proven. ◮ Soundness: False statements (with witnesses to their

falseness) cannot be proven.

◮ Zero-Knowledge: Nothing beyond the truth of the

statement is revealed.

◮ Proof of Knowledge: There exists a simulator that can

extract a witness from a valid proof.

Brett Hemenway and Rafail Ostrovsky

Statistical NIZKs [GOS06]

◮ Completeness: All true statements can be proven. ◮ Soundness: False statements (with witnesses to their

falseness) cannot be proven.

◮ Zero-Knowledge: Nothing beyond the truth of the

statement is revealed.

◮ Proof of Knowledge: There exists a simulator that can

extract a witness from a valid proof.

◮ Honest-Prover State Reconstruction: There exists a

simulator that can create a proof P without a witness, then, given a witness w can produce randomness r such that P appears to have been generated with w and r.

Brett Hemenway and Rafail Ostrovsky

Tools

Brett Hemenway and Rafail Ostrovsky

Tools

◮ Unduplicatable Set Selector g.

Brett Hemenway and Rafail Ostrovsky

Tools

◮ Unduplicatable Set Selector g. ◮ SEM-SO-ENC secure encryption (Gso, E, D).

Brett Hemenway and Rafail Ostrovsky

Tools

◮ Unduplicatable Set Selector g. ◮ SEM-SO-ENC secure encryption (Gso, E, D). ◮ Statistical NIZKs (Prover, Verifier, Ext, SR).

Brett Hemenway and Rafail Ostrovsky

Tools

◮ Unduplicatable Set Selector g. ◮ SEM-SO-ENC secure encryption (Gso, E, D). ◮ Statistical NIZKs (Prover, Verifier, Ext, SR). ◮ Strongly Unforgeable One-Time Signatures (Sign, Ver).

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

◮ KeyGen:

(pk0, sk0), (pk1, sk1) ← Gso(1λ), (σi, τi) ← Ext1(1λ) for i ∈ L pk = (pk0, pk1, {σi}i∈L) and sk = (sk0, sk1, {τi}i∈L).

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

◮ KeyGen:

(pk0, sk0), (pk1, sk1) ← Gso(1λ), (σi, τi) ← Ext1(1λ) for i ∈ L pk = (pk0, pk1, {σi}i∈L) and sk = (sk0, sk1, {τi}i∈L).

◮ Encryption:

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

◮ KeyGen:

(pk0, sk0), (pk1, sk1) ← Gso(1λ), (σi, τi) ← Ext1(1λ) for i ∈ L pk = (pk0, pk1, {σi}i∈L) and sk = (sk0, sk1, {τi}i∈L).

◮ Encryption:

rsig ← coins(Sign), r0, r1 ← coins(E), {rnizk

i

}ℓ

i=1 ← coins(Prover).

(vk, sk) = G(rsig).

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

◮ KeyGen:

(pk0, sk0), (pk1, sk1) ← Gso(1λ), (σi, τi) ← Ext1(1λ) for i ∈ L pk = (pk0, pk1, {σi}i∈L) and sk = (sk0, sk1, {τi}i∈L).

◮ Encryption:

rsig ← coins(Sign), r0, r1 ← coins(E), {rnizk

i

}ℓ

i=1 ← coins(Prover).

(vk, sk) = G(rsig). For a message m, calculate e0 = E(pk0, m, r0), e1 = E(pk1, m, r1) set w = (m, r0, r1).

Brett Hemenway and Rafail Ostrovsky

SEM-SO-CCA Construction

◮ KeyGen:

(pk0, sk0), (pk1, sk1) ← Gso(1λ), (σi, τi) ← Ext1(1λ) for i ∈ L pk = (pk0, pk1, {σi}i∈L) and sk = (sk0, sk1, {τi}i∈L).

◮ Encryption:

rsig ← coins(Sign), r0, r1 ← coins(E), {rnizk

i

}ℓ

i=1 ← coins(Prover).

(vk, sk) = G(rsig). For a message m, calculate e0 = E(pk0, m, r0), e1 = E(pk1, m, r1) set w = (m, r0, r1). π = (π1, . . . , πℓ) = (Prover(σi, (e0, e1), w), rnizk

i

)i∈g(vk) sig = Sign(e0, e1, π),

• utput the ciphertext: c = (vk, e0, e1, π, sig).

Brett Hemenway and Rafail Ostrovsky

Theorem This construction is SEM-SO-CCA2 Secure

Brett Hemenway and Rafail Ostrovsky

Our Results

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

◮ Constructions from statistically-hiding NIZKs in the

simulation-based model

Brett Hemenway and Rafail Ostrovsky

Our Results

◮ ReRandomizable Encryption “is” Lossy Encryption

◮ A framework for creating Lossy Encryption: ◮ Applying the results of [BHY09] gives: ◮ Goldwasser-Micali ◮ El-Gamal ◮ Paillier / Damg˚

ard-Jurik

◮ The first proof that Paillier/Damg˚

ard-Jurik is SEM-SO-ENC secure. This is the most efficient known SEM-SO-ENC cryptosystem.

◮ Statistically Hiding-OT implies Lossy Encryption

◮ PIR implies Lossy Encryption ◮ Homomorphic Encryption implies Lossy Encryption

◮ CCA2 Selective Opening Secure definitions and constructions

◮ Constructions from statistically-hiding NIZKs in the

simulation-based model

◮ Constructions from Lossy-Trapdoor Functions in the

indistinguishability-based model

Brett Hemenway and Rafail Ostrovsky

Open Questions

Brett Hemenway and Rafail Ostrovsky

Open Questions

◮ Can we construct an IND-CPA secure system that is not

IND-SO secure?

Brett Hemenway and Rafail Ostrovsky

Open Questions

◮ Can we construct an IND-CPA secure system that is not

IND-SO secure?

◮ Can we remove the dependence on n in the CCA

constructions.

Brett Hemenway and Rafail Ostrovsky

Open Questions

◮ Can we construct an IND-CPA secure system that is not

IND-SO secure?

◮ Can we remove the dependence on n in the CCA

constructions.

◮ What about receiver corruption?

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

Recall: Sender Corruption Game

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri) Sender Corruptions

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

R S1 S2 S3 S4 S5 S6 S7 e1 e2 e3 e4 e5 e6 e7 ei = E(pk, mi, ri) Sender Corruptions S3 S4 S6 m4, r4 m3, r3 m6, r6

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

S R1 R2 R3 R4 R5 R6 R7 e1 e2 e3 e4 e5 e6 e7 ei = E(pki, mi, ri) Receiver Corruptions

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

S R1 R2 R3 R4 R5 R6 R7 e1 e2 e3 e4 e5 e6 e7 ei = E(pki, mi, ri) Receiver Corruptions R3 R4 R6 sk4 sk3 sk6

Brett Hemenway and Rafail Ostrovsky

Open Question: Receiver Corruption

S R1 R2 R3 R4 R5 R6 R7 e1 e2 e3 e4 e5 e6 e7 ei = E(pki, mi, ri) Receiver Corruptions R3 R4 R6 sk4 sk3 sk6

Brett Hemenway and Rafail Ostrovsky

Thanks!

Brett Hemenway and Rafail Ostrovsky