lossy trapdoor functions and their applications
play

Lossy Trapdoor Functions and Their Applications Chris Peikert - PowerPoint PPT Presentation

Feb 08, 2023 •195 likes •925 views

Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing

  1. Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15

  2. On Losing Information 2 / 15

  3. On Losing Information 2 / 15

  4. On Losing Information 2 / 15

  5. On Losing Information 2 / 15

  6. On Losing Information 2.3 MB → 0.4 MB 2 / 15

  7. On Losing Information 2 / 15

  8. On Losing Information Lossy object indistinguishable from original 2 / 15

  9. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 3 / 15

  10. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 / 15

  11. This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions 3 / 15

  12. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  13. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F F ( x ) { 0 , 1 } N 4 / 15

  14. Public Key Cryptography 1-1 Trapdoor Functions ( F , F − 1 ) ← S { 0 , 1 } n x F − 1 F F ( x ) { 0 , 1 } N 4 / 15

  15. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  16. Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F , F − 1 ) ← S ( E , D ) ← S { 0 , 1 } n x m r F − 1 F D F ( x ) E ( m ; r ) { 0 , 1 } N { 0 , 1 } N 4 / 15

  17. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? 5 / 15

  18. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Lattice-Based Crypto: ◮ Simple & parallelizable ◮ Resist quantum algorithms (so far) ◮ Security from worst-case assumptions [Ajtai,. . . ] 5 / 15

  19. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ?? ✔ [DDN,. . . ,CS2] ✔ [CS1] TDF ✔ [RSA,R,P] ?? ?? Black-Box Separations: PKE [GMR] [GMM] TDF CCA 5 / 15

  20. Realizing Public Key Crypto Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ✔ TDF ✔ [RSA,R,P] ✔ ✔ This Work: Factoring TDF Disc log Lossy TDF CCA Lattices CRHF , OT, . . . 5 / 15

  21. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj { 0 , 1 } n x F − 1 F { 0 , 1 } N 6 / 15

  22. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  23. Lossy Trapdoor Functions ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  24. Lossy Trapdoor Functions c ≈ F F ( F , F − 1 ) ← S inj F ← S loss { 0 , 1 } n { 0 , 1 } n x x F − 1 F F | Im ( F ) | = 2 r ≪ 2 n { 0 , 1 } N { 0 , 1 } N 6 / 15

  25. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . 7 / 15

  26. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S inj x ? F I = x 7 / 15

  27. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x 7 / 15

  28. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). 7 / 15

  29. Lossy TDFs ⇒ 1-1 Trapdoor Functions Theorem ◮ S inj generates 1-1 trapdoor functions ( F , F − 1 ) . ◮ Efficient I wants to invert F . { 0 , 1 } n S loss x ✗ F I = x ◮ F ( x ) has 2 n − r preimages (on average). Main Technique ◮ Swapping F with F yields statistically secure system. 7 / 15

  30. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. 8 / 15

  31. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . 8 / 15

  32. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  33. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F H ( x ) H 8 / 15

  34. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H 8 / 15

  35. Lossy TDFs ⇒ Public-Key Encryption ◮ Hard-core functions [GoldreichLevin] — the lazy way. • Pairwise independent H : { 0 , 1 } n → { 0 , 1 } k for k ≈ n − r . x F ( x ) F k unif bits entropy k [ILL,DRS] H ( x ) H ◮ Public key ( F , H ) , secret key F − 1 . Encrypt m ∈ { 0 , 1 } k as ( F ( x ) , m ⊕ H ( x )) . 8 / 15

  36. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle 9 / 15

  37. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] 9 / 15

  38. Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] ◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty ◮ Verify ciphertext is “well-formed” ◮ Usually via zero-knowledge proof ◮ Our approach: recover randomness 9 / 15

  39. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . 10 / 15

  40. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . 10 / 15

  41. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · 10 / 15

  42. All-But-One TDFs ◮ G ( b , x ) has extra parameter: branch b ∈ { 0 , 1 } n . ◮ Generate ( G , G − 1 ) with hidden lossy branch ℓ . G · · · G ( 0 , · ) G ( ℓ + 1 , · ) G ( 1 , · ) G ( ℓ, · ) · · · ◮ Lossy TDFs ⇔ all-but-one TDFs. 10 / 15

  43. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 KeyGen ( F , G , H ) 11 / 15

  44. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen m ( F , G , H ) y 1 = F ( x ) y 2 = G ( b , x ) c = H ( x ) ⊕ m 11 / 15

  45. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt m ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  46. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c 11 / 15

  47. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Encrypt KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( b , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  48. Lossy TDFs ⇒ CCA-Secure Encryption F − 1 Challenge KeyGen Decrypt Recover x = F − 1 ( y 1 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  49. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  50. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ 11 / 15

  51. Lossy TDFs ⇒ CCA-Secure Encryption G − 1 Challenge KeyGen Decrypt Recover x = G − 1 ( y 2 ) . m Reencrypt & check. ( F , G , H ) y 1 = F ( x ) y 1 y 2 = G ( ℓ , x ) y 2 c = H ( x ) ⊕ m c ⊕ H ( x ) c or ⊥ ◮ Challenge ciphertext hides m statistically. 11 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April

Regular Lossy Functions and Applications in Leakage-Resilient Cryptography CT-RSA 2018 April 20th, 2018 1 / 41 Yu Chen 1 Baodong Qin 2 Haiyang Xue 1 1 SKLOIS, IIE, Chinese Academy of Sciences 2 Xian University of Posts and Telecommunication

1.92k views • 115 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and

Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and

Reconstruction of Smooth 3D Color Functions from Keypoints: Application to Lossy Compression and Examplar-Based Generation of Color LUTs D. Tschumperl C. Porquet A. Mahboubi Normandie Univ, UNICAEN, ENSICAEN, CNRS GREYC, F-14000 Caen,

751 views • 32 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of

A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of

A New Approach to Lossy Compression and Applications to Security Eva C. Song Department of Electrical Engineering Princeton University Joint work with: Paul Cuff and H. Vincent Poor November 9, 2015 Overview 1 compression/source coding 1 2

134 views • 12 slides
New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

954 views • 60 slides
Applications of exponential functions Applications of exponential functions abound throughout the

Applications of exponential functions Applications of exponential functions abound throughout the

Applications of exponential functions Applications of exponential functions abound throughout the sciences. Exponential functions are the primary functions that scientists work with. Here are some examples. Elementary Functions Exponential

241 views • 7 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Typical Applications Map functions on data structures Scheduling functions PolyTest

Typical Applications Map functions on data structures Scheduling functions PolyTest

Typical Applications Map functions on data structures Scheduling functions PolyTest polymorphic testing monomorphic testing over functions Many, many more...? Today: quantification over functions is avoided No Show

329 views • 16 slides
Asymptotics of symmetric functions with applications to Setup Asymptotics of statistical

Asymptotics of symmetric functions with applications to Setup Asymptotics of statistical

Asymptotics of symmetric functions with applications to statistical mechanics and representation theory Greta Panova (UCLA) Normalized Schur functions S Asymptotics of symmetric functions with applications to Setup Asymptotics of

661 views • 40 slides
Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and

Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and

Reducing Checkpoint Size in PlasComCM with Lossy Compression 14th Annual Workshop on Charm++ and its Applications Jon Calhoun 1 , Franck Cappello 1 , 2 , Luke Olson 1 , and Marc Snir 1 , 2 , Sheng Di 2 1 University of Illinois at Urbana-Champaign

653 views • 22 slides
Inside the black - box children rights in the digital age Conceio Costa Jos Rogado

Inside the black - box children rights in the digital age Conceio Costa Jos Rogado

Inside the black - box children rights in the digital age Conceio Costa Jos Rogado Carla Sousa Sara Henriques Children Rights in the Digital Age The United Nations Convention on the Rights of the Child (1989) Children have

507 views • 17 slides
Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas Format Preserving Encryption Example: Existing database with millions of US social security numbers 9 digit numbers First 3 digits

881 views • 73 slides
MRSO Update Gerry Halligan 13 May 2015 Market Message 010 40,000 2013 2014 2015 35,000

MRSO Update Gerry Halligan 13 May 2015 Market Message 010 40,000 2013 2014 2015 35,000

MRSO Update Gerry Halligan 13 May 2015 Market Message 010 40,000 2013 2014 2015 35,000 30,000 25,000 20,000 15,000 10,000 5,000 0 Septembe January February March April May June July August October November December r 2013

350 views • 14 slides
Privacy & Information Security Tackling Trends & Threats December 12, 2014 Norma A.

Privacy & Information Security Tackling Trends & Threats December 12, 2014 Norma A.

Privacy & Information Security Tackling Trends & Threats December 12, 2014 Norma A. Chitvanni RHIT, CHPS nchitvan@bidmc.harvard.edu Agenda Omnibus Rule Pay Out of Pocket 2013 Mobile clinical equipment Email security

102 views • 8 slides
+- zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA A B. THE LATEST FASHION

+- zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA A B. THE LATEST FASHION

ALL OUR PROBLEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA COMPLEXITY THEORY: THE SIMPLE ANSWER TO Peter Gminger, UKMOD 16ISMOIc September1998 +- zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA A B. THE LATEST FASHION

52 views • 3 slides
Innovative Biological Solutions Oklahoma State University BAE 4012 Dec. 4, 2003 Steven Fowler

Innovative Biological Solutions Oklahoma State University BAE 4012 Dec. 4, 2003 Steven Fowler

Innovative Biological Solutions Oklahoma State University BAE 4012 Dec. 4, 2003 Steven Fowler Derek Storm Travis Guy Project Introduction Scott Pet Products One of the nations leaders in the pet food and treat industry Final destination

488 views • 23 slides
Choose Your Own (Battle of the Books) Adventure! QSLiN Symposium Pointe-Claire, QC March 28,

Choose Your Own (Battle of the Books) Adventure! QSLiN Symposium Pointe-Claire, QC March 28,

Choose Your Own (Battle of the Books) Adventure! QSLiN Symposium Pointe-Claire, QC March 28, 2019 WELCOME! Alissa Rosellini (EMSB Board Librarian) & Amelia Crerar (English and French Literacy Consultant, LBPSB) 2 3 BEGINNINGS

445 views • 30 slides
Gender, migra,on and poverty pay in the precarious English social care sector Dr. Shereen Hussein

Gender, migra,on and poverty pay in the precarious English social care sector Dr. Shereen Hussein

Gender, migra,on and poverty pay in the precarious English social care sector Dr. Shereen Hussein Principal Research Fellow Kings College London 09/08/16 Social Policy Research Centre, University of New South Wales 1 The formal BriMsh LTC

526 views • 38 slides

More recommend