Lossy Trapdoor Functions and Their Applications Chris Peikert - - PowerPoint PPT Presentation

Lossy Trapdoor Functions and Their Applications

Chris Peikert Brent Waters

SRI International

1 / 15

On Losing Information

2 / 15

On Losing Information

2 / 15

On Losing Information

2 / 15

On Losing Information

2 / 15

On Losing Information

2.3 MB → 0.4 MB

2 / 15

On Losing Information

2 / 15

On Losing Information

Lossy object indistinguishable from original

2 / 15

This Talk

1 Trapdoor functions without factoring: discrete log & lattices

3 / 15

This Talk

1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery

3 / 15

This Talk

1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions

3 / 15

Public Key Cryptography

1-1 Trapdoor Functions ( F , F−1 ) ← S {0, 1}n {0, 1}N x F(x) F

4 / 15

Public Key Cryptography

1-1 Trapdoor Functions ( F , F−1 ) ← S {0, 1}n {0, 1}N x F(x) F

4 / 15

Public Key Cryptography

1-1 Trapdoor Functions ( F , F−1 ) ← S {0, 1}n {0, 1}N x F(x) F F−1

4 / 15

Public Key Cryptography

1-1 Trapdoor Functions Public Key Encryption ( F , F−1 ) ← S {0, 1}n {0, 1}N x F(x) F F−1 ( E , D) ← S {0, 1}N m r E(m ; r)

4 / 15

Public Key Cryptography

1-1 Trapdoor Functions Public Key Encryption ( F , F−1 ) ← S {0, 1}n {0, 1}N x F(x) F F−1 ( E , D) ← S {0, 1}N m r E(m ; r) D

4 / 15

Realizing Public Key Crypto

Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ?? TDF ✔ [RSA,R,P] ?? ??

5 / 15

Realizing Public Key Crypto

Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ?? TDF ✔ [RSA,R,P] ?? ?? Lattice-Based Crypto: ◮ Simple & parallelizable ◮ Resist quantum algorithms (so far) ◮ Security from worst-case assumptions [Ajtai,. . . ]

5 / 15

Realizing Public Key Crypto

Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ?? TDF ✔ [RSA,R,P] ?? ?? Black-Box Separations: PKE TDF CCA

[GMR] [GMM]

5 / 15

Realizing Public Key Crypto

Factoring Discrete log Lattices PKE ✔ [RSA,. . . ] ✔ [ElGamal] ✔ [AD,R1,R2] CCA ✔ [DDN,. . . ,CS2] ✔ [CS1] ✔ TDF ✔ [RSA,R,P] ✔ ✔ This Work: Lossy TDF Factoring Disc log Lattices TDF CCA CRHF , OT, . . .

5 / 15

Lossy Trapdoor Functions

( F , F−1 ) ← Sinj {0, 1}n {0, 1}N x F F−1

6 / 15

Lossy Trapdoor Functions

( F , F−1 ) ← Sinj {0, 1}n {0, 1}N x F F−1 F ← Sloss {0, 1}n {0, 1}N |Im(F)| = 2r ≪ 2n x F

6 / 15

Lossy Trapdoor Functions

( F , F−1 ) ← Sinj {0, 1}n {0, 1}N x F F−1 F ← Sloss {0, 1}n {0, 1}N |Im(F)| = 2r ≪ 2n x F

6 / 15

Lossy Trapdoor Functions

F

c

≈ F ( F , F−1 ) ← Sinj {0, 1}n {0, 1}N x F F−1 F ← Sloss {0, 1}n {0, 1}N |Im(F)| = 2r ≪ 2n x F

6 / 15

Lossy TDFs ⇒ 1-1 Trapdoor Functions

Theorem ◮ Sinj generates 1-1 trapdoor functions (F, F−1).

7 / 15

Lossy TDFs ⇒ 1-1 Trapdoor Functions

Theorem ◮ Sinj generates 1-1 trapdoor functions (F, F−1). ◮ Efficient I wants to invert F. {0, 1}n x F Sinj I

?

= x

7 / 15

Lossy TDFs ⇒ 1-1 Trapdoor Functions

Theorem ◮ Sinj generates 1-1 trapdoor functions (F, F−1). ◮ Efficient I wants to invert F. {0, 1}n x F Sloss I

✗

= x

7 / 15

Lossy TDFs ⇒ 1-1 Trapdoor Functions

Theorem ◮ Sinj generates 1-1 trapdoor functions (F, F−1). ◮ Efficient I wants to invert F. {0, 1}n x F Sloss I

✗

= x ◮ F(x) has 2n−r preimages (on average).

7 / 15

Lossy TDFs ⇒ 1-1 Trapdoor Functions

Theorem ◮ Sinj generates 1-1 trapdoor functions (F, F−1). ◮ Efficient I wants to invert F. {0, 1}n x F Sloss I

✗

= x ◮ F(x) has 2n−r preimages (on average). Main Technique ◮ Swapping F with F yields statistically secure system.

7 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

8 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

• Pairwise independent H : {0, 1}n → {0, 1}k for k ≈ n − r.

8 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

• Pairwise independent H : {0, 1}n → {0, 1}k for k ≈ n − r.

x F H F(x) H(x)

8 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

• Pairwise independent H : {0, 1}n → {0, 1}k for k ≈ n − r.

x F H F(x) H(x)

8 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

• Pairwise independent H : {0, 1}n → {0, 1}k for k ≈ n − r.

x F H F(x) H(x) entropy k k unif bits

[ILL,DRS]

8 / 15

Lossy TDFs ⇒ Public-Key Encryption

◮ Hard-core functions [GoldreichLevin] — the lazy way.

• Pairwise independent H : {0, 1}n → {0, 1}k for k ≈ n − r.

x F H F(x) H(x) entropy k k unif bits

[ILL,DRS]

◮ Public key (F, H), secret key F−1. Encrypt m ∈ {0, 1}k as (F(x), m ⊕ H(x)).

8 / 15

Chosen Ciphertext-Secure Encryption

Intuitive Definition

[DDN,NY,RS]

◮ Encryption hides message, even with decryption oracle

9 / 15

Chosen Ciphertext-Secure Encryption

Intuitive Definition

[DDN,NY,RS]

◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS]

9 / 15

Chosen Ciphertext-Secure Encryption

Intuitive Definition

[DDN,NY,RS]

◮ Encryption hides message, even with decryption oracle Why It Matters ◮ “Correct” security notion for active adversaries ◮ Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty ◮ Verify ciphertext is “well-formed” ◮ Usually via zero-knowledge proof ◮ Our approach: recover randomness

9 / 15

All-But-One TDFs

◮ G(b, x) has extra parameter: branch b ∈ {0, 1}n.

10 / 15

All-But-One TDFs

◮ G(b, x) has extra parameter: branch b ∈ {0, 1}n. ◮ Generate (G, G−1) with hidden lossy branch ℓ.

10 / 15

All-But-One TDFs

◮ G(b, x) has extra parameter: branch b ∈ {0, 1}n. ◮ Generate (G, G−1) with hidden lossy branch ℓ. G G(0, ·) G(1, ·) · · · G(ℓ, ·) G(ℓ + 1, ·) · · ·

10 / 15

All-But-One TDFs

◮ G(b, x) has extra parameter: branch b ∈ {0, 1}n. ◮ Generate (G, G−1) with hidden lossy branch ℓ. G G(0, ·) G(1, ·) · · · G(ℓ, ·) G(ℓ + 1, ·) · · · ◮ Lossy TDFs ⇔ all-but-one TDFs.

10 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1 Encrypt m y1 = F(x) y2 = G(b , x) c = H(x) ⊕ m

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1 Encrypt m y1 = F(x) y2 = G(b , x) c = H(x) ⊕ m Decrypt y1 y2 c

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1 Encrypt m y1 = F(x) y2 = G(b , x) c = H(x) ⊕ m Decrypt Recover x = F−1(y1). Reencrypt & check. y1 y2 c

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1 Encrypt m y1 = F(x) y2 = G(b , x) c = H(x) ⊕ m Decrypt Recover x = F−1(y1). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) F−1 Challenge m y1 = F(x) y2 = G(ℓ , x) c = H(x) ⊕ m Decrypt Recover x = F−1(y1). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) G−1 Challenge m y1 = F(x) y2 = G(ℓ , x) c = H(x) ⊕ m Decrypt Recover x = G−1(y2). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) G−1 Challenge m y1 = F(x) y2 = G(ℓ , x) c = H(x) ⊕ m Decrypt Recover x = G−1(y2). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) G−1 Challenge m y1 = F(x) y2 = G(ℓ , x) c = H(x) ⊕ m Decrypt Recover x = G−1(y2). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

◮ Challenge ciphertext hides m statistically.

11 / 15

Lossy TDFs ⇒ CCA-Secure Encryption

KeyGen ( F , G , H ) G−1 Challenge m y1 = F(x) y2 = G(ℓ , x) c = H(x) ⊕ m Decrypt Recover x = G−1(y2). Reencrypt & check. y1 y2 c c ⊕ H(x)

• r ⊥

◮ Challenge ciphertext hides m statistically. ◮ (One-time signature for CCA2 security. [DolevDworkNaor])

11 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem.

12 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem. ◮ Encrypted n × n matrix: I for F, 0 for F. F−1 is decryption key.

12 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem. ◮ Encrypted n × n matrix: I for F, 0 for F. F−1 is decryption key. ◮ F(x) computed by “encrypted linear algebra.”

12 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem. ◮ Encrypted n × n matrix: I for F, 0 for F. F−1 is decryption key. ◮ F(x) computed by “encrypted linear algebra.”       1 · · · 1 . . . ... 1            x1 x2 . . . xn      =       x1 x2 . . . xn      

12 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem. ◮ Encrypted n × n matrix: I for F, 0 for F. F−1 is decryption key. ◮ F(x) computed by “encrypted linear algebra.”       · · · . . . ...            x1 x2 . . . xn      =       . . .      

12 / 15

Realizing Lossy TDFs

◮ Use any (additively) homomorphic cryptosystem. ◮ Encrypted n × n matrix: I for F, 0 for F. F−1 is decryption key. ◮ F(x) computed by “encrypted linear algebra.”       · · · . . . ...            x1 x2 . . . xn      =       . . .       ◮ Randomness in each 0 leaks information!

12 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

       0 ; r1 0 ; r1 . . . 0 ; r1       

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

       0 ; r1 0 ; r2 0 ; r1 0 ; r2 . . . 0 ; r1 0 ; r2       

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

       0 ; r1 0 ; r2 · · · 0 ; rn 0 ; r1 0 ; r2 0 ; rn . . . ... 0 ; r1 0 ; r2 0 ; rn       

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

       0 ; r1 0 ; r2 · · · 0 ; rn 0 ; r1 0 ; r2 0 ; rn . . . ... 0 ; r1 0 ; r2 0 ; rn             x1 x2 . . . xn      =        0 ; R 0 ; R . . . 0 ; R       

13 / 15

Realizing Lossy TDFs (Really)

◮ Homomorphic cryptosystem with special properties:

1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

       0 ; r1 0 ; r2 · · · 0 ; rn 0 ; r1 0 ; r2 0 ; rn . . . ... 0 ; r1 0 ; r2 0 ; rn             x1 x2 . . . xn      =        0 ; R 0 ; R . . . 0 ; R        ◮ Just need n > |R| for lossiness.

13 / 15

Concrete Assumptions

1 Decisional Diffie-Hellman (DDH) on cyclic groups

• Additive homomorphism in ElGamal: message in the exponent
• Reusing randomness [NaorReingold,Kurosawa,. . . ]

14 / 15

Concrete Assumptions

1 Decisional Diffie-Hellman (DDH) on cyclic groups

• Additive homomorphism in ElGamal: message in the exponent
• Reusing randomness [NaorReingold,Kurosawa,. . . ]

2 Learning With Errors (LWE) on lattices [Regev]

• Bounded homomorphism
• Reuse most randomness — but not the error terms

14 / 15

Future Directions

◮ Other applications of lossy TDFs (NIZK, PIR, . . . ?)

15 / 15

Future Directions

◮ Other applications of lossy TDFs (NIZK, PIR, . . . ?) ◮ “Natural” trapdoors for lattices [GPV]

15 / 15

Future Directions

◮ Other applications of lossy TDFs (NIZK, PIR, . . . ?) ◮ “Natural” trapdoors for lattices [GPV] ◮ Other indistinguishable properties of “huge” objects?

15 / 15