SLIDE 1
On the Circular Security
Ron Rothblum, Weizmann Institute
SLIDE 2
Circular Security
SLIDE 3
Circular Security
Q: Is it in general safe to encrypt your own key?
A: For some schemes (e.g. [BHHO08, ACPS09]) yes, but in general, no!
SLIDE 4
Circular Security
SLIDE 5
Public Key Example
SLIDE 6
Circular Security of Bit Encryption
Since the general case is false, focus on the interesting special case of bit-encryption. Why bit-encryption?
1. Most candidate FHE schemes are bit-encryption schemes whose semantic security relies on their circular security (which is not understood).
2. It seems the most natural way to foil the previous counterexample and get circular security for “free”.
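Added example (not from the talk, not the author's code): a toy version of the standard textbook counterexample, assumed here to be the kind of construction slides 3 and 6 refer to. ElGamal is given one planted branch that outputs the message in the clear whenever the message is a secret key for the public key; the parameters, the bit encoding (b + 1) and all function names are constructed for this illustration.

```python
import secrets

# Toy parameters, constructed for this example (not secure sizes).
P = 2**127 - 1          # Mersenne prime; arithmetic is in Z_P^*
G = 3

def keygen():
    while True:
        sk = secrets.randbelow(P - 3) + 2          # sk in [2, P-2]
        pk = pow(G, sk, P)
        if pk not in (G, G * G % P):               # encoded bits (1, 2) can never match pk
            return pk, sk

def enc(pk, m):
    """ElGamal on m in [1, P-1], plus one planted branch."""
    if pow(G, m, P) == pk:                         # anyone can test "is m a key for pk?"
        return ("leak", m)                         # if so, m goes out in the clear
    r = secrets.randbelow(P - 2) + 1
    return ("ct", pow(G, r, P), m * pow(pk, r, P) % P)

def dec(sk, c):
    if c[0] == "leak":
        return c[1]
    _, c1, c2 = c
    return c2 * pow(c1, -sk, P) % P                # c2 / c1^sk mod P

def encrypt_key_whole(pk, sk):
    """Key cycle of length 1: Enc_pk(sk) as a single message."""
    return enc(pk, sk)

def encrypt_key_bitwise(pk, sk):
    """Same cycle, one bit per ciphertext; bit b is encoded as the message b + 1."""
    return [enc(pk, 1 + ((sk >> i) & 1)) for i in range(sk.bit_length())]

def recover_key(sk, cts):
    """Legitimate decryption of the bitwise encryption, for a round-trip check."""
    return sum((dec(sk, ct) - 1) << i for i, ct in enumerate(cts))

if __name__ == "__main__":
    pk, sk = keygen()
    print("whole key :", encrypt_key_whole(pk, sk)[0])      # leak
    tags = {ct[0] for ct in encrypt_key_bitwise(pk, sk)}
    print("bit by bit:", tags)                               # {'ct'}
```

The planted branch does not hurt semantic security, because an adversary who can submit a message that triggers it already holds a key; it only fires when the key itself is encrypted. Encrypting the key bit by bit never triggers it, which is the "free" fix the slide mentions, and the talk's first result is that this intuition does not amount to a proof.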
SLIDE 7
Bit-Encryption Conjecture
Conjecture [Folklore]: Every semantically-secure bit-encryption scheme is circular secure.
The focus of this work is showing obstacles to proving the conjecture.
SLIDE 8
Our Results
1. A scheme that is circular insecure but is semantically secure based on multilinear maps.
2. Cannot prove the conjecture via a blackbox reduction.
3. Equivalence of different security notions for circular security of bit-encryption.
SLIDE 9
Our Results
1. A scheme that is circular insecure but is semantically secure based on multilinear maps.
2. Cannot prove the conjecture via a blackbox reduction.
3. Equivalence of different security notions for circular security of bit-encryption.
SLIDE 10
Our Assumption
An extension of an assumption made on groups with bilinear maps to groups with multilinear maps.
SLIDE 11
Multilinear Maps
SLIDE 12
Multilinear Maps
Trivial multilinear maps exist unconditionally, but for crypto we need computational problems such as discrete-log to be hard.
Do there exist multilinear groups on which discrete-log (and friends) are hard? [BS03]
SLIDE 13
(Silly) Example
SLIDE 14
SXDH Assumption [BGMM05, ACHM05]
SLIDE 15
SLIDE 16
Theorem
SLIDE 17
El-Gamal Variant
Key Generation:
Decrypt(c,d):
SLIDE 18
Our Scheme
Key Generation:
SLIDE 19
Our Scheme
Key Generation:
SLIDE 20
Circular Security Attack
SLIDE 21
Circular Security Attack
SLIDE 22
Circular Security Attack
SLIDE 23
Circular Security Attack
SLIDE 24
Circular Security Attack
With overwhelming probability
SLIDE 25
Our Results
1. A scheme that is circular insecure but is semantically secure based on multilinear maps.
2. Cannot prove the conjecture via a blackbox reduction.
3. Equivalence of different security notions for circular security of bit-encryption.
SLIDE 26
Blackbox Impossibility Result
There is no blackbox reduction from the circular security of a bit-encryption scheme to the semantic security (or even CCA security) of the same scheme.
The reduction has blackbox access to both the encryption scheme and the adversary.
The result is incomparable to the [HH09] KDM blackbox separation.
SLIDE 27
[HH09] KDM Blackbox Impossibility
SLIDE 28
A Blackbox Reduction
(Diagram; labels: Encryption Scheme, Circular Security Adversary, Challenger, Reduction (Semantic Security Adversary))
SLIDE 29
Our Results
1. A scheme that is circular insecure but is semantically secure based on multilinear maps.
2. Cannot prove the conjecture via a blackbox reduction.
3. Equivalence of different security notions for circular security of bit-encryption.
SLIDE 30
Circular Security Definitions
SLIDE 31
Equivalence Result
SLIDE 32
Open Problems
SLIDE 33
Thank you!