practical fully secure inner product functional
play

Practical Fully Secure Inner Product Functional Encryption modulo p - PowerPoint PPT Presentation

Apr 19, 2023 •201 likes •1.22k views

Practical Fully Secure Inner Product Functional Encryption modulo p Guilhem Castagnos 1 Fabien Laguillaumie 2 Ida Tucker 2 1 Universit de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France. 2 Univ Lyon, CNRS, Universit Claude Bernard

  1. K surjection where Ker p of order p . Instantiation in class groups of an imaginary quadratic fjeld • 4 a Z b 2 N b represented by a b ; for a Z and 2 b a Z can be written as ideal of h K p p • Implies h C p C p • 13 • K = Q ( √ ∆ K ) , ∆ K < 0 and ∆ K ≡ 1 mod 4 • O ∆ K and O ∆ p s.t. ∆ K = − pq , ∆ p = − qp 3 with p , q primes

  2. Instantiation in class groups of an imaginary quadratic fjeld b 4 a Z b 2 N b represented by a b ; for a Z and 2 a Z can be written as ideal of • 13 • K = Q ( √ ∆ K ) , ∆ K < 0 and ∆ K ≡ 1 mod 4 • O ∆ K and O ∆ p s.t. ∆ K = − pq , ∆ p = − qp 3 with p , q primes • φ p : C ( O ∆ p ) �→ C ( O ∆ K ) surjection where Ker ( φ p ) of order p . • Implies h ( O ∆ p ) = p × h ( O ∆ K )

  3. 2 Instantiation in class groups of an imaginary quadratic fjeld 13 • K = Q ( √ ∆ K ) , ∆ K < 0 and ∆ K ≡ 1 mod 4 • O ∆ K and O ∆ p s.t. ∆ K = − pq , ∆ p = − qp 3 with p , q primes • φ p : C ( O ∆ p ) �→ C ( O ∆ K ) surjection where Ker ( φ p ) of order p . • Implies h ( O ∆ p ) = p × h ( O ∆ K ) √ • a ideal of O ∆ can be written as a = ( a Z + − b + ∆ Z ) and represented by ( a , b ) ; for a ∈ N , b ∈ Z , b 2 ≡ ∆ mod 4 a

  4. K . g p f and G p K 1 p s 1 • g p 1 g • p C p • Set g g of order ps p h Instantiation in class groups of an imaginary quadratic fjeld 14 • To build G p : 2 of order s h Z • g C K • t = ( p 2 , p ) ∈ O ∆ p , set f = [ t ] ⇒ f generates Ker ( φ p ) (subgroup of order p of C ( O ∆ p ) ), and � � � p 2 Z + − L ( m ) p + ∆ p f m = L ( m ) : odd integer in [ − p , p ] s.t. L ( m ) = 1 / m mod p F = < f > cyclic group of order p , and DL easy

  5. g p f and G Instantiation in class groups of an imaginary quadratic fjeld Z of order ps g • Set g g • To build G p : 14 2 • t = ( p 2 , p ) ∈ O ∆ p , set f = [ t ] ⇒ f generates Ker ( φ p ) (subgroup of order p of C ( O ∆ p ) ), and � � � p 2 Z + − L ( m ) p + ∆ p f m = L ( m ) : odd integer in [ − p , p ] s.t. L ( m ) = 1 / m mod p F = < f > cyclic group of order p , and DL easy $ • ˆ ← − C ( O ∆ K ) of order s | h ( O ∆ K ) . • gcd( p , h ( O ∆ K )) = 1 ⇒ gcd( p , s ) = 1 g )) p ∈ C ( O ∆ p ) p (ˆ • g p = ( φ − 1

  6. Instantiation in class groups of an imaginary quadratic fjeld 2 g • To build G p : Z 14 • t = ( p 2 , p ) ∈ O ∆ p , set f = [ t ] ⇒ f generates Ker ( φ p ) (subgroup of order p of C ( O ∆ p ) ), and � � � p 2 Z + − L ( m ) p + ∆ p f m = L ( m ) : odd integer in [ − p , p ] s.t. L ( m ) = 1 / m mod p F = < f > cyclic group of order p , and DL easy $ • ˆ ← − C ( O ∆ K ) of order s | h ( O ∆ K ) . • gcd( p , h ( O ∆ K )) = 1 ⇒ gcd( p , s ) = 1 g )) p ∈ C ( O ∆ p ) p (ˆ • g p = ( φ − 1 • Set g = g p · f and G = < g > of order ps

  7. Security in class groups of an imaginary quadratic fjeld this work secret key 6144 2084 4096 1572 • Security from hardness of class number computation and DL DCR 15 DCR size • Best known algos use index calculus method • Shorter keys! this work problem in C ( O ∆ K ) . ⇒ L ( 1 / 2 ) complexity λ = 112 λ = 128 ( p , ˜ s ) ( 112 , 684 ) ( 1024 , 2046 ) ( 128 , 924 ) ( 1536 , 3070 ) el t of G 112 ( ℓ + 1 ) + 684 2048 ( ℓ + 2 ) 128 ( ℓ + 1 ) + 924 3072 ( ℓ + 2 )

  8. p s.t. g x x p x p folded gaussian distributions with large G standard deviation. and • In practice: G p p and g x Sampling exponents Problem and • Use s to instantiate distributions upper bound s for s K • Bound on h Solution 16 s unknown , so orders of G p and G unknown ⇒ Cannot sample uniformly from G or G p !

  9. Sampling exponents s for s standard deviation. Problem 16 Solution s unknown , so orders of G p and G unknown ⇒ Cannot sample uniformly from G or G p ! • Bound on h ( O ∆ K ) ⇒ upper bound ˜ • Use ˜ s to instantiate distributions D and D p s.t. { g x , x ← ֓ D} ≈ U ( G ) , and { g x p , x ← ֓ D p } ≈ U ( G p ) • In practice: D and D p folded gaussian distributions with large

  10. Linearly Homomorphic Public Key Encryption mod p from HSM

  11. p f m h r C 0 C 1 From C 0 C 1 and sk C 0 C t Homomorphic PKE scheme mod p from HSM p m DL 1 t : Dec g r Ciphertext: KeyGen p Sample randomness r Z p Z Plaintext: m Enc p 17 h = g t Sample t ← ֓ D p and compute sk = t and pk = h

  12. From C 0 C 1 and sk C 0 C t Homomorphic PKE scheme mod p from HSM KeyGen p m DL 1 t : Dec Ciphertext: Enc p 17 h = g t Sample t ← ֓ D p and compute sk = t and pk = h Plaintext: m ∈ Z / p Z Sample randomness r ← ֓ D p p , f m · h r ) ( C 0 , C 1 ) = ( g r

  13. Homomorphic PKE scheme mod p from HSM KeyGen DL 1 Dec Ciphertext: 17 Enc p h = g t Sample t ← ֓ D p and compute sk = t and pk = h Plaintext: m ∈ Z / p Z Sample randomness r ← ֓ D p p , f m · h r ) ( C 0 , C 1 ) = ( g r From ( C 0 , C 1 ) and sk = t : m mod p C 0 / C t

  14. Security This scheme is semantically secure under the HSM assumption. 17

  15. Game 0: the original security experiment p Game 0 is the original security experiment. b pk Adv 18 Challenger Setup sk = t ← ֓ D p pk = h = g t m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p ( C 0 , C 1 ) p , C 1 = f m b ∗ · h r ) ( C 0 , C 1 )= ( g r Output ( b = b ∗ )

  16. 19 p Challenger b pk Adv Game 1: sample t from D sk = t ← ֓ D pk = h = g t m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p ( C 0 , C 1 ) p , C 1 = f m b ∗ · h r ) ( C 0 , C 1 )= ( g r Output ( b = b ∗ ) From A ’s view, Games 0 and 1 are identical.

  17. 20 p Challenger b pk Adv Game 2: use sk to compute ( C 0 , C 1 ) sk = t ← ֓ D pk = h = g t m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p ( C 0 , C 1 ) p , f m b ∗ · C t ( C 0 , C 1 )= ( g r 0 ) Output ( b = b ∗ ) From A ’s view, Games 1 and 2 are identical.

  18. p f u f m b u t h r C 0 C 1 21 reveals m b s and u p g r u t Adv s fjxes t p p pk b Challenger fjxes r Game 3: compute C 0 ∈ G \ G p sk = t ← ֓ D pk = h = g t m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p and u ← ֓ Z / p Z ( C 0 , C 1 ) p · f u , f m b ∗ · C t ( C 0 , C 1 ) = ( g r 0 ) Output ( b = b ∗ ) Games 2 and 3 are undistinguishable to A under the HSM assumption.

  19. p f u f m b u t h r C 0 C 1 21 Adv b pk p u t reveals m b g r p s and u fjxes r p Challenger Game 3: compute C 0 ∈ G \ G p sk = t ← ֓ D pk = h = g t fjxes t mod s m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p and u ← ֓ Z / p Z ( C 0 , C 1 ) p · f u , f m b ∗ · C t ( C 0 , C 1 ) = ( g r 0 ) Output ( b = b ∗ ) Games 2 and 3 are undistinguishable to A under the HSM assumption.

  20. p f u f m b u t h r C 0 C 1 21 Adv Challenger b pk p p u t reveals m b g r Game 3: compute C 0 ∈ G \ G p sk = t ← ֓ D pk = h = g t fjxes t mod s m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p and u ← ֓ Z / p Z fjxes r mod s and u mod p ( C 0 , C 1 ) p · f u , f m b ∗ · C t ( C 0 , C 1 ) = ( g r 0 ) Output ( b = b ∗ ) Games 2 and 3 are undistinguishable to A under the HSM assumption.

  21. p f u f m b C 0 C 1 21 b pk 0 C t Adv g r p Challenger Game 3: compute C 0 ∈ G \ G p sk = t ← ֓ D pk = h = g t fjxes t mod s m 0 , m 1 $ b ∗ ← − { 0 , 1 } r ← ֓ D p and u ← ֓ Z / p Z fjxes r mod s and u mod p ( C 0 , C 1 ) p · f u , f m b ∗ + u · t · h r ) ( C 0 , C 1 )= ( g r reveals m b ∗ + u · t mod p Output ( b = b ∗ ) Games 2 and 3 are undistinguishable to A under the HSM assumption.

  22. Inner Product Functional Encryption mod p from HSM

  23. f y 1 f y p C 1 Dec From C x and sk x : KeyDer h r 1 C h r IPFE scheme mod p from HSM (simplifjed) Input: x x Z p Z Output key: sk x t x x y mod p x 1 g r Setup y 1 compute C 0 Plaintext: y Enc y Z p Z Sample randomness r Ciphertext: C 22 Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ )

  24. Dec From C x and sk x : IPFE scheme mod p from HSM (simplifjed) Ciphertext: x y mod p t x Output key: sk x Z p Z x x 1 Input: x KeyDer Setup 22 Sample randomness r Enc compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ )

  25. Dec From C x and sk x : IPFE scheme mod p from HSM (simplifjed) Enc x y mod p KeyDer Setup Ciphertext: Sample randomness r 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk �

  26. IPFE scheme mod p from HSM (simplifjed) Enc KeyDer Setup Ciphertext: Sample randomness r 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � Dec From � C ,� x and sk � x : � � x ,� y � mod p

  27. IPFE scheme mod p from HSM (simplifjed) Enc i KeyDer Setup Ciphertext: Sample randomness r 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � Dec From � � ℓ C ,� x and sk � i = 1 C x i x : � � x ,� y � mod p

  28. IPFE scheme mod p from HSM (simplifjed) Enc Setup Ciphertext: Sample randomness r KeyDer 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � Dec From � � ℓ i = � ( f y i · h r C ,� i ) x i x and sk � i = 1 C x i x : � � x ,� y � mod p

  29. IPFE scheme mod p from HSM (simplifjed) Enc p Setup Ciphertext: Sample randomness r KeyDer 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � Dec From � � ℓ � y i x i · g r · � t i x i C ,� i = f x and sk � i = 1 C x i x : � � x ,� y � mod p

  30. IPFE scheme mod p from HSM (simplifjed) Enc p Setup KeyDer Ciphertext: Sample randomness r 22 compute Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � � Dec From � � ℓ x � · g r ·� t ,� x � C ,� i = f � � y ,� x and sk � i = 1 C x i x : � � x ,� y � mod p

  31. IPFE scheme mod p from HSM (simplifjed) Sample randomness r p 0 x C sk and p Setup KeyDer Ciphertext: 22 compute Enc Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � � � Dec From � � ℓ x � · g r ·� t ,� t ,� x � = g r ·� x � C ,� i = f � � y ,� � x and sk � i = 1 C x i x : � � x ,� y � mod p

  32. IPFE scheme mod p from HSM (simplifjed) KeyDer DL 0 x Such that: p 0 x C sk and p Setup 22 Sample randomness r compute Ciphertext: Enc Sample � t = ( t 1 , . . . , t ℓ ) h i = g t i p for i = 1 , . . . , ℓ msk = � t and mpk = ( h 1 , . . . , h ℓ ) y = ( y 1 , . . . , y ℓ ) ∈ ( Z / p Z ) ℓ Plaintext: � � p , C 1 = f y 1 · h r 1 , . . . , C ℓ = f y ℓ · h r C = ( C 0 = g r ℓ ) Input: � x = ( x 1 , . . . , x ℓ ) ∈ ( Z / p Z ) ℓ x = � � t ,� x � Output key: sk � � � Dec From � � ℓ x � · g r ·� t ,� t ,� x � = g r ·� x � C ,� i = f � � y ,� � x and sk � i = 1 C x i x : � ℓ = f � � x ,� � � x ,� y � y � mod p i / C sk � i = 1 C x i

  33. Security This scheme is secure under the HSM assumption. 22

  34. p f u C 1 f y b f y b f y b f y b p C 1 • Game 1 use secret key to compute challenge ciphertext • Game 2 indistinguishable from Game 1 under the HSM ’s view b is statistically hidden , given • the challenge ciphertext 1 C t 1 0 C 0 C t • the public key • key derivation queries assumption. In Game 2, from Proof technique g r 23 C t 1 C C 0 g r C 0 1 0 C C t 0 C � p , C 1 = f y b ∗ , 1 · h r 1 , . . . , C ℓ = f y b ∗ ,ℓ · h r C = ( C 0 = g r ℓ ) • Game 0 original security game

  35. p f u C 1 f y b f y b f y b f y b p C 1 • Game 2 indistinguishable from Game 1 under the HSM ’s view b is statistically hidden , given • the challenge ciphertext • the public key In Game 2, from assumption. • key derivation queries 0 C t C 0 C t 1 1 Proof technique g r C h r C 0 g r 1 h r 1 C 23 C 0 C � p , C 1 = f y b ∗ , 1 · C t 1 0 , . . . , C ℓ = f y b ∗ ,ℓ · C t ℓ C = ( C 0 = g r 0 ) • Game 0 original security game • Game 1 use secret key to compute challenge ciphertext

  36. f y b f y b f y b f y b p C 1 p C 1 ’s view b is statistically hidden , given C C t 0 Proof technique assumption. C • the public key • the challenge ciphertext • key derivation queries In Game 2, from 0 C t 1 1 C 0 g r 1 h r 1 C 23 C h r C 0 g r � p f u , C 1 = f y b ∗ , 1 · C t 1 0 , . . . , C ℓ = f y b ∗ ,ℓ · C t ℓ C = ( C 0 = g r 0 ) • Game 0 original security game • Game 1 use secret key to compute challenge ciphertext • Game 2 indistinguishable from Game 1 under the HSM

  37. f y b f y b f y b f y b p C 1 p C 1 Proof technique • key derivation queries • the challenge ciphertext • the public key assumption. 0 C t C C C t 1 0 1 g r C 0 g r 1 h r 23 C 1 h r C C 0 � p f u , C 1 = f y b ∗ , 1 · C t 1 0 , . . . , C ℓ = f y b ∗ ,ℓ · C t ℓ C = ( C 0 = g r 0 ) • Game 0 original security game • Game 1 use secret key to compute challenge ciphertext • Game 2 indistinguishable from Game 1 under the HSM In Game 2, from A ’s view b ∗ is statistically hidden , given

  38. Effjciency comparison 40ms 964ms 193ms 301ms 110ms Dec time 85ms 78ms 27ms Enc time 36876 2340 24592 1920 [ALS16] this work [ALS16] this work 24 λ = 112 , ℓ = 10 λ = 128 , ℓ = 10 sk F bitsize Dependency in ℓ is linear.

  39. Last slide! Conclusion • Most effjcient IPFE schemes to date • First IPFE mod a prime that recover the result whatever its size. • Interesting framework, can be applied to other primitives. Ongoing work • Chosen Ciphertext Attack Secure schemes • Threshold ECDSA using our underlying framework 25

  40. Questions? 25

  41. M. Abdalla, F. Bourse, A. D. Caro, and D. Pointcheval. CCA-secure inner-product functional encryption from projective April 2015. In CT-RSA 2015 , LNCS 9048, pages 487–505. Springer, Heidelberg, Linearly homomorphic encryption from DDH . G. Castagnos and F. Laguillaumie. 2011. In TCC 2011 , LNCS 6597, pages 253–273. Springer, Heidelberg, March Functional encryption: Defjnitions and challenges. D. Boneh, A. Sahai, and B. Waters. March 2017. In PKC 2017, Part II , LNCS 10175, pages 36–66. Springer, Heidelberg, hash functions. F. Benhamouda, F. Bourse, and H. Lipmaa. Better security for functional encryption for inner product Heidelberg, August 2016. In CRYPTO 2016, Part III , LNCS 9816, pages 333–362. Springer, standard assumptions. Fully secure functional encryption for inner products, from S. Agrawal, B. Libert, and D. Stehlé. March / April 2015. In PKC 2015 , LNCS 9020, pages 733–751. Springer, Heidelberg, Simple functional encryption schemes for inner products. M. Abdalla, F. Bourse, A. De Caro, and D. Pointcheval. http://eprint.iacr.org/2016/011 . Cryptology ePrint Archive, Report 2016/011, 2016. evaluations. 26

  42. p with proba p p with proba p p with proba p (1) u , folded gaussian, (almost) uniform mod s p u t perfectly masks m b mod p 27 (1) u 0 1 p 1 (2) t sampled from and s , folded gaussian, (almost) uniform mod s p Distribution of t (almost) uniform mod p and mod s and t p independent of t s Where: Distribution of t (almost) uniform mod p and mod s p independent of t (1) u Where: 0 1 p 1 Where: 0 and t 1 p 1 and (2) t sampled from Information A gets on b ∗ in PKE m b ∗ + u · t mod p

  43. p with proba p p with proba p , folded gaussian, (almost) uniform mod s p u t perfectly masks m b mod p and 0 1 p 1 27 Where: (2) t sampled from , folded gaussian, (almost) uniform mod s p Distribution of t (almost) uniform mod p and mod s and t p independent of t s (1) u p independent of t s 0 Where: p Where: (1) u 1 p 1 and (2) t sampled from Distribution of t (almost) uniform mod p and mod s and t Information A gets on b ∗ in PKE m b ∗ + u · t mod p (1) u � = 0 mod p with proba p − 1 ≈ 1

  44. p with proba p p with proba p (1) u u t perfectly masks m b mod p 27 and 0 1 p 1 , folded gaussian, (almost) uniform mod s p (2) t sampled from Where: Distribution of t (almost) uniform mod p and mod s and t p independent of t s (1) u p independent of t s and t Distribution of t (almost) uniform mod p and mod s and p Where: 1 p 1 0 Where: Information A gets on b ∗ in PKE m b ∗ + u · t mod p (1) u � = 0 mod p with proba p − 1 ≈ 1 (2) t sampled from D , folded gaussian, (almost) uniform mod s · p

  45. p with proba p p with proba p (1) u u t perfectly masks m b mod p 27 and t (2) t sampled from and 1 p 1 0 (1) u Where: and Distribution of t (almost) uniform mod p and mod s p independent of t Distribution of t (almost) uniform mod p and mod s s p Where: 1 p 1 0 Where: , folded gaussian, (almost) uniform mod s p Information A gets on b ∗ in PKE m b ∗ + u · t mod p (1) u � = 0 mod p with proba p − 1 ≈ 1 (2) t sampled from D , folded gaussian, (almost) uniform mod s · p and ( t mod p ) independent of ( t mod s )

  46. p with proba p p with proba p (1) u , folded gaussian, (almost) uniform mod s p 27 (2) t sampled from Distribution of t (almost) uniform mod p and mod s and p Where: s p independent of t and t Distribution of t (almost) uniform mod p and mod s and 1 0 p 1 0 (1) u Where: 1 p Where: 1 Information A gets on b ∗ in PKE m b ∗ + u · t mod p (1) u � = 0 mod p with proba p − 1 ≈ 1 (2) t sampled from D , folded gaussian, (almost) uniform mod s · p and ( t mod p ) independent of ( t mod s ) u · t perfectly masks m b ∗ mod p

  47. Game 0: the original security experiment KeyDer Game 0 is the original security experiment. b y 1 mpk 28 t Setup Oracle Adv Challenger msk = � � x 1 ,� x 2 . . . mpk = ( h 1 , . . . , h ℓ ) x 1 , sk � x 2 . . . sk � � y 0 ,� $ b ∗ ← − { 0 , 1 } r ← ֓ D p C ∗ = ( C 0 = g r � p , C 1 = f y 1 · h r 1 , � C ∗ � x i ,� x i + 1 . . . . . . , C ℓ = f y ℓ · h r ℓ ) x i , sk � x i + 1 . . . sk � Output ( b = b ∗ )

  48. 29 p KeyDer Oracle Adv Challenger b t y 1 mpk Game 1: use msk to compute � C ∗ msk = � � x 1 ,� x 2 . . . mpk = ( h 1 , . . . , h ℓ ) h i = g t i x 1 , sk � x 2 . . . sk � � y 0 ,� $ b ∗ ← − { 0 , 1 } r ← ֓ D p C ∗ = ( C 0 = g r � p , C 1 = f y 1 · C t 1 0 , � C ∗ � x i ,� x i + 1 . . . . . . , C ℓ = f y ℓ · C t ℓ 0 ) x i , sk � x i + 1 . . . sk � Output ( b = b ∗ ) From A ’s view, Games 0 and 1 are identical.

  49. 30 KeyDer Oracle Adv Challenger b t y 1 mpk p Game 2: compute C 0 ∈ G \ G p msk = � � x 1 ,� x 2 . . . mpk = ( h 1 , . . . , h ℓ ) h i = g t i x 1 , sk � x 2 . . . sk � � y 0 ,� $ b ∗ ← − { 0 , 1 } r ← ֓ D p and u ← ֓ Z / p Z C ∗ = ( C 0 = g r p · f u , C 1 = f y 1 · C t 1 � 0 , � C ∗ � x i ,� x i + 1 . . . . . . , C ℓ = f y ℓ · C t ℓ 0 ) x i , sk � x i + 1 . . . sk � Output ( b = b ∗ ) Games 1 and 2 are undistinguishable to A under the HSM assumption.

  50. Leaked Information in Game 2 • the public key • the challenge ciphertext • key derivation queries 31 We consider the information leaked on b ∗ by:

  51. Information fjxed by public key p Fixes t 1 t mod s t 1 t mod p is still uniformly distributed to . 32 mpk = { h i = g t i mod s } i ∈ [ ℓ ]

  52. Information fjxed by public key p Fixes t 1 t mod p is still uniformly distributed to . 32 mpk = { h i = g t i mod s } i ∈ [ ℓ ] ( t 1 , . . . , t ℓ ) mod s

  53. Information fjxed by public key p Fixes 32 mpk = { h i = g t i mod s } i ∈ [ ℓ ] ( t 1 , . . . , t ℓ ) mod s ( t 1 , . . . , t ℓ ) mod p is still uniformly distributed to A .

  54. g r t i f y b u t i Information fjxed by challenge ciphertext ut mod p y b Fixes p i p s C i Reveals 33 C ∗ = ( C 0 = g r � p · f u , { C i = f y b ∗ , i · C 0 t i } i ∈ [ ℓ ] )

  55. Information fjxed by challenge ciphertext Reveals p Fixes y b ut mod p 33 C ∗ = ( C 0 = g r � p · f u , { C i = f y b ∗ , i · C 0 t i } i ∈ [ ℓ ] ) C i = g r · t i mod s · f y b ∗ , i + u · t i mod p

  56. Information fjxed by challenge ciphertext Reveals p Fixes 33 C ∗ = ( C 0 = g r � p · f u , { C i = f y b ∗ , i · C 0 t i } i ∈ [ ℓ ] ) C i = g r · t i mod s · f y b ∗ , i + u · t i mod p y b ∗ + u � � t mod p

  57. Reveals all the information on t for directions Information fjxed by key derivation oracle y 1 Remaining entropy on t contained in t y 0 x i t y 0 y 1 y 1 . to y 0 34 For � x such that � � x ,� y 0 � = � � x ,� y 1 � mod p : x = � � t ,� x � mod p sk �

  58. Information fjxed by key derivation oracle y 1 . y 1 Remaining entropy on t contained in t y 0 x i t y 0 34 For � x such that � � x ,� y 0 � = � � x ,� y 1 � mod p : x = � � t ,� x � mod p sk � Reveals all the information on � t for directions ⊥ to � y 0 − � � y 1 − � � �

  59. Information fjxed by key derivation oracle y 1 . x i t y 0 34 For � x such that � � x ,� y 0 � = � � x ,� y 1 � mod p : x = � � t ,� x � mod p sk � Reveals all the information on � t for directions ⊥ to � y 0 − � � y 1 − � � � Remaining entropy on � t contained in � � t , � y 0 − � y 1 �

  60. u t y 0 y 1 mod p 35 y 0 negl 1 2 cannot guess b with proba y 1 y b The information on b is contained in: ut mod p y b The ciphertext reveals: A ’s success probability From A ’s view, � � t ,� y 0 − � y 1 � follows a distribution ≈ U ( Z / p Z ) .

  61. u t y 0 y 1 mod p 35 y b negl 1 2 cannot guess b with proba y 1 y 0 The information on b is contained in: The ciphertext reveals: A ’s success probability From A ’s view, � � t ,� y 0 − � y 1 � follows a distribution ≈ U ( Z / p Z ) . y b ∗ + u � � t mod p

  62. 35 The ciphertext reveals: negl 1 2 cannot guess b with proba A ’s success probability From A ’s view, � � t ,� y 0 − � y 1 � follows a distribution ≈ U ( Z / p Z ) . y b ∗ + u � � t mod p The information on b ∗ is contained in: y 1 � + u � � � � y b ∗ ,� y 0 − � t ,� y 0 − � y 1 � mod p

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Fully Secure Inner Product Functional Encryption modulo p Guilhem Castagnos 1 Fabien

Practical Fully Secure Inner Product Functional Encryption modulo p Guilhem Castagnos 1 Fabien

Practical Fully Secure Inner Product Functional Encryption modulo p Guilhem Castagnos 1 Fabien Laguillaumie 2 Ida Tucker 2 1 Universit de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France. 2 Univ Lyon, CNRS, Universit Claude Bernard

1.12k views • 59 slides
Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents Introduction Functional Encryption Security definitions Notations The Power of Inner Products Descriptive statistics Machine Learning Practical

930 views • 65 slides
Who tells you that your secure product is actually secure?

Who tells you that your secure product is actually secure?

Who tells you that your secure product is actually secure? Think about the 6me it stays on the field It went through a security evalua6on

866 views • 28 slides
ACOS6S Secure Access Module Card (SAM) www.acs.com.hk 1. Product Overview 2. Product Features

ACOS6S Secure Access Module Card (SAM) www.acs.com.hk 1. Product Overview 2. Product Features

ACOS6S Secure Access Module Card (SAM) www.acs.com.hk 1. Product Overview 2. Product Features 3. Comparison Charts 4. Product Applications 5. Sample Application 6. Related Products 7. Q &amp; A 2 ACOS6S-B (32 KB E E PROM) Secure

479 views • 18 slides
An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

Brownian FBSDEs as functional differential equations Fully coupled forwardbackward stochastic dynamics Existence and uniqueness of solutions Related discretization algorithms for Brownian FBSDEs An approach to fully coupled FBSDEs via

760 views • 44 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Developing an RPN Calculator ...on what was once a fully functional financial calculator Dimitri

Developing an RPN Calculator ...on what was once a fully functional financial calculator Dimitri

Developing an RPN Calculator ...on what was once a fully functional financial calculator Dimitri Dyatlov, Nick Duckwiler, Kevin Roark ENGI E1112 Professor Edwards Overview Concept Platform Methods Goals Lab 1-Scrolling Lab

366 views • 8 slides
Getting Started with The Azure Data Platform How to Set Up a Fully-Functional Azure Data &amp;

Getting Started with The Azure Data Platform How to Set Up a Fully-Functional Azure Data &amp;

Getting Started with The Azure Data Platform How to Set Up a Fully-Functional Azure Data &amp; Analytics Environment in Just 30-Days 10/21/2020 CONFI DENTI AL | 2020 | 1 Todays Presenter Rob Carek Director, Global Solution Development

349 views • 31 slides
Practical Pain Relief Joshua Graner M.S., L.Ac (Functional and Integrative Pain Specialist) Who

Practical Pain Relief Joshua Graner M.S., L.Ac (Functional and Integrative Pain Specialist) Who

Practical Pain Relief Joshua Graner M.S., L.Ac (Functional and Integrative Pain Specialist) Who am I? Ive always been interested in helping superheroes Why Study Pain? 20 years of chronic neck pain and headaches What is A Functional and

566 views • 27 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
A Professionals Guide to an Economical, Secure, and Functional Computing Environment Florin

A Professionals Guide to an Economical, Secure, and Functional Computing Environment Florin

A Professionals Guide to an Economical, Secure, and Functional Computing Environment Florin B. Manolache florin@andrew.cmu.edu Carnegie Mellon University Pittsburgh, Pennsylvania, USA RoEduNet Second International Conference 2003

611 views • 21 slides
Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David Pointcheval Ecole Normale Sup erieure INRIA June 6, 2019 Table of Contents Background Functional Encryption ABDP Applications of Inner

970 views • 51 slides
Hudson Bay Mining and Smelting Co., Limited (HBMS) has operated a fully-functional mine and base

Hudson Bay Mining and Smelting Co., Limited (HBMS) has operated a fully-functional mine and base

Hudson Bay Mining and Smelting Co., Limited (HBMS) has operated a fully-functional mine and base metal smelting complex in Flin Flon, Manitoba, since the 1930s. Mining and smelting activities have gradually led to a build-up of naturally

591 views • 25 slides
PRODUCT NUMBER: C6K CANNON 6K Product Number: C6K FASTER Two pullers in one 3K / 6K with a

PRODUCT NUMBER: C6K CANNON 6K Product Number: C6K FASTER Two pullers in one 3K / 6K with a

PRODUCT NUMBER: C6K CANNON 6K Product Number: C6K FASTER Two pullers in one 3K / 6K with a 6,000 lb. pulling capacity SAFER No anchoring required. SMARTER Fully collapsible for easy storage and mobility. CANNON 6K Product Number: C6K

615 views • 7 slides
Developing Skill-Based Interventions Following Practical Functional Assessments of Problem

Developing Skill-Based Interventions Following Practical Functional Assessments of Problem

Developing Skill-Based Interventions Following Practical Functional Assessments of Problem Behavior Joshua Jessel PhD, BCBA-D National Autism Conference Workshop 7/31/2017 Aut Autism sm is is cha haracterized by 1. Impairments in

1.47k views • 99 slides
Welcome to The Inner Workings of Forntites shaders. We are going to talk about some of the

Welcome to The Inner Workings of Forntites shaders. We are going to talk about some of the

Welcome to The Inner Workings of Forntites shaders. We are going to talk about some of the challenges we faced on Fortnite and vertex shaders provided efficient solutions due to their unique capabilities. 1 My name is Jonathan Lindquist and

763 views • 62 slides
An invitation to inner model theory Grigor Sargsyan Department of Mathematics, UCLA 03.25.2011

An invitation to inner model theory Grigor Sargsyan Department of Mathematics, UCLA 03.25.2011

An invitation to inner model theory An invitation to inner model theory Grigor Sargsyan Department of Mathematics, UCLA 03.25.2011 Young Set Theory Meeting An invitation to inner model theory Grigor Sargsyan An invitation to inner model

1.24k views • 90 slides
The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #16 e #16

The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #16 e #16

The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #16 e #16 Computational Game Theory Computational Game Theory UC Berkeley EECS UC Berkeley EECS Sr Lecturer SOE Sr Lectur er SOE Midterm tonight @ 8-10pm in

558 views • 18 slides
A Non-Prenex, Non-Clausal QBF Solver with Game-State Learning Will Klieber , Samir Sapra, Sicun

A Non-Prenex, Non-Clausal QBF Solver with Game-State Learning Will Klieber , Samir Sapra, Sicun

A Non-Prenex, Non-Clausal QBF Solver with Game-State Learning Will Klieber , Samir Sapra, Sicun Gao, Edmund Clarke Carnegie Mellon University July 13, 2010 1/19 Preview Non-prenex, non-clausal QBF solver (DPLL-based). Game-state

389 views • 35 slides
Data Structures in Java Session 24 Instructor: Bert Huang

Data Structures in Java Session 24 Instructor: Bert Huang

Data Structures in Java Session 24 Instructor: Bert Huang http://www.cs.columbia.edu/~bert/courses/3134 Announcements Homework 6 due Dec. 10, last day of class Final exam Thursday, Dec. 17 th , 4-7 PM, Hamilton 602 (this room) same

690 views • 67 slides
The interplay between inner model theory and descriptive set theory in a nutshell Sandra M

The interplay between inner model theory and descriptive set theory in a nutshell Sandra M

The interplay between inner model theory and descriptive set theory in a nutshell Sandra M uller Universit at Wien June 2019 Logic Fest in the Windy City Sandra M uller (Universit at Wien) Inner model theory and determinacy June

1.01k views • 82 slides
Housekeeping Aims To enable participants to understand what coaching is To establish the

Housekeeping Aims To enable participants to understand what coaching is To establish the

Essentials of Leadership and Management Programme Coaching Skills Workshop 27 th February 2019 Helen Campbell People Development Advisor Housekeeping Aims To enable participants to understand what coaching is To establish the benefits

710 views • 48 slides
Game Graphics &amp; Real-time Rendering CMPM 163, W2018 Prof. Angus Forbes (instructor)

Game Graphics &amp; Real-time Rendering CMPM 163, W2018 Prof. Angus Forbes (instructor)

Game Graphics &amp; Real-time Rendering CMPM 163, W2018 Prof. Angus Forbes (instructor) angus@ucsc.edu Lucas Ferreira (TA) lferreira@ucsc.edu creativecoding.soe.ucsc.edu/courses/cmpm163 github.com/CreativeCodingLab Last week Homework #2

439 views • 27 slides

More recommend