Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting - Zvika Brakerski and Gil Segev - PowerPoint presentation



SLIDE 1

Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting

Zvika Brakerski
Weizmann Institute

Gil Segev
Microsoft Research Silicon Valley

SLIDE 2

Probabilistic Encryption

$\mathrm{Enc}_{pk}(m)$

Semantic Security [GM82]:

No adversary can learn any meaningful information on $m$

Encryption algorithm must be randomized

SLIDE 3

Deterministic Encryption

Efficiency: short ciphertexts

 Each $pk$ may even define a permutation

Functionality: searchable encryption

 Each $pk$ defines a one-to-one mapping
 Easy to check whether $c$ encrypts $m$ relative to $pk$

SLIDE 4

What About Security?

Inherent limitation:

 Each $pk$ defines a one-to-one mapping
 Easy to check whether $c$ encrypts $m$ relative to $pk$

Security for high-entropy messages [BBO07]

 Inspired by [RW02, DS05] in the symmetric-key setting
 Exciting line of research [BFO08, BFOR08, BBNRSSY09, O'N10, …]
 Meaningful for various applications (e.g., key encapsulation):

$\mathrm{Enc}_{pk}(key),\ \mathrm{AES}_{key}(0),\ \mathrm{AES}_{key}(1),\ \ldots$

SLIDE 5

Notion of Security ([BBO07] simplified)

Figure: $m \leftarrow \mathcal{M}$, a high-entropy message source. The adversary $\mathcal{A}$ receives $pk$ and $\mathrm{Enc}_{pk}(m)$; the simulator $\mathcal{S}$ receives no input. Security requires that whatever $\mathcal{A}$ learns about $m$, $\mathcal{S}$ can learn as well.

SLIDE 6

The Auxiliary-Input Setting

Encryption as a building block of a larger system

 Additional information is available: $\mathrm{Enc}_{pk}(key),\ \mathrm{AES}_{key}(0),\ \mathrm{AES}_{key}(1),\ \ldots$
 Does $key$ have any entropy given $(\mathrm{AES}_{key}(0), \mathrm{AES}_{key}(1), \ldots)$?
 No security guarantees from current models and schemes (noticed already by [DS05, BBO07])

SLIDE 7

This Talk: Better Security

Model

 Deterministic encryption in the auxiliary-input setting
 Hard-to-invert auxiliary inputs
   Generalizes the high-entropy setting

Constructions

 Security w.r.t. all auxiliary inputs that are sub-exponentially hard
 Based on standard hardness assumptions
   $d$-Linear for any $d \ge 1$ (Decisional Diffie-Hellman, …)
   Subgroup indistinguishability [BG10] (Quadratic Residuosity, Composite Residuosity, …)

SLIDE 8

Outline

 Hard-to-invert auxiliary inputs
 Security in the auxiliary-input setting
 Construction based on $d$-Linear

SLIDE 9

Hard-to-Invert Auxiliary Inputs

Definition

A function $f$ is $\epsilon$-hard-to-invert relative to $\mathcal{X}$ if for any efficient algorithm $A$ it holds that

$$\Pr_{x \leftarrow \mathcal{X}}\left[\, A(f(x)) = x \,\right] \le \epsilon$$

 $A$ is required to output the exact same $x$ (and not any $x' \in f^{-1}(f(x))$ as with one-wayness)
 The source of hardness may be any combination of:
   Information-theoretic hardness ($f$ has many collisions)
   Computational hardness ($f$ is injective)

Example: $f(key) = (\mathrm{AES}_{key}(0), \mathrm{AES}_{key}(1), \ldots)$

SLIDE 10

Our Notion of Security (simplified)

Figure: $m \leftarrow \mathcal{M}$, where $f$ is hard-to-invert relative to $\mathcal{M}$. The adversary $\mathcal{A}$ receives $pk$, $\mathrm{Enc}_{pk}(m)$ and the auxiliary input $f(m)$; the simulator $\mathcal{S}$ receives only $f(m)$. As on the previous notion, whatever $\mathcal{A}$ learns about $m$, $\mathcal{S}$ must be able to learn as well.

SLIDE 11

Construction Based on $d$-Linear

 Based on the lossy trapdoor function of [FGKRS10]

Key generation

 $\mathbb{G}$ - group of order $p$ generated by $g$
 Sample $A \leftarrow \mathbb{Z}_p^{n \times n}$
 Output $sk = A^{-1}$ and $pk = g^{A} \in \mathbb{G}^{n \times n}$, where $(g^{A})_{ij} = g^{a_{ij}}$

Encryption

 Given $m \in \{0,1\}^n$ output $g^{Am} \in \mathbb{G}^n$, where
 $$(g^{Am})_i = g^{\sum_j a_{ij} m_j} = \prod_j \left((g^{A})_{ij}\right)^{m_j}$$

Decryption

 Given $g^{v} \in \mathbb{G}^n$ compute $g^{m} = g^{A^{-1} v} \in \mathbb{G}^n$
 Output $m \in \{0,1\}^n$

SLIDE 12

Proof of Security

 [BHHO08, NS09]: $d$-Linear $\Rightarrow$ $g^{A} \approx_c g^{B}$ where $\mathrm{rank}(B) = d$
 [GL89, DGKPV10]: $f$ is $\epsilon$-hard-to-invert relative to $\mathcal{M}$ $\Rightarrow$ $(r, \langle r, m \rangle)$ is pseudorandom given $f(m)$

Figure (illustrated for $d = 1$): $\mathcal{A}$ receives $pk$ and $f(m)$. Replace $pk = g^{A}$ by $g^{B}$ for a rank-1 matrix $B$, so that $\mathrm{Enc}_{pk}(m) = g^{Am} \approx_c g^{Bm}$ with

$$B = \begin{pmatrix} r \\ \alpha_2 r \\ \vdots \\ \alpha_n r \end{pmatrix}, \qquad
Bm = \begin{pmatrix} \langle r, m \rangle \\ \alpha_2 \langle r, m \rangle \\ \vdots \\ \alpha_n \langle r, m \rangle \end{pmatrix}
\approx_c \begin{pmatrix} \beta \\ \alpha_2 \beta \\ \vdots \\ \alpha_n \beta \end{pmatrix}$$

The right-hand side is independent of $m$.

SLIDE 13

Additional Features of Our Schemes

Security for multiple users & related messages

 Any number of users, linearly-related messages: $\mathrm{Enc}_{pk_1}(m_1), \ldots, \mathrm{Enc}_{pk_n}(m_n)$
 Without requiring sub-exponential hardness

Homomorphic properties

 Additions and one multiplication

$$g^{Am_1} \cdot g^{Am_2} = g^{A(m_1 + m_2)}$$

$$e\left(g^{Am_1},\ g^{(Am_2)^{T}}\right) = e(g, g)^{A\, m_1 m_2^{T} A^{T}}$$
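The key generation, encryption and decryption of SLIDE 11, the additive homomorphism of SLIDE 13, and the equality test that SLIDE 3 presents as a feature and SLIDE 4 as the inherent limitation, as an added worked example. This is not the authors' code: it instantiates the scheme over a toy group, the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, chosen only so that it runs instantly and offering no security at all, and omits the pairing-based multiplication. The parameter names, the matrix-inversion helper and the `dictionary_attack` function are this example's own.

```python
import secrets

# Toy parameters (an assumption of this example, NOT secure): the group G is the
# order-P subgroup of Z_FIELD^*, FIELD = 2P + 1 a safe prime, so every quadratic
# residue other than 1 generates G. Exponents live in Z_P, group elements in Z_FIELD.
P = 1019          # group order p (prime)
FIELD = 2039      # ambient modulus 2p + 1 (prime)
G = 4             # generator g of G (a quadratic residue, hence of order P)


def inverse_mod_matrix(a, mod):
    """Gauss-Jordan inverse of a square matrix over Z_mod (mod prime); None if singular."""
    n = len(a)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % mod), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [x * inv % mod for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % mod for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(n):
    """sk = A^{-1} over Z_P, pk = g^A with (g^A)_ij = g^{a_ij}. Resample A until invertible."""
    while True:
        A = [[secrets.randbelow(P) for _ in range(n)] for _ in range(n)]
        A_inv = inverse_mod_matrix(A, P)
        if A_inv is not None:
            break
    pk = [[pow(G, a, FIELD) for a in row] for row in A]
    return pk, A_inv


def encrypt(pk, m):
    """Deterministic encryption: c = g^{Am}, computed row by row as prod_j (g^{a_ij})^{m_j}."""
    assert len(m) == len(pk) and all(b in (0, 1) for b in m)
    c = []
    for row in pk:
        acc = 1
        for g_ij, m_j in zip(row, m):
            acc = acc * pow(g_ij, m_j, FIELD) % FIELD
        c.append(acc)
    return c


def decrypt(sk, c, bound=1):
    """From c = g^v compute g^{A^{-1} v} = g^m, then read each g^{m_i} off a small table.
    bound=1 decodes fresh ciphertexts (m_i in {0,1}); a larger bound decodes sums of
    ciphertexts produced by add_ciphertexts, whose entries lie in [0, bound]."""
    table = {pow(G, k, FIELD): k for k in range(bound + 1)}
    m = []
    for row in sk:
        acc = 1
        for c_j, a_ij in zip(c, row):
            acc = acc * pow(c_j, a_ij, FIELD) % FIELD
        if acc not in table:
            raise ValueError("ciphertext does not decrypt to a vector in [0, bound]^n")
        m.append(table[acc])
    return m


def add_ciphertexts(c1, c2):
    """Additive homomorphism: g^{Am1} * g^{Am2} = g^{A(m1 + m2)}, component-wise."""
    return [x * y % FIELD for x, y in zip(c1, c2)]


def dictionary_attack(pk, c, candidates):
    """The inherent limitation: Enc_pk is deterministic and one-to-one, so anyone holding
    pk tests a guess m' by checking Enc_pk(m') == c. Returns the matching guess, if any."""
    for guess in candidates:
        if encrypt(pk, guess) == c:
            return guess
    return None


if __name__ == "__main__":
    pk, sk = keygen(6)
    m1, m2 = [1, 0, 1, 1, 0, 0], [0, 1, 1, 0, 0, 1]
    c1 = encrypt(pk, m1)
    print("decrypt(c1)       =", decrypt(sk, c1))
    print("deterministic     =", encrypt(pk, m1) == c1)
    print("decrypt(c1 * c2)  =", decrypt(sk, add_ciphertexts(c1, encrypt(pk, m2)), bound=2))
    print("dictionary attack =", dictionary_attack(pk, c1, [[0] * 6, [1] * 6, m2, m1]))
```

The same `encrypt(pk, guess) == c` comparison that makes ciphertexts searchable is what defeats any message drawn from a small candidate set, which is why the security notions on the following slides restrict messages to be high-entropy, or hard to invert given the auxiliary input, rather than arbitrary.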

SLIDE 14

Conclusions and Open Problems

 Deterministic encryption in the auxiliary-input setting
 Meaningful security for hard-to-invert auxiliary inputs

Open problems

 Eliminating the sub-exponential hardness requirement
 Security beyond linearly-related messages
 Dealing with $pk$-dependent messages and auxiliary inputs

Thank you!