Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski - PowerPoint PPT Presentation

Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research Weizmann Institute Silicon Valley

Probabilistic Encryption Enc 𝑞𝑙 𝑛 Semantic Security [GM82]: No adversary can learn any meaningful information on 𝑛 Encryption algorithm must be randomized 2

Deterministic Encryption Efficiency: short ciphertexts  Each 𝑞𝑙 may even define a permutation Functionality: searchable encryption  Each 𝑞𝑙 defines a one-to-one mapping  Easy to check whether 𝑑 encrypts 𝑛 relative to 𝑞𝑙 3

What About Security? Inherent limitation:  Each 𝑞𝑙 defines a one-to-one mapping  Easy to check whether 𝑑 encrypts 𝑛 relative to 𝑞𝑙 Security for high-entropy messages [BBO07]  Inspired by [RW02, DS05] in the symmetric-key setting  Exciting line of research [BFO08, BFOR08, BBNRSSY09 , O’N 10 ,…]  Meaningful for various applications (e.g., key encapsulation) Enc 𝑞𝑙 𝑙𝑓𝑧 , AES 𝑙𝑓𝑧 0 , AES 𝑙𝑓𝑧 1 , … 4

Notion of Security ([BBO07] simplified) 𝒝 𝑞𝑙 Enc 𝑞𝑙 𝑛 High-entropy message source ℳ 𝒯 5

The Auxiliary-Input Setting Enc 𝑞𝑙 𝑙𝑓𝑧 , AES 𝑙𝑓𝑧 0 , AES 𝑙𝑓𝑧 1 , … Encryption as a building block of a larger system  Additional information is available  Does 𝑙𝑓𝑧 have any entropy given (AES 𝑙𝑓𝑧 0 , AES 𝑙𝑓𝑧 1 , … ) ?  No security guarantees from current models and schemes (noticed already by [DS05, BBO07]) 6

This Talk: Better Security Model  Deterministic encryption in the auxiliary-input setting  Hard-to-invert auxiliary inputs  Generalizes the high-entropy setting Constructions  Security w.r.t all auxiliary inputs that are sub-exponentially hard  Based on standard hardness assumptions  𝑒 -Linear for any 𝑒 ≥ 1 (Decisional Diffie- Hellman,…)  Subgroup indistinguishability [BG10] ( Quadratic Residuosity, Composite Residuosity ,…) 7

Outline  Hard-to-invert auxiliary inputs  Security in the auxiliary-input setting  Construction based on 𝒆 -Linear 8

Hard-to-Invert Auxiliary Inputs Definition A function 𝑔 is 𝜗 -hard-to-invert relative to 𝒴 if for any efficient algorithm 𝐵 it holds that 𝑦←𝒴 𝐵 𝑔 𝑦 Pr = 𝑦 ≤ 𝜗 𝑔 𝑙𝑓𝑧 = AES 𝑙𝑓𝑧 0 , AES 𝑙𝑓𝑧 1 , …  𝐵 is required to output the exact same 𝑦 (and not any 𝑦′ ∈ 𝑔 −1 𝑔 𝑦 as with one-wayness)  The source of hardness may be any combination of:  Information-theoretic hardness ( 𝑔 has many collisions)  Computational hardness ( 𝑔 is injective) 9

Our Notion of Security (simplified) 𝒝 𝑞𝑙 Enc 𝑞𝑙 𝑛 𝑔 𝑛 𝑔 is hard-to-invert relative to ℳ 𝒯 𝑔 𝑛 10

Construction Based on 𝑒 -Linear  Based on the lossy trapdoor function of [FGKRS10]  𝔿 - group of order 𝑞 generated by 𝑕 𝑕 𝐵 𝑗𝑘 = 𝑕 𝑏 𝑗𝑘 𝑜×𝑜  Sample 𝐵 ← ℤ 𝑞 Key generation  Output 𝑡𝑙 = 𝐵 −1 and 𝑞𝑙 = 𝑕 𝐵 ∈ 𝔿 𝑜×𝑜  Given 𝑛 ∈ 0,1 𝑜 output 𝑕 𝐵𝑛 ∈ 𝔿 𝑜 Encryption 𝑛 𝑘 𝑗 = 𝑕 𝑏 𝑗𝑘 𝑛 𝑘 𝑕 𝐵𝑛 = 𝑕 𝐵 𝑘  Given 𝑕 𝑤 ∈ 𝔿 𝑜 compute 𝑕 𝑛 = 𝑕 𝐵 −1 𝑤 ∈ 𝔿 𝑜 𝑗𝑘 Decryption 𝑘  Output 𝑛 ∈ 0,1 𝑜 11

Proof of Security 𝑠 𝛽 2 𝑠 𝒝 𝑕 𝐵 𝑞𝑙 𝐶 ⋮ 𝛽 𝑜 𝑠 𝛾 𝑠 , 𝑛 𝛽 2 𝛾 𝛽 2 𝑠 , 𝑛 𝑕 𝐵 𝑛 Enc 𝑞𝑙 𝑛 𝐶 𝑛 ⋮ ⋮ 𝛽 𝑜 𝛾 𝛽 𝑜 𝑠 , 𝑛 𝑔 𝑛 Independent of 𝑛  [BHHO08,NS09]: 𝑒 -Linear ⇒ 𝑕 𝐵 ≈ 𝑑 𝑕 𝐶 where 𝑠𝑏𝑜𝑙 𝐶 = 𝑒  [GL89,DGKPV10]: 𝑔 is 𝜗 -hard-to-invert relative to ℳ ⇒ 𝑠 , 𝑠 , 𝑛 is pseudorandom 12

Additional Features of Our Schemes Security for multiple users & related messages  Any number of users, linearly-related messages  Without requiring sub-exponential hardness Enc 𝑞𝑙 1 𝑛 1 , … , Enc 𝑞𝑙 𝑜 𝑛 𝑜 Homomorphic properties  Additions and one multiplication 𝑕 𝐵𝑛 1 ⋅ 𝑕 𝐵𝑛 2 = 𝑕 𝐵 𝑛 1 +𝑛 2 𝑓 𝑕 𝐵𝑛 1 , 𝑕 𝐵𝑛 2 𝑈 𝑈 𝐵 𝑈 = 𝑓 𝑕, 𝑕 𝐵𝑛 1 𝑛 2 13

Conclusions and Open Problems  Deterministic encryption in the auxiliary-input setting  Meaningful security for hard-to-invert auxiliary inputs Open problems  Eliminating sub-exponential hardness requirement  Security beyond linearly-related messages  Dealing with 𝑞𝑙 -dependent messages and auxiliary inputs Thank you! 14