
Regular Lossy Functions and Applications in Leakage-Resilient Cryptography
CT-RSA 2018, April 20th, 2018 (slide 1 / 41)
Yu Chen (1), Baodong Qin (2), Haiyang Xue (1)
(1) SKLOIS, IIE, Chinese Academy of Sciences
(2) Xi'an University of Posts and Telecommunications


Slide 16 / 41: Concrete Construction from the DDH Assumption

Matrix approach for ABO-LTFs, due to Peikert and Waters.

Gen(λ, b*) → ek: run GenConceal(n, m) to obtain C = g^V for a rank-1 matrix V = r sᵀ ∈ Z_p^{n×m}, and output ek = g^{V − b* I'}, where I' = (e_1, …, e_m) is the fixed matrix of unit vectors (so adding b I' in the exponent shifts the diagonal entries by b):

$$
C = g^{V} =
\begin{pmatrix}
g^{r_1 s_1} & g^{r_1 s_2} & \cdots & g^{r_1 s_m} \\
g^{r_2 s_1} & g^{r_2 s_2} & \cdots & g^{r_2 s_m} \\
\vdots & \vdots & \ddots & \vdots \\
g^{r_n s_1} & g^{r_n s_2} & \cdots & g^{r_n s_m}
\end{pmatrix} \in \mathbb{G}^{n \times m},
\qquad \text{DDH} \Rightarrow C \approx_c U(\mathbb{G}^{n \times m}).
$$

f_{ek,b}(x) → y: on input x ∈ Z_2^n, output y = g^{xᵀ(V − b* I' + b I')} ∈ G^m, computed from ek and g^{b I'} with group multiplications only, since x is binary.

To ensure the invertible property, the input space is restricted to Z_2^n (a.k.a. {0,1}^n) and the column dimension is m = n + 1.

Slide 17 / 41: (ABO-)RLFs do not require the invertible or even the injective property

The same matrix construction, now with input x ∈ Z_p^n (far larger than Z_2^n) and column dimension m ≪ n:

  Gen(λ, b*) → ek: C = g^V ← GenConceal(n, m); output ek = g^Y with Y = V − b* I'
  f_{ek,b}(x) → y: on x ∈ Z_p^n, output y = g^{xᵀ(Y + b I')} = g^{xᵀ(V − b* I' + b I')} ∈ G^m
  DDH ⇒ C ≈_c U(G^{n×m})

Lemma 3. The above construction constitutes a (p^{n−m}, log p)-ABO-RLF.
  For every b ≠ b*, rank(Y + b I') = m, so for every y ∈ G^m in the image the solution space {x : f_{ek,b}(x) = y} has size exactly p^{n−m}; the function is p^{n−m}-regular.
  For b = b*, Y + b I' = V has rank 1, and thus the image size is at most p; the function is lossy with τ = log p.
  Pseudorandomness of C = g^V ⇒ hidden lossy branch (ek computationally hides b*).

Slide 18 / 41: Summary and Comparison

  Scheme            Input    Assump.  Lossiness       Key      Efficiency
  ABO-LTF [PW08]    Z_2^n    DDH      n − log p       nm |G|   nm Add
  ABO-RLF (ours)    Z_p^n    DDH      (n − 1) log p   nm |G|   nm (Exp + Add)
  ABO-LTF [FGK+13]           DCR      log N
  ABO-LF (ours)              DCR                               1 Exp
  ABO-RLF (ours)             DCR                               1 Exp

We have a more efficient and direct DCR-based construction of ABO-LTF/RLF.
Our DDH construction applies to extended DDH, which generalizes DDH, QR and DCR.

Slide 19 / 41: Generic Construction from HPS

Wee (Eurocrypt 2012): dual HPS ⇒ LTF. A dual HPS is an HPS satisfying a strong property, and no efficient ABO construction from it is known.

We show: HPS ⇒ ABO-RLF, by exploiting the algebraic property of the underlying SMP.

Slide 20 / 41: (Algebraic) Subset Membership Problem

Algorithms: SampAll(λ) samples from X; SampYes(λ) samples x ∈ L together with a witness w ∈ W under the relation R_L; SampNo(λ) samples from X \ L; SampR(λ).
Task: distinguish U_X from U_L (the distinguisher outputs a bit in {0,1}); SMP is hard if U_X ≈_c U_L.

Algebraic SMP (mild & natural): X forms an Abelian group, L forms a subgroup of X, and the quotient group H = X/L is cyclic with order p = |X| / |L|.

Algebraic properties ⇒ two useful facts:
  1 Let ā = aL for some a ∈ X \ L be a generator of H; the cosets (aL, 2aL, …, (p − 1)aL, paL = L) constitute a partition of X.
  2 For each x ∈ L, ia + x ∉ L for 1 ≤ i < p.

Slide 21 / 41: Hash Proof System

L ⊂ X is a language defined by R_L on which SMP holds. An HPS equips L ⊂ X with (Gen, Priv, Pub):
  Gen(λ) → (pk, sk), with a projection α: SK → PK such that α(sk) = pk
  Priv(sk, x) = Λ_sk(x) ∈ Π for any x ∈ X
  Pub(pk, x, w) for (x, w) ∈ R_L, i.e., x ∈ L with witness w
Projective: ∀ x ∈ L, Λ_sk(x) is uniquely determined by x and pk ← α(sk).

Slide 22 / 41: ABO-RLF from HPS for ASMP

Let aL be a generator of H = X/L. We build an ABO-RLF from an HPS for the ASMP as follows:
  Gen(λ, b*): (x, w) ← SampYes(λ), output ek = −b* a + x
  f_{ek,b}(sk): output α(sk) || Λ_sk(ek + b a)

Lemma 4. Assume g_x(sk) := α(sk) || Λ_sk(x) is v-regular for any x ∉ L. Then the above construction is a (v, log |Img α|)-ABO-RLF under ASMP.
  ek + b a = x + (b − b*) a ∉ L if b ≠ b* (fact 2 of slide 20) ⇒ v-regular.
  ek + b a = x + (b − b*) a ∈ L if b = b* ⇒ lossy by the projective property: the output is determined by α(sk), so the image has at most |Img α| elements.
  ASMP ⇒ hidden lossy branch. For any b*_0, b*_1 ∈ Z_p, with u ← X:

$$
(-b^*_0 a + x) \approx_c (-b^*_0 a + u) \equiv (-b^*_1 a + u) \approx_c (-b^*_1 a + x).
$$
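Worked example, added here and not part of the talk or the authors' code: a toy Python instantiation of the construction above. It assumes the group is the order-5 subgroup of Z_11^* with generators g1 = 4 and g2 = 5, takes X = G × G and L = {(g1^w, g2^w)} (the DDH language, written multiplicatively here whereas the slides write X additively), the Cramer-Shoup-style HPS α(sk) = g1^{k1} g2^{k2}, Λ_sk(x) = x1^{k1} x2^{k2}, and a = (g1, 1) as the representative of the generator aL of H = X/L. These choices and the function names are the example's own. It checks the two facts of slide 20 by enumeration, the projective property, and both halves of Lemma 4: for b ≠ b* the function is injective (v = 1), and for b = b* its image has exactly |Img α| = p elements.

```python
# Added example (not the authors' code): toy instance of the generic ABO-RLF from a
# hash proof system (slide 22, Lemma 4) over the DDH-style algebraic SMP of slide 20.
# Assumptions: the group is the order-5 subgroup of Z_11^* with generators g1 = 4 and
# g2 = 5; X = G x G and L = {(g1^w, g2^w)} are written multiplicatively (the slides
# write X additively), and a = (g1, 1) represents the generator aL of H = X/L.
import itertools
import random

P, Q = 5, 11             # |G| = P is prime, G = {1, 3, 4, 5, 9} inside Z_11^*
G1, G2 = 4, 5            # two generators of G
A = (G1, 1)              # a in X \ L; the coset aL generates the cyclic quotient H


def gmul(x, y):          # group law on X = G x G ("+" in the slides)
    return (x[0] * y[0] % Q, x[1] * y[1] % Q)


def gpow(x, e):          # e*x in the slides' additive notation; negative e allowed
    return (pow(x[0], e % P, Q), pow(x[1], e % P, Q))


def dlog(base, h):       # brute force, fine for a 5-element group
    return next(e for e in range(P) if pow(base, e, Q) == h)


def coset_index(x):
    """i such that x lies in i*a + L: the image of x in H = X/L, identified with Z_P."""
    return (dlog(G1, x[0]) - dlog(G2, x[1])) % P


def in_L(x):
    return coset_index(x) == 0


def samp_yes(rng):       # SampYes: x = (g1^w, g2^w) in L together with its witness w
    w = rng.randrange(P)
    return (pow(G1, w, Q), pow(G2, w, Q)), w


# Hash proof system for L (Cramer-Shoup style): sk = (k1, k2) in Z_P^2.
def alpha(sk):           # projection pk = alpha(sk) = g1^k1 g2^k2
    return pow(G1, sk[0], Q) * pow(G2, sk[1], Q) % Q


def priv(sk, x):         # Lambda_sk(x) = x1^k1 x2^k2, defined on all of X
    return pow(x[0], sk[0], Q) * pow(x[1], sk[1], Q) % Q


def pub(pk, x, w):       # projective property: for x = (g1^w, g2^w), Lambda_sk(x) = pk^w
    return pow(pk, w, Q)


# ABO-RLF from HPS: ek = -b* a + x with x <- SampYes, f_{ek,b}(sk) = alpha(sk) || Lambda_sk(ek + b a).
def abo_gen(b_star, rng):
    x, _w = samp_yes(rng)
    return gmul(gpow(A, -b_star), x)


def abo_eval(ek, b, sk):
    return (alpha(sk), priv(sk, gmul(ek, gpow(A, b))))


def check_projective(seed=2018):
    """Lambda_sk(x) computed with sk equals Pub's value computed from (pk, w) for x in L."""
    rng = random.Random(seed)
    x, w = samp_yes(rng)
    sk = (rng.randrange(P), rng.randrange(P))
    return priv(sk, x) == pub(alpha(sk), x, w)


def check_lemma4(b_star, seed=2018):
    """b != b*: ek + b a is outside L and g_x(sk) is injective (v = 1), so P*P distinct outputs;
    b == b*: ek + b a is in L, the output is fixed by alpha(sk), so image size = |Img alpha| = P."""
    ek = abo_gen(b_star, random.Random(seed))
    keys = list(itertools.product(range(P), repeat=2))
    for b in range(P):
        point = gmul(ek, gpow(A, b))                 # ek + b a = x + (b - b*) a
        if in_L(point) != (b == b_star):
            return False
        image = {abo_eval(ek, b, sk) for sk in keys}
        if len(image) != (P if b == b_star else P * P):
            return False
    return True


def check_asmp_facts():
    """Slide 20: the cosets i*a + L (0 <= i < P) partition X, and i*a + x is outside L
    whenever x is in L and 0 < i < P."""
    g_elems = [pow(G1, e, Q) for e in range(P)]
    X = [(u, v) for u in g_elems for v in g_elems]
    cosets = {i: [x for x in X if coset_index(x) == i] for i in range(P)}
    partition_ok = all(len(c) == P for c in cosets.values())   # 5 cosets of 5 = all 25 of X
    fact2_ok = all(not in_L(gmul(gpow(A, i), x)) for x in cosets[0] for i in range(1, P))
    return partition_ok and fact2_ok


if __name__ == "__main__":
    print("projective:", check_projective(), "Lemma 4:", check_lemma4(3), "ASMP facts:", check_asmp_facts())
```

Because Λ_sk(x) is linear in (k1, k2) in the exponent, for x ∉ L the pair (α(sk), Λ_sk(x)) is a system of two independent linear equations in two unknowns, which is why v = 1 in this toy; a real parameter set replaces the order-5 group by a cryptographic prime-order DDH group and can no longer enumerate the key space, but the structure of the argument is unchanged.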

Slide 23 / 41: Outline

  1 Backgrounds
  2 Regular Lossy Functions
  3 Constructions of ABO-RLFs: Concrete Construction; Generic Construction
  4 Applications of RLFs: Leakage-Resilient OWFs; Leakage-Resilient MAC; Leakage-Resilient CCA-secure KEM

Slide 24 / 41: Leakage-Resilient Cryptography

A cryptographic primitive F (e.g., Sign or Dec) takes the secret key sk and an input x and returns F(sk, x). The black-box model assumes F is leakage proof: the adversary sees only x and F(sk, x). Real implementations are leakage prone: leakage attacks (since 1996) invalidate this idealized assumption, and the adversary additionally obtains leak(sk).

Slide 25 / 41: Bounded Leakage Model

In this work, we focus on a simple yet general leakage model called the Bounded Leakage Model: the adversary adaptively submits leakage functions g_i and receives g_i(sk), subject to the total bound Σ_i |g_i(sk)| ≤ ℓ for a leakage parameter ℓ < |sk|.

Slide 26 / 41: Leakage-Resilient OWFs

Game: the challenger picks x* ← {0,1}^n, computes y* ← f(x*) and sends (f, y*) to A; A adaptively submits leakage functions g_i and receives g_i(x*); finally A outputs x and wins if x = x*.

Theorem 5. The normal mode of (1, τ)-RLFs (i.e., LFs) over domain {0,1}^n constitutes a family of ℓ-leakage-resilient injective OWFs, for any ℓ ≤ n − τ − ω(log λ).

Slide 27 / 41: Proof of Theorem 5

Game 0 (real game):
  1 Setup: CH generates f ← RLF.GenNormal(λ), picks x* ← {0,1}^n and sends (f, y* = f(x*)) to A.
  2 Leakage queries: A → g_i, CH responds with g_i(x*).
  3 Invert: A outputs x and wins if x = x*. Adv_A(λ) = Pr[S_0].

Game 1: same as Game 0 except that:
  1 Setup: CH generates f ← RLF.GenLossy(λ).
Security of RLFs ⇒ |Pr[S_1] − Pr[S_0]| ≤ negl(λ).

In Game 1, $\tilde{H}_\infty(x^* \mid (y^*, \mathrm{leak})) \ge n - \tau - \ell$. By the parameter choice, $\tilde{H}_\infty(x^* \mid (y^*, \mathrm{leak})) \ge \omega(\log \lambda)$ ⇒ Pr[S_1] ≤ negl(λ), even w.r.t. an unbounded adversary.

Slide 28 / 41: Leakage-Resilient MAC

Syntax: (pp, k) ← Setup(λ); Tag(k, m) → t; Vefy(k, m, t) → 0/1.
Strong unforgeability (sUF) game: A receives pp, adaptively queries messages m_i and receives t_i ← Tag(k, m_i), and adaptively queries leakage functions g_i and receives g_i(k). Finally A outputs (m*, t*) and wins if Vefy(k, m*, t*) = 1 and (m*, t*) ≠ (m_i, t_i) for all i.

Strong unforgeability can be relaxed in several ways:
  One-time: A only makes one tag query.
  Selective: A commits to the target message before seeing pp.

Slide 29 / 41: Construction (leakage-resilient MAC)

Ingredient: a (v, τ)-ABO-RLF.
  KeyGen: ek ← ABORLF.Gen(λ, 0^d), k ← {0,1}^n
  Tag(k, m): t ← f_{ek,m}(k)   (k is the input, the message m is the branch, the tag t is the output)
  Vefy(k, m, t): check t =? f_{ek,m}(k)

Slide 30 / 41: Security of the MAC

Theorem 6. The above MAC is ℓ-leakage-resilient selectively one-time sUF for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0 (real game):
  1 Setup: A → m*, CH generates ek ← ABORLF.Gen(λ, 0^d), picks k ← {0,1}^n, computes t* ← f_{ek,m*}(k) and then sends (ek, t*) to A.
  2 Leakage queries: A → g_i, CH responds with g_i(k).
  3 Forge: A → (m, t) and wins if m ≠ m* ∧ t = f_{ek,m}(k). Adv_A(λ) = Pr[S_0].

Slide 31 / 41: Security of the MAC (continued)

Game 1: same as Game 0 except that:
  1 Setup: CH generates ek ← ABORLF.Gen(λ, m*).
Hidden lossy branch ⇒ |Pr[S_1] − Pr[S_0]| ≤ negl(λ).

In Game 1, A's view includes (ek, leak, t*). For the forged tag t = f_{ek,m}(k) with m ≠ m* we have:

$$
\tilde{H}_\infty(t \mid \mathrm{view})
= \tilde{H}_\infty(t \mid ek, \mathrm{leak}, t^*)
\ge \tilde{H}_\infty(t \mid ek) - \ell - \tau
\ge \tilde{H}_\infty(k \mid ek) - \log v - \ell - \tau
= n - \log v - \ell - \tau
$$

(the leakage costs at most ℓ bits, t* lies in the image of the lossy branch m*, which has at most 2^τ elements, and f_{ek,m} is v-regular for m ≠ m*). By the parameter choice, $\tilde{H}_\infty(t \mid \mathrm{view}) \ge \omega(\log \lambda)$ ⇒ Pr[S_1] ≤ negl(λ), even w.r.t. an unbounded adversary.
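Worked example, added here and not part of the talk or the authors' code: a Python toy instance of the DDH matrix ABO-RLF of slide 17 and of the MAC of slide 29 built on it, together with brute-force checks of Lemma 3 and of the min-entropy bound used in the argument above. It assumes a group of prime order 5 (the subgroup of Z_11^* generated by 4), n = 3 and m = 2, ℓ = 0, and a message space Z_p \ {0} so that no honest message hits the lossy branch 0 of the normal key; the names gen_conceal, abo_gen, abo_eval, mac_keygen, mac_tag, mac_verify, forgery_min_entropy and theorem6_bound are the example's own.

```python
# Added example (not the authors' code): toy instance of the DDH matrix ABO-RLF of slide 17
# and the selectively one-time MAC of slide 29 built on it, with brute-force checks of
# Lemma 3 and of the min-entropy bound behind Theorem 6 (slide 31).
# Assumptions: the group is the order-5 subgroup of Z_11^* generated by g = 4 (a real
# instance uses a cryptographic DDH group); n = 3, m = 2 (so n > m, the "m << n" regime);
# MAC messages are branches in Z_P \ {0}, so no honest message hits the lossy branch 0.
import itertools
import math
import random

P, Q, G = 5, 11, 4          # |G| = P prime, G = <4> = {4, 5, 9, 3, 1} inside Z_11^*
N, M = 3, 2                 # input dimension n and column dimension m


def gen_conceal(n, m, rng):
    """GenConceal(n, m): rank-1 matrix V = r s^T over Z_P (all r_i, s_j nonzero)."""
    r = [rng.randrange(1, P) for _ in range(n)]
    s = [rng.randrange(1, P) for _ in range(m)]
    return [[ri * sj % P for sj in s] for ri in r]


def abo_gen(b_star, rng):
    """Gen(lambda, b*): ek = g^{V - b* I'}, where I' has the m x m identity in its first m rows."""
    V = gen_conceal(N, M, rng)
    return [[pow(G, (V[i][j] - (b_star if i == j else 0)) % P, Q) for j in range(M)]
            for i in range(N)]


def abo_eval(ek, b, x):
    """f_{ek,b}(x) = g^{x^T (V - b* I' + b I')} in G^m, computed entirely in the group."""
    y = []
    for j in range(M):
        acc = 1
        for i in range(N):
            cell = ek[i][j] * pow(G, b, Q) % Q if i == j else ek[i][j]   # add b I' in the exponent
            acc = acc * pow(cell, x[i], Q) % Q
        y.append(acc)
    return tuple(y)


def preimage_profile(ek, b):
    """Number of preimages of every image of f_{ek,b} over the whole domain Z_P^N."""
    counts = {}
    for x in itertools.product(range(P), repeat=N):
        y = abo_eval(ek, b, x)
        counts[y] = counts.get(y, 0) + 1
    return counts


def check_lemma3(b_star, seed=2018):
    """Lemma 3: every branch b != b* is P^(N-M)-regular, and branch b* has image size <= P."""
    ek = abo_gen(b_star, random.Random(seed))
    for b in range(P):
        profile = preimage_profile(ek, b)
        if b == b_star and len(profile) > P:
            return False
        if b != b_star and set(profile.values()) != {P ** (N - M)}:
            return False
    return True


# The MAC of slide 29: k is the input, the message m is the branch, the tag t is the output.
def mac_keygen(seed):
    rng = random.Random(seed)
    ek = abo_gen(0, rng)                                  # ABORLF.Gen(lambda, 0): lossy branch 0
    k = tuple(rng.randrange(P) for _ in range(N))        # k <- Z_P^N
    return ek, k


def mac_tag(ek, k, m):
    assert 1 <= m < P                                     # assumption: message space Z_P \ {0}
    return abo_eval(ek, m, k)


def mac_verify(ek, k, m, t):
    return 1 <= m < P and abo_eval(ek, m, k) == t


def forgery_min_entropy(m_star, m, seed=2018):
    """Game 1 of Theorem 6 with ell = 0: ek has lossy branch m*, A sees t* = f_{ek,m*}(k) and
    must output t = f_{ek,m}(k) for m != m*.  Returns H~_inf(t | ek, t*) by brute force over k:
    -log2 of E_{t*}[max_t Pr[t | t*]]."""
    ek = abo_gen(m_star, random.Random(seed))
    joint = {}
    for k in itertools.product(range(P), repeat=N):
        t_star, t = abo_eval(ek, m_star, k), abo_eval(ek, m, k)
        joint.setdefault(t_star, {})
        joint[t_star][t] = joint[t_star].get(t, 0) + 1
    best_guess = sum(max(d.values()) for d in joint.values()) / P ** N
    return -math.log2(best_guess)


def theorem6_bound():
    """n log p - log v - tau - ell for this instance: v = P^(N-M), tau = log P, ell = 0."""
    return N * math.log2(P) - (N - M) * math.log2(P) - math.log2(P)


if __name__ == "__main__":
    print("Lemma 3 holds:", check_lemma3(3))
    ek, k = mac_keygen(1)
    t = mac_tag(ek, k, 2)
    print("tag verifies:", mac_verify(ek, k, 2, t))
    print(f"H~inf(t | ek, t*) = {forgery_min_entropy(2, 4):.2f} >= {theorem6_bound():.2f}")
```

forgery_min_entropy computes $\tilde{H}_\infty(t \mid ek, t^*)$ exactly by enumerating all p^n keys, with ek generated on the lossy branch m* as in Game 1. On this instance the value is 2 log p, above the bound n log p − log v − τ = log p, because conditioning on t* fixes only the single exponent ⟨k, r⟩ while the regular branch still sees the two free coordinates (k_1, k_2); the bound is what survives in general, the slack is specific to the rank-1 structure of V.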

Slide 32 / 41: Leakage-Resilient CCA-secure KEM

Game: (pk, sk) ← Setup(λ) and A receives pk. A adaptively makes decapsulation queries c_i and receives k_i ← Decaps(sk, c_i), and leakage queries g_i and receives g_i(sk). Challenge: (c*, k*_0) ← Encap(pk), k*_1 ← K, β ← {0,1}; A receives (c*, k*_β) and finally outputs β'. Security: |Pr[β' = β] − 1/2| ≤ negl(λ).

Slide 33 / 41: Construction (leakage-resilient CCA-secure KEM)

Ingredients: an HPS, an ABO-RLF, and a strong extractor ext.
  KeyGen: (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}); publish (pk, ek), keep sk.
  Encaps: (x, w) ← SampYes(λ), π ← Pub(pk, x, w), s ← {0,1}^d, t ← f_{ek, x||s}(π), k ← ext(π, s); output c = (x, s, t) and k.
  Decaps(sk, c = (x, s, t)): π ← Priv(sk, x); if t = f_{ek, x||s}(π) output k ← ext(π, s), otherwise output ⊥.
The hash value π is used both to derive k and to authenticate x||s.

Slide 34 / 41: Security of the KEM

Theorem 7. Suppose SMP for L ⊂ {0,1}^m is hard, the HPS is ε_1-universal_1 with n = log(1/ε_1), the ABORLF is (v, τ)-regularly-lossy, and ext is an (n − τ − ℓ, κ, ε_2)-strong extractor. Then the above KEM is ℓ-LR CCA secure for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0 (real game):
  1 Setup: CH generates (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}), and sends (pk, ek) to A.
  2 Leakage queries ⟨g_i⟩: CH responds with g_i(sk).
  3 Challenge: CH picks β ∈ {0,1}, s* ← {0,1}^d, (x*, w*) ← SampYes(λ), computes π* ← Pub(pk, x*, w*), t* ← f_{ek, x*||s*}(π*), k*_0 ← ext(π*, s*), picks k*_1 ← {0,1}^κ, and sends c* = (x*, s*, t*) and k*_β to A.
  4 Decaps queries ⟨c = (x, s, t) ≠ c*⟩: CH computes π ← Λ_sk(x) and outputs k ← ext(π, s) if t = f_{ek, x||s}(π), and ⊥ otherwise.
Adv_A(λ) = Pr[S_0] − 1/2.

Slide 35 / 41: Security of the KEM (game sequence)

Game 1: CH samples (x*, w*) and s* at Setup. Pr[S_0] = Pr[S_1].
Game 2: CH generates ek ← ABORLF.Gen(λ, x*||s*). Hidden lossy branch ⇒ |Pr[S_2] − Pr[S_1]| ≤ negl(λ).
Game 3: CH computes π* via Priv, i.e., π* ← Priv(sk, x*), instead of via Pub. Correctness of HPS ⇒ Pr[S_3] = Pr[S_2].
Game 4: CH samples x* via SampNo rather than SampYes. SMP ⇒ |Pr[S_4] − Pr[S_3]| ≤ negl(λ).
Game 5: CH directly rejects if A makes an invalid but well-formed decaps query, i.e., a query c = (x, s, t) with x ∉ L whose tag nonetheless satisfies t = f_{ek, x||s}(Λ_sk(x)). Define E as the event that such a query occurs; then |Pr[S_5] − Pr[S_4]| ≤ Pr[E] ≤ negl(λ).
