Regular Lossy Functions and Applications in Leakage-Resilient Cryptography (PowerPoint PPT presentation)



Regular Lossy Functions and Applications in Leakage-Resilient Cryptography

Yu Chen¹, Baodong Qin², Haiyang Xue¹

¹ SKLOIS, IIE, Chinese Academy of Sciences
² Xi'an University of Posts and Telecommunication

CT-RSA 2018, April 20th, 2018

1 / 41

Outline

1 Backgrounds
2 Regular Lossy Functions
3 Constructions of ABO RLFs
  • Concrete Construction
  • Generic Construction
4 Applications of RLFs
  • Leakage-Resilient OWFs
  • Leakage-Resilient MAC
  • Leakage-Resilient CCA-secure KEM

2 / 41

Lossy Trapdoor Functions

Lossy object indistinguishable from original.

STOC 2008, Peikert and Waters: Lossy Trapdoor Functions and Their Applications

4 / 41

Lossy TDFs

Figure (the two modes of one function family f_ek : X → Y):
  • injective mode: Gen(λ) → (ek, td); f_ek is injective and f_ek^{-1} is computed with td
  • lossy mode: Gen(λ) → (ek, ⊥); the image of f_ek has size 2^τ = 2^{n−ℓ} ≪ 2^n
The evaluation keys ek of the two modes are computationally indistinguishable (≈c).

5 / 41

Extension of LTFs: ABO LTFs

Gen(λ, b*) has an extra input: branch b* ∈ B. Gen(λ, b*) → (ek, td) defines a family of branch functions f_{ek,b1}(·), f_{ek,b2}(·), …, f_{ek,b*}(·), …, f_{ek,bi}(·); b* is hidden from ek.

f_{ek,b}(·) = { lossy if b = b*; injective and invertible if b ≠ b* }

LTFs ⇔ ABO LTFs

6 / 41

Constructions and Applications

Figure (diagram centred on (ABO)-LTF):
  • constructions from: DDH, QR/DCR, LWE, Homo/Dual HPS
  • applications and related primitives: TDF, CRHF, CCA PKE, CP-TDF, ATDF, OT, Lossy PKE, D-PKE, ABM-LTF

7 / 41

Motivations

In all applications of LTF:
  • normal mode: injective + trapdoor, fulfills the functionality
  • lossy mode: establishes security

However, the full power of LTF is expensive: large key size / high computation cost.
  • overkill: some applications (e.g., injective OWF, CRHF) do not require a trapdoor, but only normal ≈c lossy

8 / 41

A central goal in cryptography is to base cryptosystems on primitives that are as weak as possible.

Peikert and Waters conjectured "the weaker notion LF could be achieved more simply and efficiently than LTF". They left the investigation of this question as an interesting problem.

We are motivated to consider the following problems:
  • How to realize LF efficiently?
  • Are there any other applications of LF?
  • Can we further weaken the notion of LF?

9 / 41

A Simple But Important Observation

When a trapdoor is not required for the normal mode, the injective property may also be unnecessary. This observation leads to our further relaxation of LFs:

Regular Lossy Functions
Intuition: the output should preserve much of the min-entropy of the input. In RLFs, functions of the normal mode could also be lossy, but have to lose in a regular manner.

Definition 1
f is v-to-1 (or v-regular) if max_y |f^{-1}(y)| ≤ v.

11 / 41

Regular Lossy Functions

Figure (the two modes of f_ek : X → Y):
  • normal mode: Gen(λ) → ek; f_ek is v-regular
  • lossy mode: Gen(λ) → ek; the image of f_ek has size 2^τ = 2^{n−ℓ} ≪ 2^n
The two evaluation keys are ≈c. When v = 1, RLFs specialize to standard LFs.

12 / 41

Remarks

Why do we choose regularity rather than image size to capture the normal mode?
  • Image size is a global characterization, which only suffices to give a lower bound on H̃∞(x|f(x)) by the chain rule.
  • In contrast, regularity is a local characterization, which suffices to give a lower bound on H∞(f(x)).

The following technical lemma establishes the relation between the min-entropy of x and f(x):

Lemma 2
Let f be a v-to-1 function and x be a random variable over the domain: H∞(f(x)) ≥ H∞(x) − log v.

13 / 41
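As an added illustration of Lemma 2 and the remark above (not part of the original slides): the Python below computes, for two constructed toy functions on 4-bit inputs, the regularity v, the image size, H∞(f(x)) and H̃∞(x|f(x)) for uniform x, and checks both the Lemma 2 bound and the chain-rule bound. The function names and the two sample functions are this example's own.

```python
"""Min-entropy accounting behind Lemma 2 and the image-size chain rule of slide 13, on two
constructed toy functions over 4-bit inputs (0..15).  Not the authors' code."""
from collections import Counter, defaultdict
from math import log2


def min_entropy(samples):
    """H_inf of the distribution of an equally likely list of outcomes."""
    counts = Counter(samples)
    return -log2(max(counts.values()) / len(samples))


def avg_min_entropy(pairs):
    """Average conditional min-entropy H~_inf(X | Y) over equally likely (y, x) pairs:
    -log2 of the best guessing probability for x after seeing y."""
    pairs = list(pairs)
    by_y = defaultdict(Counter)
    for y, x in pairs:
        by_y[y][x] += 1
    return -log2(sum(max(c.values()) for c in by_y.values()) / len(pairs))


def analyse(f, domain):
    """Regularity v, image size, H_inf(f(x)), H~_inf(x|f(x)) and both lower bounds for uniform x."""
    xs = list(domain)
    ys = [f(x) for x in xs]
    v = max(Counter(ys).values())            # v = max_y |f^{-1}(y)|   (local characterization)
    image = len(set(ys))                     # |Img f|                  (global characterization)
    h_x = log2(len(xs))
    return {
        "v": v,
        "image": image,
        "H(f(x))": min_entropy(ys),
        "lemma2_bound": h_x - log2(v),           # H_inf(f(x)) >= H_inf(x) - log v
        "H(x|f(x))": avg_min_entropy(zip(ys, xs)),
        "chain_rule_bound": h_x - log2(image),   # H~_inf(x|f(x)) >= H_inf(x) - log |Img f|
    }


def two_to_one(x):
    return x >> 1                            # 2-regular: every output has exactly two preimages


def small_image_irregular(x):
    return 0 if x < 8 else x                 # image size 9, but eight inputs collapse onto 0


def lemma2_holds(f, domain):
    r = analyse(f, domain)
    return r["H(f(x))"] >= r["lemma2_bound"] - 1e-9


if __name__ == "__main__":
    for f in (two_to_one, small_image_irregular):
        print(f.__name__, analyse(f, range(16)))
```

two_to_one has the smaller image (8 against 9) yet keeps 3 bits of min-entropy in f(x), while small_image_irregular keeps only 1 bit: image size lower-bounds H̃∞(x|f(x)) but says nothing about H∞(f(x)), which is why the normal mode is captured by regularity.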

All-But-One Regular Lossy Functions

Gen(λ, b*) has an extra input: branch b* ∈ B. Gen(λ, b*) → ek defines a family of branch functions f_{ek,b1}(·), f_{ek,b2}(·), …, f_{ek,b*}(·), …, f_{ek,bi}(·); b* is hidden from ek.

f_{ek,b}(·) = { lossy if b = b*; regular if b ≠ b* }

RLF ⇔ ABO-RLF

14 / 41

Concrete Construction from the DDH Assumption

Matrix approach for ABO-LTFs, f_{ek,b}(x) → y, due to Peikert and Waters:
  • input x ∈ Z_2^n
  • Gen(λ, b*) → ek, where GenConceal(n, m) = g^V for the rank-1 matrix

    V = [ r_1 s_1   r_1 s_2   …   r_1 s_m ]
        [ r_2 s_1   r_2 s_2   …   r_2 s_m ]
        [    ⋮         ⋮      ⋱      ⋮    ]
        [ r_n s_1   r_n s_2   …   r_n s_m ]

    DDH ⇒ g^V ≈c U_{G^{n×m}}
  • ek: g^V with −b*(e_1, …, e_m) added in the exponent, i.e. ek = g^{V − b*(e_1, …, e_m)}, where (e_1, …, e_m) is the n×m matrix with the unit vectors as columns
  • f_{ek,b}(x): x × (ek with +b(e_1, …, e_m) added in the exponent) → y ∈ G^m

To ensure the invertible property, the input space is restricted to Z_2^n (a.k.a. {0, 1}^n) and the column dimension is m = n + 1.

16 / 41

(ABO)-RLFs do not require invertible or even injective functions

The same matrix construction with a larger input space and fewer columns:
  • input x ∈ Z_p^n (≫ Z_2^n), column dimension m ≪ n
  • Gen(λ, b*) → ek with GenConceal(n, m) = g^V as before; DDH ⇒ g^V ≈c U_{G^{n×m}}; ek = g^{V − b*(e_1, …, e_m)}
  • f_{ek,b}(x): x × (ek with +b(e_1, …, e_m) added in the exponent) → y ∈ G^m

Lemma 3
The above construction constitutes a (p^{n−m}, log p)-ABO-RLF.
  • ∀b ≠ b*: rank(Y + bI′) = m and #(solution space) for every y ∈ G^m is p^{n−m}.
  • b = b*: rank(Y + bI′) = 1 and thus the image size is at most p.
  • Pseudorandomness of C = g^V ⇒ hidden lossy branch.

17 / 41

Summary and Comparison

  • Our DDH construction applies to extended DDH, which generalizes DDH, QR, DCR
  • We have a more efficient and direct DCR-based construction

ABO-LTF/RLF        | Assump. | Input  | Lossiness     | Key         | Efficiency
ABO-LTF [PW08]     | DDH     | 2^n    | n − log p     | nm|G|       | nm Add
ABO-RLF            | DDH     | p^n    | (n − 1) log p | nm|G|       | nm (Exp+Add)
ABO-LTF [FGK+13]   | DCR     | N^2    | log N         | |Z*_{N^3}|  | 1 Exp
ABO-LF             | DCR     | N^2/4  | log N         | |Z*_{N^2}|  | 1 Exp

18 / 41

Generic Construction from HPS

  • Wee (Eurocrypt 2012): dual HPS ⇒ LTF
    dual HPS: HPS satisfying a strong property
    No efficient ABO construction is known
  • We show HPS ⇒ ABO-RLF
    exploit the algebraic property of the underlying SMP

19 / 41

(Algebra) Subset Membership Problem

Task: distinguish U_X ≈c U_L.
Figure: language L ⊂ X with witness set W and relation R_L; sampling algorithms SampR(λ), SampAll(λ), SampYes(λ), SampNo(λ); the distinguisher outputs a bit in {0, 1}.

Algebra SMP (mild & natural):
  • X forms an Abelian group, L forms a subgroup of X
  • The quotient group H = X/L is cyclic with order p = |X|/|L|

Algebraic properties ⇒ two useful facts:
1 Let ā = aL for some a ∈ X\L be a generator of H; the cosets (aL, 2aL, …, (p − 1)aL, paL = L) constitute a partition of X.
2 For each x ∈ L, ia + x ∉ L for 1 ≤ i < p.

20 / 41

Hash Proof System

L ⊂ X — language defined by R_L where SMP holds. HPS equips L ⊂ X with Gen, Priv, Pub.
  • Gen(λ) → (pk, sk) s.t. α(sk) = pk, where α : SK → PK is the projection
  • Priv(sk, x) computes Λ_sk(x) ∈ Π for any x ∈ X
  • Pub(pk, x, w) computes Λ_sk(x) for x ∈ L with witness w ∈ W (figure: x sampled via SampR(r))
Projective: ∀x ∈ L, Λ_sk(x) is uniquely determined by x and pk ← α(sk).

21 / 41

ABO-RLF from HPS for ASMP

Let aL be a generator for H = X/L; we build ABO-RLF from HPS for ASMP as below:
  • Gen(λ, b*): (x, w) ← SampYes(λ), output ek = −b*a + x
  • f_{ek,b}(sk): output α(sk) || Λ_sk(ek + ba)

Lemma 4
Assume g_x(sk) := α(sk) || Λ_sk(x) is v-regular for any x ∉ L. The above construction is a (v, log |Img α|)-ABO-RLF under ASMP.
  • ek + ba = x + (b − b*)a ∉ L if b ≠ b* ⇒ v-regular
  • ek + ba = x + (b − b*)a ∈ L if b = b* ⇒ lossy by the projective property
  • ASMP ⇒ hidden lossy branch. For any b*_0, b*_1 ∈ Z_p:
    (−b*_0 a + x) ≈c (−b*_0 a + u) ≡ (−b*_1 a + u) ≈c (−b*_1 a + x), where u ←R X.

22 / 41

Leakage-Resilient Cryptography

Figure: a device holding sk receives an input x and computes F(sk, x), e.g. Sign or Dec. The black-box model treats the device as leakage proof; real devices are leakage prone, and the adversary additionally obtains leak(sk). Leakage attacks (since 1996) invalidate this idealized assumption.

24 / 41

Bounded Leakage Model

In this work, we focus on a simple yet general leakage model called the Bounded Leakage Model.
Figure: the adversary adaptively queries leakage functions g_i on sk and receives g_i(sk), subject to a bound Σ_i |g_i(sk)| ≤ ℓ on the total leakage, with ℓ < |sk|.

25 / 41

Leakage-Resilient OWFs

Figure (security game): CH picks x* ←R {0, 1}^n, computes y* ← f(x*) and sends (f, y*) to A; A adaptively queries leakage functions g_i and receives g_i(x*); finally A outputs x and wins if x = x*.

Theorem 5
The normal mode of (1, τ)-RLFs (i.e., LFs) over domain {0, 1}^n constitutes a family of ℓ-leakage-resilient injective OWFs, for any ℓ ≤ n − τ − ω(log λ).

26 / 41

Game 0: real game
  1 Setup: CH generates f ← RLF.GenNormal(λ), picks x* ←R {0, 1}^n and sends (f, y* = f(x*)) to A.
  2 Leakage queries: A → g_i, CH responds with g_i(x*).
  3 Invert: A outputs x and wins if x = x*.
Adv_A(λ) = Pr[S0]

Game 1: same as Game 0 except that:
  1 Setup: CH generates f ← RLF.GenLossy(λ).
Security of RLFs ⇒ |Pr[S1] − Pr[S0]| ≤ negl(λ)

In Game 1, H̃∞(x*|(y*, leak)) ≥ n − τ − ℓ. By the parameter choice, H̃∞(x*|(y*, leak)) ≥ ω(log λ) ⇒ Pr[S1] ≤ negl(λ) even w.r.t. an unbounded adversary.

27 / 41

Leakage-Resilient MAC

Figure (security game): (pp, k) ← Setup(λ), A receives pp; A queries messages m_i and receives t_i ← Tag(k, m_i); A queries leakage functions g_i and receives g_i(k); A outputs (m*, t*) and wins if Vefy(k, m*, t*) = 1 and (m*, t*) ≠ (m_i, t_i).

Strong unforgeability can be relaxed in several ways:
  • One-time: A only makes one tag query
  • Selective: A commits the target message before seeing pp

28 / 41

Construction

Ingredient: (v, τ)-ABORLF
  • KeyGen: ek ← ABORLF.Gen(λ, 0^d), k ←R {0, 1}^n
  • Tag(k, m): t ← f_{ek,m}(k), i.e. k is the input, m the branch, t the output
  • Vefy(k, m, t): check t =? f_{ek,m}(k)

29 / 41

Theorem 6
The above MAC is ℓ-leakage-resilient selectively one-time sUF for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0: (real game)
  1 Setup: A commits m*, CH generates ek ← ABORLF.Gen(λ, 0^d), picks k ←R {0, 1}^n, computes t* ← f_{ek,m*}(k) and then sends (ek, t*) to A.
  2 Leakage queries: A → g_i, CH responds with g_i(k).
  3 Forge: A → (m, t) and wins if m ≠ m* ∧ t = f_{ek,m}(k).
Adv_A(λ) = Pr[S0]

30 / 41

Game 1: same as Game 0 except that
  1 Setup: CH generates ek ← ABORLF.Gen(λ, m*).
Hidden lossy branch ⇒ |Pr[S1] − Pr[S0]| ≤ negl(λ)

In Game 1, A's view includes (ek, leak, t*). We have:
  H̃∞(t|view) = H̃∞(t|ek, leak, t*)
              ≥ H̃∞(t|ek) − ℓ − τ
              ≥ H̃∞(k|ek) − log v − ℓ − τ
              = n − log v − ℓ − τ
By the parameter choice, H̃∞(t|view) ≥ ω(log λ) ⇒ Pr[S1] ≤ negl(λ) even w.r.t. an unbounded adversary.

31 / 41
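As an added example (not the authors' code) covering both the matrix construction of Lemma 3 (slide 17) and the MAC of slides 29 to 31: the Python below works over Z_p "in the exponent", where the real scheme publishes g^V and evaluates in a DDH group, so the linear algebra and the preimage counts are the same. With the constructed parameters p = 5, n = 3, m = 2 and fixed vectors r, s (a real Gen samples them) it brute-forces the (p^{n−m}, log p) behaviour of every branch, then builds Tag/Vefy on the ABO-RLF and measures H̃∞(t|ek, leak, t*) in Game 1 of Theorem 6 against the bound n − log v − ℓ − τ. All names and parameter values are this example's own.

```python
"""Matrix ABO-RLF of slide 17 computed over Z_p 'in the exponent' (the real scheme publishes g^V
and evaluates in a DDH group; the linear algebra and preimage counts are identical), the Lemma 3
counts, and the one-time MAC of slides 29-31 built on it.  Constructed toy parameters."""
from collections import Counter, defaultdict
from itertools import product
from math import log2

P, N, M = 5, 3, 2                            # toy sizes: branches in Z_5, inputs in Z_5^3, outputs in Z_5^2
R, S = [1, 2, 3], [2, 1]                     # constructed stand-in for GenConceal's random r, s


def abo_gen(p, n, m, b_star, r, s):
    """ek = V - b* I' with V = r s^T (rank 1) and I' the n x m matrix with 1s on the diagonal
    (the slides' (e_1, ..., e_m)).  r needs a non-zero entry beyond the first m coordinates so
    that every non-lossy branch has rank m; a real Gen samples r and s."""
    return [[(r[i] * s[j] - (b_star if i == j else 0)) % p for j in range(m)] for i in range(n)]


def abo_eval(p, ek, b, x):
    """f_{ek,b}(x) = x * (ek + b I') in Z_p^m."""
    n, m = len(ek), len(ek[0])
    return tuple(sum(x[i] * (ek[i][j] + (b if i == j else 0)) for i in range(n)) % p
                 for j in range(m))


def lemma3_counts(b_star=3):
    """Per branch b: (max preimage count, image size) of f_{ek,b} over all of Z_p^n.
    Lemma 3 predicts p^{n-m} = 5 preimages per point (image p^m = 25) for b != b*,
    and image size at most p = 5 on the lossy branch."""
    ek = abo_gen(P, N, M, b_star, R, S)
    out = {}
    for b in range(P):
        counts = Counter(abo_eval(P, ek, b, x) for x in product(range(P), repeat=N))
        out[b] = (max(counts.values()), len(counts))
    return out


class AboRlfMac:
    """Slide 29: k <-R Z_p^n is the input, the message m the branch, Tag(k, m) = f_{ek,m}(k)."""

    def __init__(self, p, ek):
        self.p, self.ek = p, ek

    def tag(self, k, msg):
        return abo_eval(self.p, self.ek, msg, k)

    def verify(self, k, msg, t):             # Vefy recomputes the tag (use a constant-time compare in practice)
        return t == self.tag(k, msg)


def avg_min_entropy(pairs):
    """H~_inf(T | view) = -log2 of the best guess for t given view, with keys equally likely."""
    by_view = defaultdict(Counter)
    for view, t in pairs:
        by_view[view][t] += 1
    return -log2(sum(max(c.values()) for c in by_view.values()) / len(pairs))


def mac_game1_entropy(m_star=3, m_forge=1, leak=lambda k: k[0] % 2):
    """Game 1 of Theorem 6: ek is generated on the lossy branch m*, A sees (ek, leak(k), t*).
    Returns the measured H~_inf(t | view) of the tag on m_forge and the slide-31 bound
    n - log v - l - tau in bits (here l = 1 leaked bit, tau = log p, v = p^{n-m})."""
    mac = AboRlfMac(P, abo_gen(P, N, M, m_star, R, S))
    pairs = []
    for k in product(range(P), repeat=N):
        view = (mac.tag(k, m_star), leak(k))     # ek is fixed, hence implicit in the view
        pairs.append((view, mac.tag(k, m_forge)))
    bound = N * log2(P) - log2(P ** (N - M)) - 1 - log2(P)
    return avg_min_entropy(pairs), bound


if __name__ == "__main__":
    print("Lemma 3 counts per branch:", lemma3_counts())
    actual, bound = mac_game1_entropy()
    print(f"Game 1: H~(t|view) = {actual:.2f} bits, bound = {bound:.2f} bits")
```

On the lossy branch every tag t* is a multiple of s, so it reveals only the value x·r (log p bits) about the key, and the tag on any other message still has more than the slide's n − log v − ℓ − τ bits of min-entropy left given (ek, leak, t*).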

Leakage-Resilient CCA-secure KEM

Figure (security game): (pk, sk) ← Setup(λ), A receives pk; A queries ciphertexts c_i and receives k_i ← Decaps(sk, c_i); A queries leakage functions g_i and receives g_i(sk); CH computes (c*, k*_0) ← Encap(pk), picks k*_1 ←R K and β ←R {0, 1}, and sends (c*, k*_β) to A; A outputs β′.

|Pr[β′ = β] − 1/2| ≤ negl(λ)

32 / 41

Construction

Ingredients: HPS, ABORLF, strong extractor
  • KeyGen: (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}); public key (ek, pk), secret key sk
  • Encaps: (x, w) ← SampYes(λ), π ← Pub(pk, x, w), s ←R {0, 1}^d, t ← f_{ek,x||s}(π), k ← ext(π, s); ciphertext c = (x, s, t)
    use π to: derive k & authenticate x||s
  • Decaps: π ← Priv(sk, x); check t =? f_{ek,x||s}(π); output k ← ext(π, s) or ⊥

33 / 41
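As an added example (not the authors' code) covering both the HPS-based ABO-RLF of Lemma 4 (slide 22) and the KEM construction above: a toy hash proof system over X = Z_q^2 with L = {(w, αw)}, the exponent-side analogue of the DDH-based HPS (a real HPS handles group elements), with Gen/Pub/Priv and the projection α. Lemma 4 is checked by brute force at q = 7; the KEM uses one HPS instance (two parallel keys, so that π ∈ Z_7^2) for the language and a second instance over q2 = 197 as the ABO-RLF, with the branch x||s encoded injectively into Z_197, and a toy seeded hash in place of the strong extractor. The parameter values, the branch encoding and the extractor stand-in are assumptions of this example.

```python
"""Toy hash proof system over X = Z_q^2, L = {(w, alpha*w)}: the exponent-side analogue of the
DDH-based HPS (a real HPS handles group elements g^x).  Used for a brute-force check of Lemma 4
and for the KEM of slide 33.  Constructed toy; random.Random only for repeatability (a real
implementation draws from a CSPRNG)."""
import random
from collections import Counter


class ToyHPS:
    def __init__(self, q, alpha, rng):
        self.q, self.alpha, self.rng = q, alpha, rng
        self.a = (0, 1)                      # a in X \ L (needs alpha != 0); aL generates H = X/L

    def samp_yes(self):                      # SampYes: x = w*(1, alpha) in L with witness w
        w = self.rng.randrange(self.q)
        return (w, (self.alpha * w) % self.q), w

    def gen(self):                           # Gen: sk = (k1, k2), pk = alpha(sk)
        sk = (self.rng.randrange(self.q), self.rng.randrange(self.q))
        return self.proj(sk), sk

    def proj(self, sk):                      # projection alpha(sk) = k1 + alpha*k2
        return (sk[0] + self.alpha * sk[1]) % self.q

    def priv(self, sk, x):                   # Lambda_sk(x) = k1*x1 + k2*x2, defined on all of X
        return (sk[0] * x[0] + sk[1] * x[1]) % self.q

    def pub(self, pk, x, w):                 # projective: for x in L, Lambda_sk(x) = w*pk
        return (w * pk) % self.q

    def add(self, x, y):
        return ((x[0] + y[0]) % self.q, (x[1] + y[1]) % self.q)

    def scale(self, c, x):
        return ((c * x[0]) % self.q, (c * x[1]) % self.q)


def abo_gen(hps, b_star):                    # Gen(lambda, b*): (x, w) <- SampYes, ek = -b* a + x
    x, _ = hps.samp_yes()
    return hps.add(hps.scale(-b_star % hps.q, hps.a), x)


def abo_eval(hps, ek, b, sk):                # f_{ek,b}(sk) = alpha(sk) || Lambda_sk(ek + b a)
    return hps.proj(sk), hps.priv(sk, hps.add(ek, hps.scale(b, hps.a)))


def lemma4_check(q=7, alpha=3, b_star=2):
    """Per branch b: (max preimage count, image size) of f_{ek,b} over all sk in Z_q^2.
    Lemma 4 predicts 1-regular (this toy HPS is injective off L) for b != b*, and image size
    |Img alpha| = q on the lossy branch b = b*."""
    hps = ToyHPS(q, alpha, random.Random(1))
    ek = abo_gen(hps, b_star)
    keys = [(k1, k2) for k1 in range(q) for k2 in range(q)]
    out = {}
    for b in range(q):
        counts = Counter(abo_eval(hps, ek, b, sk) for sk in keys)
        out[b] = (max(counts.values()), len(counts))
    return out


class ToyKEM:
    """KEM of slide 33: HPS1 (modulus q1, two parallel keys so that pi lies in Z_q1^2) for the
    language; the ABO-RLF is the HPS-based one above over HPS2 (modulus q2 >= q1^2 * 2^d, so the
    branch x||s embeds injectively into Z_q2); ext is a toy seeded hash h_s(pi) = pi1 + s*pi2 mod q1
    standing in for the strong extractor (an assumption of this toy)."""

    def __init__(self, q1=7, alpha1=3, q2=197, alpha2=5, d=2, seed=7):
        rng = random.Random(seed)
        self.h1, self.h2, self.d = ToyHPS(q1, alpha1, rng), ToyHPS(q2, alpha2, rng), d
        assert q1 * q1 * (1 << d) <= q2

    def branch(self, x, s):                  # injective encoding of x||s into Z_q2
        return ((x[0] * self.h1.q + x[1]) << self.d) | s

    def ext(self, pi, s):
        return (pi[0] + s * pi[1]) % self.h1.q

    def keygen(self):
        pk_a, sk_a = self.h1.gen()
        pk_b, sk_b = self.h1.gen()
        ek = abo_gen(self.h2, 0)             # ABORLF.Gen(lambda, 0^{m+d})
        return (pk_a, pk_b, ek), (sk_a, sk_b, ek)

    def encaps(self, pk):
        pk_a, pk_b, ek = pk
        x, w = self.h1.samp_yes()
        pi = (self.h1.pub(pk_a, x, w), self.h1.pub(pk_b, x, w))
        s = self.h1.rng.randrange(1 << self.d)
        t = abo_eval(self.h2, ek, self.branch(x, s), pi)  # pi authenticates x||s
        return (x, s, t), self.ext(pi, s)

    def decaps(self, sk, c):
        sk_a, sk_b, ek = sk
        x, s, t = c
        pi = (self.h1.priv(sk_a, x), self.h1.priv(sk_b, x))
        if t != abo_eval(self.h2, ek, self.branch(x, s), pi):
            return None                      # tag mismatch: output bottom
        return self.ext(pi, s)
```

Decaps recomputes π with Priv, which agrees with the encapsulator's Pub exactly when x ∈ L (the projective property); any modification of t, and with overwhelming probability of s or x, fails the tag check and is rejected before a key is derived, which is the check that the CCA proof's Game 5 relies on.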

Theorem 7
Suppose SMP for L ⊂ {0, 1}^m is hard, HPS is ϵ1-universal1 and n = log(1/ϵ1), ABORLF is (v, τ)-regularly-lossy, ext is an (n − τ − ℓ, κ, ϵ2)-strong extractor; then the above KEM is ℓ-LR CCA secure for any ℓ ≤ n − τ − log v − ω(log λ).

Game 0: (real game)
  1 Setup: CH generates (pk, sk) ← HPS.Gen(λ), ek ← ABORLF.Gen(λ, 0^{m+d}), sends (pk, ek) to A.
  2 Leakage queries ⟨g_i⟩: CH responds with g_i(sk).
  3 Challenge: CH picks β ∈ {0, 1}, s* ← {0, 1}^d, (x*, w*) ← SampYes(λ), computes π* ← Pub(pk, x*, w*), t* ← f_{ek,x*||s*}(π*), k*_0 ← ext(π*, s*), picks k*_1 ← {0, 1}^κ, sends c* = (x*, s*, t*) and k*_β to A.
  4 Decaps queries ⟨c = (x, s, t) ≠ c*⟩: CH computes π ← Λ_sk(x), outputs k ← ext(π, s) if t = f_{ek,x||s}(π) and ⊥ otherwise.
Adv_A(λ) = Pr[S0] − 1/2

34 / 41

Game 1: CH samples (x*, w*) and s* at Setup. Pr[S0] = Pr[S1]
Game 2: CH generates ek ← ABORLF.Gen(λ, x*||s*). Hidden lossy branch ⇒ |Pr[S2] − Pr[S1]| ≤ negl(λ)
Game 3: CH computes π* ← Λ_sk(x*) via Priv(sk, x*). Correctness of HPS ⇒ Pr[S3] = Pr[S2].
Game 4: CH samples x* via SampNo rather than SampYes. SMP ⇒ |Pr[S4] − Pr[S3]| ≤ negl(λ)
Game 5: CH directly rejects ⟨c = (x, s, t)⟩ if x ∉ L. Define E: A makes an invalid but well-formed decaps query, i.e., f_{ek,x||s}(Λ_sk(x)) = t and x ∉ L ∧ (x, s, t) ≠ (x*, s*, t*). |Pr[S5] − Pr[S4]| ≤ Pr[E]

35 / 41

To calculate Pr[E], it suffices to bound H̃∞(t|view), where view = (pk, ek, leak, x*, s*, t*, k*_β) and t = f_{ek,x||s}(Λ_sk(x)).

We bound H̃∞(t|view) via H̃∞(Λ_sk(x)|view) as below:
  • (x*, s*) determines a lossy branch ⇒ t* reveals only τ bits of partial information about sk ⇒ H̃∞(Λ_sk(x)|view) ≥ n − ℓ − τ − κ
  • We must have (x, s) ≠ (x*, s*), which determines a v-regular branch ⇒ H̃∞(t|view) ≥ H̃∞(Λ_sk(x)|view) − log v
By the parameter choice, H̃∞(t|view) ≥ ω(log λ), thus we have Pr[E] ≤ negl(λ).

36 / 41

Game 6: CH samples k*_0 ← {0, 1}^κ rather than k*_0 ← ext(Λ_sk(x*), s*). Next, we analyze Δ[view_5, view_6].
  • Define view′ = (pk, ek, leak, x*, s*, t*); chain rule ⇒ H̃∞(Λ_sk(x*)|view′) ≥ n − ℓ − τ
  • randomness extractor ⇒ Δ[(view′, k*_{5,0}), (view′, k*_{6,0})] ≤ ϵ2
  • responses to all decaps queries in Games 5 and 6 are determined by the same function of (view′, k*_{5,0}) and (view′, k*_{6,0}) resp.
Δ[view_5, view_6] ≤ ϵ2/2 ≤ negl(λ)

Putting all the above together, Adv_A(λ) = negl(λ).

37 / 41

Significance

  • Universal1 HPS + ABO-RLF ⇒ LR-CCA KEM; proper parameter choice ⇒ ℓ/|sk| = 1 − o(1)
  • HPS ⇒ ABO-RLF
  • CCA-secure KEM with optimal leakage rate based solely on universal1 HPS
    goes beyond the upper bound posed by Dodis et al. (Asiacrypt 2010)
    extends to the identity-based setting as well

38 / 41

Conclusion

Figure (summary diagram): (ABO)-RLFs are constructed from eDDH, DCR and HPS over an Algebra SMP, and yield LR OWF, LR MAC and LR-CCA PKE.

39 / 41

Thanks for Your Attention! Any Questions?

40 / 41

Reference

[FGK+13] David Mandell Freeman, Oded Goldreich, Eike Kiltz, Alon Rosen, and Gil Segev. More constructions of lossy and correlation-secure trapdoor functions. J. Cryptology, 26(1):39–74, 2013.
[PW08] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pages 187–196. ACM, 2008.

41 / 41