Trapdoor functions from the Computational Diffie-Hellman Assumption

SLIDE 1

Trapdoor functions from the Computational Diffie-Hellman Assumption

Sanjam Garg¹, Mohammad Hajiabadi¹,²

¹ University of California, Berkeley; ² University of Virginia

August 22, 2018

SLIDE 3

Classical Public-Key Crypto

SLIDE 7

PKE and TDF

PKE

$(pk, sk) \leftarrow G(1^k)$, $c = E(pk, m; r)$, $m = D(sk, c)$

Security: $\forall m_0, m_1 : (pk, E(pk, m_0; r_0)) \stackrel{c}{\equiv} (pk, E(pk, m_1; r_1))$

TDF

$(ik, tk) \leftarrow G(1^k)$, $y = F(ik, x)$, $x = F^{-1}(tk, y)$

One-wayness Security: $(ik, F(ik, x)) \stackrel{?}{\rightarrow} x$ is hard for random $ik$, $x$.

SLIDE 10

TDF vs PKE

Main Difference

◮ No randomness used in the evaluation algorithm of TDF.

Relations

◮ TDF implies the existence of PKE [Yao’82, GM’82].

◮ TDF impossible from PKE w.r.t. black-box techniques [GMR’01].

SLIDE 15

TDF Usefulness

One party holds $ik_1, ik_2$; the other party (Bob) holds $ik_1, ik_2$ and $tk_1$.

$y_1 = F(ik_1, x_1)$, $y_2 = F(ik_2, x_2)$

Prove that $x_1 = x_2$.

Bob: Compute $x_1 = F^{-1}(tk_1, y_1)$ and check if $y_2 = F(ik_2, x_1)$.

◮ Application: black-box constructions of CCA-secure PKE ([PW’08, RS’09, etc.]).

PKE instead of TDF

◮ Consistency check: requires some kind of proof (e.g., NIZK) [BFY90, NY90].

SLIDE 18

What assumptions are sufficient for TDFs?

◮ Factoring

◮ DDH and LWE [PW08]

Big gap from PKE!

This talk: We can do it from CDH.

SLIDE 21

CDH and DDH

$G$: group of order $p$ and generator $g$.

Computational Diffie-Hellman (CDH)

◮ Hard to compute $g^{xy}$ from $(g, g^x, g^y)$, where $x, y \leftarrow \mathbb{Z}_p$.

Decisional Diffie-Hellman (DDH)

◮ $(g, g^x, g^y, g^{xy}) \stackrel{c}{\equiv} (g, g^x, g^y, g^z)$, where $x, y, z \leftarrow \mathbb{Z}_p$

SLIDE 23

Why is CDH Preferable?

◮ CDH is a weaker assumption.

◮ There are groups in which CDH is conjectured to be hard but DDH is easy (e.g., $\mathbb{Z}_p^*$, groups with pairings).

SLIDE 25

Main Challenge in Building TDF from DH-Related Assumptions

Why is constructing TDF from Diffie-Hellman assumptions difficult?

It doesn’t naturally offer trapdoors!

SLIDE 28

TDF from DDH (Failed Idea Using ElGamal Encryption)

$(G, g)$, $|G| = p$.

$G(1^k)$: $pk = g^\alpha$, $sk = \alpha$. $E(pk, m; r)$: $c = (g^r, pk^r \cdot m)$. $D(sk = \alpha, c)$: $m$; $r$?

Main bottleneck in designing TDFs

◮ Recovering $r$: solving the Discrete Log!

SLIDE 34

DDH-Based TDF [Peikert-Waters’08]

$(G, g)$, $|G| = p$.

◮ $ik = g^M$ where $M \in \mathbb{Z}_p^{n \times n}$ (and invertible) and $tk = M^{-1}$

$F(ik = g^M, x)$ with $x \in \{0, 1\}^n$: $y = g^{M x^T}$. $F^{-1}(tk = M^{-1}, y)$: $(g^{x_1}, \ldots, g^{x_n})$

◮ Can solve discrete-log as $x_1 \ldots x_n \in \{0, 1\}$!

One-wayness

◮ Matrix pseudorandomness [NR97]: DDH implies $g^M \stackrel{c}{\equiv} g^{M'}$, where $M$ is a random invertible matrix and $M'$ is a random rank-one matrix.

◮ CDH is not known to imply rank indistinguishability.

SLIDE 35

1 Background
    Introduction
    Main Challenges

2 Our TDF Construction
    Our Methodology
    Base Primitive: Recyclable Targeting KEM
    TDF from Recyclable Targeting KEM

3 Summary and Future Work

SLIDE 38

Our Methodology for building TDF from CDH

◮ Derandomizing a class of PKE

◮ TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG’17, BBS’03]

Plan for the Rest of the talk

◮ Define Recyclable Targeted KEM

◮ CDH ⇒ Recyclable Targeted KEM (Not discussed. See [DG’17].)

◮ Recyclable Targeted KEM ⇒ TDF

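SLIDE 39

Key-Encapsulation Mechanism

$(pk, sk) \leftarrow G(1^k)$, $(c, e) = E(pk; r)$, $e = D(sk, c)$ (the message $m$ of the PKE diagram is struck out: $E$ takes no message and $D$ outputs $e$ instead of $m$)

$e$ is always a single bit.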

SLIDE 43

Recyclable Targeted KEM

Targeting Property [DG’17]

◮ $E(pk, (i, b); r) = (ct, e)$

◮ $D(sk, ct) = e$ if $(pk, sk) \in K(1^\lambda)$ and $sk_i = b$.

◮ Security: $(pk, sk, ct, e) \stackrel{c}{\equiv} (pk, sk, ct, e')$, where $(ct, e) \xleftarrow{\$} E(pk, (i, 1 - sk_i); r)$ and $e' \xleftarrow{\$} \{0, 1\}$.

Recyclability

$ct$ does not depend on $pk$. So $E(pk, (i, b); r) = (E_1((i, b); r), E_2(pk, (i, b); r)) = (ct, e)$

SLIDE 53

$ct = E_1((i, b); r)$ for $i \in [n]$, $b \in \{0, 1\}$; $e = E_2(pk; r)$; $D(sk, ct) = e$ if $pk = G(sk)$ and $sk_i = b$

Simple construction for recovering the first bit of the input.

◮ $tk = \begin{pmatrix} r_1 \\ r'_1 \end{pmatrix}$ and $ik = \begin{pmatrix} ct_1 \\ ct'_1 \end{pmatrix} = \begin{pmatrix} E_1((i=1, b=0); r_1) \\ E_1((i=1, b=1); r'_1) \end{pmatrix}$

◮ $F(ik, sk)$: let $pk = G(sk)$.

    ◮ if $sk_1 = 0$, then return $(pk, D(sk, ct_1)) = (pk, E_2(pk; r_1))$.

    ◮ if $sk_1 = 1$, then return $(pk, D(sk, ct'_1)) = (pk, E_2(pk; r'_1))$.

◮ $F^{-1}$: Check for a match: $\begin{pmatrix} E_2(pk; r_1) \\ E_2(pk; r'_1) \end{pmatrix}$

◮ Can recover $sk_1$ with probability 1/2. This can be boosted via repetition.

◮ Not clear how to prove security!

◮ Fix: Put a random bit in the place you cannot apply $D$.

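SLIDE 54

Recovering the First Bit

◮ Gen($1^\lambda$): $tk = \begin{pmatrix} r_1 \\ r'_1 \end{pmatrix}$ and $ik = \begin{pmatrix} ct_1 \\ ct'_1 \end{pmatrix} = \begin{pmatrix} E_1((i=1, b=0); r_1) \\ E_1((i=1, b=1); r'_1) \end{pmatrix}$

◮ $F(ik, sk \| b_1)$: let $pk = G(sk)$. Then:

    ◮ if $sk_1 = 0$ then $M_1 := \begin{pmatrix} D(sk, ct_1) \\ b_1 \end{pmatrix}$

    ◮ if $sk_1 = 1$ then $M_1 := \begin{pmatrix} b_1 \\ D(sk, ct'_1) \end{pmatrix}$

  Return $Y = (pk, M_1)$.

◮ $F^{-1}(tk, Y)$: $M'_1 = \begin{pmatrix} E_2(pk, (1, 0); r_1) \\ E_2(pk, (1, 1); r'_1) \end{pmatrix}$
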
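
The first-bit construction of slides 53 and 54, as an added example that is not code from the talk: a toy Python run of Gen, F and F⁻¹ over a recyclable targeted KEM. Assumptions of this example: the Diffie-Hellman-style KEM (the slides defer the CDH instantiation to [DG’17]), the hash bit used as HC, the comparison rule in F_inv as one reading of "check for a match", and the insecure toy parameters and all names.

```python
import hashlib
import secrets
from math import prod

# Constructed toy parameters (NOT secure): subgroup of prime order q in Z_P^*.
P, q, g, N = 2039, 1019, 4, 8
# Public parameters: one group element g_{j,c} per position j and bit c.
PP = [[pow(g, 1 + secrets.randbelow(q - 1), P) for _ in (0, 1)]
      for _ in range(N)]

def HC(h):  # hash bit standing in for a hardcore predicate (assumption)
    return hashlib.sha256(str(h).encode()).digest()[0] & 1

def G(sk):  # pk = G(sk) = prod_j g_{j, sk_j}
    return prod(PP[j][b] for j, b in enumerate(sk)) % P

def E1(i, b, r):  # ct never touches pk (recyclability); slot (i, 1-b) is blank
    return [[None if (j, c) == (i, 1 - b) else pow(PP[j][c], r, P)
             for c in (0, 1)] for j in range(N)]

def E2(pk, r):  # e = HC(pk^r)
    return HC(pow(pk, r, P))

def D(sk, ct):  # prod_j ct[j][sk_j] = pk^r whenever sk_i = b
    return HC(prod(ct[j][b] for j, b in enumerate(sk)) % P)

def gen():  # ik = (ct_1, ct'_1), tk = (r_1, r'_1); index 0 is the first bit
    r1, r1p = (1 + secrets.randbelow(q - 1) for _ in (0, 1))
    return (E1(0, 0, r1), E1(0, 1, r1p)), (r1, r1p)

def F(ik, sk, b1):  # deterministic: b1 is part of the input, not fresh coins
    pk = G(sk)
    M1 = (D(sk, ik[0]), b1) if sk[0] == 0 else (b1, D(sk, ik[1]))
    return pk, M1

def F_inv(tk, Y):  # recompute both E2 bits with the trapdoor and compare
    pk, M1 = Y
    M1p = (E2(pk, tk[0]), E2(pk, tk[1]))
    if M1 == M1p:
        return None  # b1 equals the other E2 bit: the position is ambiguous
    return 0 if M1[0] == M1p[0] else 1
```

For any fixed sk, exactly one of the two values of b1 makes F_inv return None, which is the probability-1/2 recovery the slide mentions before boosting by repetition.

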
SLIDE 55

Summary and Future Work

Summary

◮ A Construction of TDFs from CDH.

Future Work

◮ Extended forms of TDFs from CDH (e.g., lossy trapdoor functions)

◮ Trapdoor Permutations from CDH/DDH?