Deterministic Public-Key Encryption for Adaptively Chosen Plaintext Distributions
Ananth Raghunathan (Stanford)
Gil Segev (Stanford)
Salil Vadhan (Harvard)
EUROCRYPT 2013: DPKE for Adaptively Chosen Plaintext Distributions
Deterministic Public-Key Encryption
[Figure: Alice holds (sk, pk), Bob holds pk; the ciphertext is Enc(pk, m)]
• Functionality: efficiently searchable encryption
  – Easy to check whether c is Enc(pk, m)
  – Applications: encrypted keyword search, secure deduplication [BKR13, ABMRS13]
• Ciphertexts may be shorter than in randomized schemes
What About Security?
Inherent limitation:
• Easy to check whether c is Enc(pk, m)
• Cannot satisfy semantic security
• Security for unpredictable messages [BBO07, BS11]
  – Inspired by [RW02] and [DS05] in the symmetric-key setting
  – Exciting line of research [BFO08, BFOR08, BBNRSSY09, O'N10, BS11, MPRS12, Wee12]
  – Meaningful for various applications (e.g., key encapsulation: Enc(pk, key), AES(key, 0), AES(key, 1), …)
Security Definition [BBO07 simplified]
[Figure: the adversary chooses distributions M0, M1 before seeing pk; the challenger samples m0 ← M0, m1 ← M1, b ← {0,1}; the adversary receives pk and c = Enc(pk, mb) and must guess b]
In this talk, H∞(Mb) is not too small: no message is very likely to occur
• Good reason why choosing M0, M1 after seeing pk was not allowed. Can we capture adaptive adversaries?
  – M0: sample m0 uniformly from all messages subject to Enc(pk, m) = 0xxxxx
  – M1: sample m1 uniformly from all messages subject to Enc(pk, m) = 1xxxxx
  – Output the first bit of c as the guess
• Would like to allow adversaries to choose M0 and M1 after seeing pk
• Are there realistic security notions that capture adaptively chosen plaintext distributions?
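The adaptive attack the slide describes, run against a toy deterministic scheme, as an added example (not code from the talk or the paper). The scheme is a constructed stand-in: pk is a random permutation table over a 12-bit message space and Enc(pk, m) = pk[m], so encryption is deterministic and publicly checkable; the names `conditioned_source` and `run_experiment` are this example's own. It shows that M0 and M1 each retain min-entropy n-1 bits, yet an adversary who chose them after seeing pk guesses b every single time, which is why the [BBO07] game hands out pk only after the distributions are fixed.

```python
import math
import random

N_BITS = 12                  # toy message space {0,1}^12 (constructed)
DOMAIN = 1 << N_BITS

def keygen(seed):
    # Toy deterministic PKE: pk is a public random permutation table,
    # sk is its inverse. Enc(pk, m) = pk[m] is deterministic, as required.
    rng = random.Random(seed)
    pk = list(range(DOMAIN))
    rng.shuffle(pk)
    sk = [0] * DOMAIN
    for m, c in enumerate(pk):
        sk[c] = m
    return pk, sk

def enc(pk, m):
    return pk[m]

def dec(sk, c):
    return sk[c]

def top_bit(c):
    return c >> (N_BITS - 1)

def conditioned_source(pk, bit):
    # M_b from the slide: uniform over all m with Enc(pk, m) = b xxxxx.
    # Only definable because the adversary saw pk before choosing M_b.
    return [m for m in range(DOMAIN) if top_bit(enc(pk, m)) == bit]

def min_entropy_bits(support):
    # H∞ of the uniform distribution on `support`
    return math.log2(len(support))

def run_experiment(trials, seed):
    # The [BBO07] game with M0, M1 chosen after pk: returns the adversary's
    # success rate at guessing b from c alone.
    pk, _sk = keygen(seed)
    rng = random.Random(seed + 1)
    sources = [conditioned_source(pk, 0), conditioned_source(pk, 1)]
    correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        m_b = rng.choice(sources[b])   # m_b ← M_b
        c = enc(pk, m_b)
        guess = top_bit(c)             # the slide's strategy: first bit of c
        correct += (guess == b)
    return correct / trials

if __name__ == "__main__":
    pk, sk = keygen(7)
    print("H∞(M0) =", min_entropy_bits(conditioned_source(pk, 0)), "bits")
    print("success rate =", run_experiment(500, 7))
```

Each conditioned source has exactly half the message space as support, so its min-entropy is n-1 = 11 bits and neither message is "very likely to occur"; the attack succeeds anyway because the conditioning was done with knowledge of pk.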
Defining Adaptive DPKE
[Figure: the challenger fixes random b ← {0,1} and gives the adversary pk (and, for CCA, access to Dec(sk, ·)); the adversary chooses M0, M1 belonging to a set of distributions X of size 2^p; the challenger samples m0 ← M0, m1 ← M1 and returns c = Encpk(mb); the adversary guesses b]
• Adversary can choose M0 and M1 in set X adaptively based on pk
  – X is fixed per adversary; the security notion only depends on p and holds for all X of size 2^p
• General notion
  – p = 1 implies [BBO07]
  – p = O(s·log(s)): all circuits of size s
• Easily extends to CCA security
• Equivalent to a "multi-shot" definition: repeated ciphertext queries allowed; now M0 and M1 can depend on ciphertexts
  – Unlike previous definitions, we can allow multiple adaptive queries to the challenger
Our Work
• Formalize meaningful notions of adaptive security
  – Attackers given access to pk ahead of time
  – Consider both CPA and CCA security
• Generic constructions in the random-oracle model
  – Based on any off-the-shelf (randomized) PKE
• Constructions in the standard model
  – Connection to deterministic randomness extractors
  – New techniques to deterministically extract via a "High-Moment Crooked" Leftover Hash Lemma
  – A new cryptographic tool (R-lossy trapdoor functions) to achieve CCA security
Tool: Lossy Trapdoor Functions [PW08]
Two families of functions over the same domain and range: injective and lossy
• Injective member f
  – Injective
  – Efficiently invertible given the trapdoor f⁻¹
• Lossy member g
  – Lossy: |Im(g)| ≤ |domain| / 2^ℓ
  – Cannot be inverted (information theoretically)
Security: the descriptions of f and g are computationally indistinguishable
Our Basic Scheme
Let f be an injective member of a LTDF family
Let π be chosen randomly from a t-wise (almost) independent family of permutations (e.g., [KNR09])
pk = (f, π), sk = f⁻¹
Enc: c = f(π(m))
Dec: m = π⁻¹(f⁻¹(c))
π pairwise-independent → [BFO08] scheme
π t-wise almost-independent, with t ≈ log|X| → our scheme
Proof Overview
Theorem: Basic scheme is adaptively CPA secure
[Figure: hybrid argument. Challenge distribution M0 with pk = (f, π): c = f(π(m0)). By security of LTDFs, replace the injective f with a lossy g: c = g(π(m0)). By the High-Moment Crooked Leftover Hash Lemma, g(π(M0)) and g(π(M1)) are both statistically close to g(U), so the hybrid with M1 and pk = (g, π), c = g(π(m1)), is indistinguishable. By security of LTDFs again, replace g with f: c = f(π(m1)), the real game with M1.]
High-Moment Crooked Leftover Hash Lemma: SD(g(π(M)), g(U)) is negligible even if M depends on (g, π)
High-Moment Crooked LHL
• Generalizes the Leftover Hash Lemma [HILL89] and its "crooked" variants [DS05, BFO08, …] using the approach of [TV00, Dod00]
• Lemma
  – Let g: {0,1}^n → {0,1}^n such that |Im(g)| ≤ 2^(n-ℓ)
  – Let X be any set of sources such that for each M in X, H∞(M) ≥ n-ℓ + 3 log log|X| + 2 log(1/ε) + Θ(1)
  – Let Π be a family of t-wise almost-independent permutations with t ≈ log|X| + n-ℓ
  – Then, with probability 1-ε over the choice of π in Π, for every M in X we have SD(g(π(M)), g(U)) < ε
• In particular, the choice of M can depend on g and π
CCA-Secure Scheme (Overview)
pk = (h, f1, f2, π1, π2), sk = f1⁻¹
• h: admissible hash function [BB04, CHK+10]
• f1: lossy trapdoor function in injective mode
• π1, π2: t-wise δ-dependent permutations
• f2(T, ·): chosen from an R-lossy trapdoor function family, (f2, f2⁻¹) ← Gen(1^k, S)
  – If (S, T) in R, then f2(T, ·) is lossy
  – If (S, T) not in R, then f2(T, ·) is injective
  – Description of f2 computationally hides S
Enc(pk, m): c = (h(π1(m)), f1(π2(m)), f2(h(π1(m)), π2(m)))
  – The tag h(π1(m)) determines whether f2 is lossy or injective on its second input; used in the proof of security
Dec(sk, (c1, c2, c3)): m ← π2⁻¹(f1⁻¹(c2)); re-encrypt m and output ⊥ if the result does not match (c1, c2, c3)
• Inspired by [BFO08, BSW11]
• Main technical challenge: the adversary's challenge distribution M is not known in advance when setting up the public key
• Relation R and hash function h designed such that with non-negligible probability:
  1. The challenge message is mapped to a lossy tag, so the high-moment crooked LHL can be applied
  2. All valid decryption queries contain injective tags, so Dec queries can be answered using f2⁻¹
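The encryption and decryption procedures of the CCA-secure scheme, including the re-encryption check that makes Dec output ⊥ on malformed ciphertexts, as an added example that is not the paper's or the talk's code. Every component is a constructed toy over a 12-bit message space: π1, π2 and f1 are random permutation tables (f1's inverse table plays the trapdoor), `h` truncates its input to a 4-bit tag in place of an admissible hash, and `f2` is injective for every tag since the lossy mode only appears in the security proof, never in honest operation. The dictionary layout of `pk`/`sk` and the constant `BOTTOM` are this example's own choices; π2⁻¹ is kept alongside pk because it is computable from the public π2.

```python
import random

N_BITS = 12                       # toy message space {0,1}^12 (constructed)
DOMAIN = 1 << N_BITS
TAG_BITS = 4                      # tag length of the stand-in for h
TAG_MASK = (1 << TAG_BITS) - 1
BOTTOM = None                     # plays the role of ⊥

def random_permutation(seed):
    # Returns (table, inverse) for a random permutation on {0,1}^n
    rng = random.Random(seed)
    table = list(range(DOMAIN))
    rng.shuffle(table)
    inverse = [0] * DOMAIN
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

def keygen(seed):
    pi1, _ = random_permutation(seed)            # π1: only the forward direction is used
    pi2, pi2_inv = random_permutation(seed + 1)  # π2 and its (publicly computable) inverse
    f1, f1_inv = random_permutation(seed + 2)    # f1 in injective mode; f1_inv is the trapdoor
    f2_base, _ = random_permutation(seed + 3)    # core table of the tag-keyed f2
    pk = {"pi1": pi1, "pi2": pi2, "pi2_inv": pi2_inv, "f1": f1, "f2": f2_base}
    sk = {"f1_inv": f1_inv}
    return pk, sk

def h(y):
    # Stand-in for the admissible hash: a short tag derived from y
    return y & TAG_MASK

def f2(pk, tag, y):
    # Toy f2(T, ·): a permutation of y whose top bits are mixed with the tag,
    # hence injective in y for every fixed tag T
    return pk["f2"][y] ^ (tag << (N_BITS - TAG_BITS))

def enc(pk, m):
    # Enc(pk, m) = (h(π1(m)), f1(π2(m)), f2(h(π1(m)), π2(m)))
    y1 = pk["pi1"][m]
    y2 = pk["pi2"][m]
    tag = h(y1)
    return (tag, pk["f1"][y2], f2(pk, tag, y2))

def dec(pk, sk, c):
    # Dec(sk, (c1, c2, c3)): recover m from c2 via the trapdoor, then
    # re-encrypt and reject unless every component of c matches
    c1, c2, c3 = c
    m = pk["pi2_inv"][sk["f1_inv"][c2]]   # m ← π2⁻¹(f1⁻¹(c2))
    if enc(pk, m) != (c1, c2, c3):
        return BOTTOM
    return m

if __name__ == "__main__":
    pk, sk = keygen(11)
    c = enc(pk, 1234)
    print("decrypts to", dec(pk, sk, c))
    print("tampered tag ->", dec(pk, sk, (c[0] ^ 1, c[1], c[2])))
```

Because decryption only reads c2 and then recomputes the whole ciphertext, any ciphertext the adversary assembles with an inconsistent tag or third component is rejected, which is what lets the proof answer decryption queries only on injective tags.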