
Page 1:

Deterministic Public-Key Encryption for Adaptively Chosen Plaintext Distributions

Ananth Raghunathan (Stanford), Gil Segev (Stanford), Salil Vadhan (Harvard)

Page 2:

EUROCRYPT 2013. DPKE for Adaptively Chosen Plaintext Distributions

Deterministic Public-Key Encryption

Diagram labels: Alice, Bob; (sk, pk), pk; Enc(pk, m)

• Functionality: efficiently searchable encryption
  – Easy to check whether c is Enc(pk, m)
  – Applications: encrypted keyword search, secure deduplication [BKR13, ABMRS13]

• Ciphertexts may be shorter than in randomized schemes

Page 4:

What About Security?

Inherent limitation:
• Easy to check whether c is Enc(pk, m)
• Cannot satisfy semantic security

• Security for unpredictable messages [BBO07, BS11]
  – Inspired by [RW02] and [DS05] in the symmetric-key setting
  – Exciting line of research [BFO08, BFOR08, BBNRSSY09, O’N10, BS11, MPRS12, Wee12]
  – Meaningful for various applications (e.g., key encapsulation): Enc(pk, key), AES(key, 0), AES(key, 1), …

Page 5:

Security Definition [BBO07 simplified]

Game (diagram labels): $M_0, M_1$; $m_0 \leftarrow M_0$, $m_1 \leftarrow M_1$; $b \leftarrow \{0,1\}$; $c = \mathrm{Enc}(pk, m_b)$; pk; guess b

In this talk, $H_\infty(M_b)$ is not too small: no message is very likely to occur

Page 6:

Security Definition [BBO07 simplified]

Game (diagram labels): $M_0, M_1$; $m_0 \leftarrow M_0$, $m_1 \leftarrow M_1$; $b \leftarrow \{0,1\}$; $c = \mathrm{Enc}(pk, m_b)$; pk; guess b

Can we capture adaptive adversaries?

• Good reason why this was not allowed

M0: Sample $m_0$ uniformly from all messages subject to Enc(pk, m) = 0xxxxx

M1: Sample $m_1$ uniformly from all messages subject to Enc(pk, m) = 1xxxxx

Output first bit of c as guess
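
The pk-dependent distributions on this slide, played out as an added example (not from the talk): a toy textbook-RSA key built from two Mersenne primes stands in for the deterministic scheme, and `adaptive_source`, `fixed_source` and `win_rate` are names invented here. Both pairs of sources have roughly 149 bits of min-entropy, yet only the pair defined through pk lets the first-bit guess win every game.

```python
import random

# Constructed toy key (assumption): textbook RSA over two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
NBITS = N.bit_length()

def enc(pk, m):
    """Deterministic encryption: the same (pk, m) always yields the same c."""
    n, e = pk
    return pow(m, e, n)

def first_bit(c):
    """Most significant bit of c in a fixed NBITS-wide encoding."""
    return (c >> (NBITS - 1)) & 1

def adaptive_source(pk, bit, rng):
    """M_bit picked after seeing pk: uniform over {m : first_bit(Enc(pk, m)) == bit}."""
    while True:
        m = rng.randrange(2, pk[0])
        if first_bit(enc(pk, m)) == bit:
            return m

def fixed_source(pk, bit, rng):
    """M_bit that ignores pk: uniform over messages whose own top bit is `bit`."""
    half = 1 << (NBITS - 1)
    return rng.randrange(2, half) if bit == 0 else rng.randrange(half, pk[0])

def win_rate(source, trials, seed=1):
    """Run the game `trials` times; the adversary's guess is first_bit(c)."""
    rng = random.Random(seed)
    pk = (N, E)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)                # challenger's hidden bit
        c = enc(pk, source(pk, b, rng))     # c = Enc(pk, m_b) with m_b <- M_b
        wins += first_bit(c) == b
    return wins / trials

if __name__ == "__main__":
    print("M0/M1 chosen from pk:    ", win_rate(adaptive_source, 400))
    print("M0/M1 independent of pk: ", win_rate(fixed_source, 400))
```
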

Page 7:

Security Definition [BBO07 simplified]

Game (diagram labels): $M_0, M_1$; $m_0 \leftarrow M_0$, $m_1 \leftarrow M_1$; $b \leftarrow \{0,1\}$; $c = \mathrm{Enc}(pk, m_b)$; pk; guess b

Can we capture adaptive adversaries?

Are there realistic security notions that capture adaptively chosen plaintext distributions?

Would like to allow adversaries to choose $M_0$ and $M_1$ after seeing pk

Page 9:

Defining Adaptive DPKE

Game (diagram labels): pk; $M_0, M_1$; fix random $b \leftarrow \{0,1\}$; $m_0 \leftarrow M_0$, $m_1 \leftarrow M_1$; $c = \mathrm{Enc}_{pk}(m_b)$; guess b; Dec(sk, ·)

$M_0$, $M_1$ belong to a set of distributions X of size $2^p$

X is fixed per adversary

• Adversary can choose $M_0$ and $M_1$ in set X adaptively based on pk.

• General notion
  – p = 1 implies [BBO07]
  – p = O(s·log(s)): all circuits of size s

• Easily extends to CCA security

• Equivalent to a “multi-shot” definition: repeated ciphertext queries allowed. Now $M_0$ and $M_1$ can depend on ciphertexts

Security notion only depends on p. Holds for all X of size $2^p$

Unlike previous definitions, we can allow multiple adaptive queries to the challenger

Page 10:

Our Work

• Formalize meaningful notions of adaptive security
  – Attackers given access to pk ahead of time
  – Consider both CPA and CCA security

• Generic constructions in the random-oracle model
  – Based on any off-the-shelf (randomized) PKE

• Constructions in the standard model
  – Connection to deterministic randomness extractors
  – New techniques to deterministically extract via a “High-Moment Crooked” Leftover Hash Lemma
  – A new cryptographic tool (R-lossy trapdoor functions) to achieve CCA security

Page 11:

Tool: Lossy Trapdoor Functions [PW08]

Two families of functions: injective and lossy

f (domain → range), with $f^{-1}$:
• Injective
• Efficiently invertible (trapdoor)

Security: The descriptions of f and g are computationally indistinguishable

Page 12:

Tool: Lossy Trapdoor Functions [PW08]

Two families of functions: injective and lossy

g (domain → range):
• Lossy
• Cannot be inverted (information theoretically)

Security: The descriptions of f and g are computationally indistinguishable

|domain|  2ℓ    

Page 13:

Our Basic Scheme

Let f be an injective member of a LTDF family.
Let π be chosen randomly from a t-wise (almost) independent family of permutations (e.g., [KNR09]).

pk = f, π
sk = $f^{-1}$

Enc: $c = f(\pi(m))$

Dec: $m = \pi^{-1}(f^{-1}(c))$

π is pairwise-independent → [BFO08] scheme
π is t-wise almost-independent → our scheme, with $t \approx \log|X|$

Page 15:

Proof Overview

Theorem: Basic scheme is adaptively CPA secure

Hybrids (diagram):

$M_0$: key (f, π), ciphertext $f(\pi(M_0))$ → [security of LTDFs] → key (g, π), ciphertext $g(\pi(M_0))$

$M_1$: key (f, π), ciphertext $f(\pi(M_1))$ → [security of LTDFs] → key (g, π), ciphertext $g(\pi(M_1))$

High-Moment Crooked Leftover Hash Lemma:

$\mathrm{SD}(g(\pi(M)), g(U))$ is negligible even if M depends on (g, π)

Page 16:

High-Moment Crooked LHL

• Generalizes the Leftover Hash Lemma [HILL89] and its “crooked” variants [DS05, BFO08, …] using the approach of [TV00, Dod00]

• Lemma
  – Let $g : \{0,1\}^n \to \{0,1\}^n$ such that $|\mathrm{Im}(g)| \le 2^{n-\ell}$
  – Let X be any set of sources such that for each M in X, $H_\infty(M) \ge n - \ell + 3\log\log|X| + 2\log(1/\epsilon) + \Theta(1)$
  – Let Π be a family of t-wise almost-independent permutations with $t \approx \log|X| + n - \ell$
  – Then, with probability $1 - \epsilon$ over the choice of π in Π, for every M in X we have $\mathrm{SD}(g(\pi(M)), g(U)) < \epsilon$

• In particular, choice of M can depend on g and π

Page 17:

CCA-Secure Scheme (Overview)

pk = $h, f_1, f_2, \pi_1, \pi_2$
sk = $f_1^{-1}$

• h: Admissible hash function [BB04, CHK+10]
• $f_1$: Lossy trapdoor function in injective mode
• $\pi_1, \pi_2$: t-wise δ-dependent permutations
• $f_2(T, \cdot)$: Chosen from an R-lossy trapdoor function family, $(f_2, f_2^{-1}) \leftarrow \mathrm{Gen}(1^k, S)$
  – If (S, T) in R, then $f_2(T, \cdot)$ is lossy
  – If (S, T) not in R, then $f_2(T, \cdot)$ is injective
  – Description of $f_2$ computationally hides S

Page 20:

CCA-Secure Scheme (Overview)

pk = $h, f_1, f_2, \pi_1, \pi_2$
sk = $f_1^{-1}$

Enc(pk, m): $h(\pi_1(m)),\ f_1(\pi_2(m)),\ f_2(h(\pi_1(m)), \pi_2(m))$

Dec(sk, $c_1, c_2, c_3$): $m \leftarrow \pi_2^{-1}(f_1^{-1}(c_2))$
Re-encrypt m and output ⊥ if it does not match

• Inspired by [BFO08, BSW11]
• Main technical challenge: Adversary’s challenge distribution M is not known in advance when setting up the public key

Page 21:

CCA-Secure Scheme (Overview)

pk = $h, f_1, f_2, \pi_1, \pi_2$
sk = $f_1^{-1}$

Enc(pk, m): $h(\pi_1(m)),\ f_1(\pi_2(m)),\ f_2(h(\pi_1(m)), \pi_2(m))$

Tag determines whether $f_2$ is lossy or injective on its second input (used in proof of security)

Relation R and hash function h designed such that with a non-negligible probability:
1. The challenge message is mapped to a lossy tag → Can apply high-moment crooked LHL
2. All valid decryption queries contain injective tags → Can answer Dec queries using $f_2^{-1}$

Page 22:

Thank You! Any Questions?

eprint.iacr.org/2013/125