Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting

Transcription

1 Better Seurity for Deterministi Publi-Key Enryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Abstrat Deterministi publi-key enryption, introdued by Bellare, Boldyreva, and O Neill CRYPTO 07, provides an alternative to randomized publi-key enryption in various senarios where the latter exhibits inherent drawbaks. A deterministi enryption algorithm, however, annot satisfy any meaningful notion of seurity when the plaintext is distributed over a small set. Bellare et al. addressed this diffiulty by requiring semanti seurity to hold only when the plaintext has high min-entropy from the adversary s point of view. In many appliations, however, an adversary may obtain auxiliary information that is related to the plaintext. Speifially, when deterministi enryption is used as a building blok of a larger system, it is rather likely that plaintexts do not have high min-entropy from the adversary s point of view. In suh ases, the framework of Bellare et al. might fall short from providing robust seurity guarantees. We formalize a framework for studying the seurity of deterministi publi-key enryption shemes with respet to auxiliary inputs. Given the trivial requirement that the plaintext should not be effiiently reoverable from the auxiliary input, we fous on hard-to-invert auxiliary inputs. Within this framework, we propose two shemes: the first is based on the deisional Diffie- Hellman and, more generally, on the d-linear assumption, and the seond is based on a rather general lass of subgroup indistinguishability assumptions inluding, in partiular, quadrati residuosity and Paillier s omposite residuosity. Our shemes are seure with respet to any auxiliary input that is subexponentially hard to invert assuming the standard hardness of the underlying omputational assumptions. In addition, our first sheme is seure even in the multiuser setting where related plaintexts may be enrypted under multiple publi keys. Construting a sheme that is seure in the multi-user setting even without onsidering auxiliary inputs was identified by Bellare et al. as an important open problem. Keywords: Publi-key enryption, deterministi enryption, auxiliary inputs, omposable seurity. Department of Computer Siene and Applied Mathematis, Weizmann Institute of Siene, Rehovot 76100, Israel. zvika.brakerski@weizmann.a.il. Mirosoft Researh, Mountain View, CA 94043, USA. gil.segev@mirosoft.om.

2 1 Introdution Publi-key enryption is one of the most basi ryptographi tasks. A publi-key enryption sheme onsists of three algorithms: a key-generation algorithm that produes a seret key and a orresponding publi key, an enryption algorithm that uses the publi key for mapping plaintexts into iphertexts, and a deryption algorithm that uses the seret key for reovering plaintexts from iphertexts. For modeling the seurity of publi-key enryption shemes, the fundamental notion of semanti seurity was introdued in the seminal work of Goldwasser and Miali [GM84]. Semanti seurity asks that it should be infeasible to gain any effetive information on the plaintext by seeing the iphertext and the publi key. More speifially, whatever an be omputed effiiently from the iphertext, the publi key and possibly some auxiliary information, an essentially be omputed effiiently from the publi key and the auxiliary information alone. Together with its rigorous, robust, and meaningful modeling of seurity, semanti seurity inherently arries the requirement for a randomized enryption algorithm. In some ases, however, a randomized enryption algorithm may suffer from various drawbaks. In terms of effiieny, iphertexts are not length preserving and might be signifiantly longer than their orresponding plaintexts, and are in general not effiiently searhable. These properties severely limit the deployment of publi-key enryption shemes in appliations involving, for example, massive data sets where the iphertext expansion is ruial, or global dedupliation-based storage systems where searhes are highly frequent e.g., [ZLP08]. In addition, in terms of seurity, the seurity guarantees provided by randomized publi-key enryption, and by randomized ryptographi primitives in general, are typially highly dependant on the availability of true and fresh random bits see, for example, [BBN + 09] and the referenes therein. Deterministi publi-key enryption. For dealing with these kind of drawbaks, Bellare, Boldyreva, and O Neill [BBO07] initiated the study of deterministi publi-key enryption shemes. These are publi-key enryption shemes in whih the enryption algorithm is deterministi 1. In this setting, where full-fledged semati seurity is out of reah, Bellare et al. put forward the goal of formalizing a notion of seurity that aptures semanti seurity as muh as possible. An immediate onsequene of having a deterministi enryption algorithm, however, is that essentially no meaningful notion of seurity an be satisfied if the plaintext is distributed over a set of polynomial size. Indeed, in suh a ase an adversary who is given a publi key pk and an enryption of some plaintext m under the publi key pk, an simply enrypt all possible plaintexts, ompare eah of them to the given iphertext, and thus reover the plaintext m. Bellare et al. addressed this problem by requiring seurity to hold only when the plaintext is sampled from a distribution of high min-entropy. Subjet to this restrition, they adapted semanti seurity to the setting of deterministi enryption: For any high-entropy plaintext distribution, whatever an be omputed effiiently from the iphertext and the publi key, an also be omputed effiiently from the publi key alone. Construtions of deterministi publi-key enryption shemes satisfying this and similar notions of seurity were proposed in the random orale model by Bellare et al. [BBO07], and then in the standard model by Bellare, Fishlin, O Neill, and Ristenpart [BFO + 08a], by Boldyreva, Fehr, and O Neill [BFO08b], and by O Neill [O N10]. We refer the reader to Setion 1.2 for an elaborated disussion of these onstrutions. 1 Note that this is effetively a olletion of injetive trapdoor funtions assuming the deryption algorithm is deterministi as well. 1 mipan.info

3 Seurity with respet to auxiliary information. In typial appliations, a deterministi publi-key enryption sheme is used as building blok of a larger system. In suh a setting, an adversary usually has additional information that it an use when trying to break the seurity of the sheme. This danger beomes even more ritial when suh additional information is related to the enrypted plaintext. In general, seurity with respet to auxiliary information is essential towards obtaining omposable seurity see, for example, [Can01] and the referenes therein. More losely related to our approah are the studies of seurity with respet to auxiliary information in the ontexts of perfet one-way funtions [Can97], program obfusation [GK05], and leakage-resilient enryption [DKL09, DGK + 10, BG10]. For example, when using a deterministi publi-key enryption sheme for enabling effiient searhes on enrypted databases, as suggested by Bellare et al. [BBO07], it is not unlikely that the same plaintext belongs to more than one database, and is therefore enrypted under several publi keys; or that various statistis of the database are publily available. A more aute example is when using a deterministi publi-key enryption sheme for a key-enapsulation mehanism that hedges against bad randomness [BBN + 09]. In suh a ase an adversary that observes the usage of the enapsulated key say, as a key to a symmetri-key enryption sheme may in fat obtain a huge amount of additional information on the enapsulated key. In this light, the notion of seurity proposed by Bellare et al. [BBO07] might fall short of apturing the likely ase where auxiliary information is available. That is, although a plaintext may be sampled from a distribution with high min-entropy to begin with, it might still have no entropy, from the point of view of an adversary, in many realisti senarios. We note that already in the setting of deterministi symmetri-key enryption of high-entropy messages, Dodis and Smith [DS05] observed that the main weakness of an approah that does not take into aount auxiliary information, is the lak of omposable seurity. It is thus a highly desirable task to model and to onstrut seure deterministi enryption shemes in the setting of auxiliary information, as a ruial and essential step towards obtaining more realisti seurity guarantees. 1.1 Our Contributions In this paper we introdue a framework for modeling the seurity of deterministi publi-key enryption shemes with respet to auxiliary inputs. Within this framework we propose onstrutions that are based on standard ryptographi assumptions in the standard model i.e., without random orales. Our framework is a generalization of the one formalized by Bellare et al. [BBO07] and further studied in [BFO + 08a, BFO08b, O N10] to the auxiliary-input setting, in whih an adversary possibly obtains additional information that is related to the enrypted plaintext, and might even fully determine the enrypted plaintext information theoretially. Modeling auxiliary information. An immediate onsequene of having a deterministi enryption algorithm is that no meaningful notion of seurity an be satisfied if the plaintext an be reovered from the adversary s auxiliary information see Setion 4 for a disussion of this inherent onstraint 2. Thus, we fous our attention on the ase of hard-to-invert auxiliary inputs, where the soure of hardness may be any ombination of information-theoreti hardness where the auxiliaryinput funtion is many-to-one and omputational hardness where the auxiliary input funtion is injetive, but is hard to invert by effiient algorithms. 2 This is somewhat similar to the observation that seurity is impossible to ahieve when the plaintext is distributed over a small set. 2 mipan.info

4 Notions of seurity. Following [BBO07, BFO + 08a, BFO08b] we formalize three notions of seurity with respet to auxiliary inputs, and prove that all three are equivalent. The first is a simulation-based notion, apturing the intuitive meaning of semanti seurity: whatever an be omputed effiiently given a publi key, an enryption of a message, and hard-to-invert auxiliary input, an be omputed effiiently given only the publi key and the auxiliary input. The seond is a omparison-based notion, whih essentially serves as an intermediate notion towards an indistinguishability-based one that is somewhat easier to handle in proofs of seurity. The high-level approah of the equivalene proofs is motivated by those of [BFO + 08a, BFO08b], but the existene of auxiliary inputs that may fully determine the enrypted messages introdues various diffiulties that our tehniques overome. Construtions. We propose two onstrutions in the standard model satisfying our notions of seurity. At a first glane, one might hope that the onstrutions proposed in [BBO07, BFO + 08a, BFO08b, O N10] an be naturally extended to the auxiliary-input setting by replaing the notion of statistial min-entropy with an appropriate notion of omputational min-entropy. This, however, does not seem to be the ase at least without relying on random orales, as these onstrutions seem to heavily rely on information-theoreti properties that might not have natural omputational analogues 3. Our first onstrution is based on the deisional Diffie-Hellman assumption, and more generally, on any of the d-linear assumptions, and our seond onstrution is based on a rather general lass of subgroup indistinguishability assumptions as defined in [BG10] inluding, in partiular, the quadrati residuosity assumption, and Paillier s omposite residuosity assumption [Pai99]. The resulting shemes are seure with respet to any auxiliary input that is subexponentially hard to invert 4. In addition, our first sheme is seure even in the multi-user setting where related messages may be enrypted under multiple publi keys. In this setting we obtain seurity with respet to auxiliary inputs for any polynomial number of messages and users as long as the messages are related by invertible linear transformations. Construting a sheme that is seure is the multi-user setting even without onsidering auxiliary inputs was identified as an important open problem by Bellare et al. [BBO07]. Finally, we note that this sheme also exhibits an interesting homomorphi property: it allows homomorphi additions and one multipliation, in the spirit of [BGN05, GHV10]. This property may be found espeially useful in light of the possible appliations of deterministi publi-key enryption shemes in database systems [BBO07]. 1.2 Related Work Exploiting the entropy of messages to prove otherwise-impossible seurity was first proposed by Russell and Wang [RW06], followed by Dodis and Smith [DS05]. These works ahieved informationtheoreti seurity for symmetri-key enryption with short keys. In the setting of publi-key enryption, deterministi enryption for high min-entropy messages was proposed by Bellare, Boldyreva, and O Neill [BBO07] who formalized a definitional framework, whih was later refined and extended by Bellare, Fishlin, O Neill, and Ristenpart [BFO + 08a], by Boldyreva, Fehr, and O Neill [BFO08b], and by O Neill [O N10]. Bellare et at. [BBO07] presented two onstrutions in the random orale model: The first relies on any semantially-seure publi-key 3 A prime example is the generalized rooked leftover hash lemma [BFO08b], for whih a omputational analogue may seem somewhat hallenging to devise. 4 We emphasize that in this paper we rely on standard omputational assumptions i.e., d-linear or quadrati residuosity, and only the auxiliary inputs are assumed to have subexponential hardness. 3 mipan.info

5 enryption sheme; whereas the seond relies on the RSA funtion and is in fat length preserving. Construtions in the standard model i.e., without random orales, were then presented in [BFO + 08a, BFO08b]. Bellare et al. [BFO + 08a] presented a onstrution based on trapdoor permutations, whih is seure as long as the messages are almost uniformly distributed. Boldyreva et al. [BFO08b] presented a onstrution based on lossy trapdoor funtions, whih is seure as long as its n-bit messages have min-entropy at least n ϵ for some onstant 0 < ϵ < 1. These onstrutions, however, fall short in two interesting ases: In the multi-message setting, where arbitrarily related messages are enrypted under the same publi key; and in the multi-user setting where the same message is enrypted under several independently hosen publi keys. Reently, O Neill [O N10] made a step towards addressing the former, by presenting a sheme that an seurely enrypt any fixed number q of messages, but whose parameters depend polynomially on q. The latter ase remained unexplored until this work. Deterministi publi-key enryption was used by Bellare et al. [BBN + 09] who defined and onstruted hedged publi-key enryption shemes. These are shemes that are semantially seure in the standard sense, and maintain a meaningful and realisti notion of seurity even when orrupt randomness is used for the enryption, so long as the joint message-randomness pair has suffiient min-entropy. The definition of seurity in the latter ase takes after that of deterministi publi-key enryption. The tools underlying our onstrutions in this paper are inspired by the line of researh on enryption in the presene of auxiliary input, initiated by Dodis, Kalai, and Lovett [DKL09] in the ontext of symmetri-key enryption, and then extended in [DGK + 10, BG10] to publi-key enryption. These works onsider enryption shemes where the adversary may obtain a hard-toinvert funtion of the seret key extending the frameworks of bounded leakage [AGV09] and noisy leakage [NS09]. 1.3 Overview of Our Approah In this setion we provide a high-level overview of our approah and tehniques. We begin with a brief desription of the notions of seurity that we onsider in the auxiliary-input setting, and then desribe the main ideas underlying our two onstrutions. For simpliity, in what follows we onsider the ase where one message is enrypted under one publi key, and refer the reader to the relevant setions for the more general ase. Defining seurity with respet to auxiliary inputs. Towards desribing our notions of seurity, we first disuss our notion of hard-to-invert auxiliary inputs. We onsider any auxiliary input fx from whih it is hard to reover the input x. The soure of hardness may be any ombination of information-theoreti hardness where the funtion f is many-to-one, and omputational hardness where fx fully determines x, but x is hard to reover by effiient algorithms. Informally, we say that a funtion f is ϵ-hard-to-invert with respet to a distribution D, if for every effiient algorithm A it holds that Afx = x with probability at most ϵ, over the hoie of x D and the internal oin tosses of A. As disussed in Setion 1.1, we formalize three notions of seurity with respet to auxiliary inputs, and prove that all three are equivalent. For onreteness we fous here on the simulation-based definition, whih aptures the intuitive meaning of semanti seurity: Whatever an be omputed effiiently given a publi key, an enryption of a message, and hard-to-invert auxiliary input, an be omputed effiiently given only the publi key and the auxiliary input. A bit more formally, we say that a sheme is seure with respet to ϵ-hard-to-invert auxiliary inputs if for any probabilisti polynomial-time adversary A, and for any effiiently samplable plaintext distribution M, there exists 4 mipan.info

6 a probabilisti polynomial-time simulator S, suh that for any effiiently omputable funtion f that is ϵ-hard-to-invert with respet to M, and for any funtion g {0, 1} {0, 1}, the probabilities of the events A pk, En pk m, fm = gm and S pk, fm = gm are negligibly lose, where m M. We note that the funtions f and g may be arbitrary related 5. This is a generalization of the definitions onsidered in [BBO07, BFO + 08a, BFO08b, O N10]. The [BFO08b] sheme. Our starting point is the sheme of Boldyreva et al. [BFO08b] that is based on lossy trapdoor funtions. This is in fat the only known onstrution in the standard model i.e., without random orales that is seure for arbitrary plaintext distributions with high but not nearly full min-entropy. In their onstrution, the publi key onsists of a funtion h that is sampled from the injetive mode of the olletion of lossy trapdoor funtions, and a pair-wise independent permutation π. The seret key onsists of the trapdoor for inverting h we assume that π is effiiently invertible. The enryption of a message m is defined as En pk m = hπm, and deryption is naturally defined. In a high level, the proof of seurity in [BFO08b] onsiders the joint distribution of the publi key and the iphertext pk, En pk m, and argues that it is omputationally indistinguishable from a distribution that is independent of the plaintext m. This is done by onsidering a distribution of malformed publi keys, that is omputationally indistinguishable from the real distribution. Speifially, the injetive funtion h is replaed with a lossy funtion h to obtain an indistinguishable publi key pk. The next step is to show that the iphertext = m an be desribed by the En pk following two-step proess. First, an analogue of a strong extrator is applied to m where the seed is the permutation π that lies in pk to obtain v = m. Then, the output of the extrator ext pk is used to ompute the iphertext = g pk, v. From this point of view, it is evident that so long as the plaintext m is drawn from a distribution with high min-entropy, it holds that v = ext pk m is statistially lose to a uniform distribution over some domain. This holds even given the malformed publi key, and does not depend on the distribution of m. This methodology of using an analog of a strong extrator relies on the rooked leftover hash lemma of Dodis and Smith [DS05], that enables to base the onstrution on any olletion of lossy trapdoor funtions. Our onstrutions. In our setting, we wish to adapt this methodology to rely on omputational hardness instead of min-entropy. However, there is urrently no known analog of the rooked leftover hash lemma in the omputational setting. This is an interesting open problem. We overome this diffiulty by relying of speifi olletions of lossy trapdoor funtions, for whih we are in fat able to extrat pseudorandomness from omputational hardness. We do this by replaing the strong extrator omponent with a hard-ore funtion of the message with respet to the auxiliary input. Speifially, our enryption algorithm when using the malformed publi key an be interpreted as taking an inner produt between our message m viewed as a vetor of bits and a random vetor a, where the resulting iphertext depends only on a, m, a. This is similar to the Goldreih- Levin hard-ore prediate [GL89], exept that the vetor a is not binary and the inner produt is performed over some large Z-module and not over the binary field. We thus require the generalized Goldreih-Levin theorem of Dodis et al. [DGK + 10] to obtain that even given the auxiliary input, the distributions a, m, a and a, u are omputationally indistinguishable, where u is uniformly distributed and does not depend on the distribution of m. To be more onrete, let us onsider our DDH-based sheme formally presented in Setion 6 whih is based on the lossy trapdoor funtions of Freeman et al. [FGK + 10]. The sheme is instanti- 5 In fat, the target funtion g is allowed to take as input also the randomness that is used for sampling m, and any other publi randomness see Setion 4. 5

7 ated by a DDH-hard group G of prime order q that is generated by g. The message spae is {0, 1} n where n is polynomial in the seurity parameter and the publi key is g A, for a random n n matrix A over Z q. Enryption is done by omputing En g Am = g A m and deryption is performed using sk = A 1. 6 For analyzing the seurity of the sheme, we onsider the joint distribution of the publi key, iphertext and auxiliary input pk, En pk m, fm = g A, g A m, fm. The malformed distribution pk is obtained by taking A to be a random rank-1 matrix rather than ompletely random. DDH implies that pk and pk are omputationally indistinguishabile. Suh a low-rank matrix takes the form A = r b T, and therefore A m = r b T m, for random vetors r and b. Thus, our iphertext depends only on b, b, m whih is indistinguishable from b, u, for a uniformly random u, even given fm, by the generalized Goldreih-Levin theorem [DGK + 10]. Our initial distribution is therefore indistinguishable from the distribution g r bt, g r u, fm as required. In the multi-user setting, we observe that any polynomial number of publi keys g A 1,..., g A l are omputationally indistinguishable, by DDH, from having joint rank-1. Namely, in this ase the distributions g A 1,..., g A l and g r 1 b T,..., g r l b T are omputationally indistinguishable, where the same vetor b is used for all keys. Enrypting a message m under all suh l publi keys results in a set of iphertexts g r 1 b T m,..., g r l b T m, where all elements depend on b, b, m. This enables to apply the above approah, and we show that it in fat extends to linearly-related messages. Our seond sheme based on subgroup indistinguishability assumptions is analyzed quite similarly. We rely on the lossy trapdoor funtions of [HO09] and an again show that our publi key distribution is indistinguishable from one over rank-1 matries. However, the groups under onsideration might be non-yli. This adds additional ompliations into the analysis. In addition, this sheme does not seem to allow a joint rank argument as above, and we leave it as an open problem to onstrut an analogous sheme that is seure in the multi-user setting. 1.4 Paper Organization In Setion 2 we introdue some notation and preliminary tools. In Setion 3 we formalize a general notion for hard-to-invert auxiliary inputs that is onsidered in this paper. In Setion 4 we introdue a framework for modeling the seurity of deterministi publi-key enryption shemes with respet to auxiliary inputs, onsisting of three main notions of seurity. In Setion 5 we prove that these three notions are in fat equivalent. In Setion 6 we present a onstrution based on the Deisional Diffie-Hellman assumption and, more generally, on any of the d-linear assumptions, and in Setion 7 we present a onstrution based on subgroup indistinguishability assumptions. 2 Preliminaries For a distribution X we denote by x X the proess of sampling a value x from the distribution X. Similarly, for a set X we denote by x X the proess of sampling a value x from the uniform distribution over X. The min-entropy of a distribution X over a set X is defined as H X def = log max x X Pr[X = x]. The statistial distane total variation distane between X and Y is denoted SDX, Y. A real funtion over the naturals is negligible if it vanishes faster than any inverse polynomial, we use fk = neglk to denote that f is a negligible funtion. Two distribution ensembles {X k } k N, {Y k } k N are statistially indistinguishable if SDX k, Y k = neglk, we denote 6 We overload the notation g x to matries as follows: for X Z k n q, we let g X G k n denote the matrix defined as g X i,j = g X i,j. 6

8 this by X s Y. They are omputationally indistinguishable if for any polynomial time algorithm A, it holds that Prx Xk [A1 k, x = 1] Pr y Yk [A1 k, y = 1] is negligible, we denote this by X Y. All omputational hardness in this work is stated with regards to non-uniform adversaries. However, adapting to the uniform setting is immediate and in most ases requires no hanges at all. We denote salars in plain lowerase letters x {0, 1}. We use the term vetor both in the algebrai sense, where it indiates an element in a vetor spae and denoted by bold lowerase letters x {0, 1} k ; and in the ombinatorial sense, indiating an ordered set of elements not neessarily having any algebrai properties for whih we use the notation x. We denote a ombinatorial vetor whose elements are algebrai vetors by x, ombinatorial vetor of ombinatorial vetors by x, and ombinatorial vetor of ombinatorial vetors of algebrai vetors by x. Matries always algebrai are denoted in bold upperase X {0, 1} k n. The k k identity matrix is denoted I k. All vetors are olumn vetors by default, and a row vetor is denoted by x T. For a ommutative multipliative group G and an isomorphi Z-module M, the isomorphism M G is denoted by y g x where y G and x M. In a sense, g an be thought of as a symboli representation of a generating set of G. If G is yli then this isomorphism orresponds to atual exponentiation, with g being a generator of G. In suh ase M = Z q where q is the order of G. We overload the notation g x to matries as follows: for X M k n, we let g X G k n denote the matrix defined as g X i,j = g X i,j. 2.1 Computational Assumptions The quadrati residuosity assumption. Let GroupGen be a probabilisti polynomial-time algorithm that takes as input a seurity parameter 1 k, and outputs an integer N = P Q, where P and Q are k-bit prime numbers, and P mod 4 = Q mod 4 = 3 i.e., N is a Blum integer. For suh an integer N, we denote by J N the group of elements modulo N with Jaobi symbol 1, and by QR N the group of quadrati residues modulo N. Note that QR N is not always yli, and that 1 J N \ QR N. In addition, we fix M = M QRN to be a Z-module that is isomorphi to QR N, so that eah element in QR N an be represented as g x for some x M. 7 The quadrati residuosity assumption [GM84] is that a uniformly hosen quadrati residue is omputationally indistinguishable from a uniformly hosen quadrati non-residue with Jaobi symbol 1. More formally, the distributions {N, x : N GroupGen1 k, x QR N } k N and {N, 1 x : N GroupGen1 k, x QR N } k N are omputationally indistinguishable. We use the following lemma proven in [HO09] and impliitly extended in [BG10] to moduli that are not produts of safe primes. Lemma 2.1 [HO09, BG10]. Under the QR assumption, for any polynomial n = nk it holds that { } { g wt, 1 In g r wt } g wt, g r wt, k N k N where N GroupGen1 k, g wt QR n N, and r [N 2 ] n. The deisional Diffie-Hellman and d-linear assumptions. Let GroupGen be a probabilisti polynomial-time algorithm that takes as input a seurity parameter 1 k, and outputs a triplet G, q, g where G is a group of prime order q that is generated by g G, and q is a k-bit prime number. In this paper we rely on the following matrix form of the d-linear assumption due to 7 We advise a reader who does not want to get into the algebrai details to think of the simple ase where P and Q are safe primes i.e., P = 2P + 1 and Q = 2Q + 1, where P and Q are primes. In suh ase, the group QR N is yli and g x orresponds to an atual exponentiation where g is a generator for QR N and M = Z P Q. 7

9 Naor and Segev [NS09] generalizing [BHH + 08]. For d = 1 this variant is equivalent to the DDH assumption, and for d > 1 it is implied by the d-linear assumption see [NS09]. We denote by Rk i Z a b q the set of all a b matries over Z q with rank i. The matrix form of the d-linear assumption is that for any integers a and b, and for any d i < j min{a, b} the distributions {G, q, g, g X } X Rki Z a b q,k N and {G, q, g, gy } Y Rkj Z a b q,k N are omputationally indistinguishable, where G, q, g GroupGen1 k. A rather useful impliation of the matrix form of the d-linear assumption is that the distributions {G, q, g, g X } X Z a b and {G, q, g, g R S } q R Z a d q,s Z d b q,k N are omputationally indistinguishable, where G, q, g GroupGen1 k Hard Core Funtions Hard-ore funtions play a entral tool in our approah for reduing a hard searh problem the hardness of inverting the auxiliary input into a deision problem the hardness of distinguishing enryptions of messages sampled from different distributions. We present two hard-ore funtion theorems, both are extensions of the well known Goldreih-Levin theorem [GL89]. Theorem 2.2 is essentially taken from [DGK + 10], and Theorem 2.3 extends Theorem 2.2 to the ase where the domain under onsideration is not a field, and appears, in a slightly less general form, in [BG10]. Theorem 2.2 [DGK + 10, Theorem 1]. There exists a uniform orale mahine B suh that for all n N, for any possibly randomized funtion f : {0, 1} n {0, 1}, any distribution D over {0, 1} n, any nontrivial finite field F = F n and funtion A suh that Pr [Afx, r, r, x = 1] Pr[Afx, r, α = 1] ϵ, x D where x D {0, 1} n F n, r F n, α F and the inner produt is over F, it holds that B A runs in polynomial time and Pr[B A 1 n, 1/ϵ, fx = x] ϵ n F 2. Furthermore, B only needs to sample uniformly in F and to add two elements in F, and does not use any other property of the field. Theorem 2.3. There exists a uniform orale mahine B suh that for all n N, for any possibly randomized funtion f : {0, 1} n {0, 1}, any distribution D over {0, 1} n, any nontrivial Z- module M = M n and funtion A suh that Pr[Afx, r, r, x = 1] Pr[Afx, r, α = 1] ϵ, where x D {0, 1} n Z n, r M n, α M and the inner produt is over the module, it holds that B A runs in polynomial time and Pr[B A 1 n, 1/ϵ, fx = x] ϵ 8 M 1+log8n/ϵ2. Furthermore, B only needs to sample uniformly in M and to add two elements in M, and does not use any other property of the module. 8 The equivalene follows by defining R Rk d Z a d q and S Rk d Z d b q and notiing that sine q is superpolynomial then S, R s S, R, and that R S is distributed uniformly in Rk d Z a b q. 8

10 2.3 Deterministi Publi-Key Enryption Sheme A deterministi publi-key enryption sheme over a message spae ensemble M = {M k } is a triplet Π = KeyGen, En, De of polynomial-time algorithms with the following properties. The key-generation algorithm KeyGen is a randomized algorithm that takes the seurity parameter 1 k as input and outputs a key pair sk, pk KeyGen1 k ontaining a seret key and a publi key. The enryption algorithm En is a deterministi algorithm that takes as input a publi key pk and a message m M k where k is the seurity parameter, and outputs a iphertext = En pk m. The deryption algorithm is a possibly randomized algorithm that takes as input a seret key sk and a iphertext and outputs a message m De sk suh that m M k. For simpliity in this paper we assume perfet deryption: For every k N and m M k m it holds that Pr [De sk En pk m = m] = 1, where the probability is taken over the hoie of sk, pk KeyGen1 k and also over the internal randomness of De if the latter algorithm is randomized. 3 Hard-to-Invert Auxiliary Inputs In this work we onsider any auxiliary input fx from whih it is hard to reover the input x. The soure of hardness may be any ombination of information-theoreti hardness where the funtion f is many-to-one and omputational hardness where fx fully determines x, but x is hard to reover by effiient algorithms. Informally, we say that a funtion f is ϵ-hard-to-invert with respet to a distribution D, if for every effiient algorithm A it holds that Afx = x with probability at most ϵ over the hoie of x D and the internal oin tosses of A. For our purposes, we formalize a slightly more general notion in whih D is a distribution over vetors of inputs x = x 1,..., x t, and for every i {1,..., t} it should be hard to effiiently reover x i when given f x. In addition, we also onsider a blokwise variant of this notion, in whih it should be hard to effiiently reover x i when given x 1,..., x i 1, f x. Definition 3.1. An effiiently omputable funtion F = {f k } k N is ϵk-hard-to-invert with respet to an effiiently samplable distribution D = {D k } k N over vetors of tk inputs, if for every probabilisti polynomial-time algorithm A and for every i {1,..., tk} it holds that [ Pr A 1 k, f k x = x i ϵk, for all suffiiently large k, where the probability is taken over the hoie of x = x 1,..., x tk D k, and over the internal oin tosses of A. Definition 3.2. An effiiently omputable funtion F = {f k } k N is ϵk-blokwise-hard-to-invert with respet to an effiiently samplable distribution D = {D k } k N over vetors of tk inputs, if for every probabilisti polynomial-time algorithm A and for every i {1,..., tk} it holds that [ Pr A 1 k, x 1,..., x i 1, f k x = x i ϵk, for all suffiiently large k, where the probability is taken over the hoie of x = x 1,..., x tk D k, and over the internal oin tosses of A. 9

11 Note that Definition 3.1 implies in partiular that the distribution D is suh that eah x i has min-entropy at least log1/ϵk. Furthermore, Definition 3.2 implies that the distribution D is a blok soure in whih eah blok x i has average min-entropy at least log1/ϵk onditioned on the previous bloks x 1,..., x i 1. 4 Modeling Seurity in the Auxiliary-Input Setting In this setion we present a framework for modeling the seurity of deterministi publi-key enryption shemes with respet to auxiliary inputs. Our framework is obtained as a generalization of those onsidered in [BBO07, BFO + 08a, BFO08b] to a setting in whih the enrypted plaintexts may be fully determined by some auxiliary information that is available to the adversary. Following [BBO07, BFO + 08a, BFO08b] we formalize three notions of seurity with respet to auxiliary inputs, and prove that all three are equivalent. The first is a simulation-based semanti seurity notion PRIV-SSS, apturing the intuitive meaning of semanti seurity: whatever an be omputed given an enryption of a message and auxiliary input, an also be omputed given only the auxiliary input. The seond is a omparison-based semanti-seurity notion PRIV-CSS, whih essentially serves as an intermediate notion towards an indistinguishability-based one PRIV-IND that is somewhat easier to handle in proofs of seurity. In the remainder of this paper we use the following notation. For a deterministi publi-key enryption sheme Π = KeyGen, En, De, a publi key pk, and a vetor of messages m = m 1,..., m t we denote by En pk m the vetor En pk m 1,..., En pk m t. When onsidering a distribution M over vetors of messages m = m 1,..., m t all of whih are enrypted under the same publi key, then for the ase of hard-to-invert auxiliary inputs we make in this paper the simplifying assumption that m i m j for every i j a bit more formally, one should require that all distributions have idential equality patterns see [BBO07]. In the ase of blokwise-hard-to-invert auxiliary inputs this assumption is not neessary. In addition, for simpliity we present our definitions for the ase of hard-to-invert auxiliary inputs, and note that they naturally extend to the ase of blokwise-hardto-invert auxiliary inputs. Definition 4.1 Simulation-based seurity. A deterministi publi-key enryption sheme Π = KeyGen, En, De is PRIV-SSS-seure with respet to ϵ-hard-to-invert auxiliary inputs if for any probabilisti polynomial-time algorithm A and for any effiiently samplable distribution M = {M k } k N, there exists a probabilisti polynomial-time algorithm S, suh that for any effiiently omputable funtion F = {f k } k N that is ϵ-hard-to-invert with respet to M, and for any funtion g {0, 1} {0, 1}, there exists a negligible funtion νk suh that Adv PRIV SSS def Π,A,M,S,F,g k = Real PRIV SSS Π,A,M,F,g k IdealPRIV SSS Π,S,M,F,g k νk for all suffiiently large k, where Real PRIV SSS Π,A,M,F,g [A k = Pr 1 k, pk, Enpk m, f k m = g m Ideal PRIV SSS Π,S,M,F,g [S k = Pr 1 k, pk, f k m = g m, and the probabilities are taken over the hoies of m M k, sk, pk KeyGen1 k, and over the internal oin tosses of A and S. Definition 4.2 Comparison-based seurity. A deterministi publi-key enryption sheme Π = KeyGen, En, De is PRIV-CSS-seure with respet to ϵ-hard-to-invert auxiliary inputs if for any 10

12 probabilisti polynomial-time algorithm A, for any effiiently samplable distribution M = {M k } k N, for any effiiently omputable funtion F = {f k } k N that is ϵ-hard-to-invert with respet to M, and for any funtion g {0, 1} {0, 1}, there exists a negligible funtion νk suh that Adv PRIV CSS def Π,A,M,F,g k = Adv PRIV CSS Π,A,M,F,g k, 0 AdvPRIV CSS Π,A,M,F,g k, 1 νk for all suffiiently large k, where Adv PRIV CSS Π,A,M,F,g [A k, b = Pr 1 k, pk, Enpk m b, f k m 0 = g m 0, and the probability is taken over the hoies of m 0 M k, m 1 M k, sk, pk KeyGen1 k, and over the internal oin tosses of A. Definition 4.3 Indistinguishability-based seurity. A deterministi publi-key enryption sheme Π = KeyGen, En, De is PRIV-IND-seure with respet to ϵ-hard-to-invert auxiliary inputs if for any probabilisti polynomial-time algorithm A, for any two effiiently samplable distributions M 0 = {M 0,k } k N and M 1 = {M 1,k } k N, and for any effiiently omputable funtion F = {f k } k N that is ϵ-hard-to-invert with respet to both M 0 and M 1, there exists a negligible funtion νk suh that Adv PRIV IND def Π,A,M 0,M 1,Fk = Adv PRIV IND Π,A,M 0,M 1,Fk, 0 AdvPRIV IND Π,A,M 0,M 1,F k, 1 νk for all suffiiently large k, where Adv PRIV IND Π,A,M 0,M 1,F [A k, b = Pr 1 k, pk, Enpk m b, f k m 0 = 1 and the probability is taken over the hoies of m 0 M 0,k, m 1 M 1,k, sk, pk KeyGen1 k, and over the internal oin tosses of A. The hard-to-invert requirement. We emphasize that in the setting of deterministi publi-key enryption the requirement that the enrypted messages annot be effiiently reovered from the auxiliary input is essential unlike in the setting of randomized enryption, where the notion of semanti seurity takes into aount any auxiliary input see, for example, [Gol04, Ch. 5]. This is easily observed using our indistinguishability-based formulation Definition 4.3: an algorithm that on input f k m 0 where m 0 = m 0,1,..., m 0,tk an reover one of the m 0,i values an then enrypt this value under pk, ompare the resulting iphertext with the i-th omponent of Enpk m b, and thus learn the bit b. Relation to previous notions. We note that any onstant funtion is ϵ-hard-to-invert with respet to any message distribution of min-entropy at least log1/ϵ. Thus, our notion of auxiliaryinput seurity stritly generalizes previous seurity notions, in whih auxiliary input is not onsidered, and the message distributions need to have suffiient min-entropy [BBO07, BFO + 08a, BFO08b, O N10]. Aess to the publi key. As observed by Bellare et al. [BBO07] it is essential that the target funtion g does not take the publi key as input. Speifially, with a deterministi enryption algorithm the iphertext itself is a non-trivial information that it leaked about the plaintext, and an learly be omputed effiiently using the publi key. We refer the reader to [BBO07] for a more elaborated disussion. 11,

13 The randomness of sampling. For our notions of seurity we in fat allow the auxiliary-input funtion f and the target funtion g to take as input not only the vetor of message m, but also the random string r {0, 1} that was used for sampling m from the distribution D k. When this aspet plays a signifiant role we expliitly inlude r as part of the input for f and g, and denote by m D k r the fat that m is sampled using the random string r. When this aspet does not play a signifiant role we omit it for ease of readability in partiular, we omitted it from the above definitions. PRIV-CSS for balaned prediates. Whereas Definition 4.2 onsiders arbitrary effiiently omputable funtions g : {0, 1} {0, 1}, we note that it is in fat equivalent to its seemingly simpler variant that onsiders only δ-balaned prediates g : {0, 1} {0, 1} where we say that a prediate g is δ-balaned on a distribution M if Pr [g m = 1] 1/2 δ. Moreover, it even suffies to onsider only the ase δ = 1/4. The proof of this fat is idential to the orresponding proof of Bellare et al. [BFO + 08a], as the aspet of having an auxiliary input does not play any role in this setting. We will rely on this fat in Setion 5 when showing that PRIV-IND implies PRIV-CSS. PRIV1: fousing on a single message. As in [BFO08b] we also onsider the PRIV1-variants of our notion of seurity that fous on a single message instead of vetors of any polynomial number of messages. In Setion 5.5 we then prove that seurity for a vetor of messages with respet to a blokwise-hard-to-invert auxiliary input is in fat equivalent to seurity for a single message with respet to a hard-to-invert auxiliary input. An even stronger notion of seurity. Note that in Definition 4.3 the algorithm A is given as input the vetor 1 k, pk, Enpk m b, f k m 0, and that a seemingly stronger definition would even onsider 1 k, pk, Enpk m b, Enpk m 1 b, f k m 0, f k m 1 as its input. As indiated by the equivalene of our three definitions, suh a stronger variant is not needed for apturing the intuitive meaning of semanti seurity as in Definition 4.1. Nevertheless, our shemes in this paper in fat satisfy this stronger variant. We refer to this notion as strong indistinguishability PRIV-sIND, formally defined as follows: Definition 4.4. A deterministi publi-key enryption sheme Π = KeyGen, En, De is PRIVsIND-seure with respet to ϵ-hard-to-invert auxiliary inputs if for any probabilisti polynomialtime algorithm A, for any two effiiently samplable distributions M 0 = {M 0,k } k N and M 1 = {M 1,k } k N, and for any effiiently omputable funtion F = {f k } k N that is ϵ-hard-to-invert with respet to both M 0 and M 1, there exists a negligible funtion νk suh that Adv PRIV sind def Π,A,M 0,M 1,Fk = Adv PRIV sind Π,A,M 0,M 1,Fk, 0 AdvPRIV sind Π,A,M 0,M 1,F k, 1 νk for all suffiiently large k, where Adv PRIV sind Π,A,M 0,M 1,F [A k, b = Pr 1 k, pk, Enpk m b, Enpk m 1 b, f k m 0, f k m 1 = 1, and the probability is taken over the hoies of m 0 M 0,k, m 1 M 1,k, sk, pk KeyGen1 k, and over the internal oin tosses of A. 12

14 The multi-user setting. So far our notions of seurity onsidered vetors of messages that are enrypted under the same publi key. We now present a natural generalization to the multi-user setting, where there are multiple publi keys, eah of whih is used for enrypting a vetor of messages. For simpliity we fous here on an indistinguishability-based definition, and note that our equivalene proofs see Setion 5 easily extend to this more general setting. For the following definition we fix integer funtions lk and tk of the seurity parameter k, indiating the number of publi keys and the number of messages enrypted under eah key, respetively. In addition we use the notation pk = pk 1,..., pk lk, m = m 1,..., m lk where eah m i is a vetor of tk messages, and En pk m = En pk1 m 1,..., Enpklk m lk. Note that in the following definition the adversary reeives lk publi keys and lk tk iphertexts. Definition 4.5. A deterministi publi-key enryption sheme Π = KeyGen, En, De is PRIV- IND-MU-seure setting with respet to ϵ-hard-to-invert auxiliary inputs if for any probabilisti polynomial-time algorithm A, for any two effiiently samplable distributions M 0 = {M 0,k } k N and M 1 = {M 1,k } k N, and for any effiiently omputable funtion F = {f k } k N that is ϵ-hard-to-invert with respet to both M 0 and M 1, there exists a negligible funtion νk suh that Adv PRIV IND MU def Π,A,M 0,M 1,F k = Adv PRIV IND MU Π,A,M 0,M 1,F k, 0 AdvPRIV IND MU Π,A,M 0,M 1,F k, 1 νk for all suffiiently large k, where Adv PRIV IND MU Π,A,M 0,M 1,F [A k, b = Pr 1 k, pk, En pk m b, f k m 0 = 1, and the probability is taken over the hoies of m 0 M 0,k, m 1 M 1,k, sk i, pk i KeyGen1 k for all i {1,..., lk}, and over the internal oin tosses of A. 5 Equivalenes Between Our Notions of Seurity In this setion we prove that our simulation-based PRIV-SSS, omparison-based PRIV-CSS, and indistinguishability-based PRIV-IND notions of seurity are equivalent. The high-level approah of the equivalene proofs in this setion is motivated by [BBO07, BFO + 08a, BFO08b], but the existene of auxiliary inputs introdues various additional diffiulties that our proofs overome. As disussed in Setion 4, our omparison-based notion serves essentially as an intermediate notion between the two other notions: we first prove that PRIV-IND and PRIV-CSS are equivalent, and then prove that PRIV-CSS and PRIV-SSS are equivalent. These proofs are presented in Setions , stated for hard-to-invert auxiliary inputs, and we note that they immediately extend to blokwise-hard-to-invert auxiliary inputs. In Setion 5.5 we then prove that for our notions of seurity, seurity for a vetor of messages with respet to a blokwise-hard-to-invert auxiliary input is in fat equivalent to seurity for a single message with respet to a hard-to-invert auxiliary input. 5.1 PRIV-CSS = PRIV-IND The following lemma shows that any sheme whih is seure aording to the omparison-based definition Definition 4.2 is also seure aording to the indistinguishability-based one Definition 4.3. Lemma 5.1. Let Π be a deterministi publi-key enryption sheme. Then, for any probabilisti polynomial-time algorithm A, for any two effiiently samplable distributions M 0 and M 1, and for 13

15 any effiiently omputable funtion F that is ϵ-hard-to-invert with respet to both M 0 and M 1, there exist a probabilisti polynomial-time algorithm A, an effiiently samplable distribution M, an effiiently omputable funtion F that is ϵ-hard-to-invert with respet to M, and two funtions g, g {0, 1} {0, 1}, suh that for any k N Adv PRIV IND Π,A,M 0,M 1,Fk AdvPRIV CSS Π,A,M 0,F,gk + 2 AdvPRIV CSS Π,A,M,F,g k. Proof. For any algorithm A, two distributions M 0 and M 1, and funtion F, it holds that Adv PRIV IND Pr Π,A,M 0,M 1,F k = m0 M 0 [A 1 k, pk, Enpk m 0, f k m 0 = 1 [ Pr m 0 M 0 A 1 k, pk, Enpk m 1, f k m 0 = 1] m 1 M 1 Pr m0 M 0 [A 1 k, pk, Enpk m 0, f k m 0 = 1 [ Pr m 0 M 0 A 1 k, pk, Enpk m 1, f k m 0 = 1] m 1 M 0 [ + Pr m 0 M 0 A 1 k, pk, Enpk m 1, f k m 0 = 1 m 1 M 0 [ Pr m 0 M 0 A 1 k, pk, Enpk m 1, f k m 0 = 1] m 1 M 1 = Adv PRIV CSS Π,A,M 0,F,g k + Pr m1 M 0 [A 1 k, pk, Enpk m 1 = Pr m1 M 1 [A 1 k, pk, Enpk m 1 = 1], 5.3 where Eq. 5.1 follows by triangle inequality with Pr m 0 M 0 A 1 k, pk, Enpk m 1, f k m 0 = 1 m 1 M 0 [ and where g 1 i.e., g is the funtion that evaluates to 1 on all inputs, and A is an algorithm that on input 1 k, pk, samples m 0 M 0 and invokes A on input 1 k, pk,, f k m 0. Note that the expressions in Equations 5.2 and 5.3 orrespond to the advantage of A in distinguishing between an enryption resulting from M 0 and an enryption resulting from M 1 without auxiliary input. For bounding this advantage, let M be the balaned onvex ombination of M 0 and M 1 that is, M samples from M b for a uniformly hosen b {0, 1}, and let g be the indiator to whether M samples from M 0 or M 1. The assumption that F is ϵ-hard-to-invert with respet to both M 0 and M 1 implies in partiular that by letting F be any onstant funtion we learly have that F is ϵ-hard-to-invert with respet M. In addition, it holds that and Adv PRIV CSS Π,A,M,F,g k, 0 = 1 2 Adv PRIV CSS Π,A,M,F,g k, 1 = Pr m M 1 Pr m M0 [ A 1 k, pk, Pr m M 1 [A 1 k, pk, Enpk m m M 5.1 Enpk m = 1 = 1, 5.4 [ A 1 k, pk, Enpk m = g m = Combining Equations 5.4 and 5.5 implies that Adv PRIV CSS Π,A,M,F,g k = 1 2 Pr m M0 [A 1 k, pk, Enpk m Pr m M1 [A 1 k, pk, Enpk m ] = 1 = 1], 14

16 and therefore Adv PRIV IND Π,A,M 0,M 1,Fk AdvPRIV CSS Π,A,M 0,F,gk + 2 AdvPRIV CSS Π,A,M,F,g k. 5.2 PRIV-IND = PRIV-CSS The following lemma shows that any sheme whih is seure aording to the indistinguishabilitybased definition Definition 4.3 is also seure aording to the omparison-based one Definition 4.2. As disussed in Setion 4, reall that for the omparison-based definition it suffies to onsider δ-balaned prediates g : {0, 1} {0, 1} for δ = 1/4. Lemma 5.2. Let Π be a deterministi publi-key enryption sheme. Then, for any probabilisti polynomial-time algorithm A, for any effiiently samplable distribution M, for any effiiently omputable funtion F that is ϵ-hard-to-invert with respet to M, for any prediate g : {0, 1} {0, 1} that is δ-balaned on M where 0 < δ < 1/2, and for any polynomial pk, there exist two effiiently samplable distributions M 0 and M 1 for whih F is ϵk 1/2 δ -hard-to-invert, + 1/2 + δpk suh that for any k N { } 1 pk Adv PRIV CSS Π,A,M,F,g k max Adv PRIV IND Π,A,M 0,M,Fk, AdvPRIV IND Π,A,M 1,M,F k δ. Proof. Given a distribution M = {M k } k N and a prediate g : {0, 1} {0, 1} that is δ-balaned on M, we let α 0,k = Pr m Mk [g m = 0] α 1,k = Pr m Mk [g m = 1], and denote by M k g=0 and M k g=1 the onditional distributions of M k given that gm k = 0 and gm k = 1, respetively. Note that these onditional distributions are not always effiiently samplable, and therefore we would like to approximate them by two effiiently samplable distributions to within a negligible statistial distane. For this purpose for eah b {0, 1} we define the distribution M b = {M b,k } k N as the onvex ombination M b,k = α pk 1 b,k M k + 1 α pk 1 b,k M k g=b. That is, the distribution M b,k samples from M k with probability α pk 1 b,k and samples from M k g=b with probability 1 α pk 1 b,k. The definition of M b,k diretly implies that the statistial distane between M b,k and M k g=b is at most α pk 1 b,k 1/2 + δpk. In addition, the distribution M b,k is samplable by the following effiient algorithm: 1 sample m 1,..., m pk+1 M, 2 if there exists an index i {1,..., pk} suh that g m i = b then output m i for the minimal suh i, and otherwise output m pk+1. Finally, note that for any funtion F = {f k } k N that is ϵ-hard-to-invert with respet to M, for any effiient algorithm I, and for any i {1,..., tk} it holds that ϵk Pr x Mk [I 1 k, f k x = x i = x i α b,k Pr x Mk g=b [I [ α b,k Pr x Mb,k I 1 k, f k x 1 k, f k x = x i SD M k g=b, M b,k, 15