Trapdoor functions from the Computational Diffie-Hellman Assumption

Size: px

Start display at page:

Download "Trapdoor functions from the Computational Diffie-Hellman Assumption"

Helen Potter
5 years ago
Views:

1 Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, / 18

2 Classical Public-Key Crypto 2 / 18

3 Classical Public-Key Crypto 2 / 18

4 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk 3 / 18

5 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) 3 / 18

6 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) TDF ik ik 1 k G x F y y F 1 x tk tk 3 / 18

7 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) TDF ik ik 1 k G x F y y F 1 x tk One-wayness Security: (ik, F(ik, x))? x is hard for random ik, x. tk 3 / 18

8 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. 4 / 18

9 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. Relations TDF implies the existence of PKE. [Yao 82, GM 82]. 4 / 18

10 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. Relations TDF implies the existence of PKE. [Yao 82, GM 82]. TDF impossible from PKE w.r.t. black-box techniques [GMR 01]. 4 / 18

11 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 5 / 18

12 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) 5 / 18

13 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 5 / 18

14 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 Bob: Compute x 1 = F 1 (tk 1, y 1 ) and check if y 2 = F(ik 2, x 1 ). Application: black-box constructions of CCA-secure PKE ([PW 08,RS 09, etc]). 5 / 18

). Application: black-box constructions of CCA-secure PKE ([PW 08,RS 09, etc]).

15 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 Bob: Compute x 1 = F 1 (tk 1, y 1 ) and check if y 2 = F(ik 2, x 1 ). Application: black-box constructions of CCA-secure PKE ([PW 08,RS 09, etc]). PKE instead of TDF Consistency check: require some kind of proof (e.g., NIZK). [BFY90,NY90] 5 / 18

16 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] 6 / 18

17 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] Big gap from PKE! 6 / 18

18 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] Big gap from PKE! This talk: We can do it from CDH. 6 / 18

19 CDH and DDH G: group of order p and generator g. 7 / 18

20 CDH and DDH G: group of order p and generator g. Computational Diffie-Hellman (CDH) Hard to compute g xy from (g, g x, g y ), where x, y Z p. 7 / 18

21 CDH and DDH G: group of order p and generator g. Computational Diffie-Hellman (CDH) Hard to compute g xy from (g, g x, g y ), where x, y Z p. Decisional Diffie-Hellman (DDH) (g, g x, g y, g xy ) c (g, g x, g y, g z ), where x, y, z Z p 7 / 18

22 Why is CDH Preferable? 8 / 18

23 Why is CDH Preferable? CDH is a weaker assumption. There are groups in which CDH is conjectured to be hard but DDH is easy (e.g., Z p, groups with pairings). 8 / 18

24 Main Challenge in Building TDF from DH-Related Assumptions Why is constructing TDF from Diffie-Hellman assumptions difficult? 9 / 18

25 Main Challenge in Building TDF from DH-Related Assumptions Why is constructing TDF from Diffie-Hellman assumptions difficult? It doesn t naturally offer trapdoors! 9 / 18

26 TDF from DDH (Failed Idea Using ElGamal Encryption) 10 / 18

27 TDF from DDH (Failed Idea Using ElGamal Encryption) (G, g), G = p. pk = g α pk c = (g r, pk r m) r? 1 k G m E c D sk = α r sk = α m 10 / 18

28 TDF from DDH (Failed Idea Using ElGamal Encryption) (G, g), G = p. pk = g α pk c = (g r, pk r m) r? 1 k G m E c D sk = α r sk = α m Main bottleneck in designing TDFs Recovering r: solving the Discrete Log! 10 / 18

29 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. 11 / 18

30 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 11 / 18

31 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) 11 / 18

32 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! 11 / 18

33 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! One-wayness Matrix pseudorandomness [NR97]: DDH implies g M c g M, where M is a random invertible matrix and M is a random rank-one matrix. 11 / 18

34 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! One-wayness Matrix pseudorandomness [NR97]: DDH implies g M c g M, where M is a random invertible matrix and M is a random rank-one matrix. CDH is not known to imply rank indistinguishability. 11 / 18

35 1 Background Introduction Main Challenges 2 Our TDF Construction Our Methodology Base Primitive: Recyclable Targeting KEM TDF from Recyclable Targeting KEM 3 Summary and Future Work 12 / 18

36 Our Methodology for building TDF from CDH Derandomizing a class of PKE 13 / 18

37 Our Methodology for building TDF from CDH Derandomizing a class of PKE TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG 17, BBS 03] 13 / 18

38 Our Methodology for building TDF from CDH Derandomizing a class of PKE TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG 17, BBS 03] Plan for the Rest of the talk Define Recyclable Targeted KEM CDH Recyclable Targeted KEM (Not discussed. See [DG 17].) Recyclable Targeted KEM TDF 13 / 18

39 Key-Encapsulation Mechanism pk pk e e 1 k G m E c c D m sk e is always a single bit. r sk 14 / 18

40 Recyclable Targetted KEM 15 / 18

41 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. 15 / 18

42 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. Security: (pk, sk, ct, e) c (pk, sk, ct, e ), where (ct, e) $ E(pk, (i, 1 sk i ); r) and e $ {0, 1}. 15 / 18

43 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. Security: (pk, sk, ct, e) c (pk, sk, ct, e ), where (ct, e) $ E(pk, (i, 1 sk i ); r) and e $ {0, 1}. Recyclability ct does not depend on pk. So E(pk, (i, b); r) = (E 1 ((i, b); r), E 2 (pk, (i, b); r)) = (ct, e) 15 / 18

44 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b 16 / 18

45 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = = 1 ) E 1 ((i=1,b=1);r 1 ) ct 1 16 / 18

46 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): 16 / 18

47 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). 16 / 18

48 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) 16 / 18

49 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). 16 / 18

50 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) 16 / 18

51 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. 16 / 18

52 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. Not clear how to prove security! 16 / 18

53 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. Not clear how to prove security! Fix: Put a random bit in the place you cannot apply D. 16 / 18

54 Recovering the First Bit Gen(1 λ ): tk = ( r1 r 1 ) and ik = ( ct1 ct 1 ) = F(ik, sk b 1 ): let pk = G(sk). Then: ( ) D(sk, ct1 ) if sk1 = 0 then M 1 := b ( 1 ) b if sk1 = 1 then M 1 := 1 D(sk, ct 1 ) Return Y = (pk, M 1 ). F 1 (tk, Y): M 1 = ( ) E1 ((i=1,b=0);r 1 ) E 1 ((i=1,b=1);r 1 ) ( ) E2 (pk, (1, 0); r 1 ) E 2 (pk, (1, 1); r 1 ) 17 / 18

55 Summary and Future Work Summary A Construction of TDFs from CDH. Future Work Extended forms of TDFs from CDH (e.g., lossy trapdoor functions) Trapdoor Permutations from CDH/DDH? 18 / 18

Lossy Trapdoor Functions and Their Applications

1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information