Smooth Projective Hash Function and Its Applications

Transcription

1 Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014

2 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In EUROCRYPT, pages 13 25, Ronald Cramer and Victor Shoup. A practical public key cryptosystems provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13 25, Shai Halevi and Yael Tauman Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer. In Journal of Cryptology, pages , Rosario Gennaro and Yehuda Lindell. A Framework for Password-Based Authenticated Key Exchange. In EUROCRYPT, pages , 2003.

3 Outline 1 Part I: A Case Study 2 Part II: Smooth Projective Hash Function 3 Part III: Applications of SPHF

4 Part I: A Case Study-ECP Problem

5 Case Study Exponentiations Consistency Proving (ECP) ECP-Problem

6 Case Study Exponentiations Consistency Proving (ECP) ECP-Problem Problem: Given g 1, g 2, X 1, X 2, the prover wants to prove to the verifier that there is an r where X 1 = g1 r, X 2 = g2 r without leaking the value of r to the verifier.

7 Case Study Exponentiations Consistency Proving (ECP) ECP-Problem Problem: Given g 1, g 2, X 1, X 2, the prover wants to prove to the verifier that there is an r where X 1 = g1 r, X 2 = g2 r without leaking the value of r to the verifier. Solution:

8 Case Study Exponentiations Consistency Proving (ECP) ECP-Problem Problem: Given g 1, g 2, X 1, X 2, the prover wants to prove to the verifier that there is an r where X 1 = g1 r, X 2 = g2 r without leaking the value of r to the verifier. Solution: Correctness: if X 1 = g r 1, X 2 = g r 2, then X b 1 1 X b 2 2 = g rb 1 1 g rb 2 2 = (g b 1 1 g b 2 2 )r = Z r

9 Case Study ECP Problem (cont d) Soundness? What if X 1 = g r 1 1, X 2 = g r 2 2, where r 1 r 2? (Denote log = log g1 and suppose that log(g 2 ) = w)

10 Case Study ECP Problem (cont d) Soundness? What if X 1 = g r 1 1, X 2 = g r 2 2, where r 1 r 2? (Denote log = log g1 and suppose that log(g 2 ) = w) Note that Z = g b 1 1 g b 2 2 = g b 1+wb 2 1 which constraints (b 1, b 2 ) to satisfy b 1 + wb 2 = log(z) (1)

11 Case Study ECP Problem (cont d) Soundness? What if X 1 = g r 1 1, X 2 = g r 2 2, where r 1 r 2? (Denote log = log g1 and suppose that log(g 2 ) = w) Note that Z = g b 1 1 g b 2 2 = g b 1+wb 2 1 which constraints (b 1, b 2 ) to satisfy b 1 + wb 2 = log(z) (1) If X 1 = g r 1 1, X 2 = g r 2 2, where r 1 r 2, then X b 1 1 X b 2 2 = g r 1b 1 1 g r 2b 2 2 = g r 1b 1 +r 2 wb 2 1. So, for any h G, we have X b 1 1 X b 2 2 = h iff r 1 b 1 + r 2 wb 2 = log(h) (2) Equations (1), (2) are linearly independent regarding b 1, b 2. Hence, Pr[X b 1 1 X b 2 2 = h] = 1/G The distribution of X b 1 1 X b 2 2 is uniform in G.

12 Case Study ECP Problem Several Observations from ECP 1 Designated Verifier. Only the verifier who has the trapdoor key (b 1, b 2 ) can do the verification. 2 Correctness Assurance. The proof can be computed in two different ways by the prover (Z r ) and the verifier (X b 1 respectively. 1 X b 2 2 ) 3 Soundness Assurance. The prover can only convince the verifier with negligible probability if the statement is false.

13 Case Study ECP Problem Several Observations from ECP 1 Designated Verifier. Only the verifier who has the trapdoor key (b 1, b 2 ) can do the verification. 2 Correctness Assurance. The proof can be computed in two different ways by the prover (Z r ) and the verifier (X b 1 respectively. 1 X b 2 2 ) 3 Soundness Assurance. The prover can only convince the verifier with negligible probability if the statement is false. Designated Verifier Non-Interactive Zero-Knowledge Proof, where the language is as follow, L DDH = {(u 1, u 2 ) : r Z p s.t.u 1 = g r 1, u 2 = g r 2}, where g 1, g 2 G, (G) = p.

14 Part II: Smooth Projective Hash Function

15 Smooth Projective Hash Function (SPHF) Definition of SPHF Roughly speaking, the definition of SPHF requires the existence of a domain X and an underlying NP language L X. And SPHF consists of a keyed hash pair Hash hk : X Π, ProjHash hp : L Π L. Informally, SPHF is defined by the following algorithms: HashKG(L): generates a hashing key hk for the language L; ProjKG(hk, L): derives the projection key hp from the hashing key hk; 1 Hash(hk, L, C): outputs the hash value of the world C from the hashing key hk; ProjHash(hp, L, C, w): outputs the hash value of the world C from the projection key hp, and the witness w that C L. 1 In some special SPHF, the projection key may depend on the word C L.

16 Smooth Projective Hash Function (SPHF) Properties of SPHF Normally, a SPHF has the following two properties: Projection: If a word C L with w the witness, then Hash(hk, L, C)=ProjHash(hp, L, C, w); Smoothness: If a word C X /L, then (hp, Hash(hk, L, C)) s (hp, R) where s means statistically indistinguishable, and R $ Π (hash value space). Extension of the Smoothness Property: Smoothness 2 : If there is another word C X /L, then (hp, Hash(hk, L, C), Hash(hk, L, C )) s (hp, R, R ) where R, R $ Π.

17 Example: SPHF-1 for ECP Problem SPHF-1 for ECP Problem

18 Example: SPHF-1 for ECP Problem SPHF-1 for ECP Problem Domain X DDH : Language L DDH : X DDH = {u 1, u 2 : r 1, r 2 s.t. u 1 = g r 1 1, u 2 = g r 2 2 } L DDH = {u 1, u 2 : r s.t. u 1 = g r 1, u 2 = g r 2}

19 Example: SPHF-1 for ECP Problem SPHF-1 for ECP Problem Domain X DDH : Language L DDH : X DDH = {u 1, u 2 : r 1, r 2 s.t. u 1 = g r 1 1, u 2 = g r 2 2 } L DDH = {u 1, u 2 : r s.t. u 1 = g r 1, u 2 = g r 2} Suppose the word C = (X 1, X 2 ), then the SPHF on L DDH is: HashKG(L DDH ): hk = (b 1, b 2 ) $ Z 2 p; ProjKG(hk, L DDH ): hp = g b 1 1 g b 2 2 ; Hash(hk, L DDH, C): π hk = X b 1 1 X b 2 2 ; ProjHash(hp, L DDH, C, r): π hp = hp r = (g b 1 1 g b 2 2 )r.

20 Example: SPHF-1 for ECP Problem (Cont d) SPHF-1 for ECP Problem One can see that (from the analysis of ECP): Projection (for correctness): If C = (X 1, X 2 ) L DDH with r the witness, i.e., C = (g r 1, g r 2 ) then π hk = X b 1 1 X b 2 2 = g b 1r 1 g b 2r 2 = π hp ; Smoothness (for soundness): If C X DDH /L DDH, then (hp, π hk ) s (hp, R).

21 Smoothness 2 of SPHF-1? Smoothness 2 of SPHF-1?

22 Smoothness 2 of SPHF-1? Smoothness 2 of SPHF-1? Now, suppose there is another word C X DDH /L DDH, and π hk Hash(hk, L DDH, C ). Question: (hp, π hk, π hk ) s (hp, R, R )?

23 Smoothness 2 of SPHF-1? Smoothness 2 of SPHF-1? Now, suppose there is another word C X DDH /L DDH, and π hk Hash(hk, L DDH, C ). Question: Answer: No smoothness 2! (hp, π hk, π hk ) s (hp, R, R )? (hp, π hk, π hk ) s (hp, R, R )

24 New SPHF-2 for ECP Problem SPHF-2 for ECP Problem Suppose that H : {0, 1} Z p, a collision-resistant hash function. HashKG(L DDH ): hk = (a 1, a 2, b 1, b 2 ) $ Z 4 p; ProjKG(hk, L DDH ): hp = (hp 1, hp 2 ) = (g a 1 1 g a 2 2, g b 1 1 g b 2 2 ); Hash(hk, L DDH, C): π hk = X a 1+αb 1 1 X a 2+αb 2 2, where α = H(X 1, X 2 ); ProjHash(hp, L DDH, C, r): π hp = hp r 1 hpαr 2.

25 New SPHF-2 for ECP Problem SPHF-2 for ECP Problem Suppose that H : {0, 1} Z p, a collision-resistant hash function. HashKG(L DDH ): hk = (a 1, a 2, b 1, b 2 ) $ Z 4 p; ProjKG(hk, L DDH ): hp = (hp 1, hp 2 ) = (g a 1 1 g a 2 2, g b 1 1 g b 2 2 ); Hash(hk, L DDH, C): π hk = X a 1+αb 1 1 X a 2+αb 2 2, where α = H(X 1, X 2 ); ProjHash(hp, L DDH, C, r): π hp = hp r 1 hpαr 2. One can see that : Projection: If C = (X 1, X 2 ) L DDH, then π hk = π hp ; Smoothness 2 : If C X DDH /L DDH, C X DDH /L DDH, then (hp, π hk, π hk ) s (hp, R, R )

26 New SPHF-2 for ECP Problem Proof for Smoothness 2 of SPHF-2: (Denote log = log g1 and suppose that log(g 2 ) = w, C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), r 1 r 2, r 1 r 2.)

27 New SPHF-2 for ECP Problem Proof for Smoothness 2 of SPHF-2: (Denote log = log g1 and suppose that log(g 2 ) = w, C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), r 1 r 2, r 1 r 2.) Note that hp = (hp 1, hp 2 ) = (g a 1 1 g a 2 2, g b 1 (a 1, a 2, b 1, b 2 ) to satisfy 1 g b 2 2 ) which constraints a 1 + wa 2 = log(hp 1 ) (3) b 1 + wb 2 = log(hp 2 ) (4)

28 New SPHF-2 for ECP Problem Proof for Smoothness 2 of SPHF-2: (Denote log = log g1 and suppose that log(g 2 ) = w, C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), C = (X 1, X 2 ) = (g r 1 1, g r 2 2 ), r 1 r 2, r 1 r 2.) Note that hp = (hp 1, hp 2 ) = (g a 1 1 g a 2 2, g b 1 (a 1, a 2, b 1, b 2 ) to satisfy 1 g b 2 2 ) which constraints a 1 + wa 2 = log(hp 1 ) (3) b 1 + wb 2 = log(hp 2 ) (4) Moreover, π hk, π hk constraint (a 1, a 2, b 1, b 2 ) to satisfy r 1 a 1 + r 2 wa 2 + αr 1 b 1 + αr 2 wb 2 = log(π hk ) (5) r 1a 1 + r 2wa 2 + α r 1b 1 + α r 2wb 2 = log(π hk ) (6) Equations (3),(4),(5),(6) are linearly independent regarding a 1, a 2, b 1, b 2. Hence, the distribution of (π hk, π hk ) is uniform in G.

29 Membership Indistinguishable Language Membership Indistinguishable Language Let X be a set and a language L X. Suppose that word C $ L and word C $ X /L. Then we say L is a membership indistinguishable language if, (C) c (C ) where c means computationally indistinguishable.

30 Membership Indistinguishable Language Membership Indistinguishable Language Let X be a set and a language L X. Suppose that word C $ L and word C $ X /L. Then we say L is a membership indistinguishable language if, (C) c (C ) where c means computationally indistinguishable. Language L DDH : L DDH = {u 1, u 2 : r s.t. u 1 = g r 1, u 2 = g r 2} It is easy to see that the language L DDH is a membership indistinguishable language following the DDH assumption.

31 Part III: Applications of SPHF

32 Construction of CCA-secure PKE from SPHF CCA-Secure PKE from SPHFs Suppose that, HF 1 =(HashKG 1,ProjKG 1,Hash 1,ProjHash 1 ):a smooth projective hash function; HF 2 =(HashKG 2,ProjKG 2,Hash 2, ProjHash 2 ): a smooth projective hash function; (smoothness 2 ) Both SPHFs are for the same language L which is a membership indistinguishable language.

33 Construction of CCA-secure PKE from SPHF (Cont d) Generic Construction KeyGen(λ): HashKG 1 (L) hk 1, ProjKG 1 (hk 1, L) hp 1, HashKG 2 (L) hk 2, ProjKG 2 (hk 2, L) hp 2 and set pk = (hp 1, hp 2 ), sk = (hk 1, hk 2 ) Enc(m): Pick y $ L together with a witness w. Compute π hp1 = ProjHash 1 (hp 1, L, y, w) c = π hp1 m π hp2 = ProjHash 2 (hp 2, L, (y, c), w) Set the ciphertext as (y, c, π hp2 ). Dec(y, c, π hp2 ): If Hash 2 (hk 2, L, (y, c)) π hp2, output. Otherwise, output m = c Hash 1 (hk 1, L, y)

34 Construction of CCA-secure PKE from SPHF(Cont d) Security Analysis 1. Correctness: c Hash 1 (hk 1, L, y) = c ProjHash 1 (hp 1, L, y, w) = c π hp1 = m 2. Security against CCA Hard Problem: Given the language L and y, decide whether y L or not.

35 Security Proof for CCA-Secure PKE from SPHF Reduction Map:

36 Security Proof for CCA-Secure PKE from SPHF Proof Analysis: Case 1: y L. The simulation is indistinguishable from the actual attack; Case 2: y X /L. For any decryption query input (y, c, π) where y / L, we should consider the following two cases: (y, c) = (y, c ) but π π : Being rejected. (y, c) (y, c ): By the smoothness 2 property of HF 2, the value π is random and independent to the adversary. That is, the adversary can only output the correct π with negligible probability. Due to the smoothness property of HF 1, the value Hash 1 (hk 1, L, y ) for y X /L is uniformly random and hence perfectly hides the encrypted messages. (one-time pad)

37 An Instance: Cramer-Shoup Encryption Cramer-Shoup Encryption Let G = p, g 1, g 2 G and H : {0, 1} Z p. KeyGen: sk = (α 1, α 2, β 1, β 2, γ 1, γ 2 ) Z 6 p, pk = (g, h, u, v) where h = g α 1 1 g α 2 2, u = g β 1 1 g β 2 2, v = g γ 1 1 g γ 2 2. Enc pk (m): r R Z p, output CT =< C 1, C 2, C 3, C 4 >=< g r 1, g r 2, h r m, u r v rθ >, where θ = H(C 1, C 2, C 3 ). Dec sk (C 1, C 2, C 3, C 4 ): If C 4 = C β 1+θγ 1 θ = H(C 1, C 2, C 3 ), output otherwise output. 1 C β 2+θγ 2 m = C 3 /(C α 1 1 C α 2 2 ), 2, where

38 An Instance: Cramer-Shoup Encryption Cramer-Shoup Encryption Let G = p, g 1, g 2 G and H : {0, 1} Z p. KeyGen: sk = (α 1, α 2, β 1, β 2, γ 1, γ 2 ) Z 6 p, pk = (g, h, u, v) where h = g α 1 1 g α 2 2, u = g β 1 1 g β 2 2, v = g γ 1 1 g γ 2 2. Enc pk (m): r R Z p, output CT =< C 1, C 2, C 3, C 4 >=< g r 1, g r 2, h r m, u r v rθ >, where θ = H(C 1, C 2, C 3 ). Dec sk (C 1, C 2, C 3, C 4 ): If C 4 = C β 1+θγ 1 θ = H(C 1, C 2, C 3 ), output otherwise output. 1 C β 2+θγ 2 m = C 3 /(C α 1 1 C α 2 2 ), 2, where Follow the framework using SPHF-1 and SPHF-2 on L DDH!

39 SPHF for Oblivious Transfer Construction 2-Message Oblivious Transfer Protocol from SPHF

40 SPHF for Oblivious Transfer Construction 2-Message Oblivious Transfer Protocol from SPHF Suppose that the sender takes as input a pair of strings γ 0, γ 1 and the receiver takes as input a choice bit b. Here, the SPHF is on the language L X which is a membership indistinguishable language.

41 SPHF for Oblivious Transfer Construction Security Analysis Receiver Security. Membership indistinguishable language; (x b is indistinguishable from x 1 b ) Sender Security. Smoothness property; (y 1 b gives no information about γ 1 b ) Malicious Receivers. Might choose x 0, x 1 L? By requiring special word pair from L DDH. (verifiable smoothness)

42 SPHF for Password-based Authenticated Key Exchange A Framework for PAKE from SPHF

43 SPHF for Password-based Authenticated Key Exchange A Framework for PAKE from SPHF Suppose that the parties take as input a shared password w. Here, C ρ (w, r) is a commitment to w using random-coins r (witness) and common string ρ.

44 SPHF for Password-based Authenticated Key Exchange Security Analysis Membership Indistinguishable Language. Implied by the hiding property of commitment; Passive Adversary. Given (c 1, hp 1, c 2, hp 2 ), (Hash(hk 2, L, (c 2, w)), Hash(hk 1, L, (c 1, w)) c (R 1, R 2 ), where (R 1, R 2 ) $ Π 2. Adaptive Adversary. Generates a commitment c to a guessing password w, then (c, w ) X /L and thus from the view of adversary (who only see hp and not hk) where R $ Π. (Hash(hk, L, (c, w )) s R,

45 More on SPHF More about SPHF Construction Quadratic Assumption; N-Residuosity Assumption; Derived from CPA-PKE, CCA-PKE;... More applications Extractable commitment; Leakage-resilient PKE; Lossy encryption; Lossy trapdoor hash functions (LTDF);...

46 Thank you

47 Thank you Any questions?