A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy


Adam O’Neill, Leonid Reyzin (Boston University)
Benjamin Fuller (Boston University & MIT Lincoln Lab)

Public Key Encryption (PKE)

[Figure: message m and random coins $ enter Enc under public key PK, producing ciphertext c]

Need randomness to achieve semantic security.

What can be achieved without randomness?

Why deterministic PKE?

• The question of deterministic symmetric key encryption is well understood:
  Key: k; Messages: m1, …, mn
  Encryption: pad1 || … || padn = prg(k); ci = padi ⊕ mi
  (prg – pseudorandom generator: each bit appears random to a bounded distinguisher)

• Deterministic PKE is difficult but has important applications:
  – Supporting devices with limited/no randomness
  – Enabling encrypted search
  – E.g. spam filtering by keyword on encrypted email

Deterministic PKE

• PKE scheme where encryption is deterministic
  – Introduced by [BellareBoldyrevaO’Neill07]

• Need a source of randomness → messages are the only hope

• Security defined w.r.t. a high-entropy message distribution M
  – H∞(M) ≥ μ ⇔ for all m, Pr[M = m] ≤ (1/2)^μ
  • Even the most likely message is hard to guess
  • E.g.: uniform with first bit 1; network packet with fixed header
  – Message distribution must be independent of the public key

• An approach: fake coins to a chosen-plaintext-secure (CPA) scheme [BellareBoldyrevaO’Neill07, BellareFischlinO’NeillRistenpart08]
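As an added illustration (not code from the talk), the Python below computes H∞ for the slide's example source, uniform strings with the first bit fixed to 1, and for that source conditioned on an event e. It checks the standard bound H∞(M|e) ≥ H∞(M) − log2(1/Pr[e]), which is what makes conditioning on events with Pr[e] ≥ 1/4 affordable in the definitions that follow: at most 2 bits of min-entropy are lost. Both distributions are constructed toy sources over 4-bit messages.

```python
import math
from fractions import Fraction
from itertools import product

def uniform_first_bit_one(n=4):
    """Constructed source from the slide: uniform over n-bit messages whose first bit is 1."""
    msgs = [m for m in product((0, 1), repeat=n) if m[0] == 1]
    return {m: Fraction(1, len(msgs)) for m in msgs}

def skewed_first_bit_one(n=4):
    """Constructed non-uniform source: the message (1,0,...,0) has probability 1/4 and the
    other first-bit-1 messages share the remaining 3/4 equally."""
    msgs = [m for m in product((0, 1), repeat=n) if m[0] == 1]
    heavy = (1,) + (0,) * (n - 1)
    rest = [m for m in msgs if m != heavy]
    dist = {m: Fraction(3, 4 * len(rest)) for m in rest}
    dist[heavy] = Fraction(1, 4)
    return dist

def min_entropy(dist):
    """H_inf(M) = -log2(max_m Pr[M = m]); H_inf(M) >= mu iff every Pr[M = m] <= 2^-mu."""
    return -math.log2(max(dist.values()))

def condition(dist, event):
    """M|e: keep the messages satisfying the event and renormalise. Returns (M|e, Pr[e])."""
    pr_e = sum(p for m, p in dist.items() if event(m))
    if pr_e == 0:
        raise ValueError("cannot condition on an event of probability zero")
    return {m: p / pr_e for m, p in dist.items() if event(m)}, pr_e

def entropy_loss(dist, event):
    """Bits of min-entropy lost by conditioning on e: H_inf(M) - H_inf(M|e)."""
    cond, _ = condition(dist, event)
    return min_entropy(dist) - min_entropy(cond)

def bound_holds(dist, event):
    """Standard fact: H_inf(M|e) >= H_inf(M) - log2(1/Pr[e]); Pr[e] >= 1/4 costs at most 2 bits."""
    _, pr_e = condition(dist, event)
    return entropy_loss(dist, event) <= math.log2(1 / pr_e) + 1e-9

def second_bit_zero(m):
    """An event e that fixes one more bit of the message, as in the slide's examples."""
    return m[1] == 0
```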

Results

• Deterministic PKE from:
  – General: arbitrary TDF with enough hardcore bits
  – Efficient: single application of TDF

• Framework yields constructions from Niederreiter, RSA & Paillier
  – These TDFs have many hardcore bits under non-decisional (search) assumptions

• Tools of independent interest:
  – Improved equivalence between indistinguishability & semantic security
  – Conditional computational entropy

• First deterministic PKE for q arbitrarily correlated messages
  – Extension of LHL to correlated sources using 2q-wise indep. hash
  – Extension of crooked LHL to improve parameters


Our Scheme: Encrypt with hardcore (Enc_hc)

[Figure: m → TDF → Enc (under PK); m → hc → Ext → coins for Enc; output c]

TDF – Trapdoor function: easy to compute, hard to invert without the key
hc – Hardcore function: pseudorandom given the output of TDF
Ext – Randomness extractor: converts high-entropy distributions to uniform
Enc – Randomized encryption algorithm


Question: Why is this semantically secure?

Outline of Security Proof

[Figure: the Enc_hc diagram with the proof chain]

Indistinguishability ⇒ Semantic Security (for a message distribution M), via a general definitional equivalence

Semantic Security for Deterministic PKE

[Figure: game between Adversary A and Challenger. M – message distribution; f – test function. The challenger samples m_b from M and sends DetEnc(m_b) together with pk]

Compare: compute f from the ciphertext vs. compute f from a random ciphertext.

Indistinguishability for Deterministic PKE

[Figure: game between Adversary A and Challenger. M0, M1 – message distributions. The challenger picks bit b, samples m from M_b and sends DetEnc(m) together with pk; A guesses b]

Outline of Security Proof

Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events such that Pr[e0], Pr[e1] ≥ 1/4
⇒ Semantic Security: for a message distribution M
(general definitional equivalence)

Our Scheme (Enc_hc)

[Figure: m → TDF → Enc (under PK); m → hc → Ext → coins for Enc]

Question: Why is this indistinguishable?

To gain intuition we will try removing the extractor.

Toy Scheme (Enc_hc without the extractor)

[Figure: m → TDF → Enc (under PK); m → hc → coins for Enc directly]

Question: Is this scheme indistinguishable?
NO: hc can reveal the first bit of m. Enc can reveal its first coin.

Outline of Security Proof

Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all events e with Pr[e] ≥ 1/4
⇒ Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events such that Pr[e0], Pr[e1] ≥ 1/4
⇒ Semantic Security: for a message distribution M

Q: Is any hc robust? A: NO! Define event e: fix the first bit (previous example!)

Robustness: Implicit in Prior Work

TDF                           | Robust hc function                                | Reference
Iterated trapdoor permutation | [GL89] hc bit at each iteration ([BM84] PRG)      | [BellareFischlinO’NeillRistenpart08]
Lossy trapdoor function       | Pairwise independent hash function                | [BoldyrevaFehrO’Neill08]
Arbitrary trapdoor function   | Any function with enough hc bits + extractor Ext  | This work

Outline of Security Proof

Hardcore function: hc(M) is pseudorandom given TDF(M)
⇒ Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all events e with Pr[e] ≥ 1/4
⇒ Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events such that Pr[e0], Pr[e1] ≥ 1/4
⇒ Semantic Security: for a message distribution M

Rest of the talk: the first step, from a hardcore function to a robust hardcore function (this is where Ext( ) enters the scheme).

Outline of Security Proof

1. Hardcore function: hc(M) is pseudorandom given TDF(M)
2. Comp. Entropy: hc(M|e) has high computational entropy
3. Uniform Ext Output: Ext(hc(M|e)) is pseudorandom
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom

Hardcore function ⇒ Robust hardcore function ⇒ Indistinguishability ⇒ Semantic Security

(1) Hc function → (2) Comp. Entropy

• Know: hc produces pseudorandom bits on M, i.e. hc(M) ≈ U
• Want: hc produces pseudorandom bits on M|e

Problem: hc(M|e) cannot be pseudorandom. For example, event e can fix the first bit of hc(M).

Solution: Use HILL entropy!

(1) Hc function → (2) Comp. Entropy

• Know: hc produces pseudorandom bits on M
• Want: H^HILL(hc(M|e)) is high

HILL entropy: H^HILL_{ε,s}(X) ≥ μ if ∃Y with H∞(Y) ≥ μ and X ≈_{ε,s} Y
(ε – distinguisher advantage; s – distinguisher size)

How is H^HILL(hc(M|e)) related to H^HILL(hc(M))?
General question: how is H^HILL(X | E=e) related to H^HILL(X)?

Conditional Computational Entropy

Our Lemma:

Info-Theoretic Case:

Warning: this is not H^HILL!
• Different Y (that has true entropy) for each distinguisher (“metric*” entropy)
• Notion used in [BarakShaltielWigderson03], [DziembowskiPietrzak08]
• Can be converted to HILL entropy with a loss in circuit size [BSW03, ReingoldTrevisanTulsianiVadhan08]

Our Theorem:

Tangent: Average-Case Conditional Entropy

Our Lemma:

Info-Theoretic Case [DodisOstrovskyReyzinSmith04]:

• We can apply the lemma multiple times to measure H(M | E1, E2)
• Cannot measure entropy when the original distribution is conditional
• Average-case conditioning is useful for leakage resilience (conditioning on a distribution, not a single event!)

Works on conditional computational entropy: [ReingoldTrevisanTulsianiVadhan08], [DziembowskiPietrzak08], [ChungKalaiLiuRaz11], [GentryWichs10]

(1) Hc function → (2) Comp. Entropy

[Figure: M|e → hc → HILL entropy]

Our Theorem:

Outline of Security Proof

1. Hardcore function: hc(M) is pseudorandom given TDF(M)
2. Cond. Comp. Entropy: hc(M|e) has high computational entropy for all e with Pr[e] ≥ 1/4
3. Uniform Ext Output: Ext(hc(M|e)) is pseudorandom for all e with Pr[e] ≥ 1/4
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom

Hardcore function ⇒ Robust hardcore function ⇒ Indistinguishability ⇒ Semantic Security

(2) Cond. Comp. Entropy → (3) Unif. Ext Output

[Figure: M|e → hc → HILL entropy → Ext → pseudorandom]

Extractors convert distributions with min-entropy to uniform, and distributions with H^HILL to pseudorandom.


(3) Unif. Ext Output → (4) Robust hc function

[Figure: M|e → TDF; M|e → hc → HILL entropy → Ext → pseudorandom]

• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext(hc(M|e)) is pseudorandom ((1) → (3))
• Want: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom

Unfortunately our entropy theorem does not work if the starting point is conditional.
Solution: Consider the joint distribution (hc(M), TDF(M)). Condition on e to measure the entropy of (hc(M|e), TDF(M|e)).

Lemma: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom.


Our Scheme (Enc_hc)

[Figure: m → TDF → Enc (under PK); m → hc → Ext → coins for Enc]

If hc is hardcore on M ⇒ Enc_hc is secure on M

Results

• Enc_hc, deterministic PKE from:
  – General: arbitrary TDF with enough hardcore bits
  – Efficient: single application of TDF

• Framework yields constructions from Niederreiter, RSA & Paillier
  – These TDFs have many hardcore bits under non-decisional (search) assumptions

• Tools of independent interest:
  – Improved definitional equivalence
  – Conditional computational entropy

• Allows encryption of messages from block sources
  – Each message has entropy conditioned on the previous messages: H∞(Mi | M1, …, Mi-1) is high


Briefly: Extending to multiple messages

• Enc_hc does not extend when multiple arbitrarily correlated messages are encrypted
• We need an extractor that “decorrelates” messages: use a 2q-wise independent hash function
• First scheme for q arbitrarily correlated messages

[Figure: the Enc_hc diagram with Ext replaced by Hash]

Lemma (Extension of LHL): Let M1, …, Mq be high-entropy, arbitrarily correlated random variables (Mi ≠ Mj), and let Hash be a family of 2q-wise independent hash functions (keyed by K). Then

  (K, Hash(K, M1), …, Hash(K, Mq)) ≈ (K, U1, …, Uq)
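As an added, constructed illustration of the combinatorial property the lemma relies on (not the paper's construction), the Python below builds a t-wise independent hash family over a tiny prime field, Hash(K, m) = Σ k_i·m^i mod p for a random polynomial of degree < t, and checks by exhaustive enumeration over all keys that the joint outputs on q distinct, correlated inputs are exactly uniform when t ≥ q, and are not when t is too small or when two inputs coincide (the Mi ≠ Mj condition). The lemma asks for 2q-wise independence because its inputs are random high-entropy sources rather than fixed points; this check is on fixed inputs, where q-wise already gives exact uniformity. The field size P = 7 and the input sequence are constructed toy values.

```python
import itertools
from collections import Counter

P = 7  # constructed toy field size; a real instantiation uses a large field

def poly_hash(key, m, p=P):
    """Hash(K, m) = k_0 + k_1*m + ... + k_{t-1}*m^(t-1) mod p, with K = (k_0, ..., k_{t-1})."""
    return sum(k * pow(m, i, p) for i, k in enumerate(key)) % p

def joint_output_counts(messages, t, p=P):
    """For every key K of the degree-<t family, record the tuple (Hash(K,m1), ..., Hash(K,mq))."""
    return Counter(
        tuple(poly_hash(key, m, p) for m in messages)
        for key in itertools.product(range(p), repeat=t)
    )

def outputs_exactly_uniform(messages, t, p=P):
    """True iff, over a uniformly random key, the joint outputs on the given inputs are
    uniform over Z_p^q: every tuple appears exactly p^(t-q) times among the p^t keys."""
    q = len(messages)
    if t < q:
        return False  # fewer key coordinates than outputs: the joint output cannot be uniform
    counts = joint_output_counts(messages, t, p)
    return len(counts) == p ** q and set(counts.values()) == {p ** (t - q)}

def correlated_inputs(q, p=P):
    """Constructed 'arbitrarily correlated' inputs: each message is the previous one plus 1 mod p.
    They are fully dependent on each other but pairwise distinct, which is all the property needs."""
    return tuple((1 + i) % p for i in range(q))
```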

Results

• Enc_hc, deterministic PKE from:
  – General: arbitrary TDF with enough hardcore bits
  – Efficient: single application of TDF

• Framework yields constructions from Niederreiter, RSA & Paillier
  – These TDFs have many hardcore bits under non-decisional (search) assumptions

• Tools of independent interest:
  – Improved definitional equivalence
  – Conditional computational entropy

• First deterministic PKE for q arbitrarily correlated messages
  – Extension of LHL to correlated sources using 2q-wise indep. hash
  – Extension of crooked LHL to improve parameters

Thank you!
