A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy
Benjamin Fuller (Boston University & MIT Lincoln Lab), Adam O’Neill and Leonid Reyzin (Boston University)
Public Key Encryption (PKE)
[Diagram: Enc takes the public key PK, a message m and random coins $, and outputs a ciphertext c]
Need randomness to achieve semantic security.
What can be achieved without randomness?
Why deterministic PKE?
• The question of deterministic symmetric key encryption is well understood:
  Key: k. Messages: m1, …, mn
  Encryption: pad1 || … || padn = prg(k); ci = padi ⊕ mi
  (prg – pseudorandom generator: each output bit appears random to a bounded distinguisher)
• Deterministic PKE is difficult but has important applications:
  – Supporting devices with limited/no randomness
  – Enabling encrypted search, e.g. spam filtering by keyword on encrypted email
Deterministic PKE
• PKE scheme where encryption is deterministic
  – Introduced by [Bellare Boldyreva O’Neill 07]
• Need a source of randomness: the messages are the only hope
• Security is defined w.r.t. a high-entropy message distribution M
  – H∞(M) ≥ μ, i.e. for all m, Pr[M = m] ≤ (1/2)^μ
  • Even the most likely message is hard to guess
  • E.g.: uniform with first bit 1; a network packet with a fixed header
  – The message distribution must be independent of the public key
• One approach: fake the coins of a chosen-plaintext-secure (CPA) scheme [Bellare Boldyreva O’Neill 07, Bellare Fischlin O’Neill Ristenpart 08]
Results
• Deterministic PKE from:
  – General: arbitrary TDF with enough hardcore bits
  – Efficient: a single application of the TDF
• Framework yields constructions from Niederreiter, RSA & Paillier
  – These TDFs have many hardcore bits under non-decisional (search) assumptions
• Tools of independent interest:
  – Improved equivalence between indistinguishability & semantic security
  – Conditional computational entropy
• First deterministic PKE for q arbitrarily correlated messages
  – Extension of the LHL to correlated sources using a 2q-wise independent hash
  – Extension of the crooked LHL to improve parameters
Our Scheme: Encrypt with Hardcore (Enc_hc)
[Diagram: m is fed to TDF and to hc; Ext is applied to the output of hc; Enc, with public key PK, combines these and outputs the ciphertext c]
TDF – trapdoor function: easy to compute, hard to invert without the key
hc – hardcore function: pseudorandom given the output of the TDF
Ext – randomness extractor: converts high-entropy distributions to uniform
Enc – randomized encryption algorithm
Question: Why is this semantically secure?
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
Indistinguishability
  ⇕ General Definitional Equivalence
Semantic Security: for a message distribution M (the adversary tries to compute f from the ciphertext)
Semantic Security for Deterministic PKE
[Game diagram: the challenger picks a bit b and sends DetEnc(m_b) and pk to the adversary A.
 M – message distribution, f – test function.
 The two cases compare computing f from the ciphertext with computing f from a random ciphertext.]
Indistinguishability for Deterministic PKE
[Game diagram: M0, M1 – message distributions; the challenger picks a bit b, samples m from M_b and sends DetEnc(m) and pk to the adversary A, who guesses b]
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
  ⇕ General Definitional Equivalence
Semantic Security: for a message distribution M
Our Scheme Enc_hc (revisited)
[Same diagram: m → TDF, m → hc → Ext, Enc with PK → c; legend: TDF – trapdoor function, hc – hardcore function, Ext – randomness extractor, Enc – randomized encryption algorithm]
Question: Why is this indistinguishable?
To gain intuition we will try removing the extractor.
Toy Scheme Enc_hc (without Ext)
[Diagram: m → TDF and m → hc feed Enc with PK]
Question: Is this scheme indistinguishable?
NO: hc can reveal the first bit of m. Enc can reveal its first coin.
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e with Pr[e] ≥ 1/4
  ⇓
Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
  ⇓
Semantic Security: for a message distribution M
Q: Is any hc robust? A: NO! Define event e: fix the first bit (previous example!)
Robustness: Implicit in Prior Work
TDF                           | Robust hc function                                | Reference
Iterated trapdoor permutation | [GL89] hc bit at each iteration ([BM84] PRG)      | [Bellare Fischlin O’Neill Ristenpart 08]
Lossy trapdoor function       | Pairwise independent hash function                | [Boldyreva Fehr O’Neill 08]
Arbitrary trapdoor function   | Any function with enough hc bits + extractor Ext  | This work
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
Hardcore function: hc(M) is pseudorandom given TDF(M)
  ⇓ (via Ext; this step is the rest of the talk)
Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e with Pr[e] ≥ 1/4
  ⇓
Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
  ⇓
Semantic Security: for a message distribution M
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
1. Hardcore function: hc(M) is pseudorandom given TDF(M)
2. Comp. entropy: hc(M|e) has high computational entropy
3. Uniform Ext output: Ext(hc(M|e)) is pseudorandom
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom
Hardcore function ⇒ Robust hardcore function ⇒ Indistinguishability ⇒ Semantic Security
(1) Hc function → (2) Comp. Entropy
• Know: hc produces pseudorandom bits on M (hc(M) ≈ U)
• Want: hc produces pseudorandom bits on M|e
Problem: hc(M|e) cannot be pseudorandom. For example, event e can fix the first bit of hc(M).
Solution: Use HILL entropy!
(1) Hc function → (2) Comp. Entropy
• Know: hc produces pseudorandom bits on M
• Want: H_HILL(hc(M|e)) is high
H_HILL^{ε,s}(X) ≥ μ if there exists Y with H∞(Y) ≥ μ and X ≈_{ε,s} Y
  (ε – distinguisher advantage, s – distinguisher size)
How is H_HILL(hc(M|e)) related to H_HILL(hc(M))?
General question: How is H_HILL(X|E=e) related to H_HILL(X)?
Conditional Computational Entropy
Our Lemma: [statement not captured]
Info-Theoretic Case: [statement not captured]
Warning: this is not H_HILL!
• A different Y (that has true entropy) for each distinguisher (“metric*”)
• Notion used in [Barak Shaltiel Wigderson 03], [Dziembowski Pietrzak 08]
• Can be converted to HILL entropy with a loss in circuit size [BSW03, Reingold Trevisan Tulsiani Vadhan 08]
Our Theorem: [statement not captured]
Tangent: Average-Case Conditional Entropy
Our Lemma: [statement not captured]
Info-Theoretic Case [Dodis Ostrovsky Reyzin Smith 04]: [statement not captured]
• We can apply the lemma multiple times to measure H(M | E1, E2)
• Cannot measure entropy when the original distribution is conditional
• Average-case conditioning is useful for leakage resilience
Works on conditional computational entropy: [Reingold Trevisan Tulsiani Vadhan 08], [Dziembowski Pietrzak 08], [Chung Kalai Liu Raz 11], [Gentry Wichs 10]
Here the conditioning is on a distribution, not a single event!
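The information-theoretic case of the conditioning question on the last two slides, worked through as an added example (my code, not the authors'): for a constructed toy source it computes H∞(M), the min-entropy after conditioning on a single event e, the bound H∞(M|e) ≥ H∞(M) − log2(1/Pr[e]) (which is why an event with Pr[e] ≥ 1/4 costs at most 2 bits), and the [DORS04]-style average-case conditional min-entropy for conditioning on a random variable E rather than on one event. The source, the events and the side-information functions are constructed for the illustration.

```python
from fractions import Fraction
from math import log2
from typing import Callable, Dict, Hashable, Tuple

Msg = Tuple[int, ...]
Dist = Dict[Msg, Fraction]


def uniform_first_bit_one(n: int = 4) -> Dist:
    """Constructed toy source from the deck: n-bit strings, uniform, first bit fixed to 1."""
    msgs = [tuple((i >> k) & 1 for k in reversed(range(n))) for i in range(2 ** n)]
    kept = [m for m in msgs if m[0] == 1]
    return {m: Fraction(1, len(kept)) for m in kept}


def min_entropy(dist: Dist) -> float:
    """H_inf(M) = -log2 max_m Pr[M=m]: the 'even the most likely message is hard to guess' bound."""
    return -log2(float(max(dist.values())))


def condition(dist: Dist, event: Callable[[Msg], bool]) -> Tuple[Dist, Fraction]:
    """Return the distribution M|e for an event e (a predicate on messages) together with Pr[e]."""
    pe = sum((p for m, p in dist.items() if event(m)), Fraction(0))
    if pe == 0:
        raise ValueError("cannot condition on a probability-zero event")
    return {m: p / pe for m, p in dist.items() if event(m)}, pe


def loss_from_single_event(dist: Dist, event: Callable[[Msg], bool]) -> Tuple[float, float]:
    """Info-theoretic case: (actual loss H_inf(M) - H_inf(M|e), bound log2(1/Pr[e])).
    Since Pr[M=m | e] <= Pr[M=m] / Pr[e] for every m, the loss never exceeds the bound."""
    cond, pe = condition(dist, event)
    return min_entropy(dist) - min_entropy(cond), log2(float(1 / pe))


def avg_cond_min_entropy(dist: Dist, side_info: Callable[[Msg], Hashable]) -> float:
    """Average-case conditional min-entropy in the [DORS04] sense for E = side_info(M):
    H~_inf(M | E) = -log2( sum_e Pr[E=e] * max_m Pr[M=m | E=e] )
                  = -log2( sum_e max_{m : E(m)=e} Pr[M=m] ).
    Here E is a random variable (a whole distribution of events), not a single event."""
    best: Dict[Hashable, Fraction] = {}
    for m, p in dist.items():
        e = side_info(m)
        best[e] = max(best.get(e, Fraction(0)), p)
    return -log2(float(sum(best.values(), Fraction(0))))
```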
(1) Hc function → (2) Comp. Entropy
[Diagram: M|e → hc → HILL entropy]
Our Theorem: [statement not captured]
Outline of Security Proof
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
1. Hardcore function: hc(M) is pseudorandom given TDF(M)
2. Cond. comp. entropy: hc(M|e) has high computational entropy for e with Pr[e] ≥ 1/4
3. Uniform Ext output: Ext(hc(M|e)) is pseudorandom for e with Pr[e] ≥ 1/4
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom
Hardcore function ⇒ Robust hardcore function ⇒ Indistinguishability ⇒ Semantic Security
(2) Cond. Comp. Entropy → (3) Unif. Ext Output
[Diagram: M|e → hc → (HILL entropy) → Ext → pseudorandom]
Extractors convert distributions with min-entropy to uniform, and distributions with H_HILL to pseudorandom.
(3) Unif. Ext Output → (4) Robust hc function
[Diagram: M|e → TDF; M|e → hc → (HILL entropy) → Ext → pseudorandom]
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext(hc(M|e)) is pseudorandom ((1) → (3))
• Want: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom
Unfortunately our entropy theorem does not work if the starting point is conditional.
Solution: Consider the joint distribution (hc(M), TDF(M)). Condition on e to measure the entropy of (hc(M|e), TDF(M|e)).
• Lemma: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom
Our Scheme Enc_hc
[Diagram of Enc_hc: m → TDF, m → hc → Ext, Enc with PK → c]
If hc is hardcore on M, then Enc_hc is secure on M.
Results
• Enc_hc, deterministic PKE from:
  – General: arbitrary TDF with enough hardcore bits
  – Efficient: a single application of the TDF
• Framework yields constructions from Niederreiter, RSA & Paillier
  – These TDFs have many hardcore bits under non-decisional (search) assumptions
• Tools of independent interest:
  – Improved definitional equivalence
  – Conditional computational entropy
• Allows encryption of messages from block sources
  – Each message has entropy conditioned on the previous messages: H∞(Mi | M1, …, Mi−1) is high
• First deterministic PKE for q arbitrarily correlated messages (covered briefly next)
  – Extension of the LHL to correlated sources using a 2q-wise independent hash
  – Extension of the crooked LHL to improve parameters
Extending to multiple messages
• Enc_hc does not extend when multiple arbitrarily correlated messages are encrypted
• We need an extractor that “decorrelates” messages:
  • Use a 2q-wise independent hash function
  • First scheme for q arbitrarily correlated messages
[Diagram: as Enc_hc, with Hash in place of Ext]
Lemma (Extension of LHL): Let M1, …, Mq be high-entropy, arbitrarily correlated random variables (Mi ≠ Mj), and let Hash be a family of 2q-wise independent hash functions (keyed by K). Then
  (K, Hash(K, M1), …, Hash(K, Mq)) ≈ (K, U1, …, Uq)
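A concrete 2q-wise independent hash family of the kind the lemma above asks for, as an added example (my code, not the paper's construction): a random polynomial with 2q coefficients over a small prime field, plus an exhaustive check over all keys that any 2q distinct inputs hash to jointly uniform outputs, while 2q+1 inputs do not. The field size P = 7 is a constructed toy value chosen so the whole key space can be enumerated.

```python
from collections import Counter
from itertools import product
from typing import Sequence

P = 7  # constructed toy prime so that all P**d keys can be enumerated


def poly_hash(key: Sequence[int], x: int, p: int = P) -> int:
    """Hash(K, x) = sum_i K[i] * x**i mod p, evaluated by Horner's rule.
    A uniformly random key with d coefficients (degree < d) is a d-wise independent
    family: d evaluation points determine the polynomial uniquely, so the map
    key -> (Hash(K, x1), ..., Hash(K, xd)) is a bijection on distinct inputs."""
    acc = 0
    for coef in reversed(key):
        acc = (acc * x + coef) % p
    return acc


def is_k_wise_independent(inputs: Sequence[int], d: int, p: int = P) -> bool:
    """Exhaustively check that for the given distinct inputs the output tuple is uniform
    over GF(p)^len(inputs) when the key is uniform over GF(p)^d, i.e. every output
    tuple occurs for exactly p**d / p**len(inputs) keys."""
    if len(set(inputs)) != len(inputs):
        raise ValueError("inputs must be distinct (the lemma assumes Mi != Mj)")
    counts: Counter = Counter()
    for key in product(range(p), repeat=d):
        counts[tuple(poly_hash(key, x, p) for x in inputs)] += 1
    expected, rem = divmod(p ** d, p ** len(inputs))
    return rem == 0 and len(counts) == p ** len(inputs) and set(counts.values()) == {expected}


def hash_messages(key: Sequence[int], msgs: Sequence[int], p: int = P) -> tuple:
    """Apply one key to q (possibly correlated, distinct) messages, as in the lemma's
    left-hand side (K, Hash(K, M1), ..., Hash(K, Mq))."""
    return tuple(poly_hash(key, m, p) for m in msgs)


if __name__ == "__main__":
    q = 2
    print("2q-wise independent on 4 inputs:", is_k_wise_independent([0, 1, 2, 3], 2 * q))
    print("(2q+1)-wise on 5 inputs:", is_k_wise_independent([0, 1, 2, 3, 4], 2 * q))
    print("one key on correlated messages (m, m+1):", hash_messages((1, 2, 3, 4), (3, 4)))
```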
Thank you!