
A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy

Adam O’Neill, Leonid Reyzin, Boston University. Benjamin Fuller, Boston University & MIT Lincoln Lab.


Presentation Transcript


  1. A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy. Adam O’Neill, Leonid Reyzin, Boston University. Benjamin Fuller, Boston University & MIT Lincoln Lab.

  2. Public Key Encryption (PKE). [Diagram labels: m, Enc, $, c, PK] Need randomness to achieve semantic security.

  3. Public Key Encryption (PKE). [Diagram labels: m, Enc, $, PK] What can be achieved without randomness?

  4. Why deterministic PKE?
     • The question of deterministic symmetric key encryption is well understood:
       Key: k. Messages: m_1, …, m_n. Encryption: pad_1 || … || pad_n = prg(k), c_i = pad_i ⊕ m_i.
       (prg: pseudorandom generator. Each bit appears random to a bounded distinguisher.)
     • Deterministic PKE is difficult but has important applications:
       • Supporting devices with limited/no randomness
       • Enabling encrypted search, e.g. spam filtering by keyword on encrypted email

  5. Deterministic PKE
     • PKE scheme where encryption is deterministic
     • Introduced by [Bellare Boldyreva O’Neill 07]
     • Need a source of randomness: messages are the only hope
     • Security defined w.r.t. a high-entropy message distribution M
     • H∞(M) ≥ μ: for all m, Pr[M = m] ≤ (1/2)^μ
     • Even the most likely message is hard to guess
     • E.g.: uniform with first bit 1, network packet with fixed header
     • Message distribution must be independent of the public key
     • An approach: fake coins to a chosen-plaintext-secure (CPA) scheme [Bellare Boldyreva O’Neill 07, Bellare Fischlin O’Neill Ristenpart 08]

  6. Results
     • Deterministic PKE from:
       • General: arbitrary TDF with enough hardcore bits
       • Efficient: single application of TDF
     • Framework yields constructions from Niederreiter, RSA & Paillier
     • These TDFs have many hardcore bits under non-decisional (search) assumptions
     • Tools of independent interest:
       • Improved equivalence between indistinguishability & semantic security
       • Conditional computational entropy
     • First deterministic PKE for q arbitrarily correlated messages
     • Extension of LHL to correlated sources using 2q-wise indep. hash
     • Extension of crooked LHL to improve parameters

  7. Results (repeat of slide 6, with the callout "Focus of the talk").

  8. Our Scheme: Encrypt with hardcore (Enc^hc). [Diagram labels: Enc, m, $, PK]

  9. Our Scheme: Enc^hc. TDF – trapdoor function; hc – hardcore function; Ext – randomness extractor; Enc – randomized encryption algorithm. TDF: easy to compute, hard to invert without key. hc: pseudorandom given output of TDF. Ext: converts high-entropy distributions to uniform. [Diagram labels: Enc, TDF, m, Ext, hc, PK]

  10. Our Scheme: Enc^hc. TDF – trapdoor function; hc – hardcore function; Ext – randomness extractor; Enc – randomized encryption algorithm. [Diagram labels: Enc, TDF, m, Ext, hc, PK] Question: Why is this semantically secure?

  11. Outline of Security Proof. Indistinguishability and Semantic Security, for a message distribution M, linked by a general definitional equivalence. [Diagram labels: m, c, Enc, Ext, PK, TDF, hc]

  12. Semantic Security for Deterministic PKE. Adversary A, Challenger. M – message distribution; f – test function. [Diagram labels: DetEnc, b, DetEnc(m_b), pk] Compute f from ciphertext.

  13. Semantic Security for Deterministic PKE. Adversary A, Challenger. M – message distribution; f – test function. [Diagram labels: DetEnc, b, DetEnc(m_b), pk] Compute f from ciphertext. Compute f from random ciphertext.

  14. Indistinguishability for Deterministic PKE. Adversary A, Challenger. M_0 – message distribution; M_1 – message distribution. [Diagram labels: b, DetEnc, DetEnc(m), pk]

  15. Outline of Security Proof. Indistinguishability and Semantic Security (for a message distribution M), linked by a general definitional equivalence. [Diagram labels: m, Enc, c, PK, TDF, hc]

  16. Outline of Security Proof. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. The two are linked by a general definitional equivalence. [Diagram labels: m, Enc, c, PK, TDF, hc]

  17. Our Scheme: Enc^hc. TDF – trapdoor function; hc – hardcore function; Ext – randomness extractor; Enc – randomized encryption algorithm. [Diagram labels: Enc, TDF, m, Ext, hc, PK] Question: Why is this secure?

  18. Our Scheme: Enc^hc. TDF – trapdoor function; hc – hardcore function; Ext – randomness extractor; Enc – randomized encryption algorithm. Question: Why is this secure (indistinguishable)? To gain intuition we will try removing the extractor. [Diagram labels: Enc, TDF, m, Ext, hc, PK]

  19. Toy Scheme: Enc^hc without the extractor. Question: Is this scheme indistinguishable? NO: hc can reveal the first bit of m. Enc can reveal its first coin. [Diagram labels: TDF, Enc, m, hc, PK]

  20. Toy Scheme (repeat of slide 19).

  21. Outline of Security Proof. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. [Diagram labels: m, Enc, c, PK, TDF, hc]

  22. Outline of Security Proof. Robust hardcore function: hc is hardcore on M|e for all e, Pr[e] ≥ 1/4. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. [Diagram labels: m, Enc, c, PK, TDF, hc]

  23. Outline of Security Proof. Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. [Diagram labels: m, Enc, c, PK, TDF, hc] Q: Is any hc robust? A: NO! Define event e: fix first bit (previous example!)

  24. Outline of Security Proof (repeat of slide 23).

  25. Robustness: Implicit in Prior Work. TDF and the corresponding robust hc function:
     • Iterated trapdoor permutation: [GL89] hc bit at each iteration ([BM84] PRG) [Bellare Fischlin O’Neill Ristenpart 08]
     • Lossy trapdoor function: pairwise independent hash function [Boldyreva Fehr O’Neill 08]
     • Arbitrary trapdoor function: any function with enough hc bits + extractor Ext (this work)

  26. Outline of Security Proof. Hardcore function: hc(M) is pseudorandom given TDF(M). Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. [Diagram labels: m, Enc, c, PK, TDF, hc, Ext( )]

  27. Outline of Security Proof. Hardcore function: hc(M) is pseudorandom given TDF(M). Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4. Indistinguishability: for all pairs M|e0, M|e1, where e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4. Semantic Security: for a message distribution M. Callout: "Rest of the talk". [Diagram labels: m, c, Enc, Ext, PK, TDF, hc, Ext( )]

  28. Outline of Security Proof. Hardcore function → Robust hardcore function → Indistinguishability → Semantic Security. [Diagram labels: m, c, Enc, Ext, PK, TDF, hc]

  29. Outline of Security Proof. Hardcore function → Robust hardcore function → Indistinguishability → Semantic Security. [Diagram labels: m, c, Enc, Ext, PK, TDF, hc] • Hardcore function: hc(M) is pseudorandom given TDF(M) • Comp. Entropy: hc(M|e) has high computational entropy • Uniform Ext Output: Ext(hc(M|e)) is pseudorandom • Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom

  30. (1) Hc function → (2) Comp. Entropy • Know: hc produces pseudorandom bits on M • Want: hc produces pseudorandom bits on M|e. [Diagram labels: M, hc, hc(M) ≈ U]

  31. (1) Hc function → (2) Comp. Entropy • Know: hc produces pseudorandom bits on M • Want: hc produces pseudorandom bits on M|e. [Diagram labels: M, M|e, hc, hc(M) ≈ U, hc(M|e) ≈ U] Problem: hc(M|e) cannot be pseudorandom. For example, event e can fix the first bit of hc(M). Solution: Use HILL entropy!

  32. (1) Hc function → (2) Comp. Entropy • Know: hc produces pseudorandom bits on M • Want: H^HILL(M | E) is high. [Diagram labels: M|e, hc]

  33. (1) Hc function → (2) Comp. Entropy • Know: hc produces pseudorandom bits on M • Want: H^HILL(hc(M|e)) is high. Definition: H^HILL_{ε,s}(X) ≥ μ if ∃Y, H∞(Y) ≥ μ, X ≈_{ε,s} Y, where ε is the distinguisher advantage and s is the distinguisher size. [Diagram labels: M|e, hc]

  34. (1) Hc function → (2) Comp. Entropy • Know: hc produces pseudorandom bits on M • Want: H^HILL(hc(M|e)) is high. Definition: H^HILL_{ε,s}(X) ≥ μ if ∃Y, H∞(Y) ≥ μ, X ≈_{ε,s} Y, where ε is the distinguisher advantage and s is the distinguisher size. [Diagram labels: M|e, hc] How is H^HILL(hc(M|e)) related to H^HILL(hc(M))? General question: How is H^HILL(X | E = e) related to H^HILL(X)?

  35. Conditional Computational Entropy. Info-Theoretic Case: Our Lemma: Warning: this is not H^HILL! • Different Y (that has true entropy) for each distinguisher (“metric*”) • Notion used in [Barak Shaltiel Wigderson 03] [Dziembowski Pietrzak 08]

  36. Conditional Computational Entropy. Info-Theoretic Case: Our Lemma: Warning: this is not H^HILL! • Can be converted to HILL entropy with a loss in circuit size [BSW03, Reingold Trevisan Tulsiani Vadhan 08] Our Theorem:

  37. Tangent: Avg Case Cond. Entropy. Info-Theoretic Case [Dodis Ostrovsky Reyzin Smith 04]: Distribution, not a single event! Our Lemma: • We can apply the lemma multiple times to measure H(M | E1, E2) • Cannot measure entropy when original distribution is conditional • Average case conditioning useful for leakage resilience. Works on conditional computational entropy: [Reingold Trevisan Tulsiani Vadhan 08], [Dziembowski Pietrzak 08], [Chung Kalai Liu Raz 11], [Gentry Wichs 10]

  38. (1) Hc function (2) Comp. Entropy Our Theorem:  HILL entropy M|e hc

  39. Outline of Security Proof. Hardcore function → Robust hardcore function → Indistinguishability → Semantic Security. [Diagram labels: m, c, Enc, Ext, PK, TDF, hc] • Hardcore function: hc(M) is pseudorandom given TDF(M) • Cond. Comp. Entropy: hc(M|e) has high computational entropy for e, Pr[e] ≥ 1/4 • Uniform Ext Output: Ext(hc(M|e)) is pseudorandom for e, Pr[e] ≥ 1/4 • Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom

  40. (2) Cond. Comp. Entropy → (3) Unif. Ext Output. [Diagram labels: M|e, hc, HILL entropy, Ext, pseudorandom] Extractors convert distributions with min-entropy to uniform, and distributions with H^HILL to pseudorandom.

  41. Outline of Security Proof (repeat of slide 39).

  42. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore). [Diagram labels: TDF, M, hc, pseudorandom]

  43. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)). [Diagram labels: TDF, M, hc, pseudorandom]

  44. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)). [Diagram labels: TDF, M|e, hc, pseudorandom]

  45. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)). [Diagram labels: TDF, M|e, hc, HILL entropy]

  46. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)) • Want: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom. [Diagram labels: TDF, Ext, M|e, hc, HILL entropy, pseudorandom]

  47. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)) • Want: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom. Unfortunately, our entropy theorem does not work if the starting point is conditional. Solution: consider the joint distribution (hc(M), TDF(M)); condition on e to measure the entropy of (hc(M|e), TDF(M|e)). [Diagram labels: TDF, Ext, M|e, hc, HILL entropy, pseudorandom]

  48. (3) Unif. Ext Output → (4) Robust hc function • Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore) • Know: Ext(hc(M|e)) is pseudorandom ((1) → (3)) • Lemma: (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom. Unfortunately, our entropy theorem does not work if the starting point is conditional. Solution: consider the joint distribution (hc(M), TDF(M)); condition on e to measure the entropy of (hc(M|e), TDF(M|e)). [Diagram labels: TDF, Ext, M|e, hc, HILL entropy, pseudorandom]

  49. Outline of Security Proof (repeat of slide 39).

  50. Our Scheme: Enc^hc. If hc is hardcore on M, then Enc^hc is secure on M. [Diagram labels: Enc, TDF, m, Ext, hc, PK]
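
Added example (not from the presentation): a toy Python run of the slide 19 distinguisher, first against the scheme with the extractor removed and then against Enc^hc, read from the slide 9 diagram as c = Enc(PK, TDF(m); Ext(hc(m))). The parameters, the SHA-256 stand-in for hc, the ElGamal stand-in for Enc and the inner-product extractor are assumptions chosen for illustration.

```python
import hashlib, random

# Toy parameters constructed for this example; far too small for real use.
N = (2**31 - 1) * (2**61 - 1)   # RSA-style modulus for the TDF (two Mersenne primes)
E = 65537                       # TDF exponent, coprime to (p-1)(q-1)
GP, G = 2**127 - 1, 3           # prime modulus and base for ElGamal (the randomized Enc)
K, OUT = 64, 32                 # hc output bits, extractor output bits

def tdf(m):
    return pow(m, E, N)

def hc(m):
    """Stand-in hardcore function whose first output bit (bit 0) is the first bit of m."""
    h = int.from_bytes(hashlib.sha256(m.to_bytes(8, "big")).digest(), "big")
    return ((h % 2**(K - 1)) << 1) | (m >> 63)

def ext(seed, x):
    """Seeded extractor: each output bit is the GF(2) inner product of x with a seed row."""
    out = 0
    for row in seed:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def enc(h, x, coins):
    """ElGamal on x with the given coins; it also publishes its first coin (bit 0)."""
    return (coins & 1, pow(G, coins, GP), x * pow(h, coins, GP) % GP)

def keygen():
    rng = random.Random(1)      # fixed seed so the run is reproducible
    return {"h": pow(G, rng.getrandbits(120), GP),
            "seed": [rng.getrandbits(K) for _ in range(OUT)]}

def toy_enc(pk, m):             # slide 19: coins = hc(m), no extractor
    return enc(pk["h"], tdf(m), hc(m))

def enc_hc(pk, m):              # slides 9-10: coins = Ext(hc(m))
    return enc(pk["h"], tdf(m), ext(pk["seed"], hc(m)))

def advantage(scheme, pk, trials=2000):
    """Distinguisher outputs the leaked coin; compare M|e0 and M|e1 (first bit of m fixed)."""
    rng, ones = random.Random(7), [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            ones[b] += scheme(pk, (b << 63) | rng.getrandbits(63))[0]
    return abs(ones[1] - ones[0]) / trials

if __name__ == "__main__":
    pk = keygen()
    print("toy scheme:", advantage(toy_enc, pk), " Enc^hc:", advantage(enc_hc, pk))
```

The toy scheme is distinguished with advantage 1 because the leaked coin is the first bit of m; with the extractor the leaked coin is a seed-dependent parity of the hc output, and this particular distinguisher's advantage drops to sampling noise.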
