280 likes | 407 Views
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols. Seung Geol Choi Columbia University. joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), and Hoeteck Wee (CUNY, Queens College). Outline. Motivation Our Work Our Contribution
E N D
Improved Non-Committing Encryption with Application to Adaptively Secure Protocols Seung Geol Choi Columbia University joint work withDana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), andHoeteck Wee (CUNY, Queens College)
Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion
Semi-honest vs. Malicious corrupted parties behave honestly or arbitrarily # corrupted parties Honest majority vs. dishonest majority. Static vs. Adaptive [CFGN96] corrupts parties are determined at the outset or during the protocol adaptively Adversarial corruption in MPC More Realistic Assumption on the Adversary te
Black-box construction of Adaptively secure MPC with Dishonest Majority (Aug.) NC-PKE • Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)? • - Of theoretical interest- More efficient: avoid general NP reductions incurred by ZK proofs. [CLOS02, CDMW09] Adaptively secureoblivious transfer [IPS08] MPC
Non-Committing Encryption (NCE) [CFGN96] • Encryption that realizes a secure channel against an adaptive adversary • (Possibly interactive) encryption: (Gen, Enc, Dec) • with additional property: SIM • SIM generates pairs of (e, c) that opens to 0 and to 1.(sender equivocal & receiver equivocal) Enc(1) Enc(0)
Non-Committing Public Key Encryption (NC-PKE) • Two-round NCE • Bob sends his pk to Alice • Alice sends an encryption under pk to Bob • Desirable
Goal (Aug.) NC-PKE • Construct (Aug.) NC-PKE from lower primitives in a black-box manner. [CLOS02, CDMW09] Adaptively secureoblivious transfer [IPS08] MPC
Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion
Known NCE Constructions [CFGN96] NC-PKE Simulatable common domain TDP CDHRSA [B97,DN00] 3-round NCE DDH Simulatable PKE [GPV08] LWE
NC-PKE Simulatable common domain TDP CDHRSA 3-round NCE DDH LWE Simulatable PKE Main Result • Construct NC-PKE from trapdoor Simulatable PKE • Relaxed notion of simulatable PKE • First NC-PKE from LWE • Construct trapdoor simulatable PKE from hardness of factoring • First NC-PKE from Factoring Factoring Trapdoor simulatable PKE
Factoring LWE TrapdoorSimulatable PKE (Aug.) NC-PKE [CLOS02,CDMW09] Oblivious Transfer [IPS08] MPC Our Contribution From LWE and factoring, first black box constructions of • NC-PKE • Adaptively secure OT • Adaptively secure MPC with dishonest majority
Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion
Simulatable PKE [DN00] • PKE (Gen, Enc, Dec) with additional properties • Property 1: Oblivious Sampling • oGen: generates a random pk w/o learning about its sk • oRndEnc: generates a random ciphertext w/o learning about its plaintext • E.g. ElGamal: • key: (y = gx, x) Pick random y in G • Enc: (gr, m*yr) pick random (c1, c2) from G
Simulatable PKE [DN00] Trapdoor Trapdoor • Property 2: Invertibility • rGen • Input: a normally-generated pub-key e, • Output: randomness rG s.t. oGen(rG) = e • rRndEnc • Input: a normally-generated key and ciphertext (e,c) • Output: randomness rE s.t. oRndEnc(e,rE) = c • E.g. ElGamal: • key: y from (y = gx, x) Output y • Enc: y and (c1, c2) from (y,x) and (gr, m*yr) Output (c1, c2) • Property 1: Oblivious Sampling • oGen: generates a random pk w/o learning about its sk • oRndEnc: generates a random ciphertext w/o learning about its plaintext • E.g. ElGamal: • key: (y = gx, x) Pick random e in G • Enc: (gr, m*yr) pick random (c1, c2) from G + randomness for Gen + randomness for Gen,End & plaintext
NCE from (trapdoor) simulatable PKE • Need to construct SIM that generates ciphertexts that open to both 0 and 1. • General Idea: SIM lies about obliviousness. • Protocol specifies some pk’s and ciphertexts should be generated obliviously. • SIM knows everything (all the pk’s and ciphertexts are generated by normal Gen, Enc). • SIM: clever lies on the set of obliviously generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.
Key Gen: (pk0, pk1) For a random x, pkx Gen()pk1-x oGen() Encrypt. of a bit b: (c0, c1) For a random y,cy Enc(b), c1-y oEnc() Decryption of (c0, c1): Output Dec(skx, cx) Toy Construction [DN00,KO04] - 1 pk1 pk0 c1 c0 x = y b? x y Decryption error = ¼ ( Can reduce by repetitions)
1 0 1 0 1 0 x is fixed ( x = y ). No events such as 1 0 1 0 1 0 Toy Construction [DN00,KO04] - 2 • Secure for adaptive corruption for one party • Disclaimer: Need to handle decryption error ¼ • If both corrupted? Corrupt S: m = 1 Corrupt R: m = 0 Corrupt R Corrupt S
The Idea to achieve NC-PKE • Summary of the toy construction • R knows half of secret keys • Handles adaptive corruption of one party [KO04] • Cannot handle corruption of both parties: lack of freedom to simulate the secondly corrupted parties. • To handle corruption of both parties • Raise the fraction of obliviousness • ¾ is good enough
KeyGen: (e1,…,e4k) T: random set of size kif x∈T, ex Gen()else ex oGen() Enc of b: (c1,…,c4k) S: random set of size k,if y∈S, cy Enc(bk), else cy oEnc() Dec of (c1,…,c4k): If Dec(skT, cT) contains 0k output 0. Else output 1 Decryption error = + The Construction k = 2
Summary: NCE-PK from (trapdoor) simulatable PKE • Obliviousness • ¾ of keys and ciphertexts are generated obliviously. • Still, we get negligible decryption error by repetitions. • SIM can generate a (e,c) pair that opens to 0 and 1 • Keys and ciphertexts are generated normally. • Using (trapdoor) invertibility, fake on obliviously generated sets.
Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion
Trapdoor Simulatable PKE from Factoring • There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f, • Gen() (e, d) : e = f, d = f-1 • Enc(b) (f(x), r, (x · r) b): where r, x is random. • Construct TDP from hardness of factoring Blum Integers (BI) with oblivious sampling and trapdoor invertibility
Rabin’s TDP for Blum Integers • Quadratic Residues on a Bl integer N: QRN = {y : y = x2 , x ∈ ZN*} • Rabin TDP • f:QRN QRN • f(x) = x2 mod N • Is based on hardness of factoring assumption
Basic Idea: for Keys • Key Generation: sample k3 k-bit integers w/ factoring [Bach ’88] • Encryption of b given keys (N1, …, Nk3) • EncN1(b1), …., EncNk3(bk3) where b = b1 … bk3 • WHP, at least one Ni is BI. • Oblivious sampling: easy (sample k3 integers) • Trapdoor Invertibility: easy
Basic Idea : for Ciphertexts • Change TDP description slightly • QN = {a2k: a ∈ ZN*} where k = |N| • f: QN QN , f(x) = x2k+1 mod N • Oblivious sampling: easy (sample from QN) • Trapdoor Invertibility: find random 2k-th root w/ factoring
Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion
Factoring LWE TrapdoorSimulatable PKE (Aug.) NC-PKE [CLOS02,CDMW09] Oblivious Transfer [IPS08] MPC Conclusion From LWE and factoring, first black box constructions of • NC-PKE • Adaptively secure OT • Adaptively secure MPC with honest minority