1 / 28

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols. Seung Geol Choi Columbia University. joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), and Hoeteck Wee (CUNY, Queens College). Outline. Motivation Our Work Our Contribution

edith
Download Presentation

Improved Non-Committing Encryption with Application to Adaptively Secure Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improved Non-Committing Encryption with Application to Adaptively Secure Protocols Seung Geol Choi Columbia University joint work withDana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), andHoeteck Wee (CUNY, Queens College)

  2. Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion

  3. Semi-honest vs. Malicious corrupted parties behave honestly or arbitrarily # corrupted parties Honest majority vs. dishonest majority. Static vs. Adaptive [CFGN96] corrupts parties are determined at the outset or during the protocol adaptively Adversarial corruption in MPC More Realistic Assumption on the Adversary te

  4. Black-box construction of Adaptively secure MPC with Dishonest Majority (Aug.) NC-PKE • Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)? • - Of theoretical interest- More efficient: avoid general NP reductions incurred by ZK proofs. [CLOS02, CDMW09] Adaptively secureoblivious transfer [IPS08] MPC

  5. Non-Committing Encryption (NCE) [CFGN96] • Encryption that realizes a secure channel against an adaptive adversary • (Possibly interactive) encryption: (Gen, Enc, Dec) • with additional property: SIM • SIM generates pairs of (e, c) that opens to 0 and to 1.(sender equivocal & receiver equivocal) Enc(1) Enc(0)

  6. Non-Committing Public Key Encryption (NC-PKE) • Two-round NCE • Bob sends his pk to Alice • Alice sends an encryption under pk to Bob • Desirable

  7. Goal (Aug.) NC-PKE • Construct (Aug.) NC-PKE from lower primitives in a black-box manner. [CLOS02, CDMW09] Adaptively secureoblivious transfer [IPS08] MPC

  8. Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion

  9. Known NCE Constructions [CFGN96] NC-PKE Simulatable common domain TDP CDHRSA [B97,DN00] 3-round NCE DDH Simulatable PKE [GPV08] LWE

  10. NC-PKE Simulatable common domain TDP CDHRSA 3-round NCE DDH LWE Simulatable PKE Main Result • Construct NC-PKE from trapdoor Simulatable PKE • Relaxed notion of simulatable PKE • First NC-PKE from LWE • Construct trapdoor simulatable PKE from hardness of factoring • First NC-PKE from Factoring Factoring Trapdoor simulatable PKE

  11. Factoring LWE TrapdoorSimulatable PKE (Aug.) NC-PKE [CLOS02,CDMW09] Oblivious Transfer [IPS08] MPC Our Contribution From LWE and factoring, first black box constructions of • NC-PKE • Adaptively secure OT • Adaptively secure MPC with dishonest majority

  12. Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion

  13. Simulatable PKE [DN00] • PKE (Gen, Enc, Dec) with additional properties • Property 1: Oblivious Sampling • oGen: generates a random pk w/o learning about its sk • oRndEnc: generates a random ciphertext w/o learning about its plaintext • E.g. ElGamal: • key: (y = gx, x)  Pick random y in G • Enc: (gr, m*yr)  pick random (c1, c2) from G

  14. Simulatable PKE [DN00] Trapdoor Trapdoor • Property 2: Invertibility • rGen • Input: a normally-generated pub-key e, • Output: randomness rG s.t. oGen(rG) = e • rRndEnc • Input: a normally-generated key and ciphertext (e,c) • Output: randomness rE s.t. oRndEnc(e,rE) = c • E.g. ElGamal: • key: y from (y = gx, x)  Output y • Enc: y and (c1, c2) from (y,x) and (gr, m*yr)  Output (c1, c2) • Property 1: Oblivious Sampling • oGen: generates a random pk w/o learning about its sk • oRndEnc: generates a random ciphertext w/o learning about its plaintext • E.g. ElGamal: • key: (y = gx, x)  Pick random e in G • Enc: (gr, m*yr)  pick random (c1, c2) from G + randomness for Gen + randomness for Gen,End & plaintext

  15. NCE from (trapdoor) simulatable PKE • Need to construct SIM that generates ciphertexts that open to both 0 and 1. • General Idea: SIM lies about obliviousness. • Protocol specifies some pk’s and ciphertexts should be generated obliviously. • SIM knows everything (all the pk’s and ciphertexts are generated by normal Gen, Enc). • SIM: clever lies on the set of obliviously generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.

  16. Key Gen: (pk0, pk1) For a random x, pkx  Gen()pk1-x  oGen() Encrypt. of a bit b: (c0, c1) For a random y,cy  Enc(b), c1-y  oEnc() Decryption of (c0, c1): Output Dec(skx, cx) Toy Construction [DN00,KO04] - 1 pk1 pk0 c1 c0 x = y b? x  y Decryption error = ¼ ( Can reduce by repetitions)

  17. 1 0 1 0 1 0 x is fixed ( x = y ). No events such as 1 0 1 0 1 0 Toy Construction [DN00,KO04] - 2 • Secure for adaptive corruption for one party • Disclaimer: Need to handle decryption error ¼ • If both corrupted? Corrupt S: m = 1 Corrupt R: m = 0 Corrupt R Corrupt S

  18. The Idea to achieve NC-PKE • Summary of the toy construction • R knows half of secret keys • Handles adaptive corruption of one party [KO04] • Cannot handle corruption of both parties: lack of freedom to simulate the secondly corrupted parties. • To handle corruption of both parties • Raise the fraction of obliviousness • ¾ is good enough

  19. KeyGen: (e1,…,e4k) T: random set of size kif x∈T, ex  Gen()else ex  oGen() Enc of b: (c1,…,c4k) S: random set of size k,if y∈S, cy  Enc(bk), else cy  oEnc() Dec of (c1,…,c4k): If Dec(skT, cT) contains 0k output 0. Else output 1 Decryption error = + The Construction k = 2

  20. Summary: NCE-PK from (trapdoor) simulatable PKE • Obliviousness • ¾ of keys and ciphertexts are generated obliviously. • Still, we get negligible decryption error by repetitions. • SIM can generate a (e,c) pair that opens to 0 and 1 • Keys and ciphertexts are generated normally. • Using (trapdoor) invertibility, fake on obliviously generated sets.

  21. Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion

  22. Trapdoor Simulatable PKE from Factoring • There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP f, • Gen()  (e, d) : e = f, d = f-1 • Enc(b)  (f(x), r, (x · r)  b): where r, x is random. • Construct TDP from hardness of factoring Blum Integers (BI) with oblivious sampling and trapdoor invertibility

  23. Rabin’s TDP for Blum Integers • Quadratic Residues on a Bl integer N: QRN = {y : y = x2 , x ∈ ZN*} • Rabin TDP • f:QRN QRN • f(x) = x2 mod N • Is based on hardness of factoring assumption

  24. Basic Idea: for Keys • Key Generation: sample k3 k-bit integers w/ factoring [Bach ’88] • Encryption of b given keys (N1, …, Nk3) • EncN1(b1), …., EncNk3(bk3) where b = b1 … bk3 • WHP, at least one Ni is BI. • Oblivious sampling: easy (sample k3 integers) • Trapdoor Invertibility: easy

  25. Basic Idea : for Ciphertexts • Change TDP description slightly • QN = {a2k: a ∈ ZN*} where k = |N| • f: QN  QN , f(x) = x2k+1 mod N • Oblivious sampling: easy (sample from QN) • Trapdoor Invertibility: find random 2k-th root w/ factoring

  26. Outline • Motivation • Our Work • Our Contribution • NC-PKE from Trapdoor Simulatable PKE • Trapdoor Simulatable PKE from Factoring • Conclusion

  27. Factoring LWE TrapdoorSimulatable PKE (Aug.) NC-PKE [CLOS02,CDMW09] Oblivious Transfer [IPS08] MPC Conclusion From LWE and factoring, first black box constructions of • NC-PKE • Adaptively secure OT • Adaptively secure MPC with honest minority

  28. Thank you

More Related