
A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy (Benjamin Fuller, Adam O'Neill, Leonid Reyzin; Boston University)


Posted on 15-Dec-2015


TRANSCRIPT

  • Slide 1

A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy
Benjamin Fuller (Boston University & MIT Lincoln Lab), Adam O'Neill, Leonid Reyzin (Boston University)

• Slide 2: Public Key Encryption (PKE)
Enc takes the public key PK, the message m and random coins ($) and outputs the ciphertext c. Randomness is needed to achieve semantic security.

• Slide 3: Public Key Encryption (PKE)
Same picture without the coins: what can be achieved without randomness?

• Slide 4: Why deterministic PKE?
The question of deterministic symmetric-key encryption is well understood:
  Key: k
  Messages: m_1, ..., m_n
  Encryption: pad_1 || ... || pad_n = prg(k); c_i = pad_i ⊕ m_i
  (prg: pseudorandom generator; each output bit appears random to a bounded distinguisher)
Deterministic PKE is difficult but has important applications:
  - Supporting devices with limited or no randomness
  - Enabling encrypted search, e.g. spam filtering by keyword on encrypted email

• Slide 5: Deterministic PKE
A PKE scheme where encryption is deterministic. Introduced by [BellareBoldyrevaONeill07].
A source of randomness is still needed: the messages are the only hope.
Security is defined w.r.t. a high-entropy message distribution M: H∞(M) is high, i.e. for all m, Pr[M=m] ≤ (1/2)^{H∞(M)}, so even the most likely message is hard to guess. E.g. uniform with first bit 1, or a network packet with a fixed header.
The message distribution must be independent of the public key.
An approach: fake the coins of a chosen-plaintext-secure (CPA) scheme [BellareBoldyrevaONeill07, BellareFischlinONeillRistenpart08].

• Slides 6-7: Results
Deterministic PKE from:
  - General: an arbitrary TDF with enough hardcore bits
  - Efficient: a single application of the TDF
  - The framework yields constructions from Niederreiter, RSA & Paillier; these TDFs have many hardcore bits under non-decisional (search) assumptions
Tools of independent interest:
  - Improved equivalence between indistinguishability & semantic security
  - Conditional computational entropy
  - First deterministic PKE for q arbitrarily correlated messages
  - Extension of the LHL to correlated sources using a 2q-wise independent hash
  - Extension of the crooked LHL to improve parameters
Slide 7 marks the focus of the talk.

• Slide 8: Our Scheme: Encrypt with hardcore (Enc_hc)
PK, m → Enc_hc → c; there is no random-coins input ($).

• Slides 9-10: Our Scheme
Enc_hc is built from four components:
  TDF: trapdoor function; easy to compute, hard to invert without the key
  hc: hardcore function; pseudorandom given the output of the TDF
  Ext: randomness extractor; converts high-entropy distributions to uniform
  Enc: randomized encryption algorithm
Question: Why is this semantically secure?
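As an added example (not code from the talk or the paper), the following Python sketch wires the four components of slides 9-10 together into a toy Encrypt-with-Hardcore scheme so that the two properties a practitioner would check first, determinism of the ciphertext and correct decryption through the trapdoor, can be exercised by hand. Everything concrete here is the example's own assumption rather than something the slides state: the wiring c = Enc(pk, TDF(m); coins = Ext(hc(m))), the textbook-RSA trapdoor with constructed tiny parameters, the low-order bits as the hardcore function, an affine universal hash as the seeded extractor, and a hashed-ElGamal PKE over a 23-element toy group. At these sizes nothing is secure; the point is the data flow.

```python
import hashlib

# ---- Toy trapdoor function (TDF): textbook RSA with constructed tiny parameters ----
# N = 61 * 53, e = 17, d = 2753 (e*d = 1 mod 3120). Insecure toy, for illustration only.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753  # message space: integers 0 <= m < RSA_N

def tdf(m):
    """Forward direction: easy to compute from the public (N, e)."""
    return pow(m, RSA_E, RSA_N)

def tdf_inv(y):
    """Trapdoor direction: needs the secret exponent d."""
    return pow(y, RSA_D, RSA_N)

# ---- Hardcore function hc: the low-order bits of m ----
# Assumption of this example: low-order bits stand in for a hardcore function of the TDF;
# a real instance uses a function proven hardcore for the chosen TDF.
HC_BITS = 4

def hc(m):
    return m & ((1 << HC_BITS) - 1)

# ---- Randomness extractor Ext: affine universal hash x -> (a*x + b) mod 17, seed (a, b) in pk ----
EXT_P = 17  # constructed prime larger than 2**HC_BITS

def ext(seed, x):
    a, b = seed
    return (a * x + b) % EXT_P

# ---- Randomized PKE with explicit coins: hashed ElGamal in the order-11 subgroup of Z_23^* ----
G_P, G_Q, G_G = 23, 11, 4  # constructed toy group; 4 has order 11 modulo 23

def pke_keygen(sk_g):
    return pow(G_G, sk_g, G_P)

def _dem_key(shared):
    """Derive a 16-bit one-time pad from the shared group element (SHA-256, truncated)."""
    return int.from_bytes(hashlib.sha256(str(shared).encode()).digest()[:2], "big")

def pke_enc(pk_g, y, coins):
    """Enc(pk, y; coins): the coins are an explicit input, never drawn internally."""
    r = coins % G_Q
    c1 = pow(G_G, r, G_P)
    c2 = y ^ _dem_key(pow(pk_g, r, G_P))
    return (c1, c2)

def pke_dec(sk_g, ct):
    c1, c2 = ct
    return c2 ^ _dem_key(pow(c1, sk_g, G_P))

# ---- Encrypt-with-Hardcore (Enc_hc): deterministic because every coin is derived from m ----
def de_keygen(sk_g=7, ext_seed=(5, 9)):
    """Constructed fixed key material so the example is reproducible; a real keygen draws these."""
    pk = {"pk_g": pke_keygen(sk_g), "ext_seed": ext_seed}
    sk = {"sk_g": sk_g}
    return pk, sk

def de_enc(pk, m):
    y = tdf(m)                          # the PKE encrypts the TDF image of m ...
    coins = ext(pk["ext_seed"], hc(m))  # ... using coins extracted from hc(m)
    return pke_enc(pk["pk_g"], y, coins)

def de_dec(sk, ct):
    return tdf_inv(pke_dec(sk["sk_g"], ct))

if __name__ == "__main__":
    pk, sk = de_keygen()
    c = de_enc(pk, 2023)
    print("ciphertext:", c, "| same on repeat:", de_enc(pk, 2023) == c, "| decrypts to:", de_dec(sk, c))
```

The reduction sketched on the later slides is visible in the code: the PKE encrypts tdf(m), and its coins are a function of hc(m), which is pseudorandom given tdf(m); replacing those coins by true randomness is exactly the step that hands the argument to the CPA security of Enc.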
• Slide 11: Outline of Security Proof
Indistinguishability ⇔ Semantic Security (for a message distribution M): a general definitional equivalence. Scheme diagram: PK, m → Enc_hc (TDF, hc, Ext) → c.

• Slides 12-13: Semantic Security for Deterministic PKE
The adversary A chooses a message distribution M and a test function f. The challenger picks b, samples m_b and returns DetEnc(m_b) together with pk. In one case A must compute f from the ciphertext; in the other, A must compute f from a random ciphertext.

• Slide 14: Indistinguishability for Deterministic PKE
The adversary A chooses two message distributions M_0 and M_1. The challenger picks b, samples m from M_b and returns DetEnc(m) together with pk; A guesses b.

• Slides 15-16: Outline of Security Proof
Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events s.t. Pr[e_0], Pr[e_1] ≥ 1/4.
⇔ Semantic security for a message distribution M (general definitional equivalence).

• Slides 17-18: Our Scheme
(Components TDF, hc, Ext, Enc as on slide 9.) Question: Why is this indistinguishable? To gain intuition we will try removing the extractor.

• Slides 19-20: Toy Scheme
Enc_hc without Ext: PK, m → TDF, hc → Enc → c. Question: Is this scheme indistinguishable? NO: hc can reveal the first bit of m, and Enc can reveal its first coin.

• Slides 21-24: Outline of Security Proof
Robust hardcore function: hc is hardcore on M|e for all e with Pr[e] ≥ 1/4, i.e. hc(M|e) is pseudorandom given TDF(M|e).
⇒ Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events s.t. Pr[e_0], Pr[e_1] ≥ 1/4.
⇔ Semantic security for a message distribution M.
Q: Is any hc robust? A: NO! Define the event e: fix the first bit (previous example!).

• Slide 25: Robustness: Implicit in Prior Work
TDF → robust hc function (reference):
  Iterated trapdoor permutation → [GL89] hc bit at each iteration ([BM84] PRG) ([BellareFischlinONeillRistenpart08])
  Lossy trapdoor function → pairwise independent hash function ([BoldyrevaFehrONeill08])
  Arbitrary trapdoor function → any function with enough hc bits + extractor Ext (this work)

• Slides 26-28: Outline of Security Proof
Hardcore function: hc(M) is pseudorandom given TDF(M).
⇒ Robust hardcore function: hc(M|e) is pseudorandom given TDF(M|e) for all e, Pr[e] ≥ 1/4 (in the scheme, Ext is applied to hc(M|e)).
⇒ Indistinguishability: for all pairs M|e_0, M|e_1, where e_0, e_1 are events s.t. Pr[e_0], Pr[e_1] ≥ 1/4.
⇔ Semantic security for a message distribution M.
Rest of the talk: the step from hardcore function to robust hardcore function.

• Slide 29: Outline of Security Proof
1. Hardcore function: hc(M) is pseudorandom given TDF(M).
2. Computational entropy: hc(M|e) has high computational entropy.
3. Uniform Ext output: Ext(hc(M|e)) is pseudorandom.
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom.

• Slides 30-34: (1) Hc function ⇒ (2) Comp. Entropy
Know: hc produces pseudorandom bits on M, i.e. hc(M) ≈ U.
Want: hc produces pseudorandom bits on M|e.
Problem: hc(M|e) cannot be pseudorandom. For example, the event e can fix the first bit of hc(M).
Solution: use HILL entropy! Want: H^HILL(hc(M|e)) is high.
H^HILL(X) is at least H∞(Y) for any Y with X ≈ Y, where ≈ is indistinguishability by distinguishers of size s with bounded advantage (the two parameters on the slide: distinguisher advantage and distinguisher size s).
How is H^HILL(hc(M|e)) related to H^HILL(hc(M))? General question: how is H^HILL(X|E=e) related to H^HILL(X)?

• Slides 35-36: Conditional Computational Entropy
Our Lemma:
Info-Theoretic Case:
Warning: this is not H^HILL! A different Y (that has true entropy) is allowed for each distinguisher (metric* entropy), a notion used in [BarakShaltielWigderson03] and [DziembowskiPietrzak08]. It can be converted to HILL entropy with a loss in circuit size [BSW03, ReingoldTrevisanTulsianiVadhan08].
Our Theorem:

• Slide 37: Tangent: Avg Case Cond. Entropy
Our Lemma:
Info-Theoretic Case [DodisOstrovskyReyzinSmith04]: the conditioning is on a distribution, not a single event!
We can apply the lemma multiple times to measure H(M | E_1, E_2). Entropy cannot be measured when the original distribution is conditional. Average-case conditioning is useful for leakage resilience. It works on conditional computational entropy: [ReingoldTrevisanTulsianiVadhan08], [DziembowskiPietrzak08], [ChungKalaiLiuRaz11], [GentryWichs10].

• Slide 38: (1) Hc function ⇒ (2) Comp. Entropy
By our theorem, hc(M|e) has high HILL entropy.

• Slide 39: Outline of Security Proof
1. Hardcore function: hc(M) is pseudorandom given TDF(M).
2. Conditional computational entropy: hc(M|e) has high computational entropy for e, Pr[e] ≥ 1/4.
3. Uniform Ext output: Ext(hc(M|e)) is pseudorandom for e, Pr[e] ≥ 1/4.
4. Robust hc function: Ext(hc(M|e)) | TDF(M|e) is pseudorandom.

• Slide 40: (2) Cond. Comp. Entropy ⇒ (3) Unif. Ext Output
M|e → hc → (HILL entropy) → Ext → pseudorandom. Extractors convert distributions with min-entropy to uniform, and distributions with HILL entropy to pseudorandom.

• Slide 41: Outline of Security Proof (same four steps as slide 39)

• Slides 42-48: (3) Unif. Ext Output ⇒ (4) Robust hc function
Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore).
Know: Ext(hc(M|e)) is pseudorandom (by (1) ⇒ (3)).
Want (Lemma): (Ext(hc(M|e)) | TDF(M|e)) is pseudorandom.
Unfortunately our entropy theorem does not work if the starting point is conditional.
Solution: consider the joint distribution (hc(M), TDF(M)); condition on e to measure the entropy of (hc(M|e), TDF(M|e)).

• Slide 49: Outline of Security Proof (same four steps as slide 39)

• Slide 50: Our Scheme
If hc is hardcore on M, then Enc_hc is secure on M.

• Slides 51-52: Results
Enc_hc, deterministic PKE from:
  - General: an arbitrary TDF with enough hardcore bits
  - Efficient: a single application of the TDF
  - The framework yields constructions from Niederreiter, RSA & Paillier; these TDFs have many hardcore bits under non-decisional (search) assumptions
Tools of independent interest:
  - Improved definitional equivalence
  - Conditional computational entropy: allows encryption of messages from block sources, where each message has entropy conditioned on the previous messages, i.e. H∞(M_i | M_1, ..., M_{i-1}) is high
  - First deterministic PKE for q arbitrarily correlated messages (covered briefly)
  - Extension of the LHL to correlated sources using a 2q-wise independent hash
  - Extension of the crooked LHL to improve parameters

• Slides 53-55: Extending to multiple messages
Enc_hc does not extend when multiple arbitrarily correlated messages are encrypted. We need an extractor that decorrelates messages: use a 2q-wise independent hash function (Hash takes the place of Ext in the scheme: PK, m → TDF, hc, Hash → Enc → c). This gives the first scheme for q arbitrarily correlated messages.

• Slide 56: Extending to multiple messages
Lemma (extension of the LHL): Let M_1, ..., M_q be high-entropy, arbitrarily correlated random variables (M_i ≠ M_j), and let Hash be a family of 2q-wise independent hash functions (keyed by K). Then (K, Hash(K, M_1), ..., Hash(K, M_q)) ≈ (K, U_1, ..., U_q).

• Slide 57: Results (same as slide 52)

• Slide 58: Thank you!
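The conditioning lemma of slides 35-37 is stated in the talk for computational (HILL/metric) entropy, which cannot be checked by enumeration. Its information-theoretic case can be: conditioning on an event e costs at most log2(1/Pr[e]) bits of min-entropy, so the Pr[e] ≥ 1/4 events in the talk's indistinguishability definition lose at most 2 bits, and the average-case variant of [DORS04] loses at most log2 of the number of values the side information takes. The following added example (not from the talk) computes these quantities exactly on two constructed 4-bit message distributions, the "uniform with first bit 1" example of slide 5 and a skewed one standing in for a fixed-header packet, and checks both bounds; the function and variable names are the example's own.

```python
from fractions import Fraction
from math import log2

def min_entropy(dist):
    """H_inf(X) = -log2(max_x Pr[X=x]); dist maps outcomes to exact Fraction probabilities."""
    return -log2(max(dist.values()))

def condition_on_event(dist, event):
    """Distribution of X | E=e for a predicate `event` on outcomes, together with Pr[e]."""
    pr_e = sum(p for x, p in dist.items() if event(x))
    if pr_e == 0:
        raise ValueError("event has probability zero")
    return {x: p / pr_e for x, p in dist.items() if event(x)}, pr_e

def entropy_loss_bound_holds(dist, event, tol=1e-9):
    """Info-theoretic conditioning lemma: H_inf(X | E=e) >= H_inf(X) - log2(1/Pr[e]).
    Follows from Pr[X=x | e] = Pr[X=x and e] / Pr[e] <= Pr[X=x] / Pr[e]."""
    cond, pr_e = condition_on_event(dist, event)
    return min_entropy(cond) >= min_entropy(dist) - log2(1 / pr_e) - tol

def avg_min_entropy(dist, label):
    """Average-case conditional min-entropy [DORS04] of X given Y = label(X):
    H~_inf(X | Y) = -log2( sum_y max_x Pr[X=x, Y=y] ).  Y is a random variable, not one event."""
    best = {}
    for x, p in dist.items():
        y = label(x)
        best[y] = max(best.get(y, Fraction(0)), p)
    return -log2(sum(best.values()))

def avg_case_bound_holds(dist, label, tol=1e-9):
    """[DORS04]: H~_inf(X | Y) >= H_inf(X) - log2(number of values Y takes)."""
    n_labels = len({label(x) for x in dist})
    return avg_min_entropy(dist, label) >= min_entropy(dist) - log2(n_labels) - tol

# Constructed sample distributions over 4-bit messages.
UNIFORM_4BIT = {x: Fraction(1, 16) for x in range(16)}
# Skewed: one message has probability 1/4 (think fixed-header packet), the other 15 share the rest.
SKEWED = {x: (Fraction(1, 4) if x == 0 else Fraction(1, 20)) for x in range(16)}

def first_bit_one(x):   # the "uniform with first bit 1" example from the talk
    return (x >> 3) == 1

def is_even(x):         # an event containing the most likely message of SKEWED: bound is tight
    return x % 2 == 0

if __name__ == "__main__":
    cond, pr_e = condition_on_event(UNIFORM_4BIT, first_bit_one)
    print("H_inf(M) =", min_entropy(UNIFORM_4BIT), "| H_inf(M|e) =", min_entropy(cond), "| Pr[e] =", pr_e)
    cond, pr_e = condition_on_event(SKEWED, is_even)
    print("skewed: H_inf(M) =", min_entropy(SKEWED), "| H_inf(M|e) =", round(min_entropy(cond), 4),
          "| bound =", round(min_entropy(SKEWED) - log2(1 / pr_e), 4))
    print("H~_inf(M | low two bits) =", avg_min_entropy(UNIFORM_4BIT, lambda x: x & 3))
```

Conditioning can also raise min-entropy (condition SKEWED on odd messages and the heavy message disappears), which is why the lemma is only a lower bound; the talk's difficulty is that the same statement for HILL entropy needs a fresh indistinguishable Y per distinguisher, hence the metric-entropy detour and the circuit-size loss on slide 36.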
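Slides 53-56 replace the extractor by a 2q-wise independent hash when q arbitrarily correlated messages are encrypted. The following added example (not the paper's construction) shows the standard way to build such a family, a uniformly random polynomial of degree t-1 over a prime field, and verifies by exhaustive enumeration over a constructed toy field GF(7) what t-wise independence means: on any t distinct inputs the outputs are jointly uniform over the key, while a pairwise family fails this on four inputs, which is why two correlated messages (q = 2) call for a 4-wise family. The LHL bound of slide 56 itself is not computed here; the field size, function names and sample points are the example's own.

```python
from itertools import product

FIELD_P = 7  # constructed toy prime field GF(7); a real instance uses a field of cryptographic size

def poly_hash(key, x, p=FIELD_P):
    """h_key(x) = key[0] + key[1]*x + ... + key[t-1]*x^(t-1) mod p, evaluated by Horner's rule.
    With key uniform in Z_p^t this is the standard t-wise independent family."""
    acc = 0
    for coeff in reversed(key):
        acc = (acc * x + coeff) % p
    return acc

def output_tuple_counts(t, points, p=FIELD_P):
    """For every key of the degree-(t-1) family, record the tuple (h_key(x) for x in points)."""
    counts = {}
    for key in product(range(p), repeat=t):
        outs = tuple(poly_hash(key, x, p) for x in points)
        counts[outs] = counts.get(outs, 0) + 1
    return counts

def is_t_wise_independent(t, points, p=FIELD_P):
    """True iff, over a uniform key, the outputs on the distinct `points` are jointly uniform:
    every tuple in Z_p^len(points) occurs equally often. Holds when len(points) <= t
    (a degree-(t-1) polynomial is determined by its values on t points)."""
    if len(set(points)) != len(points):
        raise ValueError("points must be distinct")
    counts = output_tuple_counts(t, points, p)
    n_tuples = p ** len(points)
    if len(counts) != n_tuples:
        return False
    expected = p ** t // n_tuples
    return all(c == expected for c in counts.values())

if __name__ == "__main__":
    q = 2                 # two arbitrarily correlated messages
    msgs = [1, 2, 3, 4]   # four distinct sample inputs (constructed)
    print(f"{2 * q}-wise family on {msgs}:", is_t_wise_independent(2 * q, msgs))
    print("pairwise family on the same 4 points:", is_t_wise_independent(2, msgs))
    print("pairwise family on 2 points:", is_t_wise_independent(2, msgs[:2]))
```

The key (the polynomial's coefficients) plays the role of K in the lemma on slide 56 and is part of the public key; the enumeration shows the property the lemma consumes, namely that the hash outputs on up to 2q distinct messages behave like independent uniform values over the choice of K.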