incremental deterministic public-key encryption
Ilya Mironov, Omkant Pandey, Omer Reingold, Gil Segev. Microsoft Research.
INCREMENTAL DETERMINISTIC PUBLIC-KEY ENCRYPTION
Ilya Mironov, Omkant Pandey, Omer Reingold, Gil Segev
Microsoft Research
Incremental Deterministic Public-Key Encryption
Deterministic Public-Key Encryption
-source adversary
𝑀 𝑁
min-entropy min-entropy
min-entropy : Probability of any output
Deterministic Public-Key Encryption: PRIV1-IND
𝑀 𝑁
[Bellare, Boldyreva, O’Neill CRYPTO’07]
min-entropy min-entropy
Epk[ ] Epk[ ]𝑐
and are independent of PK
Is It Secure?
Computational assumptions
Min-entropy of the source
Secure Deterministic Encryption
Long, unpredictable plaintext:
- digital photograph
- MS Word document
- entire database
- full disk

- search
- de-duplication
- deterministic KEM
security
efficiency
Length of the plaintext
Incrementality
- Incrementality with access to plaintext: setting bit
- Incrementality without access to plaintext: flipping bit
degree
Incremental Deterministic Public-Key Encryption
Our results
Lower bound:
Two schemes
1. Generic Solution
2. DDH-based solution
tight up to polylog factors
incrementality
min-entropy
Deterministic Encryption
Incremental Deterministic Encryption
Naïve Generic Solution
min-entropy
?
E E E…
E: deterministic encryption scheme
Sample-then-extract
[Nisan,Zuckerman’96] [Vadhan’04]
min-entropy
similar min-entropy rate
Generic Solution
min-entropy
Partition input into random subsets
PRIV-IND PRIV1-IND with Incrementality
Standard Model
DDH PRIV1-IND with Incrementality
Lossy Trapdoor Functions
[Peikert, Waters STOC’08]
𝑓 w/ trapdoor
𝑐
Injective mode:
Lossy mode:
𝑓
Smooth Trapdoor Functions
𝑓 w/ trapdoor
𝑐
Injective mode:
Smooth mode:
𝑓 statistically close
min-entropy
Smooth Trapdoor Functions PRIV1-IND
Security
injective mode: 𝑓(𝑀) 𝑓(𝑁)
smooth mode: 𝑓(𝑀) 𝑓(𝑁)
𝑐 𝑐
min-entropy min-entropy
Construction of PRIV1-IND
𝑓 ∘𝜋
Lossy Trapdoor Function Pairwise-independent permutation
Smooth Trapdoor Function
[Boldyreva, Fehr, O’Neill CRYPTO’08]
Deterministic Public-Key Encryption
Incremental
Construction of Lossy TDF
[Freeman, Goldreich, Kiltz, Rosen, Segev PKC’10] [Brakerski, Segev CRYPTO’11]
Given output
Given compute Output
Sample Output and
$(g^A)_{ij} = g^{a_{ij}}$
Key generation
Encryption
Decryption
- group of order generated by
Security Argument: Lossy TDF
$g^A \approx_c g^B$
rank rank 1
— injective — bits
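An added toy example (not code from the talk or the cited papers) of the matrix-based lossy trapdoor function sketched on the two slides above: the public key is $g^A$ entrywise, evaluating on a bit vector $x$ gives $g^{Ax}$, and a rank-1 matrix collapses the image. The parameters p = 23, q = 11, g = 4, the function names, and the use of $A^{-1}$ as the trapdoor are assumptions made for illustration.

```python
import itertools, random
from math import prod

# Toy parameters, constructed for illustration only (assumption, not from the slides):
# p = 2q + 1, and g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 23, 11, 4

def inverse_mod_q(A):
    """Gauss-Jordan inverse of A over Z_q; returns None if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % Q), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, Q)
        M[c] = [v * inv % Q for v in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [(a - M[r][c] * b) % Q for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def keygen(n, lossy=False, rng=random):
    """Return (pk, sk): pk = g^A entrywise, sk = A^{-1} (None in lossy mode)."""
    while True:
        if lossy:  # rank-1 matrix A = u * v^T, so Ax = u * (v.x) has at most q values
            u = [rng.randrange(1, Q) for _ in range(n)]
            v = [rng.randrange(1, Q) for _ in range(n)]
            A = [[ui * vj % Q for vj in v] for ui in u]
        else:      # uniformly random matrix, resampled until invertible (full rank)
            A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        sk = None if lossy else inverse_mod_q(A)
        if lossy or sk is not None:
            return [[pow(G, a, P) for a in row] for row in A], sk

def evaluate(pk, x):
    """f(x) = g^{Ax}: component i multiplies pk[i][j] over the positions where x_j = 1."""
    return tuple(prod(pow(gij, b, P) for gij, b in zip(row, x)) % P for row in pk)

def invert(sk, y):
    """Compute g^{A^{-1} A x} = g^x componentwise; g^0 = 1 decodes to bit 0."""
    gx = [prod(pow(yi, s, P) for s, yi in zip(row, y)) % P for row in sk]
    return tuple(int(c != 1) for c in gx)

def image_size(pk, n):
    """Number of distinct outputs over all inputs in {0,1}^n."""
    return len({evaluate(pk, x) for x in itertools.product((0, 1), repeat=n)})
```

With n = 6 the injective key maps the 64 inputs to 64 distinct outputs, while the rank-1 key yields at most q = 11, which is the information loss the security argument relies on.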
Towards Incremental Smooth TDF
$g^A \approx_c g^B$
rank sparse
rank ℓsparse
— injective if has min-entropy , statistically close to the uniform over its range
Towards Incremental Smooth TDF
𝑎11×𝑎12×𝑎13×
𝑎21×𝑎22×𝑎23×
Sample-then-extract + Leftover Hash Lemma
ℓ
Smooth vs Injective Mode
𝑐
rank full rank
𝑔 𝑔
𝑎11×𝑎12×𝑎13×
𝑎21×𝑎22×𝑎23×
Incrementality
𝑎11×𝑎12×𝑎13×
𝑎21×𝑎22×𝑎23×
Open Problems
Incremental Deterministic Encryption:
- Stronger security: PRIV-IND (multiple messages)
- Length-preserving in the standard model
Deterministic Encryption:
- Relaxing the definition to allow dependency on the public key