INCREMENTAL DETERMINISTIC PUBLIC-

KEY ENCRYPTIONIlya Mironov, Omkant Pandey,

Omer Reingold, Gil Segev

Microsoft Research

Incremental Deterministic Public-Key Encryption

Deterministic Public-Key Encryption

-source adversary

𝑀 𝑁

min-entropy min-entropy

min-entropy : Probability of any output

Deterministic Public-Key Encryption: PRIV1-IND

𝑀 𝑁

[Bellare, Boldyreva, O’Neill CRYPTO’07]

min-entropy min-entropy

Epk[ ] Epk[ ]𝑐

and are independent of PK

Is It Secure?

Computational assumptions

Min-entropy of the source

Secure Deterministic Encryption

Long, unpredictable plaintext:- digital photograph- MS Word document- entire database- full disk

- search- de-duplication- deterministic KEM

security

efficiencyLength of the plaintext

Incrementality

- Incrementality with access to plaintext: setting bit- Incrementality without access to plaintext: flipping bit

degree

Incremental Deterministic Public-Key Encryption

Our results Lower bound: Two schemes

1. Generic Solution

2. DDH-based solution

tight up to polylog factors

incrementality

min-entropy

Deterministic Encryption

Incremental Deterministic Encryption

Naïve Generic Solutionmin-entropy

?

E E E…

E: deterministic encryption scheme

Sample-then-extract

[Nisan,Zuckerman’96] [Vadhan’04]

min-entropy

similar min-entropy rate

Generic Solutionmin-entropy

Partition input into random subsets

PRIV-IND PRIV1-IND with Incrementality

Standard Model

DDH PRIV1-IND with Incrementality

Lossy Trapdoor Functions

[Peikert, Waters STOC’08]

𝑓 w/ trapdoor

𝑐

Injective mode:

Lossy mode:

𝑓

Smooth Trapdoor Functions

𝑓 w/ trapdoor

𝑐

Injective mode:

Smooth mode:

𝑓 statisticallyclose

min-entropy

Smooth Trapdoor Functions PRIV1-IND

Security

𝑓 (𝑀 ) 𝑓 (𝑁 )injective mode:

𝑓 (𝑀 ) 𝑓 (𝑁 )smooth mode:

𝑐 𝑐

min-entropy min-entropy

Construction of PRIV1-IND

𝑓 ∘𝜋

Lossy Trapdoor Function Pairwise-independent permutation

Smooth Trapdoor Function

[Boldyreva, Fehr, O’Neill CRYPTO’08]

Deterministic Public-Key Encryption

Construction of PRIV1-IND

𝑓 ∘𝜋

Lossy Trapdoor Function Pairwise-independent permutation

Smooth Trapdoor Function

[Boldyreva, Fehr, O’Neill CRYPTO’08]

Deterministic Public-Key EncryptionIncremental

Construction of Lossy TDF

[Freeman, Goldreich, Kiltz, Rosen, Segev PKC’10] [Brakerski, Segev CRYPTO’11]

Given output

Given compute Output

Sample Output and

(𝑔𝐴 ) 𝑖𝑗=(𝑔𝑎𝑖𝑗 )Key generation

Encryption

Decryption

- group of order generated by

Security Argument: Lossy TDF

𝑔𝐴≈𝑐𝑔𝐵

rank rank 1

— injective — bits

Towards Incremental Smooth TDF

𝑔𝐴≈𝑐𝑔𝐵

rank sparse

rank ℓsparse

— injective if has min-entropy , statistically close to the uniform over its range

Towards Incremental Smooth TDF

𝑎11×𝑎12×𝑎13×

𝑎21×𝑎22×𝑎23×

Sample-then-extract + Leftover Hash Lemma

ℓ

Towards Incremental Smooth TDF

𝑎11×𝑎12×𝑎13×

𝑎21×𝑎22×𝑎23×

Towards Incremental Smooth TDF

𝑎11×𝑎12×𝑎13×

𝑎21×𝑎22×𝑎23×

Smooth vs Injective Mode

𝑐

rank full rank

𝑔 𝑔

𝑎11×𝑎12×𝑎13×

𝑎21×𝑎22×𝑎23×

Incrementality

𝑎11×𝑎12×𝑎13×

𝑎21×𝑎22×𝑎23×

Open Problems

Incremental Deterministic Encryption: Stronger security: PRIV-IND (multiple

messages) Length-preserving in the standard model

Deterministic Encryption: Relaxing the definition to allow dependency

on the public key