public-key encryption with lazy parties kenji yasunaga institute of systems, information...
TRANSCRIPT
![Page 1: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/1.jpg)
Public-Key Encryption withLazy Parties
Kenji Yasunaga
Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan
Presented at SCN 2012IMI Crypto Seminar 2012.12.17
![Page 2: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/2.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
![Page 3: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/3.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
The class “Introduction to Cryptography”
![Page 4: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/4.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
The class “Introduction to Cryptography”
The final exam has finished.
![Page 5: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/5.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
Do you understandpublic-key encryption ?
![Page 6: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/6.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
Yes !
Yes !
Yes !
Do you understandpublic-key encryption ?
![Page 7: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/7.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
Good ! So, I’ll send your grades by PKE.
![Page 8: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/8.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
Good ! So, I’ll send your grades by PKE.
Please send me your public keys. All right ?
![Page 9: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/9.jpg)
One day in a class,
Alice Student 1 Student 2 Student 3
・・・
・・・
Yes !
Yes !
Yes ! Good ! So, I’ll send your grades by PKE.
Please send me your public keys. All right ?
![Page 10: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/10.jpg)
One day in a class,
Alice
![Page 11: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/11.jpg)
One day in a class,
Alice
Although I said so, it is troublesome to encrypt all the grades.
![Page 12: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/12.jpg)
One day in a class,
Alice
But, since I promised to use PKE, I have to do…
Although I said so, it is troublesome to encrypt all the grades.
![Page 13: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/13.jpg)
One day in a class,
Alice
But, since I promised to use PKE, I have to do…
What happened ?
Although I said so, it is troublesome to encrypt all the grades.
![Page 14: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/14.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
Grades: m1, m2, m3, …
![Page 15: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/15.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
![Page 16: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/16.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
![Page 17: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/17.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
It’s troublesome to encrypt honestly…
![Page 18: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/18.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
It’s troublesome to encrypt honestly…
Wait !
![Page 19: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/19.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
The grades are personal information for students. Their security is not my concern.
![Page 20: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/20.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
Want to cut corners…
The grades are personal information for students. Their security is not my concern.
![Page 21: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/21.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
![Page 22: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/22.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
Encrypt by using all-zero string as randomness
CTs: c1, c2, c3, …
![Page 23: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/23.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
Encrypt by using all-zero string as randomness
CTs: c1, c2, c3, … c1 c2 c3 ・・・
![Page 24: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/24.jpg)
What happened is …
Alice Student 1 Student 2 Student 3
・・・
・・・
pk1 pk2 pk3・・・
Grades: m1, m2, m3, …
PKs: pk1, pk2, pk3, …
Grades were not sent securely !
Encrypt by using all-zero string as randomness
CTs: c1, c2, c3, … c1 c2 c3 ・・・
![Page 25: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/25.jpg)
The lesson from this example
![Page 26: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/26.jpg)
The lesson from this example
If some party in cryptographic protocols (PKE)
1. is not concerned about the security
2. is not willing to do a costly task (generating randomness)
The security can be compromised
![Page 27: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/27.jpg)
The lesson from this example
If some party in cryptographic protocols (PKE)
1. is not concerned about the security
2. is not willing to do a costly task (generating randomness)
The security can be compromised
The reason is that Alice is “lazy”
![Page 28: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/28.jpg)
The lesson from this example
If some party in cryptographic protocols (PKE)
1. is not concerned about the security
2. is not willing to do a costly task (generating randomness)
The security can be compromised
The reason is that Alice is “lazy”
Traditional crypto did not consider lazy parties
![Page 29: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/29.jpg)
The lesson from this example
If some party in cryptographic protocols (PKE)
1. is not concerned about the security
2. is not willing to do a costly task (generating randomness)
The security can be compromised
The reason is that Alice is “lazy”
Traditional crypto did not consider lazy parties
Many people tend to be lazy in the real life… Need secure protocols even for lazy parties
![Page 30: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/30.jpg)
Our results
Define the security of PKE for lazy parties
Lazy parties as rational players
Construct secure PKEs for lazy parties
![Page 31: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/31.jpg)
Lazy parties in PKE
Sender (S) and Receiver (R) are lazy
Lazy S (and R)
(1) wants to securely transmit msgs in MS (and MR)
(2) doesn’t want to generate costly randomness Choose
(a) Costly true randomness (Good randomness) or (b) Zero-cost fixed string (Bad randomness)
Define a game between S, R, and an adversary (Adv)
A variant of usual CPA game
Lazy parties behave to maximize their payoffs
The goal is to design PKE secure for m M∈ S M∪ R
![Page 32: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/32.jpg)
CPA Game
Challenge Dealer Adv.
Sender Receiverc Encpk(mb; rS)
3. b R {0,1}
pk
pk
cmb
Enc Dealer Gen Dealer
1. G/B
pk, sk
4. G/B
c
1-b. If R chose B, rR A(1k)
c
m0, m1
mb
2. (m0, m1) A(pk)
5. Output b’ A(c)
(pk, sk) Gen(1k; rR)
1-a. If R chose G, rR Samp(Gen)
4-a. If S chose G, rS Samp(Enc)
4-b. If S chose B rR A
![Page 33: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/33.jpg)
Remarks on CPA Game
We define the game more generally
Sender may run Gen algorithm
Encryption may be interactive
Output of the Game:Out = (Win, ValS, ValR, NumS, NumR)
Win = 1 if b = b’, 0 otherwise
Valw = 1 if m M∈ w , 0 otherwise
Numw : #{ G output by w : w {S, R} }∈
![Page 34: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/34.jpg)
Payoff function
Payoff when the output of CPA game is Out = (Win, ValS, ValR, NumS, NumR)
uw(Out) = (-αw)•Win•Valw + (-βw)•Numw
αw, βw > 0 are real numbers
αw /2 > qw• βw is assumed. qw : Maximum of Numw
Costly good randomness is worth for achieving the security
Payoff when following the pair of strategies (σS, σR)
Uw(σS, σR) = min E[uw(Out)]
min is taken over all Advs, message spaces MS, MR
![Page 35: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/35.jpg)
Security of PKE for lazy parties
For PKE scheme Π, strategies (σS, σR), (Π, σS, σR) is CPA secure with (strict) Nash equilibrium
1. If players follow (σS, σR), thenfor any adversary, message spaces MS, MR,
Pr[Win•(ValS + ValR) ≠ 0] ≤ 1/2 + negl(k)
2. (σS, σR) is a (strict) Nash equilibrium
![Page 36: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/36.jpg)
Solution concepts
(σS, σR) is a Nash equilibrium :
For any w {S, R} and σ∈ w’, Uw(σS
*, σR*) ≤ Uw(σS, σR) + negl(k)
where (σS*, σR
*) = (σS’, σR) if w = S (σS, σR’) otherwise
(σS, σR) is a strict Nash equilibrium :
1. (σS, σR) is a Nash equilibrium
2. For any w {S, R} and σ∈ w’ ≠ σw , Uw(σS
*, σR*) ≤ Uw(σS, σR) – 1/kc
where c is a constant
![Page 37: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/37.jpg)
First observation (Impossibility results) Sender must generate a secret key
A game for distinguishing m0, m1 M∈ R \ MS
S uses Bad randomness
Adv can correctly distinguish since Adv knows all the inputs to S except mb
Encryption must be interactive
A game for distinguishing (m0, m0) and (m0, m1)for m0, m1 M∈ R \ MS
S uses Bad randomness
Adv can correctly distinguish if two msgs were encrypted by same randomness
![Page 38: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/38.jpg)
Secure PKE for lazy parties(1. Basic setting)
Two-round PKE Πtwo
Idea: R generates randomness for encryptionR follows since doesn’t know whether m M∈ R
Sender Receiver
c2
Encryption
(pkS, skS) Gen(1k; r1S)
pkS
c1 Enc(pkS, r2R; r3
R)c1
r2R Dec(skS, c1)
c2 = m r2R m = c2 r2
R
Key Generation
r2R R U
![Page 39: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/39.jpg)
A problem of Πtwo :
If R knows that m M∈ R, R uses Bad randomness ( m M∈ S \ MR is not sent securely )
Secure PKE for lazy parties(1. Basic setting)
![Page 40: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/40.jpg)
R may know whether m M∈ R
Secure PKE for lazy parties(2. R knows additional information)
![Page 41: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/41.jpg)
R may know whether m M∈ R
Three-round PKE Πthree
Idea:
Key agreement to share randomness Shared randomness is Good if S or R uses Good
Use the shared randomness for encryption
Secure PKE for lazy parties(2. R knows additional information)
![Page 42: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/42.jpg)
Three-round PKE Πthree
Sender Receiver
c2, c3
Encryption
r = r2R r2
S (= rL ◦ rR)
(pkR, skR) Gen(1k; r1R)
pkR
(pkS, skS) Gen(1k; r1S)
pkS
c1 Enc(pkS, r2R; r3
R)
c1
r2R Dec(skS, c1)
c2 Enc(pkR, r2S; r3
S)
r2S Dec(skR, c2)
r = r2R r2
S (= rL ◦ rR)
c4 Enc(pkS, m; rR)c4
c3 Enc(pkR, m; rL)m Dec(skR, c3)
Key Generation
r2R R U
r2S R U
![Page 43: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/43.jpg)
Non-interactive PKE for lazy parties
![Page 44: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/44.jpg)
Non-interactive PKE for lazy parties
Additional assumption:Players don’t want to reveal their secret keys
![Page 45: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/45.jpg)
Non-interactive PKE for lazy parties
Additional assumption:Players don’t want to reveal their secret keys
Singcryption scheme is secure for lazy partiesif signing key (secret key) can be computed from ciphertext and randomness
S uses Good to avoid revealing secret key
![Page 46: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/46.jpg)
Conclusions
“Lazy parties” may compromise the security
An example of protocols that may not workif players behave in their own interests
Our results
Define the security of PKE for lazy parties
Construct secure PKEs for lazy parties
![Page 47: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/47.jpg)
Conclusions
“Lazy parties” may compromise the security
An example of protocols that may not workif players behave in their own interests
Our results
Define the security of PKE for lazy parties
Construct secure PKEs for lazy parties
Thank you
![Page 48: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/48.jpg)
Lazy parties
(1) They are not concerned about the security in a certain situation
(2) They are unwilling to do a costly task, although they behave in an honest-looking way
Costly task:
Ex. random generation (computation is costly) increasing # rounds to finish (time is costly)
Honest-looking behavior:
Ex. using all-zero string as randomness
![Page 49: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/49.jpg)
A problem of Πthree
If both S and R knows that m M∈ S ∩ MR,it’s difficult to determine which of S/R uses Good
Exits two different (strict) Nash strategies
![Page 50: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/50.jpg)
A problem of Πthree
If both S and R knows that m M∈ S ∩ MR,it’s difficult to determine which of S/R uses Good
Exits two different (strict) Nash strategies
Solution: R uses the all-zero string as randomness in Encif R knows m M∈ S ∩ MR
All-zero string is a signal to R
![Page 51: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/51.jpg)
The security proof of Πthree
(a) r = r2R r2
S is Good if S or R uses Good
(b) m M∈ S MR can be guessed from c4
(c) m M∈ R MS can be guessed from c3
Key Gen( S)
Key Gen( R)
Enc( S)
Enc( R) Security
Good Good Good - ✓Good Good - Good ✓Bad - - - No
- Bad - - No
(a)
(b)
(c)
![Page 52: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/52.jpg)
CPA Game
Challenge Dealer Adv.
Sender Receiver
c Encpk(mb; rS)
3. b R {0,1}
pk
pk
cmb
Enc Deale Gen Dealer
1. G/B
pk, sk
4. G/B
c
auxRauxS
c
m0, m1
mb
⊥ if GrS if B
auxS=
2. (m0, m1) A1(pk, auxR)
5. Output b’ A2(c, auxS)
Pr[ b = b’ ] ≤ 1/2 + negl(k)
(pk, sk) Gen(1k; rR)
⊥ if GrR if B
auxR=
![Page 53: Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN](https://reader035.vdocuments.site/reader035/viewer/2022062516/56649e1c5503460f94b0a2cc/html5/thumbnails/53.jpg)
Impossibility results
Proposition 1.If Sender does not have a secret key,then the scheme is not CPA secure with Nash equilibrium
A game for distinguishing m0, m1 M∈ R \ MS
S uses Bad randomness
Adv can correctly distinguish since Adv knows all the inputs to S except mb
Sender must generate a secret key