A Unified Approach to
Deterministic Encryption:
New Constructions
and
a Connection to
Computational Entropy
Benjamin Fuller Adam O’Neill Leonid Reyzin
Boston University
& MIT Lincoln Lab
Boston University
August 16, 2012
Work from Theory of Crypto 2012
1
Public Key Encryption (PKE)
m
Enc
$
c
PK
Need randomness to achieve semantic security
2
Public Key Encryption (PKE)
What can be achieved without randomness?
m
$
Enc
c
PK
3
Why deterministic PKE?
• The question of deterministic stateful symmetric key
prg – pseudorandom generator
encryption is well understood:
Key:
Messages:
Encryption:
Each bit appears random to
k
bounded distinguisher
m1, …, mn
pad1 || … || padn = prg(k)
ci = padi  mi
• Deterministic PKE is more difficult but has important applications:
– Supporting devices with limited/no randomness
– Enabling encrypted search
– E.g. Spam filtering by keyword on encrypted email
4
Deterministic PKE
• PKE scheme where encryption is deterministic
– Introduced by [BellareBoldyrevaO’Neill07]
• Need source of randomness
 messages are only hope
• Security defined w.r.t. high min-entropy message distribution M
– H∞(M)≥ μ

for all m, Pr[M=m] ≤ (1/2)μ
• Even most likely message is hard to guess:
Network packet w/ fixed header
All Strings of Even Parity
U conditioned on a high probability event
– Message distribution must be independent of public key
• An approach: fake coins to chosen plaintext-secure (CPA) scheme
[BellareBoldyrevaO’Neill07, BelllareFischlinO’NeillRistenpart08]
5
Results
• Deterministic PKE:
– General: from arbitrary TDF with enough hardcore bits
– Efficient: uses only a single application of TDF
• Framework yields constructions from RSA, Paillier, & Niederreiter
– These TDFs have many hardcore bits under
non-decisional (search) assumptions
• Tools of independent interest:
– Improved Equivalence between Indistinguishability & Semantic Security
– Conditional Computational Entropy
• First deterministic PKE for q arbitrarily correlated messages
– Extension of LHL to correlated sources using 2q-wise indep. hash
– Extension of crooked LHL to improve parameters
6
Results
• Deterministic PKE:
– General: from arbitrary TDF with enough hardcore bits
– Efficient: uses only a single application of TDF
Focus of
the talk
• Framework yields constructions from RSA, Paillier, & Niederreiter
– These TDFs have many hardcore bits under
non-decisional (search) assumptions
• Tools of independent interest:
– Improved Equivalence between Indistinguishability & Semantic Security
– Conditional Computational Entropy
• First deterministic PKE for q arbitrarily correlated messages
– Extension of LHL to correlated sources using 2q-wise indep. hash
– Extension of crooked LHL to improve parameters
7
Our Scheme: Encrypt with hardcore Enc hc
Enc
m
$
PK
8
Our Scheme−Enc hc
TDF: Easy to compute, hard to invert without key
hc: Pseudorandom given output of TDF
Ext: Converts high entropy distributions to uniform
TDF – Trapdoor function
hc – Hardcore function
Ext – Randomness extractor
Enc – Randomized Encrypt Alg.
TDF
m
Enc
TDF(m)
hc
hc(m)
Ext
Ext(hc(m))
PK
9
Our Scheme−Enc hc
Question: Why is this semantically secure?
TDF – Trapdoor function
hc – Hardcore function
Ext – Randomness extractor
Enc – Randomized Encrypt Alg.
TDF
m
Enc
TDF(m)
hc
hc(m)
Ext
Ext(hc(m))
PK
10
Indistinguishability
Semantic Security
Definitional Equivalence
[BellareFischlin
O’NeillRistenpart08]
Distributions
of entropy μ-2
Distributions
of entropy μ
This Work
Indistinguishability on
all pairs of msg. distributions
of entropy μ-2
Indistinguishability of all pairs on
conditional msg. distributions,
M|e, of entropy μ-2
Semantic security
on
all msg. distributions
of entropy μ
Semantic security on
a msg. distribution M
(of entropy μ)
M
11
Indistinguishability
Semantic Security
Definitional Equivalence
M|e, Pr[e]≥1/4
[BellareFischlin
O’NeillRistenpart08]
Distributions
of entropy μ-2
Distributions
of entropy μ
This Work
Indistinguishability on
all pairs of msg. distributions
of entropy μ-2
Indistinguishability of all pairs on
conditional msg. distributions,
M|e, of entropy μ-2
or equivalently
M|e, where Pr[e] ≥ 1/4
Semantic security
on
all msg. distributions
of entropy μ
Semantic security on
a msg. distribution M
(of entropy μ)
M
12
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
PK
Enc
Ext
Ext(hc(m))
General Definitional Equivalence
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
13
Our Scheme−Enc hc
TDF – Trapdoor function
hc – Hardcore function
Ext – Randomness extractor
Enc – Randomized Encrypt Alg.
Question: Why is this secure?
TDF
m
Enc
TDF(m)
hc
hc(m)
Ext
Ext(hc(m))
PK
14
Our Scheme−Enc hc
Question: Why is this secure indistinguishable? TDF – Trapdoor function
hc – Hardcore function
To gain intuition we will try removing the
Ext – Randomness extractor
extractor.
Enc – Randomized Encrypt Alg.
TDF
m
Enc
TDF(m)
hc
hc(m)
Ext
Ext(hc(m))
PK
15
Toy Scheme
Question: Is this scheme indistinguishable?
NO: hc can reveal the first bit of m.
TDF
m
TDF(m)
hc
Enc
hc(m)
PK
16
Toy Scheme
Question: Is this scheme indistinguishable?
NO: hc can reveal the first bit of m.
Enc can reveal its first coin.
TDF
m
TDF(m)
hc
Enc
m0 ||...
m0 ||...
PK
17
Outline of Security Proof
m
TDF(m)
TDF
hc hc(m)
Enc
c
PK
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
18
Outline of Security Proof
m
TDF(m)
TDF
Enc
hc hc(m)
c
PK
Robust hardcore function:
hc is hardcore on M|e
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
19
Outline of Security Proof
m
TDF(m)
TDF
hc hc(m)
Enc
c
PK
Robust hardcore function:
hc(M|e) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
20
Robustness: Implicit in Prior Work
TDF
Robust hc function
[Bellare
Fischlin
O’Neill
Ristenpart08]
Iterated trapdoor
permutation
[GL89] hc bit at each
iteration ([BM84] prg)
[Boldyreva
Fehr
O’Neill 08]
Lossy trapdoor
function
Pairwise independent
hash function
Single
iteration
of
This work
arbitrary trapdoor
function
Any function with
enough hc bits +
extractor Ext
21
Outline of Security Proof
m
TDF(m)
TDF
Enc
hc hc(m)
c
PK
Hardcore function:
Robust hardcore function:
hc(M) is pseudorandom
given TDF(M)
Ext( hc(M|e)) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
22
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
PK
Hardcore function:
Robust hardcore function:
Enc
Ext
Ext(hc(m))
hc(M) is pseudorandom
given TDF(M)
Rest of
the talk
Ext( hc(M|e)) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
23
Key Theorem
• Know: hc produces pseudorandom bits on M
• Want: hc produces pseudorandom bits on M|e
M
hc
hc(M)≈U
24
Key Theorem
• Know: hc produces pseudorandom bits on M
• Want: hc produces pseudorandom bits on M|e
M|e
hc
hc(M)≈U
(hc(M|e))≈U
Problem: hc(M|e) cannot be pseudorandom
For example, event e can fix the first bit of hc(M)
Solution: Use HILL entropy!
25
Key Theorem
• Know: hc produces pseudorandom bits on M
• Want: HHILL( M | E ) is high
M|e
hc
26
Key Theorem
• Know: hc produces pseudorandom bits on M
• Want: HHILL( hc(M|e) ) is high
HHILL(X) ≥ μ if
Y, H∞ (Y) ≥ μ
X≈Y
M|e
hc
How is HHILL( hc(M|e) ) related to HHILL( hc(M) )?
General question:
How is HHILL( X|e ) related to HHILL( X )?
Key Theorem:
HILL
HeHILL
(X
|
e)
³
H
',s'
e ,s (X) - log1/ Pr[e]
27
Tangent: Avg Case Cond. Entropy
Info-Theoretic Case [Dodis Ostrovsky Reyzin Smith 04]:
Distribution not a single event!
H¥ (X | E) ³ H¥ (X)- log | E |
Our Lemma:
He /|E|,s (X | E) ³ He,s (X)- log | E |
•
•
•
We can apply the lemma multiple times to measure H(M |E1,E2)
Cannot measure entropy when original distribution is conditional
Average case conditioning useful for leakage resilience
28
Related Work
• Unconditional: HHILL( X|E=e ) related to HHILL( X )?
– [DziembowskiPietrzak08]
• Entropy drop depended on resulting quality (ε’)
– [ReingoldTrevisanTulsianiVadhan08]:
• Improved parameters, entropy drop only depends on e
(we use similar techniques, improve on repeated conditioning)
• Conditional: HHILL( X|E1,E2 ) related to HHILL( X|E1 )?
– [ChungKalaiLiuRaz11]:
• Asymptotic formulation, worst-case cond. min-entropy,
Conditions E1 that have efficient sampling algorithm for X,
|E2|≤ log |sec param.|
– [GentryWichs11]:
• Both X, E1 are replaced by X’, E’1: produces incomparable result 29
Key Theorem
H HILL (hc(M | e)) ³ H HILL (hc(M)) - log1/ Pr[e]
H HILL (hc(M)) ³ n
Pr[e] ³1/ 4
M|e
H
HILL
(hc(M | e)) ³ n - 2
hc
HILL
entropy
30
Key Theorem
H HILL (hc(M | e)) ³ H HILL (hc(M)) - log1/ Pr[e]
H HILL (hc(M)) ³ n
Pr[e] ³1/ 4
M|e
H
HILL
(hc(M | e)) ³ n - 2
hc
HILL
entropy
Ext
pseudorandom
Extractors convert distributions
w/ min-entropy to uniform
w/ HHILL to pseudorandom
31
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
PK
Hardcore function:
Robust hardcore function:
Enc
Ext
Ext(hc(m))
hc(M) is pseudorandom
given TDF(M)
Rest of
the talk
Ext( hc(M|e)) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all conditional pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0], Pr[e1] ≥ 1/4
Semantic Security:
For a message distribution M
32
Results
• Enc hc , deterministic PKE:
– General: from arbitrary TDF with enough hardcore bits
– Efficient: uses only a single application of TDF
• Framework yields constructions from RSA, Paillier, & Niederreiter
– These TDFs have many hardcore bits under
non-decisional (search) assumptions
• Tools of independent interest:
– Improved Definitional Equivalence
– Conditional Computational Entropy
• Allows encryption of messages from block sources
– Each message has entropy conditioned on previous msgs:
H∞(Mi | M1,…, Mi-1) is high
33
Results
• Enc hc , deterministic PKE:
– General: from arbitrary TDF with enough hardcore bits
– Efficient: uses only a single application of TDF
• Framework yields constructions from RSA, Paillier, & Niederreiter
– These TDFs have many hardcore bits under
non-decisional (search) assumptions
• Tools of independent interest:
– Improved Definitional Equivalence
– Conditional Computational Entropy
Briefly
• First deterministic PKE for q arbitrarily correlated messages
– Extension of LHL to correlated sources using 2q-wise indep. hash
– Extension of crooked LHL to improve parameters
34
Extending to multiple messages
• We need an extractor that “decorrelates” messages:
• Use a 2q-wise independent hash function
35
Extending to multiple messages
• We need an extractor that “decorrelates” messages:
• Use a 2q-wise independent hash function
m
TDF
hc hc(m)
TDF(m)
Enc
c
Ext
Ext(hc(m))
PK
36
Extending to multiple messages
• We need an extractor that “decorrelates” messages:
• Use a 2q-wise independent hash function
• First scheme for q-arbitrarily correlated messages
m
TDF
hc hc(m)
TDF(m)
Enc
c
Hash Hash(hc(m))
PK
37
Results
• Enc hc , deterministic PKE:
– General: from arbitrary TDF with enough hardcore bits
– Efficient: using single application of TDF
• Framework yields constructions from RSA, Paillier, & Niederreiter
– These TDFs have many hardcore bits under
non-decisional (search) assumptions
• Tools of independent interest:
– Improved Definitional Equivalence
– Conditional Computational Entropy
• First deterministic PKE for q arbitrarily correlated messages
– Extension of LHL to correlated sources using 2q-wise indep. hash
– Extension of crooked LHL to improve parameters
38
Thank you!
BACKUPS
40
Extending to multiple messages
Lemma (Extension of LHL):
Let M1 ,…, Mq be high entropy,
arbitrarily correlated random variables (Mi ≠ Mj ),
Hash family of 2q-wise indep. hash functions (keyed by K)
1
| range(Hash) |q (q 2 2 H¥ (Mi ) + 3 / 4)
2
K, Hash(K, M1) ,…, Hash(K, Mq)
K,
U1
≈
,…,
Uq
41
Semantic Security for Deterministic PKE
Adversary
Challenger
M – message distribution
f – test function
A
b
M
DetEnc(mb), pk
$
m0 , m1 ¬ M
DetEnc
mb
g
Adv(A) = Pr[g = f (m1 ) | b =1]
Compute f from ciphertext
42
Semantic Security for Deterministic PKE
Adversary
Challenger
M – message distribution
f – test function
A
b
M
DetEnc(mb), pk
$
m0 , m1 ¬ M
DetEnc
mb
g
Adv(A) = Pr[g = f (m1 ) | b =1]- Pr[g = f (m1 ) | b = 0]
Compute f from ciphertext
Compute f from random ciphertext
43
Indistinguishability for Deterministic PKE
Adversary
Challenger
M0 – message distribution
M1 – message distribution
A
M 0, M1
b
$
m¬ M b
DetEnc
DetEnc(m), pk
b'
Adv(A) = Pr[b' = b]-1/ 2
44
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
PK
Enc
Ext
Ext(hc(m))
General Definitional Equivalence
Indistinguishability:
Semantic Security:
For a message distribution M
45
Outline of Security Proof
m
TDF(m)
TDF
hc hc(m)
Enc
c
PK
Q: Is any hc robust? A: NO! Define event e: fix first bit(previous example!)
Robust hardcore function:
hc(M|e) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0],Pr[e1]≥1/4
Semantic Security:
For a message distribution M
46
Outline of Security Proof
m
TDF
hc
TDF(m)
Enc
m0 ||...
m0 ||...
PK
Q: Is any hc robust? A: NO! Define event e: fix first bit(previous example!)
Robust hardcore function:
hc(M|e) is pseudorandom given TDF(M|e)
for all e, Pr[e] ≥ 1/4
Indistinguishability:
For all pairs M|e0 , M|e1
e0, e1 are events s.t. Pr[e0],Pr[e1]≥1/4
Semantic Security:
For a message distribution M
47
Outline of Security Proof
m
TDF
TDF(m)
c
hc hc(m)
PK
Enc
Ext
Ext(hc(m))
Hardcore function
Robust hardcore function
Indistinguishability
Semantic Security
48
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
Ext
PK
Enc
Ext(hc(m))
Hardcore function
1.
Hardcore function:
hc(M) is pseudorandom
given TDF(M)
Robust hardcore function
2.
Comp. Entropy:
hc(M|e) high computational
entropy
3.
Uniform Ext Output:
Ext( hc(M|e) )
pseudorandom
4.
Robust hc function:
Ext( hc(M|e) ) | TDF( M|e )
pseudorandom
49
Indistinguishability
Semantic Security
(1) Hc function
(2) Comp. Entropy
• Know: hc produces pseudorandom bits on M
• Want: HHILL( hc(M|e) ) is high
HHILL(X)≥μ if
 Y, H∞ (Y)≥μ
X≈ε,sY
Distinguisher
Advantage
M|e
hc
Distinguisher
Size
50
Conditional Computational Entropy
Info-Theoretic Case:
H¥ (X | E = e) ³ H¥ (X)- log1/ Pr[e]
Our Lemma:
He /Pr[e],s (X | E = e) ³ He,s (X) - log1/ Pr[e]
Warning: this is not HHILL!
•
•
Different Y (that has true entropy) for each distinguisher (“metric*”)
Notion used in [Barak Shaltiel Widgerson03] [DziembowskiPietrzak08]
51
Conditional Computational Entropy
Info-Theoretic Case:
H¥ (X | E = e) ³ H¥ (X)- log1/ Pr[e]
Our Lemma:
He /Pr[e],s (X | E = e) ³ He,s (X) - log1/ Pr[e]
Warning: this is not HHILL!
•
Can be converted to HILL entropy with a loss in circuit size
[BSW03, ReingoldTrevisanTulsianiVadhan08]
Our Theorem:
H
e ' = e / Pr[e]+ 3 log | M | /s, s' = 3 s / log | M |
(X | E = e) ³ H
HILL
e ',s'
HILL
e,s
(X) - log1/ Pr[e]
52
Tangent: Avg Case Cond. Entropy
Info-Theoretic Case [Dodis Ostrovsky Reyzin Smith 04]:
Distribution not a single event!
H¥ (X | E) ³ H¥ (X)- log | E |
Our Lemma:
He /|E|,s (X | E) ³ He,s (X)- log | E |
•
•
•
We can apply the lemma multiple times to measure H(M |E1,E2)
Cannot measure entropy when original distribution is conditional
Average case conditioning useful for leakage resilience
Works on conditional computational entropy:
[ReingoldTrevisanTulsianiVadhan08], [DziembowskiPietrzak08],
[ChungKalaiLiuRaz11],[GentryWichs10]
53
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
Ext
PK
Enc
Ext(hc(m))
Hardcore function
1.
Hardcore function:
hc(M) is pseudorandom
given TDF(M)
Robust hardcore function
2.
Cond. Comp Entropy:
hc(M|e) high computational
entropy for e, Pr[e]≥1/4
3.
Uniform Ext Output:
Ext( hc(M|e) )
pseudorandom for e, Pr[e]≥1/4
4.
Robust hc function:
Ext( hc(M|e) ) | TDF(M|e)
pseudorandom
Indistinguishability
Semantic Security
54
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
Ext
PK
Enc
Ext(hc(m))
Hardcore function
1.
Hardcore function:
hc(M) is pseudorandom
given TDF(M)
Robust hardcore function
2.
Cond. Comp Entropy:
hc(M|e) high computational
entropy for e, Pr[e]≥1/4
3.
Uniform Ext Output:
Ext( hc(M|e) )
pseudorandom for e, Pr[e]≥1/4
4.
Robust hc function:
Ext( hc(M|e) ) | TDF(M|e)
pseudorandom
Indistinguishability
Semantic Security
55
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
M
TDF
hc
pseudorandom
56
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
M
TDF
hc
pseudorandom
57
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
M|e
TDF
hc
pseudorandom
58
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
M|e
TDF
hc
HILL
entropy
59
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
• Want: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom
M|e
TDF
hc
HILL
entropy
Ext
pseudorandom
60
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
• Want: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom
M|e
TDF
hc
Unfortunately our entropy theorem does not work
if the starting point is conditional
Solution: Consider the joint distribution ( hc(M), TDF(M) )
Condition on e to measure entropy of ( hc(M|e), TDF(M|e) )
HILL
entropy
Ext
pseudorandom
61
(3) Unif. Ext Output
(4) Robust hc function
• Know: hc(M) | TDF(M) is pseudorandom (hc is hardcore)
• Know: Ext( hc(M|e) ) is pseudorandom ((1) (3))
• Lemma: (Ext( hc(M|e) ) | TDF(M|e) ) is pseudorandom
M|e
TDF
hc
Unfortunately our entropy theorem does not work
if the starting point is conditional
Solution: Consider the joint distribution ( hc(M), TDF(M) )
Condition on e to measure entropy of ( hc(M|e), TDF(M|e) )
HILL
entropy
Ext
pseudorandom
62
Outline of Security Proof
m
TDF(m)
TDF
c
hc hc(m)
Ext
PK
Enc
Ext(hc(m))
Hardcore function
1.
Hardcore function:
hc(M) is pseudorandom
given TDF(M)
Robust hardcore function
2.
Cond. Comp Entropy:
hc(M|e) high computational
entropy for e, Pr[e]≥1/4
3.
Uniform Ext Output:
Ext( hc(M|e) )
pseudorandom for e, Pr[e]≥1/4
4.
Robust hc function:
Ext( hc(M|e) ) | TDF(M|e)
pseudorandom
Indistinguishability
Semantic Security
63
Our Scheme−E hc
F
m
F(m)
E
hc
PK
65
Previous Schemes
•
•
•
•
Random Oracle [Bellare Boldyreva O’Neill 07]
Iterated TDP w/ GL Hardcore bit [Bellare Fischlin O’Neill Ristenpart 08]
Lossy TDF, 2-wise independent hash [Boldyreva Fehr O’Neill 08]
Correlated Product TDFs [Hemenway Lu Ostrovsky 10]
Schemes all use trapdoor functions
Can we find a simple and efficient construction
for arbitrary trapdoor and hardcore function pair?
66
(5) Indistinguishability
(6) Security
Theorem [BFOR08]:
Fix message distribution M
E ( M1 ) ≈ E ( M2 ) for all distributions with a little less entropy
H ( M1 ), H( M2 ) ≥ H ( M ) − 2
E is secure on M
It is difficult to consider security for all M1, M2
We will consider only conditional distributions
68
(5) Indistinguishability
(6) Security
Proof:
Fix adversary A with function f
If g ¹ tb , g, r ¹ tb , r
With probability 1/2 over a random r
f
$B, 2Adv(B) ³ Adv(A)
B outputs a 1-bit test vector
We can consider adversaries with binary f
69
(5) Indistinguishability
(6) Security
Proof:
Fix adversary B with binary function f
We can balance f by combining it with a
random coin at the cost of advantage
f
æ 2
ö
+1÷ Adv(C) = 81Adv(C) ³ Adv(B)
ç
è1 4 ø
Pr[1¬ C], Pr[0 ¬ C] ³ 1 4
2
We can consider adversaries with balanced binary f
70
(5) Indistinguishability
(6) Security
Proof:
Fix adversary C with balanced binary function f
f induces two high entropy distributions
M | f ( M )=1, M | f ( M )=0
f
C distinguishes M | f ( M )=1, M | f ( M )=0
If E (M | E) ≈ E (M | E’), then E is secure on M
71
Outline
• Prior work:
Turns out their “coins” hide partial information
• Generalization:
We show hiding partial information
is sufficient in general
• Construction:
We show how to augment any hardcore
function so it hides all partial information
72
E hc Security Notion
Necessary for security: hc hides partial information about m
F
m
F(m)
hc
E
hc(m)
PK
73
Deterministic PKE with RO
[Bellare Boldyreva O’Neill 07]
m
E
$
PK
74
Deterministic PKE with RO [BBO07]
Want construction in standard model
m
E
RO
RO
(m || PK)
PK
75
Deterministic PKE w/o RO
[Bellare Fischlin O’Neill Ristenpart 08]
F
m
E
m
F 0 (m)
GL
PK
76
Deterministic PKE w/o RO [BFOR08]
F
m
F 0 (m)
GL
F1 (m)
E
0
bF0 (m), s
PK
77
Deterministic PKE w/o RO [BFOR08]
F
m
F1 (m)
E
b0
GL
b1
PK
78
Deterministic PKE w/o RO [BFOR08]
F
m
F n-1 (m)
E
b0
GL
b1
…
PK
bn-1
79
Deterministic PKE w/o RO [BFOR08]
F
m
GL
PK
F n (m)
E
b0
…
bn-1
80
Security Proof of [BFOR08]
Construction hides partial information about m in M
E ( M1 ) ≈ E ( M2 ) for all distributions with a little less entropy
H ( M1 ), H( M2 ) ≥ H ( M ) − 2
[BM84] generator with GL is pseudorandom on M1, M2
81
Security Proof
E hc hides partial information about m in M
E ( M1 ) ≈ E ( M2 ) for all distributions with a little less entropy
H ( M1 ), H( M2 ) ≥ H ( M ) − 2
[BM84] generator with GL is pseudorandom on M1, M2
82
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
[BM84] generator with GL is pseudorandom on M1, M2
83
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
Proof shows it is sufficient to consider
high probability E, Pr[E] ≥ 1/4
hc ( M | E ) ≈ hc ( M | E’ ) for events E, E’
84
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
Proof shows it is sufficient to consider
high probability E, Pr[E] ≥ 1/4
hc ( M | E ) ≈ hc ( M | E’ ) where Pr[E] ≥ 1/4, Pr[E’] ≥ 1/4
85
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
Proof shows it is sufficient to consider
high probability E, Pr[E] ≥ 1/4
hc is robust on message distribution M
hc is hardcore on all M|E, Pr[E]≥1/4
86
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
hc is robust on message distribution M
hc is hardcore on all M|E, Pr[E]≥1/4
87
Security Proof
E hc hides partial information about m in M
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc (M | E) ≈ E hc (M | E’) for events E, E’
Can
we find
Shown
usingor construct
standard
robust
hctechniques
functions?
hc is robust on message distribution M
hc is hardcore on all M|E, Pr[E]≥1/4
88
Our Scheme−E hc
• Problem: coins shouldn’t reveal info about m
• Achieved: coins are pseudorandom given F(m)
Coins can still reveal part of the message m
F
m
F(m)
hc
E
hc(m)
PK
89
Our Scheme−E hc
• Problem: hc and E can both reveal the first bit of m.
F
m
F(m)
hc
E
hc(m)
PK
90
Our Scheme−E hc
• Problem: hc and E can both reveal the first bit of m.
• Necessary for security: hc hides “everything” about m.
F
m
F(m)
hc
E
m0 ||...
m0 ||...
PK
91
Ext ( hc() ) is hardcore on M | E
Proof:
(hc(M), f (M)) »e,s (U, f (M))
H
HILL
e ,s
(hc(M ), f (M)) ³ hc + H¥ (M)
By computational
entropy theorem
H
HILL
e ',s'
(hc(M), f (M) | E) ³ hc + H¥ (M) - 2
92
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(hc(M ), f (M )) | E
»e ',s'
(A, B)
93
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(hc(M
| E) | E
(hc(M
), f ),(Mf (M
),U))
|seed|
»e ',s'
(A,(A,
B,UB)
|seed| )
Add independent uniform
random variable
94
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(Ext(hc(M
), f |seed|
(M)),U
(hc(M ),),U
f (M
| E|seed| ) | E
|seed|),U
»e ',s'
',s'-sext
(A, B,U
) |seed| )
(Ext(A,U
), B,U
|seed|
|seed|
Deterministic function can
only help distinguisher
by its size
95
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(Ext(hc(M ),U|seed| ), f (M ),U|seed| ) | E
»e ',s'-sext
(Ext(A,U|seed| ), B,U|seed| )
»eExt
(U, B,U|seed| )
96
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(Ext(hc(M ),U|seed| ), f (M ),U|seed| ) | E
»e ',s'-sext
(Ext(A,U|seed| ), B,U|seed| )
»eExt
(U, B,U|seed| )
Extractor input has
enough entropy
97
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(Ext(hc(M ),U|seed| ), f (M ),U|seed| ) | E
»e ',s'-sext
(Ext(A,U|seed| ), B,U|seed| )
»eExt
(U, B,U|seed| )
»e ',t '
(U, f (X | E),U|seed| )
98
Ext ( hc() ) is hardcore on M | E
Proof:
H¥ ((A, B)) ³ hc + H¥ (M)- 2
(Ext(hc(M ),U|seed| ), f (M ),U|seed| ) | E
»e ',s'-sext
(Ext(A,U|seed| ), B,U|seed| )
»eExt
(U, B,U|seed| )
»e ',t '
(U, f (X | E),U|seed| )
hc( M ), f( M ) | E
≈ε’,s’
(A , B)
implies
f(M)
≈ε’,s’
B
99
Ext ( hc() ) is hardcore on M | E
Theorem:
(hc(M), f (M)) »t,e (U, f (M))
(Ext(hc(M ),U|seed| ), f (M ),U|seed| ) | E
» 2e '+2eExt ,s'-sext
(U, f (M ),U|seed| ) | E
100
Indistinguishability
Security
Theorem:
If E (M | E) ≈ E (M | E’),
E (m)
0001001110001
0 00
M|E
101
Indistinguishability
Theorem:
If E (M | E) ≈ E (M | E’),
M | E’
E (m)
M|E
001001110001
0
001001110001
00
102
Indistinguishability
Security
Theorem:
If E (M | E) ≈ E (M | E’),
Encryption scheme E secure on M
E (m)
M
f
f(m)=???
103
Outline of Security Proof
hc is robust on message distribution M
Pr[E] ³1/ 4, Pr[E '] ³1/ 4, hc(M) | E » hc(M) | E'
Standard argument
E hc (M | E) » E hc (M | E ')
Improve definitional
equivalences of
[BFOR08,BFO08]
E hc is secure for distribution M
Can we find or construct robust hc functions?
104
Outline of Security Proof
hc is robust on message distribution M
Pr[E] ³1/ 4, Pr[E '] ³1/ 4, hc(M) | E » hc(M) | E'
EncwHC(M | E) » EncwHC(M | E ')
EncwHC is secure for distribution M
105
Outline of Security Proof
hc is robust on message distribution M
Pr[E] ³1/ 4, Pr[E '] ³1/ 4, hc(M) | E » hc(M) | E'
Standard techniques
EncwHC(M | E) » EncwHC(M | E ')
Improve definitional
equivalences of
[BFOR08,BFO08]
EncwHC is secure for distribution M
106
hc functions that hide partial information
Necessary for security: hc hides partial information about m
Necessary for security: hc(M | E) ≈ hc(M | E’)
• These are also sufficient conditions
• It is also sufficient to consider only
high probability E, Pr[E] ≥ ¼
107
hc functions that hide partial information
Sufficient for security: hc hides partial information about m
Sufficient for security: hc(M | E) ≈ hc(M | E’)
Pr[E] ≥ ¼, Pr[E’] ≥ ¼
• These are also sufficient conditions
• It is also sufficient to consider only
high probability E, Pr[E] ≥ ¼
108
Outline of Security Proof
1
1
Pr[E] ³ , Pr[E '] ³ , hc(M ) | E » hc(M ) | E '
4
4
109
Making HC functions robust
• Know: hc produces pseudorandom bits on M
• Want: HHILL(M|PI=p) is high
M|PI=p
hc
Theorem:
Hε/Pr[p],s (M | PI = p)  Hε,s (M)  log 1/Pr[p]
Warning: this is not HHILL!
•
Can be converted to HILL entropy with a loss in circuit size
[BSW03, RTTV08]
110
Making HC functions robust
• Know: hc produces pseudorandom bits on M
• Want: HHILL(M|PI=p) is high
M|PI=p
hc
Theorem:
Hε’/Pr[p],s’ (M | PI = p)  Hε’,s’ (M)  log 1/Pr[p]
Warning: this is not HHILL!
•
Can be converted to HILL entropy with a loss in circuit size
[BSW03, RTTV08]
111
Making HC functions robust
• Know: hc produces pseudorandom bits on M
• Want: HHILL(M|PI=p) is high
M|PI=p
hc
Theorem:
Hε/Pr[p],s (M | PI = p)  Hε,s (M)  log 1/Pr[p]
Warning: this is not HHILL!
•
•
Universal, deterministic distinguisher for all Z (“metric*”)
Notion used in [BSW03] and [DP08]
112
EncwHC Lemma
If hc is hardcore on M1 and M2
EncwHC(M1)≈EncwHC(M2)
m
F(m)
F
hc
E
DE
hc(m)
PK
113
Security of EncwHC
Improve definitional
equivalences of
[BFOR08,BFO08]
EncwHC is secure for distribution X
All distributions X|E=e are indistinguishable
hc is hardcore for all X|E=e
***Pr[E=e]≥¼
114
Security of EncwHC
EncwHC is secure for distribution X
All distributions X|E=e are indistinguishable
hc is hardcore for all X|E=e
Can
hc functions?
Canwewefind
findororconstruct
constructrobust
hc functions
secure on X|E=e?
***Pr[E=e]≥¼
115
Making HC functions robust
• Randomness Extractors produce pseudorandom output
if input has conditional computational entropy
• Theorem:
If hc is hardcore
hc
Ext
ext(hc(X)) is robust
Proof requires measuring conditional entropy
116
Conditional computational entropy
H∞(M | E = e)  H∞(M)  log 1/Pr[e]
Extract from conditional entropy to get uniform distribution
HILL(hc(M))
H,s
(hc(M) | =n
E = e) ???
E.g.
H HILL (hc(m) | m0 =1) = ????
Theorem:
H/Pr[e],s (M | E = e)  H,s (M)  log 1/Pr[e]
Warning: this is not HHILL!
•
•
•
Universal, deterministic distinguisher for all Z (“metric*”)
Notion used in [BSW03] and [DP08]
Cannot extract directly
117
Conditional computational entropy
Theorem:
H/Pr[e],s (M | E = e)  H,s (M)  log 1/Pr[e]
Warning: this is not HHILL!
Can be converted to HHILL with a loss in circuit size
[BSW03, RTTV08]
Theorem:
HILL
HeHILL
(M
|
E
=
e)
³
H
',s'
e,s (M) - log1/ Pr[E = e]
Related work on conditional computational entropy:
[RTTV08, DP08, GW10, CKLR11]
118
EncwHC
• Problem: need independent and statistically random coins
DE
m
F(m)
F
hc
E
hc(m)
PK
119
EncwHC
• Problem: need independent and statistically random coins
• While hc(m) is hard to predict from F(m) doesn’t need to hide m
DE
m
F(m)
F
hc
E
hc(m)
PK
120
EncwHC
EncwHC, single message deterministic PKE scheme, from
F, family of trapdoor functions,
hc, sufficiently long hardcore function
Π=(K, E, D), CPA-secure PKE scheme
DE
m
F(m)
F
hc
E
hc(m)
PK
121
Security of Det PKE [BBO07]
K
x0
pk
A1
DE
t0
122
Security of Det PKE [BBO07]-PRIV
[BBO07]
K
x0 , x1
A1
pk
b=$
DE
E(xb, pk)
A2
t’
priv
P,A
Adv
(k) = Pr[t1 = t ' | b =1]- Pr[t1 = t ' | b = 0]
t0, t1
123
Security of Det PKE [BFOR08]
PRIV
• Adversary cannot
communicate using
ciphertext (semantic
security)
IND
• Adversary cannot
distinguish between two
high entropy distributions
IND-security for all pairs of message distributions,
X1, X2, where H∞(X1)≥ μ-ε and H∞(X2)≥ μ-ε
implies
PRIV-security for all message distributions,
X, of H∞(X)≥μ
124
EncwHC PRIV-Lemma
• Call hc robust for distribution X if hc is hardcore for all
X|E=e where Pr[E=e]≥¼.
• Intuitively, hc hides partial information about X.
Can we find or construct robust hc functions?
Theorem:
Suppose Π=(K, E, D ) is CPA secure,
F is a TDF family,
hc is robust on distribution M,
then,
EncwHC is PRIV-secure on M.
125
Whirlwind Entropy Review
• Min-Entropy
guessing probability
H∞(X) = log max Pr[x]
X over {0, 1}n
xX
= log guessing prob(X)
•
•
[HILL99] generalized pseudorandomness to
distributions with entropy:
HILL(X)  k if Z such that H(Z) = k and X  Z
H,s
Two more parameters relating to what  means
• maximum size s of distinguishing circuit D
• maximum advantage  with which D will distinguish
126
Outline
• Previous deterministic PKE schemes
• Hardcore functions that hide partial information
• Making hardcore functions tolerate correlation
– Pseudorandomness from conditional computational entropy
127
Security of Det PKE [BFOR07]-IND
b=$
K
x0b
A1
pk
DE
E(xb, pk)
A2
d
ind
P,A
Adv
1
(k) = Pr[d = b]2
128
EncwHC IND-Lemma
If hc is hardcore on X1 and X2
Then EncwHC is IND-secure for X1, X2
Issues
How to show hc is hardcore for input distribution?:
Want to work with PRIV (semantic security)
This means showing hc is hardcore for X, H∞(X)≥μ
129
Lemma
• For any family of trapdoor functions, F, with sufficiently
many hardcore bits, hc, and a CPA-secure PKE
scheme Π=(K, E, D), EncwHC is IND-secure
DE
m
Φ
F
FF (m)
hc(m)
hc
c
E
PK
130
Lemma
• For any family of trapdoor functions, F, with sufficiently
many hardcore bits, hc, and a CPA-secure PKE
scheme Π=(K, E, D), EncwHC is IND-secure
DE
m
Φ
F
FF (m)
hc(m)
hc
c
E
PK
131
IND-Security
PRIV-Security
• The equivalence of [BFOR08] showed
IND-security of all message distributions,
X’, where H∞(X’)≥ μ-ε,
implies
PRIV-security for all message distributions,
X, of H∞(X)≥μ.
• This is a hard condition to satisfy, would like to argue
about a single message distribution X.
• Scheme “should” be PRIV secure for X it hides all
partial information about X.
132
Conditional computational entropy
Theorem:
H/Pr[y],s (X | Y = y)  H,s (X )  log 1/Pr[y]
Warning: this is not HHILL!
But it can be converted to HHILL with a loss in circuit size
[BSW03, RTTV08]
Theorem:
where
HILL
HeHILL
(X
|Y
=
y)
³
H
',s'
e ,s (X)- log1/ Pr[Y = y]
e ' = e / Pr[Y = y]+ 3
log | X |
, s' = W( 3 s / log | X | )
s
133
Comparison with Dense Model Thm
Let R be a distribution and
let D be a δ-dense
distribution.
Suppose that for every h
|E h(R) – E h(U) | < ε’
Then there exists a δ-dense
distribution M of U such
that for all f:
Let R be a distribution and
let Pr[D=d]=δ.
Suppose that
|E f(D) – E f(M) | < ε
H,s (R|D=d )> k – log 1/δ
H,s (R ) >k
Then
134
Average Case Conditional
[DORS08]: H∞(X | Y )  H∞(X)  log |Y|
E.g. H∞(X | wt (X))  H∞(X)  log (length of X)
Our Theorems:
H|Y|,s (X | Y )  H,s (X )  log |Y|
H|Y2|,s (X | Y1, Y2 )  H,s (X |Y1)  log |Y2| *
*Requires the original entropy to be “decomposable”
Related work on conditional computational entropy:
[RTTV08, DP08, GW10, CKLR11]
135
Main Result
• We can extract from a distribution with
conditional computational entropy.
• This allows us to make any hc robust
m
Φ
F
E
FF (m)
DE
ext(hc(m), s)
hc
s
ext
PK
136
Main Result
• EncwHCExt, from
any family of TDFs, F, with
sufficiently many hardcore bits, hc,
CPA-secure PKE (K, E, D),
and strong average-case extractor ext.
m
Φ
F
E
FF (m)
DE
ext(hc(m), s)
hc
s
ext
PK
137
Additional Results/Directions
• Multi-message security from block source
• Bounded multi-message security using extension to
Crooked Leftover Hash Lemma
• Future Directions:
– General multi-message security w/o RO
– Full chain rule for computational entropy
138