Improved Non-Committing Encryption with Application to Adaptively Secure Protocols

Seung Geol Choi, Columbia University
Joint work with Dana Dachman-Soled (Columbia Univ.), Tal Malkin (Columbia Univ.), and Hoeteck Wee (CUNY, Queens College)

Outline
• Motivation
• Our Work
  – Our Contribution
  – NC-PKE from Trapdoor Simulatable PKE
  – Trapdoor Simulatable PKE from Factoring
• Conclusion

Adversarial corruption in MPC
• Semi-honest vs. Malicious
  – corrupted parties behave honestly or
  – arbitrarily
• # corrupted parties
  – Honest majority vs. dishonest majority.
• Static vs. Adaptive [CFGN96]
  – corrupted parties are determined at the outset or
  – during the protocol adaptively
[Slide annotations: "Assumption on the Adversary"; arrow labelled "More Realistic"]

Black-box construction of Adaptively secure MPC with Dishonest Majority
[Diagram: (Aug.) NC-PKE → [CLOS02, CDMW09] → Adaptively secure oblivious transfer → [IPS08] → MPC]
Q: What are the assumptions achieving black-box construction of MPC (NC-PKE)?
– Of theoretical interest
– More efficient: avoid general NP reductions incurred by ZK proofs.

Non-Committing Encryption (NCE) [CFGN96]
• Encryption that realizes a secure channel against an adaptive adversary
  – (Possibly interactive) encryption: (Gen, Enc, Dec)
  – with additional property: SIM
    • SIM generates pairs (e, c) that open to 0 and to 1 (sender equivocal & receiver equivocal)
[Figure: Enc(0), Enc(1)]

Non-Committing Public Key Encryption (NC-PKE)
• Two-round NCE
  – Bob sends his pk to Alice
  – Alice sends an encryption under pk to Bob
  – Desirable

Goal
[Diagram: (Aug.) NC-PKE → [CLOS02, CDMW09] → Adaptively secure oblivious transfer → [IPS08] → MPC]
Construct (Aug.) NC-PKE from lower primitives in a black-box manner.

Known NCE Constructions
[Diagram: [CFGN96]: CDH, RSA → simulatable common-domain TDP → NC-PKE; [B97, DN00]: DDH, LWE → simulatable PKE → 3-round NCE]

Main Result
• Construct NC-PKE from trapdoor simulatable PKE
  – Relaxed notion of simulatable PKE
  – First NC-PKE from LWE
• Construct trapdoor simulatable PKE from hardness of factoring
  – First NC-PKE from Factoring
[Diagram, three layers: assumptions (CDH, RSA, DDH, LWE, Factoring); primitives (simulatable common-domain TDP, simulatable PKE, trapdoor simulatable PKE); encryption (NC-PKE, 3-round NCE)]

Our Contribution
[Diagram: Factoring, LWE → Trapdoor Simulatable PKE → (Aug.) NC-PKE → [CLOS02, CDMW09] → Oblivious Transfer → [IPS08] → MPC]
From LWE and factoring, first black-box constructions of
– NC-PKE
– Adaptively secure OT
– Adaptively secure MPC with dishonest majority

Simulatable PKE [DN00]
• PKE (Gen, Enc, Dec) with additional properties
  – Property 1: Oblivious Sampling
    • oGen: generates a random pk w/o learning about its sk
    • oRndEnc: generates a random ciphertext w/o learning about its plaintext
    • E.g. ElGamal:
      – key: $(y = g^x, x)$ → pick random $y$ in $G$
      – Enc: $(g^r, m \cdot y^r)$ → pick random $(c_1, c_2)$ from $G$

Trapdoor Simulatable PKE [DN00]
• Property 2: (Trapdoor) Invertibility
  – rGen (+ randomness for Gen)
    • Input: a normally-generated pub-key $e$
    • Output: randomness $r_G$ s.t. oGen($r_G$) $= e$
  – rRndEnc (+ randomness for Gen, Enc & plaintext)
    • Input: a normally-generated key and ciphertext $(e, c)$
    • Output: randomness $r_E$ s.t. oRndEnc($e, r_E$) $= c$
  – E.g. ElGamal:
    • key: $y$ from $(y = g^x, x)$; output $y$
    • Enc: $y$ and $(c_1, c_2)$ from $(y, x)$ and $(g^r, m \cdot y^r)$; output $(c_1, c_2)$

NCE from (trapdoor) simulatable PKE
• Need to construct SIM that generates ciphertexts that open to both 0 and 1.
• General Idea: SIM lies about obliviousness.
  – Protocol specifies some pk’s and ciphertexts should be generated obliviously.
  – SIM knows everything (all the pk’s and ciphertexts are generated by normal Gen, Enc).
  – SIM: clever lies on the set of obliviously generated pk’s and ciphertexts (via rGen, rRndEnc) lead to opening to both 0 and 1.

Toy Construction [DN00, KO04] - 1
• Key Gen: $(pk_0, pk_1)$
  – For a random $x$: $pk_x \leftarrow \mathsf{Gen}()$, $pk_{1-x} \leftarrow \mathsf{oGen}()$
• Encryption of a bit $b$: $(c_0, c_1)$
  – For a random $y$: $c_y \leftarrow \mathsf{Enc}(b)$, $c_{1-y} \leftarrow \mathsf{oEnc}()$
• Decryption of $(c_0, c_1)$:
  – Output $\mathsf{Dec}(sk_x, c_x)$
[Figure: key pair $(pk_0, pk_1)$ and ciphertext pair $(c_0, c_1)$, comparing $x$ and $y$]
Decryption error = ¼ (can reduce by repetitions)

Toy Construction [DN00, KO04] - 2
• Secure for adaptive corruption for one party
[Figure: Corrupt S: m = 1; Corrupt R: m = 0]
  – Disclaimer: Need to handle decryption error ¼
• If both corrupted?
  – [Figure: Corrupt S] $x$ is fixed ($x = y$). No events such as [Figure: Corrupt R]

The Idea to achieve NC-PKE
• Summary of the toy construction
  – R knows half of secret keys
  – Handles adaptive corruption of one party [KO04]
  – Cannot handle corruption of both parties: lack of freedom to simulate the party corrupted second.
• To handle corruption of both parties
  – Raise the fraction of obliviousness
  – ¾ is good enough

The Construction
• KeyGen: $(e_1, \dots, e_{4k})$
  – $T$: random set of size $k$; if $x \in T$, $e_x \leftarrow \mathsf{Gen}()$, else $e_x \leftarrow \mathsf{oGen}()$
• Enc of $b$: $(c_1, \dots, c_{4k})$
  – $S$: random set of size $k$; if $y \in S$, $c_y \leftarrow \mathsf{Enc}(b^k)$, else $c_y \leftarrow \mathsf{oEnc}()$
• Dec of $(c_1, \dots, c_{4k})$: If $\mathsf{Dec}(sk_T, c_T)$ contains $0^k$, output 0. Else output 1
[Figure: example with k = 2]
Decryption error = +

Summary: NC-PKE from (trapdoor) simulatable PKE
• Obliviousness
  – ¾ of keys and ciphertexts are generated obliviously.
  – Still, we get negligible decryption error by repetitions.
  – SIM can generate a (e, c) pair that opens to 0 and 1
    • Keys and ciphertexts are generated normally.
    • Using (trapdoor) invertibility, fake on obliviously generated sets.
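
The 4k-key construction from the slides above, as an added example that is not part of the original talk: it uses toy ElGamal as the simulatable PKE and measures how the decryption error shrinks as k grows. The group parameters P, Q, G, the encodings M0/M1 standing in for the plaintexts 0^k and 1^k, and all function names are assumptions made for illustration.

```python
import random

# Toy group, constructed and far too small to be secure: P = 2Q + 1, G = 4 has order Q.
P, Q, G = 2039, 1019, 4
M0, M1 = G, pow(G, 2, P)  # assumed encodings of the plaintexts 0^k and 1^k

def gen(rng):  # Gen: ElGamal key pair (y = g^x, x)
    x = rng.randrange(1, Q)
    return pow(G, x, P), x

def o_sample(rng):  # uniform subgroup element with unknown discrete log
    return pow(rng.randrange(1, P), 2, P)

def enc(pk, m, rng):  # Enc: (g^r, m * y^r)
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(pk, r, P) % P

def dec(sk, c):  # Dec: c2 / c1^x, using c1^Q = 1
    return c[1] * pow(c[0], Q - sk, P) % P

def keygen(k, rng, T=None):
    """4k public keys; only the k positions in T are generated with a secret key."""
    T = set(rng.sample(range(4 * k), k)) if T is None else set(T)
    pks, sks = [o_sample(rng) for _ in range(4 * k)], {}  # oGen everywhere ...
    for i in sorted(T):
        pks[i], sks[i] = gen(rng)                         # ... then Gen on T
    return pks, sks

def encrypt(pks, b, rng, S=None):
    """4k ciphertexts; only the k positions in S really encrypt b."""
    k = len(pks) // 4
    S = set(rng.sample(range(4 * k), k)) if S is None else set(S)
    return [enc(pks[i], M1 if b else M0, rng) if i in S
            else (o_sample(rng), o_sample(rng))  # oRndEnc
            for i in range(4 * k)]

def decrypt(sks, cts):
    """Output 0 if some position in T decrypts to M0, otherwise output 1."""
    return 0 if any(dec(x, cts[i]) == M0 for i, x in sks.items()) else 1

def error_rate(k, trials, seed=0):
    rng, bad = random.Random(seed), 0
    for _ in range(trials):
        b = rng.randrange(2)
        pks, sks = keygen(k, rng)
        bad += decrypt(sks, encrypt(pks, b, rng)) != b
    return bad / trials
```

Most errors come from encryptions of 0 where T and S do not intersect, which is why raising k drives the rate down.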

Trapdoor Simulatable PKE from Factoring
• There is a standard construction that achieves PKE from trapdoor one-way permutation (TDP) using hard-core bits. I.e., for a TDP $f$,
  – $\mathsf{Gen}() \to (e, d)$: $e = f$, $d = f^{-1}$
  – $\mathsf{Enc}(b) \to (f(x), r, (x \cdot r) \oplus b)$: where $r$, $x$ are random.
• Construct TDP from hardness of factoring Blum Integers (BI) with oblivious sampling and trapdoor invertibility

Rabin’s TDP for Blum Integers
• Quadratic Residues on a Blum integer $N$: $QR_N = \{y : y = x^2,\ x \in \mathbb{Z}_N^*\}$
• Rabin TDP
  – $f: QR_N \to QR_N$
  – $f(x) = x^2 \bmod N$
  – Is based on hardness of factoring assumption

Basic Idea: for Keys
• Key Generation: sample $k^3$ $k$-bit integers w/ factoring [Bach ’88]
• Encryption of $b$ given keys $(N_1, \dots, N_{k^3})$
  – $\mathsf{Enc}_{N_1}(b_1), \dots, \mathsf{Enc}_{N_{k^3}}(b_{k^3})$ where $b = b_1 \oplus \dots \oplus b_{k^3}$
  – WHP, at least one $N_i$ is BI.
• Oblivious sampling: easy (sample $k^3$ integers)
• Trapdoor Invertibility: easy

Basic Idea: for Ciphertexts
• Change TDP description slightly
  – $Q_N = \{a^{2^k} : a \in \mathbb{Z}_N^*\}$ where $k = |N|$
  – $f: Q_N \to Q_N$, $f(x) = x^{2^{k+1}} \bmod N$
• Oblivious sampling: easy (sample from $Q_N$)
• Trapdoor Invertibility: find random $2^k$-th root w/ factoring

Conclusion
[Diagram: Factoring, LWE → Trapdoor Simulatable PKE → (Aug.) NC-PKE → [CLOS02, CDMW09] → Oblivious Transfer → [IPS08] → MPC]
From LWE and factoring, first black-box constructions of
– NC-PKE
– Adaptively secure OT
– Adaptively secure MPC with honest minority

Thank you
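
The hard-core-bit PKE over Rabin's permutation, from the "Trapdoor Simulatable PKE from Factoring" and "Rabin's TDP for Blum Integers" slides, as an added example that is not part of the original talk. The toy primes BP and BQ and all function names are assumptions for illustration; it covers only the standard construction on QR_N, not the modified domain Q_N.

```python
import math
import random

# Constructed toy Blum integer N = p*q with p, q = 3 (mod 4); far too small to be secure.
BP, BQ = 1019, 1031
N = BP * BQ

def sample_qr(rng):
    """Uniform element of QR_N: square a random unit of Z_N^*."""
    while True:
        a = rng.randrange(1, N)
        if math.gcd(a, N) == 1:
            return a * a % N

def f(x):
    """Rabin permutation on QR_N."""
    return x * x % N

def f_inv(y):
    """Trapdoor inversion: the unique square root of y that is itself in QR_N."""
    rp = pow(y, (BP + 1) // 4, BP)  # square root modulo p that is a QR modulo p
    rq = pow(y, (BQ + 1) // 4, BQ)  # square root modulo q that is a QR modulo q
    # Recombine the two roots with the Chinese remainder theorem.
    return (rp * BQ * pow(BQ, -1, BP) + rq * BP * pow(BP, -1, BQ)) % N

def hardcore(x, r):
    """Inner product of the bit strings x and r modulo 2."""
    return bin(x & r).count("1") & 1

def enc(b, rng):
    """Enc(b) = (f(x), r, <x, r> xor b) for random x in QR_N and random r."""
    x, r = sample_qr(rng), rng.getrandbits(N.bit_length())
    return f(x), r, hardcore(x, r) ^ b

def dec(c):
    """Invert f using the factorization, then remove the hard-core bit mask."""
    y, r, masked = c
    return hardcore(f_inv(y), r) ^ masked
```

Only the holder of the factorization (BP, BQ) can run f_inv; anyone knowing N alone can run sample_qr, f and enc.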