slides
advertisement
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97] ππ π = πΈππππ (π; π) Sender Receiver sπ Outputs: π·πππ π π = π For any π′ in the message space, can produce a fake opening (π′, π π′) explaining the transcript as an encryption of π′ . Sender-Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97] ππ π = πΈππππ (π; π) Sender Receiver sπ Outputs: π·πππ π π = π Applications: definition Receiver-Deniable Key For Analogous any π′ in the messageforspace, can produce aPublic fake opening • After the fact incoercibility Encryption π′ explaining the transcript as an encryption of π′ . • Adaptive security What is known? • Receiver-Deniable PKE and thus Deniable PKE is impossible [Bendlin, Nielsen, Nordholt, Orlandi, 11]. • Sender-Deniable encryption with weak security from standard assumptions [Canetti, Dwork, Naor, Ostrovsky, 97]. • Bi-Deniable encryption in the multi-distributional model constructed by [O’Neill, Peikert, Waters, 11] • [Sahai, Waters 14] achieve Sender-Deniable public key encryption from indistinguishability obfuscation (IO). – Non-black box use of underlying primitives. – Requires strong assumptions (FHE + multilinear maps). Our Goal • Understand minimal assumptions necessary for sender-deniable public key encryption. • Necessity of non-black-box techniques. Is there a black-box construction of senderdeniable public key encryption from simulatable public key encryption? Underlying primitive we consider Simulatable Public Key Encryption Algorithms (ππΊππ, ππΊππ), (ππΈππ, ππΈππ) (ππΊ , pk) s.t. ππΊππ ππΊ = ππ “Oblivious” (ππ, ππΈ , π) s.t. ππΈππ ππ, ππΈ = π ≈ (π ′ πΊ , pk) s.t. πΊππ ππΊ = ππ π ′ πΊ = ππΊππ ππ (ππ, π ′ πΈ , π) s.t. πΈππ ππ, ππΈ = π π ′ πΈ = ππΈππ ππ, π Why this primitive? Simulatable PKE is sufficient for related primitives: Intuition: • Bi-deniable Can generate encryption a public in the key/ciphertext multi-distributional honestly model and claim [OPW11] that it • 1/poly-secure was sender-deniable generated obliviously. encryption [CDNO97] • Non-committing encryption [CFGN96]. Weak Sender-Deniable PKEfrom Simulatable PKE Simplification of [CDNO97] construction: πΈππ (0π ) Obliv. Obliv Obliv πΈππ (0π ) Obliv. ... πΈππ (0π ) Obliv Obliv k ciphertexts ToToencrypt a 0, setsay odd number of ciphertexts to oblivious. deny, lie and that an honestly generated ciphertext was generated To encrypt a 1, set an even number of ciphertexts to oblivious. obliviously. Polynomial security: Real and Fake openings can be distinguished with 1/poly Problem: Cannot lie and claim that an obliviously generated ciphertext was advantage generated non-obliviously. Super-polynomial security: Real and Fake openings can only be distinguished with Only achieves O(k) security, where k is the number of queries made by encryption. negligible advantage Our Results Theorem: There is no black-box construction of sender-deniable public key encryption with super-polynomial security from simulatable public key encryption. More specifically: Every black-box construction of a senderdeniable PKE scheme from simulatable PKE which makes π queries to the simulatable PKE cannot achieve security better than O(π4 ). Nearly tight with [CDNO97] construction. Some Proof Intuition Oracle separation: Oracle relative to which Simulatable PKE exists, Sender-Deniable PKE does not exist. Our oracle: Important: random string is unlikely to be in the range • πΊ: 0,1 π → 0,1 3π takes inputs π π and outputs ππ.of πΊ or πΉ ππ,∗ . • πΉ: 0,1 4π → 0,1 12π takes inputs (ππ, π₯) and outputs π¦. • πΉ −1 : 0,1 13π → 0,1 π takes inputs (π π, π¦ )and returns π₯ if πΊ(π π) = ππ and πΉ(ππ, π₯) = π¦ and ⊥ otherwise. Simulatable PKE relative to oracle: • First π bits of input x is plaintext. • Public keys and ciphertexts are indistinguishable from random strings: ππΊππ(ππΊ ), ππΈππ(ππΈ ) output ππΊ , ππΈ . ππΊππ(ππ), ππΈππ(ππ, π) output ππ and π itself. Some Proof Intuition Impossibility of Sender-Deniable Encryption: In a super-polynomially-secure scheme, should be able to run deny an unbounded polynomial π number of times and have that: • π0 , π = πΈππππ π; π0 original randomness • π1 = π·πππ¦ππ π0 , 1 − π , π looks fresh • (π2 = π·πππ¦ππ π1 , π , π) looks fresh ... • (ππ = π·πππ¦ππ ππ−1 , 1 − π , π) looks fresh In the oracle case: We consider sequences of Sender views ππππ€π0 , ππππ€π1 , … , ππππ€ππ . Each view contains the input bit, random tape, oracle queries + responses. Some Proof Intuition • Correctness of encryption guarantees: – If Sender’s view is an encryption of a bit b, then Receiver’s view sampled conditioned on Sender’s view will be a decryption of the same bit b w.h.p. ππππ€π | ππππ€π – Using [Impagliazzo, Rudich, 89]-type techniques: π is the set of likely intersection • π can use Eve algorithm to findqueries set π of likely intersection between π, π given π’squeries view. between π and π : ππππ€π ππππ€π , π ≈ ππππ€π ππ, π, π – Note that (ππ, π) are fixed. – The only way to change the distribution of ππππ€π | ππππ€π , π is to change the set π. – Distribution must change in each iteration. A First Attempt Consider the set π0 generated by π from its real ππππ€π0 . Let ππ be the set corresponding to fake ππππ€ππ . “Claim”: Q π ⊆ π0 Therefore, in order to change distribution over Receiver’s view, queries must be removed each time. • There are at most poly number of queries in real π0 so deny can be run at most a polynomial number of times before it fails. So cannot get super-polynomial security. • “Claim”: Intuitively, this is what happens in [CDNO97] construction. • • • • Problem • “Claim” is false! It is possible that ππ β π0 ≠ ∅. • Toy Example: 12n encryptions To encrypt a 0: πΈ(ππ, 0π ) πΈ(ππ, 0π ) πΈ(ππ, 0π ) πΈ(ππ, 0π ) Obliv πΈ(ππ, 0π ) To encrypt a 1: Compute π ∗ = πΉ(ππ, π ∗ ); Say π ∗ = 01. . .10, length 12π bits. πΈ(ππ, 0π ) Obliv π ; π . 0. Decrypt: Note:Decrypt In 0 case, 12n intersection ciphertexts.queries If theywill all consist output of 0π 0 , output π ∗ ∗ ∗ Otherwise, In 1 case, compute intersection π and queries decrypt will to get contain π . Output π . 1. Problem • “Claim” is false! It is possible ππ β π0 ≠ ∅. • Toy Example: Can claim an encryption of 0 is an encryption of 1: In the process will add an arbitrary query to set of intersection queries. πΈ(ππ, 0π ) πΈ(ππ, 0π ) πΈ(ππ, 0π ) πΈ(ππ, 0π ) Obliv πΈ(ππ, 0π ) Compute π ∗ = πΉ(ππ, π ∗ ); Say π ∗ = 01. . .10 πΈ(ππ, 0π ) Obliv Note: Intersection queries now include, π ∗ . Some Proof Intuition • Main technical part of proof is to deal with the case that ππ β π0 ≠ ∅. • Use an information compression argument to show that w.h.p. over choice of oracle, we cannot have a sequence of openings with too many new queries. Some Proof Intuition • Since Eve makes a polynomial number of queries: Can encode a sequence of openings with a short string. So total possible number of encodings is small. – Intuition: To encode a query π ∈ ππ , use its index in the Eve algorithm. • For a fixed encoding, probability randomly chosen oracle is consistent with the encoded sequence of openings is small. – Follows from property of oracle that a random string is unlikely to be in image of πΉ(ππ,∗). • Since number of encodings is small, prob. a randomly chosen oracle is consistent with any sequence is small. Open Problems • Extend impossibility result to trapdoor permutations. • Extend impossibility results to multiple round encryption schemes. • Construct sender-deniable public key encryption without relying on IO? Thank you!
