Trapdoor Functions and Applications
LOSSY Identity-based (Lossy) Trapdoor Functions and Applications
Mihir Bellare, Eike Kiltz, Chris Peikert, Brent Waters Friday, April 20, 12
Injective trapdoor function n {0,1}
Friday, April 20, 12
fpk
R
Injective trapdoor function n {0,1}
fpk f-1 hard sk: easy
Friday, April 20, 12
R
Injective trapdoor function n {0,1}
fpk
R
f-1 hard sk: easy
• Example: RSA [RSA 78] • TDF: most fundamental crypto primitive • History: 6 years before encryption [GM 84] Friday, April 20, 12
Security notions
Friday, April 20, 12
Security notions • One-wayness: Gen → (pk, sk)
pk, fpk(x) → x hard (random x)
Friday, April 20, 12
Security notions • One-wayness: Gen → (pk, sk)
pk, fpk(x) → x hard (random x)
• Lossiness [PW08]: exists Gen’ → “fake” pk: 1. pk≈c pk
Lossy pk
2. Range(fpk) ≪ 2n
Friday, April 20, 12
{0,1}n
fpk ≪
n 2
Lossy trapdoor functions
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
• Advanced encryption:
CCA security, selective opening security, deterministic PKE, hedged PKE
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
• Advanced encryption:
CCA security, selective opening security, deterministic PKE, hedged PKE
• Constructions:
DDH, QR, Paillier, LWE, Phi-Hiding, ...
Friday, April 20, 12
Our paper Trapdoor functions in ID-based framework 1. Definitions 2. Applications 3. Constructions
• From bilinear maps • From lattices Friday, April 20, 12
ID-based encryption (IBE) •Gen → (pk,sk) n Enc(pk,ID,m) → c for ID∈{0,1} • •Extract(sk,ID) → trapdoor skID •Dec(skID,ID,c) = m
Friday, April 20, 12
ID-based encryption (IBE) •Gen → (pk,sk) n Enc(pk,ID,m) → c for ID∈{0,1} • •Extract(sk,ID) → trapdoor skID •Dec(skID,ID,c) = m History:
• IBE [S84, BF03] • ID-based signatures, ... Friday, April 20, 12
ID-based trapdoor functions •Gen → (pk,sk) n → R for ID∈{0,1}n Eval(pk,ID,・) = f : {0,1} • ID •Extract(sk,ID) → trapdoor skID •Invert(skID,・) = fID-1(・) {0,1}n
fID1 fID2 fID3 ...
Friday, April 20, 12
R
ID-based trapdoor functions •Gen → (pk,sk) n → R for ID∈{0,1}n Eval(pk,ID,・) = f : {0,1} • ID •Extract(sk,ID) → trapdoor skID l a r u t a N •Invert(skID,・) = fID-1(・) ! t c e j b o {0,1}n
fID1
fID2 fID3 ...
Friday, April 20, 12
R
Security? Intuition: fID*(.) “secure” even given skID for ID≠ID*
Friday, April 20, 12
secure
Selective
Adaptive
one-way
ID-OW-S
ID-OW-A
lossy
ID-LS-S
ID-LS-A
One-wayness Exp ID-OW-S
Selective adversary ID*
Friday, April 20, 12
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Friday, April 20, 12
Selective adversary ID* pk
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Selective adversary ID* pk IDi≠ID* skIDi
Friday, April 20, 12
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Selective adversary ID* pk
chose ID*
IDi≠ID* skIDi
x Win: x=x’ ∈{0,1}n
Def: One-way Friday, April 20, 12
fID*(x) x’ Pr[Adversay wins] = negl
One-wayness Exp ID-OW-S ID-OW-A (pk,sk)←Gen
Adaptive Selective adversary pk IDi≠ID* skIDi ID*
x Win: x=x’ ∈{0,1}n
Def: One-way Friday, April 20, 12
fID*(x) x’
adaptively chose ID*
Pr[Adversay wins] = negl
Selective lossiness Exp ID-LS-S
Friday, April 20, 12
ID*
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Friday, April 20, 12
ID* pk
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Friday, April 20, 12
ID* pk IDi≠ID* skIDi
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
ID* pk
Selective adversary
IDi≠ID* skIDi
b=0/1 Def: Lossy Friday, April 20, 12
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
ID* pk
Selective adversary
IDi≠ID* skIDi lossy identity ID* b=0/1
Def: Lossy Friday, April 20, 12
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Def: Lossy Friday, April 20, 12
pk
---
IDi≠ID* skIDi
e v i t p a d A ? ? ? y t i r u c e s
ID*
Selective adversary
lossy identity ID*
b=0/1
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk IDi≠ID* skIDi ID* b=0/1
Friday, April 20, 12
Adversary Adaptive adversary
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk
IDi≠ID* hidden d-fraction skIDi identities lossy ID* b=0/1
Friday, April 20, 12
Adversary Adaptive adversary
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk
Adversary Adaptive adversary
IDi≠ID* hidden d-fraction skIDi identities lossy ID* b=0/1
Def: d-lossy for scaling parameter 0
Mihir Bellare, Eike Kiltz, Chris Peikert, Brent Waters Friday, April 20, 12
Injective trapdoor function n {0,1}
Friday, April 20, 12
fpk
R
Injective trapdoor function n {0,1}
fpk f-1 hard sk: easy
Friday, April 20, 12
R
Injective trapdoor function n {0,1}
fpk
R
f-1 hard sk: easy
• Example: RSA [RSA 78] • TDF: most fundamental crypto primitive • History: 6 years before encryption [GM 84] Friday, April 20, 12
Security notions
Friday, April 20, 12
Security notions • One-wayness: Gen → (pk, sk)
pk, fpk(x) → x hard (random x)
Friday, April 20, 12
Security notions • One-wayness: Gen → (pk, sk)
pk, fpk(x) → x hard (random x)
• Lossiness [PW08]: exists Gen’ → “fake” pk: 1. pk≈c pk
Lossy pk
2. Range(fpk) ≪ 2n
Friday, April 20, 12
{0,1}n
fpk ≪
n 2
Lossy trapdoor functions
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
• Advanced encryption:
CCA security, selective opening security, deterministic PKE, hedged PKE
Friday, April 20, 12
Lossy trapdoor functions • Basic primitives:
One-way TDFs, CR hashing
• Advanced encryption:
CCA security, selective opening security, deterministic PKE, hedged PKE
• Constructions:
DDH, QR, Paillier, LWE, Phi-Hiding, ...
Friday, April 20, 12
Our paper Trapdoor functions in ID-based framework 1. Definitions 2. Applications 3. Constructions
• From bilinear maps • From lattices Friday, April 20, 12
ID-based encryption (IBE) •Gen → (pk,sk) n Enc(pk,ID,m) → c for ID∈{0,1} • •Extract(sk,ID) → trapdoor skID •Dec(skID,ID,c) = m
Friday, April 20, 12
ID-based encryption (IBE) •Gen → (pk,sk) n Enc(pk,ID,m) → c for ID∈{0,1} • •Extract(sk,ID) → trapdoor skID •Dec(skID,ID,c) = m History:
• IBE [S84, BF03] • ID-based signatures, ... Friday, April 20, 12
ID-based trapdoor functions •Gen → (pk,sk) n → R for ID∈{0,1}n Eval(pk,ID,・) = f : {0,1} • ID •Extract(sk,ID) → trapdoor skID •Invert(skID,・) = fID-1(・) {0,1}n
fID1 fID2 fID3 ...
Friday, April 20, 12
R
ID-based trapdoor functions •Gen → (pk,sk) n → R for ID∈{0,1}n Eval(pk,ID,・) = f : {0,1} • ID •Extract(sk,ID) → trapdoor skID l a r u t a N •Invert(skID,・) = fID-1(・) ! t c e j b o {0,1}n
fID1
fID2 fID3 ...
Friday, April 20, 12
R
Security? Intuition: fID*(.) “secure” even given skID for ID≠ID*
Friday, April 20, 12
secure
Selective
Adaptive
one-way
ID-OW-S
ID-OW-A
lossy
ID-LS-S
ID-LS-A
One-wayness Exp ID-OW-S
Selective adversary ID*
Friday, April 20, 12
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Friday, April 20, 12
Selective adversary ID* pk
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Selective adversary ID* pk IDi≠ID* skIDi
Friday, April 20, 12
chose ID*
One-wayness Exp ID-OW-S (pk,sk)←Gen
Selective adversary ID* pk
chose ID*
IDi≠ID* skIDi
x Win: x=x’ ∈{0,1}n
Def: One-way Friday, April 20, 12
fID*(x) x’ Pr[Adversay wins] = negl
One-wayness Exp ID-OW-S ID-OW-A (pk,sk)←Gen
Adaptive Selective adversary pk IDi≠ID* skIDi ID*
x Win: x=x’ ∈{0,1}n
Def: One-way Friday, April 20, 12
fID*(x) x’
adaptively chose ID*
Pr[Adversay wins] = negl
Selective lossiness Exp ID-LS-S
Friday, April 20, 12
ID*
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Friday, April 20, 12
ID* pk
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Friday, April 20, 12
ID* pk IDi≠ID* skIDi
Selective adversary
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
ID* pk
Selective adversary
IDi≠ID* skIDi
b=0/1 Def: Lossy Friday, April 20, 12
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
ID* pk
Selective adversary
IDi≠ID* skIDi lossy identity ID* b=0/1
Def: Lossy Friday, April 20, 12
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Selective lossiness Exp ID-LS-S (pk,sk)←Gen vs. pk←Gen’(ID*)
Def: Lossy Friday, April 20, 12
pk
---
IDi≠ID* skIDi
e v i t p a d A ? ? ? y t i r u c e s
ID*
Selective adversary
lossy identity ID*
b=0/1
Pr[A(pk)=1] - Pr[A(pk)=1 ∧ Range(fID*) ≪ 2n] = negl
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk IDi≠ID* skIDi ID* b=0/1
Friday, April 20, 12
Adversary Adaptive adversary
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk
IDi≠ID* hidden d-fraction skIDi identities lossy ID* b=0/1
Friday, April 20, 12
Adversary Adaptive adversary
Adaptive lossiness Exp ID-LS-A (pk,sk)←Gen vs. pk←Gen’
pk
Adversary Adaptive adversary
IDi≠ID* hidden d-fraction skIDi identities lossy ID* b=0/1
Def: d-lossy for scaling parameter 0
