Title: Improved NonCommitting Encryption with Application to Adaptively Secure Protocols
1Improved Non-Committing Encryption with
Application to Adaptively Secure Protocols
Seung Geol Choi Columbia University
- joint work withDana Dachman-Soled (Columbia
Univ.), Tal Malkin (Columbia Univ.), andHoeteck
Wee (CUNY, Queens College)
2Outline
- Motivation
- Our Work
- Our Contribution
- NC-PKE from Trapdoor Simulatable PKE
- Trapdoor Simulatable PKE from Factoring
- Conclusion
3Adversarial corruption in MPC
- Semi-honest vs. Malicious
- corrupted parties behave honestly or
- arbitrarily
- corrupted parties
- Honest majority vs. dishonest majority.
- Static vs. Adaptive CFGN96
- corrupts parties are determined at the outset or
- during the protocol adaptively
te
4Black-box construction of Adaptively secure MPC
with Dishonest Majority
(Aug.) NC-PKE
Q What are the assumptions achieving black-box
construction of MPC (NC-PKE)? - Of theoretical
interest- More efficient avoid general NP
reductions incurred by ZK proofs.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
5Non-Committing Encryption (NCE) CFGN96
- Encryption that realizes a secure channel against
an adaptive adversary - (Possibly interactive) encryption (Gen, Enc,
Dec) - with additional property SIM
- SIM generates pairs of (e, c) that opens to 0 and
to 1.(sender equivocal receiver equivocal)
Enc(1)
Enc(0)
6Non-Committing Public Key Encryption (NC-PKE)
- Two-round NCE
- Bob sends his pk to Alice
- Alice sends an encryption under pk to Bob
- Desirable
7Goal
(Aug.) NC-PKE
Construct (Aug.) NC-PKE from lower primitives
in a black-box manner.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
8Outline
- Motivation
- Our Work
- Our Contribution
- NC-PKE from Trapdoor Simulatable PKE
- Trapdoor Simulatable PKE from Factoring
- Conclusion
9Known NCE Constructions
CFGN96
NC-PKE
Simulatable common domain TDP
CDHRSA
B97,DN00
3-round NCE
Simulatable PKE
DDH
GPV08
LWE
10Main Result
- Construct NC-PKE from trapdoor Simulatable PKE
- Relaxed notion of simulatable PKE
- First NC-PKE from LWE
- Construct trapdoor simulatable PKE from hardness
of factoring - First NC-PKE from Factoring
Trapdoor simulatable PKE
Factoring
11Our Contribution
- From LWE and factoring, first black box
constructions of - NC-PKE
- Adaptively secure OT
- Adaptively secure MPC with dishonest majority
12Outline
- Motivation
- Our Work
- Our Contribution
- NC-PKE from Trapdoor Simulatable PKE
- Trapdoor Simulatable PKE from Factoring
- Conclusion
13Simulatable PKE DN00
- PKE (Gen, Enc, Dec) with additional properties
- Property 1 Oblivious Sampling
- oGen generates a random pk w/o learning about
its sk - oRndEnc generates a random ciphertext w/o
learning about its plaintext - E.g. ElGamal
- key (y gx, x) ? Pick random y in G
- Enc (gr, myr) ? pick random (c1, c2) from G
14 Simulatable PKE DN00
Trapdoor
Trapdoor
- Property 2 Invertibility
- rGen
- Input a normally-generated pub-key e,
- Output randomness rG s.t. oGen(rG) e
- rRndEnc
- Input a normally-generated key and ciphertext
(e,c) - Output randomness rE s.t. oRndEnc(e,rE) c
- E.g. ElGamal
- key y from (y gx, x) ? Output y
- Enc y and (c1, c2) from (y,x) and (gr, myr) ?
Output (c1, c2) - Property 1 Oblivious Sampling
- oGen generates a random pk w/o learning about
its sk - oRndEnc generates a random ciphertext w/o
learning about its plaintext - E.g. ElGamal
- key (y gx, x) ? Pick random e in G
- Enc (gr, myr) ? pick random (c1, c2) from G
randomness for Gen
randomness for Gen,End plaintext
15NCE from (trapdoor) simulatable PKE
- Need to construct SIM that generates ciphertexts
that open to both 0 and 1. - General Idea SIM lies about obliviousness.
- Protocol specifies some pks and ciphertexts
should be generated obliviously. - SIM knows everything (all the pks and
ciphertexts are generated by normal Gen, Enc). - SIM clever lies on the set of obliviously
generated pks and ciphertexts (via rGen,
rRndEnc) lead to opening to both 0 and 1.
16Toy Construction DN00,KO04 - 1
- Key Gen (pk0, pk1)
- For a random x, pkx ? Gen()pk1-x ? oGen()
- Encrypt. of a bit b (c0, c1)
- For a random y,cy ? Enc(b), c1-y ? oEnc()
- Decryption of (c0, c1)
- Output Dec(skx, cx)
pk1
pk0
c1
c0
x y
b?
x ? y
Decryption error ¼
( Can reduce by repetitions)
17Toy Construction DN00,KO04 - 2
- Secure for adaptive corruption for one party
- Disclaimer Need to handle decryption error ¼
- If both corrupted?
Corrupt S m 1
Corrupt R m 0
Corrupt R
Corrupt S
18The Idea to achieve NC-PKE
- Summary of the toy construction
- R knows half of secret keys
- Handles adaptive corruption of one party KO04
- Cannot handle corruption of both parties
- lack of freedom to simulate the secondly
corrupted parties. - To handle corruption of both parties
- Raise the fraction of obliviousness
- ¾ is good enough
19The Construction
- KeyGen (e1,,e4k)
- T random set of size kif x?T, ex ? Gen()else
ex ? oGen() - Enc of b (c1,,c4k)
- S random set of size k,if y?S, cy ? Enc(bk),
else cy ? oEnc()
k 2
- Dec of (c1,,c4k) If Dec(skT, cT) contains 0k
output 0. Else output 1
20Summary NCE-PK from (trapdoor) simulatable PKE
- Obliviousness
- ¾ of keys and ciphertexts are generated
obliviously. - Still, we get negligible decryption error by
repetitions. - SIM can generate a (e,c) pair that opens to 0 and
1 - Keys and ciphertexts are generated normally.
- Using (trapdoor) invertibility, fake on
obliviously generated sets.
21Outline
- Motivation
- Our Work
- Our Contribution
- NC-PKE from Trapdoor Simulatable PKE
- Trapdoor Simulatable PKE from Factoring
- Conclusion
22Trapdoor Simulatable PKE from Factoring
- There is a standard construction that achieves
PKE from trapdoor one-way permutation (TDP) using
hard-core bits. I.e., for a TDP f, - Gen() ? (e, d) e f, d f-1
- Enc(b) ? (f(x), r, (x r) ? b) where r, x is
random. - Construct TDP from hardness of factoring Blum
Integers (BI) with oblivious sampling and
trapdoor invertibility
23Rabins TDP for Blum Integers
- Quadratic Residues on a Bl integer N QRN y
y x2 , x ? ZN - Rabin TDP
- fQRN ? QRN
- f(x) x2 mod N
- Is based on hardness of factoring assumption
24Basic Idea for Keys
- Key Generation sample k3 k-bit integers w/
factoring Bach 88 - Encryption of b given keys (N1, , Nk3)
- EncN1(b1), ., EncNk3(bk3) where b b1 ? ?
bk3 - WHP, at least one Ni is BI.
- Oblivious sampling easy (sample k3 integers)
- Trapdoor Invertibility easy
25Basic Idea for Ciphertexts
- Change TDP description slightly
- QN a2k a ? ZN where k N
- f QN ? QN , f(x) x2k1 mod N
- Oblivious sampling easy (sample from QN)
- Trapdoor Invertibility find random 2k-th root w/
factoring
26Outline
- Motivation
- Our Work
- Our Contribution
- NC-PKE from Trapdoor Simulatable PKE
- Trapdoor Simulatable PKE from Factoring
- Conclusion
27Conclusion
- From LWE and factoring, first black box
constructions of - NC-PKE
- Adaptively secure OT
- Adaptively secure MPC with honest minority
28Thank you