Improved NonCommitting Encryption with Application to Adaptively Secure Protocols

1
Improved Non-Committing Encryption with
Application to Adaptively Secure Protocols
Seung Geol Choi Columbia University

• joint work withDana Dachman-Soled (Columbia
  Univ.), Tal Malkin (Columbia Univ.), andHoeteck
  Wee (CUNY, Queens College)

2
Outline

• Motivation
• Our Work
• Our Contribution
• NC-PKE from Trapdoor Simulatable PKE
• Trapdoor Simulatable PKE from Factoring
• Conclusion

3
Adversarial corruption in MPC

• Semi-honest vs. Malicious
• corrupted parties behave honestly or
• arbitrarily
• corrupted parties
• Honest majority vs. dishonest majority.
• Static vs. Adaptive CFGN96
• corrupts parties are determined at the outset or
• during the protocol adaptively

te
4
Black-box construction of Adaptively secure MPC
with Dishonest Majority
(Aug.) NC-PKE
Q What are the assumptions achieving black-box
construction of MPC (NC-PKE)? - Of theoretical
interest- More efficient avoid general NP
reductions incurred by ZK proofs.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
5
Non-Committing Encryption (NCE) CFGN96

• Encryption that realizes a secure channel against
  an adaptive adversary
• (Possibly interactive) encryption (Gen, Enc,
  Dec)
• with additional property SIM
• SIM generates pairs of (e, c) that opens to 0 and
  to 1.(sender equivocal receiver equivocal)

Enc(1)
Enc(0)
6
Non-Committing Public Key Encryption (NC-PKE)

• Two-round NCE
• Bob sends his pk to Alice
• Alice sends an encryption under pk to Bob
• Desirable

7
Goal
(Aug.) NC-PKE
Construct (Aug.) NC-PKE from lower primitives
in a black-box manner.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
8
Outline

• Motivation
• Our Work
• Our Contribution
• NC-PKE from Trapdoor Simulatable PKE
• Trapdoor Simulatable PKE from Factoring
• Conclusion

9
Known NCE Constructions
CFGN96
NC-PKE
Simulatable common domain TDP
CDHRSA
B97,DN00
3-round NCE
Simulatable PKE
DDH
GPV08
LWE
10
Main Result

• Construct NC-PKE from trapdoor Simulatable PKE
• Relaxed notion of simulatable PKE
• First NC-PKE from LWE
• Construct trapdoor simulatable PKE from hardness
  of factoring
• First NC-PKE from Factoring

Trapdoor simulatable PKE
Factoring
11
Our Contribution

• From LWE and factoring, first black box
  constructions of
• NC-PKE
• Adaptively secure OT
• Adaptively secure MPC with dishonest majority

12
Outline

• Motivation
• Our Work
• Our Contribution
• NC-PKE from Trapdoor Simulatable PKE
• Trapdoor Simulatable PKE from Factoring
• Conclusion

13
Simulatable PKE DN00

• PKE (Gen, Enc, Dec) with additional properties
• Property 1 Oblivious Sampling
• oGen generates a random pk w/o learning about
  its sk
• oRndEnc generates a random ciphertext w/o
  learning about its plaintext
• E.g. ElGamal
• key (y gx, x) ? Pick random y in G
• Enc (gr, myr) ? pick random (c1, c2) from G

14
Simulatable PKE DN00
Trapdoor
Trapdoor

• Property 2 Invertibility
• rGen
• Input a normally-generated pub-key e,
• Output randomness rG s.t. oGen(rG) e
• rRndEnc
• Input a normally-generated key and ciphertext
  (e,c)
• Output randomness rE s.t. oRndEnc(e,rE) c
• E.g. ElGamal
• key y from (y gx, x) ? Output y
• Enc y and (c1, c2) from (y,x) and (gr, myr) ?
  Output (c1, c2)
• Property 1 Oblivious Sampling
• oGen generates a random pk w/o learning about
  its sk
• oRndEnc generates a random ciphertext w/o
  learning about its plaintext
• E.g. ElGamal
• key (y gx, x) ? Pick random e in G
• Enc (gr, myr) ? pick random (c1, c2) from G

randomness for Gen
randomness for Gen,End plaintext
15
NCE from (trapdoor) simulatable PKE

• Need to construct SIM that generates ciphertexts
  that open to both 0 and 1.
• General Idea SIM lies about obliviousness.
• Protocol specifies some pks and ciphertexts
  should be generated obliviously.
• SIM knows everything (all the pks and
  ciphertexts are generated by normal Gen, Enc).
• SIM clever lies on the set of obliviously
  generated pks and ciphertexts (via rGen,
  rRndEnc) lead to opening to both 0 and 1.

16
Toy Construction DN00,KO04 - 1

• Key Gen (pk0, pk1)
• For a random x, pkx ? Gen()pk1-x ? oGen()
• Encrypt. of a bit b (c0, c1)
• For a random y,cy ? Enc(b), c1-y ? oEnc()
• Decryption of (c0, c1)
• Output Dec(skx, cx)

pk1
pk0



c1
c0
x y


b?
x ? y
Decryption error ¼
( Can reduce by repetitions)
17
Toy Construction DN00,KO04 - 2

• Secure for adaptive corruption for one party
• Disclaimer Need to handle decryption error ¼
• If both corrupted?

Corrupt S m 1
Corrupt R m 0
Corrupt R
Corrupt S
18
The Idea to achieve NC-PKE

• Summary of the toy construction
• R knows half of secret keys
• Handles adaptive corruption of one party KO04
• Cannot handle corruption of both parties
• lack of freedom to simulate the secondly
  corrupted parties.
• To handle corruption of both parties
• Raise the fraction of obliviousness
• ¾ is good enough

19
The Construction

• KeyGen (e1,,e4k)
• T random set of size kif x?T, ex ? Gen()else
  ex ? oGen()
• Enc of b (c1,,c4k)
• S random set of size k,if y?S, cy ? Enc(bk),
  else cy ? oEnc()

k 2

• Dec of (c1,,c4k) If Dec(skT, cT) contains 0k
  output 0. Else output 1

20
Summary NCE-PK from (trapdoor) simulatable PKE

• Obliviousness
• ¾ of keys and ciphertexts are generated
  obliviously.
• Still, we get negligible decryption error by
  repetitions.
• SIM can generate a (e,c) pair that opens to 0 and
  1
• Keys and ciphertexts are generated normally.
• Using (trapdoor) invertibility, fake on
  obliviously generated sets.

21
Outline

• Motivation
• Our Work
• Our Contribution
• NC-PKE from Trapdoor Simulatable PKE
• Trapdoor Simulatable PKE from Factoring
• Conclusion

22
Trapdoor Simulatable PKE from Factoring

• There is a standard construction that achieves
  PKE from trapdoor one-way permutation (TDP) using
  hard-core bits. I.e., for a TDP f,
• Gen() ? (e, d) e f, d f-1
• Enc(b) ? (f(x), r, (x r) ? b) where r, x is
  random.
• Construct TDP from hardness of factoring Blum
  Integers (BI) with oblivious sampling and
  trapdoor invertibility

23
Rabins TDP for Blum Integers

• Quadratic Residues on a Bl integer N QRN y
  y x2 , x ? ZN
• Rabin TDP
• fQRN ? QRN
• f(x) x2 mod N
• Is based on hardness of factoring assumption

24
Basic Idea for Keys

• Key Generation sample k3 k-bit integers w/
  factoring Bach 88
• Encryption of b given keys (N1, , Nk3)
• EncN1(b1), ., EncNk3(bk3) where b b1 ? ?
  bk3
• WHP, at least one Ni is BI.
• Oblivious sampling easy (sample k3 integers)
• Trapdoor Invertibility easy

25
Basic Idea for Ciphertexts

• Change TDP description slightly
• QN a2k a ? ZN where k N
• f QN ? QN , f(x) x2k1 mod N
• Oblivious sampling easy (sample from QN)
• Trapdoor Invertibility find random 2k-th root w/
  factoring

26
Outline

• Motivation
• Our Work
• Our Contribution
• NC-PKE from Trapdoor Simulatable PKE
• Trapdoor Simulatable PKE from Factoring
• Conclusion

27
Conclusion

• From LWE and factoring, first black box
  constructions of
• NC-PKE
• Adaptively secure OT
• Adaptively secure MPC with honest minority

28
Thank you