Improved NonCommitting Encryption with Application to Adaptively Secure Protocols - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Improved NonCommitting Encryption with Application to Adaptively Secure Protocols

Description:

Need to construct SIM that generates ciphertexts that open to both 0 and 1. ... QRN = {y : y = x2 , x ZN*} Rabin TDP. f:QRN QRN. f(x) = x2 mod N ... – PowerPoint PPT presentation

Number of Views:36
Avg rating:3.0/5.0
Slides: 29
Provided by: csCol
Category:

less

Transcript and Presenter's Notes

Title: Improved NonCommitting Encryption with Application to Adaptively Secure Protocols


1
Improved Non-Committing Encryption with
Application to Adaptively Secure Protocols
Seung Geol Choi Columbia University
  • joint work withDana Dachman-Soled (Columbia
    Univ.), Tal Malkin (Columbia Univ.), andHoeteck
    Wee (CUNY, Queens College)

2
Outline
  • Motivation
  • Our Work
  • Our Contribution
  • NC-PKE from Trapdoor Simulatable PKE
  • Trapdoor Simulatable PKE from Factoring
  • Conclusion

3
Adversarial corruption in MPC
  • Semi-honest vs. Malicious
  • corrupted parties behave honestly or
  • arbitrarily
  • corrupted parties
  • Honest majority vs. dishonest majority.
  • Static vs. Adaptive CFGN96
  • corrupts parties are determined at the outset or
  • during the protocol adaptively

te
4
Black-box construction of Adaptively secure MPC
with Dishonest Majority
(Aug.) NC-PKE
Q What are the assumptions achieving black-box
construction of MPC (NC-PKE)? - Of theoretical
interest- More efficient avoid general NP
reductions incurred by ZK proofs.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
5
Non-Committing Encryption (NCE) CFGN96
  • Encryption that realizes a secure channel against
    an adaptive adversary
  • (Possibly interactive) encryption (Gen, Enc,
    Dec)
  • with additional property SIM
  • SIM generates pairs of (e, c) that opens to 0 and
    to 1.(sender equivocal receiver equivocal)

Enc(1)
Enc(0)
6
Non-Committing Public Key Encryption (NC-PKE)
  • Two-round NCE
  • Bob sends his pk to Alice
  • Alice sends an encryption under pk to Bob
  • Desirable

7
Goal
(Aug.) NC-PKE
Construct (Aug.) NC-PKE from lower primitives
in a black-box manner.
CLOS02, CDMW09
Adaptively secureoblivious transfer
IPS08
MPC
8
Outline
  • Motivation
  • Our Work
  • Our Contribution
  • NC-PKE from Trapdoor Simulatable PKE
  • Trapdoor Simulatable PKE from Factoring
  • Conclusion

9
Known NCE Constructions
CFGN96
NC-PKE
Simulatable common domain TDP
CDHRSA
B97,DN00
3-round NCE
Simulatable PKE
DDH
GPV08
LWE
10
Main Result
  • Construct NC-PKE from trapdoor Simulatable PKE
  • Relaxed notion of simulatable PKE
  • First NC-PKE from LWE
  • Construct trapdoor simulatable PKE from hardness
    of factoring
  • First NC-PKE from Factoring

Trapdoor simulatable PKE
Factoring
11
Our Contribution
  • From LWE and factoring, first black box
    constructions of
  • NC-PKE
  • Adaptively secure OT
  • Adaptively secure MPC with dishonest majority

12
Outline
  • Motivation
  • Our Work
  • Our Contribution
  • NC-PKE from Trapdoor Simulatable PKE
  • Trapdoor Simulatable PKE from Factoring
  • Conclusion

13
Simulatable PKE DN00
  • PKE (Gen, Enc, Dec) with additional properties
  • Property 1 Oblivious Sampling
  • oGen generates a random pk w/o learning about
    its sk
  • oRndEnc generates a random ciphertext w/o
    learning about its plaintext
  • E.g. ElGamal
  • key (y gx, x) ? Pick random y in G
  • Enc (gr, myr) ? pick random (c1, c2) from G

14
Simulatable PKE DN00
Trapdoor
Trapdoor
  • Property 2 Invertibility
  • rGen
  • Input a normally-generated pub-key e,
  • Output randomness rG s.t. oGen(rG) e
  • rRndEnc
  • Input a normally-generated key and ciphertext
    (e,c)
  • Output randomness rE s.t. oRndEnc(e,rE) c
  • E.g. ElGamal
  • key y from (y gx, x) ? Output y
  • Enc y and (c1, c2) from (y,x) and (gr, myr) ?
    Output (c1, c2)
  • Property 1 Oblivious Sampling
  • oGen generates a random pk w/o learning about
    its sk
  • oRndEnc generates a random ciphertext w/o
    learning about its plaintext
  • E.g. ElGamal
  • key (y gx, x) ? Pick random e in G
  • Enc (gr, myr) ? pick random (c1, c2) from G

randomness for Gen
randomness for Gen,End plaintext
15
NCE from (trapdoor) simulatable PKE
  • Need to construct SIM that generates ciphertexts
    that open to both 0 and 1.
  • General Idea SIM lies about obliviousness.
  • Protocol specifies some pks and ciphertexts
    should be generated obliviously.
  • SIM knows everything (all the pks and
    ciphertexts are generated by normal Gen, Enc).
  • SIM clever lies on the set of obliviously
    generated pks and ciphertexts (via rGen,
    rRndEnc) lead to opening to both 0 and 1.

16
Toy Construction DN00,KO04 - 1
  • Key Gen (pk0, pk1)
  • For a random x, pkx ? Gen()pk1-x ? oGen()
  • Encrypt. of a bit b (c0, c1)
  • For a random y,cy ? Enc(b), c1-y ? oEnc()
  • Decryption of (c0, c1)
  • Output Dec(skx, cx)

pk1
pk0



c1
c0
x y


b?
x ? y
Decryption error ¼
( Can reduce by repetitions)
17
Toy Construction DN00,KO04 - 2
  • Secure for adaptive corruption for one party
  • Disclaimer Need to handle decryption error ¼
  • If both corrupted?

Corrupt S m 1
Corrupt R m 0
Corrupt R
Corrupt S
18
The Idea to achieve NC-PKE
  • Summary of the toy construction
  • R knows half of secret keys
  • Handles adaptive corruption of one party KO04
  • Cannot handle corruption of both parties
  • lack of freedom to simulate the secondly
    corrupted parties.
  • To handle corruption of both parties
  • Raise the fraction of obliviousness
  • ¾ is good enough

19
The Construction
  • KeyGen (e1,,e4k)
  • T random set of size kif x?T, ex ? Gen()else
    ex ? oGen()
  • Enc of b (c1,,c4k)
  • S random set of size k,if y?S, cy ? Enc(bk),
    else cy ? oEnc()

k 2
  • Dec of (c1,,c4k) If Dec(skT, cT) contains 0k
    output 0. Else output 1

20
Summary NCE-PK from (trapdoor) simulatable PKE
  • Obliviousness
  • ¾ of keys and ciphertexts are generated
    obliviously.
  • Still, we get negligible decryption error by
    repetitions.
  • SIM can generate a (e,c) pair that opens to 0 and
    1
  • Keys and ciphertexts are generated normally.
  • Using (trapdoor) invertibility, fake on
    obliviously generated sets.

21
Outline
  • Motivation
  • Our Work
  • Our Contribution
  • NC-PKE from Trapdoor Simulatable PKE
  • Trapdoor Simulatable PKE from Factoring
  • Conclusion

22
Trapdoor Simulatable PKE from Factoring
  • There is a standard construction that achieves
    PKE from trapdoor one-way permutation (TDP) using
    hard-core bits. I.e., for a TDP f,
  • Gen() ? (e, d) e f, d f-1
  • Enc(b) ? (f(x), r, (x r) ? b) where r, x is
    random.
  • Construct TDP from hardness of factoring Blum
    Integers (BI) with oblivious sampling and
    trapdoor invertibility

23
Rabins TDP for Blum Integers
  • Quadratic Residues on a Bl integer N QRN y
    y x2 , x ? ZN
  • Rabin TDP
  • fQRN ? QRN
  • f(x) x2 mod N
  • Is based on hardness of factoring assumption

24
Basic Idea for Keys
  • Key Generation sample k3 k-bit integers w/
    factoring Bach 88
  • Encryption of b given keys (N1, , Nk3)
  • EncN1(b1), ., EncNk3(bk3) where b b1 ? ?
    bk3
  • WHP, at least one Ni is BI.
  • Oblivious sampling easy (sample k3 integers)
  • Trapdoor Invertibility easy

25
Basic Idea for Ciphertexts
  • Change TDP description slightly
  • QN a2k a ? ZN where k N
  • f QN ? QN , f(x) x2k1 mod N
  • Oblivious sampling easy (sample from QN)
  • Trapdoor Invertibility find random 2k-th root w/
    factoring

26
Outline
  • Motivation
  • Our Work
  • Our Contribution
  • NC-PKE from Trapdoor Simulatable PKE
  • Trapdoor Simulatable PKE from Factoring
  • Conclusion

27
Conclusion
  • From LWE and factoring, first black box
    constructions of
  • NC-PKE
  • Adaptively secure OT
  • Adaptively secure MPC with honest minority

28
Thank you
Write a Comment
User Comments (0)
About PowerShow.com