INCREMENTAL DETERMINISTIC PUBLIC- KEY ENCRYPTION Ilya Mironov, Omkant Pandey, Omer Reingold, Gil Segev Microsoft Research
Jan 07, 2016
INCREMENTAL DETERMINISTIC PUBLIC-
KEY ENCRYPTIONIlya Mironov, Omkant Pandey,
Omer Reingold, Gil Segev
Microsoft Research
Incremental Deterministic Public-Key Encryption
Deterministic Public-Key Encryption
-source adversary
๐ ๐
min-entropy min-entropy
min-entropy : Probability of any output
Deterministic Public-Key Encryption: PRIV1-IND
๐ ๐
[Bellare, Boldyreva, OโNeill CRYPTOโ07]
min-entropy min-entropy
Epk[ ] Epk[ ]๐
and are independent of PK
Is It Secure?
Computational assumptions
Min-entropy of the source
Secure Deterministic Encryption
Long, unpredictable plaintext:- digital photograph- MS Word document- entire database- full disk
- search- de-duplication- deterministic KEM
security
efficiencyLength of the plaintext
Incrementality
- Incrementality with access to plaintext: setting bit- Incrementality without access to plaintext: flipping bit
degree
Incremental Deterministic Public-Key Encryption
Our results Lower bound: Two schemes
1. Generic Solution
2. DDH-based solution
tight up to polylog factors
incrementality
min-entropy
Deterministic Encryption
Incremental Deterministic Encryption
Naรฏve Generic Solutionmin-entropy
?
E E Eโฆ
E: deterministic encryption scheme
Sample-then-extract
[Nisan,Zuckermanโ96] [Vadhanโ04]
min-entropy
similar min-entropy rate
Generic Solutionmin-entropy
Partition input into random subsets
PRIV-IND PRIV1-IND with Incrementality
Standard Model
DDH PRIV1-IND with Incrementality
Lossy Trapdoor Functions
[Peikert, Waters STOCโ08]
๐ w/ trapdoor
๐
Injective mode:
Lossy mode:
๐
Smooth Trapdoor Functions
๐ w/ trapdoor
๐
Injective mode:
Smooth mode:
๐ statisticallyclose
min-entropy
Smooth Trapdoor Functions PRIV1-IND
Security
๐ (๐ ) ๐ (๐ )injective mode:
๐ (๐ ) ๐ (๐ )smooth mode:
๐ ๐
min-entropy min-entropy
Construction of PRIV1-IND
๐ โ๐
Lossy Trapdoor Function Pairwise-independent permutation
Smooth Trapdoor Function
[Boldyreva, Fehr, OโNeill CRYPTOโ08]
Deterministic Public-Key Encryption
Construction of PRIV1-IND
๐ โ๐
Lossy Trapdoor Function Pairwise-independent permutation
Smooth Trapdoor Function
[Boldyreva, Fehr, OโNeill CRYPTOโ08]
Deterministic Public-Key EncryptionIncremental
Construction of Lossy TDF
[Freeman, Goldreich, Kiltz, Rosen, Segev PKCโ10] [Brakerski, Segev CRYPTOโ11]
Given output
Given compute Output
Sample Output and
(๐๐ด ) ๐๐=(๐๐๐๐ )Key generation
Encryption
Decryption
- group of order generated by
Security Argument: Lossy TDF
๐๐ดโ๐๐๐ต
rank rank 1
โ injective โ bits
Towards Incremental Smooth TDF
๐๐ดโ๐๐๐ต
rank sparse
rank โsparse
โ injective if has min-entropy , statistically close to the uniform over its range
Towards Incremental Smooth TDF
๐11ร๐12ร๐13ร
๐21ร๐22ร๐23ร
Sample-then-extract + Leftover Hash Lemma
โ
Towards Incremental Smooth TDF
๐11ร๐12ร๐13ร
๐21ร๐22ร๐23ร
Towards Incremental Smooth TDF
๐11ร๐12ร๐13ร
๐21ร๐22ร๐23ร
Smooth vs Injective Mode
๐
rank full rank
๐ ๐
๐11ร๐12ร๐13ร
๐21ร๐22ร๐23ร
Incrementality
๐11ร๐12ร๐13ร
๐21ร๐22ร๐23ร
Open Problems
Incremental Deterministic Encryption: Stronger security: PRIV-IND (multiple
messages) Length-preserving in the standard model
Deterministic Encryption: Relaxing the definition to allow dependency
on the public key