Trapdoor Hash Functions and Their Applications Nico Döttling CISPA Helmholtz Center Sanjam Garg UC Berkeley Yuval Ishai Technion Giulio Malavolta Carnegie Mellon University Tamer Mour Weizmann Institute Rafail Ostrovsky UC Los Angeles TPMPC 2019, Bar Ilan University 1
33
Embed
Trapdoor Hash Functions and Their Applicationsu.cs.biu.ac.il/~lindell/TPMPC2019/Tamer_Mour_TPMPC2019.pdf · 2019-07-14 · Trapdoor Hash Functions and Their Applications Nico Döttling
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Trapdoor Hash Functionsand Their Applications
Nico Döttling
CISPA Helmholtz Center
Sanjam Garg
UC Berkeley
Yuval Ishai
Technion
Giulio Malavolta
Carnegie Mellon University
Tamer Mour
Weizmann Institute
Rafail Ostrovsky
UC Los Angeles
TPMPC 2019, Bar Ilan University1
Trapdoor Hash Functionsand Their Applications
Nico Döttling
CISPA Helmholtz Center
Sanjam Garg
UC Berkeley
Yuval Ishai
Technion
Giulio Malavolta
Carnegie Mellon University
Tamer Mour
Weizmann Institute
Rafail Ostrovsky
UC Los Angeles
TPMPC 2019, Bar Ilan University2
Setting: Sender-Receiver Computation
Sender Receiver
𝒚 ∈ 𝒀 𝒙 ∈ 𝑿
Output:𝒇 𝒙, 𝒚
communication
𝒇:𝑿 × 𝒀 → 𝒁
3
Sender Receiver
Input: 𝒚 ∈ 𝒀 Input: 𝒙 ∈ 𝑿Output: 𝒇 𝒙, 𝒚
Ideal World:Simple and optimal solutions.
Real World (semi-honest security):Sender and receiver do not trust each other, and want to keep their inputs private.Main question in this work:
receiver message
sender message
Focus: two-message protocols with minimum communication.
Can Secure Protocols be as Efficient as Ideal-World Solutions?
Setting: Sender-Receiver Computation
4
Setting I.Sender input is larger than receiver input
|𝒚| ≫ |𝒙|
Example:
String Oblivious Transfer (OT)
In Ideal World, communication dominated by length of second message 𝑓 𝑥, 𝑦 = 𝑛.
GoalOptimize length of second message, i.e.
download rate = |𝑓(𝑥,𝑦)|
|𝑆𝑒𝑐𝑜𝑛𝑑 𝑀𝑒𝑠𝑠𝑎𝑔𝑒|
Can Secure Protocols be as Efficient as Ideal-World Solutions?
𝑦0, 𝑦1 ∈ 0,1 𝑛 𝑥 ∈ {0,1}Output: 𝑦𝑥
Ideal-World Solution:download rate = 1
Negative AnswerSecure protocols with exact rate 1 do not exist.(even with correlated randomness)
For 2𝜆 security,𝒔𝒆𝒄𝒐𝒏𝒅𝒎𝒆𝒔𝒔𝒂𝒈𝒆 > 𝒏 + 𝟐𝝀
Best we can hope for:download rate → 𝟏
when 𝑛 → ∞.
Positive AnswerProtocols with rate approaching 1 using Trapdoor Hash. 5
Results in Setting I: Rate-1 Oblivious Transfer and MoreLife before Trapdoor Hash- Rate - ½ OT is easy to achieve.- Only known solution for higher rate uses high-rate homomorphic encryption.- Only rate-1 homomorphic encryption scheme: Damgård-Jurik scheme based on DCR.Exception: [Gentry-Halevi’19]
DCR LWE QR DDH
Oblivious Transfer (OT) rate-1 [DJ00] rate-½ rate-½ rate-½
Life after Trapdoor Hash
DCR LWE QR DDH
Oblivious Transfer (OT) rate-1 rate-1 rate-1 rate-1
Results in Setting I: Application of Rate-1 OT1. Single-Server Private Information Retrieval [Kushilevitz-Ostrovsky’97]First rate-1 PIR protocols with polylogarithmic communication [Ishai-Paskin’07].
𝑥[𝑖𝑗] ← D(trapdoorj, ℎ, 𝑒𝑗)Efficiency: small hints, i.e. high rate
𝒉
15
Defining Trapdoor Hash
input 𝒙 ∈ 𝟎, 𝟏 𝒏 hash 𝒉 ∈ 𝟎, 𝟏 𝝀
The Hash Function:H Input Privacy: ℎ hides 𝑥.
Index Privacy: key hides 𝑖.
Key Generation:(key, trapdoor)← G(𝑖)
input 𝒙 ∈ 𝟎, 𝟏 𝒏 hint 𝒆
The “Hinting” Function:E(key)
Decoding:𝑥[𝑖] ← D(trapdoor, ℎ, 𝑒)
TDH = (H,G,E,D)
Rate:𝟏
|𝒆|
Optimally, rate = 1.
Main technical contribution:Rate-1 TDH from DDH,QR,LWE,DCR
We also consider TDH for general functions of 𝑥. 16
Trapdoor Hash from DDH
Similar technique used to construct IBE [DG17], laconic OT [CDGGMP17] andTrapdoor Functions [GH18,GGH19].
- Multiplicative abelian group 𝔾 of prime order 𝑝, with a public generator 𝒈 ∈ 𝔾.For all 𝑔1, 𝑔2 ∈ 𝔾,
𝒈𝟏 ⋅ 𝒈𝟐 = 𝒈𝟐 ⋅ 𝒈𝟏 ∈ 𝔾
- The DDH (Decisional Diffie-Hellman) assumptionFor uniform a, b, c ∈ ℤ𝑝 and an element 𝑔 ∈ 𝔾,
𝒈𝒂, 𝒈𝒃, 𝒈𝒂𝒃 ≡ (𝒈𝒂, 𝒈𝒃, 𝒈𝒄)
17
Trapdoor Hash from DDH
Alice Bob𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
∈ 𝔾2×𝑛
public parameters2 × 𝑛 uniform group elements
input 𝒙 ∈ 𝟎, 𝟏 𝒏
18
Trapdoor Hash from DDH
Alice Bob
𝐻 𝑥 =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]ℎ = 𝐻 𝑥
Hash Function:
𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
public parameters
1 0 0 ⋅⋅⋅ 1
input 𝒙 ∈ 𝟎, 𝟏 𝒏
𝑔1,0 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝑔𝑛,0𝒈𝟏,𝟏 𝑔2,1 𝑔3,1 … 𝒈𝒏,𝟏
H ℎ ∈ 𝔾
Input Privacy: statistical*.
19
Trapdoor Hash from DDH
Alice Bob
“I want to learn 𝑥[𝑖]”
𝑘𝑒𝑦 =𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
ℎ = 𝐻 𝑥
𝒌𝒆𝒚 =𝑔1,0𝑡 … 𝑔𝑖,0
𝑡 … 𝑔𝑛,0𝑡
𝑔1,1𝑡 … 𝒈𝒊,𝟏
𝒕 ⋅ 𝒈 … 𝑔𝑛,1𝑡
trapdoor: uniform 𝒕 ∈ ℤ𝒑
Hash Function:Key Generation:
Index Privacy: assuming DDH,
𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
≡ uniform matrix in 𝔾2×𝑛
𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
public parameters
𝐻 𝑥 =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]
20
Trapdoor Hash from DDH
Alice Bob
“I want to learn 𝑥[𝑖]”
𝑒 = 𝐸(𝑘𝑒𝑦, 𝑥)
𝑘𝑒𝑦 =𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
ℎ = 𝐻 𝑥
𝐸 𝑘𝑒𝑦, 𝑥 =ෑ
𝑗
𝒈𝑗,𝑥[𝑗]
𝒌𝒆𝒚 =𝑔1,0𝑡 … 𝑔𝑖,0
𝑡 … 𝑔𝑛,0𝑡
𝑔1,1𝑡 … 𝒈𝒊,𝟏
𝒕 ⋅ 𝒈 … 𝑔𝑛,1𝑡
trapdoor: uniform 𝒕 ∈ ℤ𝒑
Hash Function:
Hinting:
Key Generation:
Rate:1
𝑒=1
𝜆
𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
public parameters
1 0 0 ⋅⋅⋅ 1
input 𝒙 ∈ 𝟎, 𝟏 𝒏
𝒈1,0 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝑛,0𝒈𝟏,𝟏 𝒈2,1 𝒈3,1 … 𝒈𝒏,𝟏
E 𝑒 ∈ 𝔾
𝐻 𝑥 =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]
21
Trapdoor Hash from DDH
Alice Bob
“I want to learn 𝑥[𝑖]”
𝑒 = 𝐸(𝑘𝑒𝑦, 𝑥)
𝑘𝑒𝑦 =𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
ℎ = 𝐻 𝑥
𝐸 𝑘𝑒𝑦, 𝑥 =ෑ
𝑗
𝒈𝑗,𝑥[𝑗]
𝒌𝒆𝒚 =𝑔1,0𝑡 … 𝑔𝑖,0
𝑡 … 𝑔𝑛,0𝑡
𝑔1,1𝑡 … 𝒈𝒊,𝟏
𝒕 ⋅ 𝒈 … 𝑔𝑛,1𝑡
trapdoor: uniform 𝒕 ∈ ℤ𝒑
Hash Function:
Hinting:
Key Generation:
How to recover 𝑥[𝑖] given- The hash ℎ- The hint 𝑒- The trapdoor 𝑡 ?
𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
public parameters
1 0 0 ⋅⋅⋅ 1
input 𝒙 ∈ 𝟎, 𝟏 𝒏
𝒈1,0 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝑛,0𝒈𝟏,𝟏 𝒈2,1 𝒈3,1 … 𝒈𝒏,𝟏
E 𝑒 ∈ 𝔾
𝐻 𝑥 =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]
22
Trapdoor Hash at The Bar: DecodingObservation: given that
1 0 0 ⋅⋅⋅ 1
input 𝒙 ∈ 𝟎, 𝟏 𝒏
𝒈1,0 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝑛,0𝒈𝟏,𝟏 𝒈2,1 𝒈3,1 … 𝒈𝒏,𝟏
E 𝑒 =ෑ
𝑗
𝒈𝑗,𝑥[𝑗] =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]𝑡 ⋅ 𝑔𝑥 𝑖 = ℎ𝑡 ⋅ 𝑔𝑥[𝑖]
1 0 0 ⋅⋅⋅ 1
input 𝒙 ∈ 𝟎, 𝟏 𝒏
𝑔1,0 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝑔𝑛,0𝒈𝟏,𝟏 𝑔2,1 𝑔3,1 … 𝒈𝒏,𝟏
H ℎ =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]
𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
=𝑔1,0𝑡 … 𝑔𝑖,0
𝑡 … 𝑔𝑛,0𝑡
𝑔1,1𝑡 … 𝒈𝒊,𝟏
𝒕 ⋅ 𝒈 … 𝑔𝑛,1𝑡
23
Trapdoor Hash from DDH
Alice Bob
“I want to learn 𝑥[𝑖]”
𝑒 = 𝐸(𝑘𝑒𝑦, 𝑥)𝒆 = 𝒉𝒕 → 𝒙 𝒊 = 𝟎
𝒆 = 𝒉𝒕 ⋅ 𝒈 → 𝒙 𝒊 = 𝟏
𝑘𝑒𝑦 =𝒈𝟏,𝟎 𝒈𝟐,𝟎 𝒈𝟑,𝟎 … 𝒈𝒏,𝟎𝒈𝟏,𝟏 𝒈𝟐,𝟏 𝒈𝟑,𝟏 … 𝒈𝒏,𝟏
ℎ = 𝐻 𝑥
𝒌𝒆𝒚 =𝑔1,0𝑡 … 𝑔𝑖,0
𝑡 … 𝑔𝑛,0𝑡
𝑔1,1𝑡 … 𝒈𝒊,𝟏
𝒕 ⋅ 𝒈 … 𝑔𝑛,1𝑡
trapdoor: uniform 𝒕 ∈ ℤ𝒑
Decoding: using hash ℎ and trapdoor 𝑡
Hash Function:
Hinting:
Key Generation:
𝑔1,0 𝑔2,0 𝑔3,0 … 𝑔𝑛,0𝑔1,1 𝑔2,1 𝑔3,1 … 𝑔𝑛,1
public parameters
𝐸 𝑘𝑒𝑦, 𝑥 =ෑ
𝑗
𝒈𝑗,𝑥[𝑗]
𝐻 𝑥 =ෑ
𝑗
𝑔𝑗,𝑥[𝑗]
24
Rate-𝟏/𝝀 Trapdoor Hash
- For applications in Setting II (Sublinear Secure RAM Computation): Rate-1/𝜆 TDH is sufficient*.
- For applications in Setting I (Rate-1 OT): We need Rate-1 TDH, i.e. TDH where the hint is a single bit.
25
Rate-1 Trapdoor Hash from DDH
Alice Bob
𝑒 = 𝐸(𝑘𝑒𝑦, 𝑥)𝑒 =ෑ
𝑖
𝒈𝑖,𝑥[𝑖]
Decoding: using hash ℎ and trapdoor 𝑡Hinting:
𝒉𝒕 ∈ 𝔾 𝒉𝒕 ⋅ 𝒈 ∈ 𝔾
𝑥 𝑖 = 0 𝑥 𝑖 = 1
𝑒
𝒙 𝒊 = 𝟎
= ℎ𝑡 ? = ℎ𝑡 ⋅ 𝑔 ?
𝒙 𝒊 = 𝟏
26
Rate-1 Trapdoor Hash from DDH
Alice Bob
𝐿𝑆𝐵(𝑒)𝑒 =ෑ
𝑖
𝒈𝑖,𝑥[𝑖]
Decoding: using hash ℎ and trapdoor 𝑡Hinting:
𝒉𝒕 ∈ 𝔾 𝒉𝒕 ⋅ 𝒈 ∈ 𝔾
𝑥 𝑖 = 0 𝑥 𝑖 = 1
Attempt I:Send LSB of 𝑒.Fails when 𝐿𝑆𝐵 ℎ𝑡 = 𝐿𝑆𝐵(ℎ𝑡𝑔) is equal: happens with probability 1/2.
𝐿𝑆𝐵(𝑒)
𝒙 𝒊 = 𝟎
= 𝐿𝑆𝐵(ℎ𝑡) ? = 𝐿𝑆𝐵(ℎ𝑡𝑔 )?
𝒙 𝒊 = 𝟏
27
Rate-1 Trapdoor Hash from DDH
Alice Bob
Φ(𝑒)𝑒 =ෑ
𝑖
𝒈𝑖,𝑥[𝑖]
Decoding: using hash ℎ and trapdoor 𝑡Hinting:
𝒉𝒕 ∈ 𝔾 𝒉𝒕 ⋅ 𝒈 ∈ 𝔾
𝑥 𝑖 = 0 𝑥 𝑖 = 1
Attempt I:Send LSB of 𝑒.Fails when 𝐿𝑆𝐵 ℎ𝑡 = 𝐿𝑆𝐵(ℎ𝑡𝑔) is equal: happens with probability 1/2.
Φ(𝑒)
𝒙 𝒊 = 𝟎
= Φ(ℎ𝑡) ? = Φ(ℎ𝑡𝑔 )?
𝒙 𝒊 = 𝟏
Goal: an encoding Φ:𝔾 → {0,1} such that with high probability
Φ ℎ𝑡 ≠ Φ ℎ𝑡𝑔28
Rate-1 Trapdoor Hash from DDH
Goal: an encoding Φ:𝔾 → {0,1} such that with high probability
Φ ℎ𝑡 ≠ Φ ℎ𝑡𝑔
𝔾1 𝑔 𝑔2 𝑒 ∈ 𝔾
Attempt II:Φ 𝑒 = LSB of number of steps to reach 𝟏
29
Rate-1 Trapdoor Hash from DDH
Goal: an encoding Φ:𝔾 → {0,1} such that with high probability
Φ ℎ𝑡 ≠ Φ ℎ𝑡𝑔
Attempt II:Φ 𝑒 = LSB of number of steps to reach 𝟏
Clearly, Φ ℎ𝑡 ≠ Φ(ℎ𝑡𝑔) for all 𝑡 ∈ ℤ𝑝.
Problem: not efficient (this is DLOG).
𝔾1 𝑔 𝑔2 ℎ𝑡 ℎ𝑡𝑔
30
Rate-1 Trapdoor Hash from DDH
Goal: an encoding Φ:𝔾 → {0,1} such that with high probability
Φ ℎ𝑡 ≠ Φ ℎ𝑡𝑔
Idea: distributed discrete log [BGI16,DKK18]
𝔾1 𝑔 𝑔2
Attempt III: using a PRF, define many random “reference points”: 𝒛 s.t. 𝑷𝑹𝑭 𝒛 = 𝟎.
Φ 𝑒 = LSB of number of steps to reach the closest reference point
𝑧1 𝑧2 𝑧3𝑒 ∈ 𝔾
31
Rate-1 Trapdoor Hash from DDH
Goal: an encoding Φ:𝔾 → {0,1} such that with high probability
Φ ℎ𝑡 ≠ Φ ℎ𝑡𝑔
Idea: distributed discrete log [BGI16,DKK18]
𝔾1 𝑔 𝑔2
Attempt III: using a PRF, define many random “reference points”: 𝒛 s.t. 𝑷𝑹𝑭 𝒛 = 𝟎.
Φ 𝑒 = LSB of number of steps to reach the closest reference point
If the reference points are dense enough, this is efficient.If the reference points are sparse enough, Φ ℎ𝑡 ≠ Φ(ℎ𝑡𝑔) with high probability.
𝑧1 𝑧2 𝑧3ℎ𝑡 ℎ𝑡𝑔
32
Conclusion and Further Research
We introduce Trapdoor Hash:- Simple primitive with constructions from various standard assumption.- Powerful primitive with significant applications in communication-efficient protocols.
Applications in Setting I: Rate-Optimal Protocols for OT and Other Functions:- Constructions from new standard assumptions.- More general functionalities?- Constructions from general assumptions?
Applications in Setting II: Sublinear Protocols for Secure RAM Computation:- First constructions from number-theoretic assumptions.- Can we get constructions as efficient as lattice-based schemes?
Other applications of trapdoor hash or similar techniques?Thanks for Listening!33