Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption

Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)


Public-Key Encryption

[Diagram: Alice sends c = Enc_pk(m) to Bob; an eavesdropper who sees c learns nothing about m]

Semantic Security [Goldwasser-Micali ‘82]: Enc_pk(m0) and Enc_pk(m1) are computationally indistinguishable for any m0 and m1

Encryption must be randomized

Randomness is difficult
• Weak sources in practice (keystrokes, timing)
• Incorrect implementations
  – [Heninger et al. ‘12, Lenstra et al. ‘12] on RSA public keys
  – Sony PS3 master signing key broken due to reuse of randomness across different EC-DSA key pairs
• Weak randomization attacks against RSA-OAEP [Brown ’05]
• many many more …

Deterministic Public-Key Encryption: “Theory meets practice”
• Efficiently searchable encryption
  – Encrypted keyword search
  – Deduplication over encrypted data
• Can get short ciphertexts
  – Easier to use in legacy systems

Can we formalize and realize meaningful notions of security for deterministic public-key encryption?

Prior work: BBO ’07, BFO ’08, BFOR ’08, BBNRSSY ’09, BS ’11, MPRS ’12, FOR ’12, … (3 B’s, 3 F’s, 2 S’s)

Security of Det. PKE (attempt 1)

[Game diagram: the adversary receives pk and chooses m0, m1; the challenger picks a random b in {0,1} and returns c = Enc_pk(m_b); the adversary must guess b]

• What happens if Enc is deterministic?
  The adversary simply checks: is c = Enc_pk(m0)? If so, guess b=0; else, guess b=1.

Security cannot hold if the adversary knows (or can predict) m0 or m1!

Security of Det. PKE (attempt 2)

[Game diagram: the adversary receives pk and chooses message distributions M0, M1; the challenger samples m0 from M0 and m1 from M1, picks a random b in {0,1} and returns c = Enc_pk(m_b); the adversary must guess b]

* Restriction: H∞(M_b) is not too small, i.e. no message is very likely to occur

• Is this restriction sufficient? NO:
  M0: sample a random message m such that c = Enc_pk(m) starts with a 0
  M1: sample a random message m such that c = Enc_pk(m) starts with a 1
  Both distributions have high min-entropy, yet the first bit of c reveals b.

If M is allowed to depend on pk and be arbitrary, then the encryption has subliminal channels.

Security of Det. PKE [BBO ’07]

[Game diagram as in attempt 2, with the restriction (*) that M0, M1 are chosen independently of pk]

• Not a realistic assumption in practice
  – a malicious adversary will use the pk in his attack
  – does not model what information will be leaked when there are accidental dependencies on the public key

Question: Realistic security notions that allow the adversary to choose M after seeing pk

Our Work
• Formalize notions of adaptive security
  – Attackers given access to pk
  – Extensions
• Generic constructions in the random-oracle model
  – Based on any off-the-shelf (randomized) PKE
• Constructions in the standard model
  – Connection to deterministic randomness extractors
  – New techniques to deterministically extract via a “high-moment crooked” leftover hash lemma
  – New cryptographic tools (R-lossy trapdoor functions)

Defining Adaptive Det. PKE

[Game diagram: the adversary receives pk (and, in the CCA variant, access to a decryption oracle Dec(sk,·)); a random b in {0,1} is fixed once; the adversary repeatedly chooses distributions M0, M1, and the challenger samples m0 from M0, m1 from M1 and returns c = Enc_pk(m_b); finally the adversary guesses b]

• A set 𝒳 of distributions of size 2^p is fixed a priori
• The adversary can choose M adaptively, based on pk and on the answers c, as long as M remains in the set 𝒳.
• General notion
  – p=0: independent of pk
  – p=O(s·log(s)): all circuits of size s
• “Multi-shot”
• Easily extends to CCA (chosen-ciphertext-attack) security (what a surprise!)

The security notion only depends on p: it holds for all 𝒳 of size 2^p.

Tool: Lossy Trapdoor Functions [PW08]

Two families of functions, injective and lossy, both mapping a domain to a range:
• Injective function f
  – Injective
  – Efficiently invertible (trapdoor f^-1)
• Lossy function g
  – Lossy: the image is much smaller than the domain
  – Cannot be inverted (information theoretically)

Security: the descriptions of f and g are “computationally indistinguishable”

Our Basic Scheme

Let f be an injective member of an LTDF family
Let π be a “sufficiently independent” random permutation *

pk = (f, π), sk = f^-1
Enc: c = f(π(m))
Dec: m = π^-1(f^-1(c))

* π chosen randomly from a t-wise δ-dependent family of permutations [KNR09]

Proof (by pictures)

[Hybrid diagram: (f, π) with M0 → (g, π) with M0 → (g, π) with M1 → (f, π) with M1. The first and last steps follow from the security of LTDFs (f ≈ g); the middle step follows from the High-moment Crooked Leftover Hash Lemma.]

Basic scheme is adaptively secure

High-moment Crooked Leftover Hash Lemma: extracting randomness even if M0 and M1 can depend on (g, π)

Extracting randomness (LHL)

Original LHL: f is universal, X is independent of f
  ( f, f(X) ) ≈ ( f, U )

Crooked LHL [DS05]: f is lossy, π is pairwise independent, X is independent of f
  ( f, π, f(π(X)) ) ≈ ( f, π, f(U) )

High-Moment LHL [TV00]: f is t-wise independent, X can depend on f but is bounded (X ranges over a set of distributions of size 2^p)
  ( f, f(X) ) ≈ ( f, f(U) )

High-Moment Crooked LHL (this work): f is lossy, π is t-wise independent, X can depend on f, again from a set of distributions of size 2^p
  ( f, π, f(π(X)) ) ≈ ( f, π, f(U) )

High-Moment Crooked LHL
• Generalizes the Leftover Hash Lemma [HILL89] and its “crooked” variant [DS05]
• Lemma
  – Let f: {0,1}^n → {0,1}^n be such that |Im(f)| ≤ 2^(n-ℓ)
  – Let 𝒳 be a set of sources such that for each X in 𝒳, H∞(X) ≥ (n-ℓ) + 3·log(log(|𝒳|)) + 2·log(1/ϵ) + Θ(1)
  – Let Π be a family of t-wise independent permutations with t ≈ log(|𝒳|) + (n-ℓ)
  – Then, with probability 1-ϵ over the choice of π in Π, for every X in 𝒳 we have SD(f(π(X)), f(U)) < ϵ
• The choice of 𝒳 can depend on f and π

Conclusions

• This work
  – Defining adaptive deterministic PKE
  – Constructions secure in the random oracle and standard model
  – New tools for deterministic extraction
• Going forward: new directions for research (a.k.a. help me write papers!)
  – Shorter public keys?
    • In general, the public key needs to be longer than p
    • In our paper: short public key only for size-s-circuit distributions in the random-oracle model
  – Technical questions related to extraction (work-in-progress)
  – Other paradigms to construct deterministic PKE schemes


Thank you!

Any questions?