Constraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition

Size: px

Start display at page:

Download "Constraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition"

Sarah Holland
5 years ago
Views:

1 Constraint hiding constrained PRF for NC1 from LWE Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition 1

2 2

3 Puncture! 3

4 4 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key

5 5 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere.

6 6 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere. In general: Constrain(K, C) => K{C}

7 7 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere. In general: Constrain(K, C) => K{C} They have many applications (broadcast encryption, identity-based KE), best known for being good friends of io

8 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] 8

9 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] original fresh random 9

10 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] original fresh random The constrained key reveals the point x* 10

11 Constraint-hiding Constrained PRF 11

12 Constraint-hiding Constrained PRF hide 12

13 Constraint-hiding Constrained PRF?? 13

14 Constraint-hiding Constrained PRF? = secret?? 14

15 Constraint-hiding Constrained PRF? = secret?? = key?? 15

16 Constraint-hiding Constrained PRF? = secret?? = key??=?? #faketenniscourtoath 16

17 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition 17

18 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition Where to find them (secure for many keys): - io(pprf) is CHCPRF - Bit-fixing from multilinear DDH, puncturing from multilinear subgroup-hiding 18

19 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition Where to find them (secure for many keys): - io(pprf) is CHCPRF - Bit-fixing from multilinear DDH, puncturing from multilinear subgroup-hiding How to use them: - Private-key deniable encryption, - Privately-detectable watermarking, - Searchable encryption - 19

20 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF 20

21 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF Where to find them: - Simulation-based 1-key CHCPRFs for NC1 from Learning With Errors 21

22 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF Where to find them: - Simulation-based 1-key CHCPRFs for NC1 from Learning With Errors How to use them: - 1-key CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits) - 2-key CHCPRF implies obfuscation* 22

23 Concurrent work: Boneh, Kim, Montgomery (Eurocrypt 17) 1-key puncturable CHCPRFs from LWE. Both root from previous lattices-based PRFs, but different method to constrain and hide. 23

24 Plan for the talk: Part 1: Definition, implications to obfuscation, functional encryption Part 2: How to construct CHCPRFs for NC1 24

25 Defining constraint-hiding constraint PRF (CHCPRF) 25

26 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) definition of CHCPRF 26

27 Simulation-based CHCPRF [CC 17] for all p.p.t. adv, there s a simulator, s.t. the outputs of the real and simulated distributions are indistinguishable. adv Real Simulator 27

28 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C Real adv Simulation-based definition of CHCPRF 28

29 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Real Constraint query C adv Simulation-based definition of CHCPRF 29

30 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Constraint query C Input query x Real adv Simulation-based definition of CHCPRF 30

31 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Real Constraint query C Input query x adv Simulation-based definition of CHCPRF 31

32 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C adv Simulator Simulation-based definition of CHCPRF 32

33 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C adv KS <- Sim(MSKS, 1 C ) Simulator Simulation-based definition of CHCPRF 33

34 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C KS <- Sim(MSKS, 1 C ) Input query x adv Simulator Simulation-based definition of CHCPRF 34

35 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C Input query x adv KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) Simulator Simulation-based definition of CHCPRF 35

36 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Real Constraint query C Input query x adv KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) Simulator Simulation-based definition of CHCPRF 36

37 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Pseudorandom & Constraint-hiding: K[C], FK(x) c KS, ys Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Constraint query C Input query x (when C(x)=0, ys is from random) KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) adv Real Simulator Simulation-based definition of CHCPRF 37

38 Theorem [CC17] For 1-constrained key in the selective setting sim-based = ind-based sim ind 38

39 Sim-based definition for many constrained keys adv Real Simulator 39

40 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Constraint-hiding: K[C1], K[C2] c K1S, K2S MSKS Master KeyGen MSK Cons(MSK, C1) -> K[C1] Constraint query C1 K1S <- Sim(MSKS, 1 C ) Cons(MSK, C2) -> K[C2] Constraint query C2 K2S <- Sim(MSKS, 1 C ) adv Simulator Real Sim-based definition for 2 keys 40

41 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. K[C1], K[C2] c K1S, K2S Constraint-hiding: MSKS Master KeyGen MSK Cons(MSK, C1) -> K[C1] Constraint query C1 K1S <- Sim(MSKS, 1 C ) Cons(MSK, C2) -> K[C2] Constraint query C2 K2S <- Sim(MSKS, 1 C ) adv Hey Jude, C1(x)? C2(x)? Real Relaxed Sim-based definition for 2 keys Simulator 41

42 Reminiscent of obfuscation...

43 Theorem [ CC 17 ]: Two-key CHCPRF (for function class C) implies obfuscation (for C) - Two-key relaxed sim-chcprf implies strong VBB obfuscation - Two-key ind-chcprf implies io Obfuscation C Z 43

44 Theorem [ CC 17 ]: Two-key CHCPRF (for function class C) implies obfuscation (for C) - Two-key relaxed sim-chcprf implies strong VBB obfuscation - Two-key ind-chcprf implies io Construction: Obf = ( K[C], K[Z] ) Eval(x) = Eval( K[C], x) - Eval( K[Z], x) Obfuscation Idea implicit from the [GGHRSW13] candidate obfuscation C Z 44

45 Pope: wait you haven t achieved 2-key security

46 Pope: wait you haven t achieved 2-key security In the rest of the talk, we will focus on: 1-key simulation-based definition for CHCPRF.

47 De cr yp t th en Ev al CHCPRF => Functional encryption

48 Theorem [ CC 17 ] 1-key sim-based CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits).

49 Theorem [ CC 17 ] 1-key sim-based CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits). Construction: from normal encryption Sym and CHCPRF F Enc(m;r): ct = EncSym.K(m;r); tag = F[K](ct) FSK[Sym.K, F.K, C]: constrained key for the decryption and eval functionality C(DecSym.K(. )) Eval: compute F[C(DecSym.K(. ))](ct), and compare with tag

50 De nia b le Wa term En cry pti on arki n g? ion t p y r c n E l a Function How to construct CHCPRF? 50

51 Main construction: 1-key sim-based CHCPRFs for NC1 from Learning With Errors. 51

52 Main construction: 1-key sim-based CHCPRFs for NC1 from Learning With Errors. Combine: - Lattices-based PRFs - Barrington s theorem to embed functionality - GGH15 encoding to provide a public constrained mode Demonstrate a proof methodology of GGH15-based applications. 52

53 Banerjee, Peikert, Rosen 12 Subset-product & rounding Key: s1,1 s2,1... s1,0 s2,0... Eval: sn,1 sn,0 A mod q F(x) = { si,xi A }2 si,b are LWE secrets from low-norm distributions 53

54 Banerjee, Peikert, Rosen 12 Subset-product & rounding Key: s1,1 s2,1... s1,0 s2,0... Eval: sn,1 sn,0 A mod q F(x) = { si,xi A }2 What we need in addition to build a CHCPRF: + A proper public mode of the function (GGH15 encoding) + Embed structures in the secret terms to perform functionality (Barrington s theorem) 54

55 Tool 1: GGH15 encoding [Gentry, Gorbunov, Halevi 15] 55

56 A with Trapdoor Trapdoor [Ajtai 99, Alwen, Peikert 09, Micciancio, Peikert 12] Can sample A with a trapdoor T. Can sample small preimage from Gaussian [ Klein 00, GPV 08 ] 56

57 GGH15 encoding for the ith hop: Si,1 Ai Si,0 Ai+1 57

58 GGH15 encoding for the ith hop: Yi,1 = si,1 Ai+1+Ei,1 Si,1 Ai Si,0 Ai+1 Yi,0 = si,0 Ai+1+Ei,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 58

59 GGH15 encoding for the ith hop: Ai Di,1 Di,0 Yi,1 = si,1 Ai+1+Ei,1 Si,1 Si,0 Ai+1 Yi,0 = si,0 Ai+1+Ei,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 2. Sample (by the trapdoor of Ai) small Di,b s.t. AiDi,b=Yi,b Di,b = Encoding( Si,b ) 59

60 GGH15 for L hops: A1 A2 AL AL+1 60

61 GGH15 for L hops: S1,1 A1 S1,0 A2 SL,1 AL SL,0 AL+1 Encode(si,b): 2 steps 61

62 GGH15 for L hops: Y1,1 = s1,1 A2+E1,1 S1,1 A1 S1,0 A2 Y1,0 = s1,0 A2+E1,0 AL Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b YL,1 = sl,1 AL+1+EL,1 SL,1 SL,0 AL+1 YL,0 = sl,0 AL+1+EL,0 62

63 GGH15 for L hops: A1 D1,1 D1,0 Y1,1 = s1,1 A2+E1,1 S1,1 S1,0 A2 Y1,0 = s1,0 A2+E1,0 AL DL,1 DL,0 YL,1 = sl,1 AL+1+EL,1 SL,1 SL,0 AL+1 YL,0 = sl,0 AL+1+EL,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 2. Sample (by the trapdoor of Ai) small Di,b s.t. AiDi,b=Yi,b Let Di,b be Encoding(si,b) 63

64 GGH15 for L hops: A1 D1,1 A2 D1,0 AL DL,1 AL+1 DL,0 Review: What are public 64

65 Understanding the functionality of GGH15 65

66 Evaluation of GGH15 (prove by example): A1 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 Eval(0110) = A1D1,0D2,1D3,1D4,0 66

67 Evaluation of GGH15 (prove by example): ( S1,1 S1,0 A2 + E1,1 + E1,0 ) D2,1 D3,1 D4,1 D2,0 D3,0 D4,0 Eval(0110) = A1D1,0D2,1D3,1D4,0 = (s1,0a2+e1,0)d2,1d3,1d4,0 67

68 Evaluation of GGH15 (prove by example): S1,1 S1,0 A2 Eval(0110) D2,1 D3,1 D4,1 D2,0 D3,0 D4,0 + small = A1D1,0D2,1D3,1D4,0 = (s1,0a2+e1,0)d2,1d3,1d4,0 = s1,0a2d2,1d3,1d4,0 + small 68

69 Evaluation of GGH15 (prove by example): S1,1 S1,0 ( S2,1 S2,0 A3 + E2,1 + E2,0 Eval(0110) = = = = ) D3,1 D4,1 D3,0 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small 69

70 Evaluation of GGH15 (prove by example): S1,1 S1,0 S2,1 S2,0 Eval(0110) = = = = = A3 D3,1 D4,1 D3,0 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small 70

71 Evaluation of GGH15 (prove by example): S1,1 S1,0 Eval(0110) = = = = = = S2,1 S2,0 S3,1 S3,0 A4 D4,1 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small s1,0s2,1s3,1a4d4,0 + still smallish 71

72 Evaluation of GGH15 (prove by example): S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 A5 + small Eval(0110) = = = = = = = A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small s1,0s2,1s3,1a4d4,0 + still smallish s1,0s2,1s3,1s4,0a5 + small 72

73 Evaluation of GGH15 (prove by example): S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 A5 Ev al ua te + small A1 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 73

74 Tool 2: Barrington s theorem (used to embed a circuit into the key) 74

75 Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 1 0 P -1 Q -1 P Q I I I I Input wire 1 Input wire 2 Input wire 1 Input wire 2 Our construction only work for certain representation of Barrington (e.g. S 5) 75

76 Representation of the constraint predicate: branching program 1 B1,1 B2,1 B3,1... BL,1 0 B1,0 B2,0 B3,0... BL,0 Steps 1 2 Eval: Bz(i),x_z(i) = I or C 3... L 76

77 We set the secrets like: S S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 S S S S Representation of secrets (to be encoded by GGH15): Bi,b si,b S S S e.g. I s= S P s= S S S S S S 77

78 NC1-CHCPRF from GGH15 Master public key: A1 AL+1 (L = #steps in BP) Master secret key: trapdoors of A1 AL, s1,0, s1,1,..., sl,0, sl,1, & J Constrained key gen: let Si,b:=Bi,b si,b, sample GGH15 encodings for Si,b Eval: F(x) = { JA1 Di,x_z(i) }2 (z: [L]->[n] is the step-to-input mapping) GGH15(Bi,b si,b) Constrained key: D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E

79 NC1-CHCPRF from GGH15 Master public key: A1 AL+1 (L = #steps in BP) Master secret key: trapdoors of A1 AL, s1,0, s1,1,..., sl,0, sl,1, & J Constrained key gen: let Si,b:=Bi,b si,b, sample GGH15 encodings for Si,b Eval: F(x) = { JA1 Di,x_z(i) }2 (z: [L]->[n] is the step-to-input mapping) Functionality check: when C(x)=1, F(x) = { JA1 Di,x_z(i) }2 = { J( I si,x_z(i) ) AL+1 + small noise }2 s{ J( I si,x_z(i) ) AL+1 }2 when C(x)=0, F(x) = { JA1 Di,x_z(i) }2 = { J( C si,x_z(i) ) AL+1 + small noise }2 s{ J( C si,x_z(i) ) AL+1 }2 79

80 NC1-CHCPRF from GGH15 * D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E Compare to GGM 80

81 NC1-CHCPRF from GGH15 * Bi,b si,b D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E original Our CHCPRF Compare to GGM fresh random 81

82 NC1-CHCPRF from GGH15 * Example: C(x)=0 iff x1=x2=1 query x=11 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E { I (s1,1s2,1s3,1s4,1 )A5 }2 Real What are we trying to simulate? Simulator 82

83 NC1-CHCPRF from GGH15 * Example: C(x)=0 iff x1=x2=1 query x=11 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E { I (s1,1s2,1s3,1s4,1 )A5 }2 Real AJ D1,1 D2,1 D3,1 D4,1 D1,0 { Uniform }2 D2,0 D3,0 D4,0 Proof by example with 1 input query Simulator 83

$D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E D1,1 D2,1 D3,1 AJ D1,0 D2,0 D3,0 { J(I ( sz(x),x_z(x)))al+1 }2 Real Eval =.$

84 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E D1,1 D2,1 D3,1 AJ D1,0 D2,0 D3,0 { J(I ( sz(x),x_z(x)))al+1 }2 Real Eval =... D4,1 { (JC-1A +E) D } c 1 z(x),x_z(x) 2 c { U Dz(x),x_z(x) }2 D4,0 c { Uniform }2 Simulator Proof of NC1-CHCPRF: - LWE with permutation-structured secrets + GPV sampling lemma - Close the trapdoor from the right to the left 84

85 Thanks for your time More in 85

Cryptography with Updates

Cryptography with Updates Slides and research in collaboration with: Prabhanjan Ananth UCLA Aloni Cohen MIT Abhishek Jain JHU Garbled Circuits C Offline: slow Online: fast x C(x) Garbled Circuits C Offline: