Definition and applications

Lossy Trapdoor Functions

2

3

Lossy Trapdoor Functions

Definition [PW08]

(·)pkFD R

' (·)pkFD 'R R

( , ) (1 )kpk sk Gen

( ') '(1 )kpk Gen

1( ,·)pkF sk

'cpk pk

Invertible

Lossy

4

Lossy Trapdoor Functions

Implications

LTDF[PW08]

TDF

IND-CPA

Det. Enc. [BFO08](New!)

Hedged Enc.

[BB+09](New!)

Others …

[BKPW12] What about the IB setting?

5

Lossy Trapdoor Functions

Constructing a primitive

Setup Encrypt Decrypt

Gen Evalpk Invert

Setup Encrypt Decrypt?

Gen’ Evalpk’

Ga

me

1G

am

e 2

Secure!

C hides M!

IND

Working towards a definition

Identity-Based Lossy Trapdoor Function[BKPW12]

6

7

Identity-Based Lossy Trapdoor Functions

IBE - Functionality

( , )mpk msk MKGen

( , )IDsk KGen msk ID

C ( , , )Enc mpk ID M

( ,sk ,C)IDM Dec mpk

,(·)

mpk IDF

( , )IDsk KGen msk ID

( , )mpk msk MKGen

Constructed with an IB-LTDF uses:

1

,( ,·)IDmpk ID

F sk

IBE [Sha84,BF01] consists of:

8

Identity-Based Lossy Trapdoor Functions

Functional requirements

D

Invertible

, 1(·)mpk IDF

1, 1 1( ,·)mpk ID IDF sk

( , )IDsk KGen msk ID

( , ) (1 )kmpk msk MKGen

R, 3(·)mpk IDF

1, 3 3( ,·)mpk ID IDF sk

, 2 (·)mpk IDF

1, 2 2( ,·)mpk ID IDF sk

9

Identity-Based Lossy Trapdoor Functions

IBE – Security Game / Reduction

*IDmpk

IDIDsk

1 2,M M

( , *, )bC Enc mpk ID M0,1Rb

*b

( ) Pr[ *] 1/ 2Adv b b

IDIDsk

can try to invert .

should be lossy', *

(·)mpk IDF

',(·)

mpk IDF

( , )mpk msk MKGen

( , )IDsk KGen msk ID

Using IB-LTDF

( ', ') 'mpk msk MKGen

' '( ', )IDsk KGen msk ID

(·)*,IDmpk

F (·)*,' IDmpk

F

10

Identity-Based Lossy Trapdoor Functions

Towards defining sec. requirements

D

D'R R

Sec. Requirement?

Invertible

Lossy

, (·)mpk IDF

1, ( ,·)mpk ID IDF sk

R

', 1(·)mpk IDF', 3(·)mpk IDF

', 2 (·)mpk IDF

1', 2 2( ,·)mpk ID IDF sk

R

( , )IDsk KGen msk ID

( , )mpk msk MKGen

'( ', )IDsk KGen msk ID

( ', ') 'mpk msk MKGen

11

Identity-Based Lossy Trapdoor Functions

[BKPW12] limitations

LTDF[PW08]

IB-LTDF (S)[BKPW12]

TDF (New!)

IND-CPA

Det. Enc. [BFO08](New!)

(New!)

Hedged Enc.

[BB+09](New!)

(New!)

Others … hopefully

12

Identity-Based Lossy Trapdoor Functions

[BKPW12] limitations

LTDF[PW08]

IB-LTDF (S)[BKPW12]

IB-LTDF (A)[BKPW12]

TDF (New!) (New!)

IND-CPA ?

Det. Enc. [BFO08](New!)

(New!) ?

Hedged Enc.

[BB+09](New!)

(New!) ?

Others … hopefully ?

New Definition and Hierarchical Extension

Identity-Based Lossy Trapdoor Function

13

14

Identity-Based Lossy Trapdoor Functions

Our definition (I)

*ID

ID

*b

ID

[ ]mpk I

[ ]IDsk I

[ ]IDsk I

Real Experiment

Outputs 1 iff * 1 * is lossy are injectiveb ID ID

I( [ ], [ ])mpk I msk I L( [ ], [ ])mpk L msk L

[ ] [ ]IDsk L KGen L[ ] [ ]IDsk I KGen I

[ ] [ ]IDsk I KGen I [ ] [ ]IDsk L KGen L

has small range[ ],ID*(·)mpk LF has full range[ ],ID (·)mpk LF

mpk

IDsk

IDsk

[ ]mpk L

[ ]IDsk L

[ ]IDsk L

Lossy Experiment

( ) Pr[RealEXP 1] Pr[LossyEXP 1]Adv

15

Identity-Based Lossy Trapdoor Functions

Our definition (II)

* is lossy are injectiveID ID

Extra Cond. #1:

Pr[ * is lossy are injective]ID ID big enough

Extra Cond. #2:

indep. from guess

16

Identity-Based Lossy Trapdoor Functions

[EHLR14] implications

LTDF[PW08]

IB-LTDF (S)[EHLR14]

IB-LTDF (A)[EHLR14]

TDF

IND-CPA

Det. Enc. [BFO08](New!)

(New!)*

Hedged Enc.

[BB+09](New!)

(New!)

Others … hopefully hopefully

*Also in [XXZ12]

17

*Also in [XXZ12]

Identity-Based Lossy Trapdoor Functions

[EHLR14] implications

LTDF[PW08]

IB-LTDF (S)[EHLR14]

IB-LTDF (A)[EHLR14]

HIB-LTDF (S,A)[EHLR14]

TDF (New!)

IND-CPA

Det. Enc. [BFO08](New!)

(New!)* (New!)

Hedged Enc.

[BB+09](New!)

(New!) (New!)

Others … hopefully hopefully hopefullyUsing [CHK03]…

[EHLR14] Forward Secure Det. Enc. (New!)

[EHLR14] Forward Secure Hedged Enc. (New!)

Construction

Identity-Based Lossy Trapdoor Function

18

19

Identity-Based Lossy Trapdoor Functions

• Construction similar to [PW08]

o Matrix-vector paradigm

• Building block: a new Hierarchical Predicate Encryption

o Hidden Predicate defines Injective or Lossy

• To evaluate the function for an identity:

1. Homomorphically evaluate the Predicate for the Identity

2. Obtain a matrix of HIBE ciphertexts

3. Compute the matrix-vector product in the exponent

Our construction

Conclusion

Identity-Based Lossy Trapdoor Function

20

21

Identity-Based Lossy Trapdoor Functions

• We give a new definition

• We give a hierarchical extension of the definition

• Our definition implies new primitives with adaptive security:

o One-way HIB Trapdoor Functions

o HIB Deterministic Encryption

o HIB Hedged Encryption

o Forward Secure Deterministic Encryption

o Forward Secure Hedged Encryption

• We give a construction which satisfies the extended definition

Our contributions

THANK YOU!