Toward Fine-Grained Blackbox Separations
Between Semantic and Circular-Security Notions
Mohammad Hajiabadi (University College London)
Bruce Kapron (University of Victoria)
May 3, 2017
1 / 21
1-Circular security
Figure: 1-circular security
2 / 21
Versions of 1-circular
Two extreme cases:
I
Extreme 1: bit circular security: sk is encrypted bit-by-bit
I
Intermediate: sk encrypted block-by-block
I
Extreme 2: full-length circular security: sk is encrypted as
a whole.
3 / 21
t-Circular security
Figure: t-circular security
4 / 21
t-circular security from minimal CPA security?
5 / 21
t-circular security from minimal CPA security?
t = 1: easy (full-length case)
Figure: 1-circular construct
G : 1-1 X
5 / 21
t-circular security from minimal CPA security?
t = 1: easy (full-length case)
Figure: 1-circular construct
G : 1-1 X
I
Hard to extend to bit case.
I
Hard to extend to t > 1.
5 / 21
Background
I
I
Applications: FHE constructions
Positive results Circular-secure schemes under DDH, LWE,
QR/DCR etc (BHHO08,ACPS’09,BG10)
I
I
for multiple-key case: t-circular: Epk1 (sk2 ), . . . , Epkt (sk1 ) ,
Negative results
I
I
I
NO BB reduction can prove any CPA bit-by-bit PKE is also
circular secure (Rothblum’13)
Concrete CPA-secure schemes that are circular insecure
(Koppula-Waters’16, Alamati-Peikert’16, etc.)
TDP 6→BB full-KDM PKE (Haitner-Holenstein’09).
6 / 21
Our results
Lingering questions:
1. 1-circular secure bit encryption from CPA encryption?
2. t-circular secure encryption (bit or full length) from CPA
encryption? (t > 1)
7 / 21
Our results
Lingering questions:
1. 1-circular secure bit encryption from CPA encryption?
2. t-circular secure encryption (bit or full length) from CPA
encryption? (t > 1)
We address (1) and (2) for seed-circular security.
I
encrypting the seed of G .
I
Seed circular encryption ⇒ circular encryption
7 / 21
Our results
Lingering questions:
1. 1-circular secure bit encryption from CPA encryption?
2. t-circular secure encryption (bit or full length) from CPA
encryption? (t > 1)
We address (1) and (2) for seed-circular security.
I
encrypting the seed of G .
I
Seed circular encryption ⇒ circular encryption
I
CPA encryption 6−→ 1-seed-circular bit encryption
blackbox
blackbox
I
CPA encryption 6−→ (c log n)-seed-circular bit encryption
blackbox
I
t-seed circular bit encryption 6−→ (t + 1)-full-length
seed-circular encryption
7 / 21
Fully blackbox reductions
Q ⇒FBB P: construction and security proof
8 / 21
Fully blackbox reductions
Q ⇒FBB P: construction and security proof
8 / 21
Two Templates for BB separation proofs
Q 6⇒FBB P
9 / 21
Two Templates for BB separation proofs
Q 6⇒FBB P
I
Give an ideal oracle O for Q;
I
Any G O for P can be broken by small number of queries to O.
Used in [IR’89: OWP 6⇒FBB KA], [BPRVW’08: TDP 6⇒ IBE], etc
9 / 21
Two Templates for BB separation proofs
Q 6⇒FBB P
I
Give an ideal oracle O for Q;
I
Any G O for P can be broken by small number of queries to O.
Used in [IR’89: OWP 6⇒FBB KA], [BPRVW’08: TDP 6⇒ IBE], etc
Second template: Give an ideal oracle O for Q plus some
weakening component W :
I
No AO,W can break Q security of O
I
Any G O for P can be broken by some B O,W
Used in [Simon’98: OWP 6⇒ CRHF], [HR’04 secret-coin CRHF 6⇒
public-coin CRHF], [GMM’07 CPA PKE 6⇒shielding CCA PKE], etc
These templates do not work for our case.
9 / 21
Separation model [GMR’01]
CPA PKE 6⇒FBB 1-seed circular bit PKE
Fix En = (Gen◦ , Enc ◦ , Dec ◦ )
Define T in such a way that for random (g , e, d):
10 / 21
Details of oracles
I
On :
I
I
I
gn : {0, 1}n → {0, 1}5n random injective.
en : {0, 1}5n × {0, 1} × {0, 1}n → {0, 1}7n random injective
dn : {0, 1}n × {0, 1}7n → {0, 1} ∪ {⊥} agrees with g and e.
I
un : {0, 1}5n × {0, 1}7n → ({0, 1} × {0, 1}n ) ∪ {⊥} decrypting
relative to public keys, returning also the randomness.
I
wn : {0, 1}5n → {⊥, >}: public-key validity check.
11 / 21
Fix (Geng ,e,d , Enc g ,e,d , Dec g ,e,d ). naive try T (PK , C1 , . . . , Cn )
I Decrypt (C1 , ..., Cn ) relative to PK to get S.
I if Geng ,e,d (S) = (PK , ∗) return S
12 / 21
Fix (Geng ,e,d , Enc g ,e,d , Dec g ,e,d ). naive try T (PK , C1 , . . . , Cn )
I Decrypt (C1 , ..., Cn ) relative to PK to get S.
I if Geng ,e,d (S) = (PK , ∗) return S
Several problems:
1. What if PK isn’t valid?
2. How to simulate?
12 / 21
Fix (Geng ,e,d , Enc g ,e,d , Dec g ,e,d ). naive try T (PK , C1 , . . . , Cn )
I Decrypt (C1 , ..., Cn ) relative to PK to get S.
I if Geng ,e,d (S) = (PK , ∗) return S
Several problems:
1. What if PK isn’t valid?
2. How to simulate?
Solution to 1: T perform Dec O (SK 0 , C1 ...Cn ):
e
(A) (PK , SK 0 ) ∈ GenO
e close to O = (g , e, d): w.h.p.
(B) O
e
Enc O (PK , b; R) = Enc O (PK , b, R) for b = 0, 1.
implication: (PK , SK ) ← Gen(S), (C1 , ..., Cn ) ← Enc(PK , S) ⇒
e
Dec O (SK 0 , C1 ...Cn ) = S.
e
12 / 21
One step of T: CPA PKE 6⇒FBB circular bit PKE.
Type-1 case: (Geng , Enc e , Dec d ). Let O = (g , e, d) and
T(PK , C1 ...Cn ) a query.
e = (e
e that is:
Goal: define O
g , ee, d)
1. (PK , SK 0 ) ∈ G O ;
e
2. Enc O (PK , b; R) = Enc O (PK , b, R) for b = 0, 1.
e
13 / 21
One step of T: CPA PKE 6⇒FBB circular bit PKE.
Type-1 case: (Geng , Enc e , Dec d ). Let O = (g , e, d) and
T(PK , C1 ...Cn ) a query.
e = (e
e that is:
Goal: define O
g , ee, d)
1. (PK , SK 0 ) ∈ G O ;
e
2. Enc O (PK , b; R) = Enc O (PK , b, R) for b = 0, 1.
e
Idea:
I
Sample set of query/response pairs Qg such that
(PK , ∗) ∈ GenQg ;
I
ge: Super-impose Qg on g .
ee = e
e will define later
d:
13 / 21
Superimposing g queries
e where Qg : g -type query/answer pairs
(g , e, d) ⇒Qg (e
g , ee, d),
ee = e
(
d(sk, c), if sk ∈
/ {sk1 , . . . , skn }
e
d(sk,
c) =
u(pki , c), if sk = ski
14 / 21
Simple case: (Geng , Enc e , Dec d ). Let O = (g , e, d) and
T(PK , C1 ...Cn ) a query.
High-level operations of T:
(A) Sample set of query/response pairs Qg such that
(PK , SK 0 ) ∈ G Qg ;
(B) Superimpose Qg = {sk1 → pk1 , . . . , skm → pkm } on O to get
e
O;
(C) S = D O (SK 0 , C1 ...Cn )
e
(D) Release S subject to check: Return S if
15 / 21
Main Theorems
Theorem
(Breaking 1-seed circularity of (G g , E e , D d ))
Pr [T(PK , C1 , . . . , Cn ) = S] ≥ 1 −
Env,T
1
,
22n
(1)
for random (g , e, d), S ← {0, 1}n , (PK , SK ) = G g (S),
(C1 , . . . , Cn ) ← E e (PK , S).
Theorem
(Not Breaking CPA of (g , e, d))
A at most 2n/8 queries:
Pr
O,T,b,pk,c
[AO,T (1n , pk, c) = b] ≤
1
1
+ n/4 ,
2 2
(2)
O ← Ψ, b ← {0, 1}, sk ← {0, 1}n , pk = g(sk) and c ← e(pk, b).
16 / 21
Theorem
(Breaking 1-seed circularity of (G g , E e , D d ))
Pr [T(PK , C1 , . . . , Cn ) = S] ≥ 1 −
Env,T
1
,
22n
(3)
for random (g , e, d), S ← {0, 1}n , (PK , SK ) = G g (S),
(C1 , . . . , Cn ) ← E e (PK , S).
Proof main idea: If T (PK , C1 , ..., Cn ) 6= S ⇒ check in Step (D)
didn’t hold ⇒ we can forge some pk ∈ {0, 1}3n w/o calling
g −1 (pk)
g : {0, 1}n → {0, 1}3n
17 / 21
Theorem
(Not Breaking CPA of (g , e, d))
A at most 2n/8 queries:
Pr
O,T,b,pk,c
[AO,T (1n , pk, c) = b] ≤
1
1
+ n/4 ,
2 2
(4)
O ← Ψ, b ← {0, 1}, sk ← {0, 1}n , pk = g(sk) and c ← e(pk, b).
Proof main idea: AO,T (1n , pk, c) can be simulated by B O,u
where u ∗ (pk, c) = ⊥.
∗ ,w
,
I
u : {0, 1}5n × {0, 1}7n → ({0, 1} × {0, 1}n ) ∪ {⊥} decrypting
relative to public keys, returning also the randomness.
I
w : {0, 1}5n → {⊥, >}: public-key validity check.
18 / 21
General case
Main difficulties:
I
I
The idea of superimposing for other types of queries
e close to O is much more difficult.
Making O
I
Requiring to learn heavy queries during key generation.
19 / 21
t-seed circular 6⇒ (t + 1)-seed circular
t = 1: 1-seed circularity cannot be extended to 2-seed circularity.
We define T that breaks 1-seed circularity of (g , e, d) but not
2-seed circularity of E g ,e,d . Main ideas T (PK1 , PK2 , C1 , C2 ):
I
I
I
We learn likely public keys pk embedded in a random
execution G g (1n ).
e to decrypt C1 and C2 to get S1 and S2 .
Define O
T makes sure the set of un-learned public keys embedded in
S1 and S2 be disjoint.
20 / 21
Conclusions and Open Problems
Summary of results:
blackbox
I
CPA encryption 6−→ 1-seed-circular bit encryption
blackbox
I
CPA encryption 6−→ (c log n)-seed-circular bit encryption
blackbox
I
t-seed circular bit encryption 6−→ (t + 1)-full-length
seed-circular encryption
Open problems:
1. Separating circular from CPA PKE.
2. FHE ⇒ circular PKE? NOTE: non-blackbox techniques
21 / 21