KDM-Security via Homomorphic Smooth Projective Hashing

Hoeteck Wee
Lecture Notes in Computer Science, 2016
We present new frameworks for constructing public-key encryption schemes satisfying key-dependent message (KDM) security and that yield efficient, universally composable oblivious transfer (OT) protocols via the dual-mode cryptosystem framework of Peikert, Vaikuntanathan and Waters (Crypto 2008).

- Our first framework yields a conceptually simple and unified treatment of the KDM-secure schemes of Boneh et al. (Crypto 2008), Brakerski and Goldwasser (Crypto 2010) and Brakerski, Goldwasser and ... (TCC 2011) in the single-key setting.
- Using our second framework, we obtain new dual-mode cryptosystems based on the d-linear, quadratic residuosity and decisional composite residuosity assumptions.

Both of these frameworks build on the notion of smooth projective hashing introduced by Cramer and Shoup (Eurocrypt 2002), with the additional requirement that the hash function is homomorphic, as is the case for all known instantiations.

The most basic security guarantee we require of a public-key encryption scheme is semantic security against chosen-plaintext attacks (CPA) [21]: it is infeasible to learn anything about the plaintext from the ciphertext. However, a series of increasingly sophisticated uses of encryption, both directly in practical applications and indirectly as a cryptographic building block in more theoretical work, call for encryption schemes with much stronger security guarantees. In this work, we consider two such security notions.

Key-dependent message (KDM) security. The standard CPA security definition provides no guarantee when the plaintext depends on the secret key (as pointed out in [21]), as may be the case in disk encryption. It was later observed that this situation is not so unlikely and may sometimes even be desirable [12, 1]. Black, Rogaway and Shrimpton [7] formally defined key-dependent message (KDM) security: roughly speaking, we want to guarantee semantic security even against an adversary that can obtain encryptions of (efficient) functions of its choosing, taken from some specified class of functions F, applied to the secret key. Several years ago, Boneh et al. (BHHO) [9] presented a public-key encryption scheme that is KDM-secure w.r.t. the class of affine functions under the decisional Diffie-Hellman (DDH) assumption. Since then, Applebaum et al. [4] presented a scheme under the LWE assumption (which is itself a variant of Regev's cryptosystem [33]) and Brakerski and Goldwasser [10] presented a BHHO-like scheme based on the quadratic residuosity (QR) and decisional composite residuosity (DCR) assumptions. All of these schemes achieve KDM security w.r.t. the class of affine functions, which can in turn be "boosted" to the class of circuits of a priori bounded size [5, 3]. In spite of the fact that many of these schemes inherit the BHHO algebraic structure, there does not seem to be a general principle that explains the design or analysis of these schemes: the BHHO analysis uses an intermediate notion of an "expanded system", whereas that of Brakerski and Goldwasser relies on an incomparable "interactive vector" game.

Dual-mode cryptosystems. Dual-mode cryptosystems were put forth by Peikert, Vaikuntanathan and Waters [32] as a tool for constructing efficient and universally composable oblivious transfer (OT) protocols. Oblivious transfer is a fundamental two-party cryptographic primitive for secure two-party and multi-party computation [35, 20, 28]: it allows one party, called the receiver, to obtain exactly one of two values from another party, called the sender. The receiver remains oblivious to the other value, and the sender is oblivious to which value was received. A natural approach towards realizing OT is to have the receiver generate a pair of public keys, and have the sender encrypt both of its input values under the respective public keys [17, 19]. In order to provide security against a malicious sender, we can simply generate a pair of "normal" public keys along with the corresponding secret keys, and then decrypt both ciphertexts sent by the sender to extract both of its inputs. On the other hand, if the receiver is malicious, we need to ensure that (at least) one of the two public keys is "messy", namely that a ciphertext encrypted under it carries no information about the encrypted plaintext.

A dual-mode cryptosystem provides exactly both of these guarantees in the common reference string (CRS) model. The cryptosystem admits two types of public keys: "normal" keys that enable correct decryption, and "messy" keys under which ciphertexts carry statistically no information about the plaintext. Moreover, a simulator can generate the CRS in one of two indistinguishable modes: a "messy" mode which ensures
doi:10.1007/978-3-662-49387-8_7