Lossy trapdoor functions and their applications
Proceedings of the fourtieth annual ACM symposium on Theory of computing - STOC 08
We propose a general cryptographic primitive called lossy trapdoor functions (lossy TDFs), and use it to develop new approaches for constructing several important cryptographic tools, including (injective) trapdoor functions, collision-resistant hash functions, oblivious transfer, and chosen ciphertext-secure cryptosystems (in the standard model). All of these constructions are simple, efficient, and black-box. We realize lossy TDFs based on a variety of cryptographic assumptions, including the
... hardness of the decisional Diffie-Hellman (DDH) problem, and the hardness of the "learning with errors" problem (which is implied by the worst-case hardness of various lattice problems). Taken together, our results resolve some long-standing open problems in cryptography. They give the first injective trapdoor functions based on problems not directly related to integer factorization, and provide the first chosen ciphertext-secure cryptosystem based solely on worst-case complexity assumptions. * A preliminary version of this work appeared in the 40th ACM Symposium on Theory of Computing (STOC 2008). † A majority of this work was performed while at SRI International. A central goal in cryptography is to realize a variety of security notions based on plausible and concrete computational assumptions. Historically, such assumptions have typically been concerned with problems from three broad categories: those related to factoring integers, those related to computing discrete logarithms in cyclic groups, and more recently, those related to computational problems on lattices. For several reasons, it is important to design cryptographic schemes based on all three categories: first, to act as a hedge against advances in cryptanalysis, e.g., improved algorithms for one class of problems or the construction of a practical quantum computer; second, to justify the generality of abstract notions; and third, to develop new outlooks and techniques that can cross-pollinate and advance cryptography as a whole. In public-key cryptography in particular, two important notions are trapdoor functions (TDFs) and security under chosen ciphertext attack (CCA security) [47, 55, 23] . Trapdoor functions, which (informally) are hard to invert unless one possesses some secret 'trapdoor' information, conceptually date back to the seminal paper of Diffie and Hellman  and were first realized in the RSA function of Rivest, Shamir, and Adelman  . Chosen-ciphertext security, which (again informally) guarantees confidentiality of encrypted messages even in the presence of a decryption oracle, has become the de facto notion of security for public key encryption under active attacks. Known constructions of TDFs all rely upon the particular algebraic properties of the functions. For CCA security, the main construction paradigm in the existing literature relies upon noninteractive zero-knowledge (NIZK) proofs [10, 26] (either for general NP statements or for specific number-theoretic problems). Such proofs allow the decryption algorithm to check that a ciphertext is 'well-formed,' and (informally speaking) force the adversary to produce only ciphertexts for which it already knows the underlying messages, making its decryption oracle useless. Unfortunately, it is still not known how to realize TDFs and CCA security (in the standard model) based on all the types of assumptions described above. Using NIZK proofs, CCA-secure cryptosystems have been constructed based on problems related to factoring and discrete logs [47, 23, 60, 19, 20] , but not lattices. For trapdoor functions, the state of the art is even less satisfactory: though TDFs are widely viewed as a general primitive, they have so far been realized only from problems related to factoring [58, 54, 48] . In this paper, we make the following contributions: • We introduce a new general primitive called lossy trapdoor functions, and give realizations based on the conjectured hardness of the decisional Diffie-Hellman (DDH) problem in cyclic groups, and the conjectured worst-case hardness of certain well-studied lattice problems. • We show that lossy trapdoor functions imply injective (one-to-one) trapdoor functions in the traditional sense. This yields the first known trapdoor functions based on computational problems that are not directly related to integer factorization. • We present a conceptually simple black-box construction of a CCA-secure cryptosystem based on lossy TDFs. In contrast to prior approaches, the decryption algorithm in our scheme is witness-recovering, i.e., along with the message it also recovers the randomness that was used to create the ciphertext. It then checks well-formedness simply by re-encrypting the message under the retrieved randomness, and comparing the result to the original ciphertext. Until now, witness-recovering CCA-secure cryptosystems were known to exist only in the random oracle model [8, 28] . Our approach has two main benefits: first, the cryptosystem uses its underlying primitive (lossy TDFs) as a "black-box," making it more efficient and technically simpler than those that follow the general 2 NIZK paradigm [47, 23, 60]. 1 Second, it yields the first known CCA-secure cryptosystem based entirely on (worst-case) lattice assumptions, resolving a problem that has remained open since the pioneering work of Ajtai  and Ajtai and Dwork . 2 • We further demonstrate the utility of lossy TDFs by constructing pseudorandom generators, collisionresistant hash functions, and oblivious transfer (OT) protocols, in a black-box manner and with simple and tight security reductions. Using standard (but non-black box) transformations [34, 35] , our OT protocols additionally imply general secure multiparty computation for malicious adversaries. Trapdoor Functions and Witness-Recovering Decryption Trapdoor functions are certainly a powerful and useful primitive in cryptography. Because they generically yield passively secure (i.e., chosen plaintext-secure) cryptosystems that are witness-recovering, it is tempting to think that they might also yield efficient CCA-secure encryption via witness recovery. Indeed, this approach has borne some fruit [6, 8, 28] , but so far only with the aid of the random oracle heuristic. A related long-standing question is whether it is possible to construct (a collection of) trapdoor functions from any cryptosystem that is secure under a chosen-plaintext attack (CPA-secure)  . A tempting approach is to generate the function description as a public encryption key pk, letting its trapdoor be the matching secret decryption key sk, and defining f pk (x) = E pk (x; x). That is, encrypt the input x, also using x itself as the random coins for encryption (for simplicity we ignore the possibility that encryption may require more random bits than the message length). The cryptosystem's completeness ensures that decrypting the ciphertext with the secret key (i.e., the function's trapdoor) returns x. The only remaining question is whether this function is one-way, assuming that the cryptosystem is CPA-secure. Unfortunately, we have no reason to think that the above function (or anything like it) is hard to invert, because CPA security is guaranteed only if the randomness is chosen independently of the encrypted message. For example, consider a (pathological, but CPA-secure) encryption algorithm E , which is built from another (CPA-secure) encryption algorithm E: the encryption algorithm E (m; r) normally returns E(m; r), except if m = r it simply outputs r. Then our candidate trapdoor function f pk (x) = E (x; x) is simply the identity function, which is trivial to invert. While the above is just a contrived counterexample for one particular attempt, Gertner, Malkin, and Reingold  demonstrated a black-box separation between injective (or even poly-to-one) trapdoor functions and CPA-secure encryption. Intuitively, the main difference is that inverting a trapdoor function requires the recovery of its entire input, whereas a decryption algorithm only needs to recover the input message, but not necessarily the encryption randomness. For similar reasons, there is also some evidence that achieving CCA security from CPA security (in a black-box manner) would be difficult  . Perhaps for these reasons, constructions of CCA-secure encryption in the standard model [47, 23, 60, 19, 20] have followed a different approach. As explained in  , all the techniques used so far have employed a "many-key" construction, where the well-formedness of a ciphertext is guaranteed by a (simulation-sound) non-interactive zero knowledge (NIZK) proof that the same message is encrypted under two or more public keys. A primary benefit of zero-knowledge is that the decryption algorithm can ensure that a ciphertext is well-formed without needing to know a witness to that fact (e.g., the input randomness). The twokey/NIZK paradigm has led to CCA-secure encryption based on general assumptions, such as trapdoor permutations , as well as efficient systems based on specific number-theoretic problems [19, 20] , such as 1 We note that Cramer and Shoup [19, 20] gave efficient CCA-secure constructions based on NIZK proofs for specific numbertheoretic problems. 2 We also note that while NIZK proofs for certain lattice problems are known , they do not appear to suffice for CCA security.