smooth projective hash function and its applications
TRANSCRIPT
![Page 1: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/1.jpg)
Smooth Projective Hash Function andIts Applications
Rongmao ChenUniversity of Wollongong
November 21, 2014
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 2: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/2.jpg)
Literature
Ronald Cramer and Victor Shoup.Universal Hash Proofs and a Paradigm for Adaptive ChosenCiphertext Secure Public-Key Encryption.In EUROCRYPT, pages 13–25, 2002.
Ronald Cramer and Victor Shoup.A practical public key cryptosystems provably secure againstadaptive chosen ciphertext attack.In CRYPTO, pages 13–25, 1998.
Shai Halevi and Yael Tauman Kalai.Smooth Projective Hashing and Two-Message ObliviousTransfer.In Journal of Cryptology , pages 158-193, 2012.
Rosario Gennaro and Yehuda Lindell.A Framework for Password-Based Authenticated KeyExchange.In EUROCRYPT, pages 524-543, 2003.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 3: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/3.jpg)
Outline
1 Part I: A Case Study
2 Part II: Smooth Projective Hash Function
3 Part III: Applications of SPHF
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 4: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/4.jpg)
Part I: A Case Study-ECP Problem
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 5: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/5.jpg)
Case Study–Exponentiations Consistency Proving (ECP)
ECP-Problem
Problem: Given g1, g2,X1,X2, the prover wants to prove to theverifier that there is an r where X1 = g r
1 , X2 = g r2 without leaking
the value of r to the verifier.
Solution:
Correctness: if X1 = g r1 ,X2 = g r
2 , then
X b11 X b2
2 = g rb11 g rb2
2 = (gb11 gb2
2 )r = Z r
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 6: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/6.jpg)
Case Study–Exponentiations Consistency Proving (ECP)
ECP-Problem
Problem: Given g1, g2,X1,X2, the prover wants to prove to theverifier that there is an r where X1 = g r
1 , X2 = g r2 without leaking
the value of r to the verifier.
Solution:
Correctness: if X1 = g r1 ,X2 = g r
2 , then
X b11 X b2
2 = g rb11 g rb2
2 = (gb11 gb2
2 )r = Z r
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 7: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/7.jpg)
Case Study–Exponentiations Consistency Proving (ECP)
ECP-Problem
Problem: Given g1, g2,X1,X2, the prover wants to prove to theverifier that there is an r where X1 = g r
1 , X2 = g r2 without leaking
the value of r to the verifier.
Solution:
Correctness: if X1 = g r1 ,X2 = g r
2 , then
X b11 X b2
2 = g rb11 g rb2
2 = (gb11 gb2
2 )r = Z r
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 8: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/8.jpg)
Case Study–Exponentiations Consistency Proving (ECP)
ECP-Problem
Problem: Given g1, g2,X1,X2, the prover wants to prove to theverifier that there is an r where X1 = g r
1 , X2 = g r2 without leaking
the value of r to the verifier.
Solution:
Correctness: if X1 = g r1 ,X2 = g r
2 , then
X b11 X b2
2 = g rb11 g rb2
2 = (gb11 gb2
2 )r = Z r
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 9: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/9.jpg)
Case Study–ECP Problem (cont’d)
Soundness? What if X1 = g r11 ,X2 = g r2
2 , where r1 6= r2?
(Denote log = logg1 and suppose that log(g2) = w)
Note that Z = gb11 gb2
2 = gb1+wb21 which constraints (b1, b2) to
satisfyb1 + wb2 = log(Z ) (1)
If X1 = g r11 ,X2 = g r2
2 , where r1 6= r2, then
X b11 X b2
2 = g r1b11 g r2b2
2 = g r1b1+r2wb21 .
So, for any h ∈ G, we have X b11 X b2
2 = h iff
r1b1 + r2wb2 = log(h) (2)
Equations (1), (2) are linearly independent regarding b1, b2. Hence,
Pr[X b11 X b2
2 = h] = 1/G
The distribution of X b11 X b2
2 is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 10: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/10.jpg)
Case Study–ECP Problem (cont’d)
Soundness? What if X1 = g r11 ,X2 = g r2
2 , where r1 6= r2?
(Denote log = logg1 and suppose that log(g2) = w)
Note that Z = gb11 gb2
2 = gb1+wb21 which constraints (b1, b2) to
satisfyb1 + wb2 = log(Z ) (1)
If X1 = g r11 ,X2 = g r2
2 , where r1 6= r2, then
X b11 X b2
2 = g r1b11 g r2b2
2 = g r1b1+r2wb21 .
So, for any h ∈ G, we have X b11 X b2
2 = h iff
r1b1 + r2wb2 = log(h) (2)
Equations (1), (2) are linearly independent regarding b1, b2. Hence,
Pr[X b11 X b2
2 = h] = 1/G
The distribution of X b11 X b2
2 is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 11: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/11.jpg)
Case Study–ECP Problem (cont’d)
Soundness? What if X1 = g r11 ,X2 = g r2
2 , where r1 6= r2?
(Denote log = logg1 and suppose that log(g2) = w)
Note that Z = gb11 gb2
2 = gb1+wb21 which constraints (b1, b2) to
satisfyb1 + wb2 = log(Z ) (1)
If X1 = g r11 ,X2 = g r2
2 , where r1 6= r2, then
X b11 X b2
2 = g r1b11 g r2b2
2 = g r1b1+r2wb21 .
So, for any h ∈ G, we have X b11 X b2
2 = h iff
r1b1 + r2wb2 = log(h) (2)
Equations (1), (2) are linearly independent regarding b1, b2. Hence,
Pr[X b11 X b2
2 = h] = 1/G
The distribution of X b11 X b2
2 is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 12: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/12.jpg)
Case Study–ECP Problem
Several Observations from ECP
1 Designated Verifier. Only the verifier who has the trapdoorkey (b1, b2) can do the verification.
2 Correctness Assurance. The proof can be computed in twodifferent ways by the prover (Z r ) and the verifier (X b1
1 X b22 )
respectively.
3 Soundness Assurance. The prover can only convince theverifier with negligible probability if the statement is false.
Designated Verifier Non-Interactive Zero-Knowledge Proof, wherethe language is as follow,
LDDH = {(u1, u2) : ∃r ∈ Zp s.t.u1 = g r1 , u2 = g r
2},
where g1, g2 ∈ G, ](G) = p.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 13: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/13.jpg)
Case Study–ECP Problem
Several Observations from ECP
1 Designated Verifier. Only the verifier who has the trapdoorkey (b1, b2) can do the verification.
2 Correctness Assurance. The proof can be computed in twodifferent ways by the prover (Z r ) and the verifier (X b1
1 X b22 )
respectively.
3 Soundness Assurance. The prover can only convince theverifier with negligible probability if the statement is false.
Designated Verifier Non-Interactive Zero-Knowledge Proof, wherethe language is as follow,
LDDH = {(u1, u2) : ∃r ∈ Zp s.t.u1 = g r1 , u2 = g r
2},
where g1, g2 ∈ G, ](G) = p.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 14: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/14.jpg)
Part II: Smooth Projective Hash Function
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 15: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/15.jpg)
Smooth Projective Hash Function (SPHF)
Definition of SPHF
Roughly speaking, the definition of SPHF requires the existence ofa domain X and an underlying NP language L ⊆ X . And SPHFconsists of a keyed hash pairHashhk : X → Π,ProjHashhp : L→ ΠL.
Informally, SPHF is defined by the following algorithms:
HashKG(L): generates a hashing key hk for the language L;
ProjKG(hk, L): derives the projection key hp from thehashing key hk; 1
Hash(hk, L,C ): outputs the hash value of the world C fromthe hashing key hk;
ProjHash(hp, L,C ,w): outputs the hash value of the world Cfrom the projection key hp, and the witness w that C ∈ L.
1In some special SPHF, the projection key may depend on the word C ∈ L.Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 16: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/16.jpg)
Smooth Projective Hash Function (SPHF)
Properties of SPHF
Normally, a SPHF has the following two properties:
Projection: If a word C ∈ L with w the witness, then
Hash(hk, L,C )=ProjHash(hp, L,C ,w);
Smoothness: If a word C ∈ X/L, then
(hp,Hash(hk, L,C ))s≡ (hp,R)
wheres≡ means ’statistically indistinguishable’, and R
$← Π(hash value space).
Extension of the ’Smoothness’ Property:Smoothness2: If there is another word C ′ ∈ X/L, then
(hp,Hash(hk, L,C ),Hash(hk, L,C ′))s≡ (hp,R,R ′)
where R,R ′$← Π.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 17: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/17.jpg)
Example: SPHF-1 for ECP Problem
SPHF-1 for ECP Problem
Domain XDDH :
XDDH = {u1, u2 : ∃r1, r2 s.t. u1 = g r11 , u2 = g r2
2 }
Language LDDH :
LDDH = {u1, u2 : ∃r s.t. u1 = g r1 , u2 = g r
2}
Suppose the word C = (X1,X2), then the SPHF on LDDH is:
HashKG(LDDH): hk = (b1, b2)$← Z2
p;
ProjKG(hk, LDDH): hp = gb11 gb2
2 ;
Hash(hk, LDDH ,C ): πhk = X b11 X b2
2 ;
ProjHash(hp, LDDH ,C , r): πhp = hpr = (gb11 gb2
2 )r .
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 18: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/18.jpg)
Example: SPHF-1 for ECP Problem
SPHF-1 for ECP Problem
Domain XDDH :
XDDH = {u1, u2 : ∃r1, r2 s.t. u1 = g r11 , u2 = g r2
2 }
Language LDDH :
LDDH = {u1, u2 : ∃r s.t. u1 = g r1 , u2 = g r
2}
Suppose the word C = (X1,X2), then the SPHF on LDDH is:
HashKG(LDDH): hk = (b1, b2)$← Z2
p;
ProjKG(hk, LDDH): hp = gb11 gb2
2 ;
Hash(hk, LDDH ,C ): πhk = X b11 X b2
2 ;
ProjHash(hp, LDDH ,C , r): πhp = hpr = (gb11 gb2
2 )r .
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 19: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/19.jpg)
Example: SPHF-1 for ECP Problem
SPHF-1 for ECP Problem
Domain XDDH :
XDDH = {u1, u2 : ∃r1, r2 s.t. u1 = g r11 , u2 = g r2
2 }
Language LDDH :
LDDH = {u1, u2 : ∃r s.t. u1 = g r1 , u2 = g r
2}
Suppose the word C = (X1,X2), then the SPHF on LDDH is:
HashKG(LDDH): hk = (b1, b2)$← Z2
p;
ProjKG(hk, LDDH): hp = gb11 gb2
2 ;
Hash(hk, LDDH ,C ): πhk = X b11 X b2
2 ;
ProjHash(hp, LDDH ,C , r): πhp = hpr = (gb11 gb2
2 )r .
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 20: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/20.jpg)
Example: SPHF-1 for ECP Problem (Cont’d)
SPHF-1 for ECP Problem
One can see that (from the analysis of ECP):
Projection (for correctness): If C = (X1,X2) ∈ LDDH with rthe witness, i.e., C = (g r
1 , gr2) then
πhk = X b11 X b2
2 = gb1r1 gb2r
2 = πhp;
Smoothness (for soundness): If C ∈ XDDH/LDDH , then
(hp, πhk)s≡ (hp,R).
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 21: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/21.jpg)
Smoothness2 of SPHF-1?
Smoothness2 of SPHF-1?
Now, suppose there is another word C ′ ∈ XDDH/LDDH , and
π′hk ← Hash(hk , LDDH ,C′).
Question:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ?
Answer:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ×
No smoothness2!
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 22: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/22.jpg)
Smoothness2 of SPHF-1?
Smoothness2 of SPHF-1?
Now, suppose there is another word C ′ ∈ XDDH/LDDH , and
π′hk ← Hash(hk , LDDH ,C′).
Question:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ?
Answer:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ×
No smoothness2!
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 23: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/23.jpg)
Smoothness2 of SPHF-1?
Smoothness2 of SPHF-1?
Now, suppose there is another word C ′ ∈ XDDH/LDDH , and
π′hk ← Hash(hk , LDDH ,C′).
Question:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ?
Answer:(hp, πhk , π
′hk)
s≡ (hp,R,R ′) ×
No smoothness2!
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 24: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/24.jpg)
New SPHF-2 for ECP Problem
SPHF-2 for ECP Problem
Suppose that H : {0, 1}∗ → Zp, a collision-resistant hash function.
HashKG(LDDH): hk = (a1, a2, b1, b2)$← Z4
p;
ProjKG(hk, LDDH): hp = (hp1, hp2) = (ga11 ga2
2 , gb11 gb2
2 );
Hash(hk, LDDH ,C ): πhk = X a1+αb11 X a2+αb2
2 , whereα = H(X1,X2);
ProjHash(hp, LDDH ,C , r): πhp = hpr1 · hpαr2 .
One can see that :
Projection: If C = (X1,X2) ∈ LDDH , then
πhk = πhp;
Smoothness2: If C ∈ XDDH/LDDH ,C′ ∈ XDDH/LDDH , then
(hp, πhk , π′hk)
s≡ (hp,R,R ′)
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 25: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/25.jpg)
New SPHF-2 for ECP Problem
SPHF-2 for ECP Problem
Suppose that H : {0, 1}∗ → Zp, a collision-resistant hash function.
HashKG(LDDH): hk = (a1, a2, b1, b2)$← Z4
p;
ProjKG(hk, LDDH): hp = (hp1, hp2) = (ga11 ga2
2 , gb11 gb2
2 );
Hash(hk, LDDH ,C ): πhk = X a1+αb11 X a2+αb2
2 , whereα = H(X1,X2);
ProjHash(hp, LDDH ,C , r): πhp = hpr1 · hpαr2 .
One can see that :
Projection: If C = (X1,X2) ∈ LDDH , then
πhk = πhp;
Smoothness2: If C ∈ XDDH/LDDH ,C′ ∈ XDDH/LDDH , then
(hp, πhk , π′hk)
s≡ (hp,R,R ′)
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 26: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/26.jpg)
New SPHF-2 for ECP Problem
Proof for ’Smoothness2’ of SPHF-2:
(Denote log = logg1 and suppose that log(g2) = w ,C =
(X1,X2) = (g r11 , g
r22 ),C ′ = (X ′1,X
′2) = (g
r ′11 , g
r ′22 ), r1 6= r2, r
′1 6= r ′2.)
Note that hp = (hp1, hp2) = (ga11 ga2
2 , gb11 gb2
2 ) which constraints(a1, a2, b1, b2) to satisfy
a1 + wa2 = log(hp1) (3)
b1 + wb2 = log(hp2) (4)
Moreover, πhk , π′hk constraint (a1, a2, b1, b2) to satisfy
r1a1 + r2wa2 + αr1b1 + αr2wb2 = log(πhk) (5)
r ′1a1 + r ′2wa2 + α′r ′1b1 + α′r ′2wb2 = log(π′hk) (6)
Equations (3),(4),(5),(6) are linearly independent regarding a1, a2,b1, b2. Hence, the distribution of (πhk , π
′hk) is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 27: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/27.jpg)
New SPHF-2 for ECP Problem
Proof for ’Smoothness2’ of SPHF-2:
(Denote log = logg1 and suppose that log(g2) = w ,C =
(X1,X2) = (g r11 , g
r22 ),C ′ = (X ′1,X
′2) = (g
r ′11 , g
r ′22 ), r1 6= r2, r
′1 6= r ′2.)
Note that hp = (hp1, hp2) = (ga11 ga2
2 , gb11 gb2
2 ) which constraints(a1, a2, b1, b2) to satisfy
a1 + wa2 = log(hp1) (3)
b1 + wb2 = log(hp2) (4)
Moreover, πhk , π′hk constraint (a1, a2, b1, b2) to satisfy
r1a1 + r2wa2 + αr1b1 + αr2wb2 = log(πhk) (5)
r ′1a1 + r ′2wa2 + α′r ′1b1 + α′r ′2wb2 = log(π′hk) (6)
Equations (3),(4),(5),(6) are linearly independent regarding a1, a2,b1, b2. Hence, the distribution of (πhk , π
′hk) is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 28: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/28.jpg)
New SPHF-2 for ECP Problem
Proof for ’Smoothness2’ of SPHF-2:
(Denote log = logg1 and suppose that log(g2) = w ,C =
(X1,X2) = (g r11 , g
r22 ),C ′ = (X ′1,X
′2) = (g
r ′11 , g
r ′22 ), r1 6= r2, r
′1 6= r ′2.)
Note that hp = (hp1, hp2) = (ga11 ga2
2 , gb11 gb2
2 ) which constraints(a1, a2, b1, b2) to satisfy
a1 + wa2 = log(hp1) (3)
b1 + wb2 = log(hp2) (4)
Moreover, πhk , π′hk constraint (a1, a2, b1, b2) to satisfy
r1a1 + r2wa2 + αr1b1 + αr2wb2 = log(πhk) (5)
r ′1a1 + r ′2wa2 + α′r ′1b1 + α′r ′2wb2 = log(π′hk) (6)
Equations (3),(4),(5),(6) are linearly independent regarding a1, a2,b1, b2. Hence, the distribution of (πhk , π
′hk) is uniform in G.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 29: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/29.jpg)
Membership Indistinguishable Language
Membership Indistinguishable Language
Let X be a set and a language L ⊆ X . Suppose that word C$← L
and word C$← X/L. Then we say L is a membership
indistinguishable language if,
(C )c≡ (C ′)
wherec≡ means ’computationally indistinguishable’.
Language LDDH :
LDDH = {u1, u2 : ∃r s.t. u1 = g r1 , u2 = g r
2}
It is easy to see that the language LDDH is a membershipindistinguishable language following the DDH assumption.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 30: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/30.jpg)
Membership Indistinguishable Language
Membership Indistinguishable Language
Let X be a set and a language L ⊆ X . Suppose that word C$← L
and word C$← X/L. Then we say L is a membership
indistinguishable language if,
(C )c≡ (C ′)
wherec≡ means ’computationally indistinguishable’.
Language LDDH :
LDDH = {u1, u2 : ∃r s.t. u1 = g r1 , u2 = g r
2}
It is easy to see that the language LDDH is a membershipindistinguishable language following the DDH assumption.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 31: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/31.jpg)
Part III: Applications of SPHF
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 32: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/32.jpg)
Construction of CCA-secure PKE from SPHF
CCA-Secure PKE from SPHFs
Suppose that,
HF1=(HashKG1,ProjKG1,Hash1,ProjHash1):a smoothprojective hash function;
HF2=(HashKG2,ProjKG2,Hash2, ProjHash2): a smoothprojective hash function; (smoothness2)
Both SPHFs are for the same language L which is amembership indistinguishable language.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 33: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/33.jpg)
Construction of CCA-secure PKE from SPHF (Cont’d)
Generic Construction
KeyGen(λ): HashKG1(L)→ hk1,ProjKG1(hk1, L)→hp1,HashKG2(L)→ hk2,ProjKG2(hk2, L)→ hp2 and set
pk = (hp1, hp2), sk = (hk1, hk2)
Enc(m): Pick y$← L together with a witness w . Compute
πhp1 = ProjHash1(hp1, L, y ,w)
c = πhp1 ⊕m
πhp2 = ProjHash2(hp2, L, (y , c),w)
Set the ciphertext as (y , c , πhp2).Dec(y , c, πhp2): If Hash2(hk2, L, (y , c)) 6= πhp2 , output ⊥.Otherwise, output
m = c ⊕Hash1(hk1, L, y)
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 34: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/34.jpg)
Construction of CCA-secure PKE from SPHF(Cont’d)
Security Analysis
1. Correctness:
c⊕Hash1(hk1, L, y) = c⊕ProjHash1(hp1, L, y ,w) = c⊕πhp1 = m
2. Security against CCA
Hard Problem: Given the language L and y∗, decide whethery∗ ∈ L or not.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 35: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/35.jpg)
Security Proof for CCA-Secure PKE from SPHF
Reduction Map:
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 36: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/36.jpg)
Security Proof for CCA-Secure PKE from SPHF
Proof Analysis:
Case 1: y∗ ∈ L. The simulation is indistinguishable from theactual attack;Case 2: y∗ ∈ X/L. For any decryption query input (y , c , π) wherey /∈ L, we should consider the following two cases:
(y , c) = (y∗, c∗) but π 6= π∗: Being rejected.
(y , c) 6= (y∗, c∗): By the smoothness2 property of HF2, thevalue π is random and independent to the adversary. That is,the adversary can only output the correct π with negligibleprobability.
Due to the smoothness property of HF1, the valueHash1(hk1, L, y
∗) for y∗ ∈ X/L is uniformly random and henceperfectly hides the encrypted messages. (one-time pad)
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 37: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/37.jpg)
An Instance: Cramer-Shoup Encryption
Cramer-Shoup Encryption
Let ]G = p, g1, g2 ∈ G and H : {0, 1}∗ → Zp.
KeyGen: sk = (α1, α2, β1, β2, γ1, γ2) ∈ Z6p, pk = (g , h, u, v)
where h = gα11 gα2
2 , u = gβ11 gβ2
2 , v = gγ11 gγ2
2 .
Encpk(m): r ←R Zp, output
CT =< C1,C2,C3,C4 >=< g r1 , g
r2 , h
rm, urv rθ >,
where θ = H(C1,C2,C3).
Decsk(C1,C2,C3,C4): If C4 = Cβ1+θγ11 Cβ2+θγ2
2 , whereθ = H(C1,C2,C3), output
m = C3/(Cα11 · C
α22 ),
otherwise output ⊥.
Follow the framework using SPHF-1 and SPHF-2 on LDDH !
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 38: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/38.jpg)
An Instance: Cramer-Shoup Encryption
Cramer-Shoup Encryption
Let ]G = p, g1, g2 ∈ G and H : {0, 1}∗ → Zp.
KeyGen: sk = (α1, α2, β1, β2, γ1, γ2) ∈ Z6p, pk = (g , h, u, v)
where h = gα11 gα2
2 , u = gβ11 gβ2
2 , v = gγ11 gγ2
2 .
Encpk(m): r ←R Zp, output
CT =< C1,C2,C3,C4 >=< g r1 , g
r2 , h
rm, urv rθ >,
where θ = H(C1,C2,C3).
Decsk(C1,C2,C3,C4): If C4 = Cβ1+θγ11 Cβ2+θγ2
2 , whereθ = H(C1,C2,C3), output
m = C3/(Cα11 · C
α22 ),
otherwise output ⊥.
Follow the framework using SPHF-1 and SPHF-2 on LDDH !
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 39: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/39.jpg)
SPHF for Oblivious Transfer Construction
2-Message Oblivious Transfer Protocol from SPHF
Suppose that the sender takes as input a pair of strings γ0, γ1 andthe receiver takes as input a choice bit b.
Here, the SPHF is on the language L ⊆ X which is a membershipindistinguishable language.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 40: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/40.jpg)
SPHF for Oblivious Transfer Construction
2-Message Oblivious Transfer Protocol from SPHF
Suppose that the sender takes as input a pair of strings γ0, γ1 andthe receiver takes as input a choice bit b.
Here, the SPHF is on the language L ⊆ X which is a membershipindistinguishable language.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 41: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/41.jpg)
SPHF for Oblivious Transfer Construction
Security Analysis
Receiver Security. Membership indistinguishable language;(xb is indistinguishable from x1−b)
Sender Security. Smoothness property; (y1−b gives noinformation about γ1−b)
Malicious Receivers. Might choose x0, x1 ∈ L? By requiringspecial word pair from LDDH . (verifiable smoothness)
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 42: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/42.jpg)
SPHF for Password-based Authenticated Key Exchange
A Framework for PAKE from SPHF
Suppose that the parties take as input a shared password w .
Here, Cρ(w , r) is a commitment to w using random-coins r(witness) and common string ρ.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 43: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/43.jpg)
SPHF for Password-based Authenticated Key Exchange
A Framework for PAKE from SPHF
Suppose that the parties take as input a shared password w .
Here, Cρ(w , r) is a commitment to w using random-coins r(witness) and common string ρ.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 44: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/44.jpg)
SPHF for Password-based Authenticated Key Exchange
Security Analysis
Membership Indistinguishable Language. Implied by thehiding property of commitment;
Passive Adversary. Given (c1, hp1, c2, hp2),
(Hash(hk2, L, (c2,w)),Hash(hk1, L, (c1,w))c≡ (R1,R2),
where (R1,R2)$← Π2.
Adaptive Adversary. Generates a commitment c ′ to aguessing password w ′, then (c ′,w ′) ∈ X/L and thus from theview of adversary (who only see hp and not hk)
(Hash(hk, L, (c ′,w ′))s≡ R,
where R$← Π.
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 45: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/45.jpg)
More on SPHF
More about SPHF
ConstructionQuadratic Assumption;N-Residuosity Assumption;Derived from CPA-PKE, CCA-PKE;...
More applicationsExtractable commitment;Leakage-resilient PKE;Lossy encryption;Lossy trapdoor hash functions (LTDF);...
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 46: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/46.jpg)
Thank you
Any questions?
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications
![Page 47: Smooth Projective Hash Function and Its Applications](https://reader030.vdocuments.mx/reader030/viewer/2022032804/623e572353c2cc162a2dd8a0/html5/thumbnails/47.jpg)
Thank youAny questions?
Rongmao Chen University of Wollongong Smooth Projective Hash Function and Its Applications