the$magicof$elfs - princeton university computer …mzhandry/docs/talks/elfs.slides.pdf ·...
TRANSCRIPT
![Page 1: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/1.jpg)
The Magic of ELFs
Mark Zhandry – Princeton University(Work done while at MIT)
![Page 2: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/2.jpg)
Enc(m) = ( TDP(r), H(r) ⊕ m )
(CPA security, many-‐bit messages, arbitrary TDP)
Prove this secure:
![Page 3: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/3.jpg)
Random Oracles
![Page 4: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/4.jpg)
Random Oracle Model [BR’93]
OModel H as random oracle O
EncO(m) =( TDP(r), O(r) ⊕ m )
![Page 5: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/5.jpg)
Power of Random Oracles
• Great extractors, even for comp. unpredictability
• Hard to find outputs with trapdoors
• Selective to adaptive security for Sigs, IBE
(x,O(x)) with trapdoor T for O(x)
O(x) pseudorandom given OWF(x)
Sign(m) ⇒ Sign( O( m ) )
![Page 6: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/6.jpg)
Limitations of Random Oracles
• Random oracles don’t exist!
• RO “proof” = heuristic security argument
• Heuristic known to fail in some cases [CGH’98,BBP’03,BFM’14]
![Page 7: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/7.jpg)
Standard-‐model defs
![Page 8: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/8.jpg)
Standard-‐model Security Defs for H
Standard defs: Assume H is a OWF, PRG, CRHF, etc• Simple, easy to state definitions• Can base on standard, plausible assumptions• Limited usefulness for instantiating RO’s
![Page 9: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/9.jpg)
Standard-‐model Security Defs for H
Standard defs: Assume H is a OWF, PRG, CRHF, etc• Simple, easy to state definitions• Can base on standard, plausible assumptions• Limited usefulness for instantiating RO’s
Exotic defs: UCE’s [BHK’15], “strong” OWF/PRG, etc• Useful for some RO constructions• Usually require “tautological assumptions”
![Page 10: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/10.jpg)
Assumption Families
Ex: Strong PRG (strengthens strong OWF of [BP’11,Wee’05])• Parameterized by sampler S() à (x, aux)• Assume x is “computationally unpredictable” given aux• Security requirement: H(x) pseudorandom given aux
![Page 11: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/11.jpg)
Assumption Families
Ex: Strong PRG (strengthens strong OWF of [BP’11,Wee’05])• Parameterized by sampler S() à (x, aux)• Assume x is “computationally unpredictable” given aux• Security requirement: H(x) pseudorandom given aux
How to gain confidence in assumption?• Attempt cryptanalysis, post challenges, etc.• Problem: which S to target?
Similar weaknesses for UCEs and other exotic assumptions
![Page 12: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/12.jpg)
Security Properties vs Assumptions
UCE’s, strong OWF/PRGs are useful as security properties
However, highly undesirable as security assumptions
Ideal scenario: Single, simple, well-‐studied assumption
Strong security properties
![Page 13: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/13.jpg)
This Work: Extremely Lossy Functions
(ELFs)
![Page 14: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/14.jpg)
Standard Lossy Functions [PW’08]
Notes:• Lossy Mode image size typically exponential• Generally also include trapdoor in injective mode
Injective Mode Lossy Mode
≈c
![Page 15: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/15.jpg)
Extremely Lossy Functions (ELFs)Injective Mode: Lossy Mode:
| Img | = polynomial
≈c
![Page 16: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/16.jpg)
Extremely Lossy Functions (ELFs)Injective Mode: Lossy Mode:
| Img | = polynomial
Problem: | Img |-‐ time attack• Query on | Img |+1 points• Look for collision
≈c
![Page 17: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/17.jpg)
Extremely Lossy Functions (ELFs)Injective Mode: Lossy Modes:
…
![Page 18: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/18.jpg)
Extremely Lossy Functions (ELFs)
Rough* security statement:
∀ ∃ s.t.
???
* Must also consider adversary’s success probability
![Page 19: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/19.jpg)
Constructing ELFs
![Page 20: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/20.jpg)
Step 1: Bounded-‐adversary ELFs
Only one
Security against a priori bounded =
![Page 21: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/21.jpg)
Step 1: Bounded-‐adversary ELFs
Use standard lossy functions based on elliptic curves
x∈Zpn gA・x = (gA)・x
Injective mode: A random full rank matrixLossy mode: A random rank-‐1 matrix
Lossy image size p ⇒ Set p to be some polynomial
Hand out gA as description of function
[PW’08, FGKRS’10]
Thm [Adapt FGKRS’10]: Exponential DDH assumption ⇒modes indistinguishable to pc-‐time adversaries (0<c<1)
![Page 22: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/22.jpg)
Plausibility of Exponential DDH
Non-‐standard assumption• Not truly falsifiable in the sense of [Naor’03]
However, still very “reasonable”• “Complexity assumption” [GK’15]• On elliptic curves, best known attack: p½
• “Generic attack”, essentially no non-‐trivial attacks known• In practice, parameters set assuming p½ is optimal
If exponential DDH is false, much more to worry about
![Page 23: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/23.jpg)
Step 2: Bounded to Unbounded
Iterate at many security levels
…x
ith lossy mode image size at most 2i, security against (2i)c-‐time adversaries
![Page 24: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/24.jpg)
Step 2: Bounded to Unbounded
Iterate at many security levels
…x
ith lossy mode image size at most 2i, security against (2i)c-‐time adversaries
Given t-‐time , invoke lossiness at i such that t < 2ic ≤ 2t⇒ Image size at most (2t)1/c
![Page 25: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/25.jpg)
Step 2: Bounded to Unbounded
Iterate at many security levels
…x
ith lossy mode image size at most 2i, security against (2i)c-‐time adversaries
Given t-‐time , invoke lossiness at i such that t < 2ic ≤ 2t⇒ Image size at most (2t)1/c
Problem: output size grows too fast!
![Page 26: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/26.jpg)
Step 2: Bounded to Unbounded
Keep output small by pairwise-‐independent hashing
x …
= Pairwise independent function
![Page 27: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/27.jpg)
Using ELFs
![Page 28: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/28.jpg)
A Strong PRG
0
x
(R1・ ) (R2・ ) (R3・ ) (R4・ )
H(x)
![Page 29: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/29.jpg)
Security Proof Sketch
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ ) (R4・ )
y
Guarantee: x computationally unpredictable, given aux
![Page 30: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/30.jpg)
Step 1: Invoke ELF Magic
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ ) (R4・ )
y
![Page 31: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/31.jpg)
Step 1: Invoke ELF Magic
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ ) (R4・ )
y
![Page 32: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/32.jpg)
Step 2: Invoke Goldreich-‐Levin
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ ) (R4・ )
y
![Page 33: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/33.jpg)
Step 2: Invoke Goldreich-‐Levin
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ ) (R4・ )
y
![Page 34: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/34.jpg)
Step 2: Invoke Goldreich-‐Levin
x, aux ß S()
(R4・ )
yL
![Page 35: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/35.jpg)
Step 2: Invoke Goldreich-‐Levin
x, aux ß S()
(R4・ )
yL
Lemma: x still unpredictable, given aux, L(x)
Poly image size!
![Page 36: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/36.jpg)
Step 2: Invoke Goldreich-‐Levin
x, aux ß S()
(R4・ )
yL
Lemma: x still unpredictable, given aux, L(x)
Poly image size!
GL
![Page 37: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/37.jpg)
Step 2: Invoke Goldreich-‐Levin
x, aux ß S()
b4 ß {0,1}
yL
Lemma: x still unpredictable, given aux, L(x)
Poly image size!
![Page 38: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/38.jpg)
Step 2: Invoke Goldreich-‐Levin
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 39: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/39.jpg)
Step 3: Undo ELF Magic
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 40: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/40.jpg)
Step 3: Undo ELF Magic
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 41: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/41.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 42: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/42.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 43: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/43.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 44: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/44.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}
![Page 45: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/45.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) (R3・ )
y
b4 ß {0,1}GL
![Page 46: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/46.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) b3 ß {0,1}
y
b4 ß {0,1}
![Page 47: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/47.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) b3 ß {0,1}
y
b4 ß {0,1}
![Page 48: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/48.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) b3 ß {0,1}
y
b4 ß {0,1}
![Page 49: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/49.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) (R2・ ) b3 ß {0,1}
y
b4 ß {0,1}
![Page 50: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/50.jpg)
Step 4: Repeat
0
x, aux ß S()
(R1・ ) b2 ß {0,1} b3 ß {0,1}
y
b4 ß {0,1}
![Page 51: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/51.jpg)
Step 4: Repeat
0
x, aux ß S()
b1 ß {0,1} b2 ß {0,1} b3 ß {0,1}
y
b4 ß {0,1}
![Page 52: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/52.jpg)
Step 4: Repeat
0
x, aux ß S()
b1 ß {0,1} b2 ß {0,1} b3 ß {0,1}
y
b4 ß {0,1}
Independent of x!
![Page 53: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/53.jpg)
Step 5: Randomness of y
0
b1 ß {0,1} b2 ß {0,1} b3 ß {0,1}
y
b4 ß {0,1}
Lemma: If bi are uniform, y is statistically close to random, given all the s and s (w.h.p.)
Independent of x!
![Page 54: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/54.jpg)
Theorem: For any computationally unpredictable (x,aux),
(H, H(x), aux) ≈c (H, random, aux)
Also:
Theorem: H is injective w.h.p.
![Page 55: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/55.jpg)
Applications
• (Injective) one-‐way function satisfying [BP’11]
• Auxiliary Input Point Obfuscation (AIPO)
• Poly-‐many hardcore bits for any computationally unpredictable source
• Enc(m) = ( TDP(r), H(r) ⊕ m ) is CPA secure
Obf(Ix) = H, H(x)
![Page 56: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/56.jpg)
Applications
• (Injective) one-‐way function satisfying [BP’11]
Previous constructions:• Tautological assumption [BP’11]• Assumption “family”
• Canetti’s strong variant of DDH [Can’97]• Assumption “family”• Incompatible with certain forms of obfuscation [BST’15]
![Page 57: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/57.jpg)
Applications
• Auxiliary Input Point Obfuscation (AIPO)
Obf(Ix) = H, H(x)
Previous constructions:• Canetti’s strong variant of DDH [Can’97]• [BP’11]-‐one-‐way permutations
(our H is not a permutation)
![Page 58: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/58.jpg)
Applications
• Poly-‐many hardcore bits for any computationally unpredictable source
Previous constructions:• UCE’s [BHK’13]
• “Tautological” assumption “family”• Differing inputs obfuscation [BST’14] or
extractable witness PRFs [Zha’14]• Only for OWF (for injective OWF, can use iO)• Assumption “family”• Believed to implausible in general [GGHW’14]• Extraordinarily inefficient
![Page 59: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/59.jpg)
Applications
• Enc(m) = ( TDP(r), H(r) ⊕ m ) is CPA secure
Follows from hardcore bits for injective OWF
![Page 60: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/60.jpg)
Other Results
• Selective to Adaptive security in Sigs/IBE
Signm σ
![Page 61: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/61.jpg)
Other Results
• Selective to Adaptive security in Sigs/IBE
Signm σ
Signm σ Signm σ Guess (m), incur poly loss
Proof:
![Page 62: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/62.jpg)
Other Results
• Output intractable hash functions (captures using hash functions to generate crs’s)
• For proofs and more results, see paper
![Page 63: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/63.jpg)
Interesting Applications
Conclusion
Exponential DDH
Open questions:• ELFs from other assumptions• Post-‐quantum ELFs• More applications
This work:
![Page 64: The$Magicof$ELFs - Princeton University Computer …mzhandry/docs/talks/ELFs.slides.pdf · How&to&gain&confidence&in&assumption? • Attempt&cryptanalysis,&post&challenges,&etc. •](https://reader031.vdocuments.mx/reader031/viewer/2022020214/5ac3b5797f8b9aae1b8cb393/html5/thumbnails/64.jpg)
Interesting Applications
Conclusion
Exponential DDH
Open questions:• ELFs from other assumptions• Post-‐quantum ELFs• More applications
This work:
Thanks!