Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Mol, Petros; Yilek, Scott

doi:10.1007/978-3-642-13013-7_18

Cited by 38 publications

(28 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If B |R| = ω(λ), then we obtain strong lossy trapdoor functions, as required for the constructions in [PW08]. If we only have B/|R| > 1 + 1/poly(λ), then we obtain slightly lossy trapdoor functions as defined by Mol and Yilek [MY09]. The results of Mol and Yilek show that this is in fact sufficient for constructing Correlated Product Secure Functions [RS09], and IND-CCA secure cryptosystems.…”

Section: Fig 1: Generalizing the Dcr-based Ltdfsmentioning

confidence: 92%

“…This is not a serious restriction, however, since one-wayness only makes sense when applying a function to a high min-entropy input. Unfortunately, this is not enough to apply the constructions of IND-CCA secure encryption from LTDFs given in [PW08,RS09,MY09]. Although these constructions require applying F ltdf (s, ·) on a random input, the decryption algorithm requires inverting one function and then evaluating the All-ButOne function to the recovered input.…”

Section: Fig 1: Generalizing the Dcr-based Ltdfsmentioning

confidence: 99%

“…In [PW08], Peikert and Waters created lossy trapdoor functions (LTDFs) as a method for constructing IND-CCA secure encryption. The notion of lossy trapdoor functions has since been relaxed to correlated product secure functions [RS09], and slightly lossy trapdoor functions [MY09], and both relaxations were shown to still be sufficient to construct IND-CCA secure encryption.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On Homomorphic Encryption and Chosen-Ciphertext Security

Hemenway

Ostrovsky

2012

Public Key Cryptography – PKC 2012

View full text Add to dashboard Cite

Abstract. Chosen-Ciphertext (IND-CCA) security is generally considered the right notion of security for a cryptosystem. Because of its central importance much effort has been devoted to constructing IND-CCA secure cryptosystems. In this work, we consider constructing IND-CCA secure cryptosystems from (group) homomorphic encryption. Our main results give natural and efficient constructions of IND-CCA secure cryptosystems from any homomorphic encryption scheme that satisfies weak cyclic properties, either in the plaintext, ciphertext or randomness space. Our results have the added benefit of being simple to describe and analyze.

show abstract

Section: Fig 1: Generalizing the Dcr-based Ltdfsmentioning

confidence: 92%

Section: Fig 1: Generalizing the Dcr-based Ltdfsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On Homomorphic Encryption and Chosen-Ciphertext Security

Hemenway

Ostrovsky

2012

Public Key Cryptography – PKC 2012

View full text Add to dashboard Cite

show abstract

“…Mol and Yilek [MY10] gave a construction whose security relies on an assumption close in spirit (though more involved) to the 2-Φ/4-Hiding assumption. Freeman et al [FGK + 10] gave a construction relying on the Quadratic Residuosity problem.…”

Section: Related and Future Workmentioning

confidence: 99%

On the Lossiness of the Rabin Trapdoor Function

Seurin

2014

Public-Key Cryptography – PKC 2014

View full text Add to dashboard Cite

Abstract. Lossy trapdoor functions, introduced by Peikert and Waters (STOC '08), are functions that can be generated in two indistinguishable ways: either the function is injective, and there is a trapdoor to invert it, or the function is lossy, meaning that the size of its range is strictly smaller than the size of its domain. Kakvi and Kiltz (EUROCRYPT 2012) proved that the Full Domain Hash signature scheme based on a lossy trapdoor function has a tight security reduction from the lossiness of the trapdoor function. Since Kiltz, O'Neill, and Smith (CRYPTO 2010) showed that the RSA trapdoor function is lossy under the Φ-Hiding assumption of Cachin, Micali, and Stadler (EUROCRYPT '99), this implies that the RSA Full Domain Hash signature scheme has a tight security reduction from the Φ-Hiding assumption (for public exponents e < N 1/4 ). In this work, we consider the Rabin trapdoor function, i.e. modular squaring over Z * N . We show that when adequately restricting its domain (either to the set QR N of quadratic residues, or to (JN ) + , the set of positive integers 1 ≤ x ≤ (N − 1)/2 with Jacobi symbol +1) the Rabin trapdoor function is lossy, the injective mode corresponding to Blum integers N = pq with p, q ≡ 3 mod 4, and the lossy mode corresponding to what we call pseudo-Blum integers N = pq with p, q ≡ 1 mod 4. This lossiness result holds under a natural extension of the Φ-Hiding assumption to the case e = 2 that we call the 2-Φ/4-Hiding assumption. We then use this result to prove that deterministic variants of Rabin-Williams Full Domain Hash signatures have a tight reduction from the 2-Φ/4-Hiding assumption. We also show that these schemes are unlikely to have a tight reduction from the factorization problem by extending a previous "meta-reduction" result by Coron (EUROCRYPT 2002), later corrected by Kakvi and Kiltz (EUROCRYPT 2012

show abstract

“…In the injective mode the function f pk (·) is an injective function and we can even sample pk along with a secret trapdoor key sk that allows us to invert it efficiently. In the lossy mode, the function f pk (·) is "many-to-one" and f pk (s) statistically loses information about the input s. LTDFs have many amazing applications in cryptography, such as allowing us to output many hardcore bits, construct CCA-2 public-key encryption [23,24], and deterministic encryption [25]. We construct very simple and efficient LTDFs using the LWR problem: the public key is a matrix pk = A and the function is defined as f A (s) = A · s p .…”

Section: Applicationsmentioning

confidence: 99%

Learning with Rounding, Revisited

Alwen

Krenn

Pietrzak

et al. 2013

Advances in Cryptology – CRYPTO 2013

118

View full text Add to dashboard Cite

Abstract. The learning with rounding (LWR) problem, introduced by Banerjee, Peikert and Rosen at EUROCRYPT '12, is a variant of learning with errors (LWE), where one replaces random errors with deterministic rounding. The LWR problem was shown to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error ratio are super-polynomial. In this work we resolve the main open problem and give a new reduction that works for a larger range of parameters, allowing for a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater security, which now follows from the worst-case hardness of GapSVP with polynomial (rather than superpolynomial) approximation factors.As a tool in the reduction, we show that there is a "lossy mode" for the LWR problem, in which LWR samples only reveal partial information about the secret. This property gives us several interesting new applications, including a proof that LWR remains secure with weakly random secrets of sufficient min-entropy, and very simple constructions of deterministic encryption, lossy trapdoor functions and reusable extractors.Our approach is inspired by a technique of Goldwasser et al. from ICS '10, which implicitly showed the existence of a "lossy mode" for LWE. By refining this technique, we also improve on the parameters of that work to only requiring a polynomial (instead of super-polynomial) modulus and modulus-to-error ratio.

show abstract

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Cited by 38 publications

References 19 publications

On Homomorphic Encryption and Chosen-Ciphertext Security

On Homomorphic Encryption and Chosen-Ciphertext Security

On the Lossiness of the Rabin Trapdoor Function

Learning with Rounding, Revisited

Contact Info

Product

Resources

About