Threshold Trapdoor Functions and Their Applications
arXiv preprint, cs.CR

Binbin Tu, Yu Chen, and Xueli Wang
Westone Cryptologic Research Center, Westone Information Industry Inc, Beijing 100070, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China; Ant Financial, Beijing, China
tubinbin,chenyu,[email protected]
Abstract.
We introduce a new cryptographic primitive named threshold trapdoor functions (TTDFs), from which we give generic constructions of threshold and revocation encryption under the adaptive corruption model. Then, we show that TTDFs can be instantiated under the decisional Diffie-Hellman (DDH) assumption and the learning with errors (LWE) assumption. By combining the instantiations of TTDFs with the generic constructions, we obtain threshold and revocation encryption schemes which compare favorably with existing schemes. Experimental results show that the proposed schemes are practical.
Threshold public-key encryption.
TPKE [1,2,3,4] distributes the decryption power among many servers so that any threshold number of servers can decrypt ciphertexts, while any probabilistic polynomial-time (PPT) adversary corrupting fewer than the threshold number of servers learns nothing about the message. TPKE is useful in its own right and is also a significant building block for other cryptographic primitives, such as mix-nets (anonymous channels) [5] and public-key encryption with non-interactive opening [6,7]. Generally speaking, an (n, t)-TPKE scheme consists of a combiner and n decryption servers. The combiner sends the ciphertext to all servers, any subset of t servers compute decryption shares and reply, and the combiner combines the replies to obtain the plaintext. In the security model of TPKE, however, not only may the servers be corrupted, but the decryption shares may also be eavesdropped. Therefore, constructing TPKE by directly splitting the secret key of a public-key encryption (PKE) scheme does not work. Following the generic construction of PKE from a trapdoor function (TDF), we design a threshold version of TDF for constructing TPKE: the master trapdoor is split into n shares, each share is stored on a different server, and any subset of t servers can use their shared trapdoors to invert the function without ever reconstructing the master trapdoor.

Revocation public-key encryption. RPKE [8,10,9] enables a sender to broadcast ciphertexts such that all but a set of revoked users can decrypt. It is a special kind of broadcast encryption [11], which lets a sender encrypt messages and transmit the ciphertexts over a broadcast channel so that exactly the chosen users can decrypt. RPKE has many applications, including pay-TV systems, streaming audio/video and many others. Naor and Pinkas [8] considered the following revocation scenario: a group controller (GC) controls the decryption capabilities of the users. If a subgroup of users is to be excluded from decryption, the GC generates a new key that is known to the remaining users and is used to encrypt further group communication. We observe that the threshold version of TDF remains one-way even if part of the shared trapdoors is exposed. Therefore, we can revoke that part of the shared trapdoors and ensure that the revoked users cannot decrypt the ciphertext.

Related Work
Designing generic constructions of TPKE has proved to be a highly non-trivial task. Dodis and Katz [12] gave a generic construction of TPKE from the multiple encryption technique. Wee [9] introduced a new primitive called threshold extractable hash proofs and presented a generic construction of TPKE from it. However, both constructions are only secure in the static corruption model, where the adversary must choose the servers to corrupt before the scheme is set up. Following the work of Wee [9], Libert and Yung [13] introduced a primitive named all-but-one perfectly sound threshold hash proof systems, from which they gave a generic construction of TPKE in the adaptive corruption model, where the adversary can corrupt servers at any time. This result is important since an adaptive adversary is strictly stronger than a static one [14,15]. But they only gave concrete instantiations under number-theoretic assumptions in bilinear groups, which are vulnerable to quantum attacks. Recently, lattices have been recognized as a viable foundation for quantum-resistant cryptography. Bendlin and Damgård [16] gave the first lattice-based TPKE, based on a variant of Regev's scheme [17]. Xie et al. [18] designed the first chosen-ciphertext secure (IND-CCA) TPKE based on the LWE assumption. However, both of these TPKEs are only statically secure, and the size of the public key and the ciphertext is at least linear in the number of servers. Bendlin et al. [19] converted identity-based encryption (IBE) [20] into a threshold scheme, which can be transformed into a TPKE via the generic transformation in [21]. However, their scheme needs the parties to perform a large amount of interactive precomputation in an offline phase. In summary, the state of the art in TPKE is not entirely satisfactory. On one hand, existing generic constructions of TPKE are designed in the limited static corruption model, which fails to capture realistic attacks. On the other hand, most existing TPKE schemes are based on number-theoretic assumptions which are insecure against quantum attacks.

As for RPKE, Naor and Pinkas [8] considered a revocation scenario with a group controller and constructed an RPKE scheme under the DDH assumption. Unlike the scenario of [8], Dodis and Fazio [10] designed an RPKE in which every user who knows the revoked identities can encrypt messages and every non-revoked user can decrypt ciphertexts; they then constructed an IND-CCA RPKE under the DDH assumption. Wee [9] presented a generic construction of RPKE in the static corruption model and instantiated it under the DDH assumption and the factoring assumption, respectively. However, all of the aforementioned schemes are designed under number-theoretic assumptions which are insecure against quantum attacks.
Motivation. A central goal in cryptography is to construct cryptosystems in strong security models which resist as many attacks as possible. Another goal is to build cryptosystems under intractability assumptions that are as general as possible; in this way the underlying assumption can be replaced if it turns out to be vulnerable to a new attack or if another assumption yields better performance. Therefore, generic constructions of TPKE and RPKE in the stronger adaptive corruption model are advantageous. Meanwhile, with the development of quantum computers, designing quantum-resistant TPKE and RPKE is also necessary. Last but not least, constructing several cryptosystems from the same cryptographic primitive brings additional advantages, such as reducing the footprint of cryptographic code and easing integration into systems. Motivated by the above discussion, we ask the following challenging questions:

Can we construct TPKE and RPKE in the adaptive corruption model from one cryptographic primitive? Can we instantiate this primitive based on quantum-resistant assumptions?

Our Contributions. We introduce a cryptographic primitive named TTDF, and derive generic constructions of TPKE and RPKE in the adaptive corruption model from it. Along the way to instantiating TTDF, we propose a notion called threshold lossy trapdoor function (TLTDF) and prove that TTDF is implied by TLTDF, while the latter can be instantiated based on the DDH assumption and the LWE assumption. Moreover, we show a relaxation of TTDF called threshold trapdoor relation (TTDR), which supports the same applications to TPKE and RPKE and admits a more efficient instantiation based on the DDH assumption. An overview of our contributions is given in Figure 1.

Fig. 1. Overview of the results in this work: the LWE and DDH assumptions instantiate TLTDF, and DDH also instantiates TLTDR; TLTDF implies TTDF and TLTDR implies TTDR; both TTDF and TTDR yield TPKE and RPKE.
Threshold Trapdoor Function.
Informally, a TTDF is a threshold version of a trapdoor function. It is parameterized by the threshold value t and the number of identities n. An (n, t)-TTDF splits the master trapdoor into n shared trapdoors. Every shared trapdoor can be used to compute one inversion share, and by collecting any t inversion shares the combiner recovers the preimage. Moreover, given the preimage, one can even compute the inversion share of any other identity. We formalize a security notion for TTDF, threshold one-wayness, which requires that the function remains one-way even when the adversary can adaptively obtain fewer than t shared trapdoors.

TPKE and RPKE from TTDF. An (n, t)-TTDF gives rise to simple constructions of (n, t)-TPKE and (n, t − 1)-RPKE. The construction of (n, t)-TPKE follows the construction of public-key encryption from a trapdoor function: the sharing algorithm splits the master secret key into n shared secret keys, every shared secret key can be used to compute one decryption share, and collecting any t decryption shares extracts the message. For security, the threshold one-wayness of the TTDF prevents any PPT adversary who obtains fewer than t shared secret keys from decrypting the ciphertext, in particular under the adaptive corruption model. Generally speaking, an adaptive adversary can decide which parties to corrupt at any time during the run of the scheme, in particular based on information such as the shared trapdoors of the parties corrupted so far. Providing this information is typically the main difficulty in proving adaptive security [22]. The security experiment of TTDF provides a shared trapdoor oracle that, given any identity, outputs the shared trapdoor of that identity. A PPT adversary obtains the information of any corrupted party by querying this oracle adaptively, and may obtain at most t − 1 shared trapdoors in total. For (n, t − 1)-RPKE, we observe that (n, t)-TPKE remains secure even if t − 1 shared secret keys are exposed. The sender can therefore publish the decryption shares of the t − 1 revoked users along with the ciphertext: any non-revoked user holds the t-th share and can decrypt, while the revoked users hold nothing beyond those t − 1 shares and cannot.

Instantiation.
Along the way to instantiating TTDF, we introduce a new notion called TLTDF, which is a threshold version of lossy trapdoor function (LTDF) [23]. It is parameterized by the threshold value t and the number of identities n. Informally, an LTDF has two modes. In the injective mode it is an injective trapdoor function; in the lossy mode it statistically loses an amount of information about the input. The two modes are computationally indistinguishable. In a TLTDF, in both modes the master trapdoor can be split into n shared trapdoors and every shared trapdoor can be used to compute an inversion share, and in the injective mode any t inversion shares can be used to retrieve the preimage. Moreover, no PPT adversary can distinguish the two modes, even when it can adaptively obtain fewer than t shared trapdoors.

We prove that TTDF is implied by TLTDF and instantiate TLTDF under the DDH assumption and the LWE assumption, respectively. The DDH-based TLTDF is easy to design, while building an LWE-based TLTDF is a non-trivial task. Intuitively, we transform the inversion algorithm of the LTDF into a threshold version by using an (n, t)-threshold secret sharing scheme [24]. Every user gets a shared trapdoor $td_i$, $i \in [n]$, and computes the inversion share $\langle a, td_i\rangle + e_i$. The combiner then takes t inversion shares, computes the Lagrange coefficients $L_i$ for the identity set of size t, and recombines $\langle a, td\rangle$ by computing

$$L_1(\langle a, td_1\rangle + e_1) + \cdots + L_t(\langle a, td_t\rangle + e_t) = \Big\langle a, \sum_{i=1}^{t} L_i \cdot td_i\Big\rangle + \sum_{i=1}^{t} L_i \cdot e_i = \langle a, td\rangle + \sum_{i=1}^{t} L_i \cdot e_i.$$

Unfortunately, choosing identities from a large identity space makes the norm of the error term $\sum_{i=1}^{t} L_i \cdot e_i$ uncontrollable and prevents correct inversion. To resolve this problem, we take advantage of the technique of "clearing out the denominator" [25,26,27]. Note that since the Lagrange coefficients are rational numbers and the identities are chosen in [n], we can scale them to integers by computing $(n!) \cdot L_i$.
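As an added example (not from the paper), the following Python carries out the combination above over $\mathbb{Z}_q$ with the (n, t)-threshold secret sharing of [24]: servers return noisy shares $\langle a, td_i\rangle + e_i$, the combiner uses the integer coefficients $(n!) \cdot L_i$, and a bit encoded in the high-order part of an LWE-style image is recovered. Sharing $(n!)^{-1} \cdot td$ instead of $td$, so that the integer-scaled combination returns $\langle a, td\rangle$ exactly, is one standard way to apply the trick and is an assumption of this example rather than the paper's parameterization; the modulus, dimension and error bound are toy values.

```python
# Added example (not from the paper): (n, t)-Shamir sharing over Z_q and the
# "clearing out the denominator" trick for combining noisy LWE-style inversion
# shares. Parameter sizes are toys chosen for illustration only.
import secrets
from fractions import Fraction
from math import factorial

Q = 2**31 - 1   # toy LWE modulus (prime)
D = 8           # lattice dimension d
N, T = 5, 3     # (n, t): five identities, any three may invert
B = 4           # every error e_i is drawn from [-B, B]

def lagrange_coeffs(ids, x=0):
    """Rational Lagrange basis values L_j(x) for the distinct nodes ids."""
    coeffs = []
    for j, idj in enumerate(ids):
        lj = Fraction(1)
        for l, idl in enumerate(ids):
            if l != j:
                lj *= Fraction(x - idl, idj - idl)
        coeffs.append(lj)
    return coeffs

def scaled_coeffs(ids, n):
    """Lemma 3: (n!)·L_j is an integer whenever all identities lie in [n]."""
    scaled = [factorial(n) * lj for lj in lagrange_coeffs(ids)]
    assert all(c.denominator == 1 for c in scaled), "n!·L_j should be integral"
    return [int(c) for c in scaled]

def shamir_share(secret, n, t, q):
    """Share(s, id_i) with id_i = i: evaluate a random degree-(t-1) polynomial with p(0) = s."""
    coef = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, q) for k, c in enumerate(coef)) % q for i in range(1, n + 1)}

def shamir_combine(shares, q):
    """Combine: recover p(0) from any t shares, reducing each L_j modulo q."""
    ids = sorted(shares)
    total = 0
    for idj, lj in zip(ids, lagrange_coeffs(ids)):
        total += shares[idj] * lj.numerator * pow(lj.denominator, -1, q)
    return total % q

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2], used to measure the size of an error."""
    v %= q
    return v - q if v > q // 2 else v

def share_trapdoor(td, n, t, q):
    """Share (n!)^{-1}·td coordinate-wise (an assumption of this example: one way to apply
    the trick), so that combining with the integer coefficients n!·L_j returns td itself."""
    inv_nfact = pow(factorial(n), -1, q)
    per_coord = [shamir_share(inv_nfact * v % q, n, t, q) for v in td]
    return {i: [s[i] for s in per_coord] for i in range(1, n + 1)}

def inversion_share(a, td_i, q):
    """Server i's noisy partial inversion <a, td_i> + e_i with |e_i| <= B."""
    e_i = secrets.randbelow(2 * B + 1) - B
    return (sum(x * y for x, y in zip(a, td_i)) + e_i) % q

def combine_inversion(shares, n, q):
    """Combiner: sum_j (n!·L_j)·share_j = <a, td> + sum_j (n!·L_j)·e_j.
    The error is at most B·sum_j |n!·L_j|, independent of q; with L_j reduced mod q
    instead, the error term would be essentially uniform in Z_q."""
    ids = sorted(shares)
    return sum(c * shares[i] for c, i in zip(scaled_coeffs(ids, n), ids)) % q

def threshold_invert_bit(y, a, td_shares, n, q):
    """Recover the bit x from an LWE-style image y = <a, td> + x·floor(q/2) + e using t noisy shares."""
    partial = {i: inversion_share(a, td_shares[i], q) for i in td_shares}
    v = combine_inversion(partial, n, q)
    return 1 if abs(centered(y - v, q)) > q // 4 else 0

def demo(x):
    """Sample a trapdoor, share it, form the image of bit x and invert with identities {1, 3, 5}."""
    td = [secrets.randbelow(Q) for _ in range(D)]
    a = [secrets.randbelow(Q) for _ in range(D)]
    e = secrets.randbelow(2 * B + 1) - B
    y = (sum(p * s for p, s in zip(a, td)) + x * (Q // 2) + e) % Q
    all_shares = share_trapdoor(td, N, T, Q)
    return threshold_invert_bit(y, a, {i: all_shares[i] for i in (1, 3, 5)}, N, Q)
```

For identities {1, 3, 5} with n = 5 the scaled coefficients are 225, −150 and 45, so the combined error is at most 420·B whatever the modulus; the decoder only needs that bound to stay below q/4.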
With appropriately chosen parameters, we prove that the scaled error term stays bounded and therefore does not affect the correctness of inversion.

Optimization.
We show a relaxation of TTDF called TTDR and prove that TTDR supports the same applications, namely constructing TPKE and RPKE. Informally, TTDR replaces the evaluation algorithm of TTDF with a relation sampling algorithm that generates a random input together with its image under the function, while the function itself need not be efficiently computable. We also formalize a security notion named threshold one-wayness for TTDR, following that of TTDF. Similarly to instantiating TTDF from TLTDF, we instantiate TTDR by introducing the notion of threshold lossy trapdoor relation (TLTDR), a threshold version of lossy trapdoor relation (LTDR) [28]. We prove that TTDR is naturally implied by TLTDR. Moreover, we instantiate TLTDR based on the DDH assumption to obtain an instantiation of TTDR which is more efficient than our TTDF. We give a refined definition of LTDR in Section 8, which is simpler and more intuitive than the one introduced in [28].

Preliminaries
We denote the natural numbers by $\mathbb{N}$, the integers by $\mathbb{Z}$, and the real numbers by $\mathbb{R}$. We use lower-case bold letters and upper-case bold letters to denote vectors and matrices (e.g. $\mathbf{x}$ and $\mathbf{X}$). Let $\mathbf{x}^T$ and $\mathbf{X}^T$ denote the transposes of the vector $\mathbf{x}$ and the matrix $\mathbf{X}$. For $n \in \mathbb{N}$, $1^n$ denotes the string of n ones, and $[n]$ denotes the set $\{1, \cdots, n\}$. We use standard asymptotic ($O, o, \Omega, \omega$) notation to denote the growth of positive functions. We denote a negligible function by $negl(\lambda)$, which is an $f(\lambda)$ such that $f(\lambda) = o(\lambda^{-c})$ for every fixed constant c, and we let $poly(\lambda)$ denote an unspecified function $f(\lambda) = O(\lambda^c)$ for some constant c. If S is a set then $s \leftarrow S$ denotes sampling an element s of S uniformly at random. Let X and Y be two random variables over some countable set S. The statistical distance between X and Y is defined as $\Delta(X, Y) = \frac{1}{2}\sum_{s \in S} |\Pr[X = s] - \Pr[Y = s]|$.

DDH Assumption. The generation algorithm Gen takes as input a security parameter $1^\lambda$ and outputs $(p, \mathbb{G}, g)$, where $\mathbb{G}$ is a cyclic group of prime order p and g is a generator of $\mathbb{G}$. The DDH assumption [29] is that the ensembles $\{(\mathbb{G}, g^a, g^b, g^{ab})\}_{\lambda \in \mathbb{N}}$ and $\{(\mathbb{G}, g^a, g^b, g^c)\}_{\lambda \in \mathbb{N}}$ are computationally indistinguishable, where $a, b, c \leftarrow \mathbb{Z}_p$.

LWE Assumption.
Let d be the lattice dimension, let q = poly(d) be an integer, and let all operations be performed in $\mathbb{Z}_q$. For a vector $\mathbf{z} \in \mathbb{Z}_q^d$ and an error distribution $\chi : \mathbb{Z}_q \to \mathbb{R}^+$, $A_{\mathbf{z},\chi}$ is the distribution of $(\mathbf{a}, \langle \mathbf{a}, \mathbf{z}\rangle + e)$ on $\mathbb{Z}_q^d \times \mathbb{Z}_q$, where $\mathbf{a} \leftarrow \mathbb{Z}_q^d$ and $e \leftarrow \chi$. The LWE assumption [17] is that, for some secret $\mathbf{z} \in \mathbb{Z}_q^d$, independent samples from the LWE distribution $A_{\mathbf{z},\chi}$ and independent samples from the uniform distribution on $\mathbb{Z}_q^d \times \mathbb{Z}_q$ are computationally indistinguishable.

Average min-entropy. We use the notion of average min-entropy [30], which captures the remaining unpredictability of X conditioned on the value of Y: $\tilde{H}_\infty(X \mid Y) = -\lg\big(\mathbb{E}_{y \leftarrow Y}[2^{-H_\infty(X \mid Y = y)}]\big)$. We review the following lemmas from [30].

Lemma 1. If Y takes at most $2^r$ values and Z is any random variable, then $\tilde{H}_\infty(X \mid (Y, Z)) \geq \tilde{H}_\infty(X \mid Z) - r$.

Lemma 2. Let X, Y be random variables such that $X \in \{0,1\}^l$ and $\tilde{H}_\infty(X \mid Y) \geq k$. Let $\mathcal{H}$ be a family of pairwise independent hash functions from $\{0,1\}^l$ to $\{0,1\}^{l'}$. Then for $h \leftarrow \mathcal{H}$ we have $\Delta((Y, h, h(X)), (Y, h, U_{l'})) \leq \epsilon$ as long as $l' \leq k - 2\lg(1/\epsilon)$.

Threshold Secret Sharing. We now recall the threshold secret sharing scheme [24]. It is parameterized by the number of identities n and the threshold value t, and is denoted an (n, t)-threshold secret sharing scheme. Let $\mathbb{F}$ be a finite field with $|\mathbb{F}| > n$. Let $id_i \in \mathbb{F}$, $i = 1, \cdots, n$, be distinct, nonzero elements that are fixed and publicly known. The scheme works as follows:
• Share(s, id_i) → s_i: On input a secret $s \in \mathbb{F}$ and any identity $id_i$, $i \in [n]$, choose $a_1, \cdots, a_{t-1} \in \mathbb{F}$ and define the polynomial $p(x) = s + \sum_{i=1}^{t-1} a_i x^i$. This is a uniformly random degree-(t − 1) polynomial with constant term s. The share of user $id_i$ is $s_i = p(id_i) \in \mathbb{F}$.
• Combine((id_{i_1}, s_{i_1}), ···, (id_{i_t}, s_{i_t})) → s: On input any t identities $id_{i_j}$, $j = 1, \cdots, t$, and the associated shares $s_{i_j}$, compute by polynomial interpolation the unique degree-(t − 1) polynomial p for which $p(id_{i_j}) = s_{i_j}$, $j = 1, \cdots, t$, and output the secret s = p(0).

Correctness. The combining algorithm works since the secret p(0) = s can be reconstructed from any t shares. More precisely, by the Lagrange interpolation formula, given any t points $(id_{i_j}, p(id_{i_j}))$, $j = 1, \cdots, t$,
$$p(x) = \sum_{j=1}^{t} p(id_{i_j}) \prod_{l=1,\, l \neq j}^{t} \frac{x - id_{i_l}}{id_{i_j} - id_{i_l}},$$
so we can compute the point $(id, p(id))$ for every $id \in \mathbb{F}$; the secret is the special point (0, s = p(0)).

Security. The sharing algorithm Share has perfect privacy: any t − 1 shares reveal nothing about s. For any t − 1 identities $id_{i_j}$, $j = 1, \cdots, t-1$, and any secret s (namely p(0)), the t − 1 shares of s are perfectly indistinguishable from t − 1 uniformly random elements of $\mathbb{F}$. When the identities are integers in [n] we will also use the fact that $(n!) \cdot L_j$ is an integer, where $L_j$, $j = 1, \cdots, t$, are the Lagrange coefficients.

Lemma 3. ([27], Lemma 2.2). For any t identities $id_{i_j} = i_j$, $i_j \in [n]$, $j = 1, \cdots, t$, the product $(n!) \cdot L_j$ is an integer, and $|(n!) \cdot L_j|$ is bounded by a fixed power of n! (indeed by $(n!)^2$, since the numerator of $L_j$ is at most n! in absolute value and its denominator is a nonzero integer).

Threshold Public-Key Encryption. We now recall the definition of TPKE from [9]. An (n, t)-TPKE consists of five algorithms as follows:
• Gen($1^\lambda$) → (pk, msk): On input the security parameter $1^\lambda$, the key generation algorithm outputs a public key pk and a master secret key msk.
• Share(msk, id_i) → sk_i: On input the master secret key msk and a new identity $id_i$ associated with a user, the sharing algorithm outputs the shared secret key $sk_i$.
• Enc(pk, m) → c: On input the public key pk and a message m, the encryption algorithm outputs a ciphertext c.
• Dec(sk_i, c) → δ_i: On input a shared secret key $sk_i$, $i \in [n]$, and the ciphertext c, the decryption algorithm outputs a decryption share $\delta_i$.
• Combine(δ_{i_1}, ···, δ_{i_t}, c) → m: On input any t decryption shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the ciphertext c, the combining algorithm outputs the message m.

Correctness. For any message m, c ← Enc(pk, m), and any t decryption shares $\delta_{i_1}, \cdots, \delta_{i_t}$, we have Combine($\delta_{i_1}, \cdots, \delta_{i_t}$, c) = m.

Security.
Let A be a PPT adversary against the IND-CPA security of a TPKE scheme with adaptive corruption. Its advantage function is defined as
$$Adv^{ind\text{-}cpa}_{TPKE,A}(\lambda) = \left| \Pr\left[ b = b' :\ (pk, msk) \leftarrow Gen(1^\lambda);\ (m_0, m_1) \leftarrow A^{Share(msk,\cdot)}(pk);\ b \leftarrow \{0,1\},\ c^* \leftarrow Enc(pk, m_b);\ b' \leftarrow A^{Dec(\cdot,\, Enc(pk))}(pk, \{sk_{i_j}\}, c^*) \right] - \frac{1}{2} \right|.$$
Here, Share(msk, ·) denotes a shared secret key oracle that, given any identity id, outputs the shared secret key $sk_{id}$; the adversary can query it at most t − 1 times, adaptively, and $\{sk_{i_j}\}$ are the shared secret keys obtained this way. Dec(·, Enc(pk)) denotes an oracle that, given any identity id, computes a fresh ciphertext c using Enc(pk) and returns the decryption share Dec($sk_{id}$, c). This captures that the adversary may obtain decryption shares of fresh encryptions of known messages. The (n, t)-TPKE scheme is IND-CPA secure if for all PPT adversaries the advantage function is negligible.

Revocation Public-Key Encryption. We recall the definition of RPKE from [8]. An (n, r)-RPKE consists of four algorithms as follows:
• Gen($1^\lambda$, r) → (pk, msk): On input the security parameter $1^\lambda$ and the revocation threshold r, the key generation algorithm outputs a public key pk and a master secret key msk.
• Reg(msk, id_i) → sk_i: On input the master secret key msk and a new identity $id_i$ associated with a user, the registration algorithm outputs the shared secret key $sk_i$.
• Enc(pk, S, s) → c: On input the public key pk, a set S of revoked users (with |S| ≤ r) and a session key s, the encryption algorithm outputs a ciphertext c.
• Dec(sk_i, c) → s: On input the shared secret key $sk_i$ of user $id_i$ and the ciphertext c, the decryption algorithm outputs the session key s if $id_i$ was a legitimate (non-revoked) user when c was constructed.

Correctness.
For any $id_i$, $i \in [n]$, (pk, msk) ← Gen($1^\lambda$), any session key s, and any set S, c ← Enc(pk, S, s), we require that for any non-revoked shared secret key $sk_i$, s = Dec($sk_i$, c).

Security. Let A be a PPT adversary against the IND-CPA security of an RPKE scheme with adaptive corruption. Its advantage function is defined as
$$Adv^{ind\text{-}cpa}_{RPKE,A}(\lambda) = \left| \Pr\left[ b = b' :\ (pk, msk) \leftarrow Gen(1^\lambda);\ (s_0, s_1) \leftarrow A^{Reg(msk,\cdot)}(pk);\ b \leftarrow \{0,1\},\ c^* \leftarrow Enc(pk, S, s_b);\ b' \leftarrow A(pk, \{sk_{i_j}\}_{j \in [r]}, c^*) \right] - \frac{1}{2} \right|.$$
Here, Reg(msk, ·) denotes an oracle that, given any identity id, outputs the shared secret key $sk_{id}$. The adversary can query the oracle at most r times, adaptively. The set S contains the identities and shared secret keys of the revoked users. If for all PPT adversaries the advantage function is negligible, the (n, r)-RPKE scheme is IND-CPA secure.

Threshold Trapdoor Function
We give the definition and the security of TTDF as follows.
Definition 1.
A collection of (n, t)-TTDFs is a tuple of polynomial-time algorithms defined as follows:
• Gen($1^\lambda$) → (ek, mtd): The generation algorithm is a probabilistic algorithm that, on input the security parameter $1^\lambda$, outputs a function index ek and a master trapdoor mtd.
• Share(mtd, id_i) → td_i: The sharing algorithm is a deterministic algorithm that, on input the master trapdoor mtd and any identity $id_i$, $i \in [n]$, outputs the shared trapdoor $td_i$.
• F(ek, x) → y: On input the function index ek and $x \in \{0,1\}^l$, the evaluation algorithm outputs y.
• $F^{-1}$(td_i, y) → δ_i: On input any shared trapdoor $td_i$ and an image y, the partial inversion algorithm outputs the inversion share $\delta_i$.
• Combine$F^{-1}$(ek, x, δ_{i_1}, ···, δ_{i_{t-1}}, id_{i_t}) → δ_{i_t}: On input ek, $x \in \{0,1\}^l$, any t − 1 inversion shares $\delta_{i_1}, \cdots, \delta_{i_{t-1}}$ of the image of x, and an identity $id_{i_t}$, the combining inversion algorithm outputs the inversion share $\delta_{i_t}$ of identity $id_{i_t}$.
• Combine(δ_{i_1}, ···, δ_{i_t}, y) → x: On input any t inversion shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the image y, the combining algorithm outputs x.
If a value y is not in the image of F, the behavior of the partial inversion algorithm and the combining algorithm is unspecified.

Correctness. For any $id_i$, (ek, mtd) ← Gen($1^\lambda$), $td_i$ ← Share(mtd, $id_i$), $i \in [n]$, $x \leftarrow \{0,1\}^l$, y = F(ek, x), we require that for any t shared trapdoors $td_{i_1}, \cdots, td_{i_t}$,
$$x = Combine\big(F^{-1}(td_{i_1}, y), \cdots, F^{-1}(td_{i_t}, y), y\big).$$

Security.
Let A be a PPT adversary against the (n, t)-TTDF and define its advantage function as
$$Adv^{tow}_{TTDF,A}(\lambda) = \Pr\left[ x = x' :\ (ek, mtd) \leftarrow Gen(1^\lambda);\ x \leftarrow \{0,1\}^l,\ y = F(ek, x);\ x' \leftarrow A^{Share(mtd,\cdot)}(ek, y) \right].$$
Here, Share(mtd, ·) denotes a shared trapdoor oracle that, given any identity id, outputs the shared trapdoor $td_{id}$. The adversary can query the oracle at most t − 1 times, adaptively. If for all PPT adversaries the advantage function is negligible, the (n, t)-TTDF is threshold one-way.

Comparison with function sharing. De Santis et al. [2] introduced the notion of function sharing (FS), parameterized by the threshold value t and the number of identities n. An (n, t)-FS splits the master trapdoor into n shared trapdoors, where n is a fixed polynomial in the security parameter. The function is easy to invert given t shared trapdoors, while no PPT adversary can invert it even given any t − 1 shared trapdoors together with a history tape H that contains partial inversion shares of polynomially many random images. They then constructed threshold cryptosystems based on FS and instantiated it under the RSA assumption. However, the number of identities of their FS and TPKE is limited to a fixed polynomial in the security parameter.

Our notion of TTDF differs from FS as follows. TTDF supports an exponential number of identities, and the generation algorithm and the sharing algorithm of TTDF are independent of the number of identities. Moreover, the security experiment of TTDF omits the complicated history tape of the FS security experiment. More precisely, an (n, t)-TTDF has an additional combining inversion algorithm that, given the function index ek, any preimage x and any t − 1 inversion shares of the image of x, computes the inversion share of any other identity. In the security experiment of (n, t)-TTDF, an adversary given any t − 1 shared trapdoors can therefore compute the inversion share of any identity for every image whose preimage it knows, whereas in (n, t)-FS the adversary can only look up the history tape H for the inversion shares of the identities contained in H, and the length of H is a fixed polynomial in the security parameter. Therefore, (n, t)-TTDF implies (n, t)-FS, and (n, t)-TTDF can be used to construct the TPKE scheme of [9] that supports ad-hoc groups (i.e., an exponential number of identities, with a generation algorithm independent of the number of identities); the reason is that the reduction algorithm, which holds any t − 1 shared trapdoors and knows the preimages of the images it creates, can compute the decryption share of any identity with the combining inversion algorithm.

TPKE from TTDF. Let (Gen, Share, F, $F^{-1}$, Combine$F^{-1}$, Combine) be an (n, t)-TTDF and hc(·) be a hardcore function. We construct a TPKE as follows:
• Gen($1^\lambda$) → (pk, msk): On input the security parameter $1^\lambda$, the generation algorithm runs (ek, mtd) ← TTDF.Gen($1^\lambda$) and outputs the public key pk = ek and the master secret key msk = mtd.
• Share(msk, id_i) → sk_i: On input the master secret key msk and any identity $id_i$, $i \in [n]$, the sharing algorithm runs $td_i$ ← TTDF.Share(msk, $id_i$) and outputs the shared secret key $sk_i = td_i$.
• Enc(pk, m) → c: On input the public key pk and a message m, the encryption algorithm chooses $x \leftarrow \{0,1\}^l$, computes $c_1$ = TTDF.F(pk, x) and $c_2$ = hc(x) ⊕ m, and outputs the ciphertext c = ($c_1$, $c_2$).
• Dec(sk_i, c) → δ_i: On input a shared secret key $sk_i$ and a ciphertext c = ($c_1$, $c_2$), the decryption algorithm computes $\delta_i$ = TTDF.$F^{-1}$($sk_i$, $c_1$) and outputs the decryption share $\delta_i$.
• Combine(δ_{i_1}, ···, δ_{i_t}, c) → m: On input any t decryption shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the ciphertext c = ($c_1$, $c_2$), the combining algorithm computes x = TTDF.Combine($\delta_{i_1}, \cdots, \delta_{i_t}$, $c_1$) and m = hc(x) ⊕ $c_2$, and outputs the message m.

Theorem 1.
If the TTDF is threshold one-way, then the TPKE is IND-CPA secure.

Proof. We define two hybrid experiments $Game_0$ and $Game_1$.
• $Game_0$: This game is identical to the IND-CPA experiment. At the beginning, the challenger runs Gen to obtain pk and msk and sends pk to A. A can query the shared secret key oracle Share(msk, ·) adaptively, and the challenger runs the sharing algorithm to answer. Upon receiving the messages $m_0, m_1$ from A, the challenger chooses $b \in \{0,1\}$ at random and returns $c^*$ = Enc(pk, $m_b$) to A. A still has access to the oracle Dec(·, Enc(pk)). At the end of the game, A outputs $b' \in \{0,1\}$ as its guess of b. If b' = b, A wins the game; otherwise it fails.
• $Game_1$: This game is identical to $Game_0$, except that when the challenger generates the challenge ciphertext $c^* = (c_1, c_2)$, it replaces $c_2 = m_b \oplus hc(x)$ with $c_2 = m_b \oplus r$, where r is a uniformly random string.

For $i \in \{0,1\}$, let $\Pr[A_{Game_i} = b]$ be the probability that A outputs the bit b when executed in $Game_i$. We claim that if there is an adversary A against the TPKE such that $\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]$ is non-negligible, then we can construct a distinguisher D against the hardcore function. On input (ek, y, r), where ek is a function index, y = F(ek, x) with $x \leftarrow \{0,1\}^l$, and r is either hc(x) or a random string, D works as follows:
1. D runs A on input pk = ek. D simulates the shared secret key oracle by querying its own shared trapdoor oracle Share(mtd, ·) adaptively.
2. Upon receiving two messages $m_0, m_1$ from A, D chooses $b \in \{0,1\}$ at random, sets $c_1 = y$ and $c_2 = m_b \oplus r$, and returns $c^* = (c_1, c_2)$ to A. A still has access to the oracle Dec(·, Enc(pk)). To simulate this oracle, D chooses a preimage x' in the domain at random, fixes the t − 1 corrupted secret keys $td_{i_1}, \cdots, td_{i_{t-1}}$, and computes the requested decryption share with the combining inversion algorithm: D computes $c' = TTDF.F(pk, x')$, $\delta_{i_1} = TTDF.F^{-1}(td_{i_1}, c'), \cdots, \delta_{i_{t-1}} = TTDF.F^{-1}(td_{i_{t-1}}, c')$ and $\delta' = TTDF.CombineF^{-1}(ek, x', \delta_{i_1}, \cdots, \delta_{i_{t-1}}, id')$, and returns $\delta'$ to A. (Since the preimage x' is chosen by D, it can compute the decryption share of any identity id'.) At the end, D outputs whatever A outputs.
3. If b = b', D returns "1" to denote that r is the output of the hardcore function; otherwise it returns "0" to denote that r is a random string.
The distinguisher D gives a perfect simulation of $Game_0$ or $Game_1$, so its advantage is non-negligible, which contradicts the threshold one-wayness of the TTDF, of which hc is a hardcore function. Therefore, $|\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]| \leq negl(\lambda)$. Finally, in $Game_1$ the output of the hardcore function has been replaced by a random string, so $\Pr[A_{Game_1} = b] = 1/2$. We have
$$\Pr[A_{Game_0} = b] \leq |\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]| + \Pr[A_{Game_1} = b] \leq \frac{1}{2} + negl(\lambda).$$
Therefore, the TPKE is IND-CPA secure.

RPKE from TTDF. Let (Gen, Share, F, $F^{-1}$, Combine$F^{-1}$, Combine) be an (n, t)-TTDF and hc(·) be a hardcore function. We construct an (n, t − 1)-RPKE as follows:
• Gen($1^\lambda$) → (pk, msk): On input the security parameter $1^\lambda$, the generation algorithm runs (ek, mtd) ← TTDF.Gen($1^\lambda$) and outputs the public key pk = ek and the master secret key msk = mtd.
• Reg(msk, id_i) → sk_i: On input the master secret key msk and any identity $id_i$, $i \in [n]$, the registration algorithm runs $td_i$ ← TTDF.Share(mtd, $id_i$) and outputs the shared secret key $sk_i = td_i$.
• Enc(pk, sk_{i_1}, ···, sk_{i_{t-1}}, s) → c: On input the public key pk, the t − 1 shared secret keys $sk_{i_j}$, $j = 1, \cdots, t-1$, of the revoked users, and a session key s, the encryption algorithm chooses $x \leftarrow \{0,1\}^l$, computes $c_1$ = TTDF.F(pk, x), $c_2$ = hc(x) ⊕ s and $\delta_{i_j}$ = TTDF.$F^{-1}$($sk_{i_j}$, $c_1$), $j = 1, \cdots, t-1$, and outputs the ciphertext c = ($c_1$, $c_2$, $\delta_{i_1}, \cdots, \delta_{i_{t-1}}$).
• Dec(sk_i, c) → s: On input the shared secret key $sk_i$ of a non-revoked user and the ciphertext c = ($c_1$, $c_2$, $\delta_{i_1}, \cdots, \delta_{i_{t-1}}$), the decryption algorithm computes $\delta_i$ = TTDF.$F^{-1}$($sk_i$, $c_1$), x = TTDF.Combine($\delta_{i_1}, \cdots, \delta_{i_{t-1}}, \delta_i$, $c_1$) and s = hc(x) ⊕ $c_2$, and outputs the session key s.

Theorem 2.
If the TTDF is threshold one-way, then the RPKE is IND-CPA secure.

Proof. We define two hybrid experiments $Game_0$ and $Game_1$.
• $Game_0$: This game is identical to the IND-CPA experiment. At the beginning, the challenger runs (pk, msk) ← Gen($1^\lambda$) and gives pk to the adversary A. A can query the registration oracle Reg(msk, ·) adaptively, and the challenger runs the registration algorithm to answer. Upon receiving two session keys $s_0, s_1$ from A, the challenger chooses $b \in \{0,1\}$ at random and returns $c^*$ = Enc(pk, $sk_{i_1}, \cdots, sk_{i_{t-1}}$, $s_b$) to A, where $sk_{i_1}, \cdots, sk_{i_{t-1}}$ are the shared secret keys of the revoked users. At the end of the game, A outputs $b' \in \{0,1\}$ as its guess of b. If b' = b, A wins the game; otherwise it fails.
• $Game_1$: This game is identical to $Game_0$, except that when the challenger generates the challenge ciphertext $c^* = (c_1, c_2, \delta_{i_1}, \cdots, \delta_{i_{t-1}})$, it replaces $c_2 = s_b \oplus hc(x)$ with $c_2 = s_b \oplus r$, where r is a uniformly random string.

For $i \in \{0,1\}$, let $\Pr[A_{Game_i} = b]$ be the probability that A outputs the bit b when executed in $Game_i$. We claim that if there is an adversary A such that $\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]$ is non-negligible, then we can construct a distinguisher D against the hardcore function. On input (ek, y, r), where ek is a function index, y = F(ek, x) with $x \leftarrow \{0,1\}^l$, and r is either hc(x) or a random string, D works as follows:
1. D runs A on input pk = ek. D simulates the registration oracle by querying its own shared trapdoor oracle Share(mtd, ·) adaptively; in particular, D obtains the shared secret keys $sk_{i_1}, \cdots, sk_{i_{t-1}}$ of the revoked users.
2. Upon receiving two session keys $s_0, s_1$ from A, D chooses $b \in \{0,1\}$ at random, sets $c_1 = y$ and $c_2 = s_b \oplus r$, computes $\delta_{i_j} = F^{-1}(sk_{i_j}, c_1)$, $j = 1, \cdots, t-1$, returns $c^* = (c_1, c_2, \delta_{i_1}, \cdots, \delta_{i_{t-1}})$ to A, and obtains a bit b' from A.
3. If b = b', D returns "1" to denote that r is the output of the hardcore function; otherwise it returns "0" to denote that r is a random string.
The distinguisher D gives a perfect simulation of $Game_0$ or $Game_1$, so its advantage is non-negligible, which contradicts the threshold one-wayness of the TTDF, of which hc is a hardcore function. Therefore, $|\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]| \leq negl(\lambda)$. Finally, in $Game_1$ the output of the hardcore function has been replaced by a random string, so $\Pr[A_{Game_1} = b] = 1/2$. We have
$$\Pr[A_{Game_0} = b] \leq |\Pr[A_{Game_0} = b] - \Pr[A_{Game_1} = b]| + \Pr[A_{Game_1} = b] \leq \frac{1}{2} + negl(\lambda).$$
Therefore, the RPKE is IND-CPA secure.

Threshold Lossy Trapdoor Function

In this section, we introduce a new cryptographic primitive called TLTDF, which is a threshold version of LTDF [23], and prove that TLTDF implies TTDF. Let l(λ) = poly(λ) denote the input length of the function, and let k(λ) ≤ l(λ) and r(λ) = l(λ) − k(λ) denote the lossiness and the residual leakage, respectively. For notational convenience we often omit the dependence on λ, and we write $Samp_{inj}(\cdot) := Samp(\cdot, 1)$ for the sampling algorithm of the injective mode and $Samp_{loss}(\cdot) := Samp(\cdot, 0)$ for that of the lossy mode.
Definition 2.
A collection of $(n, t, l, k)$-TLTDFs is a tuple of polynomial-time algorithms defined as follows.
• $\mathrm{Samp_{inj}}(1^\lambda) \to (ek, mtd)$: The sampling algorithm is a probabilistic algorithm that on input the security parameter $\lambda$ outputs a function index $ek$ and a master trapdoor $mtd$.
• $\mathrm{Samp_{loss}}(1^\lambda) \to (ek, mtd)$: The sampling algorithm is a probabilistic algorithm that on input the security parameter $\lambda$ outputs a function index $ek$ and a master trapdoor $mtd$.
• $\mathrm{Share}(mtd, id_i) \to td_i$: The sharing algorithm is a deterministic algorithm that on input the master trapdoor $mtd$ and any identity $id_i$, $i \in [n]$, outputs the shared trapdoor $td_i$, $i \in [n]$, in both modes.
• $F(ek, x) \to y$: On input the function index $ek$ and $x \in \{0,1\}^l$, the evaluation algorithm outputs $y$ in both modes, but in the lossy mode the image has size at most $2^{r} = 2^{l-k}$.
• $F^{-1}(td_i, y) \to \delta_i$: On input any shared trapdoor $td_i$, $i \in [n]$, and an image $y$, the partial inversion algorithm outputs an inversion share $\delta_i$.
• $\mathrm{CombineF}^{-1}(ek, x, \delta_{i_1}, \cdots, \delta_{i_{t-1}}, id_{i_t}) \to \delta_{i_t}$: On input $ek$, $x \in \{0,1\}^l$, any $t-1$ inversion shares $\delta_{i_1}, \cdots, \delta_{i_{t-1}}$ of the image of $x$, and an identity $id_{i_t}$, the combining inversion algorithm outputs the inversion share $\delta_{i_t}$ of identity $id_{i_t}$.
• $\mathrm{Combine}(\delta_{i_1}, \cdots, \delta_{i_t}, y) \to x$: On input any $t$ inversion shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the image $y$, in injective mode the combining algorithm outputs $x$.
Note that we require that the shared trapdoors in both modes have the same space, and that the behavior of the partial inversion algorithm and the combining algorithm is unspecified if a value $y$ is not in the image.
Security.
Let $A$ be a PPT adversary against TLTDF and define its advantage function as
$$\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{TLTDF}, A}(\lambda) = \left| \Pr\left[ b = b' : b \leftarrow \{0,1\};\ (ek, mtd) \leftarrow \mathrm{Samp}(1^\lambda, b);\ b' \leftarrow A^{\mathrm{Share}(mtd, \cdot)}(ek) \right] - \frac{1}{2} \right|.$$
Here, $\mathrm{Share}(mtd, \cdot)$ denotes a shared trapdoor oracle that, given any identity $id$ as input, outputs a shared trapdoor $td_{id}$. The adversary can query the oracle at most $t-1$ times. We require that $\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{TLTDF}, A}(\lambda)$ is negligible for every PPT adversary $A$.
Theorem 3.
If the sharing algorithm has perfect privacy and the injective and lossy modes of LTDF are indistinguishable, then for the TLTDF described above it is also hard to distinguish the injective mode from the lossy one.
Proof.
We define four hybrid experiments $\mathrm{Game}_0, \mathrm{Game}_1, \mathrm{Game}_2, \mathrm{Game}_3$.
• $\mathrm{Game}_0$: The challenger runs $(ek, mtd) \leftarrow \mathrm{Samp_{inj}}(1^\lambda)$ and gives $ek$ to $A$. $A$ can adaptively query the shared trapdoor oracle $\mathrm{Share}(mtd, \cdot)$ at most $t-1$ times, and the challenger returns the shared trapdoors to $A$.
• $\mathrm{Game}_1$: The game is identical to $\mathrm{Game}_0$, except that the challenger generates the corrupted trapdoors by choosing $r_i$, $i = 1, \cdots, t-1$, uniformly at random from the shared trapdoor space and gives them to $A$.
• $\mathrm{Game}_2$: The game is identical to $\mathrm{Game}_1$, except that the challenger runs $(ek, mtd) \leftarrow \mathrm{Samp_{loss}}(1^\lambda)$ instead of $(ek, mtd) \leftarrow \mathrm{Samp_{inj}}(1^\lambda)$.
• $\mathrm{Game}_3$: The game is identical to $\mathrm{Game}_2$, except that the challenger runs the sharing algorithm to generate the shared trapdoors and gives these shared trapdoors to $A$.
The adversary's view is perfectly indistinguishable in $\mathrm{Game}_0$ and $\mathrm{Game}_1$ under the replacement of the shared trapdoors, since the sharing algorithm has perfect privacy. Similarly, the adversary's view is perfectly indistinguishable in $\mathrm{Game}_2$ and $\mathrm{Game}_3$. The only difference between $\mathrm{Game}_1$ and $\mathrm{Game}_2$ is the sampling algorithm, so the adversary's view is computationally indistinguishable in $\mathrm{Game}_1$ and $\mathrm{Game}_2$; this follows from the fact that the injective and lossy modes of LTDF are indistinguishable [23]. Therefore, the adversary's view is computationally indistinguishable in $\mathrm{Game}_0$ and $\mathrm{Game}_3$, and for the TLTDF described above it is hard to distinguish injective from lossy, even if the adversary can obtain any $t-1$ shared trapdoors.
Theorem 4.
Let $\mathrm{TLTDF} = (\mathrm{Samp_{inj}}, \mathrm{Samp_{loss}}, \mathrm{Share}, F, F^{-1}, \mathrm{CombineF}^{-1}, \mathrm{Combine})$ give a collection of $(n, t, l, k)$-TLTDFs with $k = \omega(\log \lambda)$. Then $\mathrm{TTDF} = (\mathrm{Samp_{inj}}, \mathrm{Share}, F, F^{-1}, \mathrm{CombineF}^{-1}, \mathrm{Combine})$ gives a collection of $(n, t)$-TTDFs.
Proof. By definition, for any $id_i$, $i \in [n]$, $(ek, mtd) \leftarrow \mathrm{Samp_{inj}}(1^\lambda)$, $td_i \leftarrow \mathrm{Share}(mtd, id_i)$, $x \leftarrow \{0,1\}^l$, $y = F(ek, x)$, for any $t-1$ inversion shares $\delta_{i_1} = F^{-1}(td_{i_1}, y), \cdots, \delta_{i_{t-1}} = F^{-1}(td_{i_{t-1}}, y)$ and identity $id_{i_t}$, we have $\delta_{i_t} = F^{-1}(td_{i_t}, y) = \mathrm{CombineF}^{-1}(x, y, \delta_{i_1}, \cdots, \delta_{i_{t-1}}, id_{i_t})$, and for any $t$ shared trapdoors $td_{i_1}, \cdots, td_{i_t}$ we have $x = \mathrm{Combine}(F^{-1}(td_{i_1}, y), \cdots, F^{-1}(td_{i_t}, y), y)$. Therefore, the correctness condition holds. We now prove that the function is also threshold one-way.
Suppose $A$ is a PPT inverter. If $A$ can break the threshold one-wayness with non-negligible probability, we can build an adaptive distinguisher $D$ between the injective and lossy modes. $D$ is given a function index $ek$ as input; its goal is to decide whether $ek$ was generated in the injective or the lossy mode. $D$ works as follows:
1. $D$ runs the inverter $A$ on input the function index $ek$ and gets the identities output by $A$.
2. $D$ chooses these identities to corrupt and obtains the associated trapdoors. Then $D$ chooses $x \leftarrow \{0,1\}^l$, computes $y = F(ek, x)$, gives the value $y$ and the associated trapdoors to $A$, and obtains the value $x'$ output by $A$.
3. If $x' = x$, $D$ returns "1" to denote that $ek$ was generated in the injective mode; otherwise it returns "0" to denote that $ek$ was generated in the lossy mode.
First, by the assumption on $A$, if $ek$ is generated by $\mathrm{Samp_{inj}}(1^\lambda)$ we have $x' = x$ with non-negligible probability and $D$ outputs "1". Now suppose $ek$ is generated by $\mathrm{Samp_{loss}}(1^\lambda)$. The probability that even an unbounded algorithm $A$ predicts $x$ is given by the average min-entropy of $x$ conditioned on $(ek, td_{i_1}, \cdots, td_{i_{t-1}}, F(ek, \cdot))$. Because $F(ek, \cdot)$ takes at most $2^{l-k}$ values and $ek$ and $x$ are independent, by ([23], Lemma 2.1)
$$\tilde{H}_\infty(x \mid ek, td_{i_1}, \cdots, td_{i_{t-1}}, F(ek, x)) \ge \tilde{H}_\infty(x \mid ek, td_{i_1}, \cdots, td_{i_{t-1}}) - (l - k) = l - (l - k) = k,$$
where, by the perfect privacy of the sharing algorithm, the shared trapdoors $td_{i_j}$, $j = 1, \cdots, t-1$, reveal nothing about the master trapdoor and are independent of $x$. Since $k = \omega(\log \lambda)$, the probability that $A$ outputs $x$ and $D$ outputs "0" is $\mathrm{negl}(\lambda)$. Hence $D$ distinguishes the injective mode from the lossy mode, a contradiction of the hypothesis.
Remarks.
In our applications to TPKE and RPKE, we use a pairwise independent hash function [31] as the hardcore function. Let $\mathcal{H}: \{0,1\}^l \to \{0,1\}^{l'}$ be a family of pairwise independent hash functions, where $l' \le k - 2\lg(1/\epsilon)$ for some negligible $\epsilon = \mathrm{negl}(\lambda)$, and choose $hc \leftarrow \mathcal{H}$. Following Theorem 4, $\tilde{H}_\infty(x \mid ek, td_{i_1}, \cdots, td_{i_{t-1}}, F(ek, x)) \ge k$. By the hypothesis $l' \le k - 2\lg(1/\epsilon)$ and Lemma 2, $hc(x)$ is $\epsilon$-close to uniform.
In this section, we give instantiations of TLTDF based on the DDH assumption and the LWE assumption.
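The following Python toy is an added worked example; it is not code from the paper or its authors. It implements the DDH-based TLTDF that this section constructs next (Samp_inj / Samp_loss, Share, F, F^{-1}, CombineF^{-1}, Combine, with Shamir sharing of the exponents s_i and Lagrange interpolation in the exponent) and then drives it through the RPKE flow of the previous section: the sender attaches the F^{-1} shares of the t-1 revoked users, so only a non-revoked user can supply a t-th share and invert. The group (a 1019-order subgroup of Z_2039^*), all function names and the list-based representation of matrices and shares are my assumptions; the toy group size is for illustration only.

```python
import secrets

# Constructed toy group for the demo: G = <g> has prime order p inside Z_P^*, where
# P = 2p + 1 is a safe prime. Far too small for real use; only the algebra matters here.
P, p, g = 2039, 1019, 2
assert pow(g, p, P) == 1 and g != 1

def lagrange(points, target, mod):
    """Lagrange coefficients L_v in Z_mod with f(target) = sum_v L_v f(points[v])
    for every polynomial f of degree < len(points)."""
    coeffs = []
    for v, pv in enumerate(points):
        num = den = 1
        for u, pu in enumerate(points):
            if u != v:
                num = num * (target - pu) % mod
                den = den * (pv - pu) % mod
        coeffs.append(num * pow(den, -1, mod) % mod)
    return coeffs

def samp(l, t, injective=True):
    """Samp_inj / Samp_loss: ek is the l x (l+1) matrix C, mtd = ((s_i), D = (b_ij))."""
    r = [secrets.randbelow(p) for _ in range(l)]
    s = [secrets.randbelow(p) for _ in range(l)]
    D = [[secrets.randbelow(p) for _ in range(t - 1)] for _ in range(l)]
    C = []
    for i in range(l):
        row = [pow(g, r[i], P)]                        # first column: g^{r_i}
        for j in range(l):
            c = pow(g, r[i] * s[j] % p, P)             # g^{r_i s_j}
            if injective and i == j:
                c = c * g % P                          # extra g on the diagonal (injective mode only)
            row.append(c)
        C.append(row)
    return C, (s, D)

def share(mtd, ident):
    """Share: td_i = (f_1(id), ..., f_l(id)), f_j(x) = s_j + b_j1 x + ... + b_j(t-1) x^(t-1) over Z_p."""
    s, D = mtd
    return [(s[j] + sum(b * pow(ident, k, p) for k, b in enumerate(D[j], 1))) % p
            for j in range(len(s))]

def prod(factors):
    acc = 1
    for f in factors:
        acc = acc * f % P
    return acc

def F(ek, x):
    """F: y_i = prod_j c_ji^{x_j}. With R = sum_j x_j r_j: y_1 = g^R, y_{i+1} = g^{R s_i} g^{x_i}."""
    l = len(x)
    return [prod(ek[j][i] for j in range(l) if x[j]) for i in range(l + 1)]

def F_inv(td, y):
    """F^{-1}: inversion share delta_i = (y_1^{f_1(id_i)}, ..., y_1^{f_l(id_i)})."""
    return [pow(y[0], f, P) for f in td]

def interp_exp(deltas, L):
    """prod_v delta_v^{L_v} coordinate-wise: Lagrange interpolation in the exponent."""
    return [prod(pow(dv[i], Lv, P) for dv, Lv in zip(deltas, L)) for i in range(len(deltas[0]))]

def combine_f_inv(ek, x, shares, target):
    """CombineF^{-1}: derive the share of `target` from x and t-1 shares {ident: delta},
    with no trapdoor, by interpolating through the extra point id = 0 (f_i(0) = s_i)."""
    y = F(ek, x)
    g_inv = pow(g, -1, P)
    delta0 = [y[i + 1] * (g_inv if x[i] else 1) % P for i in range(len(x))]   # y_1^{s_i}
    idents, deltas = [0] + list(shares), [delta0] + list(shares.values())
    return interp_exp(deltas, lagrange(idents, target, p))

def combine(shares, y):
    """Combine: recover y_1^{s_i} from any t shares and read off x_i from y_{i+1} / y_1^{s_i}."""
    y1_s = interp_exp(list(shares.values()), lagrange(list(shares), 0, p))
    x = []
    for i in range(len(y) - 1):
        ratio = y[i + 1] * pow(y1_s[i], -1, P) % P
        if ratio not in (1, g):
            raise ValueError("y is not in the image of F")
        x.append(1 if ratio == g else 0)
    return x

def rpke_roundtrip(l=8, n=5, t=3, revoked=(1, 2), user=4):
    """RPKE flow: the sender attaches F^{-1} shares of the t-1 revoked users, so only a
    non-revoked user can contribute the t-th share and invert. Returns x == recovered x."""
    ek, mtd = samp(l, t)
    sk = {i: share(mtd, i) for i in range(1, n + 1)}
    x = [secrets.randbelow(2) for _ in range(l)]       # hc(x) would mask the session key
    c1 = F(ek, x)
    attached = {i: F_inv(sk[i], c1) for i in revoked}  # revoked users' shares, in the ciphertext
    return combine({**attached, user: F_inv(sk[user], c1)}, c1) == x
```

In lossy mode every $y_{i+1}$ equals $y_1^{s_i}$, so the whole image is determined by $y_1 = g^R$ and takes at most $p$ values; in injective mode the diagonal $g$ survives as the ratio $y_{i+1}/y_1^{s_i} \in \{1, g\}$ that `combine` reads off. A revoked user holding the attached shares still has only $t-1$ distinct shares, which is why the threshold is what enforces revocation.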
By using the ElGamal-like encryption primitive of [23], we generate a ciphertext $C$ by encrypting the identity matrix $I$ in the injective mode, and a ciphertext $C$ by encrypting the all-zeros matrix $0$ in the lossy mode.
Lemma 4. ([23], Lemma 5.1). The matrix encryption scheme produces indistinguishable ciphertexts under the DDH assumption.
Construction.
We now describe a DDH-based TLTDF as follows. The identity space is $\mathbb{Z}_p \setminus \{0\}$.
• $\mathrm{Samp_{inj}}$: On input $1^\lambda$, it chooses $(p, \mathbb{G}, g) \leftarrow \mathrm{Gen}(1^\lambda)$, samples $r_i, s_i, b_{ij} \leftarrow \mathbb{Z}_p$, $i = 1, \cdots, l$, $j = 1, \cdots, t-1$, and sets
$$C = \begin{pmatrix} g^{r_1} & g^{r_1 s_1} g & g^{r_1 s_2} & \cdots & g^{r_1 s_l} \\ g^{r_2} & g^{r_2 s_1} & g^{r_2 s_2} g & \cdots & g^{r_2 s_l} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ g^{r_l} & g^{r_l s_1} & g^{r_l s_2} & \cdots & g^{r_l s_l} g \end{pmatrix}.$$
The function index is $ek = C$ and the master trapdoor is $mtd = ((s_i), D = (b_{ij}))$.
• $\mathrm{Samp_{loss}}$: On input $1^\lambda$, it chooses $(p, \mathbb{G}, g) \leftarrow \mathrm{Gen}(1^\lambda)$, samples $r_i, s_i, b_{ij} \leftarrow \mathbb{Z}_p$, $i = 1, \cdots, l$, $j = 1, \cdots, t-1$, and sets
$$C = \begin{pmatrix} g^{r_1} & g^{r_1 s_1} & g^{r_1 s_2} & \cdots & g^{r_1 s_l} \\ g^{r_2} & g^{r_2 s_1} & g^{r_2 s_2} & \cdots & g^{r_2 s_l} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ g^{r_l} & g^{r_l s_1} & g^{r_l s_2} & \cdots & g^{r_l s_l} \end{pmatrix}.$$
The function index is $ek = C$ and the master trapdoor is $mtd = ((s_i), D = (b_{ij}))$.
• $\mathrm{Share}$: On input the master trapdoor $mtd$ and any identity $id_i$, $i = 1, \cdots, n$, it sets $f_j(x) = s_j + b_{j1} x + \cdots + b_{j(t-1)} x^{t-1}$, $j \in [l]$, and outputs $td_i^T = (f_1(id_i), \cdots, f_l(id_i))$.
• $F$: On input a function index $ek = (c_{ij})_{l \times (l+1)}$ and $x = (x_1, \cdots, x_l) \in \{0,1\}^l$, it outputs $y = (y_1, \cdots, y_{l+1})$ with $y_i = c_{1i}^{x_1} c_{2i}^{x_2} \cdots c_{li}^{x_l}$, $i = 1, \cdots, l+1$.
• $F^{-1}$: On input any shared trapdoor $td_i$ and the value $y$, it outputs $\delta_i^T = (y_1^{f_1(id_i)}, \cdots, y_1^{f_l(id_i)})$.
• $\mathrm{CombineF}^{-1}$: On input $ek$, $x \in \{0,1\}^l$, any $t-1$ inversion shares $\delta_{i_j}$, $j = 1, \cdots, t-1$, and an identity $id_{i_t}$. Because $f_j(id_{i_t}) = \sum_{v=0}^{t-1} L_v f_j(id_{i_v})$, $j = 1, \cdots, l$, where $L_v$, $v = 0, 1, \cdots, t-1$, are the Lagrange coefficients for the points $(id_{i_0} = 0, id_{i_1}, \cdots, id_{i_{t-1}})$, it computes $y = F(ek, x)$, $y_1^{f_i(id_{i_0})} = y_1^{s_i} = y_{i+1}/g^{x_i}$, and $y_1^{f_i(id_{i_t})} = \prod_{v=0}^{t-1} \left( y_1^{f_i(id_{i_v})} \right)^{L_v}$, $i = 1, \cdots, l$, and outputs $\delta_{i_t}^T = (y_1^{f_1(id_{i_t})}, \cdots, y_1^{f_l(id_{i_t})})$.
• $\mathrm{Combine}$: On input any $t$ inversion shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the value $y$. Because $f_j(0) = \sum_{v=1}^{t} L_v f_j(id_{i_v})$, $j = 1, \cdots, l$, where $L_v$, $v = 1, \cdots, t$, are the Lagrange coefficients, which can be efficiently computed given $(id_{i_1}, \cdots, id_{i_t})$, it computes $y_1^{s_i} = \prod_{v=1}^{t} \left( y_1^{f_i(id_{i_v})} \right)^{L_v}$, $i = 1, \cdots, l$, and outputs $x = (x_1, \cdots, x_l)$, where $x_i = 1$ if $y_{i+1}/y_1^{s_i} = g$ and $x_i = 0$ if $y_{i+1}/y_1^{s_i} = 1$, $i = 1, \cdots, l$.
Lemma 5.
The algorithms give a collection of $(n, t, l, l - \lg p)$-TLTDFs under the DDH assumption.
Proof. The $(n, t)$-threshold secret sharing scheme has perfect privacy, and the two modes of LTDF are computationally indistinguishable. Therefore, we can show the indistinguishability between the injective and lossy modes of the TLTDF. We transform the inversion algorithm into a threshold version, which does not change the lossy mode. In the lossy mode, the number of possible function outputs is at most $p$, so the residual leakage is $r \le \lg p$ and the lossiness is $k = l - r \ge l - \lg p$.
Instantiation of TLTDF Based on the LWE Assumption
We recall a variant of the LWE-based symmetric-key cryptosystem of [23], which has a small message space. Let $\mathbb{T} = \mathbb{R}/\mathbb{Z}$ and $\eta \in \mathbb{N}$. For every message $m \in \mathbb{Z}_p$, we define the "offset" $c_m = m/p \in \mathbb{T}$. The secret key is $z \leftarrow \mathbb{Z}_q^d$. To encrypt $m \in \mathbb{Z}_p$, we choose $a \leftarrow \mathbb{Z}_q^d$ and an error term $e \leftarrow \chi$. The ciphertext is
$$E_z(m, u; a, e) = (a, \langle a, z \rangle + q c_m + u + e) \in \mathbb{Z}_q^d \times \mathbb{Z}_q,$$
where the rounding error is $u = \lfloor q c_m \rceil - q c_m \in [-1/2, 1/2]$. Given a ciphertext $c = (a, c')$, the decryption algorithm computes $t = \eta (c' - \langle a, z \rangle)/q$ and outputs the $m \in \mathbb{Z}_p$ such that $t - \eta c_m$ is closest to $0$. Note that for any ciphertext, as long as the absolute total error satisfies $|\eta e + \eta u| \le \eta q/\,p$, decryption is correct.
We use the "matrix encryption" mechanism of [23] to generate the ciphertext $C = E_Z(M, U; A, E)$, where $M = (m_{i,j}) \in \mathbb{Z}_p^{h \times w}$ is a message matrix, $U = (u_{i,j})$ is the matrix of rounding errors, $E = (e_{i,j}) \in \mathbb{Z}_q^{h \times w}$ is the error matrix with $e_{i,j} \leftarrow \chi$, $Z = (z_1, \cdots, z_w)$ with independent $z_j \leftarrow \mathbb{Z}_q^d$, and for each row $i \in [h]$ of the random matrix $A \in \mathbb{Z}_q^{h \times d}$ an independent $a_i \leftarrow \mathbb{Z}_q^d$ is chosen. In the injective mode, the message matrix $M$ is the matrix $B = I \otimes b$, where $I \in \mathbb{Z}_p^{w \times w}$ is the identity and $b = (1, 2, \cdots, 2^{l-1})^T \in \mathbb{Z}_p^l$, $l = \lfloor \log p \rfloor$, $w = h/l$. In the lossy mode, the message matrix $M$ is the all-zeros matrix $0$.
Lemma 6. ([23], Lemma 6.2).
For $h, w = \mathrm{poly}(d)$, the matrix encryption scheme produces indistinguishable ciphertexts under the assumption that $\mathrm{LWE}_{q,\chi}$ is hard.
Construction.
We describe an LWE-based TLTDF as follows. By using the technique of clearing out the denominator to bound the magnitude of the errors, we require that the identity space is $ID = [n]$, $n \in \mathbb{N}$, and set $\eta = (n!)^2$.
• $\mathrm{Samp_{inj}}$: On input $1^d$, it generates $C = E_Z(B, U; A, E)$ and outputs the function index $C$ and the master trapdoor $mtd = (z_i, D_i)$, where $z_i = (z^{(i)}_j)$, $D_i = (b^{(i)}_{jk})$, $z^{(i)}_j, b^{(i)}_{jk} \leftarrow \mathbb{Z}_q$, $i = 1, \cdots, w$, $j = 1, \cdots, d$, $k = 1, \cdots, t-1$.
• $\mathrm{Samp_{loss}}$: On input $1^d$, it generates $C = E_Z(0, U; A, E)$ and outputs the function index $C$ and the master trapdoor $mtd = (z_i, D_i)$, where $z_i = (z^{(i)}_j)$, $D_i = (b^{(i)}_{jk})$, $z^{(i)}_j, b^{(i)}_{jk} \leftarrow \mathbb{Z}_q$, $i = 1, \cdots, w$, $j = 1, \cdots, d$, $k = 1, \cdots, t-1$.
• $\mathrm{Share}$: On input the master trapdoor $mtd$ and any identity $id_{i_v} = i_v \in [n]$, it sets $f^{(i)}_j(x) = z^{(i)}_j + b^{(i)}_{j1} x + \cdots + b^{(i)}_{j(t-1)} x^{t-1}$, $j = 1, \cdots, d$, and outputs
$$td_{i_v} = \begin{pmatrix} f^{(1)}_1(i_v) & f^{(2)}_1(i_v) & \cdots & f^{(w)}_1(i_v) \\ \vdots & \vdots & \ddots & \vdots \\ f^{(1)}_d(i_v) & f^{(2)}_d(i_v) & \cdots & f^{(w)}_d(i_v) \end{pmatrix}.$$
• $F$: On input the function index $C$ and $x \in \{0,1\}^h$, it outputs the vector $a = xA$ and $y = xC$.
• $F^{-1}$: On input any shared trapdoor $td_{i_v}$ and $a = xA$, it outputs the inversion share
$$\delta^{(i)}_{i_v} = \left\langle a, \begin{pmatrix} f^{(i)}_1(i_v) \\ \vdots \\ f^{(i)}_d(i_v) \end{pmatrix} \right\rangle + e^{(i)}_{i_v}, \quad i = 1, \cdots, w.$$
• $\mathrm{CombineF}^{-1}$: On input $ek$, $x \in \{0,1\}^h$, any $t-1$ inversion shares $\delta_{i_v}$, $v = 1, \cdots, t-1$, and an identity $id_{i_t}$. Because $f^{(i)}_j(i_t) = \sum_{v=0}^{t-1} L_v f^{(i)}_j(i_v)$, $j = 1, \cdots, d$, $i = 1, \cdots, w$, where $L_v$, $v = 0, 1, \cdots, t-1$, are the Lagrange coefficients for the points $(i_0 = 0, i_1, \cdots, i_{t-1})$, it computes the image $y = (y_1, \cdots, y_w)$ of $x$ and $xB = (m_1, \cdots, m_w)$. For every $i = 1, \cdots, w$, $\delta^{(i)}_{i_0} = \langle a, z_i \rangle + e_i = y_i - \lfloor q c_{m_i} \rceil = \langle a, z_i \rangle + (xE)_i$. It outputs the inversion share $\delta_{i_t} = \sum_{v=0}^{t-1} L_v \delta_{i_v}$.
• $\mathrm{Combine}$: On input any $t$ inversion shares $\delta_{i_1}, \cdots, \delta_{i_t}$. Because $f^{(i)}_j(0) = \sum_{v=1}^{t} L_v f^{(i)}_j(i_v)$, $j = 1, \cdots, d$, $i = 1, \cdots, w$, where $L_v$, $v = 1, \cdots, t$, are the Lagrange coefficients, which can be efficiently computed given any $t$ identities $i_1, \cdots, i_t$, it computes
$$L_v \delta^{(i)}_{i_v} = \left\langle a, L_v \begin{pmatrix} f^{(i)}_1(i_v) \\ \vdots \\ f^{(i)}_d(i_v) \end{pmatrix} \right\rangle + L_v e^{(i)}_{i_v}, \quad v = 1, \cdots, t,$$
$$y'_i = \sum_{v=1}^{t} L_v \delta^{(i)}_{i_v} = \left\langle a, \begin{pmatrix} L_1 f^{(i)}_1(i_1) + \cdots + L_t f^{(i)}_1(i_t) \\ \vdots \\ L_1 f^{(i)}_d(i_1) + \cdots + L_t f^{(i)}_d(i_t) \end{pmatrix} \right\rangle + \sum_{v=1}^{t} L_v e^{(i)}_{i_v} = \langle a, z_i \rangle + \sum_{v=1}^{t} L_v e^{(i)}_{i_v},$$
$i = 1, \cdots, w$, and gets $y' = (y'_1, \cdots, y'_w)$. Then it computes $y''_i = \eta (y_i - y'_i)/q$, $i = 1, \cdots, w$, and obtains $m_i \in \mathbb{Z}_p$ such that $y''_i - \eta c_{m_i}$ is closest to $0$. Finally, it outputs $x \in \{0,1\}^h$ such that $xB = (m_1, \cdots, m_w)$.
We show the correctness and lossiness properties of our TLTDF as follows. We recall some probability distributions from [23]. For $\alpha \in \mathbb{R}^+$, let $\Psi_\alpha$ be the normal variable with mean $0$ and standard deviation $\alpha/\sqrt{2\pi}$ on $\mathbb{T}$. For any probability density $\phi: \mathbb{T} \to \mathbb{R}^+$ and $q \in \mathbb{Z}^+$, let its discretization $\bar{\phi}: \mathbb{Z}_q \to \mathbb{R}^+$ be the discrete distribution over $\mathbb{Z}_q$ of the random variable $\lfloor q \cdot X_\phi \rceil \bmod q$, where $X_\phi$ has distribution $\phi$.
Lemma 7.
Let $q \ge p(h + \gamma)$, $\alpha \le 1/(16p(h+g))$ for $g \ge \gamma$, and $\gamma = \sum_{v=1}^{t} \eta L_v$, where $L_v$, $v = 1, \cdots, t$, are the Lagrange coefficients. The error matrix $E = (e_{i,j}) \in \mathbb{Z}_q^{h \times w}$ is generated by choosing independent error terms $e_{i,j} \leftarrow \chi = \bar{\Psi}_\alpha$, and $e_{i_v} \leftarrow \chi$, $v = 1, \cdots, t$. Every entry of $xE + \sum_{v=1}^{t} \eta L_v e_{i_v}$ has absolute value less than $q/\,p$ for all $x \in \{0,1\}^h$, except with probability at most $w \cdot 2^{-g}$ over the choice of $E$ and the $e_{i_v}$.
Proof. By definition, $e_i = \lfloor q s_i \rceil \bmod q$ and $e_{i_v} = \lfloor q s_{i_v} \rceil \bmod q$, where the $s_i, s_{i_v}$ are independent normal variables with mean $0$ and variance $\alpha^2$ for each $i \in [h]$, $v \in [t]$. Let $s' = \langle x, e \rangle + \sum_{v=1}^{t} \eta L_v e_{i_v}$, where $e = (e_1, \cdots, e_h)^T$. Then $s'$ is at most $(h+\gamma)/2 \le q/\,p$ away from $q\left( \left( \langle x, s \rangle + \sum_{v=1}^{t} \eta L_v s_{i_v} \right) \bmod 1 \right)$. Since the $s_i, s_{i_v}$ are independent, $\langle x, s \rangle + \sum_{v=1}^{t} \eta L_v s_{i_v}$ is distributed as a normal variable with mean $0$ and variance at most $(h+\gamma)\alpha^2 \le (h+g)\alpha^2$, where $\gamma > \sum_{v=1}^{t} (\eta L_v)$, hence with standard deviation at most $\sqrt{h+g}\,\alpha$. Then by the tail inequality on normal variables and the hypothesis on $\alpha$,
$$\Pr\left[ \left| \langle x, s \rangle + \sum_{v=1}^{t} \eta L_v s_{i_v} \right| \ge 1/\,p \right] \le \Pr\left[ \left| \langle x, s \rangle + \sum_{v=1}^{t} \eta L_v s_{i_v} \right| \ge \sqrt{h+g} \left( \sqrt{h+g}\,\alpha \right) \right] \le \frac{\exp(-(h+g))}{2\sqrt{h+g}} < 2^{-(h+g)}.$$
We have shown that for any fixed $x \in \{0,1\}^h$, $\Pr[|s'| \ge q/\,p] \le 2^{-(h+g)}$. Taking a union bound over all $x \in \{0,1\}^h$, we conclude that $|s'| < q/\,p$ for all $x \in \{0,1\}^h$ except with probability at most $2^{-g}$. Therefore, for each column $e$ of $E$ and the $e_{i_v}$, $v = 1, \cdots, t$, we have $|s'| < q/\,p$ for all $x$ except with probability at most $2^{-g}$ over the choice of $e$ and $e_{i_v}$, $v = 1, \cdots, t$. The lemma follows by a union bound over all $w$ columns of $E$.
Parameters.
Instantiate the parameters as follows: let $p = h^{c}$ for a constant $c$, $h = d^{c}$ for a constant $c$, $\gamma = \sum_{v=1}^{t} \eta L_v$ where $L_v$ is the Lagrange coefficient, $e_{i_v} \leftarrow \chi$, $v = 1, \cdots, t$, let $\chi = \bar{\Psi}_\alpha$ where $\alpha \le 1/(32ph)$, and let $q \in [2\sqrt{d}/\alpha, O(ph^{c})]$ for a constant $c$. For $A \in \mathbb{Z}_q^{h \times d}$, the size of the function index is $hd \log q = d^{c+1} \log q = \Omega(d \log d)$, and for $(xA, xC) \in \mathbb{Z}_q^d \times \mathbb{Z}_q^w$, the size of the image is $(h + w) \log q = (d^{c} + d^{c}/\lfloor \log p \rfloor) \log q = \Omega(d \log d)$.
Correctness.
We now show correctness of the above TLTDF by proving the following theorem.
Theorem 5.
The TLTDF with above parameters instantiated satisfies the correctness.Proof.
The combining algorithm computes $y' = (y'_1, \cdots, y'_w)$ as follows:
$$y'_i = \langle a, z_i \rangle + \sum_{v=1}^{t} L_v e^{(i)}_{i_v}.$$
We have
$$y''_i = |\eta (y_i - y'_i)|_q = \left| \eta c_{m_i} q + \eta (xU)_i + \eta (xE)_i - \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right|_q.$$
Let $g = h \ge \gamma$ in Lemma 7 above; the absolute total error satisfies
$$\left| (xU)_i + (xE)_i - \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \le |(xU)_i| + \left( |(xE)_i| + \left| \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \right) \le \frac{q}{\,p} + \frac{q}{\,p} < \frac{q}{\,p}.$$
Hence
$$\left| \eta (xU)_i + \eta (xE)_i - \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \le \eta |(xU)_i| + \left( \eta |(xE)_i| + \eta \left| \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \right) < \frac{\eta q}{\,p}.$$
Therefore, the inversion is correct.
Theorem 6.
The TLTDF with the above parameters produces indistinguishable function indexes under the $\mathrm{LWE}_{q,\chi}$ assumption. Moreover, the algorithms give a collection of $(n, t, h, k)$-TLTDFs, assuming $\mathrm{LWE}_{q,\chi}$ is hard. The residual leakage $r = h - k$ satisfies
$$r \le \left( \frac{c}{c} + o(1) \right) \cdot h.$$
Proof.
The $(n, t)$-threshold secret sharing scheme has perfect privacy, and the injective and lossy modes of LTDF are indistinguishable [23]. Therefore, we can show the indistinguishability between the injective and lossy modes of the TLTDF. We transform the inversion algorithm into a threshold version, which does not change the lossy mode. In the lossy mode, as in the correctness argument, $|(xU)_i| + \left( |(xE)_i| + \left| \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \right) < q/\,p$. Therefore, for $i \in [w]$, the function output $y_i = \langle xA, z_i \rangle + |(xU)_i| + 0 + \left( |(xE)_i| + \left| \sum_{v=1}^{t} \eta L_v e^{(i)}_{i_v} \right| \right)$ can take at most $q/p$ possible values. Then the number of possible function outputs is at most $q^d (q/p)^w$. The proof follows ([23], Theorem 6.4); we omit the details.
We show a relaxation of TTDF called TTDR and prove that TTDR supports the same applications of constructing TPKE and RPKE.
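The following Python toy is an added worked example of the LWE-based TLTDF of this section, not code from the paper or its authors. It shows the part that the correctness argument hinges on: the partial inversion shares are noisy, so the combiner must not multiply them by Lagrange coefficients taken modulo $q$; instead it uses the integers $\eta L_v$ with $\eta = (n!)^2$, which keeps the combined noise small enough for the rounding step $\lfloor p \cdot \eta(y_i - y'_i)/q \rceil$ to recover $\eta m_i \bmod p$. It also shows $\mathrm{CombineF}^{-1}$ interpolating through the extra point $i_0 = 0$ and the lossy mode, where $\mathrm{Combine}$ returns the same output regardless of $x$. The parameters $(q, p, d, n, t)$, the noise distribution $\{-1, 0, 1\}$ standing in for $\chi$, and all names are my assumptions; they are chosen only so that $p \cdot |\text{total error}|/q < 1/2$ holds for every share subset of $[n]$.

```python
import secrets
from fractions import Fraction
from math import factorial

# Constructed toy parameters (nowhere near secure). They are chosen so that the error bound of
# the correctness argument holds with margin: p * |total error| / q < 1/2 for every share subset.
q, p, d, n, t = 1000003, 7, 4, 4, 3
l = p.bit_length() - 1       # l = floor(log2 p) = 2 bits per block
w = 4                        # columns of the message matrix (number of blocks)
h = w * l                    # rows of A; x in {0,1}^h encodes w messages of l bits each
eta = factorial(n) ** 2      # (n!)^2 clears every Lagrange denominator for identities in [n]

def noise():                 # chi for the demo: uniform on {-1, 0, 1}
    return secrets.randbelow(3) - 1

def round_div(a, b):         # nearest integer to a / b
    return (2 * a + b) // (2 * b)

def lagrange(idents, target):
    """Exact rational coefficients L_v with f(target) = sum_v L_v f(idents[v])."""
    out = []
    for v, iv in enumerate(idents):
        L = Fraction(1)
        for u, iu in enumerate(idents):
            if u != v:
                L *= Fraction(target - iu, iv - iu)
        out.append(L)
    return out

def messages(x):             # xB: block messages m_i = sum_k x_{i*l+k} 2^k, since B = I (x) b
    return [sum(x[i * l + k] << k for k in range(l)) for i in range(w)]

def samp(injective=True):
    """Samp_inj / Samp_loss: C = (A, AZ + round(q*M/p) + E) with M = B = I (x) b or M = 0."""
    A = [[secrets.randbelow(q) for _ in range(d)] for _ in range(h)]
    Z = [[secrets.randbelow(q) for _ in range(d)] for _ in range(w)]          # Z[i] = z_i
    D = [[[secrets.randbelow(q) for _ in range(t - 1)] for _ in range(d)] for _ in range(w)]
    C = []
    for r in range(h):
        row = []
        for i in range(w):
            az = sum(A[r][j] * Z[i][j] for j in range(d))
            m = (1 << (r % l)) if injective and r // l == i else 0        # b = (1, 2, ..., 2^{l-1})
            row.append((az + round_div(q * m, p) + noise()) % q)
        C.append(row)
    return (A, C), (Z, D)

def share(mtd, ident):
    """Share: td[i][j] = f^(i)_j(ident) with f^(i)_j(x) = z^(i)_j + sum_k b^(i)_jk x^k over Z_q."""
    Z, D = mtd
    return [[(Z[i][j] + sum(b * pow(ident, k, q) for k, b in enumerate(D[i][j], 1))) % q
             for j in range(d)] for i in range(w)]

def F(ek, x):
    """F: (a, y) = (xA, xC) over Z_q."""
    A, C = ek
    a = [sum(x[r] * A[r][j] for r in range(h)) % q for j in range(d)]
    y = [sum(x[r] * C[r][i] for r in range(h)) % q for i in range(w)]
    return a, y

def F_inv(td, a):
    """F^{-1}: delta^(i) = <a, f^(i)(ident)> + e, one noisy value per column i."""
    return [(sum(a[j] * td[i][j] for j in range(d)) + noise()) % q for i in range(w)]

def combine_f_inv(ek, x, shares, target):
    """CombineF^{-1}: interpolate through (0, y_i - round(q m_i / p)) and the t-1 known shares."""
    _, y = F(ek, x)
    delta0 = [(y[i] - round_div(q * m, p)) % q for i, m in enumerate(messages(x))]
    idents, deltas = [0] + list(shares), [delta0] + list(shares.values())
    Lq = [L.numerator * pow(L.denominator, -1, q) % q for L in lagrange(idents, target)]
    return [sum(Lv * dv[i] for Lv, dv in zip(Lq, deltas)) % q for i in range(w)]

def combine(shares, image):
    """Combine: eta*y_i - sum_v (eta L_v) delta_v = eta*q*m_i/p + small error (mod q); the
    integer eta*L_v keep the share noise from being blown up by a mod-q inverse."""
    _, y = image
    coef = [L * eta for L in lagrange(list(shares), 0)]
    assert all(c.denominator == 1 for c in coef)     # (n!)^2 L_v is an integer
    eta_inv = pow(eta, -1, p)                         # needs gcd(eta, p) = 1
    x = []
    for i in range(w):
        val = (eta * y[i] - sum(int(c) * dv[i] for c, dv in zip(coef, shares.values()))) % q
        m = round_div(p * val, q) * eta_inv % p       # round(p*val/q) = eta*m_i mod p, strip eta
        if m >= 1 << l:
            raise ValueError("image not in range")
        x += [(m >> k) & 1 for k in range(l)]
    return x
```

With identities in $[4]$ and $t = 3$ the largest $\sum_v |\eta L_v|$ is $17\eta$ (for the set $\{2, 3, 4\}$), so even with every noise term at its maximum the scaled error stays below $15000$ and $p \cdot 15000/q \approx 0.1 < 1/2$, which is the margin the decoding step relies on; shrinking $q$ or growing $n$ without re-checking that bound is exactly how a real deployment of this construction would start producing wrong inversions.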
Definition 3.
A collection of $(n, t)$-TTDRs is a tuple of polynomial-time algorithms as follows:
• $\mathrm{Gen}(1^\lambda) \to (ek, mtd)$: The generation algorithm is a probabilistic algorithm that on input the security parameter $\lambda$ outputs a function index $ek$ and a master trapdoor $mtd$.
• $\mathrm{Share}(mtd, id_i) \to td_i$: The sharing algorithm is a deterministic algorithm that on input the master trapdoor $mtd$ and any identity $id_i$, $i \in [n]$, outputs the shared trapdoor $td_i$, $i \in [n]$.
• $\mathrm{Samp}(ek) \to (x, y)$: On input the function index $ek$, the relation sampling algorithm samples a relation $(x, y = F(ek, x))$.
• $F^{-1}(td_i, y) \to \delta_i$: On input any shared trapdoor $td_i$ and an image $y$, the partial inversion algorithm outputs the inversion share $\delta_i$.
• $\mathrm{CombineF}^{-1}(x, y, \delta_{i_1}, \cdots, \delta_{i_{t-1}}, id_{i_t}) \to \delta_{i_t}$: On input $x \in \{0,1\}^l$, its image $y$, any $t-1$ inversion shares $\delta_{i_1}, \cdots, \delta_{i_{t-1}}$, and an identity $id_{i_t}$, the combining inversion algorithm outputs the inversion share $\delta_{i_t}$ of identity $id_{i_t}$.
• $\mathrm{Combine}(\delta_{i_1}, \cdots, \delta_{i_t}, y) \to x$: On input any $t$ inversion shares $\delta_{i_j}$, $j = 1, \cdots, t$, and the image $y$, the combining algorithm outputs $x$.
We require that the behavior of the partial inversion algorithm, the combining inversion algorithm and the combining algorithm is unspecified if $y$ is not in the image.
Correctness.
For any $id_i$, $i \in [n]$, $(ek, mtd) \leftarrow \mathrm{Gen}(1^\lambda)$, $td_i \leftarrow \mathrm{Share}(mtd, id_i)$, and any relation $(x, y = F(ek, x))$, we require that for any $t$ shared trapdoors $td_{i_1}, \cdots, td_{i_t}$ we have $x = \mathrm{Combine}(F^{-1}(td_{i_1}, y), \cdots, F^{-1}(td_{i_t}, y), y)$.
Security.
Let $A$ be a PPT adversary and define its advantage function $\mathrm{Adv}^{\mathrm{tow}}_{\mathrm{TTDR}, A}(\lambda)$ as
$$\mathrm{Adv}^{\mathrm{tow}}_{\mathrm{TTDR}, A}(\lambda) = \Pr\left[ x = x' : (ek, mtd) \leftarrow \mathrm{Gen}(1^\lambda);\ (x, y) \leftarrow \mathrm{Samp}(ek);\ x' \leftarrow A^{\mathrm{Share}(mtd, \cdot)}(ek, y) \right].$$
Here, $\mathrm{Share}(mtd, \cdot)$ denotes a shared trapdoor oracle that, given any identity $id$ as input, outputs a shared trapdoor $td_{id}$. The adversary can query the oracle at most $t-1$ times. A collection of $(n, t)$-TTDRs is threshold one-way if for any PPT adversary the advantage function is negligible.
Following the constructions of TPKE and RPKE from TTDF, we obtain generic constructions of TPKE and RPKE from TTDR by running the relation sampling algorithm of the TTDR instead of the evaluation algorithm of the TTDF in the encryption algorithm. Threshold one-wayness ensures that both the TPKE and the RPKE are IND-CPA secure.
Threshold Lossy Trapdoor Relation.
Following the definitions of TTDR and TLTDF, by relaxing the evaluation algorithm of TLTDF into a relation sampling algorithm, we present the definition of TLTDR and show that TLTDR also produces indistinguishable function indexes. Similarly, we can prove that TLTDR implies TTDR. We propose a refined definition of the relation by omitting the publicly computable injective map of LTDR [28]. Informally, the function index $ek$ is a composite function description which consists of the inverse map of the publicly computable injective map. The relation sampling algorithm outputs a relation $(x, y = F(ek, x))$. The inversion algorithm takes the trapdoor and the image $y = F(ek, x)$ and outputs $x$.
Instantiations of TLTDR.
Following the instantiation of TLTDF under the DDH assumption and the instantiation of LTDR [28], we give an efficient instantiation under the DDH assumption by relaxing the evaluation algorithm into a relation sampling algorithm. We construct the TLTDR using the $2 \times 3$ matrices
$$C = \begin{pmatrix} g^{r_1} & g^{r_1 s_1} & g^{r_1 s_2} \\ g^{r_2} & g^{r_2 s_1} & g^{r_2 s_2} \end{pmatrix}, \qquad C = \begin{pmatrix} g^{r_1} & g^{r_1 s_1} g & g^{r_1 s_2} \\ g^{r_2} & g^{r_2 s_1} & g^{r_2 s_2} g \end{pmatrix}.$$
For $C = (c_{ij})_{2 \times 3}$ and $(x_1, x_2) \leftarrow \mathbb{Z}_p$, the relation sampling algorithm outputs a relation $(x = (g^{x_1}, g^{x_2}),\ F(ek, x) = (c_{11}^{x_1} c_{21}^{x_2},\ c_{12}^{x_1} c_{22}^{x_2},\ c_{13}^{x_1} c_{23}^{x_2}))$. The combining algorithm computes $x$ by taking as input any $t$ inversion shares and the image $F(ek, x)$. It is not hard to show that this gives a collection of $(n, t, p, \log p)$-TLTDRs under the DDH assumption.
Table 1.
Comparisons Among TPKE Schemes

Scheme   pk size      ciphertext size   Enc      Dec           assumption   adaptive corruption   generic construction   IND-CCA
BD10     d            d                                                     ×                     ×                      ×
XXZ11    2nd log d    nd log d          n TBE    1 Inv_LTDF    LWE          ×                     √                      √
BKP13    d log d      d log d                    PSF           LWE          √                     ×                      √
Ours     d log d      d log d                                               √                     √                      ×
Ours     l|G|         l|G|              l Exp    1 Exp         DDH          √                     √                      ×
Ours     |G|          |G|                                                   √                     √                      ×

‡ n and d denote the number of users and the dimension of the lattice, respectively. Mvp, SS, OTS, TBE, Inv_LTDF, Inv_PSF and Exp denote the cost of a matrix-vector product, a secret sharing, a one-time signature, a tag-based encryption, inverting an image of an LTDF, sampling a preimage of a preimage sampleable function and a modular exponentiation, respectively. We construct the schemes Ours and Ours from TTDF, where l denotes the input length of the function, and the scheme Ours from TTDR.

Table 2. Comparisons Among RPKE Schemes

Scheme   pk size        ciphertext size   assumption   adaptive corruption   generic construction   IND-CCA
NP00     |G|            t|G|              DDH          √                     ×                      ×
DF03     (t+2)|G|       t+1)|G|           DDH          √                     ×                      √
Wee11    t|G|           (t+2)|G|          DDH          ×                     √                      √
Wee11    t|Z_N^*|       (t+2)|Z_N^*|      factoring    ×                     √                      √
Ours     |G|            (2t+3)|G|         DDH          √                     √                      ×
Ours     l|G|           (2t+l)|G|         DDH          √                     √                      ×
Ours     d log d        d log d           LWE          √                     √                      ×

‡ t and d denote the threshold value and the dimension of the lattice, respectively. We construct the schemes Ours and Ours from TTDF, where l denotes the input length of the function, and the scheme Ours from TTDR.

Table 1 compares the communication and computational costs of our lattice-based TPKE schemes with those in [16], [18], [19]. For lattice-based TPKE, the communication cost of our scheme is lower than that of [16], which needs a large modulus and therefore has larger ciphertexts. Compared with [18], which splits the message into many pieces and encrypts every piece with a different tag-based encryption, so that the size of the public key and the ciphertext is at least linear in the number of users, our scheme splits the master secret key directly, and the size of the public key and the ciphertext is independent of the number of users. Moreover, the computational cost of our TPKE is also lower than that of [16], [18], [19], especially during the encryption and decryption phases, where our TPKE scheme only requires a simple matrix-vector product in each. In [16], the decryption algorithm requires every user to compute a sharing by a pseudorandom secret sharing and a matrix-vector product. In [18], the encryption algorithm needs to run a secret sharing scheme to split a message into $n$ pieces, $n$ tag-based encryptions to encrypt every piece, and a one-time signature; moreover, the decryption algorithm needs to check the signature and invert an image of the lossy trapdoor function to obtain a decryption share. Compared with [19], their encryption algorithm requires every user to compute a one-time signature and two matrix-vector products, and the decryption algorithm needs to run the inversion algorithm of a preimage sampleable function [20].
Table 2 compares the communication costs of our RPKE schemes with those in [8], [10], [9]. The size of the public key of our DDH-based RPKE is a 2 ×
In order to evaluate the practical performance of our schemes, we implement the TTDF of Section 3, the TPKE of Section 4 and the RPKE of Section 5 based on the NTL library. The program is executed on an Intel Core i7-2600 CPU at 3.4GHz with 4GB RAM, running the Linux Deepin 15.4.1 64-bit system.
Experiment Setting and Computation Time.
As depicted in Table 3 and Table 4, we set the security parameter $\lambda = 128, 256, 512$ respectively, and the dimension of the lattice $d = 512, 768, 1024$, $h = d^{c}$, $p = h^{c}$, $l = \lfloor \lg p \rfloor$, $w = m = h/l$, $\alpha \le 1/(32ph)$ and $q > 2\sqrt{d}/\alpha$. Moreover, we set the number of users to $n = 4$ and the threshold value to $t = 3$ in TPKE, and the number of revoked users to $r = 2$ in RPKE.
Table 3 and Table 4 show the average running times of all algorithms in our TPKE and RPKE schemes. For different security levels, we set the security parameter $\lambda = 128, 256, 512$ respectively. The average running times of all algorithms in both the DDH-based TPKE and RPKE are at the level of milliseconds; therefore, our schemes are efficient and practical. Meanwhile, we set the dimension of the lattice $d = 512, 768, 1024$.
Table 3.
Experiment Setting and Computation Time of DDH-Based TPKE and RPKE

Parameter          TPKE Time (ms)                            RPKE Time (ms)
λ     n   t   r    KeyGen   Encrypt   Decrypt   Combine    KeyGen   Encrypt   Decrypt
128   4   3   2    2.184    0.263     0.145     0.309      4.978    0.390     0.467
256   4   3   2    9.499    0.517     0.312     0.566      11.59    0.839     0.770
512   4   3   2    68.08    1.311     0.797     1.318      34.53    1.890     1.786

‡ λ, n, t and r indicate the security parameter, the number of users, the threshold value, and the number of revoked users, respectively.

Table 4. Experiment Setting and Computation Time of LWE-Based TPKE and RPKE

Parameter                                TPKE Time (s)                             RPKE Time (s)
d      h      p      w     n   t   r     KeyGen   Encrypt   Decrypt   Combine     KeyGen   Encrypt   Decrypt
512    2200   2063   200   4   3   2     2.178    0.076     0.005     2.273       2.299    0.092     2.146
768    3260   6029   280   4   3   2     4.451    0.167     0.012     8.949       4.215    0.209     9.032
1024   4420   9859   340   4   3   2     7.724    0.293     0.021     17.554      7.367    0.382     17.962

‡ d, h, p, w, n, t and r indicate the dimension of the lattice, the number of rows of the matrix A of the public key, the size of the message space Z_p, the number of columns of the matrix Z of the master secret key, the number of users, the threshold value, and the number of revoked users, respectively.
Acknowledgements.
This work is supported by the National Natural Science Foundation of China (Grant No. 61772522), the Youth Innovation Promotion Association CAS, and the Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035).
Footnotes. We use the technique of "clearing out the denominator" to preserve correct decryption and limit the number of extra errors in $(n!)^2$. In order to run the LWE-based TPKE and RPKE practically, we set the number of users $n = 4$.

References
1. Y. Desmedt, "Society and group oriented cryptography: a new concept," in Advances in Cryptology — CRYPTO '87, C. Pomerance, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1988, pp. 120–127.
2. A. De Santis, Y. Desmedt, Y. Frankel et al., "How to share a function securely," in Proceedings of the Twenty-sixth Annual ACM Symposium on Theory of Computing, ser. STOC '94. New York, NY, USA: ACM, 1994, pp. 522–533.
3. V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," in Advances in Cryptology — EUROCRYPT '98, International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May 31 – June 4, 1998, Proceedings, ser. Lecture Notes in Computer Science, vol. 1403. Springer, 1998, pp. 1–16.
4. R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack (extended abstract)," in Advances in Cryptology — EUROCRYPT '99, J. Stern, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999, pp. 90–106.
5. D. L. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms," Commun. ACM, vol. 24, no. 2, pp. 84–90, 1981.
6. I. Damgård, D. Hofheinz, E. Kiltz et al., "Public-key encryption with non-interactive opening," in Topics in Cryptology – CT-RSA 2008, T. Malkin, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 239–255.
7. D. Galindo, B. Libert, M. Fischlin et al., "Public-key encryption with non-interactive opening: New constructions and stronger definitions," in Progress in Cryptology – AFRICACRYPT 2010, D. J. Bernstein and T. Lange, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 333–350.
8. M. Naor and B. Pinkas, "Efficient trace and revoke schemes," in Financial Cryptography, Y. Frankel, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2001, pp. 1–20.
9. H. Wee, "Threshold and revocation cryptosystems via extractable hash proofs," in Advances in Cryptology – EUROCRYPT 2011, K. G. Paterson, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 589–609.
10. Y. Dodis and N. Fazio, "Public key trace and revoke scheme secure against adaptive chosen ciphertext attack," in Public Key Cryptography — PKC 2003, Y. G. Desmedt, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2002, pp. 100–115.
11. A. Fiat and M. Naor, "Broadcast encryption," in Advances in Cryptology — CRYPTO '93, D. R. Stinson, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 480–491.
12. Y. Dodis and J. Katz, "Chosen-ciphertext security of multiple encryption," in Theory of Cryptography, J. Kilian, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 188–209.
13. B. Libert and M. Yung, "Non-interactive CCA-secure threshold cryptosystems with adaptive security: New framework and constructions," in Theory of Cryptography, R. Cramer, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 75–93.
14. R. Canetti, U. Feige, O. Goldreich et al., "Adaptively secure multi-party computation," in Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pp. 639–648, 1996.
15. R. Canetti, "Security and composition of multiparty cryptographic protocols," Journal of Cryptology, vol. 13, no. 1, pp. 143–202, Jan 2000.
16. R. Bendlin and I. Damgård, "Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems," in Theory of Cryptography, D. Micciancio, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 201–218.
17. O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, ser. STOC '05. New York, NY, USA: ACM, 2005, pp. 84–93.
18. X. Xie, R. Xue, and R. Zhang, "Efficient threshold encryption from lossy trapdoor functions," in Post-Quantum Cryptography, B.-Y. Yang, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 163–178.
19. R. Bendlin, S. Krehbiel, and C. Peikert, "How to share a lattice trapdoor: Threshold protocols for signatures and (H)IBE," in Applied Cryptography and Network Security, M. Jacobson, M. Locasto, P. Mohassel, and R. Safavi-Naini, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 218–236.
20. C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in
Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing , ser. STOC ’08.New York, NY, USA: ACM, 2008, pp. 197–206.21. D. Boneh, X. Boyen, and S. Halevi, “Chosen ciphertext secure public key threshold encryption withoutrandom oracles,” in
Topics in Cryptology – CT-RSA 2006 , D. Pointcheval, Ed. Berlin, Heidelberg: SpringerBerlin Heidelberg, 2006, pp. 226–243.22. R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, “Adaptive Security for Threshold Cryptosys-tems,” in
Advances in Cryptology — CRYPTO’ 99 . Lecture Notes in Computer Science, vol 1666. Springer,Berlin, Heidelberg23. C. Peikert and B. Waters, “Lossy trapdoor functions and their applications,” in
Proceedings of the FortiethAnnual ACM Symposium on Theory of Computing , ser. STOC ’08. New York, NY, USA: ACM, 2008, pp.187–196.24. A. Shamir, “How to share a secret,”
Commun. ACM , vol. 22, no. 11, pp. 612–613, 1979.
5. V. Shoup, “Practical threshold signatures,” in
Advances in Cryptology — EUROCRYPT 2000 , B. Preneel,Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2000, pp. 207–220.26. S. Agrawal, X. Boyen, and V. Vaikuntanathan et al, “Functional encryption for threshold functions (or fuzzyibe) from lattices,” in
Public Key Cryptography – PKC 2012 , M. Fischlin, J. Buchmann, and M. Manulis,Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 280–297.27. D. Boneh, R. Gennaro, and S. Goldfeder et al, “A lattice-based universal thresholdizer for cryptographicsystems,” https://eprint.iacr.org/2017/251 , 2017.28. H. Xue, X. Lu, and B. Li et al, “Lossy trapdoor relation and its applications to lossy encryption and adaptivetrapdoor relation,” in
Provable Security , S. S. M. Chow, J. K. Liu, L. C. K. Hui, and S. M. Yiu, Eds. Cham:Springer International Publishing, 2014, pp. 162–177.29. W. Diffie and M. E. Hellman, “New directions in cryptography,”
IEEE Transactions on Information Theory ,vol. 22, no. 6, pp. 644–654, 1976.30. Y. Dodis, R. Ostrovsky, and L. Reyzin et al, “Fuzzy extractors: How to generate strong keys from biometricsand other noisy data,”
SIAM J.Comput , pp. 97–139, 2008.31. M. N. Wegman and J. Carter, “New hash functions and their use in authentication and set equality,”
Journalof Computer and System Sciences , vol. 22, no. 3, pp. 265 – 279, 1981., vol. 22, no. 3, pp. 265 – 279, 1981.