Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Published byParis Tatton Modified over 10 years ago

Similar presentations

Presentation on theme: "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."— Presentation transcript:

1 Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA To appear in CRYPTO 09

2 Learning Noisy Linear Functions Problem: find s s Z q n = +noise aiai bibi Z q n A s x n m + = b iid noise vector of rate

3 Learning-Parity-with-Noise (LPN): - q=2, Noise: Bernoulli with = ¼ Learning-with-Errors (LWE) [Reg05] : - q(n)=poly(n) typically prime - Gaussian noise w/mean 0 and std sqrt(q) Learning Noisy Linear Functions A s x n m + = b iid noise vector of rate Problem: find s -(q-1)/2 (q-1)/2 0

4 Assumption: Problem is computationally hard for all m=poly(n) Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] LPN is easy major breakthrough in Coding Theory LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09] Pros: Hardness of search problem, resists sub-exp & quantum attacks Learning Noisy Linear Functions A s x n m + = b Problem: find s

5 Problem has simple algebraic structure: almost linear function - exploited by [BFKL94, AIK07, D-TK-L09] Computable by simple (bit) operations (low hardware complexity) - exploited by [HB01,AIK04,JW05] Message of this talk: Very useful combination Why LWE/LPN ? rare combination A s x + = b

6 Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Fast pseudorandom objects from LPN - Pseudorandom generator in quasi-linear time - Oblivious weak randomized pseudorandom function Main Results

7 Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,U m ) Proof: [AIK07] Assume LPN By [GL89] cant approximate for a random r Use distinguisher D to compute hardcore bit given a random r -Given (A,b) and r {0,1} n choose v U m and apply D to (C=A-v·r T, b) b=As+x=Cs+vr T s+x=Cs+x+v = Pseudorandomness A s x + = b U m if =1 Cs+xif =0 r v vv + C

8 E key ( message;random )= ciphertext D key ( ciphertext )= message Security: Even if Adv gets information cannot break scheme. - CPA [GM82] :given oracle to E key () cant distinguish E k (m 1 ) from E k (m 2 ) What if Adv sees E k (msg) where msg depends on the key (KDM attack)? -E.g., E key (key) or E key (f(key)) or E k1 (k 2 ) and E k2 (k 1 ) Encryption Scheme message Enc ciphertext key randomness Enc key message

9 F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] Motivation: - disk encryption or key-management systems - anonymous credential systems via key cycles [CL01] - axiomatic security (reasoning about security via formal logic) [ABHS05] What about previous/standard schemes? - KDM attack lead to practical attacks (IEEE P1619) - Random oracle construction/text-book constructions are bad [HU08, HK07] - Black box separation of general KDM from trapdoor permutation [HH08] KDM / circular security

10 F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) [BHHO08] First circular public-key encryption under DDH - Get clique security + KDM for affine functions - But large computational/communication overhead - t-bit message requires t exponentiations (compare to El-Gamal) - ciphertext length: t group elements Our schemes: circular encryption under LPN/LWE - Get clique security + KDM for affine functions for free from standard schemes - Efficiency comparable to standard LWE/LPN schemes - t-bit message – Length O(t); Time: t·polylog(t) sym; t 2 ·polylog(t) public-key - Proofs of security follow the [BHHO08] approach KDM / circular security

11 Let G be a good linear error-correcting code with decoder for noise +0.1 Enc s (mes; A, err)= (A, As+err + G·mes) Dec s (A,y)= decoder(y-As) Semantic security follows from pseudorandomness Simple scheme originally from [Gilbert Robshaw Seurin08] - independently discovered by [A08,Dodis Tauman-Kalai Lovet 09] Scheme has nice statistical properties - entropic-security [DodisSmith05], weak leakage-resilient, error-correction Symmetric Scheme A S err + A, + G m

12 Use many different ss with the same A Quasi-linear Implementation A S err + A, + G m

13 Use many different ss with the same A Preserves pseudorandomness since A is public -Proof via Hybrid argument If matrices are very rectangular can multiply in quasi-linear time [Cop82] -E.g., t=n and m=n 6 Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption Quasi-linear Implementation A S Err + A n m, n t + G Mes

14 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) - Proof: (A,y=As+err) (A-G,y)=(A,As+err+Gs) = E s (S) Clique Security

15 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) Suppose that Adv break clique security (can ask for E Si (S k ) for all 1 i,k t) Construct B that breaks standard CPA security (w/r to single key S). B simulates Adv: choose t offsets 1,…, t and pretend that S i =S+ i - Simulate E si (S k ): get E s (0) E s (S) E s+ i (S) E s+ i (S+ k ) Clique Security

16 Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Rest of the talk

17 Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz To Decrypt (u,c): compute c- =f(z)+ and decode Security [R05,GPV08] : If b was truly random then (u,v) is random and get OTP Want: Plaintext Homomorphic, Self Referential, Key Homomorphic PH: let mes space be linear-subspace of Z q by taking q=p 2 so Z q =Z p Z p (Pseudorandomness holds as long as noise is sufficiently low) Regevs PKE A s x + = b A b r parity-check matrix = u v noise v= + + f(z) [GentryPeikertVaikuntanathan P V Waters08]

18 Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: (u,c) is not distributed properly: c= +err(u)+f(s 1 ) Sol: smoothen the ciphertext distribution s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err

19 Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: s 1 may not be in Z p Sol: Choose s with entries in Z p by sampling from Gaussian around (0 p/2) Security? s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err s

20 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise 1.Get (A,b) s.t A is invertible A b

21 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x Proof: = + = +e + + +e + - A -1 x Noise

22 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x If (, ) are uniform then (, ) also uniform Hence distinguisher for LWE x yields a distinguisher for LWE s +e + - A -1 x Noise

23 Hardness of LWE with s Noise s Z q n A s x + = b Reduction generates invertible linear mapping f A,b :s x x Noise (A,b)

24 Hardness of LWE with s Noise s Z q n Reduction generates invertible linear mapping f A,b :s x Key Hom: get pks whose sks x 1,..,x k satisfy known linear-relation Together with prev properties get circular (clique) security Improve efficiency via amortized version of [PVW08] x 1 Noise (A 1,b 1 ) x k Noise (A k,b k )

25 LWE vs. LPN ? - LWE follows from worst-case lattice assumptions [Regev05, Peikert09] - LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] - LWE can be broken in NP co-NP unknown for LPN - LPN central in learning (complete for learning via Fourier) [FGKP06] Circular Security vs. Leakage Resistance ? - Current constructions coincident - LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09] - common natural ancestor? Open Questions

Download ppt "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.

Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations

Ads by Google