Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Published byJayce Hockley Modified over 10 years ago

Similar presentations

Presentation on theme: "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."— Presentation transcript:

1 Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA CRYPTO 2009

2 Learning Noisy Linear Functions Problem: find s s Z 2 n = +noise aiai bibi Z 2 n A s x n m + = b iid noise vector of rate e.g., =1/4 Extension to larger moduli: Learning-with-Errors (LWE) [Reg05] : - Z q where q(n)=poly(n) is typically prime - Gaussian noise w/mean 0 and std sqrt(q) -(q-1)/2 (q-1)/2 0 Learning Parity with Noise (LPN)

3 Assumption: LWE/LPN is computationally hard for all m=poly(n) Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] Pros: - Reduction from worst-case Lattice problems [Reg05,Peik09] - Hardness of search problem - So far resists sub-exp & quantum attacks Learning Noisy Linear Functions A s x n m + = b Problem: find s

4 Problem has simple algebraic structure: almost linear function - exploited by [BFKL94, AIK07, D-TK-L09] Computable by simple (bit) operations (low hardware complexity) - exploited by [HB01,AIK04,JW05] Message of this talk: Very useful combination Why LWE/LPN ? rare combination A s x + = b

5 Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Main Results Fast pseudorandom objects from LPN - Pseudorandom generator G:{0,1} n {0,1} 2n in quasi-linear time - Oblivious weak randomized pseudorandom function This talk:

6 Security: Even if Adv gets information cannot break scheme. - CPA [GM82] :given oracle to E key () cant distinguish E k (m 1 ) from E k (m 2 ) What if Adv sees E k (msg) where msg depends on the key (KDM attack)? -E.g., E key (key) or E key (f(key)) or E k1 (k 2 ) and E k2 (k 1 ) Encryption Scheme message Enc ciphertext key randomness Dec key message

7 F-KDM Security [BlackRogawayShrimpton02] : Adv gets E k (f(k)) for f F Circular security [CamenischLysyanskaya01] : Adv gets E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) Can we achieve KDM/circular security? many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] natural question also arises in: - disk encryption or key-management systems - anonymous credential systems via key cycles [CL01] - axiomatic security [AdaoBanaHerzogScedrov05] - Gentrys fully homomorphic scheme [Gen09] non-trivial to achieve: - some ciphers become insecure under KDM attacks (e.g.,AES in LRW mode) - random oracle constructions are problematic [HofheintzUnruh08,HaleviKrawczyk07] - cant get KDM from trapdoor permutation in a black-box way [HaitnerHolenstein08] KDM / circular security [BHHO08]: Yes, we can !

8 [BonehHaleviHamburgOstrovsky08] First circular public-key scheme from DDH - Get clique security + KDM for affine functions - But large computational/communication overhead - t-bit message: Time: t exponentiations (compare to El-Gamal) Communication: t group elements Our schemes: circular encryption under LPN/LWE - Get clique security + KDM for affine functions - Proofs of security follow the [BHHO08] approach - Circular security comes for free from standard schemes - Efficiency comparable to standard LWE/LPN schemes - t-bit message: Time: symmetric case: t·polylog(t); public-key: t 2 ·polylog(t) Communication: O(t) bits. BHHO Scheme vs. Our Scheme

9 Symmetric Scheme from LPN

10 Let G be a good linear error-correcting code with decoder for noise +0.1 Enc s (mes; A, err)= (A, As+err + G·mes) Dec s (A,y)= decoder(y-As) Natural scheme originally from [GilbertRobshawSeurin08] - independently discovered by [A08,DodisTauman-KalaiLovet09] Also obtain amortized version with quasilinear implementation (See paper) Symmetric Scheme A s err + A, + G keymessage u randomness Good Error-Correcting-Code

11 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (u+v) Clique Security (A, As+err) +G v+G (u+v) +G u

12 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) Clique Security (A, +err+Gu) +A rA (s+r) A s

13 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) - Self referential: Given E s (0) can compute E s (s) (A, As +err) = (A, +err) =(A, As +err + Gs) = E s (s) Clique Security -G As (A+G)s

14 Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) - Self referential: Given E s (0) can compute E s (s) Suppose that Adv break clique security (can ask for E Si (S k ) for all 1 i,k t) Construct B that breaks standard CPA security (w/r to single key S). B simulates Adv: choose t offsets 1,…, t and pretend that S i =S+ i - Simulate E si (S k ): get E s (0) E s (S) E s+ i (S) E s+ i (S+ k ) Clique Security

15 Public-key Scheme from LWE

16 Public-key: A Z q n m, b Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u Z q n,c Z q ) To Decrypt (u,c): compute c- =g mes+err and decode CPA Security in [Regev05, GentryPeikertVaikuntanathan08] Want: Plaintext homomorphic, Self referential, Key homomorphic Regevs Scheme - [GPV-PVW08] variant (u, +err+g (message)) A s x + = b message Enc public-key randomness random vector fixed linear ECC distribution over low-weight elements

17 Public-key: A Z q n m, b Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u Z q n,c Z q ) To Decrypt (u,c): compute c- =g mes+err and decode CPA Security in [Regev05, GentryPeikertVaikuntanathan08] Want: Plaintext homomorphic, Self referential, Key homomorphic Regevs Scheme - [GPV-PVW08] variant (u, +err+g (message)) A s x + = b message Enc public-key randomness random vector fixed linear ECC distribution over low-weight elements

18 s Public-key: A Z q n m, b Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u Z q n,c Z q ) Can we convert E(0) to E(s 1 ) ? Can use prev ideas (up to some technicalities) but… Problem: s 1 may not be in Z p Sol: Choose s with entries in Z p by sampling from Gaussian around (0 p/2) Security: we show how to convert standard LWE to LWE with s Noise Self Reference (u, +err+g (message)) A s x + = b message Enc public-key randomness

19 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise 1.Get (A,b) s.t A is invertible A b

20 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x Proof: = + = +e + + +e + -A -1 x Noise

21 Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x If (, ) are uniform then (, ) also uniform Hence distinguisher for LWE x yields a distinguisher for LWE s +e + - A -1 x Noise

22 Hardness of LWE with s Noise s Z q n A s x + = b Reduction generates invertible linear mapping f A,b :s x x Noise (A,b)

23 Hardness of LWE with s Noise s Z q n Reduction generates invertible linear mapping f A,b :s x Key Hom: get pks whose sks x 1,..,x k satisfy known linear-relation Together with prev properties get circular (clique) security Improve efficiency via amortized version of [PVW08] x 1 Noise (A 1,b 1 ) x k Noise (A k,b k )

24 LWE vs. LPN ? - LWE follows from worst-case lattice assumptions [Regev05, Peikert09] - LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] - LWE can be broken in NP co-NP unknown for LPN - LPN central in learning (complete for learning via Fourier) [FeldmanGopalanKhotPonnuswami06] Circular Security vs. Leakage Resistance ? - Current constructions coincident - LPN/Regev/BHHO constructions resist key-leakage [AkaviaGoldwasserVaikuntanathan09, DodisKalaiLovett09, NaorSegev09] - common natural ancestor? Open Questions

25 Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=az To Decrypt (u,c): compute c- =f(z)+ and decode Security [R05,GPV] : If b was truly random then (u,v) is random and get OTP Want: Plaintext homomorphic, Self referential, Key homomorphic Plaintext hom: let message space be subgroup of Z q by taking q=p 2 Regevs Scheme - [GPV-PVW08] variant A s x + = b A b r parity-check matrix = u v noise v= + + f(z)

26 Pseudorandom Generator (PRG) Rand Src. G(s) Uniform Poly-time machine random seed s Pseudorandom or Random? stretch G Can be constructed from any one-way function [HILL90] Stretch of 1 bit Stretch of polynomially many bits [BM-Y, GM84]

27 Pseudorandom generator G:{0,1} n {0,1} 2n At least (n) circuit size Can we get low overhead of O(n) or n ·polylog(n) ? - natural question - [IKOS08] PRG with low overhead low-overhead cryptography e.g., PK-encryption in time O(|message|), for sufficiently large message. Circuit Complexity of PRGs Time (circuit size)AssumptionConstruction n·Time(G)>n 2 1-bit PRG G [BM84, GM84] More than n 2 Number Theoretic [Gen00,DRV02, DN02] n2n2 LPN [BFKL94, FS96] nsparse-LPN (non-standard) [AIK06] n· polylog(n)LPN (standard) This work

28 Pseudorandom generator G:{0,1} n {0,1} 2n Can we get low overhead of O(n) or n ·polylog(n) ? - natural question - [IKOS08] PRG with low overhead low-overhead cryptography e.g., PK-encryption in time O(|message|), for sufficiently large message. Circuit Complexity of PRGs Time (circuit size)AssumptionConstruction n·Time(G)>n 2 1-bit PRG G [BlumMicali84, GoldreichMicali84] More than n 2 Number Theoretic [Genarro00, DedicReyzinVadhan02, DamgardNielsen02] n2n2 LPN [BlumFurstKearnsLipton94, FischerStern96] nsparse-LPN (non-standard) [A-IshaiKushilevitz06] n· polylog(n)LPN (standard) This work

29 BFKL generator: G(A, s, r)= (A,As+ Err(r)) input: nm+n+mH 2 ( ) output: nm+mstretch: m(1-n/m - H 2 ( )) Efficiency: only bit operations ! Bottleneck 1: at least (mn) due to matrix-vector multiplication Bottleneck 2: Sampling Err(r) (with low randomness complexity) takes time [FischerStern96] : quadratic time on a RAM machine The [BFKL] generator (A,s,r) BFKL PRG: A s E(r) + A n m,

30 BFKL generator: G(A, s, r)= (A,As+ Err(r)) Bottleneck 1: at least (mn) due to matrix-vector multiplication Sol: Amortization Use many different ss with the same A Preserves pseudorandomness since A is public -Proof via Hybrid argument If matrices are very rectangular can multiply in quasi-linear time [Cop82] - E.g., t=n and m=n 6 Solving 1: Amortization A S E(r) + (A,S,r) A n m, PRG: n t

31 Bottleneck 2: Sampling noise w/low randomness takes O(n 2 ) Sol: [AIK06] Samp(r)= (err, leftover) PRG G(A,S,r)= (A, AS+err, leftover) How to sample w/leftovers? - If =1/4 partition r to pairs and let err i = r 2i-1 r 2i - r has a lot of entropy given err, so can extract the leftover - Can get linear time with leftover of linear length G has linear stretch and computable in quasi-linear time Solving 2: Sampling with leftovers r Samp err leftover

32 LWE vs. LPN ? - LWE follows from worst-case lattice assumptions [Regev05, Peikert09] - LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] - LWE can be broken in NP co-NP unknown for LPN - LPN central in learning (complete for learning via Fourier) [FGKP06] Circular Security vs. Leakage Resistance ? - Current constructions coincident - LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09] - common natural ancestor? Open Questions

33 DRLC is useful for private-key primitives that need - fast hardware implementation - special homomorphic properties Find more crypto application for DRLC - collision resistance hash-functions - public-key crypto [Alekh03] uses m=O(n), =sqrt(n) Conclusion and Open Questions

Download ppt "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.
Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.

Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.

Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.
Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Lattice-Based Cryptography. Cryptographic Hardness Assumptions Factoring is hard Discrete Log Problem is hard  Diffie-Hellman problem is hard  Decisional.

Similar presentations

Ads by Google