# Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

## Presentation on theme: "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."— Presentation transcript:

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA To appear in CRYPTO 09

Learning Noisy Linear Functions Problem: find s s Z q n = +noise aiai bibi Z q n A s x n m + = b iid noise vector of rate

Learning-Parity-with-Noise (LPN): - q=2, Noise: Bernoulli with = ¼ Learning-with-Errors (LWE) [Reg05] : - q(n)=poly(n) typically prime - Gaussian noise w/mean 0 and std sqrt(q) Learning Noisy Linear Functions A s x n m + = b iid noise vector of rate Problem: find s -(q-1)/2 (q-1)/2 0

Assumption: Problem is computationally hard for all m=poly(n) Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] LPN is easy major breakthrough in Coding Theory LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09] Pros: Hardness of search problem, resists sub-exp & quantum attacks Learning Noisy Linear Functions A s x n m + = b Problem: find s

Problem has simple algebraic structure: almost linear function - exploited by [BFKL94, AIK07, D-TK-L09] Computable by simple (bit) operations (low hardware complexity) - exploited by [HB01,AIK04,JW05] Message of this talk: Very useful combination Why LWE/LPN ? rare combination A s x + = b

Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Fast pseudorandom objects from LPN - Pseudorandom generator in quasi-linear time - Oblivious weak randomized pseudorandom function Main Results

Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,U m ) Proof: [AIK07] Assume LPN By [GL89] cant approximate for a random r Use distinguisher D to compute hardcore bit given a random r -Given (A,b) and r {0,1} n choose v U m and apply D to (C=A-v·r T, b) b=As+x=Cs+vr T s+x=Cs+x+v = Pseudorandomness A s x + = b U m if =1 Cs+xif =0 r v vv + C

E key ( message;random )= ciphertext D key ( ciphertext )= message Security: Even if Adv gets information cannot break scheme. - CPA [GM82] :given oracle to E key () cant distinguish E k (m 1 ) from E k (m 2 ) What if Adv sees E k (msg) where msg depends on the key (KDM attack)? -E.g., E key (key) or E key (f(key)) or E k1 (k 2 ) and E k2 (k 1 ) Encryption Scheme message Enc ciphertext key randomness Enc key message

F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] Motivation: - disk encryption or key-management systems - anonymous credential systems via key cycles [CL01] - axiomatic security (reasoning about security via formal logic) [ABHS05] What about previous/standard schemes? - KDM attack lead to practical attacks (IEEE P1619) - Random oracle construction/text-book constructions are bad [HU08, HK07] - Black box separation of general KDM from trapdoor permutation [HH08] KDM / circular security

F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) [BHHO08] First circular public-key encryption under DDH - Get clique security + KDM for affine functions - But large computational/communication overhead - t-bit message requires t exponentiations (compare to El-Gamal) - ciphertext length: t group elements Our schemes: circular encryption under LPN/LWE - Get clique security + KDM for affine functions for free from standard schemes - Efficiency comparable to standard LWE/LPN schemes - t-bit message – Length O(t); Time: t·polylog(t) sym; t 2 ·polylog(t) public-key - Proofs of security follow the [BHHO08] approach KDM / circular security

Let G be a good linear error-correcting code with decoder for noise +0.1 Enc s (mes; A, err)= (A, As+err + G·mes) Dec s (A,y)= decoder(y-As) Semantic security follows from pseudorandomness Simple scheme originally from [Gilbert Robshaw Seurin08] - independently discovered by [A08,Dodis Tauman-Kalai Lovet 09] Scheme has nice statistical properties - entropic-security [DodisSmith05], weak leakage-resilient, error-correction Symmetric Scheme A S err + A, + G m

Use many different ss with the same A Quasi-linear Implementation A S err + A, + G m

Use many different ss with the same A Preserves pseudorandomness since A is public -Proof via Hybrid argument If matrices are very rectangular can multiply in quasi-linear time [Cop82] -E.g., t=n and m=n 6 Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption Quasi-linear Implementation A S Err + A n m, n t + G Mes

Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) - Proof: (A,y=As+err) (A-G,y)=(A,As+err+Gs) = E s (S) Clique Security

Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) Suppose that Adv break clique security (can ask for E Si (S k ) for all 1 i,k t) Construct B that breaks standard CPA security (w/r to single key S). B simulates Adv: choose t offsets 1,…, t and pretend that S i =S+ i - Simulate E si (S k ): get E s (0) E s (S) E s+ i (S) E s+ i (S+ k ) Clique Security

Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Rest of the talk

Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz To Decrypt (u,c): compute c- =f(z)+ and decode Security [R05,GPV08] : If b was truly random then (u,v) is random and get OTP Want: Plaintext Homomorphic, Self Referential, Key Homomorphic PH: let mes space be linear-subspace of Z q by taking q=p 2 so Z q =Z p Z p (Pseudorandomness holds as long as noise is sufficiently low) Regevs PKE A s x + = b A b r parity-check matrix = u v noise v= + + f(z) [GentryPeikertVaikuntanathan P V Waters08]

Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: (u,c) is not distributed properly: c= +err(u)+f(s 1 ) Sol: smoothen the ciphertext distribution s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err

Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: s 1 may not be in Z p Sol: Choose s with entries in Z p by sampling from Gaussian around (0 p/2) Security? s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err s

Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise 1.Get (A,b) s.t A is invertible A b

Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x Proof: = + = +e + + +e + - A -1 x Noise

Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x If (, ) are uniform then (, ) also uniform Hence distinguisher for LWE x yields a distinguisher for LWE s +e + - A -1 x Noise

Hardness of LWE with s Noise s Z q n A s x + = b Reduction generates invertible linear mapping f A,b :s x x Noise (A,b)

Hardness of LWE with s Noise s Z q n Reduction generates invertible linear mapping f A,b :s x Key Hom: get pks whose sks x 1,..,x k satisfy known linear-relation Together with prev properties get circular (clique) security Improve efficiency via amortized version of [PVW08] x 1 Noise (A 1,b 1 ) x k Noise (A k,b k )

LWE vs. LPN ? - LWE follows from worst-case lattice assumptions [Regev05, Peikert09] - LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] - LWE can be broken in NP co-NP unknown for LPN - LPN central in learning (complete for learning via Fourier) [FGKP06] Circular Security vs. Leakage Resistance ? - Current constructions coincident - LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09] - common natural ancestor? Open Questions

Download ppt "Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton."

Similar presentations