Download presentation

Presentation is loading. Please wait.

Published byParis Tatton Modified over 2 years ago

1
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA To appear in CRYPTO 09

2
Learning Noisy Linear Functions Problem: find s s Z q n = +noise aiai bibi Z q n A s x n m + = b iid noise vector of rate

3
Learning-Parity-with-Noise (LPN): - q=2, Noise: Bernoulli with = ¼ Learning-with-Errors (LWE) [Reg05] : - q(n)=poly(n) typically prime - Gaussian noise w/mean 0 and std sqrt(q) Learning Noisy Linear Functions A s x n m + = b iid noise vector of rate Problem: find s -(q-1)/2 (q-1)/2 0

4
Assumption: Problem is computationally hard for all m=poly(n) Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] LPN is easy major breakthrough in Coding Theory LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09] Pros: Hardness of search problem, resists sub-exp & quantum attacks Learning Noisy Linear Functions A s x n m + = b Problem: find s

5
Problem has simple algebraic structure: almost linear function - exploited by [BFKL94, AIK07, D-TK-L09] Computable by simple (bit) operations (low hardware complexity) - exploited by [HB01,AIK04,JW05] Message of this talk: Very useful combination Why LWE/LPN ? rare combination A s x + = b

6
Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Fast pseudorandom objects from LPN - Pseudorandom generator in quasi-linear time - Oblivious weak randomized pseudorandom function Main Results

7
Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,U m ) Proof: [AIK07] Assume LPN By [GL89] cant approximate for a random r Use distinguisher D to compute hardcore bit given a random r -Given (A,b) and r {0,1} n choose v U m and apply D to (C=A-v·r T, b) b=As+x=Cs+vr T s+x=Cs+x+v = Pseudorandomness A s x + = b U m if =1 Cs+xif =0 r v vv + C

8
E key ( message;random )= ciphertext D key ( ciphertext )= message Security: Even if Adv gets information cannot break scheme. - CPA [GM82] :given oracle to E key () cant distinguish E k (m 1 ) from E k (m 2 ) What if Adv sees E k (msg) where msg depends on the key (KDM attack)? -E.g., E key (key) or E key (f(key)) or E k1 (k 2 ) and E k2 (k 1 ) Encryption Scheme message Enc ciphertext key randomness Enc key message

9
F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] Motivation: - disk encryption or key-management systems - anonymous credential systems via key cycles [CL01] - axiomatic security (reasoning about security via formal logic) [ABHS05] What about previous/standard schemes? - KDM attack lead to practical attacks (IEEE P1619) - Random oracle construction/text-book constructions are bad [HU08, HK07] - Black box separation of general KDM from trapdoor permutation [HH08] KDM / circular security

10
F-KDM Security [BRS02] : Adv can ask for E k (f(k)) for some f F Circular security [CL01] : Adv can ask for E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) [BHHO08] First circular public-key encryption under DDH - Get clique security + KDM for affine functions - But large computational/communication overhead - t-bit message requires t exponentiations (compare to El-Gamal) - ciphertext length: t group elements Our schemes: circular encryption under LPN/LWE - Get clique security + KDM for affine functions for free from standard schemes - Efficiency comparable to standard LWE/LPN schemes - t-bit message – Length O(t); Time: t·polylog(t) sym; t 2 ·polylog(t) public-key - Proofs of security follow the [BHHO08] approach KDM / circular security

11
Let G be a good linear error-correcting code with decoder for noise +0.1 Enc s (mes; A, err)= (A, As+err + G·mes) Dec s (A,y)= decoder(y-As) Semantic security follows from pseudorandomness Simple scheme originally from [Gilbert Robshaw Seurin08] - independently discovered by [A08,Dodis Tauman-Kalai Lovet 09] Scheme has nice statistical properties - entropic-security [DodisSmith05], weak leakage-resilient, error-correction Symmetric Scheme A S err + A, + G m

12
Use many different ss with the same A Quasi-linear Implementation A S err + A, + G m

13
Use many different ss with the same A Preserves pseudorandomness since A is public -Proof via Hybrid argument If matrices are very rectangular can multiply in quasi-linear time [Cop82] -E.g., t=n and m=n 6 Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption Quasi-linear Implementation A S Err + A n m, n t + G Mes

14
Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) - Proof: (A,y=As+err) (A-G,y)=(A,As+err+Gs) = E s (S) Clique Security

15
Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: Useful properties: - Plaintext homomorphic: Given M and E s (M) can compute E s (M+M) - Key homomorphic: Given S and E s (M) can compute E s+s (M) - Self referential: Given E s (0) can compute E s (S) Suppose that Adv break clique security (can ask for E Si (S k ) for all 1 i,k t) Construct B that breaks standard CPA security (w/r to single key S). B simulates Adv: choose t offsets 1,…, t and pretend that S i =S+ i - Simulate E si (S k ): get E s (0) E s (S) E s+ i (S) E s+ i (S+ k ) Clique Security

16
Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE Rest of the talk

17
Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz To Decrypt (u,c): compute c- =f(z)+ and decode Security [R05,GPV08] : If b was truly random then (u,v) is random and get OTP Want: Plaintext Homomorphic, Self Referential, Key Homomorphic PH: let mes space be linear-subspace of Z q by taking q=p 2 so Z q =Z p Z p (Pseudorandomness holds as long as noise is sufficiently low) Regevs PKE A s x + = b A b r parity-check matrix = u v noise v= + + f(z) [GentryPeikertVaikuntanathan P V Waters08]

18
Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: (u,c) is not distributed properly: c= +err(u)+f(s 1 ) Sol: smoothen the ciphertext distribution s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err

19
Public-key: (A,b) Z q n m Z q m Secret-key: s Z q n Encrypt z Z p Z q by (u,v+f(z)) where f: Z p Z q is linear ECC, i.e., f(z)=gz Can we convert E(0) to E(s 1 ) ? Given (u,c= + ) (u,c) where u=u-(g,0,…,0) and c= + +s 1 g Problem: s 1 may not be in Z p Sol: Choose s with entries in Z p by sampling from Gaussian around (0 p/2) Security? s Self Reference A x + = b A b r parity-check matrix = u v + f(z) v= + noise e + + +e +err err s

20
Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise 1.Get (A,b) s.t A is invertible A b

21
Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x Proof: = + = +e + + +e + - A -1 x Noise

22
Hardness of LWE with s Noise s Z q n A s x + = b Convert standard LWE to LWE with s Noise If (, ) LWE s then (, ) LWE x If (, ) are uniform then (, ) also uniform Hence distinguisher for LWE x yields a distinguisher for LWE s +e + - A -1 x Noise

23
Hardness of LWE with s Noise s Z q n A s x + = b Reduction generates invertible linear mapping f A,b :s x x Noise (A,b)

24
Hardness of LWE with s Noise s Z q n Reduction generates invertible linear mapping f A,b :s x Key Hom: get pks whose sks x 1,..,x k satisfy known linear-relation Together with prev properties get circular (clique) security Improve efficiency via amortized version of [PVW08] x 1 Noise (A 1,b 1 ) x k Noise (A k,b k )

25
LWE vs. LPN ? - LWE follows from worst-case lattice assumptions [Regev05, Peikert09] - LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] - LWE can be broken in NP co-NP unknown for LPN - LPN central in learning (complete for learning via Fourier) [FGKP06] Circular Security vs. Leakage Resistance ? - Current constructions coincident - LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09] - common natural ancestor? Open Questions

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google