1 / 25

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems. Benny Applebaum , David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA. To appear in CRYPTO 09. =<a i ,s>+noise. a i. b i. s  Z q n.

quincy
Download Presentation

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit SahaiPrinceton University, Georgia Tech, SRI international, UCLA To appear in CRYPTO 09

  2. =<ai,s>+noise ai bi sZqn Learning Noisy Linear Functions Problem: find s n Zqn A s x b m = +  iid noise vector of rate 

  3. (q-1)/2 -(q-1)/2 0 Learning Noisy Linear Functions Problem: find s n A s x b m = +  iid noise vector of rate  • Learning-Parity-with-Noise (LPN): • - q=2, Noise: Bernoulli with  = ¼ • Learning-with-Errors (LWE) [Reg05]: • q(n)=poly(n) typically prime • Gaussian noise w/mean 0 and std  sqrt(q)

  4. Learning Noisy Linear Functions Problem: find s n A s x b m = +  • Assumption: Problem is computationally hard for all m=poly(n) • Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] • LPN is easy  major breakthrough in Coding Theory • LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09] • Pros: Hardness of search problem, resists sub-exp & quantum attacks

  5. A s x b = +  Why LWE/LPN ? • Problem has simple algebraic structure: “almost linear” function • - exploited by [BFKL94, AIK07, D-TK-L09] • Computable by simple (bit) operations (low hardware complexity) • exploited by [HB01,AIK04,JW05] • Message of this talk: Very useful combination rare combination

  6. Main Results • Fast circular secure encryption schemes • Symmetric encryption from LPN • Public-key encryption from LWE • Fast pseudorandom objects from LPN • - Pseudorandom generator in quasi-linear time • Oblivious weak randomized pseudorandom function

  7. r Pseudorandomness • Thm.[BFKL94] LPN  pseudorandomness (A,As+x)  (A,Um) • Proof: [AIK07] • Assume LPN  By [GL89] can’t approximate <s,r> for a random r • Use distinguisher D to compute hardcore bit <s,r> given a random r • Given (A,b) and r{0,1}n choose v Um and apply D to(C=A-v·rT, b) • b=As+x=Cs+vrTs+x=Cs+x+v<r,s>= Um if <r,s>=1 Cs+x if <r,s>=0 A s x b v v C v + = + 

  8. Encryption Scheme • Ekey(message;random)= ciphertext Dkey(ciphertext)= message • Security: Even if Adv gets information cannot break scheme. • CPA [GM82]:given oracle to Ekey() can’t distinguish Ek(m1) from Ek(m2) • What if Adv sees Ek(msg) where msg depends on thekey (KDM attack)? • E.g., Ekey(key) or Ekey(f(key)) or Ek1(k2) and Ek2(k1) randomness Enc Enc ciphertext message message key key

  9. KDM / circular security • F-KDM Security[BRS02]: Adv can ask for Ek(f(k)) for some fF • Circular security[CL01]: Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1) • Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] • Motivation: • disk encryption or key-management systems • anonymous credential systems via key cycles [CL01] • axiomatic security (reasoning about security via formal logic) [ABHS05] • What about previous/standard schemes? • KDM attack lead to practical attacks (IEEE P1619) • Random oracle construction/text-book constructions are bad [HU08, HK07] • Black box separation of general KDM from trapdoor permutation [HH08]

  10. KDM / circular security • F-KDM Security[BRS02]: Adv can ask for Ek(f(k)) for some fF • Circular security[CL01]: Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1) • [BHHO08] Firstcircular public-key encryption under DDH • -Get “clique” security + KDM for affine functions • But large computational/communication overhead • t-bit messagerequires t exponentiations (compare to El-Gamal) • ciphertext length: t group elements • Our schemes: circular encryption under LPN/LWE • Get “clique” security + KDM for affine functions for free from standard schemes • Efficiency comparable to standard LWE/LPN schemes • t-bit message – Length O(t);Time: t·polylog(t) sym;t2·polylog(t) public-key • Proofs ofsecurity follow the[BHHO08] approach

  11. Symmetric Scheme • Let G be a good linear error-correcting code with decoder for noise +0.1 • Encs(mes; A, err)= (A, As+err + G·mes) • Decs(A,y)= decoder(y-As) • Semantic security follows from pseudorandomness • Simple scheme originally from [Gilbert Robshaw Seurin08] • - independently discovered by [A08,Dodis Tauman-Kalai Lovet 09] • Scheme has nice statistical properties • - entropic-security [DodisSmith05], weak leakage-resilient, error-correction A S err A G m + + ,

  12. Quasi-linear Implementation • Use many different s’s with the same A A S err A G m + + ,

  13. Quasi-linear Implementation • Use many different s’s with the same A • Preserves pseudorandomness since A is public • Proof via Hybrid argument • If matrices are very rectangular can multiply in quasi-linear time [Cop82] • E.g., t=n and m=n6 • Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption t n n A S Err A G Mes m + + ,

  14. Clique Security • Encs(mes; A, err)= (A, As+err + G·mes ) • Decs(A,y)= decoder(y-As) • Thm. Scheme is circular (clique) secure and KDM w/r to affine functions • Proof: • Useful properties: • Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’) • Key homomorphic:Given S’ and Es(M) can compute Es+s’(M) • Self referential: Given Es(0) can compute Es(S) • Proof: (A,y=As+err) (A-G,y)=(A’,A’s+err+Gs) = Es(S)

  15. Clique Security • Encs(mes; A, err)= (A, As+err + G·mes ) • Decs(A,y)= decoder(y-As) • Thm. Scheme is circular (clique) secure and KDM w/r to affine functions • Proof: • Useful properties: • Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’) • Key homomorphic:Given S’ and Es(M) can compute Es+s’(M) • Self referential: Given Es(0) can compute Es(S) • Suppose that Adv break clique security (can ask for ESi(Sk) for all 1i,kt) • Construct B that breaks standard CPA security (w/r to single key S). • B simulates Adv: choose t offsets 1,…, t andpretend that Si=S+i • - Simulate Esi(Sk): get Es(0)  Es(S)  Es+ i(S)  Es+ i(S+ k)

  16. Rest of the talk • Fast circular secure encryption schemes • Symmetric encryption from LPN • Public-key encryption from LWE

  17. [GentryPeikertVaikuntanathan P V Waters08] Regev’s PKE • Public-key: (A,b)ZqnmZqm Secret-key: s Zqn • Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz • ToDecrypt (u,c): compute c-<s,u>=f(z)+<x,r> and decode • Security [R05,GPV08]: If b was truly random then (u,v) is random and get OTP • Want:Plaintext Homomorphic,Self Referential,Key Homomorphic • PH: let mes space be linear-subspace of Zq by taking q=p2 so Zq=ZpZp (Pseudorandomness holds as long as noise is sufficiently low) b A x s + =  A r u b = + v f(z)  v=<s,u>+<x,r> “parity-check” matrix noise

  18. Self Reference • Public-key: (A,b)ZqnmZqm Secret-key: s Zqn • Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz • Can we convert E(0) to E(s1)? • Given (u,c=<s,u>+<x,r>)  (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g • Problem: (u’,c) is not distributed properly: c= <s,u’>+err(u)+f(s1) • Sol: smoothen the ciphertext distribution b A x s + =  A r u b = + + + v e f(z) +e  <s,u>+err  v=<s,u>+<x,r> “parity-check” matrix noise err err

  19. Self Reference • Public-key: (A,b)ZqnmZqm Secret-key: s Zqn • Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz • Can we convert E(0) to E(s1)? • Given (u,c=<s,u>+<x,r>)  (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g • Problem: s1 may not be in Zp • Sol: Choose s with entries in Zp by sampling from Gaussian around (0p/2) • Security? b A x s s + =  A r u b = + + + v e f(z) +e  <s,u>+err  v=<s,u>+<x,r> “parity-check” matrix noise err err

  20. A b sZqn Hardness of LWE with sNoise • Convert standard LWE to LWE with sNoise • Get (A,b) s.t A is invertible x A s b + =

  21. xNoise sZqn Hardness of LWE with sNoise • Convert standard LWE to LWE with sNoise • If (,)LWEs then (’,’) LWEx • Proof: ’= +<’,b> • = <,s>+e + <’,As>+<’,x> • = <,s>+e + <-A-1,As>+<’,x> -A-1 +<’,b> <,s>+e ’ ’   x A s b + =

  22. xNoise sZqn Hardness of LWE with sNoise • Convert standard LWE to LWE with sNoise • If (,)LWEs then (’,’) LWEx • If (,) are uniform then (’,’) also uniform • Hence distinguisher for LWEx yields a distinguisher for LWEs -A-1 +<’,b> <,s>+e ’ ’   x A s b + =

  23. sZqn xNoise Hardness of LWE with sNoise • Reduction generates invertible linear mapping fA,b:s  x (A,b) x A s b + =

  24. sZqn x1Noise xkNoise Hardness of LWE with sNoise • Reduction generates invertible linear mapping fA,b:s  x • Key Hom: getpk’s whose sk’s x1,..,xk satisfy known linear-relation • Together with prev properties get circular (clique) security • Improve efficiency via amortized version of [PVW08] (Ak,bk)   (A1,b1)

  25. Open Questions • LWE vs. LPN ? • LWE follows from worst-case lattice assumptions [Regev05, Peikert09] • LWE many important crypto applications [GPV08,PVW08,PW08,CPS09] • LWE can be broken in “NP co-NP” unknown for LPN • LPN central in learning (“complete” for learning via Fourier) [FGKP06] • Circular Security vs.Leakage Resistance? • Current constructions coincident • LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09] • common natural ancestor?

More Related