
Multilinear Maps and Their Applications, Mark Zhandry, Stanford University - PowerPoint PPT Presentation



  1. Multilinear Maps and Their Applications Mark Zhandry – Stanford University

  2. Diffie-Hellman Key Exchange Exchange keys over a public channel: • Public group , generator , order

  3. (Potential) Hard Problems in Groups • Discrete Log (DL): • Computational Diffie-Hellman (CDH): • Decisional Diffie-Hellman (DDH): • Many Others: – Decision Linear (DLIN):

  4. Uses of Diffie-Hellman • Two party key exchange • Encryption • Signatures • …

  5. 3-Way Diffie-Hellman?

  6. 3-Way Diffie-Hellman Problem: Need way to multiply and Solution [Joux ’00]: Use bilinear maps • Bilinear group: group with bilinear map

  7. 3-Way Diffie-Hellman?

  8. Potential Hard Problems in Bilinear Groups • DL, CDH, DLIN • DDH? • Bilinear DDH: • Many Others – Bilinear Diffie-Hellman Exponent – Subgroup Decision – …

  9. Uses of Bilinear Maps • Identity-Based Encryption • Broadcast Encryption w/ short ciphertexts • Traitor Tracing w/ short ciphertexts • Short Signatures • Threshold Signatures • Somewhat Homomorphic Encryption • …

  10. 4-Way Diffie Hellman?

  11. Multilinear Maps Many groups: • Generators Source group: , Pairing: ( ) • Often write Gives multilinear map:

  12. Potential Hard Problems in Multilinear Groups • DL, CDH, generalization of DLIN • Multilinear DDH: • ML-CDH for all – ML-DDH easy for all • Many others: – Subgroup Decision – Multilinear DH Exponent

  13. Potential Applications Or: Imagine what we could do…

  14. N-Way Key Exchange

  15. Broadcast Encryption • Alice wants to broadcast a message • Only a subset of players should decrypt ✓ ✓ ✓ • Will build via constrained PRFs

  16. PRFs Keyed functions that look like random functions All or Nothing: • Given , can eval at all • Without , indistinguishable from random

  17. Constrained PRFs [BW ’13] Given set of inputs, give “constrained key” : can compute on all points : Goal: allow interesting sets

  18. Example: GGM Constrained keys = values of nodes x 0 ⟶ x 1 ⟶ x 2 ⟶ Constrained sets = sets with same prefix

  19. Other Possible Set Systems Left/Right: • Left sets: for fixed • Right sets: for fixed Bit-fixing: • Sets correspond to • Can eval at all that agree with ( wildcard) Example: Circuit Predicates

  20. Bit-Fixing PRF Construction Use multilinear map Setup: • Choose random • Choose random • Secret key: Function:

  21. Bit-Fixing PRF Construction Constrain: • Input • Let • •

  22. Bit-Fixing PRF Construction Eval: • • Pair with to get output

  23. Broadcast Encryption from Bit-Fixing PRFs Setup: • Generate a Bit-Fixing PRF with key • For each player , compute: where , for Encrypt to a subset of players: • Let • Use symmetric cipher with key

  24. Policy-Based Key Agreement ✓ ✓ ✓ Shared secret key Build from constrained PRFs for circuit predicates

  25. Other Applications of Multilinear Maps • Attribute-Based Encryption • Witness Encryption • Obfuscation • Functional Encryption • …

  26. Rest of Talk Two recent candidates for multilinear maps • From ideal lattices • Over the integers Not true multilinear maps • Randomized • Noisy May still be used in many applications

  27. Relaxation: Graded Encodings Scalar  Level 0 encoding of  Level 1 encoding of  Level 2 encoding of … Graded encoding schemes: encoding not unique • Ring : set of level encodings of

  28. Relaxation: Graded Encodings Requirements: Pairing Equivalent: • Add same level encodings • Multiply encodings (as long as )

  29. The GGH Construction

  30. Notation : reduce mod : principal ideal generated by Properties: • , • “short”  , “short”

  31. The GGH Construction • “short” , secret, “short” • • • secret, not short • Level encoding of : , “short”

  32. Encoding Operations • Addition: Proof: “short”

  33. Encoding Operations • Multiplication: Proof: “short”

  34. Generating Level 0 Encodings Level 0 encoding of : short Problem: can’t encode coset w/o knowing Resolution: sample coset by sampling short rep Fact: Sample “short” from appropriate distribution  coset close to uniform

  35. Moving to Higher Levels Need operation where Problem: is secret Solution: publish level 1 encoding of , “short” To move to level 1:

  36. Moving to Higher Levels Insecure: by dividing by Solution: rerandomize • Publish many level 1 encodings of 0: , “short” To move to level 1: , “small”

  37. Testing for Equality Need to be able to test equality • Suffices to test if level encoding encodes 0 Solution: publish “zero test” parameter “somewhat small” Test if is “small”

  38. Testing for Equality If encodes 0: (Multiplication over ) “short”

  39. Testing for Equality If encodes non-zero: Thm [GGH] : If , then is large w.h.p.

  40. Extraction Each party needs to agree on same value • But have different encoding of same element Solution: Use zero-test parameter • If encode same value, is “short” • agree on most-significant bits

  41. Extraction To extract at level : • Collect most-significant bits of • Apply strong randomness extractor to get uniform bit string

  42. What needs to be a secret? • : otherwise DL is easy • : compute Given level 1 encoding Compute No , so can “divide mod ” – Obtain , “short”

  43. What needs to be a secret? • : compute Pick randomizer “short” Compute Now we have level 2k zero tester!  Can solve MLDDH

  44. Security of GGH • No security proof from standard assumptions – Instead: extensive cryptanalysis • Supposed hard problems: – Discrete Log – Multilinear DDH • Easy problems: – Decision Linear – Subgroup Decision

  45. Efficiency of GGH • Parameterized by security , level • All encodings represented as elements in • For functionality, need (at minimum) • For security, need – Implies • Size of encodings:

  46. Efficiency of GGH • Size of encodings: • Size of public parameters: – Level 1 encoding of 1 – level 1 encodings of 0 ( for rerandomization) – Zero tester Total public parameter size: • Even larger for some applications

  47. The CLT Construction

  48. The CLT Construction , component-wise add/mult Let vector of primes “short” , secret vector of primes secret, not short

  49. Over the Integers Let CRT isomorphism: Apply to scheme: random Level encoding of : s.t. small

  50. Secrets? Need same secrets as GGH: What about the primes? • Factorization of known  1D problem • Look at what happens mod p • GGH zero tester, encodings of 0, 1:

  51. Secrets? Combine: Compute for many , GCD  Compute for many , GCD   From easy to compute For security, must keep primes secret!

  52. Other Changes Keeping primes secret introduces several issues: • Generating level 0 encodings Must generate integer such that is short Cannot sample without knowing ! Solution: publish many level 0 encodings of random values – To sample, take random subset sums

  53. Other Changes Keeping primes secret introduces several issues: • Zero testing: GGH zero tester: Level encoding of 0:

  54. Zero Testing Multiply GGH zero tester with encoding of 0: Product is “short” mod , but we can’t test! Instead, want product to be “short” mod

  55. CRT Isomorphism Coefficient of >> • Small do not give small Need to cancel out some the coefficient

  56. Zero Testing Solution: new zero tester Multiply with encoding of zero: CRT:

  57. Zero Testing Thm [CLT] : If does not encode 0, then whp

  58. Security of CLT • Just like GGH, no security proof from standard assumptions • Supposed hard problems: – Discrete Log – Multilinear DH – Decision Linear? – Subgroup Decision?

  59. Efficiency of CLT All encodings elements of Size of encodings same as GGH: Public params: • Asymptotically same: • CLT offer some heuristics to reduce size

  60. Open Problems • From standard assumptions • Remove secrets – Necessary to remove trusted setup from key exchange – How to remove zero tester? • More Efficient?
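
Slide 18's GGM example (constrained keys are tree-node values, constrained sets are inputs sharing a prefix), written out as an added sketch that is not code from the talk. HMAC-SHA256 stands in for the length-doubling PRG, and the 8-bit input length, the `MASTER` key and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

N_BITS = 8  # assumed input length for this demo


def prg(seed):
    """Length-doubling PRG: one node value -> (left child, right child)."""
    return (hmac.new(seed, b"\x00", hashlib.sha256).digest(),
            hmac.new(seed, b"\x01", hashlib.sha256).digest())


def walk(node, bits):
    """Descend the GGM tree from `node`, one level per bit of `bits`."""
    if set(bits) - {"0", "1"}:
        raise ValueError("inputs are bit strings")
    for b in bits:
        node = prg(node)[int(b)]
    return node


def evaluate(key, x):
    """Full-key evaluation: the PRF output is the leaf reached by x."""
    if len(x) != N_BITS:
        raise ValueError("wrong input length")
    return walk(key, x)


def constrain(key, prefix):
    """Constrained key = (prefix, value of the tree node at that prefix)."""
    if len(prefix) > N_BITS:
        raise ValueError("prefix longer than input")
    return prefix, walk(key, prefix)


def narrow(ckey, longer):
    """A constrained key can be restricted further, never widened."""
    prefix, node = ckey
    if len(longer) > N_BITS or not longer.startswith(prefix):
        raise ValueError("can only narrow within the authorised prefix")
    return longer, walk(node, longer[len(prefix):])


def eval_constrained(ckey, x):
    """Evaluate with a constrained key; None for inputs outside its prefix set."""
    prefix, node = ckey
    if len(x) != N_BITS or not x.startswith(prefix):
        return None  # the key holder has no node on this input's path
    return walk(node, x[len(prefix):])


# Constructed demo key; a real key would come from a CSPRNG.
MASTER = hashlib.sha256(b"constructed demo key").digest()
```

A key for prefix `10` agrees with the master key on every input starting with `10`, and the one-wayness of the PRG is what keeps sibling subtrees out of reach.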
