Circular Security for Symmetric Key Bit Encryption from LWE Rishab - - PowerPoint PPT Presentation

circular security for symmetric key bit encryption from
SMART_READER_LITE
LIVE PREVIEW

Circular Security for Symmetric Key Bit Encryption from LWE Rishab - - PowerPoint PPT Presentation

Oct 03, 2023 171 likes •1.07k views

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

slide-1
SLIDE 1

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE

Rishab Goyal Venkata Koppula Brent Waters

slide-2
SLIDE 2

n-Circular Security [CamenischLysyanskya01]

EncPK1(SK2) EncPKn(SK1)

1 2 n - 1 n 3

PK1 PKn . . . EncPK2(SK3) PK1 PKn . . . EncPK1(0) EncPKn(0)

1 2 n - 1 n 3

EncPK2(0)

slide-3
SLIDE 3

n-Circular Security [CamenischLysyanskya01]

PK1 PKn EncPK1(SK2) EncPKn(SK1) . . . . . . PK1 PKn EncPK1(0) EncPKn(0) . . . . . . EncPK2(SK3) EncPK1(0)

slide-4
SLIDE 4

Does IND-CPA imply n-Circular Security?

slide-5
SLIDE 5

Separations: n-Circular Security

  • n = 1 (Folklore)
slide-6
SLIDE 6

Separations: n-Circular Security

  • n = 1 (Folklore)
  • n = 2
  • Bilinear Groups [AcarBelenkiyBellareCash10, CashGreenHohenberger12]
  • LWE [BishopHohenbergerWaters15]
  • n ≥ 3
  • Obfuscation [KoppulaRamchenWaters15, MarcedoneOrlandi14]
  • LWE [KoppulaWaters16, AlamatiPeikert16]
slide-7
SLIDE 7

Can we bypass these negative results?

slide-8
SLIDE 8

Can we bypass these negative results? They do seem to use the full key!

slide-9
SLIDE 9

Can we bypass these negative results? They do seem to use the full key! What if we encrypt bit-by-bit?

slide-10
SLIDE 10

Can we bypass these negative results? They do seem to use the full key! What if we encrypt bit-by-bit? Separations don’t hold!

slide-11
SLIDE 11

Does IND-CPA imply Circular Security for bit encryption?

slide-12
SLIDE 12

Prior Results iO

M-Maps

KoppulaRamchenWaters15 Rothblum12

slide-13
SLIDE 13

Our Result

  • Theorem. ∃ IND-CPA secure symmetric

key bit encryption scheme E such that it is not 1-circular secure. LWE

slide-14
SLIDE 14

LWE with Short Secrets

[Regev05, ApplebaumCashPeikertSahai09]

slide-15
SLIDE 15
  • Lattice Trapdoors [GentryPeikertVaikuntanathan08…]
slide-16
SLIDE 16
  • Lattice Trapdoors [GentryPeikertVaikuntanathan08…]

Short matrix s.t.

slide-17
SLIDE 17
  • Lattice Trapdoors [GentryPeikertVaikuntanathan08…]

Short matrix s.t.

slide-18
SLIDE 18

Cycle Testers [BishopHohenbergerWaters15]

slide-19
SLIDE 19

Cycle Testers [BishopHohenbergerWaters15]

slide-20
SLIDE 20

Cycle Testers [BishopHohenbergerWaters15]

  • Test

distinguishes

Correctness

and

slide-21
SLIDE 21

Cycle Testers [BishopHohenbergerWaters15]

  • Test

distinguishes

Correctness

and

IND-CPA Security

slide-22
SLIDE 22

Preview

Matrices and Trapdoors

slide-23
SLIDE 23

Preview

Matrices and Trapdoors

slide-24
SLIDE 24

Preview

Matrices and Trapdoors Position

slide-25
SLIDE 25

Preview

  • 1. Checks if

encrypt . (Ignores )

  • 2. Assumes encrypts for

position .

slide-26
SLIDE 26

Preview

  • 1. Checks if

encrypt . (Ignores )

  • 2. Assumes encrypts for

position . Problem setting LWE parameters!

slide-27
SLIDE 27

Preview: Strand Structure (𝜇 = 3)

slide-28
SLIDE 28

Preview: Strand Structure

…… …… …… …… ……… ………

slide-29
SLIDE 29

Setup

slide-30
SLIDE 30

Setup

…… …… …… ……… ………

slide-31
SLIDE 31

Setup

…… …… …… ……… ………

slide-32
SLIDE 32

Setup

…… …… …… ……… ………

slide-33
SLIDE 33

Setup

…… …… …… ……… ………

Base Level 1 Level 2 Level 𝜇

slide-34
SLIDE 34

Enc(bit b, pos i)

…… …… …… ……… ………

slide-35
SLIDE 35

Enc(bit b, pos i)

…… …… …… ……… ………

slide-36
SLIDE 36

Enc(bit b, pos i)

………

slide-37
SLIDE 37

Enc(bit b, pos i)

………

slide-38
SLIDE 38

Enc(bit b, pos i)

………

slide-39
SLIDE 39

Enc(bit b, pos i)

………

slide-40
SLIDE 40

Enc(bit b, pos i)

…… …… …… ……… ………

slide-41
SLIDE 41

Enc(bit b, pos i)

………

slide-42
SLIDE 42

Enc(bit b, pos i)

………

slide-43
SLIDE 43

Enc(bit b, pos i)

………

slide-44
SLIDE 44

Enc(bit b, pos i)

………

Computed as before

slide-45
SLIDE 45

Enc(bit b, pos i)

………

slide-46
SLIDE 46

Oblivious Sequence Transform

  • Problem
slide-47
SLIDE 47

Oblivious Sequence Transform

  • Problem
slide-48
SLIDE 48

Oblivious Sequence Transform

  • Problem
slide-49
SLIDE 49

Oblivious Sequence Transform

  • Problem
  • Solution
slide-50
SLIDE 50

Enc(bit b, pos i)

………

 

slide-51
SLIDE 51

Enc(bit b, pos i)

…… …… …… ……… ………

slide-52
SLIDE 52

Enc(bit b, pos i)

…… …… …… ……… ………

High Level Structure in encryption of bit 𝑐 for position 𝑗 chooses a sub-strand in 𝑗th strand.

slide-53
SLIDE 53

Test

Encrypt s

………

slide-54
SLIDE 54

Test

…… …… …… ……… ……… ……… ………

slide-55
SLIDE 55

Test

…… …… …… ……… …… ……… ……… ………

slide-56
SLIDE 56

Test

…… …… …… ……… …… ……… ……… ………

slide-57
SLIDE 57

Test

…… …… …… ……… …… ……… ……… ………

slide-58
SLIDE 58

Test

…… …… …… ……… …… ……… ……… ……… ……

slide-59
SLIDE 59

Test

…… …… …… ……… …… ……… ……… ……… ……

slide-60
SLIDE 60

Proof Sketch: IND-CPA

Game 0

…… …… …… ……… ………

slide-61
SLIDE 61

Proof Sketch: IND-CPA

Game 0 Game 1

…… …… …… ……… ………

slide-62
SLIDE 62

Proof Sketch: IND-CPA

Game 0 Game 1

LHL

…… …… …… ……… ………

s chosen

randomly and hidden!

slide-63
SLIDE 63

Proof Sketch: IND-CPA

Position-1 Position-𝜇

………

Position-(𝜇-1)

Random Short Matrices

………

Position-1

………

Position-(𝜇-1)

………

Game 1 Game 2 Game 𝜇

slide-64
SLIDE 64

Proof Sketch: IND-CPA

slide-65
SLIDE 65

Proof Sketch: IND-CPA

slide-66
SLIDE 66

Proof Sketch: IND-CPA

LWE

slide-67
SLIDE 67

Proof Sketch: IND-CPA

LWE

slide-68
SLIDE 68

Proof Sketch: IND-CPA

LWE Pre-Image

slide-69
SLIDE 69

Proof Sketch: IND-CPA

LWE Pre-Image

slide-70
SLIDE 70

Setting Parameters??

For Correctness For Security Error Accumulation Leftover Hash Lemma

slide-71
SLIDE 71

Setting Parameters??

For Correctness For Security Error Accumulation Leftover Hash Lemma Problem. For LHL: #Strands > log 𝑟 . Error Accumulation: #Levels < log 𝑟 . Current Design: Strands = Levels.

slide-72
SLIDE 72

Setting Parameters??

For Correctness For Security Error Accumulation Leftover Hash Lemma Problem. For LHL: #Strands > log 𝑟 . Error Accumulation: #Levels < log 𝑟 . Current Design: Strands = Levels. New Design: #Strands = PRG output length.

slide-73
SLIDE 73

Review

…… …… …… …… ……… ………

slide-74
SLIDE 74

Review

…… …… …… …… ……… ………

Looks like a Branching Program that computes Identity!

slide-75
SLIDE 75

Relieving the Tension

Problem. For LHL: #Strands > log 𝑟 . Error Accumulation: #Levels < log 𝑟 . Current Design: Strands = Levels. New Design: #Strands = PRG output length.

slide-76
SLIDE 76

Relieving the Tension

Problem. For LHL: #Strands > log 𝑟 . Error Accumulation: #Levels < log 𝑟 . Current Design: Strands = Levels. New Design: #Strands = PRG output length.

slide-77
SLIDE 77

Relieving the Tension

Encode and Evaluate a PRG! Problem. For LHL: #Strands > log 𝑟 . Error Accumulation: #Levels < log 𝑟 . Current Design: Strands = Levels. New Design: #Strands = PRG output length.

slide-78
SLIDE 78

High Level Structure: Encoding PRG

…… …… ……… ……… ……… ………

slide-79
SLIDE 79

Conclusions and Open Problems

  • Bit Encryption - Circular security separation
  • First from standard assumptions
  • Technical Contributions
  • Oblivious sequence transformation
  • Encoding log-depth PRG for reduction to LWE
  • Fixed-input BPs for consistent cascading
  • Novel technique to encode and hide BPs using lattice

trapdoors

slide-80
SLIDE 80

Conclusions and Open Problems

  • Bit Encryption - Circular security separation
  • First from standard assumptions
  • Symmetric Key
  • Technical Contributions
  • Oblivious sequence transformation
  • Encoding log-depth PRG for reduction to LWE
  • Fixed-input BPs for consistent cascading
  • Novel technique to encode and hide BPs using lattice

trapdoors

slide-81
SLIDE 81

Conclusions and Open Problems

  • Bit Encryption - Circular security separation
  • First from standard assumptions
  • Symmetric Key
  • Technical Contributions
  • Oblivious sequence transformation
  • Encoding log-depth PRG for reduction to LWE
  • Fixed-input BPs for consistent cascading
  • Novel technique to encode and hide BPs using lattice

trapdoors

Can these techniques be used elsewhere? Public Key Setting?

slide-82
SLIDE 82

Conclusions and Open Problems

  • Bit Encryption - Circular security separation
  • First from standard assumptions
  • Symmetric Key
  • Technical Contributions
  • Oblivious sequence transformation
  • Encoding log-depth PRG for reduction to LWE
  • Fixed-input BPs for consistent cascading
  • Novel technique to encode and hide BPs using lattice

trapdoors

Can these techniques be used elsewhere? Public Key Setting?

slide-83
SLIDE 83

Lockable Obfuscation [GKoppulaWaters17]

  • Correctness:
slide-84
SLIDE 84

Lockable Obfuscation [GKoppulaWaters17]

  • Security:
slide-85
SLIDE 85

Our Result [GKoppulaWaters17]

  • Lockable Obfuscation
  • All poly sized circuits*
  • Secure under LWE
  • Applications
  • Attribute-Based Encryption  1-sided Predicate Encryption
  • Circular Security Separations (Bit Encryption, Unbounded, …)
  • Random Oracle Uninstantiability (Fujisaki-Okamoto, …)
  • Broadcast Encryption  Anonymous Broadcast Encryption
  • Rejecting Indistinguishability Obfuscator (riO)
slide-86
SLIDE 86

Our Result [GKoppulaWaters17]

ePrint: 2017/274

Concurrent [WichsZirdelis17]

  • Lockable Obfuscation
  • All poly sized circuits*
  • Secure under LWE
  • Applications
  • Attribute-Based Encryption  1-sided Predicate Encryption
  • Circular Security Separations (Bit Encryption, Unbounded, …)
  • Random Oracle Uninstantiability (Fujisaki-Okamoto, …)
  • Broadcast Encryption  Anonymous Broadcast Encryption
  • Rejecting Indistinguishability Obfuscator (riO)
slide-87
SLIDE 87

Thank you! Questions?

slide-88
SLIDE 88

1-Cycle Tester

  • Choose key pair , string s

Compute = obfuscation of Output

iO Lockable

slide-89
SLIDE 89