circular security for symmetric key bit encryption from
play

Circular Security for Symmetric Key Bit Encryption from LWE Rishab - PowerPoint PPT Presentation

Oct 03, 2023 •171 likes •1.07k views

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

  1. Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters

  2. n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1 (0) Enc PK1 (SK 2 ) 1 1 n n 2 2 Enc PK2 (0) Enc PK2 (SK 3 ) n - 1 n - 1 3 3

  3. n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PK1 (SK 2 ) Enc PK1 (0) Enc PK2 (SK 3 ) Enc PK1 (0) . . . . . . Enc PKn (SK 1 ) Enc PKn (0)

  4. Does IND-CPA imply n-Circular Security?

  5. Separations: n-Circular Security • n = 1 (Folklore)

  6. Separations: n-Circular Security • n = 1 (Folklore) • n = 2 • Bilinear Groups [A car B elenkiy B ellare C ash 10, C ash G reen H ohenberger 12] • LWE [B ishop H ohenberger W aters 15] • n ≥ 3 • Obfuscation [K oppula R amchen W aters 15, M arcedone O rlandi 14] • LWE [K oppula W aters 16, A lamati P eikert 16]

  7. Can we bypass these negative results?

  8. Can we bypass these negative results? They do seem to use the full key!

  9. Can we bypass these negative results? They do seem to use the full key! What if we encrypt bit-by-bit?

  10. Can we bypass these negative results? They do seem to use the full key! What if we encrypt bit-by-bit? Separations don’t hold!

  11. Does IND-CPA imply Circular Security for bit encryption?

  12. Prior Results K oppula R amchen W aters 15 R othblum 12 iO M-Maps

  13. Our Result LWE Theorem. ∃ IND-CPA secure symmetric key bit encryption scheme E such that it is not 1 -circular secure.

  14. LWE with Short Secrets [R egev 05 , A pplebaum C ash P eikert S ahai 09]

  15. Lattice Trapdoors [G entry P eikert V aikuntanathan 08 … ] • •

  16. Lattice Trapdoors [G entry P eikert V aikuntanathan 08 … ] • • Short matrix s.t.

  17. Lattice Trapdoors [G entry P eikert V aikuntanathan 08 … ] • • Short matrix s.t.

  18. Cycle Testers [B ishop H ohenberger W aters 15] • • •

  19. Cycle Testers [B ishop H ohenberger W aters 15] • • •

  20. Cycle Testers [B ishop H ohenberger W aters 15] • • • Correctness Test and distinguishes

  21. Cycle Testers [B ishop H ohenberger W aters 15] IND-CPA Security • • • Correctness Test and distinguishes

  22. Preview Matrices and Trapdoors

  23. Preview Matrices and Trapdoors

  24. Preview Matrices and Trapdoors Position

  25. Preview 1. Checks if encrypt . ( Ignores ) 2. Assumes encrypts for position .

  26. Preview 1. Checks if encrypt . ( Ignores ) 2. Assumes encrypts for position . Problem setting LWE parameters!

  27. Preview: Strand Structure ( 𝜇 = 3 )

  28. Preview: Strand Structure ……… …… …… …… …… ………

  29. Setup

  30. Setup ……… …… …… …… ………

  31. Setup ……… …… …… …… ………

  32. Setup ……… …… …… …… ………

  33. Setup Level 𝜇 ……… …… …… …… Level 2 ……… Level 1 Base

  34. Enc(bit b , pos i ) ……… …… …… …… ………

  35. Enc(bit b , pos i ) ……… …… …… …… ………

  36. Enc(bit b , pos i ) ………

  37. Enc(bit b , pos i ) ………

  38. Enc(bit b , pos i ) ………

  39. Enc(bit b , pos i ) ………

  40. Enc(bit b , pos i ) ……… …… …… …… ………

  41. Enc(bit b , pos i ) ………

  42. Enc(bit b , pos i ) ………

  43. Enc(bit b , pos i ) ………

  44. Enc(bit b , pos i ) ……… Computed as before

  45. Enc(bit b , pos i ) ………

  46. Oblivious Sequence Transform • Problem •

  47. Oblivious Sequence Transform • Problem •

  48. Oblivious Sequence Transform • Problem •

  49. Oblivious Sequence Transform • Problem • • Solution

  50. Enc(bit b , pos i ) ………  

  51. Enc(bit b , pos i ) ……… …… …… …… ………

  52. Enc(bit b , pos i ) ……… High Level Structure in encryption of bit 𝑐 for position 𝑗 …… …… …… chooses a sub-strand in 𝑗 th strand. ………

  53. Test Encrypt s ………

  54. Test ……… …… …… …… ……… ……… ………

  55. Test ……… …… …… …… …… ……… ……… ………

  56. Test ……… …… …… …… …… ……… ……… ………

  57. Test ……… …… …… …… …… ……… ……… ………

  58. Test ……… …… …… …… …… …… ……… ……… ………

  59. Test ……… …… …… …… …… …… ……… ……… ………

  60. Proof Sketch: IND-CPA Game 0 ……… …… …… …… ………

  61. Proof Sketch: IND-CPA Game 0 ……… …… …… …… Game 1 ………

  62. s chosen Proof Sketch: IND-CPA randomly and hidden ! Game 0 ……… …… …… …… LHL Game 1 ………

  63. Proof Sketch: IND-CPA Random Short Matrices Position- 𝜇 Position-( 𝜇 -1) Position-( 𝜇 -1) … ……… ……… ……… ……… Position-1 Position-1 Game 𝜇 Game 1 Game 2

  64. Proof Sketch: IND-CPA …

  65. Proof Sketch: IND-CPA …

  66. Proof Sketch: IND-CPA LWE …

  67. Proof Sketch: IND-CPA LWE …

  68. Proof Sketch: IND-CPA LWE … Pre-Image

  69. Proof Sketch: IND-CPA LWE … Pre-Image

  70. Setting Parameters?? For Correctness For Security Error Leftover Hash Accumulation Lemma

  71. Setting Parameters?? For Correctness For Security Error Leftover Hash Accumulation Lemma Problem. For LHL: # Strands > log 𝑟 . Error Accumulation: # Levels < log 𝑟 . Current Design: Strands = Levels.

  72. Setting Parameters?? For Correctness For Security Error Leftover Hash Accumulation Lemma Problem. For LHL: # Strands > log 𝑟 . Error Accumulation: # Levels < log 𝑟 . Current Design: Strands = Levels. New Design: # Strands = PRG output length.

  73. Review ……… …… …… …… …… ………

  74. Review ……… Looks like a Branching Program that …… …… …… …… computes Identity ! ………

  75. Relieving the Tension Problem. For LHL: # Strands > log 𝑟 . Error Accumulation: # Levels < log 𝑟 . Current Design: Strands = Levels. New Design: # Strands = PRG output length.

  76. Relieving the Tension Problem. For LHL: # Strands > log 𝑟 . Error Accumulation: # Levels < log 𝑟 . Current Design: Strands = Levels. New Design: # Strands = PRG output length.

  77. Relieving the Tension Problem. For LHL: # Strands > log 𝑟 . Error Accumulation: # Levels < log 𝑟 . Current Design: Strands = Levels. New Design: # Strands = PRG output length. Encode and Evaluate a PRG!

  78. High Level Structure: Encoding PRG ……… …… …… ……… ……… ………

  79. Conclusions and Open Problems • Bit Encryption - Circular security separation • First from standard assumptions • Technical Contributions • Oblivious sequence transformation • Encoding log-depth PRG for reduction to LWE • Fixed-input BPs for consistent cascading • Novel technique to encode and hide BPs using lattice trapdoors

  80. Conclusions and Open Problems • Bit Encryption - Circular security separation • First from standard assumptions • Symmetric Key • Technical Contributions • Oblivious sequence transformation • Encoding log-depth PRG for reduction to LWE • Fixed-input BPs for consistent cascading • Novel technique to encode and hide BPs using lattice trapdoors

  81. Conclusions and Open Problems • Bit Encryption - Circular security separation Public Key Setting? • First from standard assumptions • Symmetric Key • Technical Contributions • Oblivious sequence transformation • Encoding log-depth PRG for reduction to LWE • Fixed-input BPs for consistent cascading • Novel technique to encode and hide BPs using lattice Can these techniques be used trapdoors elsewhere?

  82. Conclusions and Open Problems • Bit Encryption - Circular security separation Public Key Setting? • First from standard assumptions • Symmetric Key • Technical Contributions • Oblivious sequence transformation • Encoding log-depth PRG for reduction to LWE • Fixed-input BPs for consistent cascading • Novel technique to encode and hide BPs using lattice Can these techniques be used trapdoors elsewhere?

  83. Lockable Obfuscation [GK oppula W aters 17] • • • Correctness:

  84. Lockable Obfuscation [GK oppula W aters 17] • • • Security:

  85. Our Result [GK oppula W aters 17] • Lockable Obfuscation • All poly sized circuits* • Secure under LWE • Applications • Attribute-Based Encryption  1-sided Predicate Encryption • Circular Security Separations (Bit Encryption, Unbounded, … ) • Random Oracle Uninstantiability (Fujisaki-Okamoto, … ) • Broadcast Encryption  Anonymous Broadcast Encryption • Rejecting Indistinguishability Obfuscator (riO) • …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security Circular Security Q: Is it in general safe to encrypt your own key? A: For some schemes (e.g. [BHHO08,ACPS09] ) yes but in general No! Circular

545 views • 33 slides
Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular encryption (E, D) a symmetric cipher. k 1 , k 2 two keys. Which of the following is safe to publish? c E k 1 (k

573 views • 13 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap First, Symmetric Key Encryption Defining the problem Well do it elaborately, so that it will be easy to see different levels of security 2

1.67k views • 136 slides
Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

CSC 4103 - Operating Systems Symmetric Encryption Spring 2007 Same key used to encrypt and decrypt E ( k ) can be derived from D ( k ), and vice versa Lecture - XXI DES is most commonly used symmetric block-encryption algorithm

496 views • 4 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides
Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) Story So Far We defined (passive) security of Symmetric Key Encryption (SKE)

1.13k views • 67 slides
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct decryption requirement More

1.19k views • 53 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Network and Communications Security (IN3210/IN4210) Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key exchange Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... ....

831 views • 63 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
Verifying Object Construction How to use the builder pattern with the type safety of constructors

Verifying Object Construction How to use the builder pattern with the type safety of constructors

Verifying Object Construction How to use the builder pattern with the type safety of constructors Martin Kellogg a , Manli Ran b , Manu Sridharan b , Martin Schf c , Michael D. Ernst a,c a University of Washington b University of California,

849 views • 55 slides
Hybrid Systems Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture

Hybrid Systems Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture

Hybrid Systems Modeling, Analysis and Control Radu Grosu Vienna University of Technology Lecture 10 HA with Affine Dynamics Flows of continuous variables: x = A x + B u Invariants and guards: A x c Actions: x : = A x Symbolic

671 views • 43 slides
Types of Correspondence Problems and Data Sets 1 1 Correspondence Registration 2

Types of Correspondence Problems and Data Sets 1 1 Correspondence Registration 2

Types of Correspondence Problems and Data Sets 1 1 Correspondence Registration 2 Correspondence Problem Classification How many meshes? Two: Pairwise registration More than two: multi-view registration Initial registration

565 views • 23 slides
Neural Topological SLAM for Visual Navigation CVPR-2020 Webpage:

Neural Topological SLAM for Visual Navigation CVPR-2020 Webpage:

Neural Topological SLAM for Visual Navigation CVPR-2020 Webpage: https://devendrachaplot.github.io/projects/Neural-Topological-SLAM Abhinav Ruslan Devendra Singh Saurabh Gupta Salakhutdinov Gupta Chaplot Semantic Priors and

821 views • 55 slides
201ab Quantitative methods Visualization E D V UL | UCSD Psychology Visualization failure

201ab Quantitative methods Visualization E D V UL | UCSD Psychology Visualization failure

201ab Quantitative methods Visualization E D V UL | UCSD Psychology Visualization failure modes Cool vs informative visualizations Ways graphs can mislead Making a graph pretty ggplot: grammar of graphics E D V UL | UCSD

871 views • 68 slides
Graphics Writing Functions Marco Chiarandini Department of Mathematics &amp; Computer Science

Graphics Writing Functions Marco Chiarandini Department of Mathematics &amp; Computer Science

FF505/FY505 Computational Science Lecture 3 Graphics Writing Functions Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Graphics Random Number Generators Outline Functions 1. Graphics 2D

584 views • 36 slides
WS Calibration Program and GUI in python 18/11/2014 Carolina Bianchini BE-BI-BL Outline Wire

WS Calibration Program and GUI in python 18/11/2014 Carolina Bianchini BE-BI-BL Outline Wire

WS Calibration Program and GUI in python 18/11/2014 Carolina Bianchini BE-BI-BL Outline Wire scanner calibration Old vs New method GUI: Interface Elements Behind the code How to use the GUI to generate Calibration Executable file

388 views • 35 slides
Preliminary Results of LIGO-ALLEGRO Stochastic Background Search John T. Whelan

Preliminary Results of LIGO-ALLEGRO Stochastic Background Search John T. Whelan

Whelan for LSC &amp; ALLEGRO: prelim LIGO-ALLEGRO SB results LIGO-G060605-04-Z p.1 Preliminary Results of LIGO-ALLEGRO Stochastic Background Search John T. Whelan john.whelan@ligo.org on behalf of the LIGO Scientific Collaboration and the

437 views • 31 slides

More recommend