fast cryptographic primitives circular secure encryption
play

Fast Cryptographic Primitives & Circular-Secure Encryption - PowerPoint PPT Presentation

Oct 28, 2022 •22 likes •352 views

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA CRYPTO 2009 Learning Noisy Linear

  1. Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international, UCLA CRYPTO 2009

  2. Learning Noisy Linear Functions Learning Parity with Noise (LPN) Problem: find s n n ∈ Z 2 ∈ ∈ ∈ a i b i =<a i ,s>+noise s m = + A x b ε ε ε ε n s ∈ ∈ ∈ Z 2 ∈ iid noise vector of rate ε ε ε ε e.g., ε ε ε =1/4 ε • Extension to larger moduli: Learning-with-Errors (LWE) [Reg05] : - Z q where q(n)=poly(n) is typically prime - Gaussian noise w/mean 0 and std ≈ sqrt(q) (q-1)/2 -(q-1)/2 0

  3. Learning Noisy Linear Functions Problem: find s n s m = + A x b ε ε ε ε • Assumption: LWE/LPN is computationally hard for all m=poly(n) • Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93, Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…] • Pros: - Reduction from worst-case Lattice problems [Reg05,Peik09] - Hardness of search problem - So far resists sub-exp & quantum attacks

  4. Why LWE/LPN ? • Problem has simple algebraic structure: “almost linear” function - exploited by [BFKL94, AIK07, D-TK-L09] rare • Computable by simple (bit) operations (low hardware complexity) combination - exploited by [HB01,AIK04,JW05] • Message of this talk: Very useful combination s + = A x b ε ε ε ε

  5. Main Results This talk: • Fast circular secure encryption schemes - Symmetric encryption from LPN - Public-key encryption from LWE • Fast pseudorandom objects from LPN - Pseudorandom generator G:{0,1} n → {0,1} 2n in quasi-linear time - Oblivious weak randomized pseudorandom function

  6. Encryption Scheme • Security: Even if Adv gets information cannot break scheme. - CPA [GM82] :given oracle to E key () can’t distinguish E k (m 1 ) from E k (m 2 ) • What if Adv sees E k (msg) where msg depends on the key (KDM attack)? -E.g., E key (key) or E key (f(key)) or E k1 (k 2 ) and E k2 (k 1 ) randomness message ciphertext Enc Dec message key key

  7. KDM / circular security F-KDM Security [BlackRogawayShrimpton02] : Adv gets E k (f(k)) for f ∈ F Circular security [CamenischLysyanskaya01] : Adv gets E k1 (k 2 ), E k2 (k 3 )…, E ki (k 1 ) Can we achieve KDM/circular security? • many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08] • natural question also arises in: - disk encryption or key-management systems [BHHO08]: Yes, we can ! - anonymous credential systems via key cycles [CL01] - axiomatic security [AdaoBanaHerzogScedrov05] - Gentry’s fully homomorphic scheme [Gen09] • non-trivial to achieve: - some ciphers become insecure under KDM attacks (e.g.,AES in LRW mode) - random oracle constructions are problematic [HofheintzUnruh08,HaleviKrawczyk07] - can’t get KDM from trapdoor permutation in a black-box way [HaitnerHolenstein08]

  8. BHHO Scheme vs. Our Scheme • [BonehHaleviHamburgOstrovsky08] First circular public-key scheme from DDH - Get “clique” security + KDM for affine functions - But large computational/communication overhead - t-bit message: Time : t exponentiations (compare to El-Gamal) Communication : t group elements • Our schemes: circular encryption under LPN/LWE - Get “clique” security + KDM for affine functions - Proofs of security follow the [BHHO08] approach - Circular security comes “for free” from standard schemes - Efficiency comparable to standard LWE/LPN schemes - t-bit message: Time : symmetric case: t·polylog(t); t 2 ·polylog(t) public-key: Communication : O(t) bits.

  9. Symmetric Scheme from LPN

  10. Symmetric Scheme • Let G be a good linear error-correcting code with decoder for noise ε +0.1 Enc s (mes; A, err)= (A, As+err + G·mes) Dec s (A,y)= decoder(y-As) • Natural scheme originally from [GilbertRobshawSeurin08] - independently discovered by [A08,DodisTauman-KalaiLovet09] • Also obtain amortized version with quasilinear implementation (See paper) randomness randomness key message s u + + A A err G , Good Error-Correcting-Code

  11. Clique Security Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: • Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (u+v) (A, As+err ) +G ⋅ (u+v) +G ⋅ u +G ⋅ v

  12. Clique Security Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: • Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) (A, +err+Gu ) A ⋅ (s+r) A ⋅ s +A ⋅ r

  13. Clique Security Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: • Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) - Self referential: Given E s (0) can compute E s (s) (A , As +err) -G = (A’ , +err) (A’+G)s As = (A’ , A’s +err + Gs) = E s (s)

  14. Clique Security Enc s (mes; A, err)= (A, As+err + G·mes ) Dec s (A,y)= decoder(y-As) Thm. Scheme is circular (clique) secure and KDM w/r to affine functions Proof: • Useful properties: - Plaintext homomorphic: Given E s (u) and v can compute E s (v+u) - Key homomorphic: Given E s (u) and r can compute E s+r (u) - Self referential: Given E s (0) can compute E s (s) • Suppose that Adv break clique security (can ask for E Si (S k ) for all 1 ≤ i,k ≤ t) • Construct B that breaks standard CPA security (w/r to single key S). • B simulates Adv: choose t offsets ∆ 1 ,…, ∆ t and pretend that S i =S+ ∆ i - Simulate E si (S k ): get E s (0) → E s (S) → E s+ ∆ i (S) → E s+ ∆ i (S+ ∆ k )

  15. Public-key Scheme from LWE

  16. Regev’s Scheme - [GPV-PVW08] variant n × m , b ∈ Z q m • Public-key: A ∈ Z q s n • Secret-key: s ∈ Z q A x b + = ε ε ε ε • Encrypt z ∈ Z p ⊂ Z q by (u ∈ Z q n ,c ∈ Z q ) fixed linear ECC random randomness vector (u, <s,u>+err+g ⋅ (message)) Enc message distribution over low-weight elements public-key • To Decrypt (u,c): compute c-<s,u>=g ⋅ mes+err and decode • CPA Security in [Regev05, GentryPeikertVaikuntanathan08] • Want: Plaintext homomorphic, Self referential, Key homomorphic

  17. Regev’s Scheme - [GPV-PVW08] variant n × m , b ∈ Z q m • Public-key: A ∈ Z q s n • Secret-key: s ∈ Z q A x b + = ε ε ε ε • Encrypt z ∈ Z p ⊂ Z q by (u ∈ Z q n ,c ∈ Z q ) fixed linear ECC random randomness vector (u, <s,u>+err+g ⋅ (message)) Enc message distribution over low-weight elements public-key • To Decrypt (u,c): compute c-<s,u>=g ⋅ mes+err and decode • CPA Security in [Regev05, GentryPeikertVaikuntanathan08] • Want: Plaintext homomorphic, Self referential , Key homomorphic

  18. Self Reference n × m , b ∈ Z q m • Public-key: A ∈ Z q s s n • Secret-key: s ∈ Z q A x b + = ε ε ε ε • Encrypt z ∈ Z p ⊂ Z q by (u ∈ Z q n ,c ∈ Z q ) randomness (u, <s,u>+err+g ⋅ (message)) Enc message public-key • Can we convert E(0) to E(s 1 ) ? • Can use prev ideas (up to some technicalities) but… • Problem: s 1 may not be in Z p • Sol: Choose s with entries in Z p by sampling from Gaussian around (0 ± p/2) • Security: we show how to convert standard LWE to LWE with s ← Noise

  19. Hardness of LWE with s ← Noise Convert standard LWE to LWE with s ← Noise 1. Get (A,b) s.t A is invertible A b n s ∈ ∈ Z q ∈ ∈ s A x b + =

  20. Hardness of LWE with s ← Noise Convert standard LWE to LWE with s ← Noise • If ( α , β ) ← LWE s then ( α ’, β ’) ← LWE x Proof: β ’= β +< α ’,b> = < α ,s>+e + < α ’,As>+< α ’,x> = < α ,s>+e + <-A -1 α ,As>+< α ’,x> -A -1 α β +< α ’,b> < α ,s>+e α α α α ’ β β β β ’ α α α α β β β β n s ∈ ∈ ∈ ∈ Z q x ∈ ∈ ∈ Noise ∈ A s x b + =

  21. Hardness of LWE with s ← Noise Convert standard LWE to LWE with s ← Noise • If ( α , β ) ← LWE s then ( α ’, β ’) ← LWE x • If ( α , β ) are uniform then ( α ’, β ’) also uniform • Hence distinguisher for LWE x yields a distinguisher for LWE s - α A -1 β +< α ’,b> < α ,s>+e α α α α ’ β β β β ’ α α α α β β β β n s ∈ ∈ ∈ ∈ Z q x ∈ ∈ ∈ Noise ∈ A s x b + =

  22. Hardness of LWE with s ← Noise • Reduction generates invertible linear mapping f A,b :s → x (A,b) n x ∈ ∈ ∈ ∈ Noise s ∈ ∈ Z q ∈ ∈ A s x b + =

  23. Hardness of LWE with s ← Noise • Reduction generates invertible linear mapping f A,b :s → x • Key Hom: get pk’s whose sk’s x 1 ,..,x k satisfy known linear-relation • Together with prev properties get circular (clique) security x k ∈ ∈ Noise ∈ ∈ (A k ,b k ) • • • • • • • • • • • • • • • • • • • • • • • • (A 1 ,b 1 ) n x 1 ∈ ∈ ∈ Noise ∈ s ∈ ∈ Z q ∈ ∈ • Improve efficiency via amortized version of [PVW08]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric

CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

779 views • 47 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness Extractors Story So Far Basic primitives for secure communication: Shared-Key Public-Key SKE PKE Encryption MAC

498 views • 17 slides
Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of

Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of

Constructions of feebly secure cryptographic primitives Olga Melanich Steklov Institute of Mathematics at St. Petersburg 3.10.2009 1 / 12 Basic definitions Notation B n , m = { f : B n B m } , where B = { 0 , 1 } . 2 / 12 Basic

605 views • 39 slides
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions

CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation Problem and

773 views • 39 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a

Theoretical Background on Cryptographic Primitives Bogdan Groza This material intends to be a brief introduction to symmetric and asymmetric cryptographic primitives, pointing out some relevant design principles and security properties.

532 views • 26 slides
Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and Technology (NTNU), Norway 2 Bergische Universitt Wuppertal, Germany 1 Colin Boyd 1 Gareth T. Davies 2 Kristian Gjsteen 1 Yao Jiang 1 Table of contents

578 views • 46 slides
Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP

Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP

Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP Semiconductors miroslav.knezevic@nxp.com January 25, 2016 School on Design for a Secure IoT, Tenerife, 2016 THINGS Smart Plugs 3. January 28, 2016

1.09k views • 86 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive &amp; Secure Computing Systems Lab Department of Electrical &amp; Computer Engineering Boston

964 views • 48 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL

Key-Robustness for Cryptographic Primitives ie 1 R azvan Ros 1 ENS, CNRS, INRIA &amp; PSL Research University, Paris, France ECRYPT-NET Summer School, Crete, Greece 12 th October 2017 R azvan Ros ie Key-Robustness for Cryptographic

949 views • 48 slides
Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular

Circular Encryption Dan Boneh Shai Halevi Mike Hamburg Rafi Ostrovsoky Circular encryption (E, D) a symmetric cipher. k 1 , k 2 two keys. Which of the following is safe to publish? c E k 1 (k

573 views • 13 slides
On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security

On the Circular Security of Bit Encryption Ron Rothblum Weizmann Institute Circular Security Circular Security Q: Is it in general safe to encrypt your own key? A: For some schemes (e.g. [BHHO08,ACPS09] ) yes but in general No! Circular

545 views • 33 slides
CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and

CryptoManiac: A Fast Flexible Architecture for Secure Communication Lisa Wu, Chris Weaver, and Todd Austin Presented by Dan Amelang Background Rise of the Internet created demand for fast and efficient cryptographic processing

309 views • 14 slides
Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s

Towards Standardization of Threshold Schemes for Cryptographic Primitives at NIST Lu s Brand ao Joint work with: Apostol Vassilev, Nicky Mouha, Michael Davidson The red dancing devil is from clker.com/clipart-13643.html National

2.04k views • 175 slides
Circular Economy: Connecting research, industry, and policy A background report f t for i initi

Circular Economy: Connecting research, industry, and policy A background report f t for i initi

Circular Economy How to connect policy, research and business May 10, 2019 , Fondazione Eni Enrico Mattei, Milano Circular Economy: Connecting research, industry, and policy A background report f t for i initi tiati tives d design Roberto

381 views • 23 slides
Power radiated in linear accelerators 1 In linear accelerators We need to evaluate the

Power radiated in linear accelerators 1 In linear accelerators We need to evaluate the

Power radiated in linear accelerators 1 In linear accelerators We need to evaluate the acceleration. Start from the momentum Thus the radiated power is Lighter particles are subject to higher loss P. Piot, PHYS 571 Fall 2007

159 views • 12 slides
Experiments and Optimal Results Experiments and Optimal Results f or Outerplanar Outerplanar

Experiments and Optimal Results Experiments and Optimal Results f or Outerplanar Outerplanar

Experiments and Optimal Results Experiments and Optimal Results f or Outerplanar Outerplanar Drawings of Graphs Drawings of Graphs f or EPSRC GR/S76694/01 GR/S76694/01 EPSRC Outerlanar Crossing Numbers(2003 Crossing Numbers(2003-

550 views • 32 slides
Matching the circular Wilson loop with dual open string solution at 1 -loop in strong coupling M.

Matching the circular Wilson loop with dual open string solution at 1 -loop in strong coupling M.

Matching the circular Wilson loop with dual open string solution at 1 -loop in strong coupling M. Kruczenski and A. Tirziu arXiv:0803.0315 [hep-th] Compute the 1 -loop correction to the effective action for the string solution ending on a

482 views • 22 slides
Saving space: a circular shift algorithm. Consider the problem of shifting the elements of a

Saving space: a circular shift algorithm. Consider the problem of shifting the elements of a

Saving space: a circular shift algorithm. Consider the problem of shifting the elements of a large array circularly by some significant distance. before section 1 section 2 after section 2 section 1 I emphasise size and distance,

468 views • 10 slides
1 REFLOWs Approach to Circular Economy Based on the REFLOW mission: &quot; To understand and

1 REFLOWs Approach to Circular Economy Based on the REFLOW mission: &quot; To understand and

Urban Circular Economy: how can we enable the transition towards circular and regenerative cities? Cristiana Parisi , PhD Associate Professor in Management Control Copenhagen Business School Project Coordinator and PI Horizon 2020 Project

307 views • 3 slides
Circular Words in Finite and Infinite Sequences: Theory and Applications Marinella Sciortino

Circular Words in Finite and Infinite Sequences: Theory and Applications Marinella Sciortino

Circular Words in Finite and Infinite Sequences: Theory and Applications Marinella Sciortino University of Palermo, Italy AutoMathA 2015 Leipzig, May 6 9, 2015 M. Sciortino Circular Words in Finite and Infinite Sequences: Theory and

1.02k views • 99 slides
Flock on the March A Meta-Proof of a Meta-Model By Zihan Zhou QCS, Class of 2017 What am I

Flock on the March A Meta-Proof of a Meta-Model By Zihan Zhou QCS, Class of 2017 What am I

Flock on the March A Meta-Proof of a Meta-Model By Zihan Zhou QCS, Class of 2017 What am I modeling? Boids Infinite many Same destination Not a transportation protocol Obstacles Infinite many Arbitrary

267 views • 26 slides

More recommend