on the concrete security of goldreich s prg
play

On the Concrete Security of Goldreichs PRG Yann Rotella Joint work - PowerPoint PPT Presentation

Sep 16, 2023 •679 likes •1.22k views

On the Concrete Security of Goldreichs PRG Yann Rotella Joint work with Geoffroy Couteau, Aurlien Dupin, Pierrick Maux and Mlissa Rossi January 31, 2019 Introduction A subexponential-time attack Algebraic cryptanalysis

  1. On the Concrete Security of Goldreich’s PRG Yann Rotella Joint work with Geoffroy Couteau, Aurélien Dupin, Pierrick Méaux and Mélissa Rossi January 31, 2019

  2. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion PseudoRandom Generators ( x 1 , x 2 , . . . , x n ) ∈ F n Seed: 2 PRG ( y 1 , y 2 , . . . , y n , y n + 1 , . . . , y m ) ∈ F n Output: 2 ( y i ) i ≤ m should be indistinguishable from a random string; it is hard to recover ( x i ) i ≤ n using the knowledge of ( y i ) i ≤ m . 1 / 36

  3. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Structure of this Talk 1 Introduction 2 A subexponential-time attack 3 Algebraic cryptanalysis Generalization on all predicates 4 Conclusion 5 2 / 36

  4. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Stretch and locality x 1 x 2 x 3 . . . . . . y j m = n s d = 3 y j + 1 x i y j + 2 . . . . . . x n 3 / 36

  5. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Theoretical applications Semi Secure computation with constant computational overhead [Ishai et al. STOC 2018, Applebaum et al. CRYPTO 2017] MPC-friendly primitives [Albrecht et al. EC 2015, Canteaut et al. FSE 2016, Méaux et al. EC 2016, Grassi et al. ACM-CCS 2016] Indistinguishability Obfuscation [Sahai and Waters STOC 2014, Lin and Tessaro CRYPTO 2017] Cryptographic Capsules [Boyle et al. ACN-CCS 2017] 4 / 36

  6. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Description of Goldreich’s PRG Seed ( x 1 , . . . , x n ) σ i σ i d − 1 2 σ i σ i 1 d P ( x σ i 1 , . . . , x σ i d ) ( y i ) 1 ≤ i ≤ m m = n s , s is the stretch. 5 / 36

  7. ? ? ? ? Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Parameters Stretch s > 1 Subsets ( σ i ) i ≤ 1 Boolean function (predicate) P Locality d 6 / 36

  8. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Parameters Stretch s > 1 ? Subsets ( σ i ) i ≤ 1 ? Boolean function (predicate) P ? Locality d ? 6 / 36

  9. Ok if they are chosen uniformly random Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Subsets The subsets should be sufficiently expanding: for some k , every k subsets should cover k + Ω( n ) elements of { 1 , . . . , n } . 7 / 36

  10. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Subsets The subsets should be sufficiently expanding: for some k , every k subsets should cover k + Ω( n ) elements of { 1 , . . . , n } . Ok if they are chosen uniformly random 7 / 36

  11. A value x of the list can agree on 1 2 n output bits. Final complexity: 2 n 1 s 1 2 d 2 n 0 955 s 1 45 and d 5 Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Generic sub-exponential seed recovery Create a list of all possible values for ( 2 ε ) ∗ n variables. 8 / 36

  12. Final complexity: 2 n 1 s 1 2 d 2 n 0 955 s 1 45 and d 5 Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Generic sub-exponential seed recovery Create a list of all possible values for ( 2 ε ) ∗ n variables. A value x ′ of the list can agree on ( 1 / 2 + ε ) ∗ n output bits. 8 / 36

  13. 2 n 0 955 s 1 45 and d 5 Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Generic sub-exponential seed recovery Create a list of all possible values for ( 2 ε ) ∗ n variables. A value x ′ of the list can agree on ( 1 / 2 + ε ) ∗ n output bits. Final complexity: 2 n 1 − ( s − 1 / 2 d ) 8 / 36

  14. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Generic sub-exponential seed recovery Create a list of all possible values for ( 2 ε ) ∗ n variables. A value x ′ of the list can agree on ( 1 / 2 + ε ) ∗ n output bits. Final complexity: 2 n 1 − ( s − 1 / 2 d ) s = 1 . 45 and d = 5 ⇒ 2 n 0 . 955 8 / 36

  15. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Predicate criteria degree [Goldreich 2000] rational degree (algebraic immunity) [Applebaum and Lovett STOC 2016] AI ( P ) > s resilience [O’Donnelland Witmer CCC 2014, Applebaum 2015] res ( P ) > 2s 9 / 36

  16. P 5 x 1 x 2 x 3 x 4 x 5 x 1 x 2 x 3 x 4 x 5 Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion locality  degree   ⇒ d ≥ 5 resilience  Siegenthaler  10 / 36

  17. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion locality  degree   ⇒ d ≥ 5 resilience  Siegenthaler  P 5 ( x 1 , x 2 , x 3 , x 4 , x 5 ) = x 1 + x 2 + x 3 + x 4 x 5 10 / 36

  18. Linearization and Gröbner-based attacks. Generalization of the subexponential attack to all predicates. locality and stretch are linked to the size of the seed. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Our results A new subexponential-time attack in 2 O ( n 2 − s ) . 11 / 36

  19. Generalization of the subexponential attack to all predicates. locality and stretch are linked to the size of the seed. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Our results A new subexponential-time attack in 2 O ( n 2 − s ) . Linearization and Gröbner-based attacks. 11 / 36

  20. locality and stretch are linked to the size of the seed. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Our results A new subexponential-time attack in 2 O ( n 2 − s ) . Linearization and Gröbner-based attacks. Generalization of the subexponential attack to all predicates. 11 / 36

  21. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Our results A new subexponential-time attack in 2 O ( n 2 − s ) . Linearization and Gröbner-based attacks. Generalization of the subexponential attack to all predicates. locality and stretch are linked to the size of the seed. 11 / 36

  22. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Plan of this Section 1 Introduction 2 A subexponential-time attack 3 Algebraic cryptanalysis Generalization on all predicates 4 Conclusion 5 12 / 36

  23. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Cryptanalysis of FLIP [Duval, Lallemand, Rotella CRYPTO 2016] Key Register K PRNG Permutation P i Generator F z i p i c i F ( x ) = x 1 + x 2 + · · · + x k 1 + x k 1 + 1 x k 1 + 2 + · · · + x k 2 − 1 x k 2 + x k 3 + x k 3 + 1 x k 3 + 2 + · · · + x n − 14 · · · x n − 1 x n 13 / 36

  24. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion FLIP vs Goldreich’s PRG FLIP: overdetermined Goldreich’s PRG: underdetermined P 5 ( x 1 , x 2 , x 3 , x 4 , x 5 ) = x 1 + x 2 + x 3 + x 4 x 5 14 / 36

  25. We get the following linear equation: x 1 x 4 x 8 x 13 x 10 x 3 0 O n 2 s 1 number of collisions c Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Collect linear equations x 1 + x 4 + x 8 + x 9 x 11 = 1 x 14 + x 5 + x 7 + x 1 x 4 = 0 x 13 + x 10 + x 3 + x 11 x 9 = 1 15 / 36

  26. O n 2 s 1 number of collisions c Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Collect linear equations x 1 + x 4 + x 8 + x 9 x 11 = 1 x 14 + x 5 + x 7 + x 1 x 4 = 0 x 13 + x 10 + x 3 + x 11 x 9 = 1 We get the following linear equation: x 1 + x 4 + x 8 + x 13 + x 10 + x 3 = 0 15 / 36

  27. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Collect linear equations x 1 + x 4 + x 8 + x 9 x 11 = 1 x 14 + x 5 + x 7 + x 1 x 4 = 0 x 13 + x 10 + x 3 + x 11 x 9 = 1 We get the following linear equation: x 1 + x 4 + x 8 + x 13 + x 10 + x 3 = 0 number of collisions c ∈ O ( n 2 ( s − 1 ) ) 15 / 36

  28. For all possible values of the bits: Solve the correponding linear system of n linear equations. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Guessing phase Choose the ℓ variables that appear the most in the quadratic terms, such that you get n − c − ℓ linear equations. 16 / 36

  29. Solve the correponding linear system of n linear equations. Introduction A subexponential-time attack Algebraic cryptanalysis Generalization on all predicates Conclusion Guessing phase Choose the ℓ variables that appear the most in the quadratic terms, such that you get n − c − ℓ linear equations. For all possible values of the ℓ bits: 16 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

1.13k views • 86 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, Yu Yu All widely used GCs have a birthday-bound security Explicit attack GC based on fix-key block cipher

313 views • 7 slides
twenty one service loads x load factors concrete holds no tension failure criteria is

twenty one service loads x load factors concrete holds no tension failure criteria is

E LEMENTS OF A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 614 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2019 design for maximum stresses

253 views • 6 slides
nineteen service loads x load factors concrete holds no tension failure criteria is

nineteen service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel A RCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S UMMER 2018 design for maximum stresses lecture limit

641 views • 9 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo Jonathan Katz Xiao Wang Chenkai Weng Yu Yu Yaos garbled circuits Two-party computation (2PC) Multiple optimizations

376 views • 20 slides
twenty two service loads x load factors concrete holds no tension failure criteria is

twenty two service loads x load factors concrete holds no tension failure criteria is

A RCHITECTURAL S TRUCTURES : Concrete Beam Design F ORM, B EHAVIOR, AND D ESIGN composite of concrete and steel ARCH 331 D R. A NNE N ICHOLS American Concrete Institute (ACI) S PRING 2018 design for maximum stresses lecture limit

346 views • 9 slides
Concrete Recycling in Pavement Applications Update on the FHWA Concrete Recycling Initiative

Concrete Recycling in Pavement Applications Update on the FHWA Concrete Recycling Initiative

Concrete Recycling in Pavement Applications Update on the FHWA Concrete Recycling Initiative Tara Cavalline, Ph.D., P.E. UNC Charlotte tcavalline@uncc.edu Presentation to National Concrete consortium September 20, 2017 Concrete Recycling

618 views • 26 slides
Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of

Use of Concrete Maturity For Use of Concrete Maturity For Measuring In-Place Strength of Measuring In-Place Strength of Concrete Concrete Prasad Rangaraju, Ph.D., P.E. Assistant Professor Department of Civil Engineering Clemson University

1.08k views • 63 slides
ABC Webinar at FIU Concrete Bridges Concrete Bridges William Nickas, P.E. Managing Director,

ABC Webinar at FIU Concrete Bridges Concrete Bridges William Nickas, P.E. Managing Director,

ABC Webinar at FIU Concrete Bridges Concrete Bridges William Nickas, P.E. Managing Director, Transportation Systems Precast/Prestressed Concrete Institute 2 National Concrete Bridge Council American Coal Ash Association American

1.25k views • 104 slides
Swing Amplification James Binney University of Oxford Saas Fee, January 2019 Goldreich &

Swing Amplification James Binney University of Oxford Saas Fee, January 2019 Goldreich &

Swing Amplification James Binney University of Oxford Saas Fee, January 2019 Goldreich & Lynden Bell (1965) Julian & Toomre (1966) Shearing sheet Consider large m and study small near-Cartesian patch that rotates with

797 views • 20 slides
Portland Cement Concrete Portland Cement Concrete Portland cement concrete consists of a mixture

Portland Cement Concrete Portland Cement Concrete Portland cement concrete consists of a mixture

Portland Cement Concrete Portland Cement Concrete Portland cement concrete consists of a mixture of portland cement, coarse and fine aggregates, and water. It may be amended with admixtures, fibers, or certain supplementary cementitious

1.26k views • 78 slides
Basic Concrete Tests Hardened Concrete Basic Concrete Tests Cylinder Compression Splitting

Basic Concrete Tests Hardened Concrete Basic Concrete Tests Cylinder Compression Splitting

Basic Concrete Tests Hardened Concrete Basic Concrete Tests Cylinder Compression Splitting Tension Beam Flexure Elastic Modulus Slump Unit Weight Air Content CIVL 3137 2 Cylinder Compression What do we mean when we say I need 10 yd 3

516 views • 51 slides
TESTING MONOTONICITY* ODED GOLDREICH , SHAFI GOLDWASSER , ERIC LEHMAN, DANA RON , ALEX

TESTING MONOTONICITY* ODED GOLDREICH , SHAFI GOLDWASSER , ERIC LEHMAN, DANA RON , ALEX

Combinatorica 20 (3) (2000) 301337 COMBINATORICA Bolyai Society Springer-Verlag TESTING MONOTONICITY* ODED GOLDREICH , SHAFI GOLDWASSER , ERIC LEHMAN, DANA RON , ALEX SAMORODNITSKY Received March 29, 1999 We present a

577 views • 37 slides
Engineering Fly Ash-based Geopolymer Concrete Geopolymer Concrete E. Ivan Diaz-Loya Ph.D.

Engineering Fly Ash-based Geopolymer Concrete Geopolymer Concrete E. Ivan Diaz-Loya Ph.D.

Engineering Fly Ash-based Geopolymer Concrete Geopolymer Concrete E. Ivan Diaz-Loya Ph.D. Candidate Erez N. Allouche Ph.D., P.E. 1 2010 International Concrete Sustainability Conference, Dubai, UAE Engineering fly ash-based geopolymer concrete

713 views • 35 slides
2012 EXCELLENCE IN CONCRETE AWARD Virginia Chapter - American Concrete Institute Hank Keiper,

2012 EXCELLENCE IN CONCRETE AWARD Virginia Chapter - American Concrete Institute Hank Keiper,

2012 EXCELLENCE IN CONCRETE AWARD Virginia Chapter - American Concrete Institute Hank Keiper, P.E. March 7, 2013 Virginia Concrete The SEFA Group Conference Aw ard Criteria Essentially completed in 2012 Concrete a major part of

257 views • 25 slides
Prometheus in Debian 4 th year in a row! Martina (Tina) Ferrari November 7th, 2019 Martina

Prometheus in Debian 4 th year in a row! Martina (Tina) Ferrari November 7th, 2019 Martina

Prometheus in Debian 4 th year in a row! Martina (Tina) Ferrari November 7th, 2019 Martina Ferrari (PromCon EU 2019) Prometheus in Debian November 7th, 2019 1 / 14 About Tina Debian contributor since 2005. (Debian Developer since 2008)

347 views • 14 slides
Lecture 7: Convolutional Networks Justin Johnson September 23, 2020 Lecture 7 - 1 Reminder: A2

Lecture 7: Convolutional Networks Justin Johnson September 23, 2020 Lecture 7 - 1 Reminder: A2

Lecture 7: Convolutional Networks Justin Johnson September 23, 2020 Lecture 7 - 1 Reminder: A2 Due this Friday, 9/25/2020 Justin Johnson September 23, 2020 Lecture 7 - 2 Autograder Late Tokens - Our late policy is (from syllabus): - 3

1.26k views • 98 slides
or SoS Meets Program Obfuscation Ilan Komargodski Joint work with Boaz Barak (Harvard) Zvika

or SoS Meets Program Obfuscation Ilan Komargodski Joint work with Boaz Barak (Harvard) Zvika

Limits on Low-Degree PRGs or SoS Meets Program Obfuscation Ilan Komargodski Joint work with Boaz Barak (Harvard) Zvika Brakerski (Weizmann Institute) Pravesh K. Kothari (Princeton) Pseudorandom Generators (PRGs) : {0,1} {0,1}

679 views • 15 slides
March 22, Week 9 Today: Chapter 7, Elastic Potential Energy Homework Assignment #6 - Due Today

March 22, Week 9 Today: Chapter 7, Elastic Potential Energy Homework Assignment #6 - Due Today

March 22, Week 9 Today: Chapter 7, Elastic Potential Energy Homework Assignment #6 - Due Today Mastering Physics: 9 problems from chapters 5 and 6 Written Questions: 6.73 Homework Assignment #7 - Due March 29 Mastering Physics: 6 problems from

949 views • 67 slides
Distributed computing of efficient routing schemes Nicolas Nisse 1 an Rapaport 2 Karol Suchan 3

Distributed computing of efficient routing schemes Nicolas Nisse 1 an Rapaport 2 Karol Suchan 3

Distributed computing of efficient routing schemes Nicolas Nisse 1 an Rapaport 2 Karol Suchan 3 Iv 1 MASCOTTE, INRIA, I3S, CNRS, UNS, Sophia Antipolis, France 2 DIM, Universidad de Chile, Santiago, Chile 3 Universidad Adolfo Ib a nez,

574 views • 34 slides
Motivation The operations and control structures of imperative languages are strongly influenced

Motivation The operations and control structures of imperative languages are strongly influenced

Motivation The operations and control structures of imperative languages are strongly influenced by the way most real computer hardware works. This makes imperative languages relatively easy to compile, but (arguably) less expressive; many

829 views • 44 slides
The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which

The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which

The Monad of Strict Computation A Categorical Framework for the Semantics of Languages in which Strict and Non-strict computation rules are mixed Dick Kieburtz Portland State University WG2.8 Meeting July 16-20, 2007 The Problem, illustrated

507 views • 16 slides
Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr

Evaluation ` a la Carte Non-Strict Evaluation via Compositional Data Types Patrick Bahr University of Copenhagen, Department of Computer Science paba@diku.dk 23rd Nordic Workshop on Programming Theory, M alardalen University, V aster

546 views • 19 slides

More recommend