On the Concrete Security of Goldreich's Pseudorandom Generator (slide deck)

SLIDE 1

ASIACRYPT 2018/12/04

On the Concrete Security of Goldreich's Pseudorandom Generator

Geoffroy Couteau - Aurélien Dupin - Pierrick Méaux - Mélissa Rossi - Yann Rotella

SLIDE 2

Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

PRG: from a secret seed to a pseudorandom output of longer size

Secret seed: x1, x2, …, xn ∈ 𝔽2
Pseudorandom output: y1, y2, …, ym ∈ 𝔽2

Parameters (n, s); stretch s > 1, with m = n^s

Public system:

y1 = f(x_{σ1,1}, x_{σ1,2}, x_{σ1,3}, x_{σ1,4}, x_{σ1,5})
⋮
yi = f(x_{σi,1}, x_{σi,2}, x_{σi,3}, x_{σi,4}, x_{σi,5})
⋮
ym = f(x_{σm,1}, x_{σm,2}, x_{σm,3}, x_{σm,4}, x_{σm,5})

  • σi: the public subset of seed bits that feeds output yi
  • Locality: cardinality of the subsets; here the locality is 5
  • Predicate: the function f, a Boolean function of low degree

SLIDE 3

Goldreich Pseudorandom Generator

Secret seed: x1, x2, …, xn ∈ 𝔽2
Public output: y1, y2, …, ym ∈ 𝔽2

Public system:

y1 = f(x_{σ1,1}, x_{σ1,2}, x_{σ1,3}, x_{σ1,4}, x_{σ1,5})
⋮
yi = f(x_{σi,1}, x_{σi,2}, x_{σi,3}, x_{σi,4}, x_{σi,5})
⋮
ym = f(x_{σm,1}, x_{σm,2}, x_{σm,3}, x_{σm,4}, x_{σm,5})

Security properties: consider a uniformly random secret seed

  • 1. Pseudorandomness: (y1, y2, …, ym) is indistinguishable from uniform
  • 2. One-wayness: knowing the system and the output, the probability of recovering the seed is negligible

SLIDE 4

Predicate P5 (Mossel, Shpilka, Trevisan FOCS 2003)

f(x_{σi,1}, x_{σi,2}, x_{σi,3}, x_{σi,4}, x_{σi,5}) = x_{σi,1} + x_{σi,2} + x_{σi,3} + x_{σi,4} x_{σi,5}

  • Smallest locality 5
  • Algebraic degree 2
  • Algebraic immunity 2

m = n^s, s > 1

Security study (stretch axis from s = 1 to s = 2, with s = 1.5 marked):

  • One-wayness broken: inversion with Gaussian elimination (Mossel, Shpilka, Trevisan FOCS 2003)
  • No 𝔽2-linear distinguisher (O'Donnell, Witmer CCC 2014; Applebaum, Bogdanov, Rosen TCC 2012)
  • One-wayness broken: polytime inversion (Applebaum TCC 2013)
  • Sub-exponential inversion in time 2^{O(n^{1 − (s−1)/10})} (Bogdanov, Qiao ARCO 2009)
  • ? (the concrete security for the remaining stretches)

SLIDE 5

Theoretical applications of Goldreich's PRG

  • Semi-honest secure computation with constant computational overhead (Ishai et al. STOC 2008; Applebaum et al. CRYPTO 2017)
  • Indistinguishability obfuscation (Sahai and Waters STOC 2014; Lin and Tessaro CRYPTO 2017)
  • MPC-friendly primitives (Albrecht et al. EUROCRYPT 2015; Canteaut et al. FSE 2016; Méaux et al. EUROCRYPT 2016; Grassi et al. ACM-CCS 2016)
  • Cryptographic capsules (Boyle et al. ACM-CCS 2017)

SLIDE 6

Our first contribution

New attacks with a more fine-grained complexity estimation

[Plot: stretch s (axis from 1 to 2, with 1.5 marked) against seed size n, with the regions labelled "Insecure" and "Conjectured secure"]

SLIDE 7

Outline

  • 1. Goldreich Pseudorandom Generator
  • 2. A guess-and-determine attack
  • 3. An algebraic study

SLIDE 8

Guess-and-Determine attack

Step 1. Collisions: linear equations for free

Example public system (P5 predicate):

x3 + x9 + x2 + x5x1 = 1
x1 + x8 + x3 + x15x2 = 0
x4 + x10 + x12 + x14x6 = 0
x17 + x2 + x1 + x5x1 = 1
x7 + x1 + x11 + x6x5 = 1

The first and fourth equations share the quadratic monomial x5x1 (a collision); summing them over 𝔽2 cancels it and leaves a linear equation:

x3 + x9 + x2 + x5x1 + x17 + x2 + x1 + x5x1 = 1 + 1
x3 + x9 + x2 + x17 + x2 + x1 = 0

Average number of collisions (with C(n,2) = n(n−1)/2 the number of possible quadratic monomials):

𝔼(c) = m − C(n,2) + C(n,2) · ((C(n,2) − 1) / C(n,2))^m ∈ O(n^{2(s−1)})

[Plot: average number of collisions against n, for stretches 1.3, 1.35, 1.4, 1.45 and 1.5]
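The collision step above on a random instance rather than the five-equation toy system, as an added example that is not part of the slides or the authors' repository: it builds a Goldreich PRG over 𝔽2 with the P5 predicate, groups equations by their quadratic monomial, derives the free linear equations from each collision and checks them against the seed. The sizes n = 64, s = 1.4 and the RNG seed are constructed values.

```python
import random
from itertools import combinations
from math import comb

# Added example (not the paper's or its repository's code): a toy Goldreich
# PRG over F2 with the P5 predicate, and the "collisions give linear equations
# for free" step of the attack. Parameter values and the RNG seed are constructed.

def p5(a, b, c, d, e):
    """P5(x1, ..., x5) = x1 + x2 + x3 + x4*x5 over F2."""
    return (a + b + c + (d & e)) & 1

def random_system(n, s, rng):
    """Public system: m = n^s ordered 5-subsets sigma_i of the seed indices."""
    return [rng.sample(range(n), 5) for _ in range(round(n ** s))]

def goldreich_prg(seed, subsets):
    """y_i = P5(x_{sigma_i,1}, ..., x_{sigma_i,5}); seed is a list of bits."""
    return [p5(*(seed[j] for j in sigma)) for sigma in subsets]

def collisions(subsets, outputs):
    """Pairs of equations sharing the quadratic monomial x_{sigma,4} x_{sigma,5}.
    Summing two such equations over F2 cancels that monomial and leaves a linear
    equation, returned as (seed indices with odd multiplicity, right-hand side)."""
    by_monomial = {}
    for i, sigma in enumerate(subsets):
        by_monomial.setdefault(frozenset(sigma[3:]), []).append(i)
    linear = []
    for idxs in by_monomial.values():
        for i, j in combinations(idxs, 2):
            lhs = set()
            for v in subsets[i][:3] + subsets[j][:3]:
                lhs ^= {v}  # x + x = 0 in F2
            linear.append((lhs, outputs[i] ^ outputs[j]))
    return linear

def expected_collisions(n, s):
    """E(c) = m - C(n,2) + C(n,2) * ((C(n,2) - 1) / C(n,2))^m, as on the slide."""
    m, pairs = round(n ** s), comb(n, 2)
    return m - pairs + pairs * ((pairs - 1) / pairs) ** m

def holds_on_seed(seed, linear):
    """Every collision-derived linear equation must be satisfied by the true seed."""
    return all(sum(seed[v] for v in lhs) % 2 == rhs for lhs, rhs in linear)

def run_demo(n, s, rng_seed):
    """Random instance; returns (collisions found, E(c), all equations hold)."""
    rng = random.Random(rng_seed)
    subsets = random_system(n, s, rng)
    seed = [rng.randrange(2) for _ in range(n)]
    linear = collisions(subsets, goldreich_prg(seed, subsets))
    return len(linear), expected_collisions(n, s), holds_on_seed(seed, linear)

if __name__ == "__main__":
    print(run_demo(64, 1.4, 1))
```

Applied to the slide's five equations (indices shifted to start at 0), `collisions` returns exactly the one linear equation x3 + x9 + x17 + x1 = 0 derived above.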

SLIDE 9

Guess-and-Determine attack

Step 2. Complete the linear system obtained with guesses

x3 + x9 + x2 + x5x1 = 1
x1 + x8 + x3 + x15x2 = 0
x4 + x10 + x12 + x14x6 = 0
x17 + x2 + x1 + x5x1 = 1
x7 + x1 + x11 + x6x5 = 1

Guessing creates linear equations: try x6 = 0 and x6 = 1 (the third and fifth equations, whose quadratic monomials contain x6, become linear)

Average number of necessary guesses:

⌊ n(n − c) / (2(m − c) + n) + 1 ⌋ ≃ O(n^{2−s} / 2)

SLIDE 10

Guess-and-Determine attack

Idea introduced by Bettale, PhD thesis 2011

  • 1. Derive all the collisions: linear system Σ1
  • 2. Compute a small subset of guesses 𝒣: linear system Σ2, such that |Σ1| + |Σ2| ≫ n
  • 3. Solve for all elements in 𝒣, i.e. solve the system Σ = Σ1 ∪ Σ2, find a candidate seed and check if it matches the public evaluation of the PRG.

Total complexity: O(n^ω · 2^{n^{2−s}/2}), where ω is the exponent for solving linear systems
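The cost estimate above turned into a parameter check, as an added example (not the authors' code): it evaluates 𝔼(c), the expected number of guesses and the resulting attack cost in bits for a candidate (n, s), and finds the smallest power-of-two seed size that reaches a target security level. The value OMEGA = 2.8 for the linear-algebra exponent and the n range 2^7 to 2^14 are assumptions.

```python
from math import comb, floor, log2

# Added example (not the paper's own code): the cost model of the guess-and-
# determine attack as stated on the slides, used to evaluate a candidate
# parameter set (n, s). OMEGA is an assumed value for the linear-algebra
# exponent; the slides do not state which value their plots use.
OMEGA = 2.8

def expected_collisions(n, s):
    """E(c) = m - C(n,2) + C(n,2) * ((C(n,2) - 1) / C(n,2))^m."""
    m, pairs = round(n ** s), comb(n, 2)
    return m - pairs + pairs * ((pairs - 1) / pairs) ** m

def expected_guesses(n, s):
    """floor( n(n - c) / (2(m - c) + n) + 1 ) with c = E(c): each guessed bit
    linearizes about 2(m - c)/n equations and adds one equation itself.
    Clamped at 0 when the collisions alone already give n equations."""
    m, c = round(n ** s), expected_collisions(n, s)
    return max(0, floor(n * (n - c) / (2 * (m - c) + n) + 1))

def log2_cost(n, s, omega=OMEGA):
    """log2 of n^omega * 2^g: one linear solve per assignment of the g guesses."""
    return omega * log2(n) + expected_guesses(n, s)

def smallest_secure_n(s, bits, omega=OMEGA, max_log_n=14):
    """Smallest power-of-two seed size, up to 2^max_log_n (the range of the
    slides' plots), whose attack cost reaches `bits`, or None if none does."""
    for k in range(7, max_log_n + 1):
        if log2_cost(2 ** k, s, omega) >= bits:
            return 2 ** k
    return None

if __name__ == "__main__":
    for s in (1.1, 1.2, 1.3, 1.4, 1.5):
        row = ", ".join(f"n=2^{k}: {log2_cost(2 ** k, s):.0f} bits" for k in (9, 11, 13))
        print(f"stretch {s}: {row}")
    print("smallest n for 80-bit security at s = 1.3:", smallest_secure_n(1.3, 80))
```

At s = 1.5 the collisions alone supply almost n equations, so the model needs about one guess and no seed size in the range reaches 80 bits, matching the "one-wayness broken" verdict for that stretch.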

SLIDE 11

Guess-and-Determine attack

[Plot: stretch from 1.1 to 1.5 against n from 2^9 to 2^14, with the 128-bit security and 80-bit security curves of the attack marking the insecure parameters]

SLIDE 12

Outline

  • 1. Goldreich Pseudorandom Generator
  • 2. A guess-and-determine attack
  • 3. An algebraic study

SLIDE 13

Degree-two attack

Create many additional quadratic equations in order to be able to linearize

Public system (with the P5 predicate):

y1 = x_{σ1,1} + x_{σ1,2} + x_{σ1,3} + x_{σ1,4} x_{σ1,5}
⋮
yi = x_{σi,1} + x_{σi,2} + x_{σi,3} + x_{σi,4} x_{σi,5}
⋮
ym = x_{σm,1} + x_{σm,2} + x_{σm,3} + x_{σm,4} x_{σm,5}

Linearization: Xi,j ← xi xj

SLIDE 14

Degree-two attack

Step 1. Create degree 2 equations

x3 + x9 + x2 + x5x1 = 1
x1 + x8 + x3 + x15x2 = 0
x4 + x10 + x12 + x14x6 = 0
x17 + x2 + x1 + x5x1 = 1
x7 + x1 + x11 + x6x5 = 1

Each equation can create 2 more equations: multiply it by the variables of its quadratic monomial, here × x5 and × x1 (using x² = x over 𝔽2):

x5(x3 + x9 + x2 + x1) = x5
x1(x3 + x9 + x2 + x5) = x1

Semi-collision: the fourth and fifth equations share x5 in their quadratic monomials x5x1 and x6x5. Multiplying by × x6 and × x1 and summing (an S-polynomial) cancels the cubic term and gives a degree-two equation:

x6(x17 + x2 + x1 + x5x1) + x1(x7 + x1 + x11 + x6x5) = x6 + x1
x6(x17 + x2 + x1) + x1(x7 + x1 + x11) = x6 + x1

SLIDE 15

Degree-two attack

Step 2. Try to solve

Linearize with Xi,j ← xi xj; the system becomes

[Q | L] · (xi xj, xi)^T = 0

where Q and L are very sparse.

When 𝒪eq(n, s) ≈ 𝒪var(n), Q|L is full rank and the secret seed can be recovered.

Using heuristic assumptions (counting equations, linear independence), we were able to define a function f such that*

s ≥ f(n) ⟹ the degree 2 attack succeeds with high probability

Conjectured degree 2 linearization (experimentally checked for small n)

*We thank Henri Gilbert and Guénaël Renault for helpful insights with this approach
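The "create degree 2 equations" step and the equation-versus-unknown count above, as an added example (not the authors' code): polynomials over 𝔽2 are sets of monomials, each P5 equation yields two extra equations by multiplication, each semi-collision yields an S-polynomial, and the number of unknowns after linearization is the count of monomials of degree at most 2. The toy system is the one on the slides and the variable count n = 17 is a constructed value.

```python
from itertools import combinations
from math import comb

# Added example (not the paper's or its repository's code): F2 polynomial
# arithmetic for the degree-two attack. A polynomial is a set of monomials, a
# monomial a frozenset of variable indices (frozenset() is the constant 1);
# addition is symmetric difference and, since x_i^2 = x_i, multiplying by x_v
# just adds v to every monomial. Assumes distinct indices in each quadratic term.

def mul_var(p, v):
    """x_v * p reduced with x_v^2 = x_v; monomials that coincide cancel."""
    out = set()
    for mono in p:
        out ^= {mono | {v}}
    return out

def p5_equation(sigma, y):
    """x_a + x_b + x_c + x_d x_e + y = 0, as a polynomial equal to zero."""
    a, b, c, d, e = sigma
    p = set()
    for mono in [{a}, {b}, {c}, {d, e}] + ([set()] if y else []):
        p ^= {frozenset(mono)}
    return p

def quad(eq):
    return next(m for m in eq if len(m) == 2)  # the quadratic monomial

def extra_equations(eq):
    """'Each equation can create 2 more': multiply by each variable of its
    quadratic monomial; degree stays 2 because x_v * x_v x_w = x_v x_w."""
    return [mul_var(eq, v) for v in sorted(quad(eq))]

def s_polynomial(eq1, eq2):
    """Semi-collision: quadratic monomials x_a x_b and x_b x_c share exactly one
    variable; x_c * eq1 + x_a * eq2 cancels the cubic term x_a x_b x_c."""
    q1, q2 = quad(eq1), quad(eq2)
    if len(q1 & q2) != 1:
        return None
    (a,), (c,) = q1 - q2, q2 - q1
    return mul_var(eq1, c) ^ mul_var(eq2, a)

def degree2_system(subsets, outputs, n):
    """All degree-2 equations derivable as on the slides, and the number of
    unknowns after the linearization X_ij <- x_i x_j (monomials of degree <= 2)."""
    eqs = [p5_equation(s, y) for s, y in zip(subsets, outputs)]
    derived = list(eqs)
    for eq in eqs:
        derived += extra_equations(eq)
    for e1, e2 in combinations(eqs, 2):
        sp = s_polynomial(e1, e2)
        if sp:
            derived.append(sp)
    return derived, n + comb(n, 2)
```

On the five slide equations this yields 5 + 10 + 3 = 18 equations of degree at most 2 against 17 + 136 = 153 unknowns, far from the 𝒪eq ≈ 𝒪var regime; the ratio only closes as m = n^s grows.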

SLIDE 16

Gröbner basis approach

Conjectured polynomial attack: for s ≥ f(n), the degree of regularity of the Gröbner basis computation is 3, with a degree 2 final resolution; complexity O(n^{2ω})

Experiment: verified for small n with Faugère's F4

[Plot: stretch from 1.1 to 1.5 against n from 2^7 to 2^14]

Included in the vulnerable parameters?

SLIDE 17

All results

[Plot: stretch from 1.1 to 1.5 against n from 2^9 to 2^14, with the 128-bit security and 80-bit security curves for the subexponential attack and the region of the conjectured polynomial attack]

SLIDE 18

Other contribution

Our guess-and-determine attack can be generalized to other predicates:

XorMaj predicate (Applebaum, Lovett STOC 2016):

XOR_l MAJ_k(x) = XOR(x1, …, xl) + MAJ(xl+1, …, xk)

Total complexity: O(n^ω · 2^{n^{1 − (s−1)/(⌈k/2⌉ + 1)}})

Another approach: the set of guesses is not fixed, and all the guesses are assigned to (0, 0, …, 0) or (1, 1, …, 1)

SLIDE 19

Conclusion and open questions

Concrete security of Goldreich's PRG with predicate P5 and XorMaj predicates

[Plot: stretch from 1.1 to 1.5 against n from 2^9 to 2^14, with a region marked "OK" and a region marked "?"]

  • Can we improve the security bounds for P5?
  • And for other predicates? On other predicates, the inequivalence between the guesses must be taken into account: for x0 + x1x2x3x4, guessing x1 = 0 gives a linear equation, while x1 = 1 gives a degree 3 equation.

SLIDE 20

Conclusion and open questions

Thank you for your attention

Eprint: https://eprint.iacr.org/2018/1162
Codes: https://github.com/LuMopY/SecurityGoldreichPRG