peculiar properties of lattice based encryption chris
play

Peculiar Properties of Lattice-Based Encryption Chris Peikert - PowerPoint PPT Presentation

Mar 13, 2024 •156 likes •876 views

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19 Talk Agenda Encryption schemes with special features: 2 / 19 Talk Agenda

  1. Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19

  2. Talk Agenda Encryption schemes with special features: 2 / 19

  3. Talk Agenda Encryption schemes with special features: 1 “(Bi-)Deniability” 2 / 19

  4. Talk Agenda Encryption schemes with special features: 1 “(Bi-)Deniability” 2 “Circular” Security 2 / 19

  5. Part 1: Deniable Encryption ◮ A. O’Neill, C. Peikert (2010) “Bideniable Public-Key Encryption” 3 / 19

  6. Deniable Encryption c = Enc pk (“surprise party 4 big bro!”) (Images courtesy xkcd.org) 4 / 19

  7. Deniable Encryption c = Enc pk (“surprise party 4 big bro!”) !! (Images courtesy xkcd.org) 4 / 19

  8. Deniable Encryption c = DenEnc pk (“surprise party 4 big bro!”) What We Want 1 Bob gets Alice’s intended message, but . . . (Images courtesy xkcd.org) 4 / 19

  9. Deniable Encryption c = DenEnc pk (“surprise party 4 big bro!”) (fake!) (fake!) What We Want 1 Bob gets Alice’s intended message, but . . . (Images courtesy xkcd.org) 4 / 19

  10. Deniable Encryption c = Enc pk (“ I love kittens!!!! ”) What We Want 1 Bob gets Alice’s intended message, but . . . 2 Fake coins & keys ‘look as if’ another message was encrypted! (Images courtesy xkcd.org) 4 / 19

  11. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 5 / 19

  12. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can’t ‘sell’ vote (?) 5 / 19

  13. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can’t ‘sell’ vote (?) 3 Secure protocols tolerating adaptive break-ins [CFGN’96] 5 / 19

  14. State of the Art Theory [CanettiDworkNaorOstrovsky’97] ◮ Sender-deniable encryption scheme ◮ Receiver-deniability by adding interaction & switching roles ◮ Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) 6 / 19

  15. State of the Art Theory [CanettiDworkNaorOstrovsky’97] ◮ Sender-deniable encryption scheme ◮ Receiver-deniability by adding interaction & switching roles ◮ Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose, . . . ◮ Limited deniability: “ move along, no message here. . . ” Plausible for storage , but not so much for communication . 6 / 19

  16. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible 7 / 19

  17. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible ⋆ A true public-key scheme: non-interactive, no 3rd parties ⋆ Uses special properties of lattices [Ajtai’96,Regev’05,GPV’08,. . . ] ⋆ Has large keys . . . but this is inherent [Nielsen’02] 7 / 19

  18. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible ⋆ A true public-key scheme: non-interactive, no 3rd parties ⋆ Uses special properties of lattices [Ajtai’96,Regev’05,GPV’08,. . . ] ⋆ Has large keys . . . but this is inherent [Nielsen’02] 2 “Plan-ahead” bi-deniability with short keys ⋆ Bounded number of alternative messages, decided in advance 7 / 19

  19. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P secret ‘trapdoor’ sk . 8 / 19

  20. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 8 / 19

  21. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 2 Given sk , can easily distinguish P from U . 8 / 19

  22. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 2 Given sk , can easily distinguish P from U . ◮ Many instantiations: trapdoor perms (RSA), DDH, lattices, . . . 8 / 19

  23. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P sk 9 / 19

  24. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk 9 / 19

  25. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk Deniability ✔ Alice can fake: PP → UP → UU 9 / 19

  26. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk ✗ Deniability ✔ Alice can fake: PP → UP → UU ✗ What about Bob?? His sk reveals the true nature of the samples! 9 / 19

  27. Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk , each inducing a slightly different P -test. 10 / 19

  28. Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk , each inducing a slightly different P -test. 10 / 19

  29. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 10 / 19

  30. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 3 Can generate pk with a faking key: given fk and a P -sample x , can find a ‘proper-looking’ sk that classifies x as a U -sample. 10 / 19

  31. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 3 Can generate pk with a faking key: given fk and a P -sample x , can find a ‘proper-looking’ sk that classifies x as a U -sample. ⇒ Bob can also fake P → U ! 10 / 19

  32. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) 11 / 19

  33. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) ◮ U -sample = uniform x in Z m q . Then � r , x � is uniform mod q . 11 / 19

  34. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) ◮ U -sample = uniform x in Z m q . Then � r , x � is uniform mod q . ◮ P -sample = x = A t s + e (LWE). Then � r , x � ≈ 0 mod q . 11 / 19

  35. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x O O fk Receiver Faking ◮ Faking key = short basis of L ⊥ (a la [GPV’08,. . . ]) 11 / 19

  36. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O fk Receiver Faking ◮ Faking key = short basis of L ⊥ (a la [GPV’08,. . . ]) ◮ Given P -sample x , choose fake r ∈ L ⊥ correlated with x ’s error. Then � r , x � is uniform mod q ⇒ x is classified as a U -sample. 11 / 19

  37. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O fk Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? 11 / 19

  38. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? ◮ Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss · r . This ( r , x ) has the same ∗ joint distrib! 11 / 19

  39. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? ◮ Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss · r . This ( r , x ) has the same ∗ joint distrib! ◮ Finally, replace LWE with uniform ⇒ normal r and U -sample x . 11 / 19

  40. Closing Thoughts on Deniability ◮ Faking sk requires ‘oblivious’ misclassification (of P as U) ◮ Bi-deniability from other cryptographic assumptions? ◮ Full deniability, without alternative algorithms? 12 / 19

  41. Part 2: Circular-Secure Encryption ◮ B. Applebaum, D. Cash, C. Peikert, A. Sahai (CRYPTO 2009) “Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems” 13 / 19

  42. Circular / “Clique” / Key-Dependent Security Enc pk Bob ( sk Alice ) ✔ sk Alice sk Bob 14 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal axis: ciphertext size Why focus on size instead of CPU time? Fitting into existing frameworks and protocols. Data from Google. Long term:

835 views • 23 slides
Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for IT Security Ruhr University Bochum Outline 1 Definition of PRE and Security Model 2 Previous constructions and our contribution 3 One-way functions

971 views • 60 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20 november 2019 1 Outline 1 Introduction 2 How to find 1st failure 3 How to find next failure 4 Recovering the secret 5 Conclusion 1 1 LWE hard

1.07k views • 81 slides
Study of the influence of external effects on the properties of QCD by means of lattice

Study of the influence of external effects on the properties of QCD by means of lattice

Study of the influence of external effects on the properties of QCD by means of lattice simulations A. Yu. Kotov (based on the PhD thesis) JINR 20 April 2016 Motivation Temperature Baryonic density Chiral density Magnetic field Lattice

622 views • 49 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Cryptography Overview John Mitchell Announcement: Homework 1 Homework 1 has 3 problems

Cryptography Overview John Mitchell Announcement: Homework 1 Homework 1 has 3 problems

CS259 Winter 2008 Cryptography Overview John Mitchell Announcement: Homework 1 Homework 1 has 3 problems Problems 1 and 2 on the web now Problem 3 to be added soon Due in two weeks, on January 24 Install Murphi and run

723 views • 45 slides
Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science

Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science

Classical Cryptosystems Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Definitions Kerckhoffs Principle Monoalphabetic

867 views • 23 slides
Would You Buy This? Our unbreakable military-grade 10,240-bit bi-Gaussian encryption system,

Would You Buy This? Our unbreakable military-grade 10,240-bit bi-Gaussian encryption system,

Would You Buy This? Our unbreakable military-grade 10,240-bit bi-Gaussian encryption system, using a proprietary one- time pad algorithm, has recently been reviewed by the NSA and approved by a Fortune 500 customer and is available both inside

590 views • 33 slides
Cryptography November 14, 2011 1 Intercepting Information Scenario 1 Wireless broadcasts

Cryptography November 14, 2011 1 Intercepting Information Scenario 1 Wireless broadcasts

Cryptography November 14, 2011 1 Intercepting Information Scenario 1 Wireless broadcasts information using radio signals Any computer on a wireless network CAN listen to any network traffic A computer SHOULD only listen to traffic

182 views • 6 slides
RSA and the Cloud Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Encry ryption We

RSA and the Cloud Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Encry ryption We

RSA and the Cloud Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Encry ryption We encrypt (encode) our data so others can t understand it (easily) except for the person who is supposed to receive it. We call the data to encode

638 views • 32 slides
Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics,

Discrete Mathematics with Applications MATH236 Dr. Hung P. Tong-Viet School of Mathematics, Statistics and Computer Science University of KwaZulu-Natal Pietermaritzburg Campus Semester 1, 2013 Tong-Viet (UKZN) MATH236 Semester 1, 2013 1 /

697 views • 23 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
ENGR/CS 101 CS Session Lecture 9 Log into Windows/ACENET (reboot if in Linux) Start

ENGR/CS 101 CS Session Lecture 9 Log into Windows/ACENET (reboot if in Linux) Start

ENGR/CS 101 CS Session Lecture 9 Log into Windows/ACENET (reboot if in Linux) Start Microsoft Visual Studio 2012 Any questions about the exercise from last time? Lecture 4 ENGR/CS 101 Computer Science Session 1 Outline

482 views • 20 slides

More recommend