privately constraining and programming prfs the lwe way
play

Privately Constraining and Programming PRFs, the LWE Way Chris - PowerPoint PPT Presentation

Jan 11, 2023 •305 likes •916 views

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ13,BW13,BGI14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15 Constrained

  1. Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15

  2. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15

  3. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 2 / 15

  4. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . 2 / 15

  5. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . 2 / 15

  6. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . Security c ◮ If C ( x ) = 1 (“unauth”) then Eval ( msk, x ) ≈ random (even w/ sk C ). 2 / 15

  7. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . Security c ◮ If C ( x ) = 1 (“unauth”) then Eval ( msk, x ) ≈ random (even w/ sk C ). ◮ Applications: uses of iO [SW’14] , ID-based key exchange, broadcast encryption, . . . 2 / 15

  8. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) 3 / 15

  9. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. 3 / 15

  10. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . 3 / 15

  11. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . Programmability ◮ Can program sk C to produce a desired value at some unauthorized x ∗ . (Nontrivial only if unauthorized x are hidden.) 3 / 15

  12. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . Programmability ◮ Can program sk C to produce a desired value at some unauthorized x ∗ . (Nontrivial only if unauthorized x are hidden.) ◮ Applications: watermarking PRFs, ???. 3 / 15

  13. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . 4 / 15

  14. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. 4 / 15

  15. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. 4 / 15

  16. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. 4 / 15

  17. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. Caveat! Limited to one constrained key. Two keys for arbitrary circuits ⇒ iO [CC’17] 4 / 15

  18. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. Caveat! Limited to one constrained key. Two keys for arbitrary circuits ⇒ iO [CC’17] Open Programmable PRFs from a non- iO assumption. 4 / 15

  19. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. 5 / 15

  20. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 5 / 15

  21. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function 5 / 15

  22. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function In particular, the first programmable PRFs from non- iO assumptions. 5 / 15

  23. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function In particular, the first programmable PRFs from non- iO assumptions. Selectively simulation-secure, for a priori bounded-size functions. 5 / 15

  24. Shift-Hiding Functions ⇓ Private/Programmable PRFs 6 / 15

  25. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 7 / 15

  26. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 7 / 15

  27. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . 7 / 15

  28. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . Shifting ◮ For every shift function H and every x ∈ X : SEval ( sk H , x ) ≈ Eval ( msk, x ) + H ( x ) (mod q ) 7 / 15

  29. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . Shifting ◮ For every shift function H and every x ∈ X : SEval ( sk H , x ) ≈ Eval ( msk, x ) + H ( x ) (mod q ) Hiding ◮ sk H reveals nothing about H . 7 / 15

  30. Shift-Hiding Functions ⇒ Private Constrained PRFs ◮ F ( msk, x ) := ⌊ Eval ( msk, x ) ⌉ , where ⌊·⌉ : Z q → Z 2 “rounds off.” 8 / 15

  31. Shift-Hiding Functions ⇒ Private Constrained PRFs ◮ F ( msk, x ) := ⌊ Eval ( msk, x ) ⌉ , where ⌊·⌉ : Z q → Z 2 “rounds off.” ◮ To generate a constrained key for circuit C , define shift function H ( x ) = C ( x ) · PRF k ( x ) and output sk C ← Shift ( msk, H ) . This hides H , hence C (and k ). 8 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear

On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear

On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear programming Suppose a brewery produces ale and beer . It uses three type of resources: corn , hops , and malt . Each beverage requires

592 views • 44 slides
Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery Ananth Raghunathan Stanford University Pseudorandom Functions (PRFs) x { 0 , 1 } R k K x k PRF PRF( k , x ) x Rand Rand(

565 views • 23 slides
Privately Developed Privately Developed Groundwater Recharge Dave Tuthill, Ph.D., P.E. August

Privately Developed Privately Developed Groundwater Recharge Dave Tuthill, Ph.D., P.E. August

Idaho Section Privately Developed Privately Developed Groundwater Recharge Dave Tuthill, Ph.D., P.E. August 2, 2018 Topics 1. Why Privately Develop Managed Aquifer Recharge? 2. What are: Recharge Development Corporation

406 views • 22 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed,

Towards Super-Exponential Side-Channel Security with Efficient Leakage-Resilient PRFs M. Medwed, F.-X. Standaert , A. Joux NXP & UCL Crypto Group & Univ. Versailles CHES 2012, Leuven, Belgium SCA security (implementation level) 1 SCA

857 views • 70 slides
Constraining Dark Matter Properties From A Gamma-Ray Detection S ergio Palomares-Rui z Centro de

Constraining Dark Matter Properties From A Gamma-Ray Detection S ergio Palomares-Rui z Centro de

Constraining Dark Matter Properties From A Gamma-Ray Detection S ergio Palomares-Rui z Centro de Fsica Terica de Partculas Instituto Superior Tcnico, Lisbon TeV Particle Astrophysics 2010 Paris, July 21, 2010 Constraining DM properties

415 views • 24 slides
CONSTRAINING NEUTRINOS WITH BBN (WITH A LITTLE HELP FROM THE CMB) GGI NEUTRINO

CONSTRAINING NEUTRINOS WITH BBN (WITH A LITTLE HELP FROM THE CMB) GGI NEUTRINO

CONSTRAINING NEUTRINOS WITH BBN (WITH A LITTLE HELP FROM THE CMB) GGI NEUTRINO WORKSHOP & SMIRNOV FEST Gary Steigman Departments of Physics and Astronomy Center for Cosmology and Astro-Particle Physics Ohio State

623 views • 33 slides
Constraining anomalous HVV interac2ons at proton and lepton

Constraining anomalous HVV interac2ons at proton and lepton

Constraining anomalous HVV interac2ons at proton and lepton colliders Yaofu Zhou Johns Hopkins University The 2014 Phenomenology Symposium May 5,

600 views • 28 slides
Range Extension for Weak PRFs Krzysztof Pietrzak (CWI Amsterdam) Johan Sj odin(ETH Z urich)

Range Extension for Weak PRFs Krzysztof Pietrzak (CWI Amsterdam) Johan Sj odin(ETH Z urich)

Range Extension for Weak PRFs Krzysztof Pietrzak (CWI Amsterdam) Johan Sj odin(ETH Z urich) (weak) pseudorandom functions F = {F 1 , F 2 , . . . } , F n : K n X n Y n is a pseudorandom function ( PRF) if F ( k , x ) can be

596 views • 48 slides
On constraining the spin of the MBH the GC via star orbits: the effects of stellar perturbations

On constraining the spin of the MBH the GC via star orbits: the effects of stellar perturbations

On constraining the spin of the MBH the GC via star orbits: the effects of stellar perturbations Zhang Fupeng, Sun Yat-sen University, China Collaborator: Lu, Youjun (NAOC), Yu, Qingjuan (PKU), Lorenzo Iorio (MIUR) 2016. 2. 11, Aspen Center for

650 views • 25 slides
Constraining the reionization era and inflation with the CMB polarization at large angular scales

Constraining the reionization era and inflation with the CMB polarization at large angular scales

Constraining the reionization era and inflation with the CMB polarization at large angular scales Anna Mangilli ! Institut dAstrophysique Spatiale & Laboratoire de lAcclrateur Linaire ! Orsay, Paris Sud LPSC Grenoble - January

787 views • 41 slides
Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic

Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic

Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic heavy-ion reactions A. Krasznahorkay, ATOMKI, Debrecen Introduction The neutronskin thickness ( r )

872 views • 30 slides
Constraining fossil fuel CO emissions by the joint assimilation of atmospheric CO and

Constraining fossil fuel CO emissions by the joint assimilation of atmospheric CO and

Constraining fossil fuel CO emissions by the joint assimilation of atmospheric CO and CO measurements Sourish Basu, John Miller, Scott Lehman A T M O S P N D H A E R C I I C N A A E D M C O I N L I S

549 views • 18 slides
Constraining the slope parameter of symmetry energy from nuclear structure International

Constraining the slope parameter of symmetry energy from nuclear structure International

Constraining the slope parameter of symmetry energy from nuclear structure International Symposium on Neutron Star Matter (NSMAT2016) - Recent Progress in Observations, Experiments and Theories - November 21 st 24 th , 2016 Tohoku

400 views • 12 slides
Constraining h s s at lepton colliders Matthias Schla ff er Weizmann Institute of Science

Constraining h s s at lepton colliders Matthias Schla ff er Weizmann Institute of Science

Constraining h s s at lepton colliders Matthias Schla ff er Weizmann Institute of Science based on ongoing work with: J. Duarte-Campderros, G. Perez, A. So ff er GGI, Florence August 2018 Gauge boson masses Higgs is main source of

525 views • 39 slides
Tagging strange jets & constraining h s s Matthias Schlaffer Weizmann Institute of

Tagging strange jets & constraining h s s Matthias Schlaffer Weizmann Institute of

Tagging strange jets & constraining h s s Matthias Schlaffer Weizmann Institute of Science based on: 1811.09636 (J. Duarte-Campderros, G. Perez, MS, A. Soffer) work in progress 4th NPKI workshop, Seoul May 2019 Gauge boson masses

589 views • 45 slides
Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges

Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges

Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges channeling Stephen Farrell, Sean Turner, Peter Saint-Andre IETF Security Area and Applications Area Position Paper for W3C Workshop on Identity in the

244 views • 6 slides
Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia

Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia

Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia Education 28 th April, 2020 This webinar is part of DLTVs Online Teaching series in 2020. To receive our newsletter: dltv.vic.edu.au/subscribe To

549 views • 31 slides
Software Quality Dr. Vadim Zaytsev aka @grammarware 2015 http://www.computer.org/web/swebok/v3

Software Quality Dr. Vadim Zaytsev aka @grammarware 2015 http://www.computer.org/web/swebok/v3

Software Quality Dr. Vadim Zaytsev aka @grammarware 2015 http://www.computer.org/web/swebok/v3 Sw Quality * may refer to * desirable characteristics of software products * the extent to which a particular software product fits *

698 views • 6 slides
MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecturers

MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecturers

MAS.S61: Emerging Wireless & Mobile Technologies aka The Extreme IoT Class Lecturers Fadel Adib (fadel@mit.edu) Reza Ghaffarivardavagh (rezagh@mit.edu) Website http://www.mit.edu/~fadel/courses/MAS.S61/index.html Sign up on Piazza

786 views • 65 slides
Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes

Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes

Alertmanager and high availability Frederic Branczyk Software Engineer at CoreOS Prometheus/Alertmanager/Kubernetes @brancz Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes What will I be talking

488 views • 29 slides
Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc @fabxc Time Series Stream

Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc @fabxc Time Series Stream

Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc @fabxc Time Series Stream of <timestamp, value> pairs associated with an identifier

714 views • 55 slides
IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS

IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS

IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS Division mark.lucero@dhs.gov 202-646-1386 July 24, 2013 Agenda Concept and Purpose Technical Requirements Demonstrated The Scenario Flow and

298 views • 18 slides
Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda

Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda

Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda Benefjts of robust monitoring Measurements vs. Alarms Importance of Alarms Correlation Effective Alerting Self-healing Why is

725 views • 34 slides

More recommend