Pseudorandom Functions and Lattices
Abhishek Banerjee (Georgia Tech), Chris Peikert (Georgia Tech), Alon Rosen (IDC Herzliya)
Faces of Modern Cryptography, 9 September 2011. Slide transcript (14 slides; builds merged below).


  1. Title slide (1 / 14): Pseudorandom Functions and Lattices. Abhishek Banerjee, Chris Peikert (Georgia Tech), Alon Rosen (IDC Herzliya). Faces of Modern Cryptography, 9 September 2011.

  4. Pseudorandom Functions [GGM'84] (3 / 14)
     ◮ A family $\mathcal{F} = \{F_s : \{0,1\}^k \to D\}$ such that, given adaptive query access, $F_s \leftarrow \mathcal{F}$ is computationally indistinguishable from a random function $U$:
         $F_s \leftarrow \mathcal{F} \;\approx_c\; U$,
       i.e. the adversary chooses queries $x_i$ and cannot tell whether the replies are $F_s(x_i)$ or $U(x_i)$. (The "seed" or "secret key" for $F_s$ is $s$.)
     ◮ Oodles of applications in symmetric cryptography: (efficient) encryption, identification, authentication, ...
     (Images courtesy xkcd.org)

  10. How to Construct PRFs (4 / 14)
     1. Heuristically: AES, Blowfish.
        ✔ Fast!
        ✔ Withstand known cryptanalytic techniques (linear, differential, ...)
        ✗ PRF security is subtle: want provable (reductionist) guarantees
     2. Goldreich-Goldwasser-Micali [GGM'84]
        ✔ Based on any (doubling) PRG $G$: $F_s(x_1 \cdots x_k) = G_{x_k}(\cdots G_{x_1}(s) \cdots)$
        ✗ Inherently sequential: $\geq k$ iterations (circuit depth)
     3. Naor-Reingold / Naor-Reingold-Rosen [NR'95, NR'97, NRR'00]
        ✔ Based on "synthesizers" or number theory (DDH, factoring)
        ✔ Low-depth: $NC^2$, $NC^1$ or even $TC^0$ [$O(1)$ depth with threshold gates]
        ✗ Huge circuits that need mucho preprocessing
        ✗ No "post-quantum" construction under standard assumptions
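The GGM construction from item 2, as an added example (not code from the slides): one PRG call per input bit, which is exactly the sequential depth the slide objects to. The doubling PRG is a SHA-256-based stand-in assumed for this example; GGM works with any doubling PRG.

```python
# Added example: GGM PRF F_s(x_1 ... x_k) = G_{x_k}( ... G_{x_1}(s) ... ) from a doubling PRG.
# The PRG below is a SHA-256 stand-in (assumption of this example, not the slides' construction),
# chosen so that the code runs offline with the standard library only.
import hashlib

SEED_BYTES = 32  # seed length lambda in bytes; G maps lambda bytes to 2*lambda bytes


def prg(seed: bytes) -> bytes:
    """Doubling PRG G: {0,1}^lambda -> {0,1}^{2 lambda}.
    G_0(seed) is the left half, G_1(seed) the right half (domain-separated hash calls)."""
    assert len(seed) == SEED_BYTES
    left = hashlib.sha256(b"\x00" + seed).digest()   # G_0(seed)
    right = hashlib.sha256(b"\x01" + seed).digest()  # G_1(seed)
    return left + right


def ggm_prf(seed: bytes, x: str) -> bytes:
    """Evaluate F_s(x) for a bit string x = x_1 ... x_k.

    Walks the PRG tree from the root seed: bit x_1 selects G_{x_1}(s), then x_2 selects the
    half of G(G_{x_1}(s)), and so on. The k PRG calls are data-dependent and strictly
    sequential, which is the 'circuit depth >= k' drawback on the slide."""
    if any(c not in "01" for c in x):
        raise ValueError("input must be a bit string")
    state = seed
    for bit in x:                      # innermost G_{x_1} is applied first, outermost G_{x_k} last
        halves = prg(state)
        state = halves[:SEED_BYTES] if bit == "0" else halves[SEED_BYTES:]
    return state
```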

  14. Why Not Try Lattices? (5 / 14)
     [Figure: "??" ⇒ $F_s \leftarrow \mathcal{F}$]
     Advantages of Lattice Crypto Schemes
     ◮ Simple & efficient: linear, highly parallel operations
     ◮ Resist quantum attacks (so far)
     ◮ Secure under worst-case hardness assumptions [Ajtai'96, ...]
     Disadvantages
     ✗ Only known PRF is generic GGM (not parallel or efficient)
     ✗✗ We don't even have practical PRGs from lattices: biased errors

  18. Our Results (6 / 14)
     1. Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE
        ⋆ Synthesizer-based PRF in $TC^1 \subseteq NC^2$ a la [NR'95]
        ⋆ Direct construction in $TC^0 \subseteq NC^1$ analogous to [NR'97, NRR'00]
     2. Main technique: "derandomization" of LWE: deterministic errors
        Also gives more practical PRGs, GGM-type PRFs, encryption, ...

  21. Synthesizers and PRFs [NaorReingold'95] (7 / 14)
     Synthesizer
     ◮ A deterministic function $S : D \times D \to D$ such that for any $m = \mathrm{poly}$: for $a_1, \ldots, a_m, b_1, \ldots, b_m \leftarrow D$,
         $\{S(a_i, b_j)\}_{i,j} \;\approx_c\; \mathrm{Unif}(D^{m \times m})$.
       Pictured as the $m \times m$ table with rows indexed by the $a_i$ and columns by the $b_j$:
         $\begin{pmatrix} S(a_1,b_1) & S(a_1,b_2) & \cdots \\ S(a_2,b_1) & S(a_2,b_2) & \cdots \\ \vdots & \vdots & \ddots \end{pmatrix}$ vs. $\begin{pmatrix} U_{1,1} & U_{1,2} & \cdots \\ U_{2,1} & U_{2,2} & \cdots \\ \vdots & \vdots & \ddots \end{pmatrix}$
     ◮ Alternative view: an (almost) length-squaring PRG with locality: maps $D^{2m} \to D^{m^2}$, and each output depends on only 2 inputs.

  26. Synthesizers and PRFs [NaorReingold'95]: PRF from Synthesizer, Recursively (8 / 14)
     ◮ Synthesizer $S : D \times D \to D$, where $\{S(a_i, b_j)\} \approx_c \mathrm{Unif}(D^{m \times m})$.
     ◮ Base case: "one-bit" PRF $F_{s_0, s_1}(x) := s_x \in D$. ✔
     ◮ Input doubling: given a $k$-bit PRF family $\mathcal{F} = \{F : \{0,1\}^k \to D\}$, define a $\{0,1\}^{2k} \to D$ function: choose $F_\ell, F_r \leftarrow \mathcal{F}$ and let
         $F_{(F_\ell, F_r)}(x_\ell, x_r) = S\big(F_\ell(x_\ell),\, F_r(x_r)\big)$.
       [Figure: tree for a 4-bit input $x_1 \cdots x_4$. Leaves hold seed pairs $(s_{i,0}, s_{i,1})$, each leaf outputs $s_{i,x_i}$, and three $S$ nodes combine them:
         $F_{\{s_{i,b}\}}(x_1 \cdots x_4) = S\big(S(s_{1,x_1}, s_{2,x_2}),\, S(s_{3,x_3}, s_{4,x_4})\big)$.]
     ◮ Security: the queries $F_\ell(x_\ell)$ and $F_r(x_r)$ define (pseudo)random inputs $a_1, a_2, \ldots \in D$ and $b_1, b_2, \ldots \in D$ for synthesizer $S$.
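The recursion on slides 21 and 26, as an added example that is not code from the slides or the paper: the one-bit base case, the input-doubling step, and the $m \times m$ synthesizer table. The synthesizer here is a SHA-256 stand-in assumed for illustration only; it is neither a provable synthesizer nor the paper's lattice-based one.

```python
# Added example: Naor-Reingold PRF from a synthesizer S, built by repeated input doubling.
# synth() is a heuristic SHA-256 stand-in for S (assumption of this example), with D = 32-byte strings.
import hashlib
import secrets


def synth(a: bytes, b: bytes) -> bytes:
    """Stand-in synthesizer S: D x D -> D."""
    return hashlib.sha256(b"S" + a + b).digest()


def synthesizer_table(a_list, b_list):
    """The m x m table {S(a_i, b_j)} that a real synthesizer must make look uniform."""
    return [[synth(a, b) for b in b_list] for a in a_list]


def keygen(k: int):
    """Key: one seed pair (s_{i,0}, s_{i,1}) per input bit, the leaves of the recursion tree."""
    return [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(k)]


def nr_prf(key, x: str) -> bytes:
    """Evaluate F_{s_{i,b}}(x_1 ... x_k) for k a power of two.

    Level 0 is the base case: the one-bit PRF F_{s_0,s_1}(x_i) = s_{x_i} selects a leaf seed.
    Each further level applies input doubling, S(F_l(x_l), F_r(x_r)), to adjacent halves, so
    the critical path is log2(k) synthesizer calls rather than the k sequential calls of GGM."""
    k = len(key)
    if len(x) != k or k == 0 or k & (k - 1) or any(c not in "01" for c in x):
        raise ValueError("x must be a bit string of length k, with k a power of two")
    layer = [key[i][int(bit)] for i, bit in enumerate(x)]   # base case, all leaves in parallel
    while len(layer) > 1:                                    # one doubling level per iteration
        layer = [synth(layer[j], layer[j + 1]) for j in range(0, len(layer), 2)]
    return layer[0]


def nr_depth(k: int) -> int:
    """Synthesizer calls on the critical path for a k-bit input (k a power of two)."""
    return k.bit_length() - 1
```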

  28. (Ring) Learning With Errors (RLWE) [Regev'05, LPR'10] (9 / 14)
     ◮ For (e.g.) $n$ a power of 2, define the "cyclotomic" polynomial rings
         $R := \mathbb{Z}[x]/(x^n + 1)$ and $R_q := R/qR = \mathbb{Z}_q[x]/(x^n + 1)$.
     ◮ Hard to distinguish $m$ pairs $(a_i,\; a_i \cdot s + e_i) \in R_q \times R_q$ from uniform, where $a_i, s \leftarrow R_q$ uniform and $e_i$ "short."
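Arithmetic in $R_q = \mathbb{Z}_q[x]/(x^n+1)$ and the generation of RLWE pairs $(a_i, a_i \cdot s + e_i)$, as an added example (not from the slides). The parameters $n = 8$, $q = 257$ and errors in $[-1, 1]$ are toy values assumed for this example only and give no security.

```python
# Added example: the ring R_q = Z_q[x]/(x^n + 1) for n a power of 2, and m RLWE samples.
# Toy parameters (assumption of this example): n = 8, q = 257, error coefficients in [-1, 1].
import secrets


def ring_mul(f, g, n, q):
    """Multiply coefficient lists f, g (length n) in Z_q[x]/(x^n + 1).
    Since x^n = -1 in this ring, the product is a negacyclic convolution: a term that would
    land at degree n + j wraps to degree j with its sign flipped."""
    out = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            d = i + j
            if d < n:
                out[d] = (out[d] + fi * gj) % q
            else:
                out[d - n] = (out[d - n] - fi * gj) % q
    return out


def ring_add(f, g, q):
    """Coefficient-wise addition in R_q."""
    return [(a + b) % q for a, b in zip(f, g)]


def uniform_poly(n, q):
    """Uniform element of R_q."""
    return [secrets.randbelow(q) for _ in range(n)]


def short_poly(n, q, bound=1):
    """A 'short' error polynomial: every coefficient in [-bound, bound], stored mod q."""
    return [(secrets.randbelow(2 * bound + 1) - bound) % q for _ in range(n)]


def rlwe_samples(s, m, n, q, bound=1):
    """m RLWE pairs (a_i, b_i = a_i*s + e_i) with a_i uniform in R_q and e_i short.
    The random e_i is what the slides' 'derandomization' technique replaces with a
    deterministic error (that step is not shown here)."""
    pairs = []
    for _ in range(m):
        a = uniform_poly(n, q)
        e = short_poly(n, q, bound)
        pairs.append((a, ring_add(ring_mul(a, s, n, q), e, q)))
    return pairs
```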
