
Pseudorandom Functions and Lattices

Abhishek Banerjee (Georgia Tech), Chris Peikert (Georgia Tech), Alon Rosen (IDC Herzliya)

Faces of Modern Cryptography, 9 September 2011


Pseudorandom Functions [GGM’84]

◮ A family F = {F_s : {0,1}^k → D} such that, given adaptive query access, F_s ← F ≈_c a random function U (≈_c: computationally indistinguishable). The distinguisher sends queries x_i and receives either F_s(x_i) or U(x_i), and must tell which. (The “seed” or “secret key” for F_s is s.)
◮ Oodles of applications in symmetric cryptography: (efficient) encryption, identification, authentication, ...

(Images courtesy xkcd.org)


How to Construct PRFs

1 Heuristically: AES, Blowfish.
  ✔ Fast!
  ✔ Withstand known cryptanalytic techniques (linear, differential, ...)
  ✗ PRF security is subtle: want provable (reductionist) guarantees

2 Goldreich-Goldwasser-Micali [GGM’84]
  ✔ Based on any (doubling) PRG: F_s(x_1 ··· x_k) = G_{x_k}(··· G_{x_1}(s) ···)
  ✗ Inherently sequential: ≥ k iterations (circuit depth)

3 Naor-Reingold / Naor-Reingold-Rosen [NR’95, NR’97, NRR’00]
  ✔ Based on “synthesizers” or number theory (DDH, factoring)
  ✔ Low-depth: NC², NC¹ or even TC⁰ [O(1) depth with threshold gates]
  ✗ Huge circuits that need mucho preprocessing
  ✗ No “post-quantum” construction under standard assumptions
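As an added illustration of the GGM construction in item 2 (example code written for this page, not code from the slides or their authors): a GGM PRF built over a length-doubling PRG. The PRG is a SHA-256 stand-in chosen only so the example runs offline; it is an assumption, not a PRG the slides propose. What the code makes visible is the chain of k dependent PRG calls, one per input bit, which is the depth cost the slide points out.

```python
import hashlib

# Stand-in for a length-doubling PRG G: {0,1}^256 -> {0,1}^512, split into
# halves G(s) = (G_0(s), G_1(s)).  Using SHA-256 this way is an assumption made
# so the example runs offline; the slides only require *some* doubling PRG.
SEED_BYTES = 32


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Return the two halves (G_0(seed), G_1(seed)) of the doubling PRG."""
    assert len(seed) == SEED_BYTES
    g0 = hashlib.sha256(b"\x00" + seed).digest()
    g1 = hashlib.sha256(b"\x01" + seed).digest()
    return g0, g1


def ggm_prf(seed: bytes, x: str) -> bytes:
    """GGM PRF: F_s(x_1 ... x_k) = G_{x_k}( ... G_{x_1}(s) ... ).

    Bit x_1 is applied first (innermost), bit x_k last.  Each PRG call needs
    the previous call's output, so a k-bit input costs k sequential PRG
    evaluations; no amount of parallel hardware shortens that chain.
    """
    assert set(x) <= {"0", "1"}, "input must be a bit string"
    state = seed
    for bit in x:
        g0, g1 = prg(state)
        state = g1 if bit == "1" else g0
    return state


if __name__ == "__main__":
    s = bytes(range(SEED_BYTES))      # constructed demo seed, never a real key
    for x in ("0000", "0001", "1111"):
        print(x, ggm_prf(s, x).hex()[:16], "...")
```

Doubling the input length k doubles the length of the dependent chain, which is exactly why the generic GGM route cannot give the low-depth circuits the rest of the talk is after.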


Why Not Try Lattices?

[figure: lattices ⇒ PRF F_s ← F ?]

Advantages of Lattice Crypto Schemes
◮ Simple & efficient: linear, highly parallel operations
◮ Resist quantum attacks (so far)
◮ Secure under worst-case hardness assumptions [Ajtai’96, ...]

Disadvantages
✗ Only known PRF is generic GGM (not parallel or efficient)
✗✗ We don’t even have practical PRGs from lattices: biased errors


Our Results

1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE
  ⋆ Synthesizer-based PRF in TC¹ ⊆ NC², à la [NR’95]
  ⋆ Direct construction in TC⁰ ⊆ NC¹, analogous to [NR’97, NRR’00]

2 Main technique: “derandomization” of LWE: deterministic errors
  Also gives more practical PRGs, GGM-type PRFs, encryption, ...


Synthesizers and PRFs [NaorReingold’95]

Synthesizer
◮ A deterministic function S: D × D → D such that for any m = poly: for a_1, ..., a_m, b_1, ..., b_m ← D, the m×m table { S(a_i, b_j) } ≈_c Unif(D^{m×m}).

        b_1          b_2          ···            U_{1,1}  U_{1,2}  ···
  a_1   S(a_1, b_1)  S(a_1, b_2)  ···     vs.    U_{2,1}  U_{2,2}  ···
  a_2   S(a_2, b_1)  S(a_2, b_2)  ···            ...
  ...

◮ Alternative view: an (almost) length-squaring PRG with locality: maps D^{2m} → D^{m²}, and each output depends on only 2 inputs.


Synthesizers and PRFs [NaorReingold’95]

PRF from Synthesizer, Recursively
◮ Synthesizer S: D × D → D, where { S(a_i, b_j) } ≈_c Unif(D^{m×m}).
◮ Base case: “one-bit” PRF F_{s_0,s_1}(x) := s_x ∈ D. ✔
◮ Input doubling: given a k-bit PRF family F = {F: {0,1}^k → D}, define a {0,1}^{2k} → D function: choose F_ℓ, F_r ← F and let
    F_{(F_ℓ,F_r)}(x_ℓ, x_r) = S( F_ℓ(x_ℓ) , F_r(x_r) ).
  Unrolled for k = 4, a depth-2 tree of synthesizers over leaf secrets s_{i,b}, where leaf i contributes s_{i,x_i} chosen from (s_{i,0}, s_{i,1}):
    F_{{s_{i,b}}}(x_1 ··· x_4) = S( S(s_{1,x_1}, s_{2,x_2}) , S(s_{3,x_3}, s_{4,x_4}) ).
◮ Security: the queries F_ℓ(x_ℓ) and F_r(x_r) define (pseudo)random inputs a_1, a_2, ... ∈ D and b_1, b_2, ... ∈ D for synthesizer S.


(Ring) Learning With Errors (RLWE) [Regev’05, LPR’10]

◮ For (e.g.) n a power of 2, define “cyclotomic” polynomial rings R := Z[x]/(x^n + 1) and R_q := R/qR = Z_q[x]/(x^n + 1).
◮ Hard to distinguish m pairs (a_i, a_i · s + e_i) ∈ R_q × R_q from uniform, where a_i, s ← R_q uniform and e_i “short.”
◮ By a hybrid argument, for s_1, s_2, ... ← R_q one can’t distinguish m tuples (a_i, a_i · s_1 + e_{i,1}, a_i · s_2 + e_{i,2}, ...) from uniform.

An RLWE-Based Synthesizer?

        s_1                  s_2                  ···
  a_1   a_1 · s_1 + e_{1,1}  a_1 · s_2 + e_{1,2}  ···
  a_2   a_2 · s_1 + e_{2,1}  a_2 · s_2 + e_{2,2}  ···
  ...                                             ...

✔ {a_i · s_j + e_{i,j}} ≈_c Uniform, but...
✗ Where do the e_{i,j} come from? A synthesizer must be deterministic...


“Learning With Rounding” (LWR) [This work]

◮ IDEA: generate errors deterministically by rounding Z_q to a “sparse” subset (e.g. a subgroup). (Common in decryption to remove error.)
  Let p < q and define ⌊x⌉_p = ⌊(p/q) · x⌉ mod p.
  [figure: the elements 1, 2, ..., 23 of Z_q collapsed by rounding onto a much smaller set]
◮ Ring-LWR problem: distinguish any m = poly pairs (a_i, ⌊a_i · s⌉_p) ∈ R_q × R_p from uniform.
  Interpretation: LWE conceals low-order bits by adding small random error. LWR just discards those bits instead.
◮ We prove LWE ≤ LWR for q ≥ p · n^{ω(1)} [but LWR seems 2^n-hard already for q ≥ p · √n].
  Main idea: w.h.p., (a, ⌊a · s + e⌉_p) = (a, ⌊a · s⌉_p), and (a, ⌊Unif(Z_q)⌉_p) = (a, Unif(Z_p)).
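To make the rounding concrete, here is a scalar (Z_q rather than R_q) version of ⌊·⌉_p together with both facts in the “main idea” line, written as an added example for this page, not code from the paper or its authors. The parameters q = 1024, p = 16 and error bound 3 are constructed toy values, and the function names are mine. The disagreement count is exhaustive over Z_q, so the probability it reports is exact for those parameters rather than an estimate.

```python
import math
from fractions import Fraction


def round_to_p(x: int, q: int, p: int) -> int:
    """⌊x⌉_p = ⌊(p/q) · x⌉ mod p for x ∈ Z_q, with p < q.

    Fraction keeps (p/q)·x exact; ⌊·⌉ is round-to-nearest with ties rounded
    up (one consistent choice; the slides do not fix the tie rule)."""
    scaled = Fraction(p * (x % q), q)
    return math.floor(scaled + Fraction(1, 2)) % p


def lwr_sample(a: int, s: int, q: int, p: int) -> tuple[int, int]:
    """One (scalar) LWR pair (a, ⌊a · s⌉_p) ∈ Z_q × Z_p: no error is drawn,
    the low-order information is simply discarded by the rounding."""
    return a, round_to_p(a * s, q, p)


def lwe_sample_rounded(a: int, s: int, e: int, q: int, p: int) -> int:
    """⌊a · s + e⌉_p: an LWE sample with explicit error e, then rounded.
    For small e this equals the LWR value unless a·s sits near a boundary."""
    return round_to_p(a * s + e, q, p)


def disagreement_fraction(q: int, p: int, bound: int) -> Fraction:
    """Exact fraction of pairs (x, e), x ∈ Z_q, |e| ≤ bound, for which
    ⌊x + e⌉_p ≠ ⌊x⌉_p.  Only x within `bound` of one of the p rounding
    boundaries can be affected, so the fraction is at most about 2·bound·p/q.
    This is the first half of the slide's main idea: w.h.p. the rounded LWE
    sample equals the LWR sample."""
    bad = total = 0
    for x in range(q):
        for e in range(-bound, bound + 1):
            total += 1
            if round_to_p(x + e, q, p) != round_to_p(x, q, p):
                bad += 1
    return Fraction(bad, total)


def rounding_histogram(q: int, p: int) -> list[int]:
    """How many x ∈ Z_q round to each residue of Z_p.  When p divides q every
    residue has exactly q/p preimages, so ⌊Unif(Z_q)⌉_p is exactly Unif(Z_p):
    the second half of the slide's main idea."""
    counts = [0] * p
    for x in range(q):
        counts[round_to_p(x, q, p)] += 1
    return counts


if __name__ == "__main__":
    q, p, bound = 1024, 16, 3          # constructed toy parameters
    a, s = 5, 7
    print("LWR pair:", lwr_sample(a, s, q, p))
    for e in (2, -5):
        print(f"rounded LWE sample with e={e}:", lwe_sample_rounded(a, s, e, q, p))
    print("P[rounding disagrees] =", disagreement_fraction(q, p, bound))
    print("rounded uniform is uniform:", len(set(rounding_histogram(q, p))) == 1)
```

With q/p = 64 and errors of size at most 3, fewer than 3% of (sample, error) pairs round differently; the proof needs that probability small across all m samples at once, which is where the q ≥ p · n^{ω(1)} gap in the reduction comes from.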


LWR-Based Synthesizer & PRF

◮ Synthesizer S: R_q × R_q → R_p is S(a, s) = ⌊a · s⌉_p. Note: the range R_p is slightly smaller than the domain R_q. (Limits composition.)

PRF on Domain {0,1}^k, k = 2^d
◮ Public moduli q_d > q_{d−1} > ··· > q_0.
◮ Secret key is 2k ring elements s_{i,b} ∈ R_{q_d} for i ∈ [k], b ∈ {0,1}.
◮ Depth d = lg k tree of LWR synthesizers; for k = 8:
    F_{{s_{i,b}}}(x_1 ··· x_8) = ⌊ ⌊ ⌊s_{1,x_1} · s_{2,x_2}⌉_{q_2} · ⌊s_{3,x_3} · s_{4,x_4}⌉_{q_2} ⌉_{q_1} · ⌊ ⌊s_{5,x_5} · s_{6,x_6}⌉_{q_2} · ⌊s_{7,x_7} · s_{8,x_8}⌉_{q_2} ⌉_{q_1} ⌉_{q_0}
◮ Craig’s talk: déjà vu...


Shallower? More Efficient?

◮ Synth-based PRF is log k levels of NC¹ synthesizers ⇒ NC².
◮ [NR’97, NRR’00]: direct PRFs from DDH / factoring, in TC⁰ ⊆ NC¹:
    F_{g,s_1,...,s_k}(x_1 ··· x_k) = g^{∏_i s_i^{x_i}}
  (Computing this in TC⁰ needs huge circuits, though...)

Direct LWE-Based Construction
◮ Public moduli q > p.
◮ Secret key is uniform a ← R_q and short s_1, ..., s_k ∈ R.
◮ “Rounded subset-product” function:
    F_{a,s_1,...,s_k}(x_1 ··· x_k) = ⌊ a · ∏_{i=1}^{k} s_i^{x_i} mod q ⌉_p
  Has a small(ish) TC⁰ circuit, via CRT and reduction to subset-sum.
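A worked instantiation of both the LWR synthesizer tree from the previous slide and the direct rounded subset-product PRF from this one, as example code written for this page rather than code from the authors: it implements the ring R_q = Z_q[x]/(x^n + 1) by schoolbook negacyclic multiplication, coefficient-wise rounding ⌊·⌉_p, the synthesizer S(a, s) = ⌊a · s⌉_p, the depth-lg k tree with moduli q_d > ··· > q_0, and F_{a,s_1,...,s_k}. The toy parameters (n = 8, moduli from 2^12 down to 2^6, secrets with coefficients in {−1, 0, 1}) and all function names are my own constructions for illustration and are nowhere near secure sizes.

```python
import random


def ring_mul(f: list[int], g: list[int], q: int) -> list[int]:
    """Multiply f·g in R_q = Z_q[x]/(x^n + 1); f, g are coefficient lists of
    length n (index = degree).  Since x^n ≡ -1, a product term of degree
    n + j folds back to degree j with its sign flipped (negacyclic wrap)."""
    n = len(f)
    assert len(g) == n
    out = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                out[k] = (out[k] + fi * gj) % q
            else:
                out[k - n] = (out[k - n] - fi * gj) % q
    return out


def ring_round(f: list[int], q: int, p: int) -> list[int]:
    """Coefficient-wise ⌊·⌉_p : R_q → R_p, ⌊c⌉_p = ⌊(p/q)·c⌉ mod p, computed
    exactly in integers as floor((2·p·c + q) / (2·q)) mod p (ties round up)."""
    return [((2 * p * (c % q) + q) // (2 * q)) % p for c in f]


def lwr_synth(a: list[int], s: list[int], q: int, p: int) -> list[int]:
    """LWR synthesizer S(a, s) = ⌊a · s⌉_p : R_q × R_q → R_p."""
    return ring_round(ring_mul(a, s, q), q, p)


def synth_tree_prf(key, moduli: list[int], x: list[int]) -> list[int]:
    """Synthesizer-tree PRF on k = 2^d bits.

    key[i][b] is s_{i,b} ∈ R_{q_d}; moduli = [q_0, q_1, ..., q_d] ascending.
    Level j pairs up neighbours with S: R_{q_j} × R_{q_j} → R_{q_{j-1}}, so
    the tree has depth d = lg k and the output lives in R_{q_0}."""
    d = len(moduli) - 1
    assert len(x) == 2 ** d == len(key)
    level = [key[i][bit] for i, bit in enumerate(x)]      # leaves s_{i, x_i}
    for j in range(d, 0, -1):
        q_in, q_out = moduli[j], moduli[j - 1]
        level = [lwr_synth(level[t], level[t + 1], q_in, q_out)
                 for t in range(0, len(level), 2)]
    return level[0]


def direct_prf(a: list[int], secrets: list[list[int]], q: int, p: int,
               x: list[int]) -> list[int]:
    """Rounded subset-product PRF: ⌊ a · ∏_{i : x_i = 1} s_i mod q ⌉_p.
    Up to k ring multiplications in R_q, then a single rounding to R_p."""
    acc = a
    for s_i, bit in zip(secrets, x):
        if bit:
            acc = ring_mul(acc, s_i, q)
    return ring_round(acc, q, p)


def keygen_synth(n: int, k: int, q_top: int, rng: random.Random):
    """2k uniform elements s_{i,b} ∈ R_{q_d} (q_top = q_d)."""
    return [[[rng.randrange(q_top) for _ in range(n)] for _ in (0, 1)]
            for _ in range(k)]


def keygen_direct(n: int, k: int, q: int, rng: random.Random, bound: int = 1):
    """Uniform a ∈ R_q and k 'short' s_i ∈ R with coefficients in [-bound, bound],
    stored mod q."""
    a = [rng.randrange(q) for _ in range(n)]
    secrets = [[rng.randint(-bound, bound) % q for _ in range(n)] for _ in range(k)]
    return a, secrets


if __name__ == "__main__":
    rng = random.Random(2011)         # fixed seed: demo only, never a real key
    n = 8                             # toy ring dimension (a power of 2)
    x = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed 8-bit input
    # Synthesizer-tree PRF on k = 8 bits with q_3 > q_2 > q_1 > q_0.
    moduli = [2 ** 6, 2 ** 8, 2 ** 10, 2 ** 12]
    key = keygen_synth(n, 8, moduli[-1], rng)
    print("tree PRF  :", synth_tree_prf(key, moduli, x))
    # Direct rounded subset-product PRF on k = 8 bits with q > p.
    q, p = 2 ** 12, 2 ** 4
    a, secrets = keygen_direct(n, 8, q, rng)
    print("direct PRF:", direct_prf(a, secrets, q, p, x))
```

The tree output lands in R_{q_0}, the smallest modulus, which is the composition limit noted on the synthesizer slide: each level discards lg(q_j / q_{j−1}) bits per coefficient, so d levels need d strictly decreasing moduli. The direct construction rounds only once and so needs just q > p, at the price of a product of up to k secrets before that single rounding.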


Proof Outline

◮ Seed is uniform a ∈ R_q and short s_1, ..., s_k ∈ R.
    F_{a,s_1,...,s_k}(x_1 ··· x_k) = ⌊ a · s_1^{x_1} ··· s_k^{x_k} mod q ⌉_p
◮ Like the LWE ≤ LWR proof, but “souped up” to handle queries.
  Thought experiment: answer queries with
    F̃(x) := ⌊ (a · s_1^{x_1} + x_1·e_{x_1}) · s_2^{x_2} ··· s_k^{x_k} ⌉_p = ⌊ a · ∏_{i=1}^{k} s_i^{x_i} + x_1·e_{x_1} · ∏_{i=2}^{k} s_i^{x_i} ⌉_p
  W.h.p., F̃(x) = F(x) on all queries due to “small” error & rounding.
◮ Replace (a, a · s_1 + e_{x_1}) with uniform (a_0, a_1) [ring-LWE].
  ⇒ New function F′(x) = ⌊a_{x_1} · s_2^{x_2} ··· s_k^{x_k}⌉_p.
◮ Repeat for s_2, s_3, ... until F′′′′′′(x) = ⌊a_x⌉_p = Uniform func.


Open Questions

1 Better (worst-case) hardness for LWR, e.g. for q/p = √n?
  (The proof from LWE relies on approximation factor and modulus = n^{ω(1)}.)

2 Synth-based PRF relies on approximation factor and modulus = n^{Θ(log k)}.
  Direct construction relies on approximation factor and modulus = n^{Θ(k)}.
  Are such strong assumptions necessary (even for these constructions)?
  Conjecture (?): direct PRF is secure for integral q/p = poly(n).

3 Efficient PRF from parity with noise (LPN)?

4 Efficient PRF from subset sum?

Thanks! Full paper: ePrint report #2011/401
