session 6 another application of lwe pseudorandom
play

Session #6: Another Application of LWE: Pseudorandom Functions - PowerPoint PPT Presentation

Sep 19, 2023 •321 likes •853 views

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

  1. Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/12

  2. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random fct U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) (Images courtesy xkcd.org) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/12

  3. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random fct U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) ◮ Countless applications in symmetric cryptography: (efficient) encryption, authentication, friend-or-foe . . . (Images courtesy xkcd.org) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/12

  4. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  5. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  6. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  7. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  8. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold(-Rosen) [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  9. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold(-Rosen) [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] ✗ Huge circuits that need much preprocessing ✗ No “post-quantum” construction under standard assumptions Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  10. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  11. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  12. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  13. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  14. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  15. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: “derandomization” of LWE: deterministic errors Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  16. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  17. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  18. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . ◮ Alternative view: an (almost) length-squaring PRG with locality: maps D 2 m → D m 2 , and each output depends on only 2 inputs. Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  19. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  20. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  21. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  22. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 ,x 1 S s 2 , 0 , s 2 , 1 s 2 ,x 2 F { s i,b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 ,x 3 S s 4 , 0 , s 4 , 1 s 4 ,x 4 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015

Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015

Application of Information Theory, Lecture 11 Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 1 / 23 Part I

1.42k views • 122 slides
Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano, Carlos Maltzahn, Scott Brandt University of California, Santa Cruz The Load Balancing Problem Pseudorandom placement for distributed storage

513 views • 12 slides
Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech 2 IDC Herzliya Faces of Modern Cryptography 9 September 2011 1 / 14 2 / 14 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 }

1.03k views • 59 slides
Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Pseudorandomness Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Random Bit Generation Pseudorandom Bit Generation

379 views • 17 slides
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown University) Venkata Koppula (University of Texas at Austin) Brent Waters (University of Texas at Austin) Pseudorandom Functions (Goldreich-Goldwasser-Micali

1.96k views • 97 slides
Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &

Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &

Introduction Lab Details Our Experience Conclusion Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto & University of British Columbia July 5, 2012 Teaching Labs on Pseudorandom Number Generation

192 views • 16 slides
TCP Overview Application Application Applications Jeff Chase Presentation Presentation

TCP Overview Application Application Applications Jeff Chase Presentation Presentation

The Internet Protocol Suite TCP Overview Application Application Applications Jeff Chase Presentation Presentation Presentation Duke University Session Session Session UDP TCP Transport Transport Waist Network Network Data link

564 views • 13 slides
Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu Cryptologic Research Center joint work with (John Steinberger) Outline Introduction to LPN Decisional and Computational LPN

416 views • 15 slides
Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina

Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina

Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina Garbled Circuits Fundamental cryptographic primitive Possess many useful properties Homomorphic Functional General-purpose

918 views • 23 slides
Symmetric encrypBon CS642: Computer Security Professor

Symmetric encrypBon CS642: Computer Security Professor

Symmetric encrypBon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

389 views • 34 slides
Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen

Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen

Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen NCSU , DUKE UNIVERSITY google->kaltofen 2 Computations for the Cloud: RSA Challenge RSA220 =

543 views • 38 slides
1 Scenario I: Semantic Parsing [CoNLL 10 ,ACL 11 ] Scenario II. The language-world

1 Scenario I: Semantic Parsing [CoNLL 10 ,ACL 11 ] Scenario II. The language-world

Can we rely on this interaction to provide supervision? Connecting Language to the World Can I get a coffee with sugar and no milk Learning Great ! from Natural Instructions Arggg Semantic Parser MAKE(COFFEE,SUGAR=YES,MILK=NO) Dan Roth

820 views • 14 slides
Driving Semantic Parsing from the Worlds Response James Clarke , Dan Goldwasser, Ming-Wei

Driving Semantic Parsing from the Worlds Response James Clarke , Dan Goldwasser, Ming-Wei

Driving Semantic Parsing from the Worlds Response James Clarke , Dan Goldwasser, Ming-Wei Chang, Dan Roth Cognitive Computation Group University of Illinois at Urbana-Champaign CoNLL 2010 Clarke, Goldwasser, Chang, Roth 1 What is Semantic

1.07k views • 78 slides
Ou Outso source urced Co Comp mputatio tation Graham Cormode G.Cormode@warwick.ac.uk Amit

Ou Outso source urced Co Comp mputatio tation Graham Cormode G.Cormode@warwick.ac.uk Amit

St Streamin aming g Ve Verifica ficatio tion n of Ou Outso source urced Co Comp mputatio tation Graham Cormode G.Cormode@warwick.ac.uk Amit Chakrabarti (Dartmouth) Andrew McGregor (U Mass Amherst) Michael Mitzenmacher (Harvard)

857 views • 19 slides
Physical Zero-Knowledge Proofs for Akari, Takuzu, Kakuro and KenKen X. Bultel 1 J. Dreier 2 J-G.

Physical Zero-Knowledge Proofs for Akari, Takuzu, Kakuro and KenKen X. Bultel 1 J. Dreier 2 J-G.

Physical Zero-Knowledge Proofs for Akari, Takuzu, Kakuro and KenKen X. Bultel 1 J. Dreier 2 J-G. Dumas 3 P. Lafourcade 1 1 LIMOS, University Clermont Auvergne, France 2 Universit e de Lorraine, LORIA, Nancy, France 3 LJK, Universit e Grenoble

1.01k views • 47 slides
r

r

r r

424 views • 4 slides

More recommend