Session #6: Another Application of LWE: Pseudorandom Functions


SLIDE 1

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert

Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012

Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/12

SLIDE 3

Pseudorandom Functions [GGM'84]

◮ A family $\mathcal{F} = \{F_s : \{0,1\}^k \to D\}$ such that, given adaptive query access, $F_s \leftarrow \mathcal{F}$ is computationally indistinguishable ($\stackrel{c}{\approx}$) from a uniformly random function $U : \{0,1\}^k \to D$: the distinguisher submits queries $x_i$ and receives either $F_s(x_i)$ or $U(x_i)$, and must tell which oracle it is talking to. (The "seed" or "secret key" for $F_s$ is $s$.)
◮ Countless applications in symmetric cryptography: (efficient) encryption, authentication, friend-or-foe, ...

(Images courtesy xkcd.org)

SLIDE 9

How to Construct PRFs

1 Heuristically: AES etc.
  ✔ Fast!
  ✔ Withstand known cryptanalytic techniques (linear, differential, ...)
  ✗ PRF security is subtle: want provable (reductionist) guarantees

2 Goldreich-Goldwasser-Micali [GGM'84]
  ✔ Based on any (length-doubling) PRG $G = (G_0, G_1)$: $F_s(x_1 \cdots x_k) = G_{x_k}(\cdots G_{x_1}(s) \cdots)$
  ✗ Inherently sequential: $\geq k$ iterations (circuit depth)

3 Naor-Reingold(-Rosen) [NR'95, NR'97, NRR'00]
  ✔ Based on "synthesizers" or number theory (DDH, factoring)
  ✔ Low-depth: $\mathrm{NC}^2$, $\mathrm{NC}^1$ or even $\mathrm{TC}^0$ [$O(1)$ depth with threshold gates]
  ✗ Huge circuits that need much preprocessing
  ✗ No "post-quantum" construction under standard assumptions
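The GGM tree of item 2 above, as an added example that is not part of the original slides or of [GGM'84]: a length-doubling PRG $G = (G_0, G_1)$ is walked one input bit at a time starting from the seed. SHA-256 with a domain-separation byte is assumed here as a stand-in for a real PRG (an assumption for illustration; the GGM reduction requires a genuine PRG). The loop makes exactly $k$ PRG calls in strict sequence, which is the depth cost the slide lists against GGM.

```python
import hashlib

# Added example (not from the slides or [GGM'84]): GGM tree PRF from a
# length-doubling PRG. Assumption: SHA-256 with a domain-separation byte stands
# in for a provably secure PRG G; the GGM proof needs a real PRG here.

SEED_LEN = 32  # bytes; G maps SEED_LEN bytes to 2 * SEED_LEN bytes


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = G_0(s) || G_1(s), each half SEED_LEN bytes."""
    if len(seed) != SEED_LEN:
        raise ValueError("PRG seed must be %d bytes" % SEED_LEN)
    g0 = hashlib.sha256(seed + b"\x00").digest()
    g1 = hashlib.sha256(seed + b"\x01").digest()
    return g0, g1


def ggm_prf(seed: bytes, x: str) -> bytes:
    """F_s(x_1 ... x_k) = G_{x_k}( ... G_{x_1}(s) ... ) for a bit string x.

    Bit x_i selects which half of the i-th PRG output survives: a walk from the
    root to leaf x of a binary tree of depth k. The k PRG calls are strictly
    sequential, which is the circuit-depth drawback the slide flags.
    """
    if any(c not in "01" for c in x):
        raise ValueError("x must be a string of 0/1 characters")
    state = seed
    for bit in x:
        state = prg(state)[int(bit)]
    return state


def ggm_prf_bytes(seed: bytes, msg: bytes) -> bytes:
    """Evaluate the PRF on a fixed-length byte input by expanding it to
    k = 8 * len(msg) bits (MSB first). Keep the input length fixed under one
    key: the domain is {0,1}^k, and mixing lengths needs an explicit encoding."""
    bits = "".join(format(b, "08b") for b in msg)
    return ggm_prf(seed, bits)
```

Every evaluation costs `len(x)` dependent SHA-256 calls; no parallelism is available inside one evaluation because call $i$ consumes the output of call $i-1$.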

SLIDE 15

PRFs from Lattices?

The Hope
◮ Lattices ⇒ simple, highly parallel, practically efficient ... PRFs?

The Reality
✗ Only known PRF is generic GGM (not parallel or very efficient)
✗✗ We don't even have practical PRGs from lattices: biased errors

New Results [BPR'12]
1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE
  ⋆ Synthesizer-based PRF in $\mathrm{TC}^1 \subseteq \mathrm{NC}^2$, à la [NR'95]
  ⋆ Direct construction in $\mathrm{TC}^0 \subseteq \mathrm{NC}^1$, analogous to [NR'97, NRR'00]
2 Main technique: "derandomization" of LWE: deterministic errors

SLIDE 18

Synthesizers and PRFs [NaorReingold'95]

Synthesizer
◮ A deterministic function $S : D \times D \to D$ such that for any $m = \mathrm{poly}$: for uniform $a_1, \ldots, a_m, b_1, \ldots, b_m \leftarrow D$, the $m \times m$ table $\{ S(a_i, b_j) \} \stackrel{c}{\approx} \mathrm{Unif}(D^{m \times m})$:

             b_1           b_2        ...
  a_1    S(a_1, b_1)   S(a_1, b_2)    ...          U_{1,1}   U_{1,2}   ...
  a_2    S(a_2, b_1)   S(a_2, b_2)    ...    vs.   U_{2,1}   U_{2,2}   ...
  ...        ...           ...                       ...       ...

◮ Alternative view: an (almost) length-squaring PRG with locality: maps $D^{2m} \to D^{m^2}$, and each output depends on only 2 inputs.

SLIDE 23

Synthesizers and PRFs [NaorReingold'95]

PRF from Synthesizer, Recursively
◮ Synthesizer $S : D \times D \to D$, where $\{ S(a_i, b_j) \} \stackrel{c}{\approx} \mathrm{Unif}(D^{m \times m})$.
◮ Base case: "one-bit" PRF $F_{s_0, s_1}(x) := s_x \in D$. ✔
◮ Input doubling: given a $k$-bit PRF family $\mathcal{F} = \{F : \{0,1\}^k \to D\}$, define a $\{0,1\}^{2k} \to D$ function with seed $F_\ell, F_r \leftarrow \mathcal{F}$:
  $F_{(F_\ell, F_r)}(x_\ell, x_r) = S\big( F_\ell(x_\ell),\; F_r(x_r) \big)$.

  Unrolled for $k = 4$, with leaves $s_{i,x_i}$ chosen from the seed pairs $(s_{i,0}, s_{i,1})$:
  $F_{\{s_{i,b}\}}(x_1 \cdots x_4) = S\big( S(s_{1,x_1}, s_{2,x_2}),\; S(s_{3,x_3}, s_{4,x_4}) \big)$.

◮ Security: the queries $F_\ell(x_\ell)$ and $F_r(x_r)$ define (pseudo)random inputs $a_1, a_2, \ldots \in D$ and $b_1, b_2, \ldots \in D$ to the synthesizer $S$.

SLIDE 28

LWE ⇒ Synthesizer?

◮ Hard to distinguish pairs $(a_i \in \mathbb{Z}_q^n,\; b_i = \langle a_i, s \rangle + e_i)$ from uniform $(a_i, b_i)$.
◮ By a hybrid argument, can't distinguish tuples
  $(A_i \in \mathbb{Z}_q^{n \times n},\; A_i \cdot S_1 + E_{i,1} \in \mathbb{Z}_q^{n \times n},\; A_i \cdot S_2 + E_{i,2} \in \mathbb{Z}_q^{n \times n},\; \ldots)$
  from uniform.

An LWE-Based Synthesizer?

               S_1                    S_2             ...
  A_1    A_1·S_1 + E_{1,1}     A_1·S_2 + E_{1,2}     ...
  A_2    A_2·S_1 + E_{2,1}     A_2·S_2 + E_{2,2}     ...
  ...           ...                    ...

✔ $\{ A_i \cdot S_j + E_{i,j} \} \stackrel{c}{\approx}$ Uniform, but ...
✗ What about $E_{i,j}$? A synthesizer must be deterministic ...

SLIDE 34

"Learning With Rounding" (LWR) [BPR'12]

◮ IDEA: generate errors deterministically by rounding $\mathbb{Z}_q$ to a "sparse" subset (e.g. the subgroup $\mathbb{Z}_p$). (Common in decryption to remove error.) Let $p < q$ and define $\lfloor x \rceil_p = \lfloor (p/q) \cdot x \rceil \bmod p$.

  [Figure: the number line $1, 2, \ldots, 23$ of $\mathbb{Z}_q$ collapses under $\lfloor \cdot \rceil_p$ onto the few points of $\mathbb{Z}_p$; each point of $\mathbb{Z}_p$ absorbs a contiguous band of about $q/p$ values.]

◮ LWR problem: distinguish any $m = \mathrm{poly}$ pairs $\big( a_i,\; \lfloor \langle a_i, s \rangle \rceil_p \big) \in \mathbb{Z}_q^n \times \mathbb{Z}_p$ from uniform.
  Interpretation: LWE conceals the low-order bits by adding small random error; LWR just discards those bits instead.
◮ We prove LWE ≤ LWR for $q \geq p \cdot n^{\omega(1)}$ [but it seems $2^n$-hard for $q \geq p\sqrt{n}$].
  Proof idea: w.h.p., $( a, \lfloor \langle a, s \rangle + e \rceil_p ) = ( a, \lfloor \langle a, s \rangle \rceil_p )$, and $( a, \lfloor \mathrm{Unif}(\mathbb{Z}_q) \rceil_p ) = ( a, \mathrm{Unif}(\mathbb{Z}_p) )$ (exactly when $p \mid q$; within statistical distance $O(p/q)$ otherwise). The first equality fails only when $\langle a, s \rangle$ lands within $|e|$ of one of the $p$ rounding boundaries, which is why the reduction needs $q/p$ large compared to the error.
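Added example, not from the slides or from [BPR'12]: the rounding map $\lfloor \cdot \rceil_p$ in exact integer arithmetic, LWR sample generation, and a check of the proof idea above. `rounding_error_fraction` counts exactly which $x \in \mathbb{Z}_q$ have an error of magnitude at most $B$ that moves $\lfloor x + e \rceil_p$ away from $\lfloor x \rceil_p$; only the roughly $2B$ values around each of the $p$ rounding boundaries do, so an LWE sample and its LWR counterpart disagree with probability about $2Bp/q$. The bounded-uniform error, the dimension and the moduli are toy assumptions for illustration, not [BPR'12]'s parameters.

```python
import random

# Added example (not from the slides or [BPR'12]): the rounding map ⌊x⌉_p,
# LWR sample generation, and the "small error is absorbed by rounding" check.
# All parameters below are toy values chosen for illustration.


def round_to_p(x: int, q: int, p: int) -> int:
    """⌊x⌉_p = ⌊(p/q)·x⌉ mod p for x in Z_q, exact integer arithmetic.
    Since ⌊y⌉ = floor(y + 1/2), ⌊p·x/q⌉ = floor((2·p·x + q) / (2·q))."""
    return ((2 * p * (x % q) + q) // (2 * q)) % p


def inner_mod(a: list[int], s: list[int], q: int) -> int:
    """<a, s> mod q."""
    return sum(ai * si for ai, si in zip(a, s)) % q


def lwr_samples(s: list[int], q: int, p: int, m: int, rng: random.Random):
    """m LWR pairs (a_i, ⌊<a_i, s>⌉_p) with a_i uniform over Z_q^n.
    The only randomness is a_i: the 'error' is whatever rounding discards."""
    n = len(s)
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        out.append((a, round_to_p(inner_mod(a, s, q), q, p)))
    return out


def rounding_error_fraction(q: int, p: int, bound: int) -> float:
    """Exact fraction of x in Z_q for which some e with |e| <= bound gives
    ⌊x + e⌉_p != ⌊x⌉_p: the probability, over a uniform <a, s>, that an LWE
    sample and the LWR sample with the same a round differently.
    Exhaustive over Z_q, so call it with a small q."""
    bad = 0
    for x in range(q):
        r = round_to_p(x, q, p)
        if any(round_to_p(x + e, q, p) != r for e in range(-bound, bound + 1)):
            bad += 1
    return bad / q


def lwe_lwr_agreement(n: int, q: int, p: int, bound: int, m: int, seed: int) -> float:
    """Monte Carlo version for large q: fraction of m samples on which the
    rounded LWE value ⌊<a, s> + e⌉_p equals the LWR value ⌊<a, s>⌉_p, with e
    uniform in [-bound, bound] (a toy error distribution standing in for a
    discrete Gaussian)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    agree = 0
    for a, lwr_val in lwr_samples(s, q, p, m, rng):
        e = rng.randint(-bound, bound)
        if round_to_p(inner_mod(a, s, q) + e, q, p) == lwr_val:
            agree += 1
    return agree / m
```

With $q = 24$, $p = 3$ the boundaries sit at $x = 4, 12, 20$; an error of magnitude 1 flips the rounding exactly at the 6 values next to them, giving the fraction $6/24 = 2 \cdot 1 \cdot 3 / 24$. Shrinking $q/p$ toward the error size makes that fraction approach 1, which is the regime where the LWE ≤ LWR argument stops working.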

SLIDE 37

LWR-Based Synthesizer & PRF

◮ Synthesizer $S : \mathbb{Z}_q^{n \times n} \times \mathbb{Z}_q^{n \times n} \to \mathbb{Z}_p^{n \times n}$ is $S(A, S) = \lfloor A \cdot S \rceil_p$ (rounding applied entrywise).
  (Note: the range $\mathbb{Z}_p$ is slightly smaller than the domain $\mathbb{Z}_q$. This only limits composition.)

PRF on Domain $\{0,1\}^k$, $k = 2^d$
◮ "Tower" of public moduli $q_d > q_{d-1} > \cdots > q_0$.
◮ Secret key is $2k$ square matrices $S_{i,b}$ over $\mathbb{Z}_{q_d}$ for $i \in [k]$, $b \in \{0,1\}$.
◮ Depth $d = \lg k$ tree of LWR synthesizers; for $k = 8$:
  $F_{\{S_{i,b}\}}(x_1 \cdots x_8) = \Big\lfloor \Big\lfloor \lfloor S_{1,x_1} \cdot S_{2,x_2} \rceil_{q_2} \cdot \lfloor S_{3,x_3} \cdot S_{4,x_4} \rceil_{q_2} \Big\rceil_{q_1} \cdot \Big\lfloor \lfloor S_{5,x_5} \cdot S_{6,x_6} \rceil_{q_2} \cdot \lfloor S_{7,x_7} \cdot S_{8,x_8} \rceil_{q_2} \Big\rceil_{q_1} \Big\rceil_{q_0}$
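Added example serving both the synthesizer-to-PRF recursion of the [NR'95] slide above and its LWR instantiation with a modulus tower on this slide; it is not the slides' own code and comes from neither [NR'95] nor [BPR'12]. Matrices are plain Python lists, and the dimension $n$ and moduli are toy assumptions (real parameters need $n$ in the hundreds and far larger moduli). `moduli[j]` is $q_j$, so the leaves live over $\mathbb{Z}_{q_d}$ and the root output lands in $\mathbb{Z}_{q_0}$.

```python
import random

# Added example (not from the slides, [NR'95] or [BPR'12]): the NR recursion
# with the LWR synthesizer S(A, B) = ⌊A·B⌉_p and a tower of moduli.
# Toy n and moduli for illustration only.

Matrix = list[list[int]]


def round_to_p(x: int, q: int, p: int) -> int:
    """⌊x⌉_p = ⌊(p/q)·x⌉ mod p, exact integer arithmetic."""
    return ((2 * p * (x % q) + q) // (2 * q)) % p


def matmul_mod(A: Matrix, B: Matrix, q: int) -> Matrix:
    """A·B over Z_q for square matrices of equal dimension."""
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % q for j in range(n)]
            for i in range(n)]


def lwr_synthesizer(A: Matrix, B: Matrix, q: int, p: int) -> Matrix:
    """S : Z_q^{n×n} × Z_q^{n×n} → Z_p^{n×n},  S(A, B) = ⌊A·B⌉_p entrywise.
    Deterministic: the 'error' is exactly what rounding throws away."""
    return [[round_to_p(x, q, p) for x in row] for row in matmul_mod(A, B, q)]


def keygen(k: int, n: int, q_top: int, seed: int) -> dict:
    """Secret key: 2k uniform n×n matrices S_{i,b} over Z_{q_d}, i in [k], b in {0,1}.
    Indexed from 0 here; the slide indexes i from 1."""
    rng = random.Random(seed)
    return {(i, b): [[rng.randrange(q_top) for _ in range(n)] for _ in range(n)]
            for i in range(k) for b in (0, 1)}


def synth_prf(key: dict, x: str, moduli: list[int]) -> Matrix:
    """F_{S_{i,b}}(x_1 ... x_k), k = 2^d, as a depth-d tree of LWR synthesizers.

    moduli[j] = q_j with q_d > ... > q_0. The level that consumes Z_{q_j} inputs
    emits Z_{q_{j-1}} outputs. All synthesizers on one level are independent,
    so each level is one parallel step; the depth is d = lg k, not k.
    """
    k = len(x)
    d = len(moduli) - 1
    if k != 2 ** d or any(c not in "01" for c in x):
        raise ValueError("need len(x) = 2^d with d + 1 moduli, and a 0/1 string")
    layer = [key[(i, int(bit))] for i, bit in enumerate(x)]  # base case: s_{i, x_i}
    for j in range(d, 0, -1):                                 # q_j inputs -> q_{j-1} outputs
        layer = [lwr_synthesizer(layer[2 * t], layer[2 * t + 1], moduli[j], moduli[j - 1])
                 for t in range(len(layer) // 2)]
    return layer[0]
```

Each level divides the modulus by a factor, which is the "only limits composition" remark above: the tower must start at $q_d$ large enough that $q_0$ at the root still leaves a usable output range after $d$ roundings.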

SLIDE 42

Shallower? More Efficient?

◮ Synth-based PRF is $\log k$ levels of $\mathrm{NC}^1$ synthesizers ⇒ $\mathrm{NC}^2$.
◮ [NR'97, NRR'00]: direct PRFs from DDH / factoring, in $\mathrm{TC}^0 \subseteq \mathrm{NC}^1$:
  $F_{g, s_1, \ldots, s_k}(x_1 \cdots x_k) = g^{\prod_{i} s_i^{x_i}}$
  (Computing this in $\mathrm{TC}^0$ needs huge circuits, though ...)

Direct LWE-Based Construction
◮ Public moduli $q > p$.
◮ Secret key is uniform $A$ and short $S_1, \ldots, S_k$ over $\mathbb{Z}_q$.
◮ "Rounded subset-product" function:
  $F_{A, S_1, \ldots, S_k}(x_1 \cdots x_k) = \Big\lfloor A \cdot \prod_{i=1}^{k} S_i^{x_i} \bmod q \Big\rceil_p$
◮ Ring variant has small(ish) $\mathrm{TC}^0$ circuit, practical implementation

SLIDE 47

Proof Sketch

◮ Seed is uniform $A$ over $\mathbb{Z}_q$ and short $S_1, \ldots, S_k$:
  $F_{A, S_1, \ldots, S_k}(x_1 \cdots x_k) = \big\lfloor A S_1^{x_1} \cdots S_k^{x_k} \bmod q \big\rceil_p$
◮ Like the LWE ≤ LWR proof, but "souped up" to handle queries.
  Thought experiment: answer queries with
  $\tilde F(x) := \Big\lfloor (A S_1^{x_1} + x_1 E)\, S_2^{x_2} \cdots S_k^{x_k} \Big\rceil_p = \Big\lfloor A \prod_{i=1}^{k} S_i^{x_i} + x_1 E \prod_{i=2}^{k} S_i^{x_i} \Big\rceil_p$.
  W.h.p., $\tilde F(x) = F(x)$ on all queries due to "small" error & rounding.
◮ Using LWE, replace $(A, A S_1 + E)$ with uniform $(A_0, A_1)$ ⇒ new function $F'(x) = \lfloor A_{x_1} S_2^{x_2} \cdots S_k^{x_k} \rceil_p$.
◮ Repeat for $S_2, S_3, \ldots$; after $k$ steps, $F^{(k)}(x) = \lfloor A_x \rceil_p = U(x)$, with an independent uniform $A_x$ for each query $x$.
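Added example covering both the rounded subset-product construction of the previous slide and the thought experiment on this one; it is not the slides' own code and not from [BPR'12]. Assumptions for illustration: toy dimension and moduli, key matrices $S_i$ and error $E$ with entries in $\{-1, 0, 1\}$ standing in for the short secrets and errors of the real scheme. `perturbed_prf` plants the LWE sample $(A, A S_1 + E)$ in place of $A S_1$ exactly as $\tilde F$ does, `hybrid_prf` is $F'$ after the LWE swap, and `agreement_over_all_inputs` measures how often $\tilde F = F$ over the whole domain for small $k$.

```python
import random

# Added example (not from the slides or [BPR'12]): the direct PRF
# F(x) = ⌊A · Π S_i^{x_i}⌉_p, the perturbed F~ of the proof sketch, and the
# hybrid F' after one LWE swap. Toy n, moduli and {-1,0,1} secrets.

Matrix = list[list[int]]


def round_to_p(x: int, q: int, p: int) -> int:
    """⌊x⌉_p = ⌊(p/q)·x⌉ mod p, exact integer arithmetic."""
    return ((2 * p * (x % q) + q) // (2 * q)) % p


def matmul_mod(A: Matrix, B: Matrix, q: int) -> Matrix:
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % q for j in range(n)]
            for i in range(n)]


def matadd_mod(A: Matrix, B: Matrix, q: int) -> Matrix:
    return [[(a + b) % q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def round_mat(M: Matrix, q: int, p: int) -> Matrix:
    return [[round_to_p(x, q, p) for x in row] for row in M]


def keygen(k: int, n: int, q: int, seed: int):
    """Uniform A over Z_q and k short S_i (entries in {-1,0,1}, a toy stand-in)."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    S = [[[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(n)] for _ in range(k)]
    return A, S


def direct_prf(A: Matrix, S: list, x: str, q: int, p: int) -> Matrix:
    """F_{A,S_1..S_k}(x) = ⌊A · Π_i S_i^{x_i} mod q⌉_p: a subset product of the
    key matrices selected by the bits of x, then one rounding."""
    M = A
    for bit, S_i in zip(x, S):
        if bit == "1":
            M = matmul_mod(M, S_i, q)
    return round_mat(M, q, p)


def perturbed_prf(A: Matrix, S: list, E: Matrix, x: str, q: int, p: int) -> Matrix:
    """F~(x) = ⌊(A S_1^{x_1} + x_1 E) S_2^{x_2} ... S_k^{x_k}⌉_p.
    Differs from F(x) only if the small term x_1 E Π_{i>=2} S_i^{x_i} carries
    some entry across a rounding boundary."""
    M = A
    if x[0] == "1":
        M = matadd_mod(matmul_mod(A, S[0], q), E, q)
    for bit, S_i in zip(x[1:], S[1:]):
        if bit == "1":
            M = matmul_mod(M, S_i, q)
    return round_mat(M, q, p)


def hybrid_prf(A0: Matrix, A1: Matrix, S: list, x: str, q: int, p: int) -> Matrix:
    """F'(x) = ⌊A_{x_1} S_2^{x_2} ... S_k^{x_k}⌉_p: what F~ becomes once LWE
    lets us replace (A, A S_1 + E) by uniform (A_0, A_1). S_1 is gone; repeating
    the step on S_2, S_3, ... ends at ⌊A_x⌉_p, a fresh uniform value per input."""
    return direct_prf(A1 if x[0] == "1" else A0, S[1:], x[1:], q, p)


def agreement_over_all_inputs(k: int, n: int, q: int, p: int, seed: int) -> float:
    """Fraction of all 2^k inputs on which F~ and F agree (the 'w.h.p.' claim).
    Error matrix E is also drawn from {-1,0,1} entries."""
    A, S = keygen(k, n, q, seed)
    rng = random.Random(seed + 1)
    E = [[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(n)]
    inputs = [format(v, "0%db" % k) for v in range(2 ** k)]
    same = sum(direct_prf(A, S, x, q, p) == perturbed_prf(A, S, E, x, q, p) for x in inputs)
    return same / len(inputs)
```

The error term grows with every short matrix it is multiplied through, roughly by a factor $n \cdot \|S_i\|$ per step, so for $k$ bits it can reach $n^{\Theta(k)}$ times the original error; that growth is exactly the $n^{\Theta(k)}$ modulus requirement listed in the open questions, and shrinking $q/p$ in `agreement_over_all_inputs` makes the agreement rate fall off.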

SLIDE 52

Open Questions

◮ Better hardness for LWR, e.g. for $q/p = \sqrt{n}$? (The proof from LWE relies on approximation factor and modulus $= n^{\omega(1)}$.)
◮ Synth-based PRF relies on approximation factor and modulus $n^{\Theta(\log k)}$. Direct construction relies on approximation factor and modulus $n^{\Theta(k)}$.
  Conjecture (?): direct PRF is secure for integral $q/p = \mathrm{poly}(n)$.
◮ Efficient PRFs from subset-sum/LPN?

Selected bibliography for this talk:

NR'95   M. Naor, O. Reingold, "Synthesizers and Their Applications to the Parallel Construction of Pseudorandom Functions," FOCS'95 / JCSS'99.
NR'97   M. Naor, O. Reingold, "Number-theoretic constructions of efficient pseudorandom functions," FOCS'97 / JACM'04.
NRR'00  M. Naor, O. Reingold, A. Rosen, "Pseudorandom functions and factoring," STOC'00 / SICOMP'02.
BPR'12  A. Banerjee, C. Peikert, A. Rosen, "Pseudorandom Functions and Lattices," Eurocrypt'12.