Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny...

Fast Cryptographic Primitives & Circular-Secure Encryption

Based on Hard Learning Problems

Benny Applebaum, David Cash, Chris Peikert, Amit Sahai

Princeton University, Georgia Tech, SRI international, UCLA

To appear in CRYPTO 09

Learning Noisy Linear FunctionsProblem: find s

sZqn

=<ai,s>+noiseai biZqn

A

s

x

n

m +

= b

iid noise vector of rate

• Learning-Parity-with-Noise (LPN):

- q=2, Noise: Bernoulli with = ¼

• Learning-with-Errors (LWE) [Reg05] :

- q(n)=poly(n) typically prime

- Gaussian noise w/mean 0 and std sqrt(q)

Learning Noisy Linear Functions

A

s

x

n

m +

= b

iid noise vector of rate

Problem: find s

-(q-1)/2 (q-1)/20

• Assumption: Problem is computationally hard for all m=poly(n)

• Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93,

Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…]

• LPN is easy major breakthrough in Coding Theory

• LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09]

• Pros: Hardness of search problem, resists sub-exp & quantum attacks

Learning Noisy Linear Functions

A

s

x

n

m +

= b

Problem: find s

• Problem has simple algebraic structure: “almost linear” function

- exploited by [BFKL94, AIK07, D-TK-L09]

• Computable by simple (bit) operations (low hardware complexity)

- exploited by [HB01,AIK04,JW05]

• Message of this talk: Very useful combination

Why LWE/LPN ?

rare

combination

As

x+

= b

• Fast circular secure encryption schemes

- Symmetric encryption from LPN

- Public-key encryption from LWE

• Fast pseudorandom objects from LPN

- Pseudorandom generator in quasi-linear time

- Oblivious weak randomized pseudorandom function

Main Results

Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,Um)

Proof: [AIK07]

• Assume LPN By [GL89] can’t approximate <s,r> for a random r

• Use distinguisher D to compute hardcore bit <s,r> given a random r

-Given (A,b) and r{0,1}n choose v Um and apply D to (C=A-v·rT, b)

b=As+x=Cs+vrTs+x=Cs+x+v<r,s>=

Pseudorandomness

As

x+

= b

Um if <r,s>=1

Cs+x if <r,s>=0

r

v v v+C

• Ekey(message;random)= ciphertext Dkey(ciphertext)= message

• Security: Even if Adv gets information cannot break scheme.

- CPA [GM82]:given oracle to Ekey() can’t distinguish Ek(m1) from Ek(m2)

• What if Adv sees Ek(msg) where msg depends on the key (KDM attack)?

-E.g., Ekey(key) or Ekey(f(key)) or Ek1(k2) and Ek2(k1)

Encryption Scheme

message Enc ciphertext

key

randomness

Enc

key

message

F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF

Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)

•Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08]

• Motivation:

- disk encryption or key-management systems

- anonymous credential systems via key cycles [CL01]

- axiomatic security (reasoning about security via formal logic) [ABHS05]

• What about previous/standard schemes?

- KDM attack lead to practical attacks (IEEE P1619)

- Random oracle construction/text-book constructions are bad [HU08, HK07]

- Black box separation of general KDM from trapdoor permutation [HH08]

KDM / circular security

F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF

Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)

• [BHHO08] First circular public-key encryption under DDH

- Get “clique” security + KDM for affine functions

- But large computational/communication overhead

- t-bit message requires t exponentiations (compare to El-Gamal)

- ciphertext length: t group elements

• Our schemes: circular encryption under LPN/LWE

- Get “clique” security + KDM for affine functions for free from standard schemes

- Efficiency comparable to standard LWE/LPN schemes

- t-bit message – Length O(t); Time: t·polylog(t) sym; t2·polylog(t) public-key

- Proofs of security follow the [BHHO08] approach

KDM / circular security

• Let G be a good linear error-correcting code with decoder for noise +0.1

Encs(mes; A, err)= (A, As+err + G·mes)

Decs(A,y)= decoder(y-As)

• Semantic security follows from pseudorandomness

• Simple scheme originally from [Gilbert Robshaw Seurin08]

- independently discovered by [A08,Dodis Tauman-Kalai Lovet 09]

• Scheme has nice statistical properties

- entropic-security [DodisSmith05], weak leakage-resilient, error-correction

Symmetric Scheme

A

S

err+A

,

+ Gm

• Use many different s’s with the same A

Quasi-linear Implementation

A

S

err+A

,

+ Gm

• Use many different s’s with the same A

• Preserves pseudorandomness since A is public

-Proof via Hybrid argument

•If matrices are very rectangular can multiply in quasi-linear time [Cop82]

-E.g., t=n and m=n6

• Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption

Quasi-linear Implementation

A

S

Err+A

n

m

,

n t

+ GMes

Encs(mes; A, err)= (A, As+err + G·mes )

Decs(A,y)= decoder(y-As)

Thm. Scheme is circular (clique) secure and KDM w/r to affine functions

Proof:

• Useful properties:

- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)

- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)

- Self referential: Given Es(0) can compute Es(S)

- Proof: (A,y=As+err) (A-G,y)=(A’,A’s+err+Gs) = Es(S)

Clique Security

Encs(mes; A, err)= (A, As+err + G·mes )

Decs(A,y)= decoder(y-As)

Thm. Scheme is circular (clique) secure and KDM w/r to affine functions

Proof:

• Useful properties:

- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)

- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)

- Self referential: Given Es(0) can compute Es(S)

• Suppose that Adv break clique security (can ask for ESi(Sk) for all 1i,kt)

• Construct B that breaks standard CPA security (w/r to single key S).

• B simulates Adv: choose t offsets 1,…, t and pretend that Si=S+i

- Simulate Esi(Sk): get Es(0) Es(S) Es+ i(S) Es+ i(S+ k)

Clique Security

• Fast circular secure encryption schemes

- Symmetric encryption from LPN

- Public-key encryption from LWE

Rest of the talk

• Public-key: (A,b)ZqnmZq

m Secret-key: s Zq

n

• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz

• To Decrypt (u,c): compute c-<s,u>=f(z)+<x,r> and decode

• Security [R05,GPV08]: If b was truly random then (u,v) is random and get OTP

• Want: Plaintext Homomorphic, Self Referential, Key Homomorphic

• PH: let mes space be linear-subspace of Zq by taking q=p2 so Zq=ZpZp

(Pseudorandomness holds as long as noise is sufficiently low)

Regev’s PKE

As

x+

= b

A

br

“parity-check” matrix

=u

v

noisev=<s,u>+<x,r>

+ f(z)

[GentryPeikertVaikuntanathanP V Waters08]

• Public-key: (A,b)ZqnmZq

m Secret-key: s Zq

n

• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz

• Can we convert E(0) to E(s1) ?

• Given (u,c=<s,u>+<x,r>) (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g

• Problem: (u’,c) is not distributed properly: c= <s,u’>+err(u)+f(s1)

• Sol: smoothen the ciphertext distribution

s

Self Reference

A x+

= b

A

br

“parity-check” matrix

=u

v + f(z)

v=<s,u>+<x,r>noise

e +++e <s,u>+err

err err

• Public-key: (A,b)ZqnmZq

m Secret-key: s Zq

n

• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz

• Can we convert E(0) to E(s1) ?

• Given (u,c=<s,u>+<x,r>) (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g

• Problem: s1 may not be in Zp

• Sol: Choose s with entries in Zp by sampling from Gaussian around (0p/2)

• Security?

s

Self Reference

A x+

= b

A

br

“parity-check” matrix

=u

v + f(z)

v=<s,u>+<x,r>noise

e +++e <s,u>+err

err err

s

Hardness of LWE with sNoise

sZqn

As

x+ = b

Convert standard LWE to LWE with sNoise

1. Get (A,b) s.t A is invertible

A b

Hardness of LWE with sNoise

sZqn

As

x+ = b

Convert standard LWE to LWE with sNoise

• If (,)LWEs then (’,’) LWEx

Proof: ’= +<’,b>

= <,s>+e + <’,As>+<’,x>

= <,s>+e + <-A-1,As>+<’,x>

<,s>+e

+<’,b>

’ ’

-A-1

xNoise

Hardness of LWE with sNoise

sZqn

As

x+ = b

Convert standard LWE to LWE with sNoise

• If (,)LWEs then (’,’) LWEx

• If (,) are uniform then (’,’) also uniform

• Hence distinguisher for LWEx yields a distinguisher for LWEs

<,s>+e

+<’,b>

’ ’

-A-1

xNoise

Hardness of LWE with sNoise

sZqn

As

x+ = b

• Reduction generates invertible linear mapping fA,b:s x

xNoise(A,b)

Hardness of LWE with sNoise

sZqn

• Reduction generates invertible linear mapping fA,b:s x

• Key Hom: get pk’s whose sk’s x1,..,xk satisfy known linear-relation

• Together with prev properties get circular (clique) security

• Improve efficiency via amortized version of [PVW08]

x1Noise(A1,b1)

xkNoise(Ak,bk)

• LWE vs. LPN ?

- LWE follows from worst-case lattice assumptions [Regev05, Peikert09]

- LWE many important crypto applications [GPV08,PVW08,PW08,CPS09]

- LWE can be broken in “NP co-NP” unknown for LPN

- LPN central in learning (“complete” for learning via Fourier) [FGKP06]

• Circular Security vs. Leakage Resistance ?

- Current constructions coincident

- LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09]

- common natural ancestor?

Open Questions