Fast Cryptographic Primitives & Circular-Secure Encryption
Based on Hard Learning Problems
Benny Applebaum, David Cash, Chris Peikert, Amit Sahai
Princeton University, Georgia Tech, SRI international, UCLA
To appear in CRYPTO 09
Learning Noisy Linear FunctionsProblem: find s
sZqn
=<ai,s>+noiseai biZqn
A
s
x
n
m +
= b
iid noise vector of rate
• Learning-Parity-with-Noise (LPN):
- q=2, Noise: Bernoulli with = ¼
• Learning-with-Errors (LWE) [Reg05] :
- q(n)=poly(n) typically prime
- Gaussian noise w/mean 0 and std sqrt(q)
Learning Noisy Linear Functions
A
s
x
n
m +
= b
iid noise vector of rate
Problem: find s
-(q-1)/2 (q-1)/20
• Assumption: Problem is computationally hard for all m=poly(n)
• Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93,
Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…]
• LPN is easy major breakthrough in Coding Theory
• LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09]
• Pros: Hardness of search problem, resists sub-exp & quantum attacks
Learning Noisy Linear Functions
A
s
x
n
m +
= b
Problem: find s
• Problem has simple algebraic structure: “almost linear” function
- exploited by [BFKL94, AIK07, D-TK-L09]
• Computable by simple (bit) operations (low hardware complexity)
- exploited by [HB01,AIK04,JW05]
• Message of this talk: Very useful combination
Why LWE/LPN ?
rare
combination
As
x+
= b
• Fast circular secure encryption schemes
- Symmetric encryption from LPN
- Public-key encryption from LWE
• Fast pseudorandom objects from LPN
- Pseudorandom generator in quasi-linear time
- Oblivious weak randomized pseudorandom function
Main Results
Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,Um)
Proof: [AIK07]
• Assume LPN By [GL89] can’t approximate <s,r> for a random r
• Use distinguisher D to compute hardcore bit <s,r> given a random r
-Given (A,b) and r{0,1}n choose v Um and apply D to (C=A-v·rT, b)
b=As+x=Cs+vrTs+x=Cs+x+v<r,s>=
Pseudorandomness
As
x+
= b
Um if <r,s>=1
Cs+x if <r,s>=0
r
v v v+C
• Ekey(message;random)= ciphertext Dkey(ciphertext)= message
• Security: Even if Adv gets information cannot break scheme.
- CPA [GM82]:given oracle to Ekey() can’t distinguish Ek(m1) from Ek(m2)
• What if Adv sees Ek(msg) where msg depends on the key (KDM attack)?
-E.g., Ekey(key) or Ekey(f(key)) or Ek1(k2) and Ek2(k1)
Encryption Scheme
message Enc ciphertext
key
randomness
Enc
key
message
F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF
Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)
•Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08]
• Motivation:
- disk encryption or key-management systems
- anonymous credential systems via key cycles [CL01]
- axiomatic security (reasoning about security via formal logic) [ABHS05]
• What about previous/standard schemes?
- KDM attack lead to practical attacks (IEEE P1619)
- Random oracle construction/text-book constructions are bad [HU08, HK07]
- Black box separation of general KDM from trapdoor permutation [HH08]
KDM / circular security
F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF
Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)
• [BHHO08] First circular public-key encryption under DDH
- Get “clique” security + KDM for affine functions
- But large computational/communication overhead
- t-bit message requires t exponentiations (compare to El-Gamal)
- ciphertext length: t group elements
• Our schemes: circular encryption under LPN/LWE
- Get “clique” security + KDM for affine functions for free from standard schemes
- Efficiency comparable to standard LWE/LPN schemes
- t-bit message – Length O(t); Time: t·polylog(t) sym; t2·polylog(t) public-key
- Proofs of security follow the [BHHO08] approach
KDM / circular security
• Let G be a good linear error-correcting code with decoder for noise +0.1
Encs(mes; A, err)= (A, As+err + G·mes)
Decs(A,y)= decoder(y-As)
• Semantic security follows from pseudorandomness
• Simple scheme originally from [Gilbert Robshaw Seurin08]
- independently discovered by [A08,Dodis Tauman-Kalai Lovet 09]
• Scheme has nice statistical properties
- entropic-security [DodisSmith05], weak leakage-resilient, error-correction
Symmetric Scheme
A
S
err+A
,
+ Gm
• Use many different s’s with the same A
Quasi-linear Implementation
A
S
err+A
,
+ Gm
• Use many different s’s with the same A
• Preserves pseudorandomness since A is public
-Proof via Hybrid argument
•If matrices are very rectangular can multiply in quasi-linear time [Cop82]
-E.g., t=n and m=n6
• Use fast ECC (e.g., [spielman95]) to get quasi-linear time encryption/decryption
Quasi-linear Implementation
A
S
Err+A
n
m
,
n t
+ GMes
Encs(mes; A, err)= (A, As+err + G·mes )
Decs(A,y)= decoder(y-As)
Thm. Scheme is circular (clique) secure and KDM w/r to affine functions
Proof:
• Useful properties:
- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)
- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)
- Self referential: Given Es(0) can compute Es(S)
- Proof: (A,y=As+err) (A-G,y)=(A’,A’s+err+Gs) = Es(S)
Clique Security
Encs(mes; A, err)= (A, As+err + G·mes )
Decs(A,y)= decoder(y-As)
Thm. Scheme is circular (clique) secure and KDM w/r to affine functions
Proof:
• Useful properties:
- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)
- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)
- Self referential: Given Es(0) can compute Es(S)
• Suppose that Adv break clique security (can ask for ESi(Sk) for all 1i,kt)
• Construct B that breaks standard CPA security (w/r to single key S).
• B simulates Adv: choose t offsets 1,…, t and pretend that Si=S+i
- Simulate Esi(Sk): get Es(0) Es(S) Es+ i(S) Es+ i(S+ k)
Clique Security
• Fast circular secure encryption schemes
- Symmetric encryption from LPN
- Public-key encryption from LWE
Rest of the talk
• Public-key: (A,b)ZqnmZq
m Secret-key: s Zq
n
• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz
• To Decrypt (u,c): compute c-<s,u>=f(z)+<x,r> and decode
• Security [R05,GPV08]: If b was truly random then (u,v) is random and get OTP
• Want: Plaintext Homomorphic, Self Referential, Key Homomorphic
• PH: let mes space be linear-subspace of Zq by taking q=p2 so Zq=ZpZp
(Pseudorandomness holds as long as noise is sufficiently low)
Regev’s PKE
As
x+
= b
A
br
“parity-check” matrix
=u
v
noisev=<s,u>+<x,r>
+ f(z)
[GentryPeikertVaikuntanathanP V Waters08]
• Public-key: (A,b)ZqnmZq
m Secret-key: s Zq
n
• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz
• Can we convert E(0) to E(s1) ?
• Given (u,c=<s,u>+<x,r>) (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g
• Problem: (u’,c) is not distributed properly: c= <s,u’>+err(u)+f(s1)
• Sol: smoothen the ciphertext distribution
s
Self Reference
A x+
= b
A
br
“parity-check” matrix
=u
v + f(z)
v=<s,u>+<x,r>noise
e +++e <s,u>+err
err err
• Public-key: (A,b)ZqnmZq
m Secret-key: s Zq
n
• Encrypt zZpZq by (u,v+f(z)) where f: ZpZq is linear ECC, i.e., f(z)=gz
• Can we convert E(0) to E(s1) ?
• Given (u,c=<s,u>+<x,r>) (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s1g
• Problem: s1 may not be in Zp
• Sol: Choose s with entries in Zp by sampling from Gaussian around (0p/2)
• Security?
s
Self Reference
A x+
= b
A
br
“parity-check” matrix
=u
v + f(z)
v=<s,u>+<x,r>noise
e +++e <s,u>+err
err err
s
Hardness of LWE with sNoise
sZqn
As
x+ = b
Convert standard LWE to LWE with sNoise
1. Get (A,b) s.t A is invertible
A b
Hardness of LWE with sNoise
sZqn
As
x+ = b
Convert standard LWE to LWE with sNoise
• If (,)LWEs then (’,’) LWEx
Proof: ’= +<’,b>
= <,s>+e + <’,As>+<’,x>
= <,s>+e + <-A-1,As>+<’,x>
<,s>+e
+<’,b>
’ ’
-A-1
xNoise
Hardness of LWE with sNoise
sZqn
As
x+ = b
Convert standard LWE to LWE with sNoise
• If (,)LWEs then (’,’) LWEx
• If (,) are uniform then (’,’) also uniform
• Hence distinguisher for LWEx yields a distinguisher for LWEs
<,s>+e
+<’,b>
’ ’
-A-1
xNoise
Hardness of LWE with sNoise
sZqn
As
x+ = b
• Reduction generates invertible linear mapping fA,b:s x
xNoise(A,b)
Hardness of LWE with sNoise
sZqn
• Reduction generates invertible linear mapping fA,b:s x
• Key Hom: get pk’s whose sk’s x1,..,xk satisfy known linear-relation
• Together with prev properties get circular (clique) security
• Improve efficiency via amortized version of [PVW08]
x1Noise(A1,b1)
xkNoise(Ak,bk)
• LWE vs. LPN ?
- LWE follows from worst-case lattice assumptions [Regev05, Peikert09]
- LWE many important crypto applications [GPV08,PVW08,PW08,CPS09]
- LWE can be broken in “NP co-NP” unknown for LPN
- LPN central in learning (“complete” for learning via Fourier) [FGKP06]
• Circular Security vs. Leakage Resistance ?
- Current constructions coincident
- LPN/Regev/BHHO constructions resist key-leakage [AGV09,DKL09,NS09]
- common natural ancestor?
Open Questions