Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Size: px

Start display at page:

Download "Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology"

Lawrence Cook
6 years ago
Views:

1 1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010

2 2 / 19 Talk Agenda Encryption schemes with special features:

3 2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability

4 2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability 2 Circular Security

5 3 / 19 Part 1: Deniable Encryption A. O Neill, C. Peikert (2010) Bideniable Public-Key Encryption

6 Deniable Encryption c = Encpk ( surprise party 4 big bro! ) (Images courtesy xkcd.org) 4 / 19

7 Deniable Encryption c = Encpk ( surprise party 4 big bro! )!! (Images courtesy xkcd.org) 4 / 19

8 Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19

9 Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) (fake!) (fake!) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19

10 Deniable Encryption c = Encpk ( I love kittens!!!! ) What We Want 1 Bob gets Alice s intended message, but... 2 Fake coins & keys look as if another message was encrypted! (Images courtesy xkcd.org) 4 / 19

11 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), 1984

12 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), Voting: can reveal any candidate, so can t sell vote (?)

13 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), Voting: can reveal any candidate, so can t sell vote (?) 3 Secure protocols tolerating adaptive break-ins [CFGN 96]

14 6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced)

15 6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose,... Limited deniability: move along, no message here... Plausible for storage, but not so much for communication.

16 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible

17 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02]

18 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02] 2 Plan-ahead bi-deniability with short keys Bounded number of alternative messages, decided in advance

19 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P Public description pk with secret trapdoor sk.

20 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample.

21 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U.

22 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U. Many instantiations: trapdoor perms (RSA), DDH, lattices,...

23 9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Enc(1) = UP U P sk

24 9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Deniable: Enc(0) = PP Enc(1) = UP Enc(1) = UP U P sk

25 Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk Deniability 4 Alice can fake: PP UP UU 9 / 19

26 Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk 7 Deniability 4 Alice can fake: PP UP UU 7 What about Bob?? His sk reveals the true nature of the samples! 9 / 19

27 10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.

28 10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.

29 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly.

30 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample.

31 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample. Bob can also fake P U!

32 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.)

33 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O x Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q.

34 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r x O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q. P-sample = x = A t s + e (LWE). Then r, x 0 mod q.

35 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ])

36 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ]) Given P-sample x, choose fake r L correlated with x s error. Then r, x is uniform mod q x is classified as a U-sample.

37 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r?

38 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib!

39 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib! Finally, replace LWE with uniform normal r and U-sample x.

40 12 / 19 Closing Thoughts on Deniability Faking sk requires oblivious misclassification (of P as U) Bi-deniability from other cryptographic assumptions? Full deniability, without alternative algorithms?

41 13 / 19 Part 2: Circular-Secure Encryption B. Applebaum, D. Cash, C. Peikert, A. Sahai (CRYPTO 2009) Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems

42 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) sk Bob

43 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate.

44 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j

45 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09]

46 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09] Some (semantically secure) schemes are actually circular-insecure [ABBC 10,GH 10]

47 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption

48 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05]

49 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.

50 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.

51 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach. Efficiency: comes for free with existing schemes! [R 05,PVW 08] Public key Enc Time Ciphertext k 2 bits k 2 ops k bits

52 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i )

53 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q

54 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ).

55 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p.

56 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p. Security proof: uniform pk = (A, b) = uniform ciphertext (u, v).

57 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. (Or any affine fct of s.)

58 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p?

59 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? No! Also no!

60 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme No! Also no! 1 Use q = p 2 for divisibility. (Need new search/decision reduction for LWE.)

61 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] No! Also no!

62 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no!

63 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!

64 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!?? But is it secure to use such an s??

65 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ),

66 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q.

67 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e).

68 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )).

69 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )). Clique & Affine Security (Again, For Free) Repeating transform produces ind. sources LWE e1, LWE e2,... Side effect: a known affine relation between unknowns s and e i. This lets us create Enc pki (affine(e j )) for any i, j.

70 19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done!

71 19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done! Thanks!

Lossy Trapdoor Functions and Their Applications

1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information