Public-Key Encryption Based on LPN

Transcription

1 Public-Key Encryption Based on LPN Li Chen lichen.xd at gmail.com Xidian University November 3, 013

2 Public-Key Encryption Based on LPN Outline 1 Basic LPN cryptosystem Multi-bit LPN cryptosystem 3 Ring-LPN cryptosystem 4 Discussion Li Chen Xidian University /13

3 Public-Key Encryption Based on LPN References [1] Ivan Damgård and Sunoo Park. Is public-key encryption based on lpn practical? In IACR Cryptology eprint Archive, 01. Claim: Our slides are based on reference [1] Li Chen Xidian University 3/13

4 1 Basic LPN cryptosystem Notations Ber τ denotes the Bernoulli distribution with parameter τ. Ber k τ denotes the distribution of vectors in Z k, where each entry is drawn independently from Ber τ. Bin n,τ denotes the binomial distribution with n trials, each with success probability τ. we use a bold lower case character z to denote a column vector, use a bold upper case character Z to denote a matrix. Li Chen Xidian University 4/13

5 Definition 1.1 Decisional LPN Problem Take parameters n N and τ R with 0 < τ < 0.5 (the noise rate). A distinguisher D is said to (q, t, ε)-solve the decisional LPN n,τ problem if Pr [D(A, As + e) = 1] Pr [D(A, r) = 1] ε A,mathbfs,e where A $ Z q n, s $ Z n, e Ber q τ, r $ Z q, and the distinguisher runs in time at most t. Lemma 1. (Lemma 1 from []) If there exists a distinguisher D that (q, t, ε)-solve the decisional LPN n,τ problem, then there exists a distinguisher D that (q, t, ε )-solve the search LPN n,τ problem. Definition 1.3 (Decisional LPN Assumption, DLPN) For any probabilistic algorithm D that (q, t, ε)-solve the decisional LPN n,τ problem for all large enough n, where τ is Θ(1/ n), t is polynomial in n, and q is O(n), it holds that ε is negligible as a function of n. A,r Li Chen Xidian University 5/13

6 Definition 1.4 (Basic LPN Cryptosystem) The basic LPN cryptosystem is a 3-tuple (BasicLPNKenGen, BasicLPNEnc, BasicLPNDec), with the parameters n N, the length of the secret key, and τ R, the noise rate. All operations are performed over Z. BasicLPNKenGen(): Choose a secret key sk = s Z n. The public key is pk = (A, b), where A $ Z n n, b = As + e, e Ber n τ. $ BasicLPNEnc(pk = (A, b), v): To encrypt a message bit v Z, choose f Ber n τ and output cipertext (u, c), where u = A T f and c =< b, f > +v. BasicLPNDec(sk = s, (u, v)): The decryption is d = c+ < u, s >. Note: d =< b, f > +v+ < u, s >= b T f + s T u = (s T A T + e T )f + s T A T f + v = e T f + v Li Chen Xidian University 6/13

7 Correctness: Only need to show e T f = 0. To show this, we need some lemmas as follows. Lemma 1.5 Let X Bin n,τ, then the probability that X is even is 1 + (1 τ)n Proof... n Lemma 1.6 For any k such that lim k =, then it holds that lim (1 + k n )n = e k. n n Proof... Li Chen Xidian University 7/13

8 Theorem 1.7 (Correctness) For any constant ε > 0, it holds that τ can be chosen with τ = Θ( 1 n ) such that the probability of correct decryption by BasicLPNDec is at least 1 ε. Proof As we show above that d == e T f +v. Let e i and f i denote the entries of e and f respectively. Define C i = e i f i and C = i C i, then e T f = 0 C is even. Since each C i Ber τ, independently and identically, so C Bin n,τ. By Lemma 1.5, then Pr[e T f = 0] = 1 + (1 τ)n. Take 0 < τ < O( 1 n ), then τ n n = O(1), so lim τ n n =. Applying Lemma 1.6 yields lim (1 τ ) n = e τ (n). Hence, for large n, Pr[e T f = 0] 1+e τ (n) If τ n c n for some constant c > 0, then τ (n) 4c, lim c 0. τ (n) = 0, so lim 1 + e τ (n) = 1. It follows that take τ = Θ( c c 0 n ), for any ε > 0, the probability of correct decryption by BasicLPNDec is at least 1 ε provided by choosing c sufficiently close to 0. Li Chen Xidian University 8/13

9 Multi-bit LPN cryptosystem Definition.1 (Multi-bit LPN Cryptosystem) The multi-bit LPN cryptosystem is a 3- tuple (MultiLPNKenGen, MultiLPNEnc, MultiLPNDec), with the parameters n and τ as in Definition.1, l = O(n), the length of plaintxt that can be encrypted in a single operation. MultiLPNKenGen(): Choose a secret key sk = S Z n l. The public key is pk = (A, B), where A $ Z n n, B = AS + E, E Ber n l τ. MultiLPNEnc(pk = (A, B), v): To encrypt a message v Z l, choose f output cipertext (u, c), where u = A T f and c = B T f + v. MultiLPNDec(sk = s, (u, v)): The decryption is d = c + S T u. $ Ber n τ and Note: d = B T f + v + S T u = S T A T f + E T f + S T A T f + v = E T f + v Li Chen Xidian University 9/13

10 3 Ring-LPN cryptosystem Notations: For a polynomial ring R = GF ()[x]/(g(x)), the distribution Ber R τ denotes the distribution over R, where each of the coefficients of the polynomial is drawn independently from Ber τ. For a polynomial r R, let r denote the weight of r, i.e. the number of nonzero coefficients r has. Let r[i] denote the coefficient of x i in r. For matrix A Z m n, B Z m n, let A//B Z (m+m ) n denote the vertical concatenation of A and B, i.e. A//B is the matrix whose rows are those of A followed by those of B. For any polynomial r R with degree n 1, let vec(r) Z n denote the column vector whose i th entry is r[i], for all 0 i n. And let mat(r) Z n n be the matrix such that for all r R, mat(r)vec(r ) = vec(r r ). Note that the i th column vector of the matrix mat(r) is exactly vec(rx i 1 ). Li Chen Xidian University 10/13

11 Definition 3.1 (Ring LPN Cryptosystem) The ring LPN cryptosystem is a 3-tuple (RingLPNKenGen, RingLPNEnc, RingLPNDec), with the parameters n N, the length of the secret key, and τ R, the noise rate, and the ring R = GF ()[x]/ < g(x) >, with g(x) an irreducible polynomial of degree n. RingLPNKenGen(): Choose a secret key sk = s $ Z n. The public key is pk = (a 1, a, b), $ where a 1, a R, b = As + e, for A = (mat(a1)) T //(mat(a )) T, e Ber n τ. $ RingLPNEnc(pk = (a 1, a, b), v): To encrypt a message bit v Z, choose f 1, f Ber R,n τ, define f = vec(f 1)//vec(f 1), and output cipertext (u, c), where u = A T f and c =< b, f > +v. RingLPNDec(sk = s, (u, v)): The decryption is d = c+ < u, s >. Note: (1) d = b T f + v + s T u = s T A T f + e T f + s T A T f + v = e T f + v () u = A T f = vec(a 1f 1 + a f ) Li Chen Xidian University 11/13

12 4 Discussion To be continued :) Li Chen Xidian University 1/13

13 Thanks! & Questions?