New and Improved Key-Homomorphic Pseudorandom Functions

Size: px

Start display at page:

Download "New and Improved Key-Homomorphic Pseudorandom Functions"

Martina Floyd
5 years ago
Views:

1 New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO August 2014

2 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 1 / 11

3 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 1 / 11

4 Pseudorandom Functions [GGM 84] A family of functions F = {F s : {0, 1} k B} such that, given adaptive query access, c F s F Random U x i F s (x i ) x i U(x i )?? Lots of applications in symmetric key cryptography: encryption, message authentication, friend or foe identification,... (Thanks to Seth MacFarlane for the adversary) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 2 / 11

5 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11

6 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) 2 Number-theoretic direct constructions [NR 97, NRR 00] Framework: exponentiate to a product of (secret) exponents Security from number-theoretic assumptions (DDH, factoring,... ) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11

7 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) 2 Number-theoretic direct constructions [NR 97, NRR 00] Framework: exponentiate to a product of (secret) exponents Security from number-theoretic assumptions (DDH, factoring,... ) 3 Lattice-based direct constructions [BPR 12] Framework: round a product of (secret) matrices/ring elements Security from lattice assumptions (LWE, worst-case lattice problems) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11

8 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

9 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, 1 DDH-based construction [NPR 99] Security in the random oracle model Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

10 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

11 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

12 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes [BPR 12] also gives (non-kh) PRFs having much better parameters, with slightly worse (still polylog) depth Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

13 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes [BPR 12] also gives (non-kh) PRFs having much better parameters, with slightly worse (still polylog) depth Can we obtain similar tradeoffs for KH-PRFs? Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11

14 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11

15 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11

16 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. New proof technique that may be useful elsewhere Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11

17 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. New proof technique that may be useful elsewhere Full version: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11

18 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11

19 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k k F s (x) = s B xi i=1 p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

20 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k 1 k F s (x) = s B xi i=1 p 2 0 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

21 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n 1 0 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

22 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 x B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

23 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 c k c s x1 B xi... c s x p = U(x) i=2 p 1 0 B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

24 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 c k c s x1 B xi... c s x p = U(x) i=2 LWE approx factor grows exponentially in input length k. p 1 0 B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11

25 Gadget and Bit-Decomposition Gadget Z q -matrix G [MP 12]: A = G G 1 (A) Any Z q -matrix Square {0, 1}-matrix Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 7 / 11

26 Gadget and Bit-Decomposition Gadget Z q -matrix G [MP 12]: A = G G 1 (A) Any Z q -matrix Square {0, 1}-matrix A ubiquitous tool in lattice cryptography: FHE [BV 11,GSW 13,AP 14], CCA/IBE/ABE/FHS [MP 12,BGG + 14,GVW 14] Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 7 / 11

27 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11

28 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x A T (x) := A x for T = 1 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11

29 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11

30 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) New KH-PRF Construction Public parameters: matrices A 0, A 1, full binary tree T Function F s on T -bit input x defined as F s (x) = s A T (x) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11

31 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) New KH-PRF Construction Public parameters: matrices A 0, A 1, full binary tree T Function F s on T -bit input x defined as F s (x) = s A T (x) p Somewhat KH just as in [BLMR 13]. Same applications! Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11

32 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) s = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

33 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

34 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

35 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

36 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 s = 2, e = 2 Left Spine x λ x 3 x 1 x 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

37 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 s = 2, e = 2 [BLMR 13] Construction! x λ x 3 x 1 x 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

38 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 1 λ 1 λ λ 2 s = 2, e = 2 Right Spine x 1 x 2 x 3 x λ Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

39 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 1 λ 1 λ λ 2 log 4 (λ) log 4 (λ) λ λ 2 s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

40 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11

41 Proof Idea T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

42 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

43 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

44 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 1 T 2 x 1 x 2 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p = s x0 A T ( x 1 x d ) + v x0 G 1 (A T1 ( x 1 )) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

45 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 1 T 2 x 1 x 2 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p = s x0 A T ( x 1 x d ) + v x0 G 1 (A T1 ( x 1 )) p c s x + v x0 G 1 (A T1 ( x 1 )) + other v terms s U(x). p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

46 Conclusions Our main contributions New KH-PRFs from lattices: quasi-optimal key sizes, polylog depth New proof technique Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

47 Conclusions Our main contributions New KH-PRFs from lattices: quasi-optimal key sizes, polylog depth New proof technique The Last Word [Mun 07] (Image source: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11

New and Improved Key-Homomorphic Pseudorandom Functions

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee Chris Peikert June 13, 2014 Abstract A key-homomorphic pseudorandom function (PRF) family {F s : D R} allows one to efficiently