The LPN Problem in Cryptography

Similar documents
How to Encrypt with the LPN Problem

Lapin: An Efficient Authentication Protocol Based on Ring-LPN

BEFORE presenting the LPN problem together with its

NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or

Solving LPN Using Covering Codes

Solving LWE with BKW

Pruning and Extending the HB + Family Tree

A Novel Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocol for RFID Authentication

Lapin: An Efficient Authentication Protocol Based on Ring-LPN

Never trust a bunny. University of Illinois at Chicago, Chicago, IL , USA

Efficient Authentication from Hard Learning Problems

Practical Attacks on HB and HB+ Protocols

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Efficient Authentication from Hard Learning Problems

New and Improved Key-Homomorphic Pseudorandom Functions

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Cryptography and Security Final Exam

Efficient Authentication from Hard Learning Problems

Simple Chosen-Ciphertext Security from Low-Noise LPN

BEYOND POST QUANTUM CRYPTOGRAPHY

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Cryptography and Security Final Exam

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Improved Generalized Birthday Attack

Short Exponent Diffie-Hellman Problems

Cryptology. Scribe: Fabrice Mouhartem M2IF

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Lecture 10 - MAC s continued, hash & MAC

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Round-Efficient Multi-party Computation with a Dishonest Majority

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

CRYPTANALYSIS OF COMPACT-LWE

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Lattice-Based Non-Interactive Arugment Systems

Breaking Symmetric Cryptosystems Using Quantum Algorithms

1 Number Theory Basics

Chosen-Ciphertext Security from Subset Sum

Lecture 7: CPA Security, MACs, OWFs

On the Security of Non-Linear HB (NLHB) Protocol Against Passive Attack

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Post-quantum key exchange for the Internet based on lattices

Adaptive Security of Compositions

Lossy Trapdoor Functions and Their Applications

Quantum Differential and Linear Cryptanalysis

Security of Random Feistel Schemes with 5 or more Rounds

Katz, Lindell Introduction to Modern Cryptrography

How many rounds can Random Selection handle?

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

On the Practical Security of a Leakage Resilient Masking Scheme

What are we talking about when we talk about post-quantum cryptography?

Cryptographical Security in the Quantum Random Oracle Model

New polynomials for strong algebraic manipulation detection codes 1

Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols

1 Last time and today

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Lecture 11: Key Agreement

6.892 Computing on Encrypted Data September 16, Lecture 2

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Classical hardness of Learning with Errors

Ubiquitous Authentication: Definitions, Attacks, and Constructions

A survey on quantum-secure cryptographic systems

On Noise-Tolerant Learning of Sparse Parities and Related Problems

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Benes and Butterfly schemes revisited

Secure and Practical Identity-Based Encryption

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Minimalist Cryptography: Excerpt from an NSF Proposal

Implementing Ring-LWE cryptosystems

A Domain Extender for the Ideal Cipher

Classical hardness of the Learning with Errors problem

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Some Security Comparisons of GOST R and ECDSA Signature Schemes

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

Improved security analysis of OMAC

Authentication. Chapter Message Authentication

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Question 1. The Chinese University of Hong Kong, Spring 2018

On Two Round Rerunnable MPC Protocols

Lecture 18: Message Authentication Codes & Digital Signa

On error distributions in ring-based LWE

Lattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris

Un-Trusted-HB: Security Vulnerabilities of Trusted-HB

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Middle-Product Learning With Errors

Lecture 10: Zero-Knowledge Proofs

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Notes on Zero Knowledge

Lecture 1: Introduction to Public key cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Transcription:

The LPN Problem in Cryptography Vadim Lyubashevsky INRIA / ENS, Paris

Learning Parity with Noise (LPN) We have access to an oracle who has a secret s in Z 2 n On every query, the oracle: 1. Picks r Z 2 n 2. Picks a `noise e β ¼ (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=<r,s> + e) 1 1 1 + 1 = 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 The goal: Find s

Algorithms to Solve LPN Important Parameters 1. Dimension 2. Noise rate 3. # of samples Straightforward algorithm: check which s is the best fit 2 n time, any noise rate, minimum samples

Better than 2 n? If the noise is chosen from β τ : get n samples with probability (1- τ) n, the noise is all s 1 1 1 1 1 1 1 1 1 1 + = 1 1 use Gaussian elimination to solve for s get more samples to check s Solve LPN in time ~ exp(τn)

Better than 2 n for Constant Noise Rate Find s one coefficient at a time [BKW, Wag 2] Main idea (for finding 1 st coefficient of s): 1. Find a linear combination of m samples such that a=a 1 + +a m = (1 ) 2. if <a i,s> = b i with prob. 1-τ, then s (1) = <a,s> = b 1 + + b m with prob. ½ + ½(1-2τ) m 3. repeat step 1 ~ (1-2τ) -m times to find many such a and determine s (1) by majority vote If m=n, can do step 1 in poly(n) time by Gaussian elimination If m= n Ω(1), can do step 1 in in time ~ 2O(n/log n)

List Merging 2 n/log n n/logn n/logn 2 n/log n 2 2n/log n combinations each one has 2 -n/log n chance of matching in the last n/log n spots So resulting list has 2 n/log n elements

Building a Tree n Θ(1) lists 2 n/log n + + + + + + n/logn + 2n/logn (Success can be proved formally [MS 9]) 1

Limited # of Samples # samples = unlimited best algorithm 2 O(n/log n) time # samples = O(n) best algorithm 2 Ω(n) time # samples = Ω(n c ) for c>1 Can solve the problem in time 2 n/loglog n [Lyu 5] Main idea: Combine n/log n samples at a time to create 2Ω(n/log log n) random-looking samples with bigger noise Can prove that the resulting samples are uniform and independent and the noise is not too big (although it is bigger) Use previous algorithm with O(log n/loglog n) lists of 2 Ω(n/log log n) elements each.

Open Problems 1. Improve the 2 O(n/log n) time algorithm 2. Improve the 2 O(n/loglog n) time algorithm for polynomially-many samples 3. Improve the 2 O(n) time algorithm for O(n)- many samples 4. Improve the 2 O(τn) time algorithm when τ = o(1/logn) 5. Improve practical attacks (i.e. the constants in the exponents)

Cryptography from LPN 1. Public-Key Encryption 2. Authentication Schemes 3. MACs

Equivalent Versions of LPN We have access to an oracle who has a secret s in Zn 2 On every query, the oracle: 1. Picks r Zn 2 2. Picks a `noise e β ¼ (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=<r,s> + e) We have access to an oracle who has a secret S in Zn x n 2 On every query, the oracle: 1. Picks r Zn 2 2. Picks a `noise e βn ¼ (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=sr + e) Equivalence by the hybrid argument

Equivalent Versions of LPN We have access to an oracle who has a secret s in Zn 2 On every query, the oracle: 1. Picks r Zn 2 2. Picks a `noise e β ¼ (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=<r,s> + e) We have access to an oracle who has a secret s βn ¼ On every query, the oracle: 1. Picks r Zn 2 2. Picks a `noise e β ¼ (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=<r,s> + e)

Choosing s same as e [ACPS 9, Kir 11] A 1 s + e 1 = b 1 s=a-1 1 (b 1 + e 1 ) A 2 s + e 2 = b 2 A 2 A-1 1 e 1 + e 2 = b 2 + A 2 A-1 1 b 1 A 3 s + e 3 = b 3 A 3 A-1 1 e 1 + e 3 = b 3 + A 3 A-1 1 b 1 A 4 s + e 4 = b 4 A 4 A-1 1 e 1 + e 4 = b 4 + A 4 A-1 1 b 1 Change input (A i,b i ) (A i A 1-1, b i + A i A 1-1 b 1 )

Decision LPN 1 1 1 + 1 = 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 can t distinguish from uniform Thm [BFKL 93]: Decision-LPN is as hard as LPN

Encryption Scheme (based on [Ale 3]) r A s + e = t A t Z 2 n x n sparse from β O(1/ n) Public Key sparse + e + m = u v

Encryption Scheme r A s + e = t A t Is pseudo-random based on the hardness of LPN + e + m = u v

Encryption Scheme r A s + e = t A t v = r + A s + e + m + e + m = u v = r + A s + m

Encryption Scheme r A s + e = t A t u s = r + A s + e + m = u v = r + = v A s + m w.p. > 1/2

Encryption Scheme r A s + e = t A t v + u = s + m + e + m = u v

Multi-Bit Encryption Scheme A S + E = T r A T + e + m = u v

Open Problems 1. Increase the error in PKE from O(1/ n) 2. Construct other public key primitives Identity-Based Encryption Efficient Digital Signatures 3. Build a Collision-Resistant Hash Function from LPN

Authentication Protocols First protocol (passively secure) [HB 1] Since then, there were many proposals of more secure variants (e.g. HB + HB ++, HB #, etc.) Many proposals without security proofs Many attacks A very confusing state of affairs In the past 3 years things got sorted out Some new interesting questions opened up

An Abstraction: Weak Pseudo-Random Functions A Family of functions F: D R is a weak-prf family if: for a random f F and d 1,d 2, D (d 1,f(d 1 )), (d 2,f(d 2 )), is indistinguishable from (d 1,r 1 ), (d 2,r 2 ), for r i randomly chosen from R Can build a PRF from a weak-prf using O(n) calls to the weak-prf [GGM 84, NR 97] Efficient (1 call to the weak-prf) actively-secure authentication scheme from any weak-prf [DKPW 12] Efficient (1 call to the weak-prf) MiM secure authentication from any weak- PRF [LM 13]

Passively-Secure Authentication Prover Protocol common secret f F Verifier t=f(r) r t Pick r D Accept iff t=f(r) Secure against a passive Adversary

(Efficient) Weak-PRF from LPN? A great open problem! (Can build them based on the related LWE problem [BPR 12]) But a randomized weak-prf is possible. f S (d) = Sd+e (d 1,Sd 1 + e 1 ), (d 2,Sd 2 + e 2 ), is indistinguishable from uniform Can build efficient secure authentication from LPN

Passively-Secure Authentication Prover Protocol [HB 1] Verifier common secret S in Zn x n 2 r Pick r Zn 2 generate e β ⅛ n set t=sr+ e t Accept iff more than 7% of Sr+t are s As secure as LPN against a passive adversary

Active Attack Against HB Prover Verifier common secret S in Zn x n 2 r = (1 ) Pick r Zn 2 generate e β ⅛ n set t=sr+ e = S 1 + e t Accept iff more than 7% of Sr+t are s Repeat many times to recover each column of S individually

Man-in-the-Middle Security Prover Verifier q r+r t q+q r t+t accept/reject Adversary Phase 1

Man-in-the-Middle Security Adversary Phase 2 Verifier q r t

A Stronger Requirement Prover Verifier q r+r t q+q r t+t if (q,r,t ) (,,), Verifier rejects

MiM Secure Authentication from any Weak-PRF [LM 13] A family of weak-prf functions F: D R A family of pairwise-independent functions H: D R Endow R with addition and multiplication to make it a field shared key: f F, h H Pick d D d t=f(d) + h(d)c c t Pick c R Accept iff t=f(d) + h(d)c

Result of the Security Proof Prover Verifier d c+c t d+d c t+t if (d,r,t ) (,,) and Verifier Accepts, we can break the weak-prf

What About LPN? Prover Pick d D = {,1} n e β ⅛ n t=s d + e + h(d)c d c t Verifier Pick c R = {,1} n Accept iff t S d + h(d)c f S (d) Easy for the Adversary to modify t and have the Verifier accept. Just add a noise of weight 1 to t. Not an attack, but the proof strategy clearly does not work.

The Fix for Randomized Weak-PRFs [LM 13] A family of randomized weak-prf functions F: D R A family of pairwise-independent functions H: D R Endow R with addition and multiplication to make it a field Prover shared key: f F, h H, u R Verifier Pick d D = {,1} n d e β ⅛ n t=(s d + e)u + h(d)c f S (d) c t Pick c R = {,1} n Accept iff (t - h(d)c)u -1 S d

Even Stronger Security Security in the concurrent attack model shared key: f F, h H Verifier 1 Prover Verifier 2 Still secure Verifier l

Even Stronger Security? Security in the concurrent attack model. shared key: f F, h H Prover 1 Verifier 1 Prover 2 Verifier 2 Prover k Verifier l Can get security if H is a (k+1)-wise independent function but this is not a very satisfactory result. Open problem!

2-Round Authentication / MAC Possible from Key-Homomorphic Weak-PRFs [KPCJV 11, DKPW 12] a f k (x) + b f k (x) = f ak+bk (x) e.g. f k (x) = x k mod p is a KHwPRF from DDH can build some nice things from them and their randomized versions slight modification works for LPN

Efficiency Considerations We have access to an oracle who has a secret S in Z 2 n x n On every query, the oracle: 1. Picks r Z 2 n 2. Picks a `noise e β ¼ n (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=sr + e) S is an n x n matrix too big! Idea: Make S a Toeplitz matrix [GRS 8] Open Problems: Is decision Toeplitz-LPN as hard as search? Can s come from the same distribution as e?

Ring-LPN [HKLPP 12] Another idea: Make the i th column (for i= to n-1) of S be sx i mod f(x) where f(x) is a degree-n polynomial and s is a random polynomial We have access to an oracle who has a secret s in Z 2 [x]/(f(x)) On every query, the oracle: 1. Picks r Z 2 [x]/(f(x)) 2. Picks a `noise e β ¼ n (i.e. e= w.p. ¾ and 1 w.p ¼) 3. Outputs (r, t=sr + e) want f(x) to be irreducible over Z 2 or split into large factors for public-key encryption, want f(x) so that ab mod f(x) is not much bigger than a and b ( f(x)=x 2n +x n +1 is a good choice for n=3 k ) s can have the same distribution as the error

Ring-LPN Open Problems Is Ring-LPN hard? Are there some irreducible polynomials for which Ring-LPN is easy? Is decision Ring-LPN as hard as the search version?

LaPiN [HKLPP 12] (based on [KPCJV 11]) Prover Verifier common secrets s, s in R=Z 2 [x]/<f(x)> (We will pretend R is a field but we can also work in certain rings) generate r R generate e β ⅛ n set z = r(sc+s )+e c (r,z) Pick c R Accept iff z r(sc+s )

LaPiN Open Problems Security against MiM attacks? Open problem Best attack we know runs in time 2 C /2 where C is the domain of the challenge c Interesting direction: Make LaPiN secure against practical side-channel attacks. LaPiN s advantage over AES: it s linear, and so much easier to mask [GLS 14]

Message Authentication [KPCJV 11, DKPW, 12] generate r R generate e β ⅛ n set z = r(sc+s )+e c (r,z) Pick c R Accept iff z r(sc+s ) secret keys: s,s, pairwise-independent function h m generate r R generate e β ⅛ n generate random b set z = r(s(m b)+s )+e set z = h(r z)+b (r,z,z ) compute b = z + h(r z) Accept iff z r(s(m b)+s )

Bibliography Avrim Blum, Adam Kalai, Hal Wasserman: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 5(4): 56-519 (23) David Wagner: A Generalized Birthday Problem. CRYPTO 22: 288-33 Vadim Lyubashevsky: The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem. APPROX- RANDOM 25: 378-389 Lorenz Minder, Alistair Sinclair: The Extended k-tree Algorithm. J. Cryptology 25(2): 349-382 (212) Avrim Blum, Merrick L. Furst, Michael J. Kearns, Richard J. Lipton: Cryptographic Primitives Based on Hard Learning Problems. CRYPTO 1993: 278-291 Nicholas J. Hopper, Manuel Blum: Secure Human Identification Protocols. ASIACRYPT 21: 52-66 Michael Alekhnovich: More on Average Case vs Approximation Complexity. FOCS 23: 298-37 Ari Juels, Stephen A. Weis: Authenticating Pervasive Devices with Human Protocols. CRYPTO 25: 293-38 Jonathan Katz, Ji Sun Shin, Adam Smith: Parallel and Concurrent Security of the HB and HB+ Protocols. J. Cryptology 23(3): 42-421 (21) Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin: HB#: Increasing the Security and Efficiency of HB+. EUROCRYPT 28: 361-378 Khaled Ouafi, Raphael Overbeck, Serge Vaudenay: On the Security of HB# against a Man-in-the-Middle Attack. ASIACRYPT 28: 18-124 Eike Kiltz, Krzysztof Pietrzak, David Cash, Abhishek Jain, Daniele Venturi: Efficient Authentication from Hard Learning Problems. EUROCRYPT 211: 7-26 Yevgeniy Dodis, Eike Kiltz, Krzysztof Pietrzak, Daniel Wichs: Message Authentication, Revisited. EUROCRYPT 212: 355-374 Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak: Lapin: An Efficient Authentication Protocol Based on Ring-LPN. FSE 212: 346-365 Vadim Lyubashevsky, Daniel Masny: Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs. CRYPTO (2) 213: 38-325 Lubos Gaspar, Gaetan Leurent, Francois-Xavier Standaert: Hardware Implementation and Side-Channel Analysis of Lapin. CT-RSA 214

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback