Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Similar documents
Lossy Trapdoor Functions and Their Applications

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Bounded Key-Dependent Message Security

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 11: Key Agreement

Shai Halevi IBM August 2013

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Notes for Lecture 17

1 Number Theory Basics

Introduction to Cryptography. Lecture 8

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

4-3 A Survey on Oblivious Transfer Protocols

Classical hardness of the Learning with Errors problem

Lecture 17: Constructions of Public-Key Encryption

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Fully Bideniable Interactive Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Classical hardness of Learning with Errors

Public-Key Encryption

Chosen-Ciphertext Security from Subset Sum

On Minimal Assumptions for Sender-Deniable Public Key Encryption

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Notes for Lecture 16

i-hop Homomorphic Encryption Schemes

ECS 189A Final Cryptography Spring 2011

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 1: Introduction to Public key cryptography

Trapdoor functions from the Computational Diffie-Hellman Assumption

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

CS Topics in Cryptography January 28, Lecture 5

Cryptology. Scribe: Fabrice Mouhartem M2IF

6.892 Computing on Encrypted Data September 16, Lecture 2

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Evaluating 2-DNF Formulas on Ciphertexts

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Public-Key Encryption: ElGamal, RSA, Rabin

Building Lossy Trapdoor Functions from Lossy Encryption

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Lecture 22: RSA Encryption. RSA Encryption

The Cramer-Shoup Cryptosystem

Applied cryptography

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 7: ElGamal and Discrete Logarithms

ADVERTISING AGGREGATIONARCHITECTURE

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification

Multiparty Computation

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

CPSC 467b: Cryptography and Computer Security

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Lattice-Based Non-Interactive Arugment Systems

6.892 Computing on Encrypted Data October 28, Lecture 7

Post-quantum key exchange for the Internet based on lattices

Public Key Cryptography

Building Injective Trapdoor Functions From Oblivious Transfer

Black-box circular-secure encryption beyond affine functions

Cryptography and Security Midterm Exam

CRYPTANALYSIS OF COMPACT-LWE

El Gamal A DDH based encryption scheme. Table of contents

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Dual Projective Hashing and its Applications Lossy Trapdoor Functions and More

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

G Advanced Cryptography April 10th, Lecture 11

A survey on quantum-secure cryptographic systems

Recent Advances in Identity-based Encryption Pairing-free Constructions

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Deniable Attribute Based Encryption for Branching Programs from LWE

Lattice Based Crypto: Answering Questions You Don't Understand

Secure and Practical Identity-Based Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Discrete Logarithm Problem

14 Diffie-Hellman Key Agreement

CS 395T. Probabilistic Polynomial-Time Calculus

Great Theoretical Ideas in Computer Science

Public Key Cryptography

Number Theory & Modern Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture V : Public Key Cryptography

1 Basic Number Theory

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Transcription:

1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010

2 / 19 Talk Agenda Encryption schemes with special features:

2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability

2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability 2 Circular Security

3 / 19 Part 1: Deniable Encryption A. O Neill, C. Peikert (2010) Bideniable Public-Key Encryption

Deniable Encryption c = Encpk ( surprise party 4 big bro! ) (Images courtesy xkcd.org) 4 / 19

Deniable Encryption c = Encpk ( surprise party 4 big bro! )!! (Images courtesy xkcd.org) 4 / 19

Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19

Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) (fake!) (fake!) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19

Deniable Encryption c = Encpk ( I love kittens!!!! ) What We Want 1 Bob gets Alice s intended message, but... 2 Fake coins & keys look as if another message was encrypted! (Images courtesy xkcd.org) 4 / 19

5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), 1984

5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can t sell vote (?)

5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can t sell vote (?) 3 Secure protocols tolerating adaptive break-ins [CFGN 96]

6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced)

6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose,... Limited deniability: move along, no message here... Plausible for storage, but not so much for communication.

7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible

7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02]

7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02] 2 Plan-ahead bi-deniability with short keys Bounded number of alternative messages, decided in advance

8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P Public description pk with secret trapdoor sk.

8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample...... so it can be faked as a U-sample.

8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample...... so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U.

8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample...... so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U. Many instantiations: trapdoor perms (RSA), DDH, lattices,...

9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Enc(1) = UP U P sk

9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Deniable: Enc(0) = PP Enc(1) = UP Enc(1) = UP U P sk

Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk Deniability 4 Alice can fake: PP UP UU 9 / 19

Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk 7 Deniability 4 Alice can fake: PP UP UU 7 What about Bob?? His sk reveals the true nature of the samples! 9 / 19

10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.

10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.

10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly.

10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample.

10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample. Bob can also fake P U!

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.)

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O x Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q.

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r x O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q. P-sample = x = A t s + e (LWE). Then r, x 0 mod q.

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ])

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ]) Given P-sample x, choose fake r L correlated with x s error. Then r, x is uniform mod q x is classified as a U-sample.

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r?

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib!

11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib! Finally, replace LWE with uniform normal r and U-sample x.

12 / 19 Closing Thoughts on Deniability Faking sk requires oblivious misclassification (of P as U) Bi-deniability from other cryptographic assumptions? Full deniability, without alternative algorithms?

13 / 19 Part 2: Circular-Secure Encryption B. Applebaum, D. Cash, C. Peikert, A. Sahai (CRYPTO 2009) Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems

14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) sk Bob

14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate.

14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j

14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09]

14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09] Some (semantically secure) schemes are actually circular-insecure [ABBC 10,GH 10]

15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption

15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05]

15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.

15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.

15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach. Efficiency: comes for free with existing schemes! [R 05,PVW 08] Public key Enc Time Ciphertext k 2 bits k 2 ops k bits

16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i )

16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q

16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ).

16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p.

16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p. Security proof: uniform pk = (A, b) = uniform ciphertext (u, v).

17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. (Or any affine fct of s.)

17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p?

17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? No! Also no!

17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme No! Also no! 1 Use q = p 2 for divisibility. (Need new search/decision reduction for LWE.)

17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] No! Also no!

17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no!

17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!

17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!?? But is it secure to use such an s??

18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ),

18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q.

18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e).

18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )).

18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )). Clique & Affine Security (Again, For Free) Repeating transform produces ind. sources LWE e1, LWE e2,... Side effect: a known affine relation between unknowns s and e i. This lets us create Enc pki (affine(e j )) for any i, j.

19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done!

19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done! Thanks!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback