How to Encrypt with the LPN Problem

Similar documents
Pruning and Extending the HB + Family Tree

Solving LPN Using Covering Codes

Practical Attacks on HB and HB+ Protocols

The LPN Problem in Cryptography

BEFORE presenting the LPN problem together with its

A Novel Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocol for RFID Authentication

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Notes on Alekhnovich s cryptosystems

Computational security & Private key encryption

Lecture 7: CPA Security, MACs, OWFs

Cryptology. Scribe: Fabrice Mouhartem M2IF

arxiv: v2 [cs.cr] 14 Feb 2018

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Modern Cryptography Lecture 4

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

6.892 Computing on Encrypted Data October 28, Lecture 7

Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification

A New Paradigm of Hybrid Encryption Scheme

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Lectures 2+3: Provable Security

Background: Lattices and the Learning-with-Errors problem

The Theory and Applications of Homomorphic Cryptography

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Chosen-Ciphertext Security from Subset Sum

On the power of non-adaptive quantum chosen-ciphertext attacks

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

1 Number Theory Basics

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Lecture 9 - Symmetric Encryption

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Short Exponent Diffie-Hellman Problems

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

8 Security against Chosen Plaintext

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

QC-MDPC: A Timing Attack and a CCA2 KEM

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Chapter 2 : Perfectly-Secret Encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lattice Cryptography

Lattice Cryptography

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or

CPA-Security. Definition: A private-key encryption scheme

2 Message authentication codes (MACs)

A Strong Identity Based Key-Insulated Cryptosystem

Modern symmetric-key Encryption

Post-quantum security models for authenticated encryption

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

Simple Chosen-Ciphertext Security from Low-Noise LPN

CTR mode of operation

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Block Ciphers/Pseudorandom Permutations

Symmetric Encryption

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CS 6260 Applied Cryptography

III. Pseudorandom functions & encryption

A survey on quantum-secure cryptographic systems

Proofs of Retrievability via Fountain Code

Advanced Topics in Cryptography

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

A Fuzzy Sketch with Trapdoor

Provable security. Michel Abdalla

Two-Round PAKE from Approximate SPH and Instantiations from Lattices

Question 1. The Chinese University of Hong Kong, Spring 2018

Code-based public-key encryption resistant to key leakage

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

CS 6260 Applied Cryptography

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Improving the Performance of the SYND Stream Cipher

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Cryptography 2017 Lecture 2

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Lecture 14 - CCA Security

Lossy Trapdoor Functions and Their Applications

Lecture 4: DES and block ciphers

CS Topics in Cryptography January 28, Lecture 5

Lecture Notes. Advanced Discrete Structures COT S

1 Last time and today

OAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland

6.892 Computing on Encrypted Data September 16, Lecture 2

Standard versus Selective Opening Security: Separation and Equivalence Results

ECS 189A Final Cryptography Spring 2011

Chosen-Ciphertext Security without Redundancy

Secure and Practical Identity-Based Encryption

Property Preserving Symmetric Encryption Revisited

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

1 Secure two-party computation

Semantic Security and Indistinguishability in the Quantum World

Lecture 2: Perfect Secrecy and its Limitations

Lecture 5, CPA Secure Encryption from PRFs

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Trapdoor Computational Fuzzy Extractors

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Transcription:

How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs

the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed interest in cryptographic protocols based on the LPN (Learning Parity with Noise) problem, the problem of learning an unknown vector x given noisy versions of its scalar product a x with random vectors a this problem seems promising to obtain efficient protocols since it implies only basic operations on GF(2) in this work, we present a probabilistic symmetric encryption scheme, named LPN-C, whose security against chosen-plaintext attacks can be proved assuming the hardness of the LPN problem ICALP 2008 Y. Seurin 1/20 Orange Labs

outline the LPN problem: a brief survey description and analysis of the encryption scheme LPN-C concrete parameters, practical optimizations conclusion & open problems ICALP 2008 Y. Seurin 2/20 Orange Labs

the LPN problem Given q noisy samples (a i, a i x ν i ), where x is a secret k -bit vector, the a i s are random, and Pr[ν i = 1] = η, find x. similar to the problem of decoding a random linear code (NP-complete) best solving algorithms require T, q = 2 Θ( k log k ) : Blum, Kalai, Wasserman [BKW03], Levieil, Fouque [LF06] a variant by Lyubashevsky [L05] requires q = O(k 1+ɛ ) but T = 2 O( numerical examples: for k = 512 and η = 0.25, LF requires T, q 2 89 for k = 768 and η = 0.01, LF requires T, q 2 74 k log log k ) ICALP 2008 Y. Seurin 3/20 Orange Labs

previous schemes based on LPN PRNG by Blum et al. [BFKL93] public-key encryption scheme by Regev [R05] based on the LWE problem, the generalization of LPN to GF( p ), p > 2 the HB family of authentication protocols: HB [HB01] HB + [JW05] HB ++ [BCD06] HB [DK07] HB # [GRS08] Trusted-HB [BC07] PUF-HB [HS08] ICALP 2008 Y. Seurin 4/20 Orange Labs

description of LPN-C public components: a (linear) error-correcting code C : {0, 1} r {0, 1} m of parameters [m, r, d] and the corresponding decoding algorithm C 1 secret key: a k m binary matrix M encryption: r -bit plaintext x, encode it to C(x) draw a random k -bit vector a and a noise vector ν where Pr[ν[i] = 1] = η ciphertext (a, y), where y = C(x) a M ν decryption: on input (a, y), compute y a M and decode the resulting value, or output if unable to decode ICALP 2008 Y. Seurin 5/20 Orange Labs

security intuition y = C(x) a M ν in a chosen-plaintext attack, the adversary only learns a i M ν i random vectors a i for hardness of the LPN problem implies that the adversary cannot guess a M for a new random a better than with a priori probability ( MHB puzzle [GRS08]), hence will have no information on a challenge ciphertext (a, C(x) a M ν) ICALP 2008 Y. Seurin 6/20 Orange Labs

decryption failures decryption failures happen when Hwt(ν) > t, where t = d 1 2 is the correction capacity of the code when the noise is randomly drawn, m ( ) m P DF = η i (1 η) m i i is negligible for ηm < t i=t+1 for eliminating decryption failures, the Hamming weight of the noise vector can be tested before being used and regenerated when Hwt(ν) > t, but this may impact the security proof ICALP 2008 Y. Seurin 7/20 Orange Labs

quasi-homomorphic encryption the scheme enjoys some kind of homomorphism property given two plaintexts one has: (a, y) = (a, C(x) a M ν) (a, y ) = (a, C(x ) a M ν ), y y = C(x x ) (a a ) M (ν ν ) so that (a a, y y ) is a valid ciphertext for x x if Hwt(ν ν ) t ν ν is a noise vector with noise parameter η = 2η(1 η) ; if η m < t, the homomorphism property holds with overwhelming probability ICALP 2008 Y. Seurin 8/20 Orange Labs

security notions security goals: indistinguishability (IND) and non-malleability (NM) adversaries run in two phases; at the end of the first phase they output a distribution on the plaintexts and receive a ciphertext challenge they are denoted P X -C Y according to the oracles (P for encryption, C for decryption) they can access X, Y = 0 : the adversary can never access the oracle X, Y = 1 : the adversary can only access the oracle during phase 1 (non-adaptive) X, Y = 2 : the adversary can access the oracle during phases 1 and 2, i.e. after having seen the challenge ciphertext (adaptive) ICALP 2008 Y. Seurin 9/20 Orange Labs

security notions relations between different types of attacks have been studied by Katz and Yung [KY06]: IND-P1-C Y IND-P2-C Y and NM-P1-C Y NM-P2-C Y IND-P2-C2 NM-P2-C2 ICALP 2008 Y. Seurin 10/20 Orange Labs

security proof: a useful lemma notations: U k+1 will be the oracle returning uniformly random (k + 1) -bit strings Π s,η will be the oracle returning the (k + 1) -bit string (a, a s ν), where a is uniformly random and Pr[ν = 1] = η we have the following decision-to-search lemma (Regev [R05], Katz and Shin [KS06]): lemma: if there is an efficient oracle adversary distinguishing between the two oracles U k+1 and Π s,η, then there is an efficient adversary solving the LPN problem ICALP 2008 Y. Seurin 11/20 Orange Labs

IND-P2-C0 security proof P2-C0 adversary A breaking the indistinguishability of the scheme we use it to distinguish between U k+1 and Π s,η as follows: draw a random j [1..m] and a random k (m j) binary matrix M use the following method to encrypt: get a sample (a, z) from the oracle O form the m -bit masking vector b = r z (a M ν) where r is a random (j 1) -bit string and ν an (m j) -bit noise vector return the ciphertext (a, C(x) b) play the indistinguishability game with A ; if A distinguishes, return 1, otherwise return 0 ICALP 2008 Y. Seurin 12/20 Orange Labs

IND-P2-C0 security proof masking vector b = r z (a M ν) when O = U k+1, the j first bits of b are random and the m j last ones are distributed according to an LPN distribution; for j = m the ciphertexts are completely random when O = Π s,η, the j 1 first bits of b are random and the m j + 1 last ones are distributed according to an LPN distribution; for j = 1 the encryption is perfectly simulated when expressing the advantage of this distinguisher, the terms for j = 2 to (m 1) cancel and we obtain advantage δ/m if the advantage of the original distinguisher A was δ ICALP 2008 Y. Seurin 13/20 Orange Labs

malleability as is, the scheme is clearly malleable (P0-C0 attack): given a ciphertext (a, y) corresponding to some plaintext x, the adversary can simply modify it to (a, y C(x )), which will correspond to the plaintext x x since IND-P2-C2 NM-P2-C2, the scheme cannot be IND-P2-C2 or even IND-P0-C2 either what about non-adaptive ciphertext attacks? ICALP 2008 Y. Seurin 14/20 Orange Labs

an IND-P0-C1 attack idea: query the decryption oracle on (a, y i ) many times with the same a and random y i s to get approximate equations on a M when y i a M is at Hamming distance less than t from a codeword, the decryption oracle will return x i such that Hwt(C(x i ) y i a M) t this will give an approximation of each bit of a M with noise parameter less than t/m ; repeating the experiment sufficiently many times with the same a enables to retrieve a M with high probability, hence to retrieve the secret key M this attack works only if the probability that a random m -bit string is decodable is sufficiently high, i.e. if the code is good enough ICALP 2008 Y. Seurin 15/20 Orange Labs

P2-C2 security one can obtain an IND/NM-P2-C2 scheme by appending a MAC to the ciphertext (Encrypt-then-MAC paradigm studied by Bellare et al. [BN00]) we propose the following MAC based on the LPN problem: let M be a l l secret binary matrix and H be a one-way function for X {0, 1} define MAC M (X) = H(X) M ν, where ν is a noise vector of parameter η one can prove the security of this MAC in the random oracle model for H, using the hardness of the MHB puzzle [GRS08] Given q noisy samples (a i, a i M ν i ), where M is a secret k m matrix and Pr[ν i [j] = 1] = η, and a random challenge a, find a M. ICALP 2008 Y. Seurin 16/20 Orange Labs

example parameters expansion factor σ = ciphertext plaintext = m+k r k η m r d expansion factor key size key size (Toeplitz) 512 0.125 80 27 21 21.9 40, 960 591 0.42 512 0.125 160 42 42 16 81, 920 671 0.44 768 0.05 80 53 9 16 61, 440 847 0.37 768 0.05 160 99 17 9.4 122, 880 927 0.41 768 0.05 160 75 25 12.4 122, 880 927 0.06 P DF ICALP 2008 Y. Seurin 17/20 Orange Labs

possible variants and optimizations use of Toeplitz matrices to reduce the key size Toeplitz matrices have good randomization properties: (x x T) T is a 1/2 m -balanced function family (for any non-zero vector a, a T is uniformly distributed) t k+m 1... t 3 t 2 t 1 t 3 t 2 possibility to pre-share the random vectors a used to encrypt, or to regenerate them from a PRNG and a small seed; then σ = m r, the expansion factor of the error-correcting code t 3 ICALP 2008 Y. Seurin 18/20 Orange Labs

conclusion & open problems we presented LPN-C, a probabilistic symmetric encryption scheme whose security relies on the LPN problem it extends the range of cryptographic protocols based on the LPN problem implementation would be quite efficient but practical problems remain: expansion of the ciphertext, high key size open problems include: understand the impact of the use of Toeplitz matrices on the security of the scheme devise an efficient MAC whose security relies only on the LPN problem to obtain an IND/NM-P2-C2 secure encryption scheme ICALP 2008 Y. Seurin 19/20 Orange Labs

thanks for your attention! comments questions? ICALP 2008 Y. Seurin 20/20 Orange Labs

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback