Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE
Rishab Goyal, Venkata Koppula, Brent Waters
n-Circular Security [Camenisch Lysyanskaya 01]
Public keys: PK_1, ..., PK_n
Key cycle: Enc_PK1(SK_2), Enc_PK2(SK_3), ..., Enc_PKn(SK_1)
Encryptions of zero: Enc_PK1(0), Enc_PK2(0), ..., Enc_PKn(0)
Does IND-CPA imply n-Circular Security?
Separations: n-Circular Security
• n = 1 (Folklore)
• n = 2
  • Bilinear Groups [Acar Belenkiy Bellare Cash 10, Cash Green Hohenberger 12]
  • LWE [Bishop Hohenberger Waters 15]
• n ≥ 3
  • Obfuscation [Koppula Ramchen Waters 15, Marcedone Orlandi 14]
  • LWE [Koppula Waters 16, Alamati Peikert 16]
Can we bypass these negative results?
They do seem to use the full key!
What if we encrypt bit-by-bit?
Separations don’t hold!
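The observation on this slide, as an added example that is not from the talk or the paper: the slides name the folklore n = 1 separation without giving it, so the code uses the standard textbook construction, in which a wrapper E' around an IND-CPA scheme E releases the key only when the plaintext equals the whole key. The HMAC-SHA256 stream cipher standing in for E, the 16-byte key length and all function names are assumptions of this example.

```python
import hashlib, hmac, os

KEY_LEN = 16  # bytes; toy parameter assumed for this example

def keygen():
    return os.urandom(KEY_LEN)

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in for the base scheme E).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key, msg):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))

def dec(key, ct):
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def enc_prime(key, msg):
    # E': identical to E unless the plaintext is the whole key. A CPA adversary
    # cannot submit msg == key without already knowing the key, so the extra
    # branch does not affect IND-CPA security.
    if msg == key:
        return b"\x01" + key
    return b"\x00" + enc(key, msg)

def dec_prime(key, ct):
    return key if ct[:1] == b"\x01" else dec(key, ct[1:])

def key_bits(key):
    return [(byte >> i) & 1 for byte in key for i in range(7, -1, -1)]

def whole_key_cycle(key):
    return enc_prime(key, key)              # 1-cycle on the full key

def bitwise_key_cycle(key):
    # Each plaintext is a single bit, so it never equals the 16-byte key.
    return [enc_prime(key, bytes([b])) for b in key_bits(key)]

def leaked_key(cts):
    # Observer's view: return the key if any ciphertext carries the leak flag.
    for ct in cts:
        if ct[:1] == b"\x01":
            return ct[1:]
    return None
```

The whole-key cycle hands the key to the observer, while the bit-by-bit cycle of the same key contains only ordinary ciphertexts, which is why the full-key separations do not carry over to bit encryption.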
Does IND-CPA imply Circular Security for bit encryption?
Prior Results
• [Koppula Ramchen Waters 15]: iO
• [Rothblum 12]: M-Maps
Our Result: LWE
Theorem. ∃ IND-CPA secure symmetric key bit encryption scheme E such that it is not 1-circular secure.
LWE with Short Secrets [Regev 05, Applebaum Cash Peikert Sahai 09]
Lattice Trapdoors [Gentry Peikert Vaikuntanathan 08 …]
• Short matrix s.t.
Cycle Testers [Bishop Hohenberger Waters 15]
• Correctness: Test and distinguishes
• IND-CPA Security
Preview
[Figure labels: Matrices and Trapdoors; Position]
1. Checks if encrypt . (Ignores )
2. Assumes encrypts for position .
Problem setting LWE parameters!
Preview: Strand Structure (𝜇 = 3)
[Figure: strand structure diagram]
Setup
[Figure: strand diagram with rows labelled Base, Level 1, Level 2, ..., Level 𝜇]
Enc(bit b, pos i)
[Figure: strand diagram for encryption; one step annotated "Computed as before"]
Oblivious Sequence Transform
• Problem
• Solution
Enc(bit b, pos i)
High Level Structure in encryption of bit 𝑐 for position 𝑗 … chooses a sub-strand in 𝑗th strand.
Test
Encrypt s
[Figure: strand diagram for the test procedure]
Proof Sketch: IND-CPA
[Figure: Game 0 and Game 1; annotation "s chosen randomly and hidden!"; label "LHL"]
[Figure: Game 1, Game 2, ..., Game 𝜇; labels "Random Short Matrices", "Position-𝜇", "Position-(𝜇-1)", ..., "Position-1"]
[Figure: labels "LWE", "Pre-Image"]
Setting Parameters??
• For Correctness: Error Accumulation
• For Security: Leftover Hash Lemma
Problem.
• For LHL: # Strands > log 𝑟.
• Error Accumulation: # Levels < log 𝑟.
• Current Design: Strands = Levels.
• New Design: # Strands = PRG output length.
Review
Looks like a Branching Program that computes Identity!
Relieving the Tension
Problem.
• For LHL: # Strands > log 𝑟.
• Error Accumulation: # Levels < log 𝑟.
• Current Design: Strands = Levels.
• New Design: # Strands = PRG output length.
Encode and Evaluate a PRG!
High Level Structure: Encoding PRG
[Figure: strand diagram encoding the PRG]
Conclusions and Open Problems
• Bit Encryption - Circular security separation
  • First from standard assumptions
  • Symmetric Key
• Technical Contributions
  • Oblivious sequence transformation
  • Encoding log-depth PRG for reduction to LWE
  • Fixed-input BPs for consistent cascading
  • Novel technique to encode and hide BPs using lattice trapdoors
Public Key Setting?
Can these techniques be used elsewhere?
Lockable Obfuscation [G Koppula Waters 17]
• Correctness:
• Security:
Our Result [G Koppula Waters 17]
• Lockable Obfuscation
  • All poly sized circuits*
  • Secure under LWE
• Applications
  • Attribute-Based Encryption → 1-sided Predicate Encryption
  • Circular Security Separations (Bit Encryption, Unbounded, …)
  • Random Oracle Uninstantiability (Fujisaki-Okamoto, …)
  • Broadcast Encryption → Anonymous Broadcast Encryption
  • Rejecting Indistinguishability Obfuscator (riO)
  • …