Dissection-BKW CRYPTO 2018, Santa Barbara , August 20th 2018 Andre - PowerPoint PPT Presentation

Dissection-BKW CRYPTO 2018, Santa Barbara , August 20th 2018 Andre Esser , Felix Heuer, Robert Kübler, Alexander May, Christian Sohler Horst Görtz Institute for IT Security Ruhr University Bochum

What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13

What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13

What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] • Solve LPN: BKW algorithm [BKW00] ◦ Time = Memory = Samples , slightly subexponential ◦ only small experiments [BTV16, EKM17] Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13

What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] • Solve LPN: BKW algorithm [BKW00] ◦ Time = Memory = Samples , slightly subexponential ◦ only small experiments [BTV16, EKM17] • Goal: BKW-variant applicable for any given memory Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13

Illustration of “BKW” ( a 1 , � a 1 , s � + e 1 ) ( a 2 , � a 2 , s � + e 2 ) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” ( a 1 , � a 1 , s � + e 1 ) + ( a 2 , � a 2 , s � + e 2 ) = ( a 1 + a 2 , � a 1 + a 2 , s � + e 1 + e 2 ) a ′ � a ′ , s � e ′ ( , + ) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” $ 0101 0101 $ stripe Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 + 0101 $ stripe Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 1111 $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 $ 0000 1111 $ + 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 0000 $ $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 0000 $ $ 0101 $ . . . . . . . . . $ 1111 0000 $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” $ $ $ $ . . . . . . . . . $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” $ $ $ $ $ $ $ $ → . . . . . . . . . . . . . . . . . . $ $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 1 $ $ $ $ 1 $ $ 1 1 $ $ → → . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 $ $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

Illustration of “BKW” 1 $ $ $ $ 1 $ $ 1 1 $ $ → → . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 $ $ • a i = (1 , 0 , 0 , . . . , 0) ⇒ ( a i , � a i , s � + e i ) = ( a i , s 1 + e i ) • Majority vote! BKW Theorem [BKW00, LF06] BKW solves LPN in time, memory and sample complexity 2 k/ log k . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13

c -sum Observation $ 0000 0101 $ + $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) ! � N � / 2 b ≥ N c c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N ≥ 2 b/ ( c − 1) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N = 2 b/ ( c − 1) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N = 2 b/ ( c − 1) Main Idea: solve c - SP repeatedly on stripes c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13

■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 sum of A = 2 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0000 $ 0101 sum of A = 2 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0000 $ 0101 sum of B = 3 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 sum of B = 3 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 sum of A samples → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13

❛♥❞ → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13

❛♥❞ → → N $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13

❛♥❞ → → N $ $ 1 solve c - SP Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13

❛♥❞ → → N $ $ 1 solve c - SP Memory Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13

Dissection-BKW CRYPTO 2018, Santa Barbara , August 20th 2018 Andre - PowerPoint PPT Presentation

Dissection-BKW CRYPTO 2018, Santa Barbara , August 20th 2018 Andre Esser , Felix Heuer, Robert Kbler, Alexander May, Christian Sohler Horst Grtz Institute for IT Security Ruhr University Bochum What is LPN? Learning Parity with Noise (LPN)

Part II: Cow Eye Dissection Dissection of a Cow s Eye After the front of the eye has been

Chronic Aortic Dissection Treatment of Chronic Aortic Dissection Is Evolving 40% of repairs of

Type B Dissection Sub-Categories Acute Complicated Rupture Malperfusion Title

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

1 A RANDOMIZED TRIAL COMPARING RADICAL HYSTERECTOMY AND PELVIC NODE DISSECTION VS SIMPLE

VS SIMPLE HYSTERECTOMY AND PELVIC NODE DISSECTION IN PATIENTS WITH LOW-RISK, EARLY- STAGE

VS SIMPLE HYSTERECTOMY AND PELVIC NODE DISSECTION IN PATIENTS WITH LOW-RISK, EARLY- STAGE

GAN Dissection: Visualizing and Understanding Generative Adversarial Networks David Bau, Jun-Yan

Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and

Unusual presentation of tension pneumoperitoneum during endo- scopic submucosal dissection of

and Outcomes in Patients With Uncomplicated Type B Aortic Dissection Matthew Aizpuru BA 1 ,

Network Dissection: Quantifying Interpretability of Deep Visual Representations By David Bau,

Artery Dissection Diagnosis and Treatment in an Era of Uncertainty James C. Iannuzzi MD, MPH,

Canadian Spontaneous Coronary Artery Dissection Cohort Study Jacqueline Saw, MD, Andrew

Lab #5 4-Cylinder Single Overhead Cam Engine Dissection Equipment: 4-Cylinder Mazda 16 Valve

Acute Aortic Dissection: Lessons Learned from 9000 Patients Kim A. Eagle, M.D. On Behalf of the

Aortic Syndromes Aortic Aneurysm Aortic Dissection Intramural Hematoma (IMH)

Completion Axillary Lymph Node Dissection Is Not Required for Regional Control in Patients With

Genetic dissection of Natural Dry-On-Vine trait in grapevine Jonathan Fresnedo Ramrez

Slides by Nolan Dey Motivation Neural networks are often treated as a black box Network

Local Statistical Filtering via Domain Dissection for Medical Imaging GTC 2016 San Jose, CA,

Disclosures Spontaneous Coronary Artery I have nothing to disclose Dissection Jeffrey Zimmet,

Aortic Dissection 16 th Annual Toronto Perioperative TEE Symposium 2018.11.10 Azad Mashari MD

Tutorial: GAN Dissection What is learned inside a GAN? David Bau To follow along: