On Error Correction in the Exponent
Chris Peikert
MIT Computer Science and AI Laboratory
Theory of Cryptography Conference (TCC 2006), 5 March 2006

Error Correction (in the Exponent)

Sharing Secrets (mod $q$)
• Random $p(\cdot)$, $\deg(p) < k$, s.t. $p(0) =$ secret.
• $P_i$ gets share $x_i = p(i)$.
$(x_1, \dots, x_n)$ is a Reed-Solomon codeword.

[Figure: players $P_1, \dots, P_7$]

Reconstruction
• $P_i$ announces $x_i$.
Interpolation: $p(\alpha) = \sum_i x_i \lambda_i$ for any $\alpha$.
Error correction: [BeWe86, GuSu98]

Placing Shares “in the Exponent” [CJKR96, PK96, RG03, NPR99, D03, CD04, CG99, BF99, ...]
Cyclic group $G = \langle g \rangle$, order $q$
• $P_i$ announces $g^{x_i}$.
Interpolation: $g^{p(\alpha)} = \prod_i (g^{x_i})^{\lambda_i}$
ERROR CORRECTION: ???
• Guess-and-check: $\frac{n \log n}{k}$ errors

Our Contributions

☞ The first detailed study of the complexity of ECE.

Unconditional Results
Errors                        Complexity
$n - \sqrt{nk}$               EASY AS DH
$n - k - k^{1-\epsilon}$      HARD AS DLOG
Gap: $\approx \delta \cdot k$
link DH to DLOG?

Results for Generic Algorithms
• Guess-and-check is optimal — even if DDH is easy.

[Diagram with panels “Evidence for:” and “A new approach for:”, relating DDH, ECE, DH and DLOG]

Relation to Discrete Log

Theorem
Decoding (in the exponent) to distance $n - k - k^{1-\epsilon}$ is as hard as computing discrete logs in $G$.

Proof Sketch
1 Finding a representation on uniform $w \in G^n$ is as hard as dlog.
  - Representation on $w$: nonzero $a = (a_1, \dots, a_n) \in \mathbb{Z}_q^n$ s.t. $\prod_i w_i^{a_i} = 1$.
  - [Bra93] showed hardness.
2 Uniform $w$ is close (in the exponent) to some codeword.
  We show $\exists\, \ell = k + k^{1-\epsilon}$ points $w_i = g^{x_i}$, with $x_i$ on poly of deg $< k$.
  - There are $\binom{n}{\ell}$ distinct events (each very rare).
  - These events have limited dependence.
3 Decoding $w$ yields a representation on $w$.
  - Decode $w$ to $(g^{x_1}, \dots, g^{x_n})$, where $x_i$ lie on poly of deg $< k$.
  - There are $\gg k$ points $w_i = g^{x_i}$. wlog: $w_1, \dots, w_{k+1}$.
  - Interpolate in the exponent: $w_{k+1} = \prod_{i=1}^{k} w_i^{\lambda_i} \Rightarrow$ representation!
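
The following is an added example, not code from the talk: it carries out interpolation and guess-and-check decoding in the exponent from the “Error Correction (in the Exponent)” slide, and checks the representation produced in step 3 of the proof sketch. The toy group ($p = 2039$, $q = 1019$, $g = 4$) and all function names are assumptions, and the subset search runs in a fixed order rather than by random guessing.

```python
# Added example (not from the talk): Shamir shares "in the exponent".
# Assumed toy parameters: P = 2Q + 1 with P, Q prime; G = 4 generates the
# order-Q subgroup of Z_P^*. Real deployments use cryptographic-size groups.
import random
from itertools import combinations

P, Q, G = 2039, 1019, 4

def lagrange(xs, alpha):
    """Coefficients lambda_i (mod Q) with p(alpha) = sum_i lambda_i * p(x_i)."""
    lams = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (alpha - xj) % Q
                den = den * (xi - xj) % Q
        lams.append(num * pow(den, -1, Q) % Q)
    return lams

def interp_exp(points, alpha):
    """g^{p(alpha)} = prod_i (g^{x_i})^{lambda_i}, from pairs (i, g^{x_i})."""
    out = 1
    for (_, w), lam in zip(points, lagrange([i for i, _ in points], alpha)):
        out = out * pow(w, lam, P) % P
    return out

def share_exp(secret, k, n, rng=random):
    """Announced values w_i = g^{p(i)}, random p with deg(p) < k, p(0) = secret."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(k - 1)]
    return [pow(G, sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q, P)
            for i in range(1, n + 1)]

def guess_and_check(ws, k, errors):
    """Try k-subsets; accept one whose interpolant matches >= n - errors values."""
    pts = list(enumerate(ws, start=1))
    for subset in combinations(pts, k):
        agree = sum(interp_exp(subset, i) == w for i, w in pts)
        if agree >= len(ws) - errors:
            return interp_exp(subset, 0)  # g^{secret}
    return None

def is_representation(a, ws):
    """True iff a is nonzero mod Q and prod_i w_i^{a_i} = 1 in the group."""
    prod = 1
    for ai, w in zip(a, ws):
        prod = prod * pow(w, ai, P) % P
    return any(ai % Q for ai in a) and prod == 1
```

With $n = 7$, $k = 3$ and at most 2 corrupted values the accepted interpolant is unique, so the function returns $g^{\text{secret}}$ without ever learning any $x_i$; the vector $(\lambda_1, \dots, \lambda_k, -1, 0, \dots, 0)$ is the representation from step 3.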

Generic Algorithms [Sho97]

Intuition: Treat group as “black-box” — don’t use element representations