
On the Concrete Security of Goldreich's PRG, Yann Rotella (joint work), PowerPoint PPT presentation



  1. On the Concrete Security of Goldreich's PRG. Yann Rotella, joint work with Geoffroy Couteau, Aurélien Dupin, Pierrick Méaux and Mélissa Rossi. January 31, 2019.

  2. [Section bar: Introduction | A subexponential-time attack | Algebraic cryptanalysis | Generalization on all predicates | Conclusion] PseudoRandom Generators. Seed: $(x_1, x_2, \dots, x_n) \in \mathbb{F}_2^n$. PRG. Output: $(y_1, y_2, \dots, y_n, y_{n+1}, \dots, y_m) \in \mathbb{F}_2^m$. $(y_i)_{i \le m}$ should be indistinguishable from a random string; it is hard to recover $(x_i)_{i \le n}$ using the knowledge of $(y_i)_{i \le m}$. (slide 1 / 36)

  3. Structure of this Talk: 1 Introduction; 2 A subexponential-time attack; 3 Algebraic cryptanalysis; 4 Generalization on all predicates; 5 Conclusion.

  4. Stretch and locality. [Figure: seed bits $x_1, x_2, x_3, \dots, x_i, \dots, x_n$ on the left, output bits $\dots, y_j, y_{j+1}, y_{j+2}, \dots$ on the right, each output bit wired to $d = 3$ seed bits; $m = n^s$.]

  5. Theoretical applications: Secure computation with constant computational overhead [Ishai et al. STOC 2018, Applebaum et al. CRYPTO 2017]; MPC-friendly primitives [Albrecht et al. EC 2015, Canteaut et al. FSE 2016, Méaux et al. EC 2016, Grassi et al. ACM-CCS 2016]; Indistinguishability Obfuscation [Sahai and Waters STOC 2014, Lin and Tessaro CRYPTO 2017]; Cryptographic Capsules [Boyle et al. ACN-CCS 2017].

  6. Description of Goldreich's PRG. [Figure: seed $(x_1, \dots, x_n)$; the $i$-th output selects the $d$ positions $\sigma_i^1, \sigma_i^2, \dots, \sigma_i^{d-1}, \sigma_i^d$ and feeds them to the predicate.] $y_i = P(x_{\sigma_i^1}, \dots, x_{\sigma_i^d})$ for $1 \le i \le m$, with $m = n^s$, where $s$ is the stretch.

  7-8. Parameters (each marked with a question mark on the slide): Stretch $s > 1$; Subsets $(\sigma_i)_{i \le m}$; Boolean function (predicate) $P$; Locality $d$.

  9-10. Subsets. The subsets should be sufficiently expanding: for some $k$, every $k$ subsets should cover $k + \Omega(n)$ elements of $\{1, \dots, n\}$. Ok if they are chosen uniformly at random.

  11-14. Generic sub-exponential seed recovery. Create a list of all possible values for $(2\varepsilon) \cdot n$ variables. A value $x'$ of the list can agree on $(1/2 + \varepsilon) \cdot n$ output bits. Final complexity: $2^{n^{1 - \frac{s-1}{2d}}}$. $s = 1.45$ and $d = 5 \Rightarrow 2^{n^{0.955}}$.

  15. Predicate criteria: degree [Goldreich 2000]; rational degree (algebraic immunity) [Applebaum and Lovett STOC 2016]: $\mathrm{AI}(P) > s$; resilience [O'Donnell and Witmer CCC 2014, Applebaum 2015]: $\mathrm{res}(P) > 2s$.

  16-17. [Figure: the predicate $P_5$ on inputs $x_1, \dots, x_5$, with check marks: locality ✓, degree ✓ ($\Rightarrow d \ge 5$), resilience ✓ (Siegenthaler ✓).] $P_5(x_1, x_2, x_3, x_4, x_5) = x_1 + x_2 + x_3 + x_4 x_5$.

  18-21. Our results: A new subexponential-time attack in $2^{O(n^{2-s})}$. Linearization and Gröbner-based attacks. Generalization of the subexponential attack to all predicates. Locality and stretch are linked to the size of the seed.

  22. Plan of this Section: 1 Introduction; 2 A subexponential-time attack; 3 Algebraic cryptanalysis; 4 Generalization on all predicates; 5 Conclusion.

  23. Cryptanalysis of FLIP [Duval, Lallemand, Rotella CRYPTO 2016]. [Figure: key register $K$, PRNG, permutation $P_i$, generator $F$ producing the keystream bit $z_i$, which is combined with $p_i$ to give $c_i$.] $F(x) = x_1 + x_2 + \cdots + x_{k_1} + x_{k_1+1} x_{k_1+2} + \cdots + x_{k_2-1} x_{k_2} + x_{k_3} + x_{k_3+1} x_{k_3+2} + \cdots + x_{n-14} \cdots x_{n-1} x_n$.

  24. FLIP vs Goldreich's PRG. FLIP: overdetermined. Goldreich's PRG: underdetermined. $P_5(x_1, x_2, x_3, x_4, x_5) = x_1 + x_2 + x_3 + x_4 x_5$.

  25-27. Collect linear equations. $x_1 + x_4 + x_8 + x_9 x_{11} = 1$; $x_{14} + x_5 + x_7 + x_1 x_4 = 0$; $x_{13} + x_{10} + x_3 + x_{11} x_9 = 1$. We get the following linear equation: $x_1 + x_4 + x_8 + x_{13} + x_{10} + x_3 = 0$. Number of collisions $c \in O(n^{2(s-1)})$.
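An added example, not code from the talk: it implements Goldreich's PRG with the $P_5$ predicate of slides 16-17 and 24 and the collision step of slides 25-27, where two outputs sharing the same quadratic term $x_a x_b$ sum to a purely linear equation in the seed. For $m = n^s$ outputs the number of such equations can then be compared with the talk's $O(n^{2(s-1)})$ bound, which is the quantity a defender would check when choosing $n$ and $s$. Variable indices are 0-based here and all function names are my own.

```python
import random
from collections import defaultdict

# Talk's predicate P5(x1..x5) = x1 + x2 + x3 + x4*x5 over F2 (0-based indices in code).
def p5(x1, x2, x3, x4, x5):
    return x1 ^ x2 ^ x3 ^ (x4 & x5)

def goldreich_prg(seed, subsets):
    """y_i = P5(x_{sigma_i^1}, ..., x_{sigma_i^5}) for each ordered 5-subset sigma_i."""
    return [p5(*(seed[j] for j in sigma)) for sigma in subsets]

def random_subsets(n, m, rng):
    """m ordered 5-subsets of {0..n-1} chosen uniformly at random (slides 9-10)."""
    return [tuple(rng.sample(range(n), 5)) for _ in range(m)]

def collect_linear_equations(subsets, outputs):
    """Outputs i, j whose quadratic term x_a*x_b is the same (a collision) sum to
    a purely linear equation: returns a list of (set_of_variables, right_hand_side)."""
    by_pair = defaultdict(list)
    for i, sigma in enumerate(subsets):
        by_pair[frozenset(sigma[3:])].append(i)   # positions 4 and 5 form x_a*x_b
    equations = []
    for idxs in by_pair.values():
        for i, j in zip(idxs, idxs[1:]):           # g collisions give g-1 equations
            lin = set(subsets[i][:3]) ^ set(subsets[j][:3])  # XOR of linear parts over F2
            equations.append((lin, outputs[i] ^ outputs[j]))
    return equations

def holds(seed, equation):
    """Check one collected equation against the true seed (consistency check)."""
    variables, rhs = equation
    acc = 0
    for v in variables:
        acc ^= seed[v]
    return acc == rhs

if __name__ == "__main__":
    rng = random.Random(2019)
    n, s = 200, 1.45                      # the talk's example stretch
    subsets = random_subsets(n, round(n ** s), rng)
    seed = [rng.randrange(2) for _ in range(n)]
    eqs = collect_linear_equations(subsets, goldreich_prg(seed, subsets))
    print(len(eqs), "linear equations, all consistent:", all(holds(seed, e) for e in eqs),
          "| n^(2(s-1)) =", round(n ** (2 * (s - 1))))
```

The constructed subsets in the test mirror the three equations on slides 25-27 (shifted to 0-based indices) and reproduce the single linear equation the talk derives.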

  28-29. Guessing phase. Choose the $\ell$ variables that appear the most in the quadratic terms, such that you get $n - c - \ell$ linear equations. For all possible values of the $\ell$ bits: solve the corresponding linear system of $n$ linear equations.
