On the Concrete Security of Goldreich's Pseudorandom Generator


  1. On the Concrete Security of Goldreich's Pseudorandom Generator. Geoffroy Couteau, Aurélien Dupin, Pierrick Méaux, Mélissa Rossi, Yann Rotella. ASIACRYPT, 2018/12/04.

  2–10. Goldreich Pseudorandom Generator (Goldreich TOCT 2000)
  A PRG expands a secret seed into a pseudorandom output of longer size.
  Parameters (n, s): seed x_1, x_2, …, x_n ∈ 𝔽₂; output y_1, y_2, …, y_m ∈ 𝔽₂; stretch s > 1, with m = n^s.
  Public system: every output bit is computed from a fixed subset σ_i of seed positions,
  y_1 = f(x_{σ_1^1}, x_{σ_1^2}, x_{σ_1^3}, x_{σ_1^4}, x_{σ_1^5}), …, y_i = f(x_{σ_i^1}, x_{σ_i^2}, x_{σ_i^3}, x_{σ_i^4}, x_{σ_i^5}), …, y_m = f(x_{σ_m^1}, x_{σ_m^2}, x_{σ_m^3}, x_{σ_m^4}, x_{σ_m^5}).
  Locality: the cardinality of the subsets σ_i; here the locality is 5.
  Predicate: the function f, a Boolean function of low degree.

  11–13. Goldreich Pseudorandom Generator
  Secret seed x_1, x_2, …, x_n ∈ 𝔽₂; public output y_1, y_2, …, y_m ∈ 𝔽₂, where y_i = f(x_{σ_i^1}, x_{σ_i^2}, x_{σ_i^3}, x_{σ_i^4}, x_{σ_i^5}) for the public system of subsets σ_1, …, σ_m.
  Security properties (consider a uniformly random secret seed):
  1. Pseudorandomness: (y_1, y_2, …, y_m) is indistinguishable from uniform.
  2. One-wayness: knowing the system and the output, the probability of recovering the seed is negligible.

  14–19. Predicate P5 (Mossel, Shpilka, Trevisan FOCS 2003)
  Smallest locality: 5.
  f(x_{σ_i^1}, x_{σ_i^2}, x_{σ_i^3}, x_{σ_i^4}, x_{σ_i^5}) = x_{σ_i^1} + x_{σ_i^2} + x_{σ_i^3} + x_{σ_i^4} x_{σ_i^5}
  - Algebraic degree 2
  - Algebraic immunity 2
  Output length m = n^s with stretch s > 1.
  Security study, plotted along the stretch axis s = 1, 1.5, 2 (the range left open on the slide is marked "?"):
  - One-wayness broken: inversion with Gaussian elimination (Mossel, Shpilka, Trevisan FOCS 2003)
  - No 𝔽₂-linear distinguisher (O'Donnell, Witmer CCC 2014; Applebaum, Bogdanov, Rosen TCC 2012)
  - One-wayness broken: polynomial-time inversion (Applebaum TCC 2013)
  - Sub-exponential inversion in time 2^{O(n^{1 − (s−1)/10})} (Bogdanov, Qiao ARCO 2009)
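As an added illustration of slides 2–19 (not part of the original deck), the following Python builds a random public system of 5-subsets for parameters (n, s), evaluates Goldreich's PRG with the predicate P5, and recovers the algebraic degree of P5 from its algebraic normal form; the function names and the fixed RNG seeds are assumptions made for the example.

```python
import random

def p5(bits):
    """Predicate P5 over GF(2): x1 + x2 + x3 + x4*x5 (locality 5)."""
    x1, x2, x3, x4, x5 = bits
    return x1 ^ x2 ^ x3 ^ (x4 & x5)

def random_system(n, s, locality=5, rng=None):
    """Public system: m = n^s subsets sigma_i of `locality` distinct seed indices.
    The RNG seed is fixed only so the constructed example is reproducible."""
    rng = rng if rng is not None else random.Random(2018)
    m = int(round(n ** s))
    return [tuple(rng.sample(range(n), locality)) for _ in range(m)]

def goldreich_prg(seed, system, predicate=p5):
    """Output bit y_i = f(x_{sigma_i^1}, ..., x_{sigma_i^5}) for each subset sigma_i."""
    return [predicate([seed[j] for j in sigma]) for sigma in system]

def anf_degree(predicate, k):
    """Algebraic degree of a k-variable Boolean predicate: tabulate it, apply the
    Moebius transform to obtain the ANF coefficients, return the largest monomial weight."""
    table = [predicate(tuple((u >> b) & 1 for b in range(k))) for u in range(1 << k)]
    for b in range(k):
        for u in range(1 << k):
            if u & (1 << b):
                table[u] ^= table[u ^ (1 << b)]
    return max((bin(u).count("1") for u in range(1 << k) if table[u]), default=0)

if __name__ == "__main__":
    n, s = 16, 1.5
    rng = random.Random(1)
    seed = [rng.randrange(2) for _ in range(n)]  # constructed secret seed
    out = goldreich_prg(seed, random_system(n, s))
    print(f"n={n}, s={s}, m={len(out)}, degree(P5)={anf_degree(p5, 5)}")
```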

  20–24. Theoretical applications of Goldreich's PRG
  - (Semi) secure computation with constant computational overhead (Ishai et al. STOC 2008; Applebaum et al. CRYPTO 2017)
  - Indistinguishability obfuscation (Sahai and Waters STOC 2014; Lin and Tessaro CRYPTO 2017)
  - MPC-friendly primitives (Albrecht et al. EUROCRYPT 2015; Canteaut et al. FSE 2016; Méaux et al. EUROCRYPT 2016; Grassi et al. ACM-CCS 2016)
  - Cryptographic capsules (Boyle et al. ACM-CCS 2017)

  25–29. Our first contribution
  New attacks with a more fine-grained complexity estimation.
  [Figure: security map with the stretch s (marks at 1, 1.5 and 2) on one axis and the seed size n on the other; regions labelled "Insecure" and "Conjectured secure".]

  30. Outline
  1. Goldreich Pseudorandom Generator
  2. A guess-and-determine attack
  3. An algebraic study
