peculiar properties of lattice based encryption chris
play

Peculiar Properties of Lattice-Based Encryption Chris Peikert - PowerPoint PPT Presentation

Mar 13, 2024 •156 likes •876 views

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19 Talk Agenda Encryption schemes with special features: 2 / 19 Talk Agenda

  1. Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19

  2. Talk Agenda Encryption schemes with special features: 2 / 19

  3. Talk Agenda Encryption schemes with special features: 1 “(Bi-)Deniability” 2 / 19

  4. Talk Agenda Encryption schemes with special features: 1 “(Bi-)Deniability” 2 “Circular” Security 2 / 19

  5. Part 1: Deniable Encryption ◮ A. O’Neill, C. Peikert (2010) “Bideniable Public-Key Encryption” 3 / 19

  6. Deniable Encryption c = Enc pk (“surprise party 4 big bro!”) (Images courtesy xkcd.org) 4 / 19

  7. Deniable Encryption c = Enc pk (“surprise party 4 big bro!”) !! (Images courtesy xkcd.org) 4 / 19

  8. Deniable Encryption c = DenEnc pk (“surprise party 4 big bro!”) What We Want 1 Bob gets Alice’s intended message, but . . . (Images courtesy xkcd.org) 4 / 19

  9. Deniable Encryption c = DenEnc pk (“surprise party 4 big bro!”) (fake!) (fake!) What We Want 1 Bob gets Alice’s intended message, but . . . (Images courtesy xkcd.org) 4 / 19

  10. Deniable Encryption c = Enc pk (“ I love kittens!!!! ”) What We Want 1 Bob gets Alice’s intended message, but . . . 2 Fake coins & keys ‘look as if’ another message was encrypted! (Images courtesy xkcd.org) 4 / 19

  11. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 5 / 19

  12. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can’t ‘sell’ vote (?) 5 / 19

  13. Applications of Deniability 1 Anti-coercion: ‘off the record’ communication (journalists, lawyers, whistle-blowers), 1984 2 Voting: can reveal any candidate, so can’t ‘sell’ vote (?) 3 Secure protocols tolerating adaptive break-ins [CFGN’96] 5 / 19

  14. State of the Art Theory [CanettiDworkNaorOstrovsky’97] ◮ Sender-deniable encryption scheme ◮ Receiver-deniability by adding interaction & switching roles ◮ Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) 6 / 19

  15. State of the Art Theory [CanettiDworkNaorOstrovsky’97] ◮ Sender-deniable encryption scheme ◮ Receiver-deniability by adding interaction & switching roles ◮ Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose, . . . ◮ Limited deniability: “ move along, no message here. . . ” Plausible for storage , but not so much for communication . 6 / 19

  16. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible 7 / 19

  17. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible ⋆ A true public-key scheme: non-interactive, no 3rd parties ⋆ Uses special properties of lattices [Ajtai’96,Regev’05,GPV’08,. . . ] ⋆ Has large keys . . . but this is inherent [Nielsen’02] 7 / 19

  18. This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible ⋆ A true public-key scheme: non-interactive, no 3rd parties ⋆ Uses special properties of lattices [Ajtai’96,Regev’05,GPV’08,. . . ] ⋆ Has large keys . . . but this is inherent [Nielsen’02] 2 “Plan-ahead” bi-deniability with short keys ⋆ Bounded number of alternative messages, decided in advance 7 / 19

  19. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P secret ‘trapdoor’ sk . 8 / 19

  20. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 8 / 19

  21. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 2 Given sk , can easily distinguish P from U . 8 / 19

  22. A Core Tool: Translucent Sets [CDNO’97] { 0 , 1 } k = U Public description pk with P x secret ‘trapdoor’ sk . Properties 1 Given only pk , ⋆ Can efficiently sample from P (and from U , trivially). ⋆ P -sample is pseudorandom: ‘looks like’ a U -sample. . . ⋆ . . . so it can be ‘faked’ as a U -sample. 2 Given sk , can easily distinguish P from U . ◮ Many instantiations: trapdoor perms (RSA), DDH, lattices, . . . 8 / 19

  23. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P sk 9 / 19

  24. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk 9 / 19

  25. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk Deniability ✔ Alice can fake: PP → UP → UU 9 / 19

  26. Translucence for Deniability [CDNO’97] U Normal: Enc(0) = UU Enc(1) = UP P Deniable: Enc(0) = PP Enc(1) = UP sk ✗ Deniability ✔ Alice can fake: PP → UP → UU ✗ What about Bob?? His sk reveals the true nature of the samples! 9 / 19

  27. Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk , each inducing a slightly different P -test. 10 / 19

  28. Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk , each inducing a slightly different P -test. 10 / 19

  29. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 10 / 19

  30. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 3 Can generate pk with a faking key: given fk and a P -sample x , can find a ‘proper-looking’ sk that classifies x as a U -sample. 10 / 19

  31. Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk , each inducing a slightly different P -test. 2 Most sk classify a given P -sample correctly. 3 Can generate pk with a faking key: given fk and a P -sample x , can find a ‘proper-looking’ sk that classifies x as a U -sample. ⇒ Bob can also fake P → U ! 10 / 19

  32. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) 11 / 19

  33. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) ◮ U -sample = uniform x in Z m q . Then � r , x � is uniform mod q . 11 / 19

  34. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x r O O Basic Translucency ◮ pk = parity check A of lattice L ⊥ ( A ) . ◮ sk = Gaussian (short) vector r ∈ L ⊥ . (I.e., Ar = 0 ∈ Z n q .) ◮ U -sample = uniform x in Z m q . Then � r , x � is uniform mod q . ◮ P -sample = x = A t s + e (LWE). Then � r , x � ≈ 0 mod q . 11 / 19

  35. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) x O O fk Receiver Faking ◮ Faking key = short basis of L ⊥ (a la [GPV’08,. . . ]) 11 / 19

  36. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O fk Receiver Faking ◮ Faking key = short basis of L ⊥ (a la [GPV’08,. . . ]) ◮ Given P -sample x , choose fake r ∈ L ⊥ correlated with x ’s error. Then � r , x � is uniform mod q ⇒ x is classified as a U -sample. 11 / 19

  37. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O fk Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? 11 / 19

  38. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? ◮ Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss · r . This ( r , x ) has the same ∗ joint distrib! 11 / 19

  39. Lattice-Based Bi-Translucent Set Primal L ⊥ ( A ) Dual L ( A ) r x O O Security (in a nutshell) ◮ Fake r depends heavily on x . Why would it ‘look like’ a ‘normal’ r ? ◮ Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss · r . This ( r , x ) has the same ∗ joint distrib! ◮ Finally, replace LWE with uniform ⇒ normal r and U -sample x . 11 / 19

  40. Closing Thoughts on Deniability ◮ Faking sk requires ‘oblivious’ misclassification (of P as U) ◮ Bi-deniability from other cryptographic assumptions? ◮ Full deniability, without alternative algorithms? 12 / 19

  41. Part 2: Circular-Secure Encryption ◮ B. Applebaum, D. Cash, C. Peikert, A. Sahai (CRYPTO 2009) “Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems” 13 / 19

  42. Circular / “Clique” / Key-Dependent Security Enc pk Bob ( sk Alice ) ✔ sk Alice sk Bob 14 / 19

Recommend

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal axis: ciphertext size Why focus on size instead of CPU time? Fitting into existing frameworks and protocols. Data from Google. Long term:

835 views • 23 slides
Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for IT Security Ruhr University Bochum Outline 1 Definition of PRE and Security Model 2 Previous constructions and our contribution 3 One-way functions

971 views • 60 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20 november 2019 1 Outline 1 Introduction 2 How to find 1st failure 3 How to find next failure 4 Recovering the secret 5 Conclusion 1 1 LWE hard

1.07k views • 81 slides
Study of the influence of external effects on the properties of QCD by means of lattice

Study of the influence of external effects on the properties of QCD by means of lattice

Study of the influence of external effects on the properties of QCD by means of lattice simulations A. Yu. Kotov (based on the PhD thesis) JINR 20 April 2016 Motivation Temperature Baryonic density Chiral density Magnetic field Lattice

622 views • 49 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work with Oded Regev and Noah Stephens-Davidowitz to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N =

1.01k views • 84 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Muon g g- -2 and 2 and Muon a peculiar extra U(1) a peculiar extra U(1) PRD 80, 033001

Muon g g- -2 and 2 and Muon a peculiar extra U(1) a peculiar extra U(1) PRD 80, 033001

Muon g g- -2 and 2 and Muon a peculiar extra U(1) a peculiar extra U(1) PRD 80, 033001 (2009) [hep-ph/0811.0298] Jae Ho Heo Theoretical High Energy Group jheo1@uic.edu University of IL at Chicago PHENO 2010 PHENO 2010 g- -2 2 of the

459 views • 17 slides
Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl Fully Homomorphic Encryption (FHE) Supports homomorphic

791 views • 40 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides

More recommend