pseudorandom functions and lattices
play

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert - PowerPoint PPT Presentation

Jul 09, 2023 •438 likes •1.03k views

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech 2 IDC Herzliya Faces of Modern Cryptography 9 September 2011 1 / 14 2 / 14 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 }

  1. Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech 2 IDC Herzliya Faces of Modern Cryptography 9 September 2011 1 / 14

  2. 2 / 14

  3. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random func U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) (Images courtesy xkcd.org) 3 / 14

  4. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random func U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) ◮ Oodles of applications in symmetric cryptography: (efficient) encryption, identification, authentication, . . . (Images courtesy xkcd.org) 3 / 14

  5. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) 4 / 14

  6. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 4 / 14

  7. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) 4 / 14

  8. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 4 / 14

  9. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold / Naor-Reingold-Rosen [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O ( 1 ) depth w/ threshold gates] 4 / 14

  10. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold / Naor-Reingold-Rosen [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O ( 1 ) depth w/ threshold gates] ✗ Huge circuits that need mucho preprocessing ✗ No “post-quantum” construction under standard assumptions 4 / 14

  11. Why Not Try Lattices? ?? = ⇒ F s ← F 5 / 14

  12. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] 5 / 14

  13. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] Disadvantages ✗ Only known PRF is generic GGM (not parallel or efficient) 5 / 14

  14. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] Disadvantages ✗ Only known PRF is generic GGM (not parallel or efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors 5 / 14

  15. Our Results 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE 6 / 14

  16. Our Results 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 6 / 14

  17. Our Results 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: “derandomization” of LWE: deterministic errors 6 / 14

  18. Our Results 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: “derandomization” of LWE: deterministic errors Also gives more practical PRGs, GGM-type PRFs, encryption, . . . 6 / 14

  19. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } 7 / 14

  20. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } · · · b 1 b 2 a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · · · · a 2 U 2 , 1 U 2 , 2 . ... ... . . 7 / 14

  21. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } · · · b 1 b 2 a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · · · · a 2 U 2 , 1 U 2 , 2 . ... ... . . ◮ Alternative view: an (almost) length-squaring PRG with locality: maps D 2 m → D m 2 , and each output depends on only 2 inputs. 7 / 14

  22. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . 8 / 14

  23. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 , s 1 ( x ) := s x ∈ D . ✔ 8 / 14

  24. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 , s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function: choose F ℓ , F r ← F and let � � F ( F ℓ , F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . 8 / 14

  25. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 , s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function: choose F ℓ , F r ← F and let � � F ( F ℓ , F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 , x 1 S s 2 , 0 , s 2 , 1 s 2 , x 2 F { s i , b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 , x 3 S s 4 , 0 , s 4 , 1 s 4 , x 4 8 / 14

  26. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 , s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function: choose F ℓ , F r ← F and let � � F ( F ℓ , F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 , x 1 S s 2 , 0 , s 2 , 1 s 2 , x 2 F { s i , b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 , x 3 S s 4 , 0 , s 4 , 1 s 4 , x 4 ◮ Security: the queries F ℓ ( x ℓ ) and F r ( x r ) define (pseudo)random inputs a 1 , a 2 , . . . ∈ D and b 1 , b 2 , . . . ∈ D for synthesizer S . 8 / 14

  27. (Ring) Learning With Errors (RLWE) [Regev’05,LPR’10] ◮ For (e.g.) n a power of 2 , define “cyclotomic” polynomial rings R := Z [ x ] / ( x n + 1 ) R q := R / qR = Z q [ x ] / ( x n + 1 ) . and 9 / 14

  28. (Ring) Learning With Errors (RLWE) [Regev’05,LPR’10] ◮ For (e.g.) n a power of 2 , define “cyclotomic” polynomial rings R := Z [ x ] / ( x n + 1 ) R q := R / qR = Z q [ x ] / ( x n + 1 ) . and ◮ Hard to distinguish m pairs ( a i , a i · s + e i ) ∈ R q × R q from uniform, where a i , s ← R q uniform and e i “short.” 9 / 14

Recommend

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters Yu Yu Joint work with Xiangxue Li and Jian Weng Asiacrypt 2013 One-way Functions One-way functions are an ensemble of functions ( ) n l

214 views • 20 slides
Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an additive subgroup R n such that Z n ( is free on n generators) b Z R R n ( spans the whole real vector space) # n +

246 views • 7 slides
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown University) Venkata Koppula (University of Texas at Austin) Brent Waters (University of Texas at Austin) Pseudorandom Functions (Goldreich-Goldwasser-Micali

1.96k views • 97 slides
Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu Cryptologic Research Center joint work with (John Steinberger) Outline Introduction to LPN Decisional and Computational LPN

416 views • 15 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel elgue Ecole normale suprieure Joint work with: Mich ichel l Abdalla la (ENS), Fabric ice Be Benhamouda (ENS), Ken enneth G. . Paterson

986 views • 61 slides
On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software Encryption 17, Tokyo Ashwin Jha 1 , Avradip Mandal 2 , Mridul Nandi 1 1 Indian Statistical Institute, Kolkata, India 2 Fujitsu Laboratories of America,

751 views • 28 slides
Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles

Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles

Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles Northeastern University joint work with Emanuele Viola Theory vs. practice gap in cryptography Theoreticians have . . . - liberal

654 views • 21 slides
SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . .

SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . .

1 / 16 SPRING FSE 2014 Tweaks SPRING Implementation SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . . . . . . . Abhishek Banerjee 1 Hai Brenner 2 Gatan Leurent 3 Chris Peikert 1 Alon Rosen 2

568 views • 29 slides
Lattice Greens Functions of the Higher-Dimensional Face-Centered Cubic Lattices Christoph

Lattice Greens Functions of the Higher-Dimensional Face-Centered Cubic Lattices Christoph

Lattice Greens Functions of the Higher-Dimensional Face-Centered Cubic Lattices Christoph Koutschan MSR-INRIA Joint Centre, Orsay, France November 7 S eminaires Algorithms Introduction We consider lattices in d d

1.36k views • 78 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Function Families PRF from OWF PRP from PRF Applications Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel Aviv University November 29, 2011 Function Families PRF from OWF PRP from PRF

1.17k views • 58 slides
Correct rounding of transcendental functions: an approach via Euclidean lattices and approximation

Correct rounding of transcendental functions: an approach via Euclidean lattices and approximation

Correct rounding of transcendental functions: an approach via Euclidean lattices and approximation theory Nicolas Brisebarre (C.N.R.S.) and Guillaume Hanrot (.N.S. Lyon) CUNY Graduate Center-Courant Seminar in Symbolic-Numeric Computing -

1.29k views • 118 slides
Magnetic Vortices, Vortex Lattices and Automorphic Functions I.M.Sigal based on the joint work

Magnetic Vortices, Vortex Lattices and Automorphic Functions I.M.Sigal based on the joint work

Magnetic Vortices, Vortex Lattices and Automorphic Functions I.M.Sigal based on the joint work with S. Gustafson and T. Tzaneteas Discussions with J urg Fr ohlich, Gian Michele Graf, Peter Sarnak, Tom Spencer Texas Analysis & Math

1.06k views • 26 slides
Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School

Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School

Two-sided problems with choice functions, matroids and lattices as Fleiner 1 Tam Summer School on Matching Problems, Markets, and Mechanisms 24 June 2013, Budapest 1 Budapest University of Technology and Economics A competition problem Prove

1.7k views • 152 slides
Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps Shuichi Katsumata (The University of Tokyo) Shota Yamada (AIST) ASIACRYPT Born in 1991 (Japan) Me Born in 1991 (Japan) Background

850 views • 62 slides
On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Recall Cycle-Free Codes and Lattices Lattices from Codes Codes from Lattices Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013

851 views • 55 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides

More recommend