session 6 another application of lwe pseudorandom
play

Session #6: Another Application of LWE: Pseudorandom Functions - PowerPoint PPT Presentation

Sep 19, 2023 •321 likes •853 views

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

  1. Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/12

  2. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random fct U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) (Images courtesy xkcd.org) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/12

  3. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random fct U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) ◮ Countless applications in symmetric cryptography: (efficient) encryption, authentication, friend-or-foe . . . (Images courtesy xkcd.org) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/12

  4. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  5. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  6. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  7. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  8. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold(-Rosen) [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  9. How to Construct PRFs 1 Heuristically: AES etc. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reductionist) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold(-Rosen) [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] ✗ Huge circuits that need much preprocessing ✗ No “post-quantum” construction under standard assumptions Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/12

  10. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  11. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  12. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  13. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  14. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  15. PRFs from Lattices? The Hope ◮ Lattices ⇒ simple, highly parallel, practically efficient . . . PRFs? The Reality ✗ Only known PRF is generic GGM (not parallel or very efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors New Results [BPR’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: “derandomization” of LWE: deterministic errors Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/12

  16. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  17. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  18. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for uniform a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . ◮ Alternative view: an (almost) length-squaring PRG with locality: maps D 2 m → D m 2 , and each output depends on only 2 inputs. Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/12

  19. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  20. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  21. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

  22. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ≈ Unif ( D m × m ) . ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 ,x 1 S s 2 , 0 , s 2 , 1 s 2 ,x 2 F { s i,b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 ,x 3 S s 4 , 0 , s 4 , 1 s 4 ,x 4 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/12

Recommend

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015

Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015

Application of Information Theory, Lecture 11 Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 1 / 23 Part I

1.42k views • 122 slides
Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano, Carlos Maltzahn, Scott Brandt University of California, Santa Cruz The Load Balancing Problem Pseudorandom placement for distributed storage

513 views • 12 slides
Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech 2 IDC Herzliya Faces of Modern Cryptography 9 September 2011 1 / 14 2 / 14 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 }

1.03k views • 59 slides
Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Pseudorandomness Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Random Bit Generation Pseudorandom Bit Generation

379 views • 17 slides
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown University) Venkata Koppula (University of Texas at Austin) Brent Waters (University of Texas at Austin) Pseudorandom Functions (Goldreich-Goldwasser-Micali

1.96k views • 97 slides
Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &

Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &

Introduction Lab Details Our Experience Conclusion Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto & University of British Columbia July 5, 2012 Teaching Labs on Pseudorandom Number Generation

192 views • 16 slides
TCP Overview Application Application Applications Jeff Chase Presentation Presentation

TCP Overview Application Application Applications Jeff Chase Presentation Presentation

The Internet Protocol Suite TCP Overview Application Application Applications Jeff Chase Presentation Presentation Presentation Duke University Session Session Session UDP TCP Transport Transport Waist Network Network Data link

564 views • 13 slides
Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu Cryptologic Research Center joint work with (John Steinberger) Outline Introduction to LPN Decisional and Computational LPN

416 views • 15 slides
Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D.

Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D.

Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D. Wagner at the University of California, Berkeley Fall 2012 CS 334: Computer Security 1 What Can Go Wrong? An example: This generates a 16

836 views • 35 slides
Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re Recall: : Succinct Secure Computation from HSS x Exchange additive Eval C Share output shares y 0 w 0 = C(x,x) w + w 1 y 1 Eval C x

638 views • 44 slides
Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang

Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang

Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang Zheng, Paula Whitlock Outline Introductjon MaD1 Algorithm A Building Block: MARC-bb Data Structure Key Scheduling

612 views • 26 slides
Information Session Fall 2020 Information Session What is the purpose? Provide accurate

Information Session Fall 2020 Information Session What is the purpose? Provide accurate

Information Session Fall 2020 Information Session What is the purpose? Provide accurate information and direction for the application process Ensure all application requirements are met before submitting application Provide

768 views • 30 slides
Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F .

Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F .

Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F . Couchot, P .-C. Heam, C. Guyeux, Q. Wang, and J. M. Bahi FEMTO-ST Institute, University of Franche-Comt, France College of Automation, Guangdong

828 views • 24 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel elgue Ecole normale suprieure Joint work with: Mich ichel l Abdalla la (ENS), Fabric ice Be Benhamouda (ENS), Ken enneth G. . Paterson

986 views • 61 slides
On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software Encryption 17, Tokyo Ashwin Jha 1 , Avradip Mandal 2 , Mridul Nandi 1 1 Indian Statistical Institute, Kolkata, India 2 Fujitsu Laboratories of America,

751 views • 28 slides

More recommend