The Learning with Rounding Problem: Reductions and Applications
Alon Rosen, IDC Herzliya (Thanks: Chris Peikert)
Mysore Park Theory Workshop, August 15, 2013
1 / 20
Pseudorandom Functions [GGM'84] (2 / 20)
◮ A family $\mathcal{F} = \{F_s : \{0,1\}^k \to D\}$ s.t. given adaptive query access,
      $F_s \leftarrow \mathcal{F}$   $\approx_c$   random function $U$
  i.e. a distinguisher that submits queries $x_i$ and receives $F_s(x_i)$ cannot tell this apart from receiving $U(x_i)$.
  (The "seed" or "secret key" for $F_s$ is $s$.)
◮ Many applications in symmetric cryptography: (efficient) encryption, identification, authentication, ...
(Images courtesy xkcd.org)
How to Construct PRFs (3 / 20)
1 Heuristically: AES, Blowfish.
  ✔ Fast!
  ✔ Withstand known cryptanalytic techniques (linear, differential, ...)
  ✗ PRF security is subtle: want provable (reduction) guarantees
2 Goldreich-Goldwasser-Micali [GGM'84]
  ✔ Based on any (doubling) PRG: $F_s(x_1 \cdots x_k) = G_{x_k}(\cdots G_{x_1}(s) \cdots)$
  ✗ Inherently sequential: $\geq k$ iterations (circuit depth)
3 Naor-Reingold [NR'95, NR'97, NRR'00]
  ✔ Based on "synthesizers" or number theory (DDH, factoring)
  ✔ Low-depth: $NC^2$, $NC^1$ or even $TC^0$ [$O(1)$ depth w/ threshold gates]
  ✗ Large circuits that need much preprocessing
  ✗ No "post-quantum" construction under standard assumptions
Why Not Try Lattices? (4 / 20)
[Figure: lattice ⇒ $F_s \leftarrow \mathcal{F}$ ??]
Advantages of Lattice Crypto Schemes
◮ Simple & efficient: linear, highly parallel operations
◮ Resist quantum attacks (so far)
◮ Secure under worst-case hardness assumptions [Ajtai'96, ...]
Disadvantages
✗ Only known PRF is generic GGM (not parallel or efficient)
✗✗ We don't even have practical PRGs from lattices: biased errors
PRFs From Lattices [Banerjee, Peikert, Rosen'12] (5 / 20)
1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE
  ⋆ Synthesizer-based PRF in $TC^1 \subseteq NC^2$, à la [NR'95]
  ⋆ Direct construction in $TC^0 \subseteq NC^1$, analogous to [NR'97, NRR'00]
2 Main technique: Learning With Rounding (LWR), a "derandomization" of LWE: deterministic errors
  Also gives more practical PRGs, GGM-type PRFs, encryption, ...
Synthesizers and PRFs [Naor-Reingold'95] (6 / 20)
Synthesizer
◮ A deterministic function $S : D \times D \to D$ s.t. for any $m = \mathrm{poly}$: for $a_1, \ldots, a_m, b_1, \ldots, b_m \leftarrow D$,
      $\{S(a_i, b_j)\}_{i,j} \approx_c \mathrm{Unif}(D^{m \times m})$.
  That is, the $m \times m$ table indexed by rows $a_i$ and columns $b_j$,
          |  $b_1$         $b_2$         ...               |  $U_{1,1}$  $U_{1,2}$  ...
    $a_1$ |  $S(a_1,b_1)$  $S(a_1,b_2)$  ...      vs.      |  $U_{2,1}$  $U_{2,2}$  ...
    $a_2$ |  $S(a_2,b_1)$  $S(a_2,b_2)$  ...               |  ...
    ...   |  ...
  is indistinguishable from a table of uniform entries $U_{i,j}$.
◮ Alternative view: an (almost) length-squaring PRG with locality: maps $D^{2m} \to D^{m^2}$, and each output depends on only 2 inputs.
Synthesizers and PRFs [Naor-Reingold'95] (7 / 20)
PRF from Synthesizer, Recursively
◮ Synthesizer $S : D \times D \to D$, where $\{S(a_i, b_j)\}_{i,j} \approx_c \mathrm{Unif}(D^{m \times m})$.
◮ Base case: "one-bit" PRF $F_{s_0, s_1}(x) := s_x \in D$. ✔
◮ Input doubling: given a $k$-bit PRF family $\mathcal{F} = \{F : \{0,1\}^k \to D\}$, define a $\{0,1\}^{2k} \to D$ function with seed $F_\ell, F_r \leftarrow \mathcal{F}$:
      $F_{(F_\ell, F_r)}(x_\ell, x_r) = S\big(F_\ell(x_\ell),\, F_r(x_r)\big)$.
  Unrolled for a 4-bit input with seed $\{s_{i,b}\}$, each leaf $s_{i,0}, s_{i,1}$ selecting $s_{i,x_i}$ (the tree diagram on the slide):
      $F_{\{s_{i,b}\}}(x_1 \cdots x_4) = S\big(S(s_{1,x_1}, s_{2,x_2}),\, S(s_{3,x_3}, s_{4,x_4})\big)$.
◮ Security: the queries $F_\ell(x_\ell)$ and $F_r(x_r)$ define (pseudo)random inputs $a_1, a_2, \ldots \in D$ and $b_1, b_2, \ldots \in D$ to synthesizer $S$.
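The GGM chain from slide 3 and the Naor-Reingold synthesizer tree from slides 6 and 7, side by side, as an added example that is not code from the talk or from the BPR'12 paper. It assumes a toy hash-based stand-in for both the doubling PRG $G$ and the synthesizer $S$, which exhibits the structure and sequential depth of each construction but carries none of the provable security the talk is about; the names ggm_prf, synth_prf, synth_keygen and toy_synth are this example's own.

```python
import hashlib
import os
from typing import Callable, Dict, List, Tuple

Elem = bytes  # D = 16-byte strings in this toy instantiation (assumption)

# Toy synthesizer S: D x D -> D. A hash is an ASSUMED stand-in for a provable
# synthesizer (such as the LWR-based one in the talk); only the tree structure
# and its depth are demonstrated here, not the security reduction.
def toy_synth(a: Elem, b: Elem) -> Elem:
    return hashlib.sha256(b"S|" + a + b"|" + b).digest()[:16]

# Toy doubling PRG G: D -> D x D, same caveat. G_b(s) is the b-th half.
def toy_prg(s: Elem) -> Tuple[Elem, Elem]:
    out = hashlib.sha256(b"G|" + s).digest()
    return out[:16], out[16:]

def ggm_prf(s: Elem, x: str) -> Tuple[Elem, int]:
    """GGM: F_s(x_1...x_k) = G_{x_k}(... G_{x_1}(s) ...).
    Returns (output, number of sequential PRG calls): one per input bit."""
    v = s
    for bit in x:
        v = toy_prg(v)[int(bit)]
    return v, len(x)

Seed = Dict[Tuple[int, int], Elem]

def synth_keygen(k: int, rng: Callable[[int], bytes] = os.urandom) -> Seed:
    """Seed {s_{i,b}}: two elements of D per input position, 2k in total
    (positions are 0-based here, 1-based on the slide)."""
    return {(i, b): rng(16) for i in range(k) for b in (0, 1)}

def synth_prf(seed: Seed, x: str,
              S: Callable[[Elem, Elem], Elem] = toy_synth) -> Tuple[Elem, int]:
    """NR'95 tree: leaves are the one-bit PRFs s_{i,x_i}; each level feeds
    neighbouring pairs to S (the input-doubling step, applied in parallel).
    Returns (output, synthesizer depth): log2(k) levels instead of k."""
    k = len(x)
    assert k > 0 and (k & (k - 1)) == 0, "k must be a power of two"
    level: List[Elem] = [seed[(i, int(x[i]))] for i in range(k)]  # base case s_x
    depth = 0
    while len(level) > 1:
        level = [S(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        depth += 1  # a whole level runs in parallel: one unit of S-depth
    return level[0], depth

if __name__ == "__main__":
    seed = synth_keygen(8)
    print("synth depth:", synth_prf(seed, "01101001")[1],
          "/ ggm depth:", ggm_prf(seed[(0, 0)], "01101001")[1])
```

For an 8-bit input the tree needs 3 levels of $S$ while GGM needs 8 sequential PRG calls, which is the depth gap the slides are about.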
Learning With Errors [Regev'05] (8 / 20)
◮ Dimension $n$ (security param), modulus $q \geq 2$
◮ Search: find $s \in \mathbb{Z}_q^n$ given 'noisy random inner products'
      $a_1 \leftarrow \mathbb{Z}_q^n,\quad b_1 = \langle s, a_1 \rangle + e_1$
      $a_2 \leftarrow \mathbb{Z}_q^n,\quad b_2 = \langle s, a_2 \rangle + e_2$
      ...