towards stream ciphers for efficient fhe with low noise
play

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts - PowerPoint PPT Presentation

Oct 19, 2023 •239 likes •953 views

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole normale suprieure, CNRS, INRIA, PSL Joint work with: Anthony J OURNAULT , Franois-Xavier S TANDAERT , and Claude C ARLET Eurocrypt 2016 Vienna,

  1. Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M ÉAUX École normale supérieure, CNRS, INRIA, PSL Joint work with: Anthony J OURNAULT , François-Xavier S TANDAERT , and Claude C ARLET Eurocrypt 2016 — Vienna, Austria Monday May 9 1 / 14

  2. Outsourcing Computation Alice Limited storage Limited power Store ? Compute ? 2 / 14

  3. Outsourcing Computation Claude Alice Limited storage Huge storage Limited power Huge power Store � Compute � 2 / 14

  4. Outsourcing Computation Claude Alice Limited storage Huge storage Limited power Huge power Store � Compute � Privacy ? 2 / 14

  5. Outsourcing Computation Claude Alice Limited storage Huge storage Limited power Huge power Fully Store � Compute Homomorphic � Encryption Privacy � 2 / 14

  6. FHE Framework Claude Alice m H . Enc 3 / 14

  7. FHE Framework Claude Alice m H . Enc C H ( m ) 3 / 14

  8. FHE Framework Claude Alice m H . Enc C H ( m ) H . Eval ( f ) 3 / 14

  9. FHE Framework Claude Alice m H . Enc C H ( m ) Bootstrap H . Eval ( f ) 3 / 14

  10. FHE Framework Claude Alice m H . Enc C H ( m ) Bootstrap H . Eval ( f ) H . Compact 3 / 14

  11. FHE Framework Claude Alice m H . Enc C H ( m ) Bootstrap H . Eval ( f ) H . Compact c H ( f ( m )) 3 / 14

  12. FHE Framework Claude Alice m H . Enc C H ( m ) Bootstrap H . Eval ( f ) H . Compact c H ( f ( m )) H . Dec f ( m ) 3 / 14

  13. HE Framework Claude Alice m H . Enc C H ( m ) Bootstrap H . Eval ( f ) H . Compact c H ( f ( m )) H . Dec f ( m ) 3 / 14

  14. SE-HE Hybrid Framework Claude Alice m S . Enc H . Eval ( f ) H . Compact c H ( f ( m )) H . Dec f ( m ) 3 / 14

  15. SE-HE Hybrid Framework Claude Alice m S . Enc C S ( m ) H . Eval ( f ) H . Compact c H ( f ( m )) H . Dec f ( m ) 3 / 14

  16. SE-HE Hybrid Framework Claude Alice ( C H ( sk S ) ) m S . Enc C S ( m ) H . Eval ( S . Dec ) H . Eval ( f ) H . Compact c H ( f ( m )) H . Dec f ( m ) 3 / 14

  17. Performance Metric (Intuition) ⋄ Computational Cost ⋄ Noise Increase 4 / 14

  18. Performance Metric (Intuition) ⋄ Computational Cost ≈ number of multiplications ⋄ Noise Increase 4 / 14

  19. Performance Metric (Intuition) ⋄ Computational Cost ≈ number of multiplications ⋄ Noise Increase ciphertext noise 4 / 14

  20. Performance Metric (Intuition) ⋄ Computational Cost ≈ number of multiplications ⋄ Noise Increase ≈ multiplicative depth ciphertext noise 4 / 14

  21. State of the Art Internal State 5 / 14

  22. State of the Art Start Internal State Enc Final CT 5 / 14

  23. State of the Art: Block Ciphers Start Internal State 5 / 14

  24. State of the Art: Block Ciphers Start Round 1 5 / 14

  25. State of the Art: Block Ciphers Start Round 1 . . . Round r 5 / 14

  26. State of the Art: Block Ciphers Start Round 1 . . . Round r . . . Final CT 5 / 14

  27. State of the Art: Block Ciphers Start Round 1 . . . Round r . . . Final CT → Constant but High Noise AES[GHS12,CLT14], · · · , LowMC[ARS+15] 5 / 14

  28. State of the Art: Stream Ciphers Start Internal State 5 / 14

  29. State of the Art: Stream Ciphers Start Time 1 5 / 14

  30. State of the Art: Stream Ciphers Start Time 1 . . Output . Time f 5 / 14

  31. State of the Art: Stream Ciphers Start Time 1 . . Output . Time f . . Output . Time f+r 5 / 14

  32. State of the Art: Stream Ciphers Start Time 1 . . Output . Time f . . Output . Time f+r → Slowly Increasing Noise, Limited Output Trivium, Kreyvium[CCF+15] 5 / 14

  33. Our contributions ⋄ Best of both worlds: Constant and Low noise increase ⋄ Take advantage of 3 rd generation FHE 6 / 14

  34. Our contributions ⋄ Best of both worlds: Constant and Low noise increase → Filter Permutator ⋄ Take advantage of 3 rd generation FHE 6 / 14

  35. Our contributions ⋄ Best of both worlds: Constant and Low noise increase → Filter Permutator ⋄ Take advantage of 3 rd generation FHE → FLIP F 6 / 14

  36. Filter Permutator Error Increase Time 0 7 / 14

  37. Filter Permutator Error Increase Time 0 Output F Time 1 7 / 14

  38. Filter Permutator Error Increase Time 0 Output F Time 1 . . . F Time r 7 / 14

  39. Filter Permutator Error Increase Time 0 Output F Time 1 . . . F Time r . . . F Time f 7 / 14

  40. Filter Permutator Error Increase Time 0 Output F Time 1 . . . F Time r . . . F Time f → Constant and Low Noise 7 / 14

  41. Filter Permutator Construction ⊲ Key Register K PRNG Permutation P i Generator Filtering Function Plaintext Ciphertext 8 / 14

  42. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) 9 / 14

  43. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) n 1 variables x 1 ⊕ . . . ⊕ x n 1 9 / 14

  44. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) n 2 variables y 1 y 2 x 1 ⊕ ⊕ . . . . . . ⊕ ⊕ y n 2 2 − 1 y n 2 x n 1 2 9 / 14

  45. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) y 1 y 2 x 1 z 1 ⊕ ⊕ ⊕ z 2 z 3 . . ⊕ . . z 4 z 5 z 6 . . ⊕ · · · ⊕ . . . ⊕ ⊕ ⊕ y n 2 2 − 1 y n 2 z h ( h + 1 ) x n 1 · · · 2 2 9 / 14

  46. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) y 1 y 2 x 1 z 1 ⊕ ⊕ ⊕ z 2 z 3 . . ⊕ . . h z 4 z 5 z 6 . . ⊕ · · · ⊕ . . . ⊕ ⊕ ⊕ y n 2 2 − 1 y n 2 z h ( h + 1 ) x n 1 · · · 2 2 9 / 14

  47. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) y 1 y 2 x 1 z 1 ⊕ ⊕ ⊕ z 2 z 3 . . ⊕ . . h z 4 z 5 z 6 . . ⊕ · · · ⊕ . . . ⊕ ⊕ ⊕ y n 2 2 − 1 y n 2 z h ( h + 1 ) x n 1 · · · 2 2 ℓ triangles 9 / 14

  48. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) y 1 y 2 x 1 z 1 ⊕ ⊕ ⊕ z 2 z 3 . . ⊕ . . h z 4 z 5 z 6 . � . � ⊕ · · · ⊕ . . . ⊕ ⊕ ⊕ y n 2 2 − 1 y n 2 z h ( h + 1 ) x n 1 · · · 2 2 ℓ triangles n 1 + n 2 + ℓ h ( h + 1 ) variables 2 9 / 14

  49. FLIP F Construction Components ◮ PRNG: forward secure PRNG based on AES-128 ◮ Permutation Generator: Knuth Shuffle ◮ Filtering function F = ( n 1 , n 2 , ℓ ∆ h ) y 1 y 2 x 1 z 1 ⊕ ⊕ ⊕ z 2 z 3 . . ⊕ . . h z 4 z 5 z 6 . � . � ⊕ · · · ⊕ . . . ⊕ ⊕ ⊕ y n 2 2 − 1 y n 2 z h ( h + 1 ) x n 1 · · · 2 2 ℓ triangles n 1 + n 2 + ℓ h ( h + 1 ) variables 2 FLIP ( 42 , 64 , 8 ∆ 9 ) FLIP ( 82 , 112 , 8 ∆ 16 ) 9 / 14

  50. FLIP F Homomorphic Behavior 3 rd generation FHE Ciphertexts (GSW) sC = µ s + e 10 / 14

  51. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth ciphertext (small) error (small) sC = µ s + e secret key plaintext ≈ eigenvector ≈ eigenvalue 10 / 14

  52. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth sC = µ s + e k k � � H . Add : H . Mul : C i C i i = 1 i = 1 10 / 14

  53. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth sC = µ s + e k k k σ 2 � → σ 2 � � H . Add : H . Mul : C i + = C i i i = 1 i = 1 i = 1 10 / 14

  54. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth sC = µ s + e k k k σ 2 � → σ 2 � � H . Add : H . Mul : C i + = C i i i = 1 i = 1 i = 1 σ 2 × ≈ y log k σ 2 · · · C 1 C k 10 / 14

  55. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth sC = µ s + e k k k σ 2 � → σ 2 � � → σ 2 × ≈ y σ 2 k H . Add : H . Mul : C i + = C i i i = 1 i = 1 i = 1 σ 2 × ≈ y log k σ 2 C 1 ... σ 2 × ≈ y σ 2 k · · · C 1 C k C k 10 / 14

  56. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth: H . Eval ( F ) H . Eval ( F ) ≈ H . Mul k k k σ 2 → σ 2 → σ 2 × ≈ y σ 2 k H . Add : � � H . Mul : � C i + = C i i i = 1 i = 1 i = 1 10 / 14

  57. FLIP F Homomorphic Behavior 3 rd generation FHE Noise Growth: H . Eval ( F ) H . Eval ( F ) ≈ H . Mul k k k σ 2 → σ 2 → σ 2 × ≈ y σ 2 k H . Add : � � H . Mul : � C i + = C i i i = 1 i = 1 i = 1 1 ∆ h C 1 + C 2 C 3 + k variables C 4 C 5 C 6 . . . + k = h ( h + 1 ) C k − h + 1 · · · C k 2 10 / 14

Recommend

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Objectives Non-linear feedback shift registers Stream ciphers using LFSRs: Non-linear

Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Non-linear feedback shift registers Stream ciphers using

445 views • 13 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund

Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund

Stream ciphers and eSTREAM Stream ciphers and eSTREAM Thomas Johansson Lund University Lund University Motivation Motivation The most used stream cipher constructions (A5, RC4, E0, ...) all have serious weaknesses i k There is a

589 views • 25 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom R&D {firstname.lastname@orange-ftgroup.com} research & development Stream Ciphers IV-less IV-dependent key K IV (initial value)

477 views • 18 slides
Efficient Stream Reduction on the GPU Efficient Stream Reduction on the GPU David Roger, Ulf

Efficient Stream Reduction on the GPU Efficient Stream Reduction on the GPU David Roger, Ulf

Efficient Stream Reduction on the GPU Efficient Stream Reduction on the GPU David Roger, Ulf Assarsson, Nicolas Holzschuch Grenoble Chalmers University Cornell University of Technology University Stream Reduction Removing unwanted elements

761 views • 52 slides
Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013

Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013

Introduction to Design and Analysis of Stream Ciphers Willi Meier Albena, June 30 - July 5, 2013 1 / 63 Overview Stream Ciphers: A short Introduction Cryptanalysis principles Time/Memory/Data tradeoffs Berlekamp-Massey algorithm

940 views • 63 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides

More recommend