Fast Cryptographic Primitives &
Circular-Secure Encryption
Based on Hard Learning Problems
Benny Applebaum, David Cash, Chris Peikert, Amit Sahai
Princeton University, Georgia Tech, SRI international, UCLA
To appear in CRYPTO 09
Learning Noisy Linear Functions
Problem: find s
n
ai
m
sZqn
A
Zqn
bi =<ai,s>+noise
s
+
x
=
iid noise vector of rate
b
Learning Noisy Linear Functions
Problem: find s
n
s
m
+
A
x
=
b
iid noise vector of rate
• Learning-Parity-with-Noise (LPN):
- q=2, Noise: Bernoulli with = ¼
• Learning-with-Errors (LWE) [Reg05] :
- q(n)=poly(n) typically prime
- Gaussian noise w/mean 0 and std sqrt(q)
-(q-1)/2
0
(q-1)/2
Learning Noisy Linear Functions
Problem: find s
n
s
m
A
+
x
=
b
• Assumption: Problem is computationally hard for all m=poly(n)
• Well studied in Coding Theory/Learning Theory/ Crypto [GKL93,BFKL93,
Chab94,Kearns98,BKW00,HB01,JW05,Lyu05,FGKP06,KS06,PW08,GPV08,PVW08…]
• LPN is easy major breakthrough in Coding Theory
• LWE is easy Lattice problems are easy on the worst-case [Reg05,Peik09]
• Pros: Hardness of search problem, resists sub-exp & quantum attacks
Why LWE/LPN ?
• Problem has simple algebraic structure: “almost linear” function
- exploited by [BFKL94, AIK07, D-TK-L09]
• Computable by simple (bit) operations (low hardware complexity)
- exploited by [HB01,AIK04,JW05]
• Message of this talk: Very useful combination
s
A
+
x
=
b
rare
combination
Main Results
• Fast circular secure encryption schemes
- Symmetric encryption from LPN
- Public-key encryption from LWE
• Fast pseudorandom objects from LPN
- Pseudorandom generator in quasi-linear time
- Oblivious weak randomized pseudorandom function
Pseudorandomness
Thm.[BFKL94] LPN pseudorandomness (A,As+x) (A,Um)
Proof: [AIK07]
• Assume LPN By [GL89] can’t approximate <s,r> for a random r
• Use distinguisher D to compute hardcore bit <s,r> given a random r
-Given (A,b) and r{0,1}n choose v Um and apply D to (C=A-v·rT, b)
b=As+x=Cs+vrTs+x=Cs+x+v<r,s>=
Um
if <r,s>=1
Cs+x
if <r,s>=0
r
s
v CA v
+
x
=
b
+
v
Encryption Scheme
• Ekey(message;random)= ciphertext
Dkey(ciphertext)= message
• Security: Even if Adv gets information cannot break scheme.
- CPA [GM82]:given oracle to Ekey() can’t distinguish Ek(m1) from Ek(m2)
• What if Adv sees Ek(msg) where msg depends on the key (KDM attack)?
-E.g., Ekey(key) or Ekey(f(key)) or Ek1(k2) and Ek2(k1)
randomness
message
Enc
key
ciphertext
Enc
key
message
KDM / circular security
F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF
Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)
•Many recent works [BRS02, HK07, BPS07, BHHO08, CCS08, BDU08, HU08,HH08]
• Motivation:
- disk encryption or key-management systems
- anonymous credential systems via key cycles [CL01]
- axiomatic security (reasoning about security via formal logic) [ABHS05]
• What about previous/standard schemes?
- KDM attack lead to practical attacks (IEEE P1619)
- Random oracle construction/text-book constructions are bad [HU08, HK07]
- Black box separation of general KDM from trapdoor permutation [HH08]
KDM / circular security
F-KDM Security [BRS02] : Adv can ask for Ek(f(k)) for some fF
Circular security [CL01] : Adv can ask for Ek1(k2), Ek2(k3)…, Eki(k1)
• [BHHO08] First circular public-key encryption under DDH
- Get “clique” security + KDM for affine functions
- But large computational/communication overhead
- t-bit message requires t exponentiations (compare to El-Gamal)
- ciphertext length: t group elements
• Our schemes: circular encryption under LPN/LWE
- Get “clique” security + KDM for affine functions for free from standard schemes
- Efficiency comparable to standard LWE/LPN schemes
- t-bit message – Length O(t); Time: t·polylog(t) sym; t2·polylog(t) public-key
- Proofs of security follow the [BHHO08] approach
Symmetric Scheme
• Let G be a good linear error-correcting code with decoder for noise +0.1
Encs(mes; A, err)= (A, As+err + G·mes)
Decs(A,y)= decoder(y-As)
• Semantic security follows from pseudorandomness
• Simple scheme originally from [Gilbert Robshaw Seurin08]
- independently discovered by [A08,Dodis Tauman-Kalai Lovet 09]
• Scheme has nice statistical properties
- entropic-security [DodisSmith05], weak leakage-resilient, error-correction
S
A
A
,
m
+
err
+
G
Quasi-linear Implementation
• Use many different s’s with the same A
S
A
A
,
m
+
err
+
G
Quasi-linear Implementation
• Use many different s’s with the same A
• Preserves pseudorandomness since A is public
-Proof via Hybrid argument
•If matrices are very rectangular can multiply in quasi-linear time [Cop82]
-E.g., t=n and m=n6
• Use fast ECC (e.g., [spielman95]) to get quasi-linear time
encryption/decryption
t
n
S
m
A
A
,
Mes
+
Err
+
G
Clique Security
Encs(mes; A, err)= (A, As+err + G·mes )
Decs(A,y)= decoder(y-As)
Thm. Scheme is circular (clique) secure and KDM w/r to affine functions
Proof:
• Useful properties:
- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)
- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)
- Self referential: Given Es(0) can compute Es(S)
- Proof: (A,y=As+err) (A-G,y)=(A’,A’s+err+Gs) = Es(S)
Clique Security
Encs(mes; A, err)= (A, As+err + G·mes )
Decs(A,y)= decoder(y-As)
Thm. Scheme is circular (clique) secure and KDM w/r to affine functions
Proof:
• Useful properties:
- Plaintext homomorphic: Given M’ and Es(M) can compute Es(M+M’)
- Key homomorphic: Given S’ and Es(M) can compute Es+s’(M)
- Self referential: Given Es(0) can compute Es(S)
• Suppose that Adv break clique security (can ask for ESi(Sk) for all 1i,kt)
• Construct B that breaks standard CPA security (w/r to single key S).
• B simulates Adv: choose t offsets 1,…, t and pretend that Si=S+i
- Simulate Esi(Sk): get Es(0) Es(S) Es+ i(S) Es+ i(S+ k)
Rest of the talk
• Fast circular secure encryption schemes
- Symmetric encryption from LPN
- Public-key encryption from LWE
Regev’s PKE
• Public-key: (A,b)ZqnmZqm
s
Secret-key: s Zqn
+
A
r
b
“parity-check” matrix
=
=
x
• Encrypt zZpZq by (u,v+f(z))
A
[GentryPeikertVaikuntanathan
P V Waters08]
b
where f: ZpZq is linear ECC, i.e., f(z)=gz
u
v
+
f(z)
v=<s,u>+<x,r>
noise
• To Decrypt (u,c): compute c-<s,u>=f(z)+<x,r> and decode
• Security [R05,GPV08]: If b was truly random then (u,v) is random and get OTP
• Want: Plaintext Homomorphic, Self Referential, Key Homomorphic
• PH: let mes space be linear-subspace of Zq by taking q=p2 so Zq=ZpZp
(Pseudorandomness holds as long as noise is sufficiently low)
Self Reference
• Public-key: (A,b)ZqnmZqm
s
Secret-key: s Zqn
+
A
• Encrypt zZpZq by (u,v+f(z))
A
r
b
“parity-check” matrix
=
=
x
b
where f: ZpZq is linear ECC, i.e., f(z)=gz
u
e
+
+ f(z)
v=<s,u>+<x,r> +e <s,u>+err
v
+
noise
• Can we convert E(0) to E(s1) ?
• Given (u,c=<s,u>+<x,r>)
err (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s
err
1g
• Problem: (u’,c) is not distributed properly: c= <s,u’>+err(u)+f(s1)
• Sol: smoothen the ciphertext distribution
Self Reference
• Public-key: (A,b)ZqnmZqm
s
Secret-key: s Zqn
+
A
• Encrypt zZpZq by (u,v+f(z))
A
r
b
“parity-check” matrix
=
=
x
b
where f: ZpZq is linear ECC, i.e., f(z)=gz
u
e
+
+ f(z)
v=<s,u>+<x,r> +e <s,u>+err
v
+
noise
• Can we convert E(0) to E(s1) ?
• Given (u,c=<s,u>+<x,r>)
err (u’,c) where u’=u-(g,0,…,0) and c=<s,u’>+<x,r>+s
err
1g
• Problem: s1 may not be in Zp
• Sol: Choose s with entries in Zp by sampling from Gaussian around (0p/2)
• Security?
Hardness of LWE with sNoise
Convert standard LWE to LWE with sNoise
1. Get (A,b) s.t A is invertible
A
b
sZqn
A
s
+
x
=
b
Hardness of LWE with sNoise
Convert standard LWE to LWE with sNoise
•
If (,)LWEs then (’,’) LWEx
’= +<’,b>
Proof:
= <,s>+e + <’,As>+<’,x>
= <,s>+e + <-A-1,As>+<’,x>
-A-1
’
<,s>+e
+<’,b>
’
sZqn
xNoise
A
s
+
x
=
b
Hardness of LWE with sNoise
Convert standard LWE to LWE with sNoise
•
If (,)LWEs then (’,’) LWEx
•
If (,) are uniform then (’,’) also uniform
•
Hence distinguisher for LWEx yields a distinguisher for LWEs
-A-1
’
<,s>+e
+<’,b>
’
sZqn
xNoise
A
s
+
x
=
b
Hardness of LWE with sNoise
•
Reduction generates invertible linear mapping fA,b:s x
(A,b)
sZqn
A
s
+
x
xNoise
=
b
Hardness of LWE with sNoise
•
Reduction generates invertible linear mapping fA,b:s x
•
Key Hom: get pk’s whose sk’s x1,..,xk satisfy known linear-relation
•
Together with prev properties get circular (clique) security
(Ak,bk)
sZqn
•
(A1,b1)
Improve efficiency via amortized version of [PVW08]
xkNoise
x1Noise
Open Questions
• LWE vs. LPN ?
- LWE follows from worst-case lattice assumptions [Regev05, Peikert09]
- LWE many important crypto applications [GPV08,PVW08,PW08,CPS09]
- LWE can be broken in “NP co-NP” unknown for LPN
- LPN central in learning (“complete” for learning via Fourier) [FGKP06]
• Circular Security vs. Leakage Resistance ?
- Current constructions coincident
- LPN/Regev/BHHO constructions resist key-leakage
[AGV09,DKL09,NS09]
- common natural ancestor?
© Copyright 2026 Paperzz