1. No category

Efficient Cryptography from Hard Learning Problems

Efficient Cryptography from
Hard Learning Problems
Krzysztof Pietrzak
SOFSEM 2012 January 26th
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Outline
What this Talk is About
Provable Security, Exemplified using LPN based Cryptosystems.
1
Ad-Hoc vs. Provable Security.
2
The Learning Parity with Noise (LPN) Problem.
3
PRG from LPN.
4
Encryption from LPN.
5
Secret-Key Authentication from LPN.
6
Some Open Problems.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Cryptography in the Old Days
Cryptography ≈ secret communication
Used by military & governments
Cryptographers guided by intuition and experience.
Schemes usually broken within short time.
Cat & mouse game between cryptographers and cryptanalysts.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Modern Cryptography
applications ATMs, wireless authentication, Internet-banking,
e-voting,. . .
tools public-key crypto, zero-knowledge,
multiparty-computation,. . .
technique crypto was put on a solid theoretical basis:
provable security.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
key
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
?
key
breaks scheme if
? is a valid signature for a new message.
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
?
key
breaks scheme if
? is a valid signature for a new message.
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Theorem
No efficient adversary who breaks the scheme exists
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Provable Security
1
Define “Breaking the Cryptosystem”.
Example: Digital Signatures
?
key
breaks scheme if
? is a valid signature for a new message.
2
Construct Cryptosystem.
3
Prove Cryptosystem Secure.
Theorem
No efficient adversary who breaks the scheme exists
if (factoring, SVP,. . . ) is hard.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Ad-Hoc Constructions: AES Block-Cipher
AES: {0, 1}128 × {0, 1}128 → {0, 1}128
AES(k, .) indistinguishable from random for random k?
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
What is done in Practice
Secret-Key Crypto
Ad-Hoc Building Block (e.g. AES block-cipher.)
Provably Secure modes (e.g. CBC for
encryption/authentication.)
Public-Key Crypto
Provably Secure underlying assumption DL, Factoring. . . (but
become more and more exotic in literature...)
Often additional heuristics (e.g. Random oracle.)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Provable Security Mantra
Practical Efficiency OR Provable Security
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Provable Security Mantra
Practical Efficiency OR Provable Security
Secret-Key Crypto
Ad-Hoc Building Block (e.g. AES block-cipher.)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Provable Security Mantra
Practical Efficiency OR Provable Security
Secret-Key Crypto
Ad-Hoc Building Block (e.g. AES block-cipher.)
Provably Secure (LPN assumption)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Provable Security Mantra
Practical Efficiency OR Provable Security
Secret-Key Crypto
Ad-Hoc Building Block (e.g. AES block-cipher.)
Provably Secure (LPN assumption)
Schemes for particular tasks (identification) which outperform
best ad-hoc solutions in particular settings (RFIDs where
randomness is cheap and gates are expensive.)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Learning Parity with Noise (LPN)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Learning Parity with Noise Assumption
s ∈ Zn2 , 0 < τ < 0.5
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Learning Parity with Noise Assumption
s ∈ Zn2 , 0 < τ < 0.5
r1 ← Zn2 e 1 ← Berτ
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Learning Parity with Noise Assumption
s ∈ Zn2 , 0 < τ < 0.5
r1 , hr1 , si + e 1
r1 ← Zn2 e 1 ← Berτ
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Learning Parity with Noise Assumption
s ∈ Zn2 , 0 < τ < 0.5
r1 , hr1 , si + e 1
r2 , hr2 , si + e 2
..
.
r2 ← Zn2 e 2 ← Berτ
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The Learning Parity with Noise Assumption
s ∈ Zn2 , 0 < τ < 0.5
r1 , hr1 , si + e 1
r2 , hr2 , si + e 2
..
.
r2 ← Zn2 e 2 ← Berτ
(q, n, τ ) LPN assumption (Search Version)
Hard to find s.
(q, n, τ ) LPN assumption (Decisional Version)
Hard to distinguish outputs from uniformly random.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Hardness of LPN
(Search) LPN equivalent to decoding random linear codes.
Search & decision polynomially equivalent.
Best (quantum) algorithms run in time Θ(2n/ log n ).
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Definition (Pseudorandom Generator (PRG))
G : Zn2 → Zm
2 is a PRG if m > n (stretching) and G(Un ) is
computationally indistinguishable from Um (pseudorandom).
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Definition (Pseudorandom Generator (PRG))
G : Zn2 → Zm
2 is a PRG if m > n (stretching) and G(Un ) is
computationally indistinguishable from Um (pseudorandom).
PRG from LPN
A ← Zm×ℓ
2
s ← Zℓ2
e ← Berm
τ
A, A.s ⊕ e pseudorandom assuming (τ, ℓ)-LPN.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Definition (Pseudorandom Generator (PRG))
G : Zn2 → Zm
2 is a PRG if m > n (stretching) and G(Un ) is
computationally indistinguishable from Um (pseudorandom).
PRG from LPN
A ← Zm×ℓ
2
s ← Zℓ2
e ← Berm
τ
A, A.s ⊕ e pseudorandom assuming (τ, ℓ)-LPN.
G(A, s, e) → A, A.s ⊕ e
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Definition (Pseudorandom Generator (PRG))
G : Zn2 → Zm
2 is a PRG if m > n (stretching) and G(Un ) is
computationally indistinguishable from Um (pseudorandom).
PRG from LPN
A ← Zm×ℓ
2
s ← Zℓ2
e ← Berm
τ
A, A.s ⊕ e pseudorandom assuming (τ, ℓ)-LPN.
G(A, s, e) → A, A.s ⊕ e
G(A, s, r) → A, A.s ⊕ e where r used to sample e.
Shrinking: need |r| < m − ℓ.
H(r) ≈ H(e) = h(τ )m
h(τ ) = −τ log τ − (1 − τ ) log(1 − τ ) < 1
|r| ≈ h(τ )m < m − ℓ for sufficiently large m.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
PRG from LPN
Definition (Pseudorandom Generator (PRG))
G : Zn2 → Zm
2 is a PRG if m > n (stretching) and G(Un ) is
computationally indistinguishable from Um (pseudorandom).
PRG from LPN
A ← Zm×ℓ
2
s ← Zℓ2
e ← Berm
τ
A, A.s ⊕ e pseudorandom assuming (τ, ℓ)-LPN.
G(A, s, e) → A, A.s ⊕ e
G(A, s, r) → A, A.s ⊕ e where r used to sample e.
Shrinking: need |r| < m − ℓ.
H(r) ≈ H(e) = h(τ )m
h(τ ) = −τ log τ − (1 − τ ) log(1 − τ ) < 1
|r| ≈ h(τ )m < m − ℓ for sufficiently large m.
GA (s, r) → A.s ⊕ e where r used to sample e.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
m
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
c
c ← Enc(s, m)
Krzysztof Pietrzak
m ← Dec(s, c)
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
c
c ← R, RT s ⊕ e ⊕ m
Krzysztof Pietrzak
RT s⊕e ⊕ m
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
c
c ← R, RT s ⊕ e ⊕ m
Krzysztof Pietrzak
RT s⊕e ⊕ m⊕RT s
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
c
c ← R, RT s ⊕ e ⊕ m
Krzysztof Pietrzak
Ts
RT s⊕e ⊕ m⊕R
///////
///////
Efficient Cryptography from Hard Learning Problems
Encryption from LPN
PRG gives efficient stream-cipher ⇒ stateful encryption.
Definition (CPA-Secure Encryption Scheme)
Pair of Algorithms Enc, Dec
(Correctness) For every key s and message m
Dec(s, Enc(s, m)) = m
(Security) Enc(s, m0 ) indistinguishable from Enc(s, m1 ).
s
s
c
c ← R, RT s ⊕ e ⊕ C(m)
Error Correcting Code (C, D)
Krzysztof Pietrzak
Ts
RT s⊕e ⊕ C(m)⊕R
///////
///////
m ← D(C(m) ⊕ e)
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
Secret Key s
prover P(s)
verifier V(s)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
verifier V(s)
accept/reject
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
verifier V(s)
accept
Correctness : V(s) accepts if interacting with P(s)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
reject
Security : V(s) rejects if interacting with A
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
verifier V(s)
s
Security : V(s) rejects if interacting with A
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
s
Security : V(s) rejects if interacting with A
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
Passive Security
1st phase: A can observe transcripts.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
reject
Passive Security
1st phase: A can observe transcripts.
2nd phase: V(s) rejects if interacting with A.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
Active Security
1st phase: A interacts with P(s).
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Protocols
prover P(s)
A
verifier V(s)
reject
Active Security
1st phase: A interacts with P(s).
2nd phase: V(s) rejects if interacting with A.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
challenge
1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
AES(s, challenge)
1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
AES(s, challenge)
What if block ciphers are not an option?
1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
AES(s, challenge)
What if block ciphers are not an option?
1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
RFID1 tags: 1k-10k gates, 200-2k for security.
AES ≥ 5k gates.
1
Radio-Frequency IDentification
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication Using a Block Cipher (e.g. AES)
prover P(s)
verifier V(s)
RFID1 tags: 1k-10k gates, 200-2k for security.
AES ≥ 5k gates.
1
Radio-Frequency IDentification
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
If AES is not an Option...
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
If AES is not an Option...
Lightweight block ciphers: Keeloq, Present,. . .
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
If AES is not an Option...
Lightweight block ciphers: Keeloq, Present,. . .
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
If AES is not an Option...
Lightweight block ciphers: Keeloq, Present,. . .
Provably Secure (LPN Based) Authentication
Schemes. [HB’01],[JW’05],[ACPS’09],[KSS’10],. . .
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication from LPN
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The HB protocol [Hopper and Blum AC’01]
τ = 0.1
P(s)
e ← Berτ
z := ha, si ⊕ e
s ← Zℓ2
V(s)
a
a ← Zℓ2
z
accept if ha, si ⊕ z = 0
| {z }
e
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The HB protocol [Hopper and Blum AC’01]
τ = 0.1
P(s)
e ← Berτ
z := ha, si ⊕ e
s ← Zℓ2
V(s)
a
a ← Zℓ2
z
accept if ha, si ⊕ z = 0
| {z }
e
Secure against passive attacks from LPN.
Krzysztof Pietrzak
to proof
Efficient Cryptography from Hard Learning Problems
The HB protocol [Hopper and Blum AC’01]
τ = 0.1
P(s)
e ← Berτ
z := ha, si ⊕ e
s ← Zℓ2
V(s)
a
a ← Zℓ2
z
accept if ha, si ⊕ z = 0
| {z }
e
Secure against passive attacks from LPN.
to proof
Correctness error 0.1. Soundness error 0.5 + negl.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The HB protocol [Hopper and Blum AC’01]
τ = 0.1
P(s)
e ← Berτ
z := ha, si ⊕ e
s ← Zℓ2
V(s)
a
a ← Zℓ2
z
accept if ha, si ⊕ z = 0
| {z }
e
Secure against passive attacks from LPN.
to proof
Correctness error 0.1. Soundness error 0.5 + negl.
Can be amplified repeating n times ⇒ Errors become 2−Θ(n) .
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The HB protocol [Hopper and Blum AC’01]
τ = 0.1
P(s)
e ← Berτ
z := ha, si ⊕ e
s ← Zℓ2
V(s)
a
a ← Zℓ2
z
accept if ha, si ⊕ z = 0
| {z }
e
Secure against passive attacks from LPN.
to proof
Correctness error 0.1. Soundness error 0.5 + negl.
Can be amplified repeating n times ⇒ Errors become 2−Θ(n) .
Not secure against active attacks:
1
2
ask for ha, si ⊕ e i (for several i) ⇒ majority is ha, si w.h.p..
recover s from haj , si (j = 1, . . . , ℓ) using Gaussian elimination.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
The HB+ protocol [Juels and Weis Crypto’05]
s′ , s ← Zℓ2
τ = 0.1
P(s′ , s)
z :=
V(s′ , s)
e ← Berτ
ha, si ⊕ e
Krzysztof Pietrzak
a
a ← Zℓ2
z
accept if
ha, si ⊕ z = 0
Efficient Cryptography from Hard Learning Problems
The HB+ protocol [Juels and Weis Crypto’05]
s′ , s ← Zℓ2
τ = 0.1
P(s′ , s)
b ← Zℓ2
V(s′ , s)
b
a
e ← Berτ
z := hb, s′ i ⊕ ha, si ⊕ e
z
Secure against active attacks.
Krzysztof Pietrzak
a ← Zℓ2
hb, s′ i
accept if
⊕ ha, si ⊕ z = 0
to proof
Efficient Cryptography from Hard Learning Problems
The HB+ protocol [Juels and Weis Crypto’05]
s′ , s ← Zℓ2
τ = 0.1
P(s′ , s)
b ← Zℓ2
V(s′ , s)
b
a
e ← Berτ
z := hb, s′ i ⊕ ha, si ⊕ e
a ← Zℓ2
z
Secure against active attacks.
hb, s′ i
accept if
⊕ ha, si ⊕ z = 0
to proof
Can be amplified by repetition [KS’06].
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
HB
,
,
/
Round Optimal (2 Rounds).
Tight reduction: LPN ε-hard ⇒ HB ε-secure.
Passive security.
HB+
,
/
/
/
Active Security.
3 Rounds (Prover must be stateful).
Loose reduction: LPN ε-hard ⇒ HB
√
ε-secure.
Reduction not Quantum (No Cloning Theorem.)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
HB
,
,
/
Round Optimal (2 Rounds).
Tight reduction: LPN ε-hard ⇒ HB ε-secure.
Passive security.
HB+
,
/
/
/
Active Security.
3 Rounds (Prover must be stateful).
Loose reduction: LPN ε-hard ⇒ HB
√
ε-secure.
Reduction not Quantum (No Cloning Theorem.)
a0
z0
a1
z1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
HB
,
,
/
Round Optimal (2 Rounds).
Tight reduction: LPN ε-hard ⇒ HB ε-secure.
Passive security.
HB+
,
/
/
/
Active Security.
3 Rounds (Prover must be stateful).
Loose reduction: LPN ε-hard ⇒ HB
√
ε-secure.
Reduction not Quantum (No Cloning Theorem.)
a0
a1
Krzysztof Pietrzak
z0
?
z1
Efficient Cryptography from Hard Learning Problems
http://www.ecrypt.eu.org/lightweight/index.php/HB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Nicholas J. Hopper, Manuel BlumSecure Human Identification Protocols. ASIACRYPT 2001
Ari Juels, Stephen A. Weis.Authenticating Pervasive Devices with Human Protocols. CRYPTO 2005
Jonathan Katz, Ji Sun Shin.Parallel and Concurrent Security of the HB and HB+ Protocols.
EUROCRYPT 2006
Éric Levieil, Pierre-Alain Fouque.An Improved LPN Algorithm. SCN 2006
Henri Gilbert, Matt Robshaw, Herve Sibert.An Active Attack Against HB+ - A Provably Secure
Lightweight Authentication Protocol. Cryptology ePrint Archive.
Jonathan Katz, Adam Smith.Analyzing the HB and HB+ Protocols in the Large Error Case. Cryptology
ePrint Archive.
Julien Bringer, Hervé Chabanne, Emmanuelle Dottax.HB++.a Lightweight Authentication Protocol Secure
against Some Attacks. SecPerU 2006
Jonathan Katz.Efficient Cryptographic Protocols Based on the Hardness of Learning Parity with Noise.
IMA Int. Conf. 2007
Jorge Munilla, Alberto Peinado.HB-MP.A further step in the HB-family of lightweight authentication
protocols. Computer Networks 51(9).2262-2267 (2007)
Dang Nguyen Duc, Kwangjo Kim.Securing HB+ against GRS Man-in-the-Middle Attack. Proc. Of SCIS
2007, Abstracts pp.123, Jan. 23-26, 2007, Sasebo, Japan.
Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.HB#.Increasing the Security and Efficiency of
HB+. EUROCRYPT 2008
Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.Good Variants of HB+ Are Hard to Find. Financial
Cryptography 2008
Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.How to Encrypt with the LPN Problem. ICALP (2)
2008
Julien Bringer, Herv Chabanne.Trusted-HB.A Low-Cost Version of HB+ Secure Against Man-in-the-Middle
Attacks. IEEE Transactions on Information Theory 54(9).4339-4342 (2008).
Khaled Ouafi, Raphael Overbeck, Serge Vaudenay.On the Security of HB# against a Man-in-the-Middle
Attack. ASIACRYPT 2008
Zbigniew Golebiewski, Krzysztof Majcher, Filip Zagorski, Marcin Zawada.Practical Attacks on HB and
HB+ Protocols. Cryptology ePrint Archive.
Xuefei Leng, Keith Mayes, Konstantinos Markantonakis.HB-MP+ Protocol.An Improvement on the
HB-MP Protocol. IEEE International Conference on RFID, 2008 April 2008.
Dmitry Frumkin, Adi Shamir.Un-Trusted-HB.Security Vulnerabilities of Trusted-HB. Cryptology ePrint
Archive.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
New Authentication Protocol
,
,
,
Active Security.
Round Optimal (2 Rounds).
Tight (Quantum) Reduction.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
Subspace LWE, K.Pietrzak, TCC 2012.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
LPN
s ∈ Zm
2
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
LPN
s ∈ Zm
2
r ← Zm
2 e ← Berτ
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
LPN
s ∈ Zm
2
r, hr, si + e
r ← Zm
2 e ← Berτ
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
s ∈ Zm
2
n≤m
v ∈ Zm
2 , kvk1 = n
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
s ∈ Zm
2
n≤m
v ∈ Zm
2 , kvk1 = n
r, hr, s↓v i + e
r ← Zn2 e ← Berτ
m = 6, n = 3
s= 1 0 0 0 1 1
v= 0 0 1 1 1 0
s↓v =
0 0 1
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
s ∈ Zm
2
n≤m
v ∈ Zm
2 , kvk1 = n
r, hr, s↓v i + e
(m, n, τ ) Subset LPN Assumption
Hard to distinguish outputs from uniform.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
s ∈ Zm
2
n≤m
v ∈ Zm
2 , kvk1 = n
r, hr, s↓v i + e
(m, n, τ ) Subset LPN Assumption
Hard to distinguish outputs from uniform.
(m, n, τ ) Subset LPN ⇒ (n, τ ) LPN.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Subset LPN
s ∈ Zm
2
n≤m
v ∈ Zm
2 , kvk1 = n
r, hr, s↓v i + e
(m, n, τ ) Subset LPN Assumption
Hard to distinguish outputs from uniform.
(m, n, τ ) Subset LPN ⇒ (n, τ ) LPN.
Theorem
(n, τ ) LPN ⇒ (m, n − d, τ ) Subset LPN (2−d = negl)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Authentication from Subset LPN
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
HB and Friends
P(s)
a
ha, si ⊕ e
V(s)
New Approach
P(s)
v
a, ha, s↓v i ⊕ e
Krzysztof Pietrzak
V(s)
Efficient Cryptography from Hard Learning Problems
HB and Friends
P(s)
a
ha, si ⊕ e
V(s)
a ← Zℓ2
New Approach
P(s)
a←
Zℓ2
v
a, ha, s↓v i ⊕ e
Krzysztof Pietrzak
V(s)
Efficient Cryptography from Hard Learning Problems
Active Security in Two Rounds
τ = 0.1
P(s)
a←
s ← Z2ℓ
2
v
Zℓ2
e ← Berτ
z := ha, s↓v i ⊕ e
to proof
a, z
v←
V(s)
, kvk1 = ℓ
Z2ℓ
2
accept if
k ha, s↓v i ⊕ z k1 ≤ 0.2n
| {z }
e
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security in Two Rounds
s ← Z2ℓ
2
τ = 0.1
P(s)
z
A ← Z2ℓ×n
e ← Bernτ
:= AT s↓v ⊕
v
e
to proof
n : # of repetitions.
v←
A, z
V(s)
, kvk1 = ℓ
Z2ℓ
2
accept if
T
k A s↓v ⊕ z k1 ≤ 0.2n
| {z }
e
and rank(A) = n
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
1st Phase of Active Attack
s∈
Zℓ2
Simulates P(s)
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
1st Phase of Active Attack
s∈
Zℓ2
Simulates P(s)
Krzysztof Pietrzak
v
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
1st Phase of Active Attack
s∈
Zℓ2
v
Simulates P(s)
Krzysztof Pietrzak
v
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
1st Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates P(s)
Krzysztof Pietrzak
v
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
1st Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates P(s)
Krzysztof Pietrzak
v
A, AT s↓v ⊕ e
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
Krzysztof Pietrzak
v
A, AT s↓v ⊕ e
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
Krzysztof Pietrzak
v
A, AT s↓v ⊕ e
v∗
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
Krzysztof Pietrzak
v
A, AT s↓v ⊕ e
v∗
∗
T
A , A s↓v∗ ⊕ e∗
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
v
A, AT s↓v ⊕ e
v∗
∗
T
A , A s↓v∗ ⊕ e∗
If e ← Bernτ ⇒ simulation of P(s) perfect ⇒ ke∗ k1 ≤ 0.2n.
If e uniform ⇒ s hidden ⇒ e∗ uniform ⇒ ke∗ k1 ≈ 0.5n.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
v
A, AT s↓v ⊕ e
v∗
∗
T
A , A s↓v∗ ⊕ e∗
If e ← Bernτ ⇒ simulation of P(s) perfect ⇒ ke∗ k1 ≤ 0.2n.
If e uniform ⇒ s hidden ⇒ e∗ uniform ⇒ ke∗ k1 ≈ 0.5n.
But... can’t compute ke∗ k1 from A∗ , AT s↓v∗ ⊕ e∗ .
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Active Security of New Protocol
If ∃
to protocol
who breaks active security, then Subset LPN is not hard.
2nd Phase of Active Attack
s∈
Zℓ2
v
A, AT s↓v ⊕ e
Simulates V(s)
v
A, AT s↓v ⊕ e
v∗
∗
T
A , A s↓v∗ ⊕ e∗
If e ← Bernτ ⇒ simulation of P(s) perfect ⇒ ke∗ k1 ≤ 0.2n.
If e uniform ⇒ s hidden ⇒ e∗ uniform ⇒ ke∗ k1 ≈ 0.5n.
But... can’t compute ke∗ k1 from A∗ , AT s↓v∗ ⊕ e∗ .
Simulate protocol for key ŝ ∈ Z2ℓ
2 such that
ŝ↓v∗ known
Krzysztof Pietrzak
ŝ↓v∗ = s
Efficient Cryptography from Hard Learning Problems
Length of LPN secret ℓ ≈ 500
# Repetitions n ≈ 160
Efficiency
Keysize 4ℓ = 2000 bits
Communication 2ℓn ≈ 20kb
Computation (small multiple of) ℓn.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Length of LPN secret ℓ ≈ 500
# Repetitions n ≈ 160
Efficiency
Keysize 4ℓ = 2000c bits
Communication 2ℓn ≈ 20kb/c
Computation (small multiple of) ℓn.
Communication vs. Keysize tradeoff c ∈ {1, . . . , n}.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Length of LPN secret ℓ ≈ 500
# Repetitions n ≈ 160
Efficiency
Keysize 4ℓ = 2000c bits
Communication 2ℓn ≈ 20kb/c
Computation (small multiple of) ℓn.
Communication vs. Keysize tradeoff c ∈ {1, . . . , n}.
Protocol with Communication & Key-size ℓ and computation
ℓ log ℓ from “Field-LPN” (FSE 2012, with S.Heyse, E.Kiltz,
V.Lyubashevsky, C.Paar)
First prototype implemented.
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems
Questions?
Krzysztof Pietrzak
Efficient Cryptography from Hard Learning Problems

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz