Efficient Cryptography from Hard Learning Problems

Size: px

Start display at page:

Download "Efficient Cryptography from Hard Learning Problems"

Charla Cook
5 years ago
Views:

1 Efficient Cryptography from Hard Learning Problems SOFSEM 2012 January 26th

2 Outline What this Talk is About Provable Security, Exemplified using LPN based Cryptosystems. 1 Ad-Hoc vs. Provable Security. 2 The Learning Parity with Noise (LPN) Problem. 3 PRG from LPN. 4 Encryption from LPN. 5 Secret-Key Authentication from LPN. 6 Some Open Problems.

3 Cryptography in the Old Days Cryptography secret communication Used by military & governments Cryptographers guided by intuition and experience. Schemes usually broken within short time. Cat & mouse game between cryptographers and cryptanalysts.

4 Modern Cryptography applications ATMs, wireless authentication, Internet-banking, e-voting,... tools public-key crypto, zero-knowledge, multiparty-computation,... technique crypto was put on a solid theoretical basis: provable security.

5 Provable Security 1 Define Breaking the Cryptosystem. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

6 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

7 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

8 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

9 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

10 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

11 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

12 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.

13 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure. Theorem No efficient adversary who breaks the scheme exists

14 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure. Theorem No efficient adversary who breaks the scheme exists if (factoring, SVP,...) is hard.

15 Ad-Hoc Constructions: AES Block-Cipher AES: {0,1} 128 {0,1} 128 {0,1} 128 AES(k,.) indistinguishable from random for random k?

16 What is done in Practice Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure modes (e.g. CBC for encryption/authentication.) Public-Key Crypto Provably Secure underlying assumption DL, Factoring...(but become more and more exotic in literature...) Often additional heuristics (e.g. Random oracle.)

17 The Provable Security Mantra Practical Efficiency OR Provable Security

18 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.)

19 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure (LPN assumption)

20 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure (LPN assumption) Schemes for particular tasks (identification) which outperform best ad-hoc solutions in particular settings (RFIDs where randomness is cheap and gates are expensive.)

21 Learning Parity with Noise (LPN)

22 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5

23 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1 Z n 2 e 1 Ber τ

24 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 1 Z n 2 e 1 Ber τ

25 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 2, r 2,s +e 2. r 2 Z n 2 e 2 Ber τ

26 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 2, r 2,s +e 2. r 2 Z n 2 e 2 Ber τ (q,n,τ) LPN assumption (Search Version) Hard to find s. (q, n, τ) LPN assumption (Decisional Version) Hard to distinguish outputs from uniformly random.

27 Hardness of LPN (Search) LPN equivalent to decoding random linear codes. Search & decision polynomially equivalent. Best (quantum) algorithms run in time Θ(2 n/logn ).

28 PRG from LPN

29 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom).

30 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn.

31 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e

32 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e G(A,s,r) A,A.s e where r used to sample e. Shrinking: need r < m l. H(r) H(e) = h(τ)m h(τ) = τ logτ (1 τ)log(1 τ) < 1 r h(τ)m < m l for sufficiently large m.

33 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e G(A,s,r) A,A.s e where r used to sample e. Shrinking: need r < m l. H(r) H(e) = h(τ)m h(τ) = τ logτ (1 τ)log(1 τ) < 1 r h(τ)m < m l for sufficiently large m. G A (s,r) A.s e where r used to sample e.

34 Encryption from LPN

35 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s m s

36 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c Enc(s,m) m Dec(s,c)

37 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m R T s e m

38 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m R T s e m R T s

39 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m ///////e m R R T s /////// T s

every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable

40 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e C(m) Error Correcting Code (C,D) ///////e C(m) R R T s /////// T s m D(C(m) e)

41 Authentication Protocols

42 Authentication Protocols Secret Key s prover P(s) verifier V(s)

43 Authentication Protocols prover P(s) verifier V(s) accept/reject

44 Authentication Protocols prover P(s) verifier V(s) accept Correctness : V(s) accepts if interacting with P(s)

45 Authentication Protocols prover P(s) A verifier V(s) Security : V(s) rejects if interacting with A reject

46 Authentication Protocols prover P(s) verifier V(s) s Security : V(s) rejects if interacting with A

47 Authentication Protocols prover P(s) A verifier V(s) s Security : V(s) rejects if interacting with A

48 Authentication Protocols prover P(s) A verifier V(s) Passive Security 1st phase: A can observe transcripts.

49 Authentication Protocols prover P(s) A verifier V(s) reject Passive Security 1st phase: A can observe transcripts. 2nd phase: V(s) rejects if interacting with A.

50 Authentication Protocols prover P(s) A verifier V(s) Active Security 1st phase: A interacts with P(s).

51 Authentication Protocols prover P(s) A verifier V(s) reject Active Security 1st phase: A interacts with P(s). 2nd phase: V(s) rejects if interacting with A.

52 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) 1

53 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) challenge 1

54 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) 1

55 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) What if block ciphers are not an option? 1

56 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) What if block ciphers are not an option? 1

57 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) RFID 1 tags: 1k-10k gates, 200-2k for security. AES 5k gates. 1 Radio-Frequency IDentification

58 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) RFID 1 tags: 1k-10k gates, 200-2k for security. AES 5k gates. 1 Radio-Frequency IDentification

59 If AES is not an Option...

60 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,...

61 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,...

62 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,... Provably Secure (LPN Based) Authentication Schemes. [HB 01],[JW 05],[ACPS 09],[KSS 10],...

63 Authentication from LPN

64 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e

65 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof

66 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl.

67 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl. Can be amplified repeating n times Errors become 2 Θ(n).

68 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl. Can be amplified repeating n times Errors become 2 Θ(n). Not secure against active attacks: 1 ask for a,s e i (for several i) majority is a,s w.h.p.. 2 recover s from a j,s (j = 1,...,l) using Gaussian elimination.

69 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) V(s,s) a a Z l 2 e Ber τ z := a,s e z accept if a,s z = 0

70 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) b Z l 2 e Ber τ z := b,s a,s e b a z V(s,s) a Z l 2 accept if b,s a,s z = 0 Secure against active attacks. to proof

71 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) b Z l 2 e Ber τ z := b,s a,s e b a z V(s,s) a Z l 2 accept if b,s a,s z = 0 Secure against active attacks. to proof Can be amplified by repetition [KS 06].

72 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.)

73 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.) a 0 z 0 a 1 z 1

74 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.) a 0 z 0 a 1? z 1

75 1 Nicholas J. Hopper, Manuel BlumSecure Human Identification Protocols. ASIACRYPT Ari Juels, Stephen A. Weis.Authenticating Pervasive Devices with Human Protocols. CRYPTO Jonathan Katz, Ji Sun Shin.Parallel and Concurrent Security of the HB and HB+ Protocols. EUROCRYPT Éric Levieil, Pierre-Alain Fouque.An Improved LPN Algorithm. SCN Henri Gilbert, Matt Robshaw, Herve Sibert.An Active Attack Against HB+ - A Provably Secure Lightweight Authentication Protocol. Cryptology eprint Archive. 6 Jonathan Katz, Adam Smith.Analyzing the HB and HB+ Protocols in the Large Error Case. Cryptology eprint Archive. 7 Julien Bringer, Hervé Chabanne, Emmanuelle Dottax.HB++.a Lightweight Authentication Protocol Secure against Some Attacks. SecPerU Jonathan Katz.Efficient Cryptographic Protocols Based on the Hardness of Learning Parity with Noise. IMA Int. Conf Jorge Munilla, Alberto Peinado.HB-MP.A further step in the HB-family of lightweight authentication protocols. Computer Networks 51(9) (2007) 10 Dang Nguyen Duc, Kwangjo Kim.Securing HB+ against GRS Man-in-the-Middle Attack. Proc. Of SCIS 2007, Abstracts pp.123, Jan , 2007, Sasebo, Japan. 11 Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.HB#.Increasing the Security and Efficiency of HB+. EUROCRYPT Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.Good Variants of HB+ Are Hard to Find. Financial Cryptography Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.How to Encrypt with the LPN Problem. ICALP (2) Julien Bringer, Herv Chabanne.Trusted-HB.A Low-Cost Version of HB+ Secure Against Man-in-the-Middle Attacks. IEEE Transactions on Information Theory 54(9) (2008). 15 Khaled Ouafi, Raphael Overbeck, Serge Vaudenay.On the Security of HB# against a Man-in-the-Middle Attack. ASIACRYPT Zbigniew Golebiewski, Krzysztof Majcher, Filip Zagorski, Marcin Zawada.Practical Attacks on HB and HB+ Protocols. Cryptology eprint Archive. 17 Xuefei Leng, Keith Mayes, Konstantinos Markantonakis.HB-MP+ Protocol.An Improvement on the HB-MP Protocol. IEEE International Conference on RFID, 2008 April Dmitry Frumkin, Adi Shamir.Un-Trusted-HB.Security Vulnerabilities of Trusted-HB. Cryptology eprint Archive.

76 New Authentication Protocol Active Security. Round Optimal (2 Rounds). Tight (Quantum) Reduction.

77 Subset LPN Subspace LWE, K.Pietrzak, TCC 2012.

78 LPN s Z m 2

79 LPN s Z m 2 r Z m 2 e Ber τ

80 LPN s Z m 2 r, r,s +e r Z m 2 e Ber τ

81 Subset LPN s Z m 2 n m v Z m 2, v 1 = n

82 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e r Z n 2 e Ber τ m = 6,n = 3 s = v = s v = 0 0 1

83 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform.

84 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform. (m,n,τ) Subset LPN (n,τ) LPN.

85 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform. (m,n,τ) Subset LPN (n,τ) LPN. Theorem (n,τ) LPN (m,n d,τ) Subset LPN (2 d = negl)

86 Authentication from Subset LPN

87 P(s) HB and Friends a a,s e V(s) P(s) New Approach v a, a,s v e V(s)

88 P(s) HB and Friends a a,s e V(s) a Z l 2 P(s) a Z l 2 New Approach v a, a,s v e V(s)

89 Active Security in Two Rounds to proof τ = 0.1 P(s) a Z l 2 e Ber τ z := a,s v e s Z 2l 2 v a,z V(s) v Z 2l 2, v 1 = l accept if a,s v z 1 0.2n }{{} e

90 Active Security in Two Rounds to proof τ = 0.1 s Z 2l 2 n : # of repetitions. P(s) A Z l n 2 e Ber n τ z := A T s v e v A,z V(s) v Z 2l 2, v 1 = l accept if A T s v z 1 0.2n }{{} e and rank(a) = n

91 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard.

92 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. 1st Phase of Active Attack Simulates P(s)

93 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 1st Phase of Active Attack Simulates P(s) v

94 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 v 1st Phase of Active Attack Simulates P(s) v

95 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 v A,A T s v e 1st Phase of Active Attack Simulates P(s) v

96 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 1st Phase of Active Attack Simulates P(s) v A,A T s v e

97 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e

98 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v

99 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e

100 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n.

101 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n. But... can t compute e 1 from A,A T s v e.

102 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n. But... can t compute e 1 from A,A T s v e. Simulate protocol for key ŝ Z 2l 2 such that ŝ v known ŝ v = s

103 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000 bits Communication 2ln 20kb Computation (small multiple of) ln.

104 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000c bits Communication 2ln 20kb/c Computation (small multiple of) ln. Communication vs. Keysize tradeoff c {1,...,n}.

Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000c bits Communication 2ln 20kb/c Computation (small multiple of) ln. Communication vs.

105 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000c bits Communication 2ln 20kb/c Computation (small multiple of) ln. Communication vs. Keysize tradeoff c {1,...,n}. Protocol with Communication & Key-size l and computation l log l from Field-LPN (FSE 2012, with S.Heyse, E.Kiltz, V.Lyubashevsky, C.Paar) First prototype implemented.

106 Questions?

Computer Security CS 526

Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability