1 / 33

Public-Key Encryption from Different Assumptions

Public-Key Encryption from Different Assumptions. Benny Applebaum Boaz Barak Avi Wigderson. Plan. Background Our results assumptions & constructions Proof idea Conclusions and Open Problems. Private Key Cryptography (2000BC-1970’s). k Secret key. Public Key Cryptography (1976-…).

haruko
Download Presentation

Public-Key Encryption from Different Assumptions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Public-Key Encryption from Different Assumptions Benny Applebaum Boaz Barak Avi Wigderson

  2. Plan • Background • Our results • assumptions & constructions • Proof idea • Conclusions and Open Problems

  3. Private Key Cryptography(2000BC-1970’s) kSecret key Public Key Cryptography(1976-…)

  4. Public Key Crypto Talk Securely with no shared key Private Key Crypto Share key and then talk securely Beautiful Math Unstructured • Many Candidates • DES[Feistel+76] • RC4[Rivest87] • Blowfish[Schneie93] • AES[RijmenDaemen98] • Serpent[AndersonBihamKnudsen98] • MARS[Coppersmith+98] • Few Candidates • Discrete Logarithm[DiffieHellman76,Miller85,Koblitz87] • Integer Factorization[RivestShamirAdleman77,Rabin79] • Error Correcting Codes[McEliece78,Alekhnovich03,Regev05] • Lattices [AjtaiDwork96, Regev04] “Beautiful structure” may lead to unforeseen attacks!

  5. The ugly side of beauty Factorization of n bit integers Trial Division ~exp(n/2) Quadratic Sieve~exp(n1/2) Shor’sAlg~poly*(n) Continued Fraction~exp(n1/2) 300BC 1974 1975 1977 1985 1990 1994 Pollard’s Alg~exp(n/4) RSAinvented Number Field Sieve~exp(n1/3)

  6. The ugly side of beauty DES invented Trivial 256 attack Linear Attack [Matsui]243 time+examples 1976 1990 1993 Differntial Attack [Biham Shamir]247 time+examples Factorization of n bit integers Trial Division ~exp(n/2) Quadratic Sieve~exp(n1/2) Shor’sAlg~poly*(n) Continued Fraction~exp(n1/2) 300BC 1974 1975 1977 1985 1990 1994 Are there “ugly” public key cryptosystems? Pollard’s Alg~exp(n/4) RSAinvented Number Field Sieve~exp(n1/3) Cryptanalysis of DES

  7. Complexity Perspective • NP P (clique hard) Our goals as complexity theorists are to prove that: • NP is hard on average (clique hard on avg) •  one-way functions (planted clique hard) (factoring hard) •  public key cryptography

  8. What should be done? Ultimate Goal: public-key cryptosystem from one-way function • Goal: PKC based on more combinatorial problems • increase our confidence in PKC • natural step on the road to Ultimate-Goal • understand avg-hardness/algorithmic aspects of natural problems • This work: Several constructions based on combinatorial problems • Disclaimer: previous schemes are much better in many (most?) aspects • Efficiency • Factoring: old and well-studied • Lattice problems based on worst-case hardness (e.g., n1.5-GapSVP)

  9. Plan • Background • Our results • assumptions & constructions • Proof idea • Conclusions and Open Problems

  10. Assumption DUE Decisional-Unbalanced-Expansion: Hard to distinguish G from H • Can’t approximate vertex expansion in random unbalanced bipartite graphs • Well studied problem though not exactly in this setting (densest-subgraph) Grandom (m,n,d) graph Hrandom (m,n,d) graph + planted shrinking set m m n n  S of size q T of size<q/3 d d

  11. Assumption DUE Decisional-Unbalanced-Expansion: Hard to distinguish G from H We prove: • Thm.Can’t distinguish viacycle-counting / spectral techniques • Thm.Implied by variants of planted-clique in random graphs Grandom (m,n,d) graph Hrandom (m,n,d) graph + planted shrinking set m m n n  S of size q T of size q/3 d d

  12. Assumption DSF Decisional-Sparse-Function: Let G be a random (m,n,d) graph. • Hard to solve random sparse (non-linear) equations • Conjectured to be one-way function when m=n [Goldreich00] • Thm: Hard for: myopic-algorithms, linear tests, low-depth circuits (AC0) • (as long as P is “good” e.g., 3-majority of XORs) Then, y is pseudorandom. m y1 yi ym n P is (non-linear) predicate x1 xn  random string =P(x2,x3,x6) d random input

  13. Assumption SLIN SearchLIN: Let G be a random (m,n,d) graph. • Hard to solve sparse “noisy” random linear equations • Well studied hard problem, sparseness doesn’t seem to help. • Thm: SLIN is Hard for: low-degree polynomials (via [Viola08]) low-depth circuits (via [MST03+Brav n-order Lasserre SDP’s [Schoen08] Given G and y, can’t recoverx. m y1 yi ym n  - noisy bit x1 xn +err =x2+x3+x6 Goal: find x. random input

  14. Main Results • PKCfrom: • Thm 1: DUE(m, q= log n, d)+DSF(m, d) • e.g., m=n1.1 and d= O(1) • pro: “combinatorial/private-key” nature • con: only n log n security DUE: graph looks random DSF: output looks random dLIN: can’t find x m output output n input input x1 xn x1 xn x2+x3+x6+err P(x2,x3,x6) q d q/3 d

  15. Main Results • PKCfrom: • Thm 1: DUE(m, q= log n, d)+DSF(m, d) • Thm 2: SLIN(m=n1.4,=n-0.2,d=3) DUE: graph looks random DSF: output looks random dLIN: can’t find x m output output n input input x1 xn x1 xn x2+x3+x6+err P(x2,x3,x6) q d q/3 d

  16. Main Results PKCfrom: Thm 1: DUE(m, q= log n, d)+DSF(m, d) Thm 2: SLIN(m=n1.4,=n-0.2,d=3) Thm 3: SLIN(m=n log n, ,d) + DUE(m=10000n, q=1/, d) DUE: graph looks random DSF: output looks random dLIN: can’t find x m output output n input input x1 xn x1 xn x2+x3+x6+err P(x2,x3,x6) q d q/3 d

  17. 3LIN vs. Related Schemes • Our intuition: • 1/n noise was a real barrier for PKC construction • 3LIN is more combinatorial(CSP) • low-locality-noisy-parity is “universal” for low-locality dLIN: can’t find x output input x1 xn x2+x3+x6+err d

  18. Plan • Background • Our results • assumptions & constructions • Proof idea • Conclusions and Open Problems

  19. S3LIN(m=n1.4,=n-0.2)  PKE n x e y 1 1 1  + = M m random 3-sparse matrix err vector of rate  y1 yi ym n  - noisy bit x1 xn =x2+x3+x6+err random input Goal: find x

  20. Our Encryption Scheme Params: m=10000n1.4 =n-0.2 |S|=0.1n0.2 Public-key: Matrix M Private-key: S s.t Mm=iSMi Encrypt(b): choose x,e and output z=(y1, y2,…, ym+b) z x e y S + = = z y + b M • Decryption: • w/p (1-)|S| >0.9 no noise in eS iSyi=0 iSzi=b Given ciphertext z output iS zi

  21. Our Encryption Scheme Params: m=10000n1.4 =n-0.2 |S|=0.1n0.2 Public-key: Matrix M Private-key: S s.t Mm=iSMi Encrypt(b): choose x,e and output z=(y1, y2,…, ym+b) z x e y S + = = z y + b M Thm. (security): If M is at most 0.99-far from uniform S3LIN(m, ) hard  Can’t distinguish E(0)fromE(1) Proof outline: Search  Approximate Search  Prediction  Prediction over planted distribution  security

  22. Search  Approximate Search S3LIN(m,): Given M,y find x whp AS3LIN(m,): Given M,y find w 0.9x whp Lemma: Solver A forAS3LIN(m,) allows to solve S3LIN(m+10n lg n ,) random n-bit vector n x e y 1 1 1  + = M m random 3-sparse matrix err vector of rate  search app-searchprediction  prediction over planted  PKC

  23. Search  Approximate Search • S3LIN(m,): Given M,y find x whp • AS3LIN(m,): Given M,y find w 0.9x whp • Lemma: Solver A forAS3LIN(m,) allows to solve S3LIN(m+10n lg n ,) • Use A and first m equations to obtain w. • Use w and remaining equations to recover x as follows. • Recovering x1: • for each equation x1+xi+xk=y compute a vote x1=xi+xk+y • Take majority • Analysis: • Assume wS = xS for set S of size 0.9n • Vote is good w/p>>1/2 as Pr[iS], Pr[kS], Pr[yrow isnot noisy]>1/2 • If x1appears in 2log n distinct equations. Then, majority is correct w/p 1-1/n2 • Take union bound over all variables =wi+wk+y

  24. Approximate Search  Prediction AS3LIN(m,): Given M,y find w0.9x w/p 0.8 P3LIN(m,): Given M,y, (i,j,k) find xi+xj+xkw/p 0.9 Lemma: Solver A forP3LIN(m,) allows to solve AS3LIN(m+1000 n ,) n x e y  + = M m 1 1 1 ? searchapp-search prediction prediction over planted  PKC

  25. y M 1000n z T m Approximate Search  Prediction Proof:

  26. y 1 1 1 M 1000n 11 1 z T m Approximate Search  Prediction • Proof: • Do 100n times • Analysis: • By Markov, whp T, z are good i.e., Prt,j,k[A(T,z,(t,j,k))=xt+xj+xk]>0.8 • Conditioned on this, each red prediction is good w/p>>1/2 • whp will see 0.99 of vars many times – each prediction is independent Invoke Predictor A  0.2 noisy +  xi  2 noisy 11 11 1 1111 i

  27. Prediction over Related Distribution • P3LIN(m,): Given M,y, r=(i,j,k) find xi+xj+xkw/p 0.9 • D = distribution over (M,r) which at most 0.99-far from uniform • Lemma: Solver A forP3LIND(m,)allows to solve P3LINU(O(m) ,) • Problem: A might be bad predictor over uniform distribution • Sol: Test that (M,r)isgood for A with respect to random x and random noise • Good prediction w/p 0.01 Otherwise, “I don’t know” Uniform D x e y M  + = r 1 1 1 ? search app-searchprediction  prediction over planted PKC

  28. Prediction over Related Distribution • Lemma: Solver A forP3LIND(m,)allows to solve P3LINU(O(m) ,) • Sketch: Partition M,y to many pieces Mi,yi theninvoke A(Mi,yi,r) and take majority • Problem: All invocations use the same r and x • Sol: Re-randmization ! x e y  M + = r 1 1 1 ?

  29. Distribution with Short Linear Dependency Hq,n=Uniform over matrices with q-rows each with 3 ones and n cols each with either 0 ones or 2 ones Pm,nq = (m,n,3)-uniform conditioned on existence of sub-matrix HHq that touches the last row Lemma : Let m=n1.4 and q=n0.2 Then, (m,n,3)-uniformand Pm,nq are at most 0.999-statistially far Proof: follows from [FKO06]. 1 1 1 1 11 1 1 1 1 1 1 1 1 1 1 11 1 1 1 1 1 1 stat

  30. Plan • Background • Our results • assumptions & constructions • Proof idea • Conclusions and Open Problems

  31. Other Results • Assumptions  Oblivious-Transfer •  General secure computation • New construction of PRG with large stretch + low locality • Assumptions  Learning k-juntas requires time n(k)

  32. Conclusions • New Cryptosystems with arguably “less structured” assumptions • Future Directions: • Improve assumptions • - use random 3SAT ? • Better theoretical understanding of public-key encryption • public-key cryptography can be broken in “NP  co-NP” ?

  33. Thank You !

More Related