Slide 1
Exploring Crypto Dark Matter: New Simple PRF Candidates and Their Applications
Dan Boneh, Yuval Ishai, Alain Passelègue, Amit Sahai, and David J. Wu

Slides 2-3
The landscape of cryptography (figure not drawn to scale and non-exhaustive)
[Figure: a spectrum from theory-driven to practice-oriented. Theory-driven side: Factoring (RSA, QR, ...), Discrete Log (DDH, DLin, ...), LPN, Lattices (LWE, SIS, ...). Practice-oriented side: block ciphers (AES, LowMC, RASTA, DES), hash functions (SHA, Blake, Keccak), stream ciphers (Salsa20, ChaCha, FLIP). The unexplored region in between is labelled "crypto dark matter".]

Slide 4
Exploring crypto dark matter
Objectives: study the simplest unexplored areas of cryptography, i.e. new simple assumptions such that:
- if valid: efficient, simple constructions suitable for advanced cryptographic applications (MPC, FHE, ...)
- if invalid: positive results in other domains
- better understand the boundaries of cryptographic hardness
Examples: Goldreich's PRG [Gol01]; candidate low-complexity PRFs [MV12, ABGKR14]
Slides 5-6
Our focus: (weak) pseudorandom functions
A PRF is a deterministic keyed function that is efficiently computable and indistinguishable from a truly random function if the key is secret.
Weak PRF: security is guaranteed only as long as the inputs are uniformly random.
PRFs are widely used as a building block for symmetric encryption, authentication, ...
[Diagram: symmetric encryption from a weak PRF.]
Slides 7-9
Existing PRF candidates
Theory-driven: [GGM84] (from one-way functions via a length-doubling PRG) and [NR97]
Practice-oriented: DES (1975), AES (1998)
Slide 10
Starting point: hardness from modulus mixing
Define the function "mod-3 sum of a binary vector". It cannot be approximated by a low-degree polynomial over the integers mod 2 [Raz87, Smo87]. Could this be a source of hardness?
Slide 11
Our weak PRF candidate
PRF key: a secret binary matrix. Input: a binary vector.
"secret matrix-vector product mod 2, sum resulting values mod 3"
Slides 12-14
Extensions and variants
- other moduli instead of mod-2/mod-3
- multiple output bits
- compact keys: use structured matrices (e.g., circulant or Toeplitz matrix)

Slide 15
This talk: focus on the basic mod-2/mod-3 candidate, "secret matrix-vector product mod 2, sum resulting values mod 3".
Slide 16
Conjectures
"secret matrix-vector product mod 2, sum resulting values mod 3"
Conjecture (informal): the above function family is a weak PRF family.
Basic conjecture: the advantage of a [...]-time adversary is [...] when [...].
Stronger conjecture: the advantage of a [...]-time distinguisher is [...] when [...] – exponential hardness.
Slides 17-18
Rationales for security 1/2
"secret matrix-vector product mod 2, sum resulting values mod 3"
Cannot be approximated by low-degree polynomials: the mod-2 computation has high degree over the integers mod 3, and the mod-3 computation has high degree over the integers mod 2, so the function has high degree over both.
BKW-type attacks on LPN rely on constructing new samples by taking linear combinations of existing samples... The mod-3 sum function is highly non-linear.
Slide 19
PRFs and hardness of learning theory
Learning algorithm for a class C: black-box access to an unknown function in C; objective: predict the values of the function from known values.
Learning phase: collect samples. Prediction phase: predict/approximate the function.
Theorem: if C is learnable, then there is no PRF in C.
Proof: run the learning algorithm for C. A function in C can then be predicted from samples, but a random function cannot!
Slide 20
Rationales for security 2/2
"secret matrix-vector product mod 2, sum resulting values mod 3"
We rule out statistical learning attacks (attacks that find a good approximation of the function in a fixed family by testing a statistical property, e.g., Linial et al. [LMN89]): we prove that the above function family is only negligibly correlated with any fixed function family of size [...].
We invite further cryptanalysis!
Slides 21-24
In what ways is it simple?
"secret matrix-vector product mod 2, sum resulting values mod 3"
- Conceptually simple: no mention of groups, S-boxes, ...
- Low-complexity: computable by depth-2 [...] circuits, and computable by width-3 branching programs [Bar85]
How much simpler could it be?
Slide 25
Theoretical implications 1/2
[Figure: map of known results by circuit depth (depth 2, depth 3, depth [...]). This work gives a weak PRF in depth 2 and a strong PRF in depth 3, both with conjectured exponential security. Previously known candidates: weak PRFs [AR16], [ABGKR14], [Kha93] and a strong PRF [Vio13], all with quasi-polynomial security. Also shown: a quasi-poly attack against weak PRFs, a quasi-poly attack against strong PRFs, and the result that there are no strong PRFs for broad classes of depth-2 circuits [BV96, LMN89, CIKK16].]
Under our conjectures:
- the depth-2 circuit class above is not PAC-learnable in sub-exponential time under the uniform distribution
- width-3 BPs are not PAC-learnable in sub-exponential time under the uniform distribution
Slide 26
Connection with sparse polynomial interpolation
"secret matrix-vector product mod 2, sum resulting values mod 3"
Consider a change of variables: [...] and [...]. Then the function becomes a sparse multilinear polynomial of degree [...] over the integers mod 3 (only [...] non-zero coefficients).
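As an added illustration (my code, not the authors'), here is the basic mod-2/mod-3 candidate from slide 11 together with the change-of-variables view on this slide, in Python. The substitution z_i = (-1)^{x_i}, computed mod 3 as z_i = 1 + x_i, is my assumption about how the change of variables is carried out; with it every key row contributes one monomial, so the function equals a multilinear polynomial mod 3 with at most m + 1 nonzero coefficients, which the code verifies exhaustively on a small constructed key.

```python
import secrets
from itertools import product

# Toy parameters (constructed for illustration; real keys are far larger).
M, N = 4, 3


def keygen(m=M, n=N):
    """Secret key: a uniformly random m x n binary matrix."""
    return [[secrets.randbelow(2) for _ in range(n)] for _ in range(m)]


def weak_prf(A, x):
    """Basic mod-2/mod-3 candidate: y = A x mod 2, output sum_j y_j mod 3."""
    y = [sum(a & b for a, b in zip(row, x)) % 2 for row in A]
    return sum(y) % 3


def sparse_poly(A):
    """Monomials of the mod-3 representation: one per key row, given by
    the row's support (assumed change of variables z_i = (-1)^{x_i})."""
    return [tuple(i for i, a in enumerate(row) if a) for row in A]


def sparse_poly_eval(A, x):
    """Evaluate F through the sparse polynomial instead of directly.

    With z_i = (-1)^{x_i} (mod 3: z_i = 1 + x_i), each output bit obeys
    (-1)^{y_j} = prod_{i in supp(A_j)} z_i and y_j = 2 + (-1)^{y_j} mod 3,
    hence F(x) = 2m + sum_j prod_{i in supp(A_j)} z_i (mod 3): a
    multilinear polynomial with at most m + 1 nonzero coefficients.
    """
    z = [(1 + xi) % 3 for xi in x]
    total = 2 * len(A)
    for mono in sparse_poly(A):
        term = 1
        for i in mono:
            term = (term * z[i]) % 3
        total += term
    return total % 3


def agrees_on_full_domain(A):
    """Check F == sparse polynomial on every input (feasible for small n)."""
    n = len(A[0])
    return all(weak_prf(A, x) == sparse_poly_eval(A, x)
               for x in product((0, 1), repeat=n))


if __name__ == "__main__":
    A = keygen()
    print("key rows:", A)
    print("monomials:", sparse_poly(A), "+ constant term")
    print("identity holds on all inputs:", agrees_on_full_domain(A))
```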
Slide 27
Theoretical implications 2/2
Under our conjectures:
- sparse multivariate polynomials over the integers mod 3 are hard to interpolate in sub-exponential time given evaluations at random points in [...]
- it is even hard to test in sub-exponential time whether a function can be represented as a sparse multivariate polynomial (property testing)!
Known results on interpolation or property testing require making queries over the full domain! Not much is known from queries over only a subset of the domain...
Slides 28-29
Application to MPC: distributed evaluation
The secret key is secret-shared across multiple parties. In typical MPC protocols, costs (e.g., communication or round complexity) scale with the number of non-linear operations.
Distributed symmetric searchable encryption (SSE): an encrypted public database (e.g., movies), where each "movie" is encrypted with the key. A client can pay the servers to get a movie; the client and the servers do not learn anything about the key, and the servers do not learn which movie the client wants.

Slides 30-35
3-party secret-sharing based MPC [AFLNO16]
Servers want to compute shares of a sum: easy, no interaction needed.
Servers want to compute shares of a product? A server holding only its own shares can compute only the term built from them: all the cross-terms are missing! Need interaction?
Idea: give 2 shares to each server! Each server can then produce 4 out of the 9 terms, so 1 multiplication needs no interaction. (Interaction is needed for a second multiplication, as each server needs to get 2-out-of-3 shares again.)
Overall cost: linear operations are free; 1 round of interaction per multiplication; communication per multiplication = |output|.
For our candidate, only the modulus switching is non-linear... and it can be implemented with only 2 multiplications!
Slide 36
Distributed evaluation in the 3-server setting
[Table: round complexity and communication complexity (in kb) for output size 128, comparing AES, LowMC (min-depth), LowMC (min-gates), Rasta (min-depth), Rasta (min-gates) and our candidate.]
Slide 37
2-server protocol in the preprocessing model
We propose a 2-server protocol for distributed evaluation in the preprocessing model: the 2 servers share common randomness, and the preprocessing is non-interactive and input-independent. Our protocol is based on oblivious transfer (OT) and oblivious affine function evaluation (OAFE) in the preprocessing model.
Slide 38
Distributed evaluation in the 2-server setting
[Table: round complexity, online communication (in kb) and preprocessing size (in kb) for output size 128, comparing Yao + AES, Yao + LowMC and our candidate (recovered cell values: 2, 2, 4).]
Slide 39
From weak PRF to strong PRF
The candidate is not a strong PRF! (At least) 2 attacks against strong PRF security:
- a non-adaptive attack based on the representation as a sparse [...]-variate polynomial
- an adaptive attack based on the representation as a finite automaton with multiplicity [BV94]
Known attacks require close inputs (in Hamming distance)... Idea: require inputs to be pairwise far.
Slides 40-41
Encoded-input PRFs
The candidate is not a strong PRF, but it may be a strong PRF on a fixed sparse subset of the domain: use a public keyless encoding such that the candidate composed with the encoding is a strong PRF.
"Pushing the complexity of the PRF back into the public encoding, while leaving security in the simple evaluation of the candidate."
Slides 42-44
Applications of EI-PRFs
Encoded-input PRF: a public encoding such that the function composed with the encoding is a strong PRF.
For applications, we can provide the encoded input directly together with a proof that it is a valid encoding... It is easy to verify it with a depth-2 circuit, so only the complexity of the function evaluation really matters.
[Diagram: symmetric encryption from an EI-PRF.]
Assuming the function has low depth, we obtain:
- symmetric encryption with low-depth decryption
- MAC with low-depth verification
- CCA-secure symmetric encryption with low-depth decryption

Slide 45
EI-PRFs from our candidate
Pairwise far inputs: encode with a linear code over the integers mod 3, then evaluate the candidate (matrix-vector product mod 2, sum mod 3). We are just mixing moduli again: a mod-3/mod-2/mod-3 computation.

Slide 46
Depth-3 strong PRF candidate
[Diagram: public encoding procedure followed by the secret linear mapping and the mod-3 sum.]
Conjecture: this is a strong PRF (with plausible exponential security).

Slide 47
Asymptotically-optimal strong PRFs
Do there exist strong PRFs with exponential security that can be computed by a linear-size circuit?
Take the two matrices (the key and the encoding) to be generator matrices of linear-time encodable codes (one over each modulus) [IKOS08, DI14]. The resulting construction is linear-time computable.
Slide 48
An alternative candidate weak PRF
[Definition: output [...] if [...], and [...] otherwise.]
This is almost Learning With Rounding (LWR). Surprisingly, known efficient attacks against LWR with constant prime moduli seem to fail with a composite modulus... Need further cryptanalysis!
Slide 49
Conclusion
Modulus mixing is a relatively unexplored source of hardness:
- it enables simple cryptographic primitives: first candidate depth-2 weak PRF and depth-3 strong PRF
- it is useful for efficient MPC
- it has natural connections to complexity theory, learning theory, mathematics, ...
Much more to explore:
- further cryptanalysis
- other primitives: MPC-friendly primitives give natural candidates for post-quantum signatures [IKOS07]
- more crypto dark matter

Slide 50
Thank you!
Slides 55-57
How do we design cryptographic primitives?
Theory-driven: introduce a hardness assumption (e.g., RSA, discrete log, LWE) and reduce security to breaking the hardness assumption.
+ easy to analyze: "[...] primitives, 1 assumption"
- algebraic structure: concrete efficiency is often limited by the structure of the computational assumption (e.g., algebraic PRFs vs. AES), and that structure can be exploited in attacks (e.g., sub-exponential attacks, quantum attacks)
Practice-oriented: build efficient specific primitives (e.g., block ciphers, hash functions) with a focus on concrete efficiency; security is based on heuristics, experience and cryptanalysis.
+ efficient
- tailored to one specific application; designs are often complex and hard to analyze: "[...] primitives, [...] assumptions"

Slide 58
The landscape of cryptography (figure not drawn to scale; the same figure as slides 2-3, with lattice-based (LWE, SIS, ...), Dlog-based (DDH, DLin, ...) and factoring-based (RSA, QR, ...) assumptions on one side, AES, SHA, LowMC, RASTA, DES, Salsa20, ChaCha, Blake, Keccak and FLIP on the other, and "crypto dark matter" in between).

Slide 59
Not a strong PRF
"secret matrix-vector product mod 2, sum resulting values mod 3"
Conjecture (informal): the above function family is a weak PRF family.
It is not a strong PRF: a non-adaptive attack can be mounted based on representing the computation as evaluating a sparse polynomial (non-adaptive = fixed set of queries).
Slide 60
Rationales for security 1/2
"secret matrix-vector product mod 2, sum resulting values mod 3"
The mod-3 sum is hard to approximate: it cannot be approximated by a low-degree polynomial [Raz87, Smo87]. Conjecture: it cannot be approximated by a low-degree rational function either.
Slide 61
Rationales for security 2/2
"secret matrix-vector product mod 2, sum resulting values mod 3"
The function is hard to learn: it is only negligibly correlated to any fixed function family of size [...]; this rules out LMN-style algorithms.
The mod-3 sum is highly non-linear: it seems hard to create new samples by taking linear combinations of existing samples, so BKW-style attacks seem irrelevant.
We invite further cryptanalysis!
Slides 62-64
Encoded-input PRFs
Encoded-input PRF: a function whose behavior is pseudorandom on a sparse subset of the domain. A function is an encoded-input PRF if its composition with a public encoding is a strong PRF.
Advantage: checking that an input is properly encoded is simple (depth-2 circuit); this is useful for many applications.
Implication: if the function can be computed by a low-depth circuit, then the combination of checking that an input is properly encoded and computing the function is also low-depth (even if the encoding is complex!).
Given an EI-PRF with a low-depth function, we get: symmetric encryption with low-depth decryption; MACs with low-depth verification; CCA-secure symmetric encryption with low-depth decryption.
This is a way to bypass impossibility results for weak/strong PRFs (e.g., one can have an EI-PRF in a complexity class where weak/strong PRFs do not exist).

Slides 65-67
Encoded-input PRFs
Encoded-input PRF: a function whose behavior is pseudorandom on a sparse subset of the domain; a function is an encoded-input PRF if its composition with a public encoding is a strong PRF.
Concrete proposal: take the encoding function to be the encoding algorithm of a linear error-correcting code. Encoding is done using a linear ECC over the integers mod 3 and taking the binary decomposition.
It is important to consider an ECC over the integers mod 3 and not mod 2, since otherwise the encoding and the multiplication by the secret key could be combined (this again relies on modulus mixing!).

Slides 68-69
Encoded-input PRFs and strong PRFs
[Diagram: public encoding procedure followed by the secret linear mapping.]
Conjecture: the composition of the encoding with the weak PRF is a strong PRF.
This gives the first candidate strong PRF in depth 3 (and it even has plausible exponential security).

Slides 70-71
Asymptotically-optimal strong PRFs
Do there exist strong PRFs with exponential security that can be computed by linear-size circuits?
We can instantiate the construction with linear-time encodable codes (e.g., the IKOS / Druk-Ishai family); the resulting construction can be implemented by a linear-size circuit.
This gives a new natural-proof barrier (Razborov-Rudich style) against proving super-linear circuit lower bounds.