15 research outputs found
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from
subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary
constants. Assume sub-exponential security of the following assumptions, where
is a security parameter, and the parameters below are
large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential
modulus-to-noise ratio , where is the dimension of the LWE
secret,
- The LPN assumption over with polynomially many LPN samples
and error rate , where is the dimension of the LPN
secret,
- The existence of a Boolean PRG in with stretch
,
Then, (subexponentially secure) indistinguishability obfuscation for all
polynomial-size circuits exists
์ก์ํค๋ฅผ ๊ฐ์ง๋ ์ ์๊ธฐ๋ฐ ๋ํ์ํธ์ ๊ดํ ์ฐ๊ตฌ
ํ์๋
ผ๋ฌธ(๋ฐ์ฌ)--์์ธ๋ํ๊ต ๋ํ์ :์์ฐ๊ณผํ๋ํ ์๋ฆฌ๊ณผํ๋ถ,2020. 2. ์ฒ์ ํฌ.ํด๋ผ์ฐ๋ ์์ ๋ฐ์ดํฐ ๋ถ์ ์์ ์๋๋ฆฌ์ค๋ ๋ํ์ํธ์ ๊ฐ์ฅ ํจ๊ณผ์ ์ธ ์์ฉ ์๋๋ฆฌ์ค ์ค ํ๋์ด๋ค. ๊ทธ๋ฌ๋, ๋ค์ํ ๋ฐ์ดํฐ ์ ๊ณต์์ ๋ถ์๊ฒฐ๊ณผ ์๊ตฌ์๊ฐ ์กด์ฌํ๋ ์ค์ ํ์ค์ ๋ชจ๋ธ์์๋ ๊ธฐ๋ณธ์ ์ธ ์๋ณตํธํ์ ๋ํ ์ฐ์ฐ ์ธ์๋ ์ฌ์ ํ ํด๊ฒฐํด์ผ ํ ๊ณผ์ ๋ค์ด ๋จ์์๋ ์ค์ ์ด๋ค. ๋ณธ ํ์๋
ผ๋ฌธ์์๋ ์ด๋ฌํ ๋ชจ๋ธ์์ ํ์ํ ์ฌ๋ฌ ์๊ตฌ์ฌํญ๋ค์ ํฌ์ฐฉํ๊ณ , ์ด์ ๋ํ ํด๊ฒฐ๋ฐฉ์์ ๋
ผํ์๋ค.
๋จผ์ , ๊ธฐ์กด์ ์๋ ค์ง ๋ํ ๋ฐ์ดํฐ ๋ถ์ ์๋ฃจ์
๋ค์ ๋ฐ์ดํฐ ๊ฐ์ ์ธต์๋ ์์ค์ ๊ณ ๋ คํ์ง ๋ชปํ๋ค๋ ์ ์ ์ฐฉ์ํ์ฌ, ์ ์๊ธฐ๋ฐ ์ํธ์ ๋ํ์ํธ๋ฅผ ๊ฒฐํฉํ์ฌ ๋ฐ์ดํฐ ์ฌ์ด์ ์ ๊ทผ ๊ถํ์ ์ค์ ํ์ฌ ํด๋น ๋ฐ์ดํฐ ์ฌ์ด์ ์ฐ์ฐ์ ํ์ฉํ๋ ๋ชจ๋ธ์ ์๊ฐํ์๋ค. ๋ํ ์ด ๋ชจ๋ธ์ ํจ์จ์ ์ธ ๋์์ ์ํด์ ๋ํ์ํธ ์นํ์ ์ธ ์ ์๊ธฐ๋ฐ ์ํธ์ ๋ํ์ฌ ์ฐ๊ตฌํ์๊ณ , ๊ธฐ์กด์ ์๋ ค์ง NTRU ๊ธฐ๋ฐ์ ์ํธ๋ฅผ ํ์ฅํ์ฌ module-NTRU ๋ฌธ์ ๋ฅผ ์ ์ํ๊ณ ์ด๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ ์ ์๊ธฐ๋ฐ ์ํธ๋ฅผ ์ ์ํ์๋ค.
๋์งธ๋ก, ๋ํ์ํธ์ ๋ณตํธํ ๊ณผ์ ์๋ ์ฌ์ ํ ๋น๋ฐํค๊ฐ ๊ด์ฌํ๊ณ ์๊ณ , ๋ฐ๋ผ์ ๋น๋ฐํค ๊ด๋ฆฌ ๋ฌธ์ ๊ฐ ๋จ์์๋ค๋ ์ ์ ํฌ์ฐฉํ์๋ค. ์ด๋ฌํ ์ ์์ ์์ฒด์ ๋ณด๋ฅผ ํ์ฉํ ์ ์๋ ๋ณตํธํ ๊ณผ์ ์ ๊ฐ๋ฐํ์ฌ ํด๋น ๊ณผ์ ์ ๋ํ์ํธ ๋ณตํธํ์ ์ ์ฉํ์๊ณ , ์ด๋ฅผ ํตํด ์๋ณตํธํ์ ๋ํ ์ฐ์ฐ์ ์ ๊ณผ์ ์ ์ด๋ ๊ณณ์๋ ํค๊ฐ ์ ์ฅ๋์ง ์์ ์ํ๋ก ์ํํ ์ ์๋ ์ํธ์์คํ
์ ์ ์ํ์๋ค.
๋ง์ง๋ง์ผ๋ก, ๋ํ์ํธ์ ๊ตฌ์ฒด์ ์ธ ์์ ์ฑ ํ๊ฐ ๋ฐฉ๋ฒ์ ๊ณ ๋ คํ์๋ค. ์ด๋ฅผ ์ํด ๋ํ์ํธ๊ฐ ๊ธฐ๋ฐํ๊ณ ์๋ ์ด๋ฅธ๋ฐ Learning With Errors (LWE) ๋ฌธ์ ์ ์ค์ ์ ์ธ ๋ํด์ฑ์ ๋ฉด๋ฐํ ๋ถ์ํ์๊ณ , ๊ทธ ๊ฒฐ๊ณผ ๊ธฐ์กด์ ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ๋ณด๋ค ํ๊ท ์ ์ผ๋ก 1000๋ฐฐ ์ด์ ๋น ๋ฅธ ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ๋ค์ ๊ฐ๋ฐํ์๋ค. ์ด๋ฅผ ํตํด ํ์ฌ ์ฌ์ฉํ๊ณ ์๋ ๋ํ์ํธ ํ๋ผ๋ฏธํฐ๊ฐ ์์ ํ์ง ์์์ ๋ณด์๊ณ , ์๋ก์ด ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ์ ํตํ ํ๋ผ๋ฏธํฐ ์ค์ ๋ฐฉ๋ฒ์ ๋ํด์ ๋
ผํ์๋ค.Secure data analysis delegation on cloud is one of the most powerful application that homomorphic encryption (HE) can bring. As the technical level of HE arrive at practical regime, this model is also being considered to be a more serious and realistic paradigm. In this regard, this increasing attention requires more versatile and secure model to deal with much complicated real world problems.
First, as real world modeling involves a number of data owners and clients, an authorized control to data access is still required even for HE scenario. Second, we note that although homomorphic operation requires no secret key, the decryption requires the secret key. That is, the secret key management concern still remains even for HE. Last, in a rather fundamental view, we thoroughly analyze the concrete hardness of the base problem of HE, so-called Learning With Errors (LWE). In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is believed not fully understood.
For the data encryption phase efficiency, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept into module-NTRU lattice. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometric, and hence fundamentally solves the key management problem. Finally, by considering further improvement on existing LWE solving algorithms, we propose new algorithms that shows much faster performance. Consequently, we argue that the HE parameter choice should be updated regarding our attacks in order to maintain the currently claimed security level.1 Introduction 1
1.1 Access Control based on Identity 2
1.2 Biometric Key Management 3
1.3 Concrete Security of HE 3
1.4 List of Papers 4
2 Background 6
2.1 Notation 6
2.2 Lattices 7
2.2.1 Lattice Reduction Algorithm 7
2.2.2 BKZ cost model 8
2.2.3 Geometric Series Assumption (GSA) 8
2.2.4 The Nearest Plane Algorithm 9
2.3 Gaussian Measures 9
2.3.1 Kullback-Leibler Divergence 11
2.4 Lattice-based Hard Problems 12
2.4.1 The Learning With Errors Problem 12
2.4.2 NTRU Problem 13
2.5 One-way and Pseudo-random Functions 14
3 ID-based Data Access Control 16
3.1 Module-NTRU Lattices 16
3.1.1 Construction of MNTRU lattice and trapdoor 17
3.1.2 Minimize the Gram-Schmidt norm 22
3.2 IBE-Scheme from Module-NTRU 24
3.2.1 Scheme Construction 24
3.2.2 Security Analysis by Attack Algorithms 29
3.2.3 Parameter Selections 31
3.3 Application to Signature 33
4 Noisy Key Cryptosystem 36
4.1 Reusable Fuzzy Extractors 37
4.2 Local Functions 40
4.2.1 Hardness over Non-uniform Sources 40
4.2.2 Flipping local functions 43
4.2.3 Noise stability of predicate functions: Xor-Maj 44
4.3 From Pseudorandom Local Functions 47
4.3.1 Basic Construction: One-bit Fuzzy Extractor 48
4.3.2 Expansion to multi-bit Fuzzy Extractor 50
4.3.3 Indistinguishable Reusability 52
4.3.4 One-way Reusability 56
4.4 From Local One-way Functions 59
5 Concrete Security of Homomorphic Encryption 63
5.1 Albrecht's Improved Dual Attack 64
5.1.1 Simple Dual Lattice Attack 64
5.1.2 Improved Dual Attack 66
5.2 Meet-in-the-Middle Attack on LWE 69
5.2.1 Noisy Collision Search 70
5.2.2 Noisy Meet-in-the-middle Attack on LWE 74
5.3 The Hybrid-Dual Attack 76
5.3.1 Dimension-error Trade-o of LWE 77
5.3.2 Our Hybrid Attack 79
5.4 The Hybrid-Primal Attack 82
5.4.1 The Primal Attack on LWE 83
5.4.2 The Hybrid Attack for SVP 86
5.4.3 The Hybrid-Primal attack for LWE 93
5.4.4 Complexity Analysis 96
5.5 Bit-security estimation 102
5.5.1 Estimations 104
5.5.2 Application to PKE 105
6 Conclusion 108
Abstract (in Korean) 120Docto
Non-Interactive Zero-Knowledge from Non-Interactive Batch Arguments
Zero-knowledge and succinctness are two important properties that arise in the study of non-interactive arguments. Previously, Kitagawa et al. (TCC 2020) showed how to obtain a non-interactive zero-knowledge (NIZK) argument for NP from a succinct non-interactive argument (SNARG) for NP. In particular, their work demonstrates how to leverage the succinctness property from an argument system and transform it into a zero-knowledge property.
In this work, we study a similar question of leveraging succinctness for zero-knowledge. Our starting point is a batch argument for NP, a primitive that allows a prover to convince a verifier of NP statements with a proof whose size scales sublinearly with . Unlike SNARGs for NP, batch arguments for NP can be built from group-based assumptions in both pairing and pairing-free groups and from lattice-based assumptions. The challenge with batch arguments is that the proof size is only amortized over the number of instances, but can still encode full information about the witness to a small number of instances.
We show how to combine a batch argument for NP with a local pseudorandom generator (i.e., a pseudorandom generator where each output bit only depends on a small number of input bits) and a dual-mode commitment scheme to obtain a NIZK for NP. Our work provides a new generic approach of realizing zero-knowledge from succinctness and highlights a new connection between succinctness and zero-knowledge
Structured-Seed Local Pseudorandom Generators and their Applications
In this note, we introduce structured-seed local pseudorandom generators, a relaxation of local pseudorandom generators. We provide constructions of this primitive under the sparse-LPN assumption, and explore its implications
Time-Space Tradeoffs for Distinguishing Distributions and Applications to Security of Goldreich's PRG
In this work, we establish lower-bounds against memory bounded algorithms for
distinguishing between natural pairs of related distributions from samples that
arrive in a streaming setting.
In our first result, we show that any algorithm that distinguishes between
uniform distribution on and uniform distribution on an
-dimensional linear subspace of with non-negligible advantage
needs samples or memory.
Our second result applies to distinguishing outputs of Goldreich's local
pseudorandom generator from the uniform distribution on the output domain.
Specifically, Goldreich's pseudorandom generator fixes a predicate
and a collection of subsets of size . For any seed , it
outputs where is the
projection of to the coordinates in . We prove that whenever is
-resilient (all non-zero Fourier coefficients of are of degree
or higher), then no algorithm, with memory, can distinguish the
output of from the uniform distribution on with a large inverse
polynomial advantage, for stretch (barring some
restrictions on ). The lower bound holds in the streaming model where at
each time step , is a randomly chosen (ordered) subset of
size and the distinguisher sees either or a uniformly random
bit along with .
Our proof builds on the recently developed machinery for proving time-space
trade-offs (Raz 2016 and follow-ups) for search/learning problems.Comment: 35 page
Lossy Cryptography from Code-Based Assumptions
Over the past few decades, we have seen a proliferation of advanced cryptographic primitives with lossy or homomorphic properties built from various assumptions such as Quadratic Residuosity, Decisional Diffie-Hellman, and Learning with Errors. These primitives imply hard problems in the complexity class (statistical zero-knowledge); as a consequence, they can only be based on assumptions that are broken in . This poses a barrier for building advanced primitives from code-based assumptions, as the only known such assumption is Learning Parity with Noise (LPN) with an extremely low noise rate , which is broken in quasi-polynomial time.
In this work, we propose a new code-based assumption: Dense-Sparse LPN, that falls in the complexity class and is conjectured to be secure against subexponential time adversaries. Our assumption is a variant of LPN that is inspired by McEliece\u27s cryptosystem and random k\mbox{-}XOR in average-case complexity. Roughly, the assumption states that
for a random (dense) matrix , random sparse matrix , and sparse noise vector drawn from the Bernoulli distribution with inverse polynomial noise probability.
We leverage our assumption to build lossy trapdoor functions (Peikert-Waters STOC 08). This gives the first post-quantum alternative to the lattice-based construction in the original paper. Lossy trapdoor functions, being a fundamental cryptographic tool, are known to enable a broad spectrum of both lossy and non-lossy cryptographic primitives; our construction thus implies these primitives in a generic manner. In particular, we achieve collision-resistant hash functions with plausible subexponential security, improving over a prior construction from LPN with noise rate that is only quasi-polynomially secure
Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)
Consider a pseudorandom generator with outputs, whose seed contains blocks of bits each. Further, assume that this PRG has block-locality , i.e. each output bit depends on at most out of the blocks. The question of the maximum stretch that such PRGs can have, as a function of recently emerged in the context of constructing provably secure program obfuscation. It also relates to the question of refuting constraint satisfaction problems on predicates with large alphabets in complexity theory.
We show that such -block local PRGs can have output length at most , by presenting a polynomial time algorithm that distinguishes inputs of the form (for any ) from inputs where each coordinate is sampled independently according to the marginal distributions of the coordinates of .
As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro\u27s \cite{LinT17} recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator as above for large enough with . (Following this work, and an independent work of Lombardi and Vaikuntanthan \cite{LombardiV17a}, Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.)
Our results follow from a general framework that handles more general class of pseudorandom generators. Namely they work even if the outputs are not binary valued and are computed using low-degree polynomial over (instead of the more restrictive local/block-local assumption). Specifically, we prove that for every function ( = reals), if every output of is a polynomial (over the real numbers ) of degree at most of at most monomials and , then there is a polynomial time algorithm for the distinguishing task above. This implies that any such map cannot be a pseudorandom generator. Our results yield, in particular, that natural modifications to notion of generators that are still sufficient for obtaining indistinguishability obfuscation from bilinear maps run into similar barriers.
Our algorithms follow the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever . This class is extremely easy to describe: Let be any simple non-abelian group with the group operation ``\u27\u27, and interpret the blocks of as elements in . The description of the pseudorandom generator is a sequence of triples of indices chosen at random and each output of the generator is of the form
On the Concrete Security of Goldreichโs Pseudorandom Generator
International audienceLocal pseudorandom generators allow to expand a short random string into a long pseudo-random string, such that each output bit depends on a constant number d of input bits. Due to its extreme efficiency features, this intriguing primitive enjoys a wide variety of applications in cryptography and complexity. In the polynomial regime, where the seed is of size n and the output of size n s for s > 1, the only known solution, commonly known as Goldreich's PRG, proceeds by applying a simple d-ary predicate to public random sized subsets of the bits of the seed. While the security of Goldreich's PRG has been thoroughly investigated, with a variety of results deriving provable security guarantees against class of attacks in some parameter regimes and necessary criteria to be satisfied by the underlying predicate, little is known about its concrete security and efficiency. Motivated by its numerous theoretical applications and the hope of getting practical instantiations for some of them, we initiate a study of the concrete security of Goldreich's PRG, and evaluate its resistance to cryptanalytic attacks. Along the way, we develop a new guess-and-determine-style attack, and identify new criteria which refine existing criteria and capture the security guarantees of candidate local PRGs in a more fine-grained way
Multi-Party Homomorphic Secret Sharing and Sublinear MPC from Sparse LPN
Over the past few years, homomorphic secret sharing (HSS) emerged as a compelling alternative to fully homomorphic encryption (FHE), due to its feasibility from an array of standard assumptions and its potential efficiency benefits. However, all known HSS schemes, with the exception of schemes built from FHE or indistinguishability obfuscation (iO), can only support two or four parties.
In this work, we give the first construction of a multi-party HSS scheme for a non-trivial function class, from an assumption not known to imply FHE. In particular, we construct an HSS scheme for an arbitrary number of parties with an arbitrary corruption threshold, supporting evaluations of multivariate polynomials of degree over arbitrary finite fields. As a consequence, we obtain a secure multiparty computation (MPC) protocol for any number of parties, with (slightly) sub-linear per-party communication of roughly bits when evaluating a layered Boolean circuit of size .
Our HSS scheme relies on the Sparse Learning Parity with Noise assumption, a standard variant of LPN with a sparse public matrix that has been studied and used in prior works. Thanks to this assumption, our construction enjoys several unique benefits. In particular, it can be built on top of any linear secret sharing scheme, producing noisy output shares that can be error-corrected by the decoder. This yields HSS for low-degree polynomials with optimal download rate. Unlike prior works, our scheme also has a low computation overhead in that the per-party computation of a constant degree polynomial takes work, where is the number of monomials
On the algebraic immunity - resiliency trade-off, implications for Goldreich's pseudorandom generator
peer reviewe