Cryptography: The Jugalbandi of Structure and Randomness
Transcript of Cryptography: The Jugalbandi of Structure and Randomness
Cryptography:The Jugalbandiof Structure and RandomnessShweta AgrawalIIT Madras
CryptographyThe Art of Secret Keeping
Cryptography guarantees that breaking a cryptosystem is at least as hardas solving some difficult mathematical problem.
2
Case Study: Encryption
3
Functionality: Correctness of decryptionSecurity: Ciphertext looks uniformly random
Walking the Fine Line
4
Want functionality together with securityβ¦Any one without the other is easy β how?
Functionality + Security
5
- Functionality requires structure- Security requires randomness
Computational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBxοΏ½ tk Β΅ from the target
tΒ΅
b1
b2
Bx
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
Get both together from suitable hard problem in math
Closest Vector Problem on
Lattices
What is a lattice?
6
Point Lattices and Lattice Parameters
Lattices: Definition
e1e2
The simplest lattice in n-dimensionalspace is the integer lattice
β€ = Zn
b1b2
Other lattices are obtained byapplying a linear transformation
β€ = BZn (B 2 Rdβ₯n)
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43
Point Lattices and Lattice Parameters
Lattices: Definition
e1e2
The simplest lattice in n-dimensionalspace is the integer lattice
β€ = Zn
b1b2
Other lattices are obtained byapplying a linear transformation
β€ = BZn (B 2 Rdβ₯n)
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43
A set of points with periodic arrangement
Discrete subgroup of Rn
7
Shortest Vector ProblemComputational Problems
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x 2 Zk) oflength (at most) kBxk οΏ½1
b1
b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 16 / 43
Computational Problems
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x 2 Zk) oflength (at most) kBxk οΏ½1
b1
b2
οΏ½1
Bx = 5b1 οΏ½ 2b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 16 / 43
8
Closest Vector ProblemComputational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBxοΏ½ tk Β΅ from the target
t
b1
b2
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
Computational Problems
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance kBxοΏ½ tk Β΅ from the target
tΒ΅
b1
b2
Bx
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 17 / 43
RD
One Way Functions
9
xy
Easy
Hard
π:π· β π , One Way
π
Most basic βprimitiveβ in cryptography!
10
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices β€such that
β€ β Zd is an integer latticeqZd β β€ is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
β€ is a q-ary lattice if qZn β β€ β Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices β€such that
β€ β Zd is an integer latticeqZd β β€ is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
β€ is a q-ary lattice if qZn β β€ β Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Random lattices in Cryptography
0
Cryptography typically uses (random) lattices β€such that
β€ β Zd is an integer latticeqZd β β€ is periodic modulo a small integer q.
Cryptographic functions based on q-ary latticesinvolve only arithmetic modulo q.
Definition (q-ary lattice)
β€ is a q-ary lattice if qZn β β€ β Zn
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 36 / 43
Q-ary Lattices and Cryptography
Examples of q-ary lattices
Examples (for any A 2 Znβ₯dq )
β€q(A) = {x | x mod q 2 ATZnq} β Zd
β€?q (A) = {x | Ax = 0 mod q} β Zd
TheoremFor any lattice β€ the following conditions are equivalent:
qZd β β€ β Zd
β€ = β€q(A) for some A
β€ = β€?q (A) for some A
For any fixed A, the lattices β€q(A) and β€?q (A) are diβ΅erent
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 37 / 43
Random Lattices in Cryptography
11
Ajtaiβs One Way FunctionQ-ary Lattices and Cryptography
Ajtaiβs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znβ₯m
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
β₯
n A
f
Ax
Theorem (Aβ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aβ96], Hashing [GGHβ97], Commit [KTXβ08], IDschemes [Lβ08], Signatures [LMβ08,GPVβ08,. . . ,DDLLβ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Q-ary Lattices and Cryptography
Ajtaiβs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znβ₯m
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
β₯
n Af
Ax
Theorem (Aβ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aβ96], Hashing [GGHβ97], Commit [KTXβ08], IDschemes [Lβ08], Signatures [LMβ08,GPVβ08,. . . ,DDLLβ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Q-ary Lattices and Cryptography
Ajtaiβs one-way function (SIS)
Parameters: m, n, q 2 ZKey: A 2 Znβ₯m
q
Input: x 2 {0, 1}m
Output: fA(x) = Ax mod q
m
xT
β₯
n Af
Ax
Theorem (Aβ96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in the
worst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [Aβ96], Hashing [GGHβ97], Commit [KTXβ08], IDschemes [Lβ08], Signatures [LMβ08,GPVβ08,. . . ,DDLLβ13] . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 39 / 43
Ajtai 96: For m > n log q, if lattice problems are hard to approximate in the worst case then fA(x) = A x mod q is a
one way function.
12
Regevβs One Way FunctionQ-ary Lattices and Cryptography
Regevβs Learning With Errors (LWE)
A 2 Zmβ₯kq , s 2 Zk
q , e 2 Em.
gA(s
; e
) = As
+ e
mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rβ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
β₯
m A
+ e
g
b
Applications: CPA PKE [Rβ05], CCA PKE [PWβ08], (H)IBE[GPVβ08,CHKPβ10,ABBβ10], FHE [. . . ,Bβ12,APβ13,GSWβ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
13
Regevβs One Way FunctionQ-ary Lattices and Cryptography
Regevβs Learning With Errors (LWE)
A 2 Zmβ₯kq , s 2 Zk
q , e 2 Em.
gA(s
; e
) = As
+ e
mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rβ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
β₯
m A
+ e
g
b
Applications: CPA PKE [Rβ05], CCA PKE [PWβ08], (H)IBE[GPVβ08,CHKPβ10,ABBβ10], FHE [. . . ,Bβ12,APβ13,GSWβ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
Q-ary Lattices and Cryptography
Regevβs Learning With Errors (LWE)
A 2 Zmβ₯kq , s 2 Zk
q , e 2 Em.
gA(s; e) = As+ e mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Rβ05)
The function gA(s, e) is hard to
invert on the average, assuming
SIVP is hard to approximate in the
worst-case.
k
sT
β₯
m A + eg
b
Applications: CPA PKE [Rβ05], CCA PKE [PWβ08], (H)IBE[GPVβ08,CHKPβ10,ABBβ10], FHE [. . . ,Bβ12,APβ13,GSWβ13], . . .
Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 41 / 43
Regev 05: The function gA(s, e) is hard to invert on the average assuming lattice problems are hard to
approximate in worst case
k*
An Example Encryption Scheme
14
β Encrypt (A, u) :
β Pick random vector s
β c0 = AT s + noise
β c1 = uT s + noise + q/2 msg
β Recall A (e) = u mod q hard to invert for short e
β Secret: e, Public : A, u
AT
uT
se
+
β Decrypt (e) :
β eT c0 β c1 = q/2 msg + noise Indistinguishable from random!
0
q-1
q/2
Can be made Fully Homomorphic! (BV11, BGV12, GSW13β¦)
15
Expressive Functionality:
Supports arbitrary circuits
Compact ciphertext,
independent of circuit size
Encryption and function evaluation
commute!Enc(f(x)) =* f(Enc(x))
* : roughly
All of cryptography is a jugalbandi between
16
Dancing the Dance
- correctness & security- algorithms & complexity - structure & randomness
Deniable Fully Homomorphic Encryption
Deniable FHEThe notion of Deniable FHE
Deniable Encryption
Fully Homomorphic Encryption
17
Deniable FHE (AGM21)
Vote 1 for me Vote 0 for me10
π π, ππ β πΊππ
π π
ππ
ππ‘! = πΈππ(ππ, π!; π)
ππ‘!
ππ‘" ππ‘# ππ‘$
, ππ‘", β¦ , ππ‘$
ππ‘β = πΈπ£ππ(Ξ£#&!' , ππ‘!, β¦ , ππ‘$)
π·ππ π π, ππ‘β = Ξ£#&!' π#
Bob, for whom did you vote?
18
10
π π
ππ
ππ‘! = πΈππ(ππ, π!; π)
ππ‘!
ππ‘" ππ‘# ππ‘$
, ππ‘", β¦ , ππ‘$
ππ‘β = πΈπ£ππ(Ξ£#&!' , ππ‘!, β¦ , ππ‘$)
π·ππ π π, ππ‘β = Ξ£#&!' π#
Bob, for whom did you vote? π( β πΉπππ(ππ, π!, π, π!)
π!, ππ!, πβ²
ππ, πΈππ(ππ, π!; π), π!, π( β) {ππ, πΈππ ππ, π!; π , π!, π}
ππ‘! = πΈππ ππ, π!; π = πΈππ(ππ, π!; π()
βFakeβ Distribution βHonestβ Distribution
Deniable FHE
19
Deniable FHE
β’ A Deniable FHE scheme (πΊππ, πΈππ, πΈπ£ππ, π·ππ, πΉπππ)
β’ (πΊππ, πΈππ, πΈπ£ππ, π·ππ) is an FHE scheme
β’ (πΊππ, πΈππ, π·ππ, πΉπππ) is a Deniable Encryption scheme
Deniable Encryption
Fully Homomorphic Encryption
20
Deniable FHE
A Deniable FHE scheme (πΊππ, πΈππ, πΈπ£ππ, π·ππ, πΉπππ) syntax
β’ πΊππ β ππ, π π
β’ πΈππ ππ,π; π = ππ‘
β’ π·ππ π π, ππ‘ = π
β’ πΈπ£ππ ππ, π, ππ‘", β¦ , ππ‘* = ππ‘β
β’ πΉπππ ππ, π, π, @π β πβ²
21
Special
Special Fully Homomorphic Encryption
Deniable FHEOur Construction of Deniable FHE
22
FHE: A Very Brief Recap
β’ All known FHE schemes add noise in CT for security.β’ Homomorphic evaluation of CTs (eval(f, ct1β¦ctn) ) cause noise to growβ’ Kills correctness after noise grows too muchβ’ Limits number of homomorphic operations
How to keep going: Gentryβs bootstrapping [Gen09]!
23
The Magic of Bootstrappingβ’ Assume that an encryption scheme is powerful enough to support evaluation of its own decryption circuit Dec.
β’ By correctness of decryption, Dec(ctx, sk) = x
β’ Define circuit Dec!" sk = Dec(sk, ct)β’ By correctness of homomorphic evaluation, Eval(F, ctx) = ct(F(x))
xDec , sk = x
Decct (sk)=skDecct , =Eval x24
The Magic of Bootstrappingβ’Originally introduced to reduce noise in evaluated ciphertext
β’Homomorphic evaluation of decryption β’ removes large old noise β’ adds small new noise (size small since decryption shallow)
AGM21: Oblivious Sampling of FHE ciphertexts!
25
The Magic of Bootstrappingβ’ Assume that decryption always outputs 0 or 1β’ even if input ct is not well formed
β’ Then, bootstrapping always outputs proper encryption of 0 or 1!
Decct (sk)=skDecct , =Eval x
Even if input βctβ is a random element in ciphertext space!
26
The Magic of Bootstrappingβ’ Assume that decryption outputs 0 w.o.p for random input
β’ Then, bootstrapping outputs encryption of 0 w.o.p for random input
Decrand (sk)=skDecrand , =Eval 0
Given enc(sk), run dec homomorphically on random to generate encryption of 0 w.o.p!
27
But, wait a minuteβ¦β’ Given encryption of 1, decryption outputs 1 w.o.p
β’ Encryption of 1 is indistinguishable from random!
β’ Can pretend as if ct1 = enc(1) is a random string
Decct1 (sk)=skDecct1 , =Eval 1
Pretend bootstrapping outputs enc(0) but actually enc(1)!28
Can provide randomness R so it looks like Bootstrap(R) = enc(0) but actually enc(1)
OK⦠but why is this useful?
Leveraging our trick (binary msg space)
β’ Let π΅ π₯ = πΈπ£ππ(ππ, π·ππ# , ππ‘$%) the bootstrapping procedure β’ recall π·ππ+ π π = π·ππ(π π, π₯)
β’ Denote homomorphic addition (mod 2) asπΈπ£ππ ππ, +, ππ‘& , ππ‘' = ππ‘& β ππ‘'
π΅ π ! ββ―βπ΅(π ") = Enc (Parity (π₯!, β¦ , π₯"))
30
Construction
πΊππ:1. (ππ, π π) β πΊππ2. ππ‘,* β πΈππ(ππ, π π)3. Output ππ = ππ, ππ‘,* , π π = π π
31
πΈππ(ππ, π):1. Sample π₯", β¦ , π₯$ β {0,1} s.t. β# π₯# = π (πππ 2)2. For π₯# = 0, sample π # β ββ
3. For π₯# = 1, sample π# β 0,1 β! and set π # = πΈππ(ππ, 1; π#)4. Compute ππ‘ = π΅ π " ββ―βπ΅(π $)5. Output ππ‘
π΅ ββ is a valid encryption of 0 w.h.p
Construction
32
Construction
πΉπππ(ππ, π, ππππ, ?π):1. If π = @π, output ππππ2. Sample π β [π] s.t. π₯* = 13. Set π₯*( = 0 and π *( = πΈππ ππ, 1; π*4. For π β π, set π #( = π # and π#( = π#5. Output ππππ( = (π₯"( , β¦ , π₯$( , π #( +"!&!, π#
(+"!&")
Pseudorandom Ciphertext
By pretending one ciphertext enc(1) is random, parity flipped!
33
Construction
πΈπ£ππ(ππ, π, ππ‘(, β¦ , ππ‘%):1. Interpret ππ‘# as special FHE ciphertext ππ‘#2. Output πΈπ£ππ(ππ, π, ππ‘", β¦ , ππ‘*)
π·ππ(ππ π, ππ‘): 1. Interpret ππ‘ as special FHE ciphertext ππ‘2. Output π·ππ(π π, ππ‘)
34
As before!
Special FHEDefinition and Instantiation
Special FHE
Can be removed
Circular security
π΅ ββ is a valid
encryption of 0 w.h.p
36
Can be weakenedwhp to wnnp
Usually OK
Pseudo-random
CT
Det. eval and
dec
[BGV14] FHE satisfies all properties!
Women in Science
37
Is Science Objective?
βWhenever the subject of women in science comes up, there are people fiercely committed to the idea that sexism does not exist. They will point to everything and anything else to explain differences while becoming angry and condescending if you even suggest that discrimination could be a factor. But these people are wrong. This data shows they are wrong.β
[Scientific American 2012]
38Can we be open to this idea?
Society has biases!A girl receives literally thousands of suggestions over time that tell her what her place/role isβ¦
- My earliest memory: Blessings received when touching feet of elders
- Todayβs experience: Prepared for women who (seem to) need, not for women who (seem to) lead
- Enormous pressure felt by (esp.) MS/PhD students about βown desiresβ versus family/expectations. Seen many bright young girls giving up or compromising heavily on career
39
Sometimes, discards/rebels. Often internalizes/compromises.
Gender Biased Forms
Faculty daughter or wife?
Students referred as βboysβ
Prof. X and Shweta, Dr. Uday and wife
Future of country depends on βthese guysβ
Society has biases! And Science?
42
Scientists are supposed to be objective, able to evaluate data and results without being swayed by emotions or biases. This is a fundamental tenet of science. What this extensive literature shows is, in fact, scientists are people, subject to the same cultural norms and beliefs as the rest of society.
[Prof. Alison Coil, UCSD]
β’ Women canβt do mathβ’ Women are good at rote learning not reasoningβ’ It is not feminine to argueβ’ Why would Google pay so much to hire a woman whose just
going to go on maternity leaveβ’ I saw a very beautiful woman on our floor today and I
wondered, what she is doing on the science floor?β’ Your paper has better chances since it will get sympathy,
being an all woman paperβ’ You left your parents to follow your desires? Our daughters
would never do thatβ’ If you study so much, who will marry you?β’ Women need to put family first
So⦠what next?
44
It only matters if you let it!
β’ Is this daunting/depressing? Seeing it is overcoming it!
β’ Reject these suggestions and they cannot touch you.β’ Calling it out? Take a call. β’ Preserve creative energy: results talk loudest!β’ Cultivate support systemβ’ Personally: Follow(ed) gut even when no support. Willing to accept consequences.
No Looking Back!
45Thank You
Images Credit: MF Hussain, Hans HoffmanSlides Credit: Daniele Micciancio, Chris Peikert, Saleet Mossel
Life is not easy for any of us. But what of that? We must have perseverance and above all confidence in ourselves. We must believe that we are gifted for something and that this thing must be attained.
-Marie Curie (first scientist to be awarded a Nobel Prize in two different categories)