On Public Key Encryption from Noisy Codewords

Several well-known public key encryption schemes, including those of Alekhnovich (FOCS 2003), Regev (STOC 2005), and Gentry, Peikert and Vaikuntanathan (STOC 2008), rely on the conjectured intractability of inverting noisy linear encodings. These schemes are limited in that they either require the underlying field to grow with the security parameter, or alternatively they can work over the binary field but have a low noise entropy that gives rise to sub-exponential attacks. Motivated by the goal of efficient public key cryptography, we study the possibility of obtaining improved security over the binary field by using different noise distributions. Inspired by an abstract encryption scheme of Micciancio (PKC 2010), we study an abstract encryption scheme that unifies all three schemes mentioned above and allows for arbitrary choices of the underlying field and noise distributions. Our main result establishes an unexpected connection between the power of such encryption schemes and additive combinatorics. Concretely, we show that under the "approximate duality conjecture" from additive combinatorics (Ben-Sasson and Zewi, STOC 2011), every instance of the abstract encryption scheme over the binary field can be attacked in time $$2^{O(\sqrt{n})}$$, where n is the maximum of the ciphertext size and the public key size, and where the latter excludes public randomness used for specifying the code. On the flip side, counterexamples to the above conjecture (if it is false) may lead to candidate public key encryption schemes with improved security guarantees. We also show, using a simple argument that relies on agnostic learning of parities (Kalai, Mansour and Verbin, STOC 2008), that any such encryption scheme can be unconditionally attacked in time $$2^{O(n/\log n)}$$, where n is the ciphertext size. Combining this attack with the security proof of Regev's cryptosystem, we immediately obtain an algorithm that solves the learning parity with noise (LPN) problem in time $$2^{O(n/\log\log n)}$$ using only $$n^{1+\epsilon}$$ samples, reproducing the result of Lyubashevsky (Random 2005) in a conceptually different way. Finally, we study the possibility of instantiating the abstract encryption scheme over constant-size rings to yield encryption schemes with no decryption error. We show that over the binary field decryption errors are inherent. On the positive side, building on the construction of matching vector families (Grolmusz, Combinatorica 2000; Efremenko, STOC 2009; Dvir, Gopalan and Yekhanin, FOCS 2010), we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.
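As an added illustration that is not part of the paper, the following toy Regev-style instance of the noisy-codeword scheme over GF(2) with Bernoulli noise makes the "decryption errors are inherent over the binary field" point concrete: decryption fails exactly when the encryption's row selector hits an odd number of noisy positions, so the error rate is fixed by the noise rate and the selector weight. The parameter names, the Bernoulli noise model and the fixed-weight selector are my choices, not the paper's abstract framework.

```python
import random

def dot(x, y):
    """Inner product over GF(2)."""
    return sum(a & b for a, b in zip(x, y)) & 1

def gen_keys(n, m, tau, rng):
    """Secret s in GF(2)^n; public key (A, b = A s + e), e ~ Bernoulli(tau)^m.
    b is a noisy codeword of the code generated by A (constructed toy instance)."""
    s = [rng.randrange(2) for _ in range(n)]
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
    e = [1 if rng.random() < tau else 0 for _ in range(m)]
    b = [dot(row, s) ^ ei for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, bit, w, rng):
    """Choose a random selector r of Hamming weight w over the m rows;
    ciphertext is (r^T A, r^T b + bit)."""
    A, b = pk
    idx = rng.sample(range(len(A)), w)
    u = [0] * len(A[0])
    v = bit
    for i in idx:
        u = [x ^ y for x, y in zip(u, A[i])]
        v ^= b[i]
    return u, v

def decrypt(sk, ct):
    """v - <u, s> = bit + r^T e, so the result is wrong exactly when r^T e = 1."""
    u, v = ct
    return v ^ dot(u, sk)

def error_prob(w, tau):
    """Exact probability that the parity of w independent Bernoulli(tau) bits is 1,
    i.e. the per-bit decryption error rate when the noise is fresh per ciphertext."""
    return (1 - (1 - 2 * tau) ** w) / 2

def empirical_error_rate(n, m, tau, w, trials, seed=0):
    """Fraction of random single-bit encryptions that decrypt incorrectly
    under one key pair; tau = 0 gives exactly 0, any tau > 0 gives a positive rate."""
    rng = random.Random(seed)
    sk, pk = gen_keys(n, m, tau, rng)
    errors = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        if decrypt(sk, encrypt(pk, bit, w, rng)) != bit:
            errors += 1
    return errors / trials
```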
