New Roads to Cryptopia
Amit Sahai
An NSF Frontier Center
OPACity Panel, May 19, 2019

Cryptography = Hardness*

*Let's ignore information-theoretic cryptography for now.

[Diagram labels: PKE, RSA, MPC, DDH, ZK, Signatures, Factoring, IBE, ABE, Short Signatures, FHE, Bilinear BDDH, LWE, Bilinear DLIN, Gentry's ICP, Crippleware, Obfuscation, FE, New Assumption, Weak Mmap Candidates]

What about all this space?

Starting from LWE [AJS18,Agr18,LM18,JLMS19]

Let $p$ be a $\lambda$-bit prime; $\chi$ be a poly-bounded error distribution for LWE; $n$ is poly($\lambda$).

1. Sample a vector $s$ over $\mathbb{Z}_p$
2. Sample $e_i \leftarrow \chi$ for $i \in [n]$
3. Sample random vectors $a_i$ over $\mathbb{Z}_p$ for $i \in [n]$

$\{a_i, \langle a_i, s \rangle + e_i \bmod p\}_{i \in [n]}$

We add leakage on $e$:

$\{q_\ell(\vec{e}, \vec{y}, \vec{z})\}_{\ell \in [n^{1+}]}$

The Actual New Assumption (this version from: [AJS18,JLMS19])

Here: $s$ a vector over $\mathbb{Z}_p$; $e_i, y_i, z_i \leftarrow \chi$; $a_i$ vectors over $\mathbb{Z}_p$;
Let $\delta_\ell$ be adversarial values bounded by poly($\lambda$)

$\{q_i\}$ sampled by efficient randomized algorithm. Each monomial has:
- Poly($\lambda$) bounded coefficients
- Degree-1 in $y$ and $z$
- Constant Degree $d$ in $e$

Now consider distributions:

Distribution D1: $\{a_i, \langle a_i, s \rangle + e_i \bmod p\}_{i \in [n]}$, $\{q_\ell(\vec{e}, \vec{y}, \vec{z}) + \delta_\ell\}_{\ell \in [n^{1+}]}$
Distribution D2: $\{a_i, \langle a_i, s \rangle + e_i \bmod p\}_{i \in [n]}$, $\{q_\ell(\vec{e}, \vec{y}, \vec{z})\}_{\ell \in [n^{1+}]}$

Assumption: No efficient adversary can distinguish D1 and D2 with advantage > 1-1/poly($\lambda$)
Can hold even if Adversary can distinguish with probability 99%!
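
A toy sampler for the two distributions above, added here as an illustration; it is not code from the slides or from the cited papers. Assumptions of this sketch: the vector dimension `dim`, the number of polynomials `m`, a uniform bounded stand-in for $\chi$, integer evaluation of each $q_\ell$, monomials read as one $y$ factor times one $z$ factor times $d$ factors of $e$, and random rather than adversarial $\delta_\ell$.

```python
import random

def is_prime(x):
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))

def random_prime(bits, rng):
    # p is a lambda-bit prime; trial division is enough at toy sizes
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def sample_poly(rng, n, d, terms, bound):
    # Monomial = (coefficient, d indices into e, one index into y, one into z)
    return [(rng.randint(-bound, bound), [rng.randrange(n) for _ in range(d)],
             rng.randrange(n), rng.randrange(n)) for _ in range(terms)]

def evaluate(poly, e, y, z):
    # Assumption of this sketch: q is evaluated over the integers
    total = 0
    for coef, e_idx, j, k in poly:
        term = coef * y[j] * z[k]
        for i in e_idx:
            term *= e[i]
        total += term
    return total

def sample_d1_d2(lam=16, dim=8, n=6, m=10, d=2, terms=4, bound=3, seed=1):
    # dim, m, terms, bound and seed are hypothetical toy parameters
    rng = random.Random(seed)
    p = random_prime(lam, rng)
    chi = lambda: rng.randint(-bound, bound)  # bounded stand-in for chi
    s = [rng.randrange(p) for _ in range(dim)]
    e, y, z = ([chi() for _ in range(n)] for _ in range(3))
    a = [[rng.randrange(p) for _ in range(dim)] for _ in range(n)]
    lwe = [(a[i], (sum(u * v for u, v in zip(a[i], s)) + e[i]) % p)
           for i in range(n)]
    polys = [sample_poly(rng, n, d, terms, bound) for _ in range(m)]
    leak = [evaluate(q, e, y, z) for q in polys]
    # Random stand-in for the adversarially chosen, bounded delta values
    delta = [rng.randint(-bound, bound) for _ in range(m)]
    d1 = (lwe, [v + dl for v, dl in zip(leak, delta)])  # LWE + shifted leakage
    d2 = (lwe, leak)                                    # LWE + exact leakage
    return {"p": p, "s": s, "e": e, "delta": delta, "D1": d1, "D2": d2}
```

Both outputs share the same LWE samples; only the leakage component differs, and only by the bounded shift.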

The Road Ahead

How do we deal with new assumptions?
- Simplicity (first and foremost?)
- Cryptanalysis
- Lower bounds
- Relations with existing assumptions

Fundamental issue: We don't know where/how/why structured hardness arises.
This is the only way for crypto to progress.
iO gives us the excuse to investigate new assumptions.
Even without iO: Crypto Dark Matter (TCC 2018)