Are there any symmetric cryptosystems based on computational complexity assumptions?What is the relation between computational security and provable security?Assumptions on one-way functionsReason for difference in assumptions for practical private-key and public-key cryptoWhat does “Worst-case hardness” mean in lattice-based cryptography?Do we need symmetric cryptosystems?Reductionist proofs of decisional problems to computationalAre there any quantum-resistant symmetric encryption schemes?Defining Symmetric vs Asymmetric cryptosystemsIs AES (or DES) provably secure? What is the hardness assumption underlying these cryptosystems?Lattice Crypto worst case to average caseProof by reduction vs. hybrid argumentWhat conditions does a provable secure cryptosystem satisfy?
Are grass strips more dangerous than tarmac?
Why don't I have ground wiring on any of my outlets?
When was the word "ambigu" first used with the sense of "meal with all items served at the same time"?
Can a rogue effectively triple their speed by combining Dash and Ready?
Are there regional foods in Westeros?
Is there any Biblical Basis for 400 years of silence between Old and New Testament?
Select row of data if next row contains zero
Is it possible to kill all life on Earth?
How can an eldritch abomination hide its true form in public?
Self-Preservation: How to DM NPCs that Love Living?
How to write crossed north east and south east arrows?
How was Apollo supposed to rendezvous in the case of a lunar abort?
How to detach yourself from a character you're going to kill?
Does nuclear propulsion applied to military ships fall under civil or military nuclear power?
What does War Machine's "Canopy! Canopy!" line mean in "Avengers: Endgame"?
Why use water tanks from a retired Space Shuttle?
Future enhancements for the finite element method
Beginner's snake game using PyGame
How and where to change add to cart message in Magento 2?
Since Angular 8 uses @ViewChild, the new static option, how should I use it?
Is EUM the only possible translation for HIM as direct object?
'chmod' would set file permission to 000 no matter what permission I try to set
Why is Overload Resolution favoring unconstrained template function over a more specific one?
What does the behaviour of water on the skin of an aircraft in flight tell us?
Are there any symmetric cryptosystems based on computational complexity assumptions?
What is the relation between computational security and provable security?Assumptions on one-way functionsReason for difference in assumptions for practical private-key and public-key cryptoWhat does “Worst-case hardness” mean in lattice-based cryptography?Do we need symmetric cryptosystems?Reductionist proofs of decisional problems to computationalAre there any quantum-resistant symmetric encryption schemes?Defining Symmetric vs Asymmetric cryptosystemsIs AES (or DES) provably secure? What is the hardness assumption underlying these cryptosystems?Lattice Crypto worst case to average caseProof by reduction vs. hybrid argumentWhat conditions does a provable secure cryptosystem satisfy?
$begingroup$
Are there any symmetric cryptosystems which are provably secure in the sense that there exists a reduction from their security to the hardness of some underlying hard problem such as integer factorisation?
If not, why not?
symmetric provable-security
asked May 16 at 15:33
ChrisChris
61727
$endgroup$
add a comment |
$begingroup$
Are there any symmetric cryptosystems which are provably secure in the sense that there exists a reduction from their security to the hardness of some underlying hard problem such as integer factorisation?
If not, why not?
symmetric provable-security
asked May 16 at 15:33
ChrisChris
61727
$endgroup$
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04
add a comment |
$begingroup$
Are there any symmetric cryptosystems which are provably secure in the sense that there exists a reduction from their security to the hardness of some underlying hard problem such as integer factorisation?
If not, why not?
symmetric provable-security
asked May 16 at 15:33
ChrisChris
61727
$endgroup$
Are there any symmetric cryptosystems which are provably secure in the sense that there exists a reduction from their security to the hardness of some underlying hard problem such as integer factorisation?
If not, why not?
symmetric provable-security
symmetric provable-security
asked May 16 at 15:33
ChrisChris
61727
asked May 16 at 15:33
ChrisChris
61727
asked May 16 at 15:33
ChrisChris
61727
asked May 16 at 15:33
ChrisChris
61727
asked May 16 at 15:33
ChrisChris
61727
61727
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04
add a comment |
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
Finding uniform random $x$ given $x^3 bmodpq$ for uniform random 1024-bit primes $p$ and $q$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.*
Finding uniform random $k$ given $operatornameAES256_k(92187681)$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.
That said, the best estimates for the cost of (1) are much cheaper than the best estimates for (2), and the computation of $x^3 bmodpq$ is much costlier than the computation of $operatornameAES256_k(92187681)$. In other words, RSA-2048 is much more expensive for less security than AES-256.
You might be tempted to say that the RSA problem is a more fundamental problem in number theory, and as such is the only one that's really a ‘hard problem’. But it is precisely because RSA is embedded in a rich mathematical theory—as is needed for separate public key and private key operations!—that it is more vulnerable to attacks. In reality, AES is a much harder problem than RSA!
There are many symmetric cryptosystems that use AES, and for which there is a theorem that breaking them can't be much easier than breaking AES, such as AES-GCM. Similarly, there are many public-key cryptosystems that use the RSA trapdoor permutation, and for which there is a theorem that breaking them can't be much easier than inverting the RSA trapdoor permutation, like RSA-PSS and RSA-KEM.
The term ‘provable security’ means nothing more than there is a theorem. These cryptosystems—AES-GCM, RSA-PSS, and RSA-KEM alike—all have ‘provable security’ because there is a theorem, not because of any mathematical theory around AES or RSA. So does a 1-bit universal hashing authenticator have provable security, even though the amount of security it provides is so small an attacker will win with the probability of a fair coin toss coming up heads.
* Incidentally, while the RSA problem can't be harder than factorization, we don't have a proof that it can't be easier. There is some weak evidence—a reduction in the generic ring model—but there's no theorem that if factoring is hard then the RSA problem is hard. Hence not even the RSA problem has ‘provable security’ relative to factoring.
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
$endgroup$
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
add a comment |
$begingroup$
The cipher from Fully Homomorphic Encryption over the Integers is a candidate example.
It is a symmetric cipher that is provably reducible to the approximate greatest common divisor problem.
Note that it is symmetric in the sense of "the same key is used to encrypt and decrypt", as opposed to "extremely fast and useful for bulk data". The latter definition is typically assumed when the words "symmetric cipher" are used, but that is not the case here.
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
$endgroup$
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
add a comment |
$begingroup$
The existence of one-way functions (OWFs) implies symmetric-key encryption (SKE) through the following sequence of reductions:
- Build a pseudo-random generator (PRG) from the OWF using the HILL construction [H+] (This is not very efficient --- one gets better constructions from one-way permutations: see [BM]).
- Use the GGM construction [GGM] to construct a pseudo-random function (PRF) from this PRG
- The construction of SKE from PRF is folklore (the key of the PRF serves as the key $k$ of the SKE, and to encrypt a message $m$ in the range of the PRF, pick a random element $r$ from the domain of the PRF and set $moplus PRF_k(r)$).
- Alternatively, one can construct a block cipher a.k.a pseudo-random permutation (PRP) from the PRF using Luby-Rackoff [LR] --- once you have block ciphers, it is possible to encrypt arbitrary-sized messages using an appropriate mode of operation (e.g., CBC).
So, it boils down to the assumptions that yield OWFs as raised in this previous question. There are several candidate constructions of one-way functions from diverse problems arising from cryptography (e.g., stream ciphers, hash functions), complexity theory (e.g., the planted SAT and planted Clique problem), combinatorics (e.g., Goldreich's one-way function) and learning theory: I'd recommend reading Barak's recent survey titled "The Complexity of Public-Key Cryptography" for a thorough treatment of this topic. Number theoretic assumptions like integer factorisation or discrete-log problem also yield one-way functions, but they are in some sense an overkill as they have more "structure" than required for SKE.
In practice, however the constructions that you get by following the above chain of reductions are terribly inefficient and one relies on a (heuristic) block cipher like AES.
[BM] Blum and Micali. How to Generate Cryptographically Strong Sequence of Pseudorandom Bits. SIAM JoC’82.
[GGM] Goldreich, Goldwasser and Micali. How to Construct Random Functions. JACM’86.
[H+]: Håstad, Impagliazzo, Levin and Luby. A Pseudorandom Generator from Any One-Way Function. SIAM JoC’99.
[LR] Luby and Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM JoC’88.
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70597%2fare-there-any-symmetric-cryptosystems-based-on-computational-complexity-assumpti%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Finding uniform random $x$ given $x^3 bmodpq$ for uniform random 1024-bit primes $p$ and $q$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.*
Finding uniform random $k$ given $operatornameAES256_k(92187681)$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.
That said, the best estimates for the cost of (1) are much cheaper than the best estimates for (2), and the computation of $x^3 bmodpq$ is much costlier than the computation of $operatornameAES256_k(92187681)$. In other words, RSA-2048 is much more expensive for less security than AES-256.
You might be tempted to say that the RSA problem is a more fundamental problem in number theory, and as such is the only one that's really a ‘hard problem’. But it is precisely because RSA is embedded in a rich mathematical theory—as is needed for separate public key and private key operations!—that it is more vulnerable to attacks. In reality, AES is a much harder problem than RSA!
There are many symmetric cryptosystems that use AES, and for which there is a theorem that breaking them can't be much easier than breaking AES, such as AES-GCM. Similarly, there are many public-key cryptosystems that use the RSA trapdoor permutation, and for which there is a theorem that breaking them can't be much easier than inverting the RSA trapdoor permutation, like RSA-PSS and RSA-KEM.
The term ‘provable security’ means nothing more than there is a theorem. These cryptosystems—AES-GCM, RSA-PSS, and RSA-KEM alike—all have ‘provable security’ because there is a theorem, not because of any mathematical theory around AES or RSA. So does a 1-bit universal hashing authenticator have provable security, even though the amount of security it provides is so small an attacker will win with the probability of a fair coin toss coming up heads.
* Incidentally, while the RSA problem can't be harder than factorization, we don't have a proof that it can't be easier. There is some weak evidence—a reduction in the generic ring model—but there's no theorem that if factoring is hard then the RSA problem is hard. Hence not even the RSA problem has ‘provable security’ relative to factoring.
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
$endgroup$
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
add a comment |
$begingroup$
Finding uniform random $x$ given $x^3 bmodpq$ for uniform random 1024-bit primes $p$ and $q$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.*
Finding uniform random $k$ given $operatornameAES256_k(92187681)$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.
That said, the best estimates for the cost of (1) are much cheaper than the best estimates for (2), and the computation of $x^3 bmodpq$ is much costlier than the computation of $operatornameAES256_k(92187681)$. In other words, RSA-2048 is much more expensive for less security than AES-256.
You might be tempted to say that the RSA problem is a more fundamental problem in number theory, and as such is the only one that's really a ‘hard problem’. But it is precisely because RSA is embedded in a rich mathematical theory—as is needed for separate public key and private key operations!—that it is more vulnerable to attacks. In reality, AES is a much harder problem than RSA!
There are many symmetric cryptosystems that use AES, and for which there is a theorem that breaking them can't be much easier than breaking AES, such as AES-GCM. Similarly, there are many public-key cryptosystems that use the RSA trapdoor permutation, and for which there is a theorem that breaking them can't be much easier than inverting the RSA trapdoor permutation, like RSA-PSS and RSA-KEM.
The term ‘provable security’ means nothing more than there is a theorem. These cryptosystems—AES-GCM, RSA-PSS, and RSA-KEM alike—all have ‘provable security’ because there is a theorem, not because of any mathematical theory around AES or RSA. So does a 1-bit universal hashing authenticator have provable security, even though the amount of security it provides is so small an attacker will win with the probability of a fair coin toss coming up heads.
* Incidentally, while the RSA problem can't be harder than factorization, we don't have a proof that it can't be easier. There is some weak evidence—a reduction in the generic ring model—but there's no theorem that if factoring is hard then the RSA problem is hard. Hence not even the RSA problem has ‘provable security’ relative to factoring.
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
$endgroup$
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
add a comment |
$begingroup$
Finding uniform random $x$ given $x^3 bmodpq$ for uniform random 1024-bit primes $p$ and $q$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.*
Finding uniform random $k$ given $operatornameAES256_k(92187681)$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.
That said, the best estimates for the cost of (1) are much cheaper than the best estimates for (2), and the computation of $x^3 bmodpq$ is much costlier than the computation of $operatornameAES256_k(92187681)$. In other words, RSA-2048 is much more expensive for less security than AES-256.
You might be tempted to say that the RSA problem is a more fundamental problem in number theory, and as such is the only one that's really a ‘hard problem’. But it is precisely because RSA is embedded in a rich mathematical theory—as is needed for separate public key and private key operations!—that it is more vulnerable to attacks. In reality, AES is a much harder problem than RSA!
There are many symmetric cryptosystems that use AES, and for which there is a theorem that breaking them can't be much easier than breaking AES, such as AES-GCM. Similarly, there are many public-key cryptosystems that use the RSA trapdoor permutation, and for which there is a theorem that breaking them can't be much easier than inverting the RSA trapdoor permutation, like RSA-PSS and RSA-KEM.
The term ‘provable security’ means nothing more than there is a theorem. These cryptosystems—AES-GCM, RSA-PSS, and RSA-KEM alike—all have ‘provable security’ because there is a theorem, not because of any mathematical theory around AES or RSA. So does a 1-bit universal hashing authenticator have provable security, even though the amount of security it provides is so small an attacker will win with the probability of a fair coin toss coming up heads.
* Incidentally, while the RSA problem can't be harder than factorization, we don't have a proof that it can't be easier. There is some weak evidence—a reduction in the generic ring model—but there's no theorem that if factoring is hard then the RSA problem is hard. Hence not even the RSA problem has ‘provable security’ relative to factoring.
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
$endgroup$
Finding uniform random $x$ given $x^3 bmodpq$ for uniform random 1024-bit primes $p$ and $q$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.*
Finding uniform random $k$ given $operatornameAES256_k(92187681)$ is conjectured to be hard because smart, motivated cryptanalysts have spent decades trying to do so and have left only a track record of failure.
That said, the best estimates for the cost of (1) are much cheaper than the best estimates for (2), and the computation of $x^3 bmodpq$ is much costlier than the computation of $operatornameAES256_k(92187681)$. In other words, RSA-2048 is much more expensive for less security than AES-256.
You might be tempted to say that the RSA problem is a more fundamental problem in number theory, and as such is the only one that's really a ‘hard problem’. But it is precisely because RSA is embedded in a rich mathematical theory—as is needed for separate public key and private key operations!—that it is more vulnerable to attacks. In reality, AES is a much harder problem than RSA!
There are many symmetric cryptosystems that use AES, and for which there is a theorem that breaking them can't be much easier than breaking AES, such as AES-GCM. Similarly, there are many public-key cryptosystems that use the RSA trapdoor permutation, and for which there is a theorem that breaking them can't be much easier than inverting the RSA trapdoor permutation, like RSA-PSS and RSA-KEM.
The term ‘provable security’ means nothing more than there is a theorem. These cryptosystems—AES-GCM, RSA-PSS, and RSA-KEM alike—all have ‘provable security’ because there is a theorem, not because of any mathematical theory around AES or RSA. So does a 1-bit universal hashing authenticator have provable security, even though the amount of security it provides is so small an attacker will win with the probability of a fair coin toss coming up heads.
* Incidentally, while the RSA problem can't be harder than factorization, we don't have a proof that it can't be easier. There is some weak evidence—a reduction in the generic ring model—but there's no theorem that if factoring is hard then the RSA problem is hard. Hence not even the RSA problem has ‘provable security’ relative to factoring.
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
edited May 16 at 21:20
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
answered May 16 at 16:13
Squeamish OssifrageSqueamish Ossifrage
26.4k142119
26.4k142119
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
add a comment |
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
$begingroup$
A different way to say it is to say that "RSA has more structure than AES and thus is weaker", but of course you need that extra structure for public key encryption...
$endgroup$
– SEJPM♦
May 16 at 18:26
add a comment |
$begingroup$
The cipher from Fully Homomorphic Encryption over the Integers is a candidate example.
It is a symmetric cipher that is provably reducible to the approximate greatest common divisor problem.
Note that it is symmetric in the sense of "the same key is used to encrypt and decrypt", as opposed to "extremely fast and useful for bulk data". The latter definition is typically assumed when the words "symmetric cipher" are used, but that is not the case here.
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
$endgroup$
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
add a comment |
$begingroup$
The cipher from Fully Homomorphic Encryption over the Integers is a candidate example.
It is a symmetric cipher that is provably reducible to the approximate greatest common divisor problem.
Note that it is symmetric in the sense of "the same key is used to encrypt and decrypt", as opposed to "extremely fast and useful for bulk data". The latter definition is typically assumed when the words "symmetric cipher" are used, but that is not the case here.
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
$endgroup$
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
add a comment |
$begingroup$
The cipher from Fully Homomorphic Encryption over the Integers is a candidate example.
It is a symmetric cipher that is provably reducible to the approximate greatest common divisor problem.
Note that it is symmetric in the sense of "the same key is used to encrypt and decrypt", as opposed to "extremely fast and useful for bulk data". The latter definition is typically assumed when the words "symmetric cipher" are used, but that is not the case here.
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
$endgroup$
The cipher from Fully Homomorphic Encryption over the Integers is a candidate example.
It is a symmetric cipher that is provably reducible to the approximate greatest common divisor problem.
Note that it is symmetric in the sense of "the same key is used to encrypt and decrypt", as opposed to "extremely fast and useful for bulk data". The latter definition is typically assumed when the words "symmetric cipher" are used, but that is not the case here.
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
answered May 16 at 16:03
Ella Rose♦Ella Rose
17k44586
17k44586
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
add a comment |
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
$begingroup$
I wonder what security claims that scheme achieves, ie could one (probably) build CCA-secure encryption from that?
$endgroup$
– SEJPM♦
May 16 at 18:27
2
2
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
@SEJPM If solving Approximate Common Divisor problem is hard, then it is IND-CPA.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:09
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
$begingroup$
It is worth noting that several homomorphic public key schemes (even the ones over lattices) are construct on top of symmetric homomorphic ones, i.e. construct a private key homomorphic scheme, define the public key $pk = c_1, ..., c_ell$ where $c_i$'s are encryptions of zero, then encrypt message $m$ by taking a random linear combination of those publicly available ciphertexts and adding $m$, that is $Enc_pk(m) = sum r_i c_i + m$ for random $r_i in 0, 1$.
$endgroup$
– Hilder Vítor Lima Pereira
May 24 at 13:17
add a comment |
$begingroup$
The existence of one-way functions (OWFs) implies symmetric-key encryption (SKE) through the following sequence of reductions:
- Build a pseudo-random generator (PRG) from the OWF using the HILL construction [H+] (This is not very efficient --- one gets better constructions from one-way permutations: see [BM]).
- Use the GGM construction [GGM] to construct a pseudo-random function (PRF) from this PRG
- The construction of SKE from PRF is folklore (the key of the PRF serves as the key $k$ of the SKE, and to encrypt a message $m$ in the range of the PRF, pick a random element $r$ from the domain of the PRF and set $moplus PRF_k(r)$).
- Alternatively, one can construct a block cipher a.k.a pseudo-random permutation (PRP) from the PRF using Luby-Rackoff [LR] --- once you have block ciphers, it is possible to encrypt arbitrary-sized messages using an appropriate mode of operation (e.g., CBC).
So, it boils down to the assumptions that yield OWFs as raised in this previous question. There are several candidate constructions of one-way functions from diverse problems arising from cryptography (e.g., stream ciphers, hash functions), complexity theory (e.g., the planted SAT and planted Clique problem), combinatorics (e.g., Goldreich's one-way function) and learning theory: I'd recommend reading Barak's recent survey titled "The Complexity of Public-Key Cryptography" for a thorough treatment of this topic. Number theoretic assumptions like integer factorisation or discrete-log problem also yield one-way functions, but they are in some sense an overkill as they have more "structure" than required for SKE.
In practice, however the constructions that you get by following the above chain of reductions are terribly inefficient and one relies on a (heuristic) block cipher like AES.
[BM] Blum and Micali. How to Generate Cryptographically Strong Sequence of Pseudorandom Bits. SIAM JoC’82.
[GGM] Goldreich, Goldwasser and Micali. How to Construct Random Functions. JACM’86.
[H+]: Håstad, Impagliazzo, Levin and Luby. A Pseudorandom Generator from Any One-Way Function. SIAM JoC’99.
[LR] Luby and Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM JoC’88.
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
$endgroup$
add a comment |
$begingroup$
The existence of one-way functions (OWFs) implies symmetric-key encryption (SKE) through the following sequence of reductions:
- Build a pseudo-random generator (PRG) from the OWF using the HILL construction [H+] (This is not very efficient --- one gets better constructions from one-way permutations: see [BM]).
- Use the GGM construction [GGM] to construct a pseudo-random function (PRF) from this PRG
- The construction of SKE from PRF is folklore (the key of the PRF serves as the key $k$ of the SKE, and to encrypt a message $m$ in the range of the PRF, pick a random element $r$ from the domain of the PRF and set $moplus PRF_k(r)$).
- Alternatively, one can construct a block cipher a.k.a pseudo-random permutation (PRP) from the PRF using Luby-Rackoff [LR] --- once you have block ciphers, it is possible to encrypt arbitrary-sized messages using an appropriate mode of operation (e.g., CBC).
So, it boils down to the assumptions that yield OWFs as raised in this previous question. There are several candidate constructions of one-way functions from diverse problems arising from cryptography (e.g., stream ciphers, hash functions), complexity theory (e.g., the planted SAT and planted Clique problem), combinatorics (e.g., Goldreich's one-way function) and learning theory: I'd recommend reading Barak's recent survey titled "The Complexity of Public-Key Cryptography" for a thorough treatment of this topic. Number theoretic assumptions like integer factorisation or discrete-log problem also yield one-way functions, but they are in some sense an overkill as they have more "structure" than required for SKE.
In practice, however the constructions that you get by following the above chain of reductions are terribly inefficient and one relies on a (heuristic) block cipher like AES.
[BM] Blum and Micali. How to Generate Cryptographically Strong Sequence of Pseudorandom Bits. SIAM JoC’82.
[GGM] Goldreich, Goldwasser and Micali. How to Construct Random Functions. JACM’86.
[H+]: Håstad, Impagliazzo, Levin and Luby. A Pseudorandom Generator from Any One-Way Function. SIAM JoC’99.
[LR] Luby and Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM JoC’88.
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
$endgroup$
add a comment |
$begingroup$
The existence of one-way functions (OWFs) implies symmetric-key encryption (SKE) through the following sequence of reductions:
- Build a pseudo-random generator (PRG) from the OWF using the HILL construction [H+] (This is not very efficient --- one gets better constructions from one-way permutations: see [BM]).
- Use the GGM construction [GGM] to construct a pseudo-random function (PRF) from this PRG
- The construction of SKE from PRF is folklore (the key of the PRF serves as the key $k$ of the SKE, and to encrypt a message $m$ in the range of the PRF, pick a random element $r$ from the domain of the PRF and set $moplus PRF_k(r)$).
- Alternatively, one can construct a block cipher a.k.a pseudo-random permutation (PRP) from the PRF using Luby-Rackoff [LR] --- once you have block ciphers, it is possible to encrypt arbitrary-sized messages using an appropriate mode of operation (e.g., CBC).
So, it boils down to the assumptions that yield OWFs as raised in this previous question. There are several candidate constructions of one-way functions from diverse problems arising from cryptography (e.g., stream ciphers, hash functions), complexity theory (e.g., the planted SAT and planted Clique problem), combinatorics (e.g., Goldreich's one-way function) and learning theory: I'd recommend reading Barak's recent survey titled "The Complexity of Public-Key Cryptography" for a thorough treatment of this topic. Number theoretic assumptions like integer factorisation or discrete-log problem also yield one-way functions, but they are in some sense an overkill as they have more "structure" than required for SKE.
In practice, however the constructions that you get by following the above chain of reductions are terribly inefficient and one relies on a (heuristic) block cipher like AES.
[BM] Blum and Micali. How to Generate Cryptographically Strong Sequence of Pseudorandom Bits. SIAM JoC’82.
[GGM] Goldreich, Goldwasser and Micali. How to Construct Random Functions. JACM’86.
[H+]: Håstad, Impagliazzo, Levin and Luby. A Pseudorandom Generator from Any One-Way Function. SIAM JoC’99.
[LR] Luby and Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM JoC’88.
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
$endgroup$
The existence of one-way functions (OWFs) implies symmetric-key encryption (SKE) through the following sequence of reductions:
- Build a pseudo-random generator (PRG) from the OWF using the HILL construction [H+] (This is not very efficient --- one gets better constructions from one-way permutations: see [BM]).
- Use the GGM construction [GGM] to construct a pseudo-random function (PRF) from this PRG
- The construction of SKE from PRF is folklore (the key of the PRF serves as the key $k$ of the SKE, and to encrypt a message $m$ in the range of the PRF, pick a random element $r$ from the domain of the PRF and set $moplus PRF_k(r)$).
- Alternatively, one can construct a block cipher a.k.a pseudo-random permutation (PRP) from the PRF using Luby-Rackoff [LR] --- once you have block ciphers, it is possible to encrypt arbitrary-sized messages using an appropriate mode of operation (e.g., CBC).
So, it boils down to the assumptions that yield OWFs as raised in this previous question. There are several candidate constructions of one-way functions from diverse problems arising from cryptography (e.g., stream ciphers, hash functions), complexity theory (e.g., the planted SAT and planted Clique problem), combinatorics (e.g., Goldreich's one-way function) and learning theory: I'd recommend reading Barak's recent survey titled "The Complexity of Public-Key Cryptography" for a thorough treatment of this topic. Number theoretic assumptions like integer factorisation or discrete-log problem also yield one-way functions, but they are in some sense an overkill as they have more "structure" than required for SKE.
In practice, however the constructions that you get by following the above chain of reductions are terribly inefficient and one relies on a (heuristic) block cipher like AES.
[BM] Blum and Micali. How to Generate Cryptographically Strong Sequence of Pseudorandom Bits. SIAM JoC’82.
[GGM] Goldreich, Goldwasser and Micali. How to Construct Random Functions. JACM’86.
[H+]: Håstad, Impagliazzo, Levin and Luby. A Pseudorandom Generator from Any One-Way Function. SIAM JoC’99.
[LR] Luby and Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM JoC’88.
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
edited May 24 at 10:32
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
answered May 24 at 10:20
Occams_TrimmerOccams_Trimmer
1,63911119
1,63911119
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70597%2fare-there-any-symmetric-cryptosystems-based-on-computational-complexity-assumpti%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
The pohlig-helman cipher ($c=m^ebmod p$ for some secret $e,p$) could be a candidate for replacing AES in a "provably secure way" (though I couldn't find a proof right now).
$endgroup$
– SEJPM♦
May 16 at 18:31
$begingroup$
AES in CTR mode is just as ‘provable’ as Pohlig–Hellman in, say, CBC mode. Both of them rely on unproven conjectures: that AES and Pohlig–Hellman are PRPs. But AES is tremendously more efficient for the same conjectured security.
$endgroup$
– Squeamish Ossifrage
May 16 at 20:28
$begingroup$
If Hash function count, there was a candidate for SHA-3 based on lattice problems (SWIFFT).
$endgroup$
– LeoDucas
May 17 at 6:04