On Black-Box Separations in Cryptography

1
On Black-Box Separations in Cryptography
  • Omer Reingold

Closed captioning and other considerations
provided by Tal Malkin, Luca Trevisan, and Salil
Vadhan
2
Crypto - The Merry Old Days
3
Cryptographic Protocols, Primitives, and Assumptions
[Diagram labels: Strong RSA, Homomorphic Encryption, UOWHFs, PIRs, Dense Crypto System, ID Based Encryption, Electronic Voting, Factoring, Encryption, Digital Signatures, Identification, Electronic Commerce, RSA, One-Way Functions, Pseudo-Random Generators, Trapdoor Permutations, Oblivious Transfer, DDH]
4
Determining The Relationships Among Different Primitives
  • Most tasks in complexity-based crypto imply P ≠ NP
    (or even OWF).
  • Simplify our conception of the world.
  • Construct protocols with as strong security
    guarantee as possible.
  • Reductions: Given any secure implementation of
    primitive A, construct a secure implementation of
    primitive B.

5
Some Known Reductions
[Diagram labels: OWF, TDP, CLAW-FREE, PRG, COM, UOWHF, PKE, OT, NIZK, PRF, ZK, SIG, KA, CCA-PKE, CF-HASH, MAC, ENC, ID]
6
Is the Existence of All Crypto Primitives Equivalent?
  • If so: either no cryptography or Cryptomania!
  • But some tasks seem significantly harder than
    others (e.g. private key vs. public key
    encryption).
  • In what sense can we claim that primitive A does
    not imply primitive B if we believe that both
    exist? After all, a reduction of B to A can
    ignore A and build B from scratch ...

7
Black-Box Separations: Where It Began
[Impagliazzo-Rudich 89]
  • While it is not clear how to formalize/show
    non-implications in general, we can do that w.r.t.
    black-box reductions.

8
What's a Black Box Reduction?
  • What's not? Think of your favorite crypto
    reduction
  • (not you Boaz!)
  • most likely it was black-box.
  • Consider OWF ⇒ KA: what would a (strongly)
    black-box reduction look like?
  • Implementation: for any secure implementation f
    of a OWF, give a secure implementation of a KA.
  • Proof of security: for any adversary Eve that
    breaks the KA, show an adversary Adv that inverts
    f.
  • Black-box: both implementation and proof of
    security do not need to look at the internals of
    f and Eve. Instead only rely on input/output
    behavior (i.e., only use oracle access to f and
    Eve).
  • Meaningful even if f and Eve are not efficient.

9
More Formally: (Strongly) Black-Box Reductions
(for OWF ⇒ KA)
  • ∃ eff. (Alice, Bob), ∃ eff. Adv s.t. ∀f and ∀Eve:
    Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f
  • Various flavors:
  • Reversing quantifiers
  • Making proof of security less black-box.

10
Relativizing Reductions (OWF ⇒ KA)
  • Fully-BB reduction: ∃ eff. (Alice, Bob), ∃ eff.
    Adv s.t. ∀f and ∀Eve: Eve breaks (Alice^f, Bob^f)
    ⇒ Adv^{f,Eve} inverts f
  • Relativizing reduction: a proof that ∀ oracle O,
    if OWFs exist relative to O then so do KA
    schemes.
  • Exist relative to O?
  • For KA: ∃ eff. (Alice, Bob) s.t. (Alice^O, Bob^O) is
    a secure KA even against Eve^O where Eve is an
    efficient oracle machine.
  • Proposition: Fully BB-reduction is also
    relativizing.
  • Idea: f and Eve have secure implementation
    relative to O ⇒ so do (Alice^f, Bob^f) and
    Adv^{f,Eve}.

11
What's not Black Box?
  • No idea, ask Boaz
  • Oh well: Cook-Levin reduction is used in OWF
    ⇒ ZK proofs for all NP [GMW91]. Non-BB carries
    on to applications:
  • Semi-honest OT ⇒ malicious OT [GMW87]
  • OWF ⇒ ID schemes [FFS88]
  • Similarly, circuit of f used in secure
    computation of f [Yao86, GMW87]
  • [Beaver96]: Few OTs + OWF → Many OTs
  • Barak's non-BB ZK and subsequent results. Use
    both old and introduce new non-BB techniques.

12
What do Black-Box Separations Mean?
  • This talk will concentrate on mathematical
    rather than philosophical meaning. Still:
  • Few non-black-box techniques (and in limited
    settings). Inherent limitation on efficiency.
  • Therefore, black-box separations are an
    explanation/indication for the hardness of
    finding reductions (esp. efficient ones).
  • BB-reductions are more robust: they work w.r.t.
    physical implementations of primitives.

13
What do Black-Box Separations Mean?
  • Insight into the relevant primitives. Guidance
    for non black-box reductions or even for
    black-box reductions. (Sometimes most
    meaningful when looking inside the box.)
  • Few examples:
  • TDP seems to be of different complexity than
    OWF. [IR89] supports.
  • Collision resistant hashing might have seemed
    similar in nature to OWFs. [Simon98] challenged
    (this is consistent with recent cryptanalysis
    attacks against popular hash functions).
  • Insight on the role of interaction, adaptivity,

14
What do Black-Box Separations Mean?
  • Insight into the relevant primitives. Guidance
    for non black-box reductions or even for
    black-box reductions. (Sometimes most
    meaningful when looking inside the box.)
  • Guidance for black-box constructions?
  • Particular approach cannot be proved in a
    BB manner? May be easier to change approach.
  • Examples:
  • Want to reduce Stat-Commit to OWF? Probably not
    a good approach: Stat-Commit → OWP → OWF.
  • [Myers04] shows no BB proof for one particular
    natural construction (static to adaptive
    security).

15
What do Black-Box Separations Mean?
  • Insight into the relevant primitives. Guidance
    for non black-box reductions or even for
    black-box reductions. (Sometimes most
    meaningful when looking inside the box.)
  • Word of warning:
  • Potentially, a non black-box proof may follow a
    black-box approach most of the way with a
    small non black-box fix.

16
Black-Box and Oracle Separations
  • [IR89]: there exists an oracle relative to which
    one-way functions exist but key-agreement schemes
    do not. ⇒ No (fully) black-box reduction of
    key-agreement to one-way function.
  • Many other BB separations/lower
    bounds [Rud91, Sim98, KST99, KSS00, GKM00, GT00,
    GMR01, CHL02, ...]
  • Various notions of BB reductions, in particular
    not always implying oracle separation (e.g.
    [GMR01]).

17
Crypto After IR (Impagliazzo's Worlds)
[Diagram labels: Trapdoor Permutation, Secure Multi-Party Computation (OT), Public Key Encryption, Key Agreement, Private Key Encryption, One Way Functions, Digital Sig., Pseudorandom Generators; Algorithmica, Heuristica, Pessiland]
18
This Talk
  • [IR89]: the separation, its proof and
    interpretation of results.
  • As many separations and proof intuitions. Focus
    on techniques and subtleties.
  • Beware: some cheating involved

19
The Impagliazzo-Rudich Results
  • Thm: P=NP ⇒ No Key Agreement (KA) even in the
    presence of a Random Oracle.
  • Not that we care about KA if P=NP, but this
    means it is at least as hard to prove that KA
    exists with R.O. as to prove P≠NP.
  • Cor 1: There is an oracle relative to which OWP
    exists and KA does not.
  • The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE
  • Cor 2: There is no fully-BB reduction from KA to
    OWP.
  • Cor 3

20
[IR89] - Why f is OWP
  • Intuitively obvious: when trying to invert f on
    some y=f(x), have no chance unless accidentally
    query f on x.
  • With q queries, chances for that < 2q/2^n.
    Formally:
  • ∀M making q queries, ∀ n-bit y: Pr_f[M^f(y) =
    f^{-1}(y)] < (2q2)/2^n
  • To complete the proof need a couple of quantifier
    changes and saying Borel-Cantelli out loud.
  • Not too bad but less trivial than one would
    imagine and uses that Turing machines are
    enumerable.

21
Why f is OWP Against Circuits
  • Too many circuit families for previous (uniform)
    argument.
  • [GT00]: f is exponentially hard even against
    circuits.
  • High level idea: Consider C that makes q queries
    and ε-inverts f.
  • C gives some non-trivial information on f ⇒ a
    compact description of f, relative to C.
  • Setting parameters correctly: descriptions
    relative to C ≪ (2^n)! ⇒ C only ε-inverts an
    exponentially small fraction of the f's.

22
[IR89]: How Eve Finds the Secret
  • Recall, we assume P=NP, and want to show that ∀
    KA (Alice,Bob) ∃ eff. Eve s.t. Eve^f breaks
    (Alice^f, Bob^f).
  • P=NP implies that without f no cryptographic
    hardness. In particular, no KA!
  • In fact, for the purpose of oracle separation, we
    can essentially assume Eve, Alice and Bob are all
    powerful and only bounded by number of queries to
    f.
  • In this setting, a clear characterization of
    knowledge: the queries made to f and its
    answers.

23
[IR89]: How Eve Finds the Secret Cont.
  • Alice's view contains its secret randomness, the
    conversation transcript T of (Alice^f, Bob^f), and
    the list of query-answer pairs she made to f.
  • Same for Bob.
  • If s is the key agreed by Alice and Bob, can
    assume wlog that (s, f(s)) is in both their
    lists.
  • ⇒ Enough that Eve finds all likely
    intersection queries.

24
[IR89]: How Eve Finds the Secret Cont.
  • Eve's algorithm (oversimplified):
  • Let T be the transcript of (Alice^f, Bob^f), let L
    be Eve's list of queries and answers to f
    (initially empty).
  • Repeat polynomial number of times:
      • Simulate: sample a random view of Alice which is
        consistent with T and L.
      • Update: repeat all the queries made by simulated
        Alice, but this time to real f. Insert to L.
  • Output a random query from L.
  • Intuition:
      • Whenever simulated Alice is consistent with real
        Bob's view, simulated Alice has a fair chance to
        query s.
      • Any inconsistency reveals one of Bob's queries.
        This can happen only polynomial number of times.
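
The Simulate/Update loop above, run against a toy protocol, as an added example that is not part of the original slides. The Merkle-puzzle-style protocol, the names `RandomOracle`, `run_protocol`, `eve` and `demo`, and the parameters are assumptions made here; the agreed key is Bob's intersection query s. As a simplification, Eve stops once L contains the query that answers message 2 and outputs that query instead of a random one from L.

```python
import random

class RandomOracle:
    """Lazily sampled random function on {0..N-1} that counts its queries."""
    def __init__(self, rng):
        self.rng, self.table, self.queries = rng, {}, 0
    def __call__(self, x):
        self.queries += 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(64)  # collisions negligible
        return self.table[x]

def run_protocol(f, N, k, rng):
    """Toy two-message KA (constructed): returns (transcript T, agreed key s)."""
    alice = {x: f(x) for x in rng.sample(range(N), k)}  # Alice's query-answer list
    m1 = set(alice.values())                            # message 1: her k answers
    while True:                                         # Bob: about N/k queries
        s = rng.randrange(N)
        m2 = f(s)                                       # message 2 once it hits m1
        if m2 in m1:
            return (m1, m2), s                          # (s, f(s)) is in both lists

def eve(f, N, k, T, rng):
    """Simulate/Update loop from the slide; returns (key guess, queries used)."""
    m1, m2 = T
    L, start = {}, f.queries                            # Eve's query-answer list
    while m2 not in L.values():
        # Simulate: a uniformly random Alice view consistent with T and L keeps
        # every known hit, avoids every known miss, and fills up to k points.
        hits = sum(1 for y in L.values() if y in m1)
        unexplored = [x for x in range(N) if x not in L]
        fill = rng.sample(unexplored, min(k - hits, len(unexplored)))
        # Update: replay the simulated queries on the real f and insert into L.
        for x in fill:
            L[x] = f(x)
    guess = next(x for x, y in L.items() if y == m2)    # simplified output step
    return guess, f.queries - start

def demo(seed=1, k=32):
    rng = random.Random(seed)
    N = k * k                                           # honest parties: ~2k queries
    f = RandomOracle(rng)
    T, key = run_protocol(f, N, k, rng)
    honest = f.queries
    guess, eve_queries = eve(f, N, k, T, rng)
    return key, guess, honest, eve_queries

if __name__ == "__main__":
    print(demo())
```

Eve never queries a point twice, so her cost is at most N = k^2 oracle queries, polynomial in the roughly 2k queries the honest parties make.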

25
[IR89] Results Revisited
  • Thm: If P=NP, Key Agreement (KA) is impossible in
    the Random Oracle model.
  • Cannot get a more natural and meaningful
    separation.
  • How can a reduction overcome this separation?
  • Traditional interpretation: to overcome the
    separation the construction of KA must use code
    of OWP.
  • [RTV04] argues that there is no limitation in
    using OWP as a black box in construction of KA. ⇒
    Separation might be overcome using code of
    adversary in proof of security (as in
    [Bar01, Bar02]).

26
Taxonomy of BB Reductions [RTV04]
  • Fully-BB reduction: the proof of security is
    black box; need to consider any Eve, not
    necessarily an efficient one.
  • Two steps towards a black-box construction with
    arbitrary proof:
  • Semi-BB reduction: ∀ eff. Eve ∃ eff. Adv:
  • Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f
  • Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv:
  • Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f
  • Now Eve is really efficient.

27
OWF vs. OWP
  • [IR, KSS00]: Random Oracle separates OWF from OWP.
  • A much simpler argument for weaker result:
  • Thm: G^f is a permutation for every function f ⇒
    For all f can invert G^f (using a PSPACE-complete
    oracle).
  • Adv algorithm on input y = G^f(x):
  • Let L be a list of queries and answers to f
    (initially empty). Repeat polynomial number of
    times:
      • Simulate: generate some f' and x' such that f' is
        consistent with L and y = G^{f'}(x').
      • Update: repeat all the simulated queries of
        G^{f'}(x') but this time to real f. Insert to L.
  • Output last x'.
  • Correctness: If x' ≠ x then the evaluations G^f(x)
    and G^{f'}(x') must reveal a new inconsistency of f
    and f'.

28
OWF vs. OWP Cont.
  • Where is the weakness? To argue that G is
    insecure we assumed it is correct: G^f is a
    permutation for every function f.
  • Is this legitimate?

29
More on Relativizing vs. BB Reductions
  • In some scenarios (e.g. KA → OWF), No
    relativizing reduction ⇔ No fully-BB reduction.
  • Not always: Consider the construction of Trapdoor
    (poly-1) Functions from PKE.
  • [BHSV98] gives a construction in the random
    oracle model.
  • ⇒ Hard to come up with an oracle separation (as
    the oracle may potentially be used for
    BHSV-transformation).
  • [GMR01] solves it by showing for any particular
    construction an oracle that foils it (rather than
    giving one oracle that foils all constructions).
  • [Myers04] takes it further, considers one
    specific (but very natural) construction and
    gives an oracle that foils it.
  • Are we happy/unhappy with this?

30
[Rudich91]: Hard to Reduce Interaction
  • [Rud91]: Separate k-message KA from
    (k-1)-message KA.
  • For k=3: oracle O contains f1, f2, f3, length
    tripling random functions, R defined below, ? -
    PSPACE complete.
  • 3 KA
  • On an incorrect input R outputs a random string.

31
[Rud91]: No 2-KA (⇔ PKE) relative to O
  • Without R no KA [IR89]
  • Let (Alice,Bob) be a two-message protocol.
  • Assume Alice makes a useful query R(s,m3).
  • (s,m3) is a correct input to R ⇒ must have been
    created by 3 correct consecutive invocations ⇒
    either Alice or Bob must already know z,r,s.
  • If it's Alice, R is not needed.
  • Otherwise, Eve can also know (s,m3) and apply R.

32
How do we define BB access to a protocol?
  • In [Rudich91] and most subsequent works this
    means black-box access to the message function
    and output function of the parties.
  • Can consider a more restricted notion where the
    access is to a third party implementing the
    functionality. (Closer in spirit to a physical
    implementation).
  • May make arguments much simpler but need to be
    careful. For example, OT in this model does not
    imply OWF.
  • Other possible formalizations in between [HKNRR05]

33
OWF vs. Collision Resistant Hashing
  • [Simon98] gives an oracle separating the two.
  • Here: Simon Light. In particular, consider only
    regular hash functions (every image has the same
    number of preimages).
  • Regular coll. resistant implied by claw-free
    permutations.
  • Oracle: f - random functions, ? - PSPACE
    complete, and Q on input circuit C defined as
    follows: If C^g is regular for every function g
    then Q outputs uniformly selected x and x' such
    that C^f(x) = C^f(x').
  • Note: relative to this oracle may have
    collision-resistant hash functions (using Q
    itself). [Simon98] handles this case as well.

34
OWF vs. Collision Resistant Hashing Cont.
  • Oracle: f - random functions, ? - PSPACE
    complete, and Q on input circuit C defined as
    follows: If C^g is regular for every function g
    then Q outputs uniformly selected x and x' such
    that C^f(x) = C^f(x').
  • Proof intuition: Assume want to find f^{-1}(y).
  • Due to universal regularity, the only information
    given by x and x' are the values of f queried by
    the evaluations C^f(x), and C^f(x').
  • As long as none of these queries is f^{-1}(y), not
    much help.
  • By regularity, x and x' are each uniformly
    distributed (though they are correlated).
  • By union bound, only negligible chance to
    encounter f^{-1}(y).

35
Limitation On Efficiency
  • This line considers the most efficient
    (black-box) construction (rather than the minimal
    assumption necessary) [KST99, GT00, GGK03].
  • Example: OWP ⇒ PRG.
  • Thm [GT00]: PRG that expands the seed by k bits
    requires Ω(k/s) invocations of the OWP (where s
    is the security parameter of the OWP).

36
Limitation On Efficiency Cont.
  • Thm [GT00]: PRG that expands the seed by k bits
    requires Ω(k/s) invocations of the OWP (where s
    is the security parameter of the OWP).
  • Idea: Define f(w,z) = g(w),z, where w is O(s)-bit
    long and g is random ⇒ Each invocation only
    gives O(s) bits of randomness ⇒ Can simulate f
    using randomness from the seed.

37
Concluding Remarks
  • Many more beautiful arguments we did not touch!
  • BB separations - a useful research tool.
  • The extent to which the proof of security is
    black-box plays a major role.
  • Definitions are subtle, need to make sure we
    understand the mathematical/philosophical meaning
    of what we prove.

38
Some Open Problems
  • More Non black-box techniques.
  • Can we Razborov-Rudich Impagliazzo-Rudich?
  • Power of reductions that use code of primitive
    but are BB wrt adversary?

39
[GKMVR00]: incomparability of PKE and OT
  • OT ⇏ PKE by an extension of [Rud91]. PKE ⇏ OT by
    oracle containing f1, f2, R, ?, (similar to
    [Rud91]) to allow PKE. But with a small twist

Important: define f2 and R to output ⊥ on
incorrect inputs (sort of validity tests) ⇒
Prevent this specific key agreement from being
fakable, and turns out to be sufficient.