Title: On Black-Box Separations in Cryptography
Slide 1: On Black-Box Separations in Cryptography
Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan
Slide 2: Crypto - The Merry Old Days
Slide 3: Cryptographic Protocols, Primitives, and Assumptions
Strong RSA
Homomorphic Encryption
UOWHFs
PIRs
Dense Crypto System
ID Based Encryption
Electronic Voting
Factoring
Encryption
Digital Signatures
Identification
Electronic Commerce
RSA
One-Way Functions
Pseudo-Random Generators
Trapdoor Permutations
Oblivious Transfer
DDH
Slide 4: Determining The Relationships Among Different Primitives
- Most tasks in complexity-based crypto imply P≠NP (or even OWF).
- Simplify our conception of the world.
- Construct protocols with as strong a security guarantee as possible.
- Reductions: given any secure implementation of primitive A, construct a secure implementation of primitive B.
Slide 5: Some Known Reductions
OWF
TDP
CLAW-FREE
PRG
COM
UOWHF
PKE
OT
NIZK
PRF
ZK
SIG
KA
CCA-PKE
CF-HASH
MAC
ENC
ID
Slide 6: Is the Existence of All Crypto Primitives Equivalent?
- If so, either no cryptography or Cryptomania!
- But some tasks seem significantly harder than others (e.g. private key vs. public key encryption).
- In what sense can we claim that primitive A does not imply primitive B if we believe that both exist? After all, a reduction of B to A can ignore A and build B from scratch ...
Slide 7: Black-Box Separations - Where it Began
Impagliazzo-Rudich 89
- While it is not clear how to formalize/show non-implications in general, we can do that w.r.t. black-box reductions.
Slide 8: What's a Black-Box Reduction?
- What's not? Think of your favorite crypto reduction (not you Boaz!) - most likely it was black-box.
- Consider OWF ⇒ KA: what would a (strongly) black-box reduction look like?
- Implementation: for any secure implementation f of a OWF, give a secure implementation of a KA.
- Proof of security: for any adversary Eve that breaks the KA, show an adversary Adv that inverts f.
- Black-box: both implementation and proof of security do not need to look at the internals of f and Eve. Instead they only rely on input/output behavior (i.e., only use oracle access to f and Eve).
- Meaningful even if f and Eve are not efficient.
Slide 9: More Formally - (Strongly) Black-Box Reductions (for OWF ⇒ KA)
- ∃ eff. (Alice, Bob), ∃ eff. Adv s.t. ∀f and ∀Eve: Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f
- Various flavors:
- Reversing quantifiers
- Making proof of security less black-box.
Slide 10: Relativizing Reductions (OWF ⇒ KA)
- Fully-BB reduction: ∃ eff. (Alice, Bob), ∃ eff. Adv s.t. ∀f and ∀Eve: Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f
- Relativizing reduction: a proof that ∀ oracle O, if OWFs exist relative to O then so do KA schemes.
- Exist relative to O?
- For KA: ∃ eff. (Alice, Bob) s.t. (Alice^O, Bob^O) is a secure KA even against Eve^O, where Eve is an efficient oracle machine.
- Proposition: a fully-BB reduction is also relativizing.
- Idea: f and Eve have a secure implementation relative to O ⇒ so do (Alice^f, Bob^f) and Adv^{f,Eve}.
Slide 11: What's not Black-Box?
- No idea, ask Boaz
- Oh well: the Cook-Levin reduction is used in OWF ⇒ ZK proofs for all NP [GMW91]. Non-BB carries on to applications:
- Semi-honest OT ⇒ malicious OT [GMW87]
- OWF ⇒ ID schemes [FFS88]
- Similarly, the circuit of f is used in secure computation of f [Yao86, GMW87]
- [Beaver96]: Few OTs + OWF → Many OTs
- Barak's non-BB ZK and subsequent results. Use both old and introduce new non-BB techniques.
Slide 12: What do Black-Box Separations Mean?
- This talk will concentrate on mathematical rather than philosophical meaning. Still:
- Few non black-box techniques (and in limited settings). Inherent limitation on efficiency.
- Therefore, black-box separations are an explanation/indication for the hardness of finding a reduction (esp. an efficient one).
- BB-reductions are more robust: they work w.r.t. physical implementations of primitives.
Slide 13: What do Black-Box Separations Mean?
- Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)
- A few examples:
- TDP seems to be of different complexity than OWF. [IR89] supports this.
- Collision resistant hashing might have seemed similar in nature to OWFs. [Simon98] challenged this (consistent with recent cryptanalytic attacks against popular hash functions).
- Insight on the role of interaction, adaptivity,
Slide 14: What do Black-Box Separations Mean?
- Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)
- Guidance for black-box constructions?
- A particular approach cannot be proved in a BB manner? May be easier to change approach.
- Examples:
- Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit → OWP → OWF.
- [Myers04] shows no BB proof for one particular natural construction (static to adaptive security).
Slide 15: What do Black-Box Separations Mean?
- Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)
- Word of warning:
- Potentially, a non black-box proof may follow a black-box approach most of the way, with a small non black-box fix.
Slide 16: Black-Box and Oracle Separations
- [IR89]: there exists an oracle relative to which one-way functions exist but key-agreement schemes do not. ⇒ No (fully) black-box reduction of key-agreement to one-way functions.
- Many other BB separations/lower bounds [Rud91, Sim98, KST99, KSS00, GKM00, GT00, GMR01, CHL02, ...]
- Various notions of BB reductions, in particular not always implying an oracle separation (e.g. [GMR01]).
Slide 17: Crypto After IR (Impagliazzo's Worlds)
Trapdoor Permutation
Secure Multi-Party Computation (OT)
Public Key Encryption
Key Agreement
Private Key Encryption
One Way Functions
Digital Sig.
Pseudorandom Generators
Algorithmica, Heuristica, Pessiland
Slide 18: This Talk
- [IR89]: the separation, its proof and interpretation of results.
- As many separations and proof intuitions as possible. Focus on techniques and subtleties.
- Beware: some cheating involved
Slide 19: The Impagliazzo-Rudich Results
- Thm: P=NP ⇒ No Key Agreement (KA), even in the presence of a Random Oracle.
- Not that we care about KA if P=NP, but this means it is at least as hard to prove that KA exists with a R.O. as to prove P≠NP.
- Cor 1: There is an oracle relative to which OWP exists and KA does not.
- The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE.
- Cor 2: There is no fully-BB reduction from KA to OWP.
- Cor 3:
Slide 20: IR89 - Why f is OWP
- Intuitively obvious: when trying to invert f on some y = f(x), there is no chance unless we accidentally query f on x.
- With q queries, the chance for that is < 2q/2^n.
- Formally: ∀ M making q queries, ∀ n-bit y: Pr_f[M^f(y) = f^{-1}(y)] < (2q+2)/2^n
- To complete the proof we need a couple of quantifier changes and saying Borel-Cantelli out loud.
- Not too bad, but less trivial than one would imagine, and uses that Turing machines are enumerable.
Slide 21: Why f is OWP Against Circuits
- Too many circuit families for the previous (uniform) argument.
- [GT00]: f is exponentially hard even against circuits.
- High level idea: consider C that makes q queries and ε-inverts f.
- C gives some non-trivial information on f ⇒ a compact description of f, relative to C.
- Setting parameters correctly: the number of descriptions relative to C is << (2^n)! ⇒ C only ε-inverts an exponentially small fraction of the f's.
Slide 22: IR89 - How Eve Finds the Secret
- Recall, we assume P=NP, and want to show that ∀ KA (Alice, Bob) ∃ eff. Eve s.t. Eve^f breaks (Alice^f, Bob^f).
- P=NP implies that without f there is no cryptographic hardness. In particular, no KA!
- In fact, for the purpose of oracle separation, we can essentially assume Eve, Alice and Bob are all-powerful and only bounded by the number of queries to f.
- In this setting, a clear characterization of knowledge: the queries made to f and their answers.
Slide 23: IR89 - How Eve Finds the Secret, Cont.
- Alice's view contains her secret randomness, the conversation transcript T of (Alice^f, Bob^f), and the list of query-answer pairs she made to f.
- Same for Bob.
- If s is the key agreed by Alice and Bob, we can assume w.l.o.g. that (s, f(s)) is in both their lists.
- ⇒ Enough that Eve finds all likely intersection queries.
Slide 24: IR89 - How Eve Finds the Secret, Cont.
- Eve's algorithm (over-simplified):
- Let T be the transcript of (Alice^f, Bob^f), let L be Eve's list of queries and answers to f (initially empty).
- Repeat a polynomial number of times:
- Simulate: sample a random view of Alice which is consistent with T and L.
- Update: repeat all the queries made by simulated Alice, but this time to the real f. Insert them into L.
- Output a random query from L.
- Intuition:
- Whenever simulated Alice is consistent with real Bob's view, simulated Alice has a fair chance to query s.
- Any inconsistency reveals one of Bob's queries. This can happen only a polynomial number of times.
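Eve's simulate/update loop from the slide, run on a toy Merkle-puzzle style 2-message KA in the random-oracle model (an added example written for this page, not code from the talk or from [IR89]). The oracle size N, the honest query budget K, the toy protocol and all names are constructed assumptions; the honest parties use about sqrt(N) queries and Eve recovers the key with at most N queries, i.e. polynomially (here quadratically) many in the honest parties' count, which is exactly what the separation says cannot be avoided.

```python
import random
N = 1 << 12   # toy oracle domain {0..N-1} (constructed; far too small for real security)
K = 64        # number of points Alice queries, about sqrt(N)

class RandomOracle:
    """Random permutation f; every query is counted: in IR89 a party knows f only via its queries."""
    def __init__(self, seed):
        self.table = list(range(N))
        random.Random(seed).shuffle(self.table)
        self.queries = 0
    def f(self, x):
        self.queries += 1
        return self.table[x]

def merkle_style_ka(oracle, rng):
    """Toy 2-message KA (Merkle-puzzle style); returns (transcript T, Bob's key)."""
    msg1 = {oracle.f(x) for x in rng.sample(range(N), K)}  # Alice -> Bob: images of K points
    while True:                                            # Bob: query until an image collides
        x = rng.randrange(N)
        y = oracle.f(x)
        if y in msg1:
            return (msg1, y), x                            # Bob -> Alice: y; key = f^-1(y)

def eve_ir89(transcript, oracle, rng):
    """Eve as in IR89: repeat {simulate a random Alice view consistent with T and L;
    update L by re-asking the real f the queries that simulated Alice made}."""
    msg1, y_star = transcript
    L = {}                                 # Eve's query/answer list, initially empty
    while y_star not in L.values():        # stop once the key's preimage is in L
        inv = {y: x for x, y in L.items()}
        sim = []
        for y in msg1:                     # simulated Alice needs a preimage of each announced y
            if y in inv:                   # forced by L: every f consistent with L agrees here
                sim.append(inv[y])
                continue
            x = rng.randrange(N)           # outside L, f is unconstrained: any fresh point fits
            while x in L or x in sim:
                x = rng.randrange(N)
            sim.append(x)
        for x in sim:                      # update: same queries, now to the real oracle
            if x not in L:
                L[x] = oracle.f(x)
    return next(x for x, y in L.items() if y == y_star)

def run(seed=1):  # -> (Eve's key == Bob's key, honest parties' queries, Eve's queries)
    oracle, rng = RandomOracle(seed), random.Random(seed)
    transcript, bob_key = merkle_style_ka(oracle, rng)
    honest = oracle.queries
    eve_key = eve_ir89(transcript, oracle, rng)
    return eve_key == bob_key, honest, oracle.queries - honest
```

The slide's "output a random query from L" is replaced by stopping as soon as the announced image's preimage appears in L, which is the event the intuition bullets argue happens after polynomially many rounds.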
Slide 25: IR89 Results Revisited
- Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model.
- Cannot get a more natural and meaningful separation.
- How can a reduction overcome this separation?
- Traditional interpretation: to overcome the separation, the construction of KA must use the code of the OWP.
- [RTV04] argues that there is no limitation in using the OWP as a black box in the construction of KA. ⇒ The separation might be overcome using the code of the adversary in the proof of security (as in [Bar01, Bar02]).
Slide 26: Taxonomy of BB Reductions [RTV04]
- Fully-BB reduction: the proof of security is black box; need to consider any Eve, not necessarily an efficient one.
- Two steps towards a black-box construction with an arbitrary proof:
- Semi-BB reduction: ∀ eff. Eve ∃ eff. Adv:
- Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f
- Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv:
- Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f
- Now Eve is really efficient.
Slide 27: OWF vs. OWP
- [IR, KSS00]: a Random Oracle separates OWF from OWP.
- A much simpler argument for a weaker result:
- Thm. G^f is a permutation for every function f ⇒ for all f we can invert G^f (using a PSPACE-complete oracle).
- Adv algorithm on input y = G^f(x):
- Let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times:
- Simulate: generate some f' and x' such that f' is consistent with L and y = G^{f'}(x').
- Update: repeat all the simulated queries of G^{f'}(x'), but this time to the real f. Insert them into L.
- Output the last x'.
- Correctness: if x' ≠ x then the evaluations G^f(x) and G^{f'}(x') must reveal a new inconsistency between f and f'.
Slide 28: OWF vs. OWP, Cont.
- Where is the weakness? To argue that G is insecure we assumed it is correct: G^f is a permutation for every function f.
- Is this legitimate?
Slide 29: More on Relativizing vs. BB Reductions
- In some scenarios (e.g. KA → OWF): no relativizing reduction ⇔ no fully-BB reduction.
- Not always: consider the construction of Trapdoor (poly-1) Functions from PKE.
- [BHSV98] gives a construction in the random oracle model.
- ⇒ Hard to come up with an oracle separation (as the oracle may potentially be used for the BHSV transformation).
- [GMR01] solves it by showing, for any particular construction, an oracle that foils it (rather than giving one oracle that foils all constructions).
- [Myers04] takes it further: considers one specific (but very natural) construction and gives an oracle that foils it.
- Are we happy/unhappy with this?
Slide 30: Rudich91 - Hard to Reduce Interaction
- [Rud91]: Separate k-message KA from (k-1)-message KA.
- For k=3: oracle O contains f1, f2, f3 (length-tripling random functions), R (defined below), and a PSPACE-complete oracle.
- 3-message KA (protocol figure not recoverable)
- On an incorrect input, R outputs a random string.
Slide 31: Rud91 - No 2-KA (⇒ PKE) relative to O
- Without R, no KA [IR89].
- Let (Alice, Bob) be a two-message protocol.
- Assume Alice makes a useful query R(s, m3).
- (s, m3) is a correct input to R ⇒ it must have been created by 3 correct consecutive invocations ⇒ either Alice or Bob must already know z, r, s.
- If it's Alice, R is not needed.
- Otherwise, Eve can also know (s, m3) and apply R.
Slide 32: How do we define BB access to a protocol?
- In [Rudich91] and most subsequent works this means black-box access to the message function and output function of the parties.
- Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation.)
- May make arguments much simpler, but need to be careful. For example, OT in this model does not imply OWF.
- Other possible formalizations in between [HKNRR05].
Slide 33: OWF vs. Collision Resistant Hashing
- [Simon98] gives an oracle separating the two.
- Here: Simon Light. In particular, consider only regular hash functions (every image has the same number of preimages).
- Regular collision resistance is implied by claw-free permutations.
- Oracle: f (random functions), a PSPACE-complete oracle, and Q, which on input circuit C is defined as follows: if C^g is regular for every function g then Q outputs uniformly selected x and x' such that C^f(x) = C^f(x').
- Note: relative to this oracle there may be collision-resistant hash functions (using Q itself). [Simon98] handles this case as well.
Slide 34: OWF vs. Collision Resistant Hashing, Cont.
- Oracle: f (random functions), a PSPACE-complete oracle, and Q, which on input circuit C is defined as follows: if C^g is regular for every function g then Q outputs uniformly selected x and x' such that C^f(x) = C^f(x').
- Proof intuition: assume we want to find f^{-1}(y).
- Due to universal regularity, the only information given by x and x' is the values of f queried by the evaluations C^f(x) and C^f(x').
- As long as none of these queries is f^{-1}(y), not much help.
- By regularity, x and x' are each uniformly distributed (though they are correlated).
- By a union bound, only a negligible chance to encounter f^{-1}(y).
Slide 35: Limitation On Efficiency
- This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99, GT00, GGK03].
- Example: OWP ⇒ PRG.
- Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP).
Slide 36: Limitation On Efficiency, Cont.
- Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP).
- Idea: define f(w,z) = (g(w), z), where w is O(s) bits long and g is random ⇒ each invocation only gives O(s) bits of randomness ⇒ can simulate f using randomness from the seed.
Slide 37: Concluding Remarks
- Many more beautiful arguments we did not touch!
- BB separations: a useful research tool.
- The extent to which the proof of security is black-box plays a major role.
- Definitions are subtle; need to make sure we understand the mathematical/philosophical meaning of what we prove.
Slide 38: Some Open Problems
- More non black-box techniques.
- Can we "Razborov-Rudich" Impagliazzo-Rudich?
- Power of reductions that use the code of the primitive but are BB w.r.t. the adversary?
Slide 39: GKMVR00 - Incomparability of PKE and OT
- OT ⇏ PKE by an extension of [Rud91]. PKE ⇏ OT by an oracle containing f1, f2, R and a PSPACE-complete oracle (similar to [Rud91]) to allow PKE. But with a small twist. Important: define f2 and R to output ⊥ on incorrect inputs (sort of validity tests) ⇒ prevents this specific key agreement from being fakable, and turns out to be sufficient.