On Black-Box Separations in Cryptography

1
On Black-Box Separations in Cryptography

• Omer Reingold

Closed captioning and other considerations
provided by Tal Malkin, Luca Trevisan, and Salil
Vadhan
2
Crypto - The Merry Old Days
3
Cryptographic Protocols, Primitives, and
Assumptions
Strong RSA
Homomorphic Encryption
UOWHFs
PIRs
Dense Crypto System
ID Based Encryption
Electronic Voting
Factoring
Encryption
Digital Signatures
Identification
Electronic Commerce
RSA
One-Way Functions
Pseudo-Random Generators
Trapdoor Permutations
Oblivious Transfer
DDH
4
Determining The Relationships Among Different
Primitives

• Most tasks in complexity-based crypto imply P¹NP
  (or even OWF).
• Simplify our conception of the world.
• Construct protocols with as strong security
  guarantee as possible.
• Reductions Given any secure implementation of
  primitive A, construct a secure implementation of
  primitive B.

5
Some Known Reductions
OWF
TDP
CLAW-FREE
PRG
COM
UOWHF
PKE
OT
NIZK
PRF
ZK
SIG
KA
CCA-PKE
CF-HASH
MAC
ENC
ID
6
Is the Existence of All Crypto Primitives
Equivalent?

• If so either no cryptography or Cryptomania!
• But some tasks seem significantly harder than
  others (e.g. private key vs. public key
  encryption).
• In what sense can we claim that primitive A does
  not imply primitive B if we believe that both
  exist? After all, a reduction of B to A can
  ignore A and build B from scratch ...

7
Black-Box Separations Where it Begun
Impagliazzo-Rudich 89

• While not clear how to formalize/show
  non-implications in general can do that wrt
  black-box reductions.

8
What's a Black Box Reduction?

• Whats not? Think of your favorite crypto
  reduction
• (not you Boaz!)
• most likely it was black-box.
• Consider OWF ? KA, what would a (strongly)
  black-box reduction look like?
• Implementation for any secure implementation f
  of a OWF give a secure implementation of a KA.
• Proof of security for any adversary Eve that
  breaks the KA show an adversary Adv that inverts
  the KA.
• Black-box both implementation and proof of
  security do not need to look at the internals of
  f and Eve. Instead only rely on input/output
  behavior (i.e., only use oracle access to f and
  Eve).
• Meaningful even if f and Eve are not efficient.

9
More Formally (Strongly) Black-Box Reductions
(for OWF ? KA)

• ? eff. (Alice, Bob), ?eff. Adv s.t. ?f and ?Eve
  Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f
  
• Various flavors
• Reversing quantifiers
• Making proof of security less black-box.

10
Relativizing Reductions (OWF ? KA)

• Fully-BB reduction ? eff. (Alice, Bob), ?eff.
  Adv s.t. ?f and ?Eve Eve breaks (Alicef,Bobf)
  ) Advf, Eve inverts f
• Relativizing reduction a proof that ? oracle O
  if OWFs exist relative to O then so do KA
  schemes.
• Exist relative to O?
• For KA ? eff. (Alice, Bob) s.t. (AliceO,BobO) is
  a secure KA even against EveO where Eve is an
  efficient oracle machine.
• Proposition Fully BB-reduction is also
  relativizing.
• Idea f and Eve have secure implementation
  relative to O ? so do (Alicef,Bobf) and Advf, Eve
  .

11
What's not Black Box?

• No idea ask Boaz
• Oh well Cook-Levin reduction is used in OWF
  ? ZK proofs for all NP GMW91 NonBB carries
  on to applications
• Semi-honest OT ? malicious OT GMW87
• OWF ? ID schemes FFS88
• Similarly, circuit of f used in secure
  computation of f Yao86,GMW87
• Beaver96 Few OTs OWF -gt Many OTs
• Baraks Non-BB ZK and subsequent results. Use
  both old and introduces new non-bb techniques.

12
What do Black-Box Separations Mean?

• This talk will concentrate on mathematical
  rather than philosophical meaning. Still
• Few Non black-box techniques (and in limited
  settings). Inherent limitation on efficiency.
• Therefore, black-box separations are
  explanation/indication for the hardness of
  finding reduction (esp. efficient ones).
• BB-reductions more robust work wrt. physical
  implementations of primitives.

13
What do Black-Box Separations Mean?

• Insight into the relevant primitives. Guidance
  for non black-box reductions or even for
  black-box reductions. (Sometimes most
  meaningful when looking inside the box.)
• Few Examples
• TDP seems to be of different complexity than
  OWF. IR89 supports.
• Collision resistant hashing might have seemed
  similar in nature to OWFs. Simon98 challenged
  (this is consistentwith recent cryptanalysis
  attacks against popular hash functions).
• Insight on the role of interaction, adaptivity,

14
What do Black-Box Separations Mean?

• Insight into the relevant primitives. Guidance
  for non black-box reductions or even for
  black-box reductions. (Sometimes most
  meaningful when looking inside the box.)
• Guidance for black-box constructions?
• Particular approach cannot be proved in
  BBmanner? May be easier to change approach.
• Examples
• Want to reduce Stat-Commit to OWF? Probably not
  a good approach Stat-Commit -gt OWP -gt OWF.
• Myers 04, shows no BB proof for one particular
  natural construction (static to adaptive
  security).

15
What do Black-Box Separations Mean?

• Insight into the relevant primitives. Guidance
  for non black-box reductions or even for
  black-box reductions. (Sometimes most
  meaningful when looking inside the box.)
• Word of warning
• Potentially, a non black-box proof may follow a
  black-box approach most of the way with a
  small non black-box fix.

16
Black-Box and Oracle Separations

• IR89 there exists an oracle relative to which
  one-way functions exist but key-agreement schemes
  do not. ? No (fully) black-box reduction of
  key-agreement to one-way function.
• Many other BB separations/lower
  boundsRud91,Sim98,KST99,KSS00,GKM00,GT00,GMR01,
  CHL02,...
• Various notions of BB reductions, in particular
  not always implying oracle separation (e.g.
  GMR01).

17
Crypto After IR (Impagliazzos Worlds)
Trapdoor Permutation
Secure Multi-Party Computation (OT)
Public Key Encryption
Key Agreement
Private Key Encryption
One Way Functions
Digital Sig.
Pseudorandom Generators
Algoritmica, Heuristica, Pessiland
18
This Talk

• IR89 The separation, its proof and
  interpretation of results.
• As many separations and proof intuitions. Focus
  on techniques and subtleties.
• Beware some cheating involved

19
The Impagliazzo-Rudich Results

• Thm PNP ? No Key Agreement (KA) even in the
  presence of a Random Oracle.
• Not that we care about KA if PNP, but this
  means it is at least as hard to prove that KA
  exists with R.O. as to prove P?NP.
• Cor 1 There is an oracle relative to which OWP
  exists and KA does not.
• The oracle (f, PSPACE) since PPSPACENPPSPACE
• Cor 2 There is no fully-BB reduction from KA to
  OWP.
• Cor 3

20
IR89 - Why f is OWP

• Intuitively obvious when trying to invert f on
  some yf(x), have no chance unless accidentally
  query f on x.
• With q queries chances for that lt 2q/2n
  Formally
• ? M making q queries, ? n-bit y PrfMf(y)
  f-1(y) lt (2q2)/2n
• To complete the proof need a couple of quantifier
  changes and saying Borel-Cantelli out loud.
• Not too bad but less trivial than one would
  imagine and uses that Turing machines are
  enumerable.

21
Why f is OWP Against Circuits

• Too many circuit families for previous (uniform)
  argument.
• GT00 f is exponentially hard even against
  circuits.
• High level idea Consider C that makes q queries
  and ?-inverts f.
• C gives some non-trivial information on f ? a
  compact description of f, relative to C.
• Setting parameters correctly descriptions
  relative to C ltlt (2n)! ? C only ?-invert
  exponentially small fraction of the fs.

22
IR89 How Eve Finds the Secret

• Recall, we assume PNP, and want to show that ?
  KA (Alice,Bob) ? eff. Eve s.t. Evef breaks
  (Alicef,Bobf).
• PNP implies that without f no cryptographic
  hardness. In particular, no KA !
• In fact, for the purpose of oracle separation, we
  can essentially assume Eve, Alice and Bob are all
  powerful and only bounded by number of queries to
  f.
• In this setting, a clear characterization of
  knowledge The queries made to f and its
  answers.

23
IR89 How Eve Finds the Secret Cont.

• Alices view contains its secret randomness, the
  conversation transcript T of (Alicef,Bobf), and
  the list of query-answer pairs she made to f.
• Same for Bob.
• If s is the key agreed by Alice and Bob, can
  assume wlog that (s, f(s)) is in both their
  lists.
• ? Enough that Eve finds all likely
  intersection queries.

24
IR89 How Eve Finds the Secret Cont.

• Eves algorithm (over simplified)
• Let T be the transcript of (Alicef,Bobf), let L
  be Eves list of queries and answers to f
  (initially empty).
• Repeat polynomial number of times
• Simulate sample a random view of Alice which is
  consistent with T and L.
• Update Repeat all the queries made by simulated
  Alice, but this time to real f. Insert to L.
• Output a random query from L.
• Intuition
• Whenever simulated Alice is consistent with real
  Bobs view, simulated Alice has a fair chance to
  query s.
• Any inconsistency reveals one of Bobs queries.
  This can happen only polynomial number of times.

25
IR89 Results Revisited

• Thm If PNP, Key Agreement (KA) is impossible in
  the Random Oracle model.
• Cannot get a more natural and meaningful
  separation.
• How can a reduction overcome this separation?
• Traditional interpretation to overcome the
  separation the construction of KA must use code
  of OWP.
• RTV04 argues that there is no limitation in
  using OWP as a black box in construction of KA.?
  Separation might be overcome using code of
  adversary in proof of security (as in
  Bar01,Bar02).

26
Taxonomy of BB Reductions RTV04

• Fully-BB reduction the proof of security is
  black box need to consider any Eve not
  necessarily an efficient one.
• Two steps towards a black-box construction with
  arbitrary proof
• Semi-BB reduction ? eff Eve ? eff. Adv
• Evef breaks (Alicef,Bobf) ) Advf inverts f
• Mildly-BB reduction ? eff Eve ? eff. Adv
• Eve breaks (Alicef,Bobf) ) Advf inverts f
• Now Eve is really efficient.

27
OWF vs. OWP

• IR,KSS00 Random Oracle separates OWF from OWP.
• A much simpler argument for weaker result
• Thm. Gf is a permutation for every function f ?
  For all f can invert Gf (using a PSPACE-complete
  oracle).
• Adv algorithm on input y Gf(x)
• Let L be a list of queries and answers to f
  (initially empty). Repeat polynomial number of
  times
• Simulate generate some f and x such that f is
  consistent with L and y Gf(x).
• Update Repeat all the simulated queries of
  Gf(x) but this time to real f. Insert to L.
• Output last x.
• Correctness If x ? x then the evaluations Gf(x)
  and Gf(x) must reveal a new inconsistency of f
  and f.

28
OWF vs. OWP Cont.

• Where is the weakness? To argue that G is
  insecure we assumed it is correct Gf is a
  permutation for every function f.
• Is this legitimate?

29
More on Relatevizing vs. BB Reductions

• In some scenarios (e.g. KA -gt OWF), No
  relativizing reduction , No fully-BB reduction.
• Not always Consider the construction of Trapdoor
  (poly-1) Functions from PKE.
• BHSV98 gives a construction in the random
  oracle model.
• ? Hard to come up with an oracle separation (as
  the oracle may potentially be used for
  BHSV-transformation).
• GMR01 solves it by showing for any particular
  construction an oracle that foils it (rather than
  giving one oracle that foils all constructions).
• Myers04 takes it further, considers one
  specific (but very natural) construction and
  gives an oracle that foils it.
• Are we happy/unhappy with this?

30
Rudich91 Hard to Reduce Interaction

• Rud 91 Separate k-message KA from
  (k-1)-message KA.
• For k3 oracle O contains f1, f2, f3, length
  tripling random functions, R defined below, ? -
  PSPACE complete.
• 3 KA
• On an incorrect input R outputs a random string.

31
Rud91 No 2-KA (? PKE) relative to O

• Without R no KA IR89
• Let (Alice,Bob) be two message protocol.
• Assume Alice makes a useful query R (s,m3).
• (s,m3) is a correct input to R ? must have been
  created by 3 correct consecutive invocations ?
  either Alice or Bob must already know z,r,s.
• If its Alice, R is not needed.
• Otherwise, Eve can also know (s,m3) and apply R.

32
How do we define BB access to a protocol?

• In Rudich91 and most subsequent works this
  means black-box access to the message function
  and output function of the parties.
• Can consider a more restricted notion where the
  access is to a third party implementing the
  functionality. (Closer in spirit to a physical
  implementation).
• May make arguments much simpler but need to be
  careful. For example OT in this model does not
  imply OWF.
• Other possible formalizations in between HKNRR05

33
OWF vs. Collision Resistant Hashing

• Simon98 gives an oracle separating the two.
• Here Simon Light In particular, consider only
  regular hash functions (every image has the same
  number of preimages).
• Regular coll. resistant implied by claw-free
  permutations.
• Oracle f - random functions, ? - PSPACE
  complete, and Q on input circuit C defined as
  follows If Cg is regular for every function g
  then Q outputs uniformly selected x and x such
  that Cf(x) Cf(x).
• Note relative to this oracle may have
  collision-resistant hash functions (using Q
  itself). Simon98 handles this case as well.

34
OWF vs. Collision Resistant Hashing Cont.

• Oracle f - random functions, ? - PSPACE
  complete, and Q on input circuit C defined as
  followsIf Cg is regular for every function g
  then Q outputs uniformly selected x and x such
  that Cf (x) Cf (x).
• Proof intuition Assume want to find f-1(y).
• Due to universal regularity, the only information
  given by x and x are the values of f queried by
  the evaluations Cf(x), and Cf(x).
• As long as none of these queries is f-1(y) not
  much help.
• By regularity, x and x are each uniformly
  distributed (though they are correlated).
• By union bound, only negligible chance to
  encounter f-1(y).

35
Limitation On Efficiency

• This line considers the most efficient
  (black-box) construction (rather than the minimal
  assumption necessary) KST99,GT00, GGK03.
• Example OWP ? PRG.
• Thm GT00 PRG that expands the seed by k bits
  requires ?(k/s) invocations of the OWP (where s
  is the security parameter of the OWP).

36
Limitation On Efficiency Cont.

• Thm GT00 PRG that expands the seed by k bits
  requires ?(k/s) invocations of the OWP (where s
  is the security parameter of the OWP).
• Idea Define f(w,z)g(w),z,where w is O(s)-bit
  long and g is random ? Each invocation only
  gives O(s) bits of randomness? Can simulate f
  using randomness from the seed.

37
Concluding Remarks

• Many more beautiful arguments we did not touch!
• BB separations - a useful research tool.
• The extent to which the proof of security is
  black-box plays a major role.
• Definitions are subtle, need to make sure we
  understand the mathematical/philosophical meaning
  of what we prove.

38
Some Open Problems

• More Non black-box techniques.
• Can we Razborov-Rudich Impagliazzo-Rudich ?
• Power of reductions that use code of primitive
  but are BB wrt adversary?

39
GKMVR00 incomparability of PKE and OT

• OT ? PKE by an extension of Rud91.PKE ? OT by
  oracle containing f1, f2, R, ?, (similar to
  Rud91) to allow PKE. But with a small twist

Important define f2 and R to output ? on
incorrect inputs (sort of validity tests) ?
Prevent this specific key agreement from being
fakable, and turns out to be sufficient.