It's Not The Assumption, It's The Reduction. GMfest13c Assumptions Panel Presentation. Ran Canetti.


1 It's Not The Assumption, It's The Reduction. GMfest13c Assumptions Panel Presentation. Ran Canetti

2 Let's assume P=NP
But proof is non-constructive…
… and we still have no idea how to factor…
Is cryptography as we know it dead? NO!
Do we need to resort to heuristics? NO!
The security by reduction paradigm still works!


8 Need to change mindset
Can no longer assume "There is no PT algorithm for factoring."
But it doesn't matter: The universal quantifier is a nice mathematical abstraction, but doesn't really capture what we want…
A good reduction to factoring is still as valid as before!

9 The case of Collision Resistant Functions [Rogaway 07]


12 So, sometimes the gist is in the reduction, not the assumption…

13 Classification of reductions
By assumption and complexity: time, space, #queries, …
By access to the underlying adversary:
– One pass Black Box
– Quantum (uncontrollable randomness)
– Resettable Black Box
– General (Non BB)
By advice:
– No advice: completely algorithmic (this is what we want!)
– Advice depending on security parameter + primitive (e.g. collision in a hash function, Hellman table for a block cipher)
– Advice depending on adversary program (non-uniform) (e.g. simulator in point obfuscation)
– Advice depending on (public) randomness (e.g. extractable functions / knowledge of exponent, UCE, DI-IO, …)
Viewed this way, KOE & friends are not assumptions; they are holes in a reduction that we fill via external advice.


19 Classification of reductions
By assumption and complexity: time, space, #queries, …
By access to the underlying adversary:
– One pass Black Box
– Quantum (uncontrollable randomness)
– Resettable Black Box
– General (Non BB)
By advice:
– No advice: completely algorithmic (this is what we want!)
– Advice depending on security parameter + primitive (e.g. collision in a hash function)
– … + adversary program (non-uniform) (e.g. inverse of adv's challenge, points queried in point obfuscation)
– … + public randomness / secrets (e.g. extractable functions, knowledge of exponent / UCE, DI-IO, …)
Viewed this way, KOE & friends are not assumptions; they are holes in a reduction that we fill via external advice.


21 The new mindset *
(This slide is a later addition… was indeed missing in the presentation)
The goal when analyzing security of a scheme is to come up with a reduction to another problem.
The result statement is now unconditional: We show how to transform an adversary that breaks X into an adversary that breaks Y.
– If the transformation is not completely specified, then we need to be explicit about it
This has multiple corollaries:
– In and of itself: A reduction to Human Ignorance
– Non-u security of Y implies non-u security of X
– Uniform security of Y implies uniform security of X
– …advice.
(In fact, the mindset is pretty old… was around in the 80s)
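An added example, not taken from the slides: the "transform an adversary that breaks X into an adversary that breaks Y" statement, written out as a program for collision resistance. The choice of a Merkle-Damgård hash as X and its compression function as Y is an assumption made here for illustration, as are all names (`h`, `H`, `pad`, `trace`, `adversary`, `reduction`) and the toy 16-bit output size. The reduction falls in the "no advice: completely algorithmic" class.

```python
import hashlib
from itertools import count

BLOCK = 4          # toy block size in bytes (assumption)
IV = b"\x00\x00"   # fixed initial chaining value (assumption)

def h(chain, block):
    """Toy compression function: SHA-256 truncated to 16 bits, so collisions are cheap."""
    return hashlib.sha256(chain + block).digest()[:2]

def pad(msg):
    """Zero-pad to a block boundary, then append the message length as a final block."""
    data = msg + b"\x00" * (-len(msg) % BLOCK)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return blocks + [len(msg).to_bytes(BLOCK, "big")]

def trace(msg):
    """Return the list of (chain, block) inputs fed to h, and the final digest."""
    chain, calls = IV, []
    for block in pad(msg):
        calls.append((chain, block))
        chain = h(chain, block)
    return calls, chain

def H(msg):
    return trace(msg)[1]

def adversary():
    """Stand-in for 'an adversary that breaks X': birthday search for a collision in H."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i          # constructed sample messages
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def reduction(m1, m2):
    """Transform a collision in H into a collision in h, using no advice."""
    (c1, d1), (c2, d2) = trace(m1), trace(m2)
    if m1 == m2 or d1 != d2:
        raise ValueError("input is not a collision in H")
    # Walk both call chains backwards from the (equal) final outputs. While the inputs
    # to h agree, the previous outputs agree too; the first disagreement collides in h.
    for x, y in zip(reversed(c1), reversed(c2)):
        if x != y:
            return x, y
    raise AssertionError("unreachable: distinct messages always differ in some h input")

if __name__ == "__main__":
    x, y = reduction(*adversary())
    print("h collision:", x, y, h(*x).hex())
```

The statement this code proves is unconditional: it never claims collisions in `h` are hard to find, only that any collision in `H`, however obtained, yields one in `h` at the cost of recomputing two hashes.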


