Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions.

Published byAlban Anderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions."— Presentation transcript:

1 Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions

2 1.Precisely define security goal (e.g., secure encryption) 2.Precisely stipulate computational intractability assumption (e.g., hardness of factoring) 1.Security Reduction: prove that any attacker A that break security of scheme π can be used to violate the intractability assumption. Modern Cryptography

3 A Celebrated Example: Commitments from OWFs [Naor,HILL] Task: Commitment Scheme –Binding + Hiding –Non-interactive Intractability Assumption: existence of OWF f –f is easy to compute but hard to invert Security reduction [Naor,HILL]: Com f, PPT R s. t. for every algorithm A that breaks hiding of Com f, R A inverts f –Reduction R only uses attacker A as a black-box; i.e., R is a Turing Reduction.

4 r CRARA Security reduction: R A breaks C whenever A breaks Hiding f(r) Reduction R may rewind and restart A. Turing Reductions

5 Provable Security In the last three decades, lots of amazing tasks have been securely realized under well-studied intractability assumptions –Key Exchange, Public-Key Encryption, Secure Computation, Zero- Knowledge, PIR, Secure Voting, Identity based encryption, Fully homomorphic Encryption, Leakage-resilient Encryption… But: several tasks/schemes have resisted security reductions under well-studied intractability assumptions.

6 Schnorr’s Identification Scheme [Sch’89] One of the most famous and widely employed identification schemes (e.g., Blackberry router protocol) Secure under a passive “eaves-dropper” attack based on the discrete logarithm assumption What about active attacks? –[BP’02] proven it secure under a new type of “one-more” inversion assumption –Can we based security on more standard assumptions?

7 Commitment Schemes under Selective Opening [DNRS’99] A commits to n values v 1, …, v n B adaptively asks A to open up, say, half of them. Security: Unopened commitments remain hidden –Problem originated in the distributed computing literature over 25 years ago Can we base selective opening security of non- interactive commitments on any standard assumption?

8 One-More Inversion Assumptions [BNPS’02] You get n target points y 1,…, y n in group G with generator g. Can you find the discrete logarithm to all n of them if you may make n- 1 queries to a discrete logarithm oracle (for G and g) One-more DLOG assumption states that no PPT algorithm can succeed with non-negligible probability –[BNPS] and follow-up work: Very useful for proving security of practical schemes Can the one-more DLOG assumption be based on more standard assumptions? –What about if we weaken the assumption and only give the attacker n^eps queries?

9 Unique Non-interactive Blind Signatures [Chaum’82] Signature Scheme where a user U may ask the signer S to sign a message m, while keeping m hidden from S. –Futhermore, there only exists a single valid signature per message –Chaum provided a first implementation in 1982; very useful in e.g., E-cash –[BNPS] give a proof of security in the Random Oracle Model based on a one-more RSA assumption. Can we base security of Chaum’s scheme, or any other unique blind signature scheme, on any standard assumption?

10 Sequential Witness Hiding of O(1)-round public-coin protocols Take any of the classic O(1)-round public-coin ZK protocols (e.g., GMW, Blum) Repeat them in parallel to get negligible soundness error. Do they suddenly leak the witness to the statement proved? [Feige’90] –Sequential WH: No verifier can recover the witness after sequentially participating in polynomially many proofs. Can sequential WH of those protocols be based on any standard assumption?

11 Main Result For a general class of intractability assumptions, there do NOT exists Turing security reductions for demonstrating security of any those schemes/tasks/assumptions Any security reduction R itself must constitutes an attack on assumption

12 Intractability Assumptions Following [Naor’03], we model an intractability assumption as a interaction between a Challenger C and an attacker A. –The goal of A is to make C accept –C may be computationally unbounded (different from [Naor’03], [GW’11]) –The only restriction is that the number of communication rounds is an a-priori bounded polynomial. r CA f(r) Intractability assumption (C,t) : “no PPT can make C output 1 w.p. significantly above t” E.g., 2-round: f is a OWF, Factoring, G is a PRG, DDH, Factoring, … O(1)-round: Enc is semantically secure (FHE), (P,V) is WH, O(1)-round with unbounded C: (P,V) is sound

13 Main Theorem Let (C,t) be a k(.)-round intractability assumption where k is a polynomial. If there exists a PPT reduction R for basing security of any of previously mentioned schemes, on the hardness of (C,t), then there exists a PPT attacker B that breaks (C,t) Note: restriction on C being bounded-round is necessary; otherwise we include the assumptions that the schemes are secure!

14 Related Work Several earlier lower bounds: –One-more inversion assumptions [BMV’08] –Selective opening [BHY’09] –Witness Hiding [P’06,HRS’09,PTV’10] –Blind Signatures [FS’10] But they only consider restricted types of reductions (a la [FF’93,BT’04]), or (restricted types of) black-box constructions (a la [IR’88]) –Only exceptions [P’06,PTV’10] provide conditional lower-bounds on constructions of certain types of WH proofs based on OWF Our result applies to ANY Turing security reduction and also non-black-box constructions.

15 Proof Outline 1.Sequential Witness Hiding is “complete” –A positive answer to any of the questions implies the existence of a “special” O(1)-round sequential WH proof/argument for a language with unique witnesses. 2.Sequential WH of “special” O(1)-round proofs/arguments for languages with unique witnesses cannot be based on poly-round intractability assumptions using a Turing reduction.

16 Special-sound proofs [CDS,Bl] X is true a a b0b0 c0c0 b1b1 c1c1 Can extract a witness w b 0, b 1  R {0,1} n Relaxations: multiple rounds computationally sound protocols (a.k.a. arguments) need p(n) transcripts (instead of just 2) to extract w Generalized special-sound

17 Main Lemma Let (C,t) be a k(.)-round intractability assumption where k is a polynomial. Let (P,V) be a O(1)-round generalized special-sound proof of a language L with unique witnesses. If there exists a PPT reduction R for basing sequential WH of (P,V) on the hardness of (C,t), then there exists a PPT attacker B that breaks (C,t)

18 Proof Idea r CRARA Assume R A breaks C whenever A completely recovers witness of any statement x it hears sufficiently many sequential proofs of. f(r) Goal: Emulate in PPT a successful A’ for R thus break C in PPT (the idea goes back to [BV’99] “meta-reduction”, and even earlier [Bra’79])

19 Proof Idea r CR Assume R A breaks C whenever A breaks seq WH of some special-sound proof for language with unique witness f(r) Assume reduction R is “nice” [BMV’08,HRS’09,FS’10] Only asks a single query to its oracle (or asks queries sequentially) Then, simply “rewind” R feeding it a new “challenge” and extract witness x w Unique witness requirement crucial to ensure we emulate a good oracle A’

20 General Reductions: Problem I R x1x1 Problem: R might nest its oracle calls. “naïve extraction” requires exponential time (c.f., Concurrent ZK [DNS’99]) Solution: If we require R to provide many sequential proofs, then we can find (recursively) find one proof where nesting depth is “small” Use Techniques reminiscent of Concurrent ZK a la [RK’99], [CPS’10] x2x2 x3x3 rewinding here: redo work of nested sessions w2w2 w3w3 w1w1

21 General Reductions: Problem II Problem: R might not only nest its oracle calls, but may also rewind its oracle Special-soundness might no longer hold under such rewindings. Solution: Pick messages from oracle using hashfunction. Use Techniques reminiscent of Black-box ZK lower-bound of [GK’90],[P’06] O(1)-round restriction on (P,V) is here crucial

22 General Reductions: Problem III CR x w Problem: Oracle calls may be intertwined with interaction with C Solution: If we require R to provide many sequential proofs, then at least one proof is guaranteed not to intertwine

23 1.Security of several “classic” cryptographic tasks/schemes---which are believed to be secure--- cannot be proven secure (using Turing reduction) based on “standard” intractability assumptions. 1.Establish a connection between lower-bounds for security reductions and Concurrent Security In Sum

24 The GOOD: Provably secure under standard assumptions The BAD: broken The ANNOYING : not broken, not provably secure* …but very efficient 

25 Ways Around It? Super Polynomial Security Reductions: Basing security on “super-poly” intractability assumptions Possible to overcome some, but not all, lower-bounds  Full characterization in the paper. Non-black-box security reductions: Allow R to look at the code of A Our lower-bound do NOT apply  Possible to overcome the Main Lemma [B’01,PR’06] PPT Turing security reductions provide stronger security guarantees: any attacker---even if I don’t know the description of his brain--with reproducible behavior can be be efficiently used to break challenge New types of assumptions? Instead of intractability, tractability [W’10]? “knowledge”-assumptions? Hard to “falsify” [Naor’03]

26 Thank You

Download ppt "Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions."

Similar presentations

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.

1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
7. Asymmetric encryption-

7. Asymmetric encryption-
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.

Similar presentations

Ads by Google