Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan.

Similar presentations


Presentation on theme: "On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan."— Presentation transcript:

1 On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan

2 Crypto - The Merry Old Days

3 Identification Digital Signatures Cryptographic Protocols, Primitives, and Assumptions Encryption Electronic Voting Electronic Commerce One-Way Functions Pseudo-Random Generators Trapdoor Permutations Factoring RSA DDH Oblivious Transfer Strong RSA Dense Crypto System Homomorphic Encryption UOWHFs ID Based Encryption PIRs

4 Determining The Relationships Among Different Primitives Most tasks in complexity-based crypto imply P NP (or even OWF ). Simplify our conception of the world. Construct protocols with as strong security guarantee as possible. Reductions: Given any secure implementation of primitive A, construct a secure implementation of primitive B.

5 OWF PRG PRF MACENC COM ZK ID UOWHF SIG TDP PKEOT KA CCA-PKE CLAW-FREE CF-HASH Some Known Reductions NIZK

6 Is the Existence of All Crypto Primitives Equivalent? If so: either no cryptography or Cryptomania! But some tasks seem significantly harder than others (e.g. private key vs. public key encryption). In what sense can we claim that primitive A does not imply primitive B if we believe that both exist? After all, a reduction of B to A can ignore A and build B from scratch...

7 Black-Box Separations – Where it Begun Impagliazzo-Rudich [89] While not clear how to formalize/show non-implications in general can do that wrt black-box reductions.

8 What's a Black Box Reduction? Whats not? Think of your favorite crypto reduction … (not you Boaz!) … most likely it was black-box. Consider OWF KA, what would a (strongly) black-box reduction look like? –Implementation: for any secure implementation f of a OWF give a secure implementation of a KA. –Proof of security: for any adversary Eve that breaks the KA show an adversary Adv that inverts the KA. –Black-box: both implementation and proof of security do not need to look at the internals of f and Eve. Instead only rely on input/output behavior (i.e., only use oracle access to f and Eve). –Meaningful even if f and Eve are not efficient.

9 More Formally: (Strongly) Black-Box Reductions (for OWF KA ) eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alice f,Bob f ) ) Adv f, Eve inverts f ] Various flavors: –Reversing quantifiers –Making proof of security less black-box. f (Alice, Bob) Eve Adv f

10 Relativizing Reductions ( OWF KA ) Fully-BB reduction: eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alice f,Bob f ) ) Adv f, Eve inverts f ] Relativizing reduction: a proof that oracle O if OWF s exist relative to O then so do KA schemes. Exist relative to O ? –For KA : eff. (Alice, Bob) s.t. (Alice O,Bob O ) is a secure KA even against Eve O where Eve is an efficient oracle machine. Proposition: Fully BB-reduction is also relativizing. Idea: f and Eve have secure implementation relative to O so do (Alice f,Bob f ) and Adv f, Eve.

11 What's not Black Box? No idea … ask Boaz … Oh well … Cook-Levin reduction is used in: OWF ZK proofs for all NP [GMW91] Non–BB carries on to applications: –Semi-honest OT malicious OT [ GMW87] –OWF ID schemes [FFS88] Similarly, circuit of f used in secure computation of f [Yao86,GMW87] –[Beaver96] Few OTs + OWF -> Many OTs Baraks Non-BB ZK and subsequent results. Use both old and introduces new non-bb techniques.

12 What do Black-Box Separations Mean? This talk will concentrate on mathematical rather than philosophical meaning. Still … Few Non black-box techniques (and in limited settings). Inherent limitation on efficiency. Therefore, black-box separations are explanation/indication for the hardness of finding reduction (esp. efficient ones). BB-reductions more robust – work wrt. physical implementations of primitives.

13 What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.) Few Examples: TDP seems to be of different complexity than OWF. [IR89] supports. Collision resistant hashing might have seemed similar in nature to OWF s. [Simon98] challenged (this is consistent with recent cryptanalysis attacks against popular hash functions). Insight on the role of interaction, adaptivity, …

14 What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.) Guidance for black-box constructions? Particular approach cannot be proved in BB manner? May be easier to change approach. Examples: –Want to reduce Stat-Commit to OWF ? Probably not a good approach: Stat-Commit -> OWP -> OWF. –[Myers 04], shows no BB proof for one particular natural construction (static to adaptive security).

15 What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.) Word of warning: Potentially, a non black-box proof may follow a black-box approach most of the way with a small non black-box fix.

16 Black-Box and Oracle Separations [IR89] there exists an oracle relative to which one-way functions exist but key- agreement schemes do not. No (fully) black-box reduction of key- agreement to one-way function. Many other BB separations/lower bounds [Rud91,Sim98,KST99,KSS00,GKM+00,GT00, GMR01,CHL02,...] –Various notions of BB reductions, in particular not always implying oracle separation (e.g. [ GMR01]).

17 Crypto After IR (Impagliazzos Worlds) Trapdoor Permutation Public Key Encryption Key Agreement Secure Multi-Party Computation (OT) Private Key Encryption One Way Functions Digital Sig. Pseudorandom Generators Algoritmica, Heuristica, Pessiland Not even an hierarchy of problems [GKMRV00]

18 This Talk [IR89]: The separation, its proof and interpretation of results. As many separations and proof intuitions. Focus on techniques and subtleties. Beware: some cheating involved

19 The Impagliazzo-Rudich Results Thm: P=NP No Key Agreement ( KA ) even in the presence of a Random Oracle. Not that we care about KA if P=NP, but this means it is at least as hard to prove that KA exists with R.O. as to prove P NP. Cor 1: There is an oracle relative to which OWP exists and KA does not. The oracle: (f, PSPACE) since P PSPACE =NP PSPACE Cor 2: There is no fully-BB reduction from KA to OWP. Cor 3: …

20 [IR89] - Why f is OWP Intuitively obvious: when trying to invert f on some y= f (x), have no chance unless accidentally query f on x. With q queries chances for that < 2q/2 n Formally: M making q queries, n-bit y Pr f [M f (y) = f - 1 (y)] < (2q+2)/2 n To complete the proof need a couple of quantifier changes and saying Borel-Cantelli out loud. Not too bad but less trivial than one would imagine and uses that Turing machines are enumerable.

21 Why f is OWP Against Circuits Too many circuit families for previous (uniform) argument. [GT00]: f is exponentially hard even against circuits. High level idea: Consider C that makes q queries and -inverts f. C gives some non-trivial information on f a compact description of f, relative to C. Setting parameters correctly: #descriptions relative to C << (2 n )! C only -invert exponentially small fraction of the f s.

22 [IR89] – How Eve Finds the Secret Recall, we assume P=NP, and want to show that KA (Alice,Bob) eff. Eve s.t. Eve f breaks (Alice f,Bob f ). P=NP implies that without f no cryptographic hardness. In particular, no KA ! In fact, for the purpose of oracle separation, we can essentially assume Eve, Alice and Bob are all powerful and only bounded by number of queries to f. In this setting, a clear characterization of knowledge: The queries made to f and its answers.

23 [IR89] – How Eve Finds the Secret Cont. Alices view contains its secret randomness, the conversation transcript T of (Alice f,Bob f ), and the list of query-answer pairs she made to f. Same for Bob. If s is the key agreed by Alice and Bob, can assume wlog that (s, f (s)) is in both their lists. Enough that Eve finds all likely intersection queries.

24 [IR89] – How Eve Finds the Secret Cont. Eves algorithm (over simplified): Let T be the transcript of (Alice f,Bob f ), let L be Eves list of queries and answers to f (initially empty). Repeat polynomial number of times: –Simulate: sample a random view of Alice which is consistent with T and L. –Update: Repeat all the queries made by simulated Alice, but this time to real f. Insert to L. Output a random query from L. Intuition: Whenever simulated Alice is consistent with real Bobs view, simulated Alice has a fair chance to query s. Any inconsistency reveals one of Bobs queries. This can happen only polynomial number of times.

25 [IR89] Results – Revisited Thm: If P=NP, Key Agreement ( KA ) is impossible in the Random Oracle model. Cannot get a more natural and meaningful separation. How can a reduction overcome this separation? Traditional interpretation: to overcome the separation the construction of KA must use code of OWP. [RTV04] argues that there is no limitation in using OWP as a black box in construction of KA. Separation might be overcome using code of adversary in proof of security (as in [Bar01,Bar02]).

26 Taxonomy of BB Reductions [RTV04] Fully-BB reduction: the proof of security is black box: need to consider any Eve – not necessarily an efficient one. Two steps towards a black-box construction with arbitrary proof: Semi-BB reduction: eff Eve eff. Adv [ Eve f breaks (Alice f,Bob f ) ) Adv f inverts f ] Mildly-BB reduction: eff Eve eff. Adv [ Eve breaks (Alice f,Bob f ) ) Adv f inverts f ] Now Eve is really efficient. Fully-BBRelativizingSemi-BBMildly-BB Free Fully-BBRelativizingSemi-BBMildly-BB Free

27 OWF vs. OWP [IR,KSS00] Random Oracle separates OWF from OWP. A much simpler argument for weaker result: Thm. G f is a permutation for every function f For all f can invert G f (using a PSPACE-complete oracle). Adv algorithm on input y= G f (x): Let L be a list of queries and answers to f (initially empty). Repeat polynomial number of times: –Simulate: generate some f and x such that f is consistent with L and y= G f (x). –Update: Repeat all the simulated queries of G f (x) but this time to real f. Insert to L. Output last x. Correctness: If x x then the evaluations G f (x) and G f (x) must reveal a new inconsistency of f and f.

28 OWF vs. OWP Cont. Where is the weakness? To argue that G is insecure we assumed it is correct: G f is a permutation for every function f. Is this legitimate?

29 More on Relatevizing vs. BB Reductions In some scenarios (e.g. KA -> OWF ), No relativizing reduction, No fully-BB reduction. Not always: Consider the construction of Trapdoor (poly-1) Functions from PKE. –[BHSV98] gives a construction in the random oracle model. Hard to come up with an oracle separation (as the oracle may potentially be used for BHSV-transformation). –[GMR01] solves it by showing for any particular construction an oracle that foils it (rather than giving one oracle that foils all constructions). [Myers04] takes it further, considers one specific (but very natural) construction and gives an oracle that foils it. Are we happy/unhappy with this?

30 [Rudich91]: Hard to Reduce Interaction [Rud 91] Separate k-message KA from (k-1)-message KA. For k=3 oracle O contains: f 1, f 2, f 3, length tripling random functions, R defined below, П - PSPACE complete. 3 KA : On an incorrect input R outputs a random string. Bob s Alice z,r z = R (s,m 3 ) m 1 =f 1 (z,r) m 2 =f 2 (s,m 1 ) m 3 =f 3 (z,r,m 2 ) z

31 [Rud91]: No 2-KA ( PKE) relative to O Without R no KA [IR89] Let (Alice,Bob) be two message protocol. Assume Alice makes a useful query R (s,m 3 ). –(s,m 3 ) is a correct input to R must have been created by 3 correct consecutive invocations either Alice or Bob must already know z,r,s. –If its Alice, R is not needed. –Otherwise, Eve can also know (s,m 3 ) and apply R. Bob s Alice z,r z = R (s,m 3 ) m 1 =f 1 (z,r) m 2 =f 2 (s,m 1 ) m 3 =f 3 (z,r,m 2 ) z

32 How do we define BB access to a protocol? In [Rudich91] and most subsequent works this means black-box access to the message function and output function of the parties. Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation). May make arguments much simpler but need to be careful. For example OT in this model does not imply OWF. Other possible formalizations in between [HKNRR05]

33 OWF vs. Collision Resistant Hashing [Simon98] gives an oracle separating the two. Here Simon Light: In particular, consider only regular hash functions (every image has the same number of preimages). –Regular coll. resistant implied by claw-free permutations. Oracle: f - random functions, П - PSPACE complete, and Q on input circuit C defined as follows: If C g is regular for every function g then Q outputs uniformly selected x and x such that C f (x) = C f (x). Note: relative to this oracle may have collision- resistant hash functions (using Q itself). [Simon98] handles this case as well.

34 OWF vs. Collision Resistant Hashing Cont. Oracle: f - random functions, П - PSPACE complete, and Q on input circuit C defined as follows: If C g is regular for every function g then Q outputs uniformly selected x and x such that C f (x) = C f (x). Proof intuition: Assume want to find f - 1 (y). Due to universal regularity, the only information given by x and x are the values of f queried by the evaluations C f (x), and C f (x). As long as none of these queries is f - 1 (y) not much help. By regularity, x and x are each uniformly distributed (though they are correlated). By union bound, only negligible chance to encounter f - 1 (y).

35 Limitation On Efficiency This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99,GT00, GGK03]. Example: OWP PRG. Thm [GT00] PRG that expands the seed by k bits requires (k/s) invocations of the OWP (where s is the security parameter of the OWP ). PRG seed m bits f output m+k bits

36 Limitation On Efficiency Cont. Thm [GT00] PRG that expands the seed by k bits requires (k/s) invocations of the OWP (where s is the security parameter of the OWP ). Idea: Define f(w,z)=g(w),z, where w is O(s)-bit long and g is random Each invocation only gives O(s) bits of randomness Can simulate f using randomness from the seed. PRGseed m bits f output m+k bits

37 Concluding Remarks Many more beautiful arguments we did not touch! BB separations - a useful research tool. The extent to which the proof of security is black-box plays a major role. Definitions are subtle, need to make sure we understand the mathematical/philosophical meaning of what we prove.

38 Some Open Problems More Non black-box techniques. Can we Razborov-Rudich Impagliazzo- Rudich ? Power of reductions that use code of primitive but are BB wrt adversary?

39 [ GKMVR00 ] incomparability of PKE and OT OT PKE by an extension of [Rud91]. PKE OT by oracle containing: f 1, f 2, R, П, (similar to [Rud91]) to allow PKE. But with a small twist… Bob z,s Alice r z m 1 =f 1 (r) m 2 =f 2 (z,s,m 1 ) z = R (r,m 2 ) Important: define f 2 and R to output on incorrect inputs (sort of validity tests) Prevent this specific key agreement from being fakable, and turns out to be sufficient.


Download ppt "On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan."

Similar presentations


Ads by Google