3Cryptographic Protocols, Primitives, and Assumptions Strong RSAHomomorphicEncryptionUOWHFsPIRsID BasedEncryptionDense CryptoSystemElectronicVotingFactoringEncryptionDigitalSignaturesIdentificationElectronicCommerceRSAOne-WayFunctionsPseudo-RandomGeneratorsTrapdoorPermutationsObliviousTransferDDH
4Determining The Relationships Among Different Primitives Most tasks in complexity-based crypto imply P¹NP (or even OWF).Simplify our conception of the world.Construct protocols with as strong security guarantee as possible.Reductions: Given any secure implementation of primitive A, construct a secure implementation of primitive B.
5Some Known Reductions OWF TDP CLAW-FREE COM PRG UOWHF NIZK PKE OT ZK PRFSIGKACCA-PKEMACENCCF-HASHID
6Is the Existence of All Crypto Primitives Equivalent? If so: either no cryptography or Cryptomania!But some tasks seem “significantly harder” than others (e.g. private key vs. public key encryption).In what sense can we claim that primitive A does not imply primitive B if we believe that both exist? After all, a reduction of B to A can ignore A and build B from scratch ...
7Black-Box Separations – Where it Begun Impagliazzo-Rudich  While not clear how to formalize/show non-implications in general can do that wrt black-box reductions.
8What's a Black Box Reduction? What’s not? Think of your favorite crypto reduction …(not you Boaz!) …most likely it was black-box.Consider OWF KA, what would a (strongly) black-box reduction look like?Implementation: for any secure implementation f of a OWF give a secure implementation of a KA.Proof of security: for any adversary Eve that breaks the KA show an adversary Adv that inverts the KA.Black-box: both implementation and proof of security do not need to look at the internals of f and Eve. Instead only rely on input/output behavior (i.e., only use oracle access to f and Eve).Meaningful even if f and Eve are not efficient.
9More Formally: (Strongly) Black-Box Reductions (for OWF KA) eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f ]Various flavors:Reversing quantifiersMaking proof of security less black-box.EveAdvff(Alice,Bob)AB:There is a general construction of primitive B using primitive A as subroutine.AB :There is no black box reduction of B to A.Impossible to construct primitive B from A generically: virtually all current techniques would fail.Recall: We are interested in the main cryptographic primitives, including PKE and OT.
10Relativizing Reductions (OWF KA) Fully-BB reduction: eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f ]Relativizing reduction: a proof that oracle O if OWFs exist relative to O then so do KA schemes.“Exist relative to O”?For KA: eff. (Alice, Bob) s.t. (AliceO,BobO) is a secure KA even against EveO where Eve is an efficient oracle machine.Proposition: Fully BB-reduction is also relativizing.Idea: f and Eve have secure implementation relative to O so do (Alicef,Bobf) and Advf, Eve .AB:There is a general construction of primitive B using primitive A as subroutine.AB :There is no black box reduction of B to A.Impossible to construct primitive B from A generically: virtually all current techniques would fail.Recall: We are interested in the main cryptographic primitives, including PKE and OT.
11What's not Black Box? No idea … ask Boaz … Oh well … Cook-Levin reduction is used in: OWF “ZK proofs for all NP” [GMW91] Non–BB carries on to applications:Semi-honest OT malicious OT [GMW87]OWF ID schemes [FFS88]Similarly, circuit of f used in secure computation of f [Yao86,GMW87][Beaver96] Few OTs + OWF -> Many OTsBarak’s Non-BB ZK and subsequent results. Use both old and introduces new non-bb techniques.
12What do Black-Box Separations Mean? This talk will concentrate on mathematical rather than philosophical meaning. Still …Few Non black-box techniques (and in limited settings). Inherent limitation on efficiency.Therefore, black-box separations are explanation/indication for the hardness of finding reduction (esp. efficient ones).BB-reductions more robust – work wrt. “physical implementations” of primitives.
13What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)Few Examples:TDP seems to be of different complexity than OWF. [IR89] supports.Collision resistant hashing might have seemed similar in nature to OWFs. [Simon98] challenged (this is consistent with recent cryptanalysis attacks against popular hash functions).Insight on the role of interaction, adaptivity, …
14What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)Guidance for black-box constructions?Particular approach cannot be proved in BB manner? May be easier to change approach.Examples:Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit -> OWP -> OWF.[Myers 04], shows no BB proof for one particular natural construction (static to adaptive security).
15What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)Word of warning:Potentially, a non black-box proof may follow a black-box approach most of the way with a “small” non black-box fix.
16Black-Box and Oracle Separations [IR89] there exists an oracle relative to which one-way functions exist but key-agreement schemes do not. No (fully) black-box reduction of key-agreement to one-way function.Many other BB separations/lower bounds [Rud91,Sim98,KST99,KSS00,GKM+00,GT00,GMR01,CHL02,...]Various notions of BB reductions, in particular not always implying oracle separation (e.g. [GMR01]).
17Crypto After IR (Impagliazzo’s Worlds) Not even an hierarchyof problems [GKMRV00]MiniCryptCryptoManiaTrapdoor PermutationSecure Multi-PartyComputation (OT)Public Key EncryptionKey AgreementPrivate KeyEncryptionPseudorandomGeneratorsOne WayFunctionsDigitalSig.Maybe remove factoringExplain what is key agreement.These equivalence results are non-trivial. The separations are very non-trivial.Would be nice to show that they are also all equivalent, and indeed many ppl thought this is the case. But alas…Folklore belief: while somewhat unclear, but thought that PKE OT, and probably they are equiv. But we show surprisingly that they are not.(we put here the separation results, but also we have actual constructions/implementations in special cases)Algoritmica, Heuristica, Pessiland
18This Talk[IR89]: The separation, its proof and interpretation of results.As many separations and proof intuitions. Focus on techniques and subtleties.Beware: some cheating involved
19The Impagliazzo-Rudich Results Thm: P=NP No Key Agreement (KA) even in the presence of a Random Oracle.Not that we care about KA if P=NP, but this means it is at least as hard to prove that KA exists with R.O. as to prove PNP.Cor 1: There is an oracle relative to which OWP exists and KA does not.The oracle: (f, PSPACE) since PPSPACE=NPPSPACECor 2: There is no fully-BB reduction from KA to OWP.Cor 3: …
20[IR89] - Why f is OWPIntuitively obvious: when trying to invert f on some y=f(x), have no chance unless accidentally query f on x.With q queries chances for that < 2q/2n Formally: M making q queries, n-bit y Prf[Mf(y) = f-1(y)] < (2q+2)/2nTo complete the proof need a couple of quantifier changes and saying Borel-Cantelli out loud.Not too bad but less trivial than one would imagine and uses that Turing machines are enumerable.
21Why f is OWP Against Circuits Too many circuit families for previous (uniform) argument.[GT00]: f is exponentially hard even against circuits.High level idea: Consider C that makes q queries and -inverts f.C gives some non-trivial information on f a compact description of f, relative to C.Setting parameters correctly: #descriptions relative to C << (2n)! C only -invert exponentially small fraction of the f’s.
22[IR89] – How Eve Finds the Secret Recall, we assume P=NP, and want to show that KA (Alice,Bob) eff. Eve s.t. Evef breaks (Alicef,Bobf).P=NP implies that without f no cryptographic hardness. In particular, no KA !In fact, for the purpose of oracle separation, we can essentially assume Eve, Alice and Bob are all powerful and only bounded by number of queries to f.In this setting, a clear characterization of “knowledge”: The queries made to f and its answers.
23[IR89] – How Eve Finds the Secret Cont. Alice’s view contains its secret randomness, the conversation transcript T of (Alicef,Bobf), and the list of query-answer pairs she made to f.Same for Bob.If s is the key agreed by Alice and Bob, can assume wlog that (s, f(s)) is in both their lists. Enough that Eve finds all “likely” intersection queries.
24[IR89] – How Eve Finds the Secret Cont. Eve’s algorithm (over simplified):Let T be the transcript of (Alicef,Bobf), let L be Eve’s list of queries and answers to f (initially empty).Repeat polynomial number of times:Simulate: sample a random view of Alice which is consistent with T and L.Update: Repeat all the queries made by “simulated Alice”, but this time to real f. Insert to L.Output a random query from L.Intuition:Whenever simulated Alice is consistent with real Bob’s view, simulated Alice has a fair chance to query s.Any inconsistency reveals one of Bob’s queries. This can happen only polynomial number of times.
25[IR89] Results – Revisited Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model.Cannot get a more natural and meaningful separation.How can a reduction overcome this separation?Traditional interpretation: to overcome the separation the construction of KA must use code of OWP.[RTV04] argues that there is no limitation in using OWP as a black box in construction of KA. Separation might be overcome using code of adversary in proof of security (as in [Bar01,Bar02]).
26Taxonomy of BB Reductions [RTV04] Fully-BB reduction: the proof of security is black box: need to consider any Eve – not necessarily an efficient one.Two steps towards a black-box construction with arbitrary proof:Semi-BB reduction: eff Eve eff. Adv[ Evef breaks (Alicef,Bobf) ) Advf inverts f ]Mildly-BB reduction: eff Eve eff. Adv[ Eve breaks (Alicef,Bobf) ) Advf inverts f ]Now Eve is really efficient.AB:There is a general construction of primitive B using primitive A as subroutine.AB :There is no black box reduction of B to A.Impossible to construct primitive B from A generically: virtually all current techniques would fail.Recall: We are interested in the main cryptographic primitives, including PKE and OT.Fully-BBRelativizingSemi-BBMildly-BBFreeFully-BBRelativizingSemi-BBMildly-BBFree
27OWF vs. OWP [IR,KSS00] Random Oracle separates OWF from OWP. A much simpler argument for weaker result:Thm. Gf is a permutation for every function f For all f can invert Gf (using a PSPACE-complete oracle).Adv algorithm on input y= Gf(x):Let L be a list of queries and answers to f (initially empty). Repeat polynomial number of times:Simulate: generate some f’ and x’ such that f’ is consistent with L and y= Gf’(x’).Update: Repeat all the “simulated queries” of Gf’(x’) but this time to real f. Insert to L.Output last x’.Correctness: If x’ x then the evaluations Gf(x) and Gf’(x’) must reveal a new inconsistency of f and f’.
28OWF vs. OWP Cont.Where is the weakness? To argue that G is insecure we assumed it is correct: Gf is a permutation for every function f.Is this legitimate?
29More on Relatevizing vs. BB Reductions In some scenarios (e.g. KA -> OWF), No relativizing reduction , No fully-BB reduction.Not always: Consider the construction of Trapdoor (poly-1) Functions from PKE.[BHSV98] gives a construction in the random oracle model. Hard to come up with an oracle separation (as the oracle may potentially be used for BHSV-transformation).[GMR01] solves it by showing for any particular construction an oracle that foils it (rather than giving one oracle that foils all constructions).[Myers04] takes it further, considers one specific (but very natural) construction and gives an oracle that foils it.Are we happy/unhappy with this?
30[Rudich91]: Hard to Reduce Interaction [Rud 91] Separate k-message KA from (k-1)-message KA.For k=3 oracle O contains: f1, f2, f3, length tripling random functions, R defined below, П - PSPACE complete.3 KA :On an “incorrect” input R outputs a random string.Bob sAlice z,rz = R (s,m3)m1 =f1 (z,r)m2 =f2 (s,m1)m3 =f3 (z,r,m2)z
31[Rud91]: No 2-KA ( PKE) relative to O Without R no KA [IR89]Let (Alice’,Bob’) be two message protocol.Assume Alice’ makes a useful query R (s,m3).(s,m3) is a “correct” input to R must have been created by 3 “correct” consecutive invocations either Alice’ or Bob’ must already know z,r,s.If its Alice’, R is not needed.Otherwise, Eve can also know (s,m3) and apply R.Bob sAlice z,rz = R (s,m3)m1 =f1 (z,r)m2 =f2 (s,m1)m3 =f3 (z,r,m2)z
32How do we define BB access to a protocol? In [Rudich91] and most subsequent works this means black-box access to the message function and output function of the parties.Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation).May make arguments much simpler but need to be careful. For example OT in this model does not imply OWF.Other possible formalizations in between [HKNRR05]
33OWF vs. Collision Resistant Hashing [Simon98] gives an oracle separating the two.Here “Simon Light”: In particular, consider only regular hash functions (every image has the same number of preimages).Regular coll. resistant implied by claw-free permutations.Oracle: f - random functions, П - PSPACE complete, and Q on input circuit C defined as follows: If Cg is regular for every function g then Q outputs uniformly selected x and x’ such that Cf(x) = Cf(x’).Note: relative to this oracle may have collision-resistant hash functions (using Q itself). [Simon98] handles this case as well.
34OWF vs. Collision Resistant Hashing Cont. Oracle: f - random functions, П - PSPACE complete, and Q on input circuit C defined as follows: If Cg is regular for every function g then Q outputs uniformly selected x and x’ such that Cf (x) = Cf (x’).Proof intuition: Assume want to find f-1(y).Due to universal regularity, the only information given by x and x’ are the values of f queried by the evaluations Cf(x), and Cf(x’).As long as none of these queries is f-1(y) not much help.By regularity, x and x’ are each uniformly distributed (though they are correlated).By union bound, only negligible chance to encounter f-1(y).
35Limitation On Efficiency This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99,GT00, GGK03].Example: OWP PRG.Thm [GT00] PRG that expands the seed by k bits requires (k/s) invocations of the OWP (where s is the security parameter of the OWP).PRGseedm bitsfoutputm+k bits
36Limitation On Efficiency Cont. Thm [GT00] PRG that expands the seed by k bits requires (k/s) invocations of the OWP (where s is the security parameter of the OWP).Idea: Define f(w,z)=g(w),z, where w is O(s)-bit long and g is random Each invocation only gives O(s) bits of randomness Can simulate f using randomness from the seed.PRGseedm bitsfoutputm+k bits
37Concluding Remarks Many more beautiful arguments we did not touch! BB separations - a useful research tool.The extent to which the proof of security is black-box plays a major role.Definitions are subtle, need to make sure we understand the mathematical/philosophical meaning of what we prove.
38Some Open Problems More Non black-box techniques. Can we “Razborov-Rudich” Impagliazzo-Rudich ?Power of reductions that use code of primitive but are BB wrt adversary?
39[GKMVR00] incomparability of PKE and OT OT PKE by an extension of [Rud91]. PKE OT by oracle containing: f1, f2, R, П, (similar to [Rud91]) to allow PKE. But with a small twist…Bob z,sAlice rzm1 =f1 (r)m2 =f2 (z,s,m1)z = R (r,m2)Important: define f2 and R to output on “incorrect” inputs (sort of validity tests) Prevent this specific key agreement from being “fakable”, and turns out to be sufficient.