
How to Prove that Minicrypt = Cryptomania (in the future)
Danny Harnik, Moni Naor




Slide 1: How to Prove that Minicrypt = Cryptomania (in the future)
Danny Harnik, Moni Naor

Slide 2: The world(s) according to Impagliazzo
5 possibilities, based on different crypto-computational assumptions. The top two worlds:
- Minicrypt: One Way Functions exist; some of crypto is possible (shared key encryption, commitments, signatures, ...)
- Cryptomania: Oblivious Transfer (OT) protocols exist; almost anything imaginable is possible.
[Figure: the five worlds, top to bottom: Cryptomania, Minicrypt, Pessiland, Heuristica (Avg NP = Avg P), Algorithmica (P = NP)]
f: {0,1}* → {0,1}* is one-way if it is easy to compute but hard to invert:
- f(x) is computable in poly-time
- No PPTM can find an inverse to f(x) for a random x

Slide 3: Oblivious Transfer
[Figure: Alice holds z_0, z_1; Bob holds b and receives z_b]
OT protocol:
- Bob learns z_b.
- Bob doesn't learn z_{1-b}.
- Alice does not learn b.
[Figure: the five worlds, Cryptomania on top]
OT is complete for Secure Computation!
- General framework that captures many cryptographic tasks (auctions, voting, e-commerce, ...)
- Implies public key crypto

Slide 4: Oblivious Transfer
The world according to Impagliazzo: 5 possibilities, based on different crypto-computational assumptions. The top two worlds:
- Minicrypt: OWFs exist; some of crypto is possible (shared key encryption, commitments, signatures, ...)
- Cryptomania: Oblivious Transfer (OT) exists; almost anything is possible.
[Figure: Alice holds s_0, s_1; Bob holds c and receives s_c]
OT protocol:
- Bob gets s_c.
- Bob doesn't learn s_{1-c}.
- Alice does not learn c.
OWFs are not known to imply OT: Impagliazzo and Rudich (89) prove that there is no black box construction of OT from OWF.
OT is complete for Secure Computation!
- General framework that captures many cryptographic tasks (e.g. public key crypto, auctions, voting, e-commerce, ...)

Slide 5: A more refined view
[Figure: known primitives placed in the two worlds]
- Minicrypt: One-way functions, Computational Pseudorandomness, Shared-key Encryption and Authentication, Commitment scheme, Signature Scheme, UOWHFs, Coin flipping, Efficient online memory checking, ZK Proofs for all of NP
- Cryptomania: OT, Public Key Encryption, CCA-Secure PKE, PIR, Secure MPC, Trapdoor permutations, 2-round Secret Key Exchange

Slide 6: Separating the worlds
[Figure: the primitives of the previous slide, plus SKE, with Minicrypt separated from Cryptomania]
Impagliazzo and Rudich 1989: there is no black-box construction of OT from OWF.

Slide 7: Separating the worlds
[Figure: Trapdoor Permutation, Public Key Encryption, Key Exchange, Secure Multi-Party Computation (OT), Shared Key Encryption, One Way Functions, Digital Signatures, Pseudorandom Generators]
Not even a hierarchy.

Slide 8: The Minicrypt = Cryptomania question
"Minicrypt = Cryptomania?" is the most important problem in complexity and cryptography where:
- We do not know the answer
- There is a good chance to resolve it in the near future
Omer Reingold: NL = L is a contender for the title.

Slide 9: Recent RSA Cryptographers Panel, Feb 2006
Adi Shamir's prediction: no existing public-key cryptosystem will survive 30 years from now.
Martin Hellman: very little genetic diversity in public-key cryptosystems.
- RSA and Diffie-Hellman: 1970's
- Elliptic curves: 1980's
Should add: lattice based schemes.

Slide 10: Common View
One-wayness is simple to come by, but obtaining secret-key exchange or OT requires a lot of structure (and knowledge).
Yuval Ishai: young nerd vs. Don Coppersmith

Slide 11: Approaches for showing Minicrypt = Cryptomania
- Via Secret Sharing for Generalized Access Structures
  - Due to Steven Rudich
  - Unpublished as far as I can tell
- Via compressibility of NP problems
  - Due to Harnik and Naor
  - See ECCC Report (or on home page)
- Bonus material: from SKE to OT via interactive oblivious sampling (IOS)

Slide 12: Secret sharing and Access Structures
- Dealer has secret x
- Gives to users P_1, P_2, ..., P_n shares s_1, s_2, ..., s_n
  - The shares are a probabilistic function of x
- A subset of users A is either authorized or unauthorized
Want:
- An authorized subset of users A = {i_1, i_2, ..., i_ℓ} to be able to reconstruct x based on their shares {s_{i_1}, s_{i_2}, ..., s_{i_ℓ}}
- An unauthorized subset not to gain any knowledge about x
Famous example: Threshold Secret Sharing
- Authorized subsets: those containing t or more users
- Unauthorized subsets: those containing less than t users
- Shamir's solution: based on a degree t-1 polynomial q with q(0) = x and s_i = q(i)
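Shamir's threshold scheme from the slide, as an added worked example (not part of the talk): shares are evaluations of a random degree t-1 polynomial over a prime field, any t shares interpolate q(0) = x, and the last function shows why t-1 shares reveal nothing: they are consistent with every candidate secret. The modulus P and the helper names are my own choices.

```python
import secrets

# Shamir (t, n) threshold secret sharing over GF(P), as on the slide: the dealer
# picks a random polynomial q of degree t-1 with q(0) = x and hands user i the
# share s_i = q(i).  P is an assumed choice (a Mersenne prime); secrets are < P.
P = 2**127 - 1

def interpolate(points, at):
    """Evaluate, at `at`, the unique polynomial of degree < len(points) that
    passes through the points {x_j: y_j} (Lagrange form, all arithmetic mod P)."""
    result = 0
    for i, y_i in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (at - j) % P
                den = den * (i - j) % P
        result = (result + y_i * num * pow(den, P - 2, P)) % P
    return result

def share(x, t, n):
    """Dealer side: returns {i: q(i)} for users i = 1..n."""
    assert 0 <= x < P and 1 <= t <= n < P
    coeffs = [x] + [secrets.randbelow(P) for _ in range(t - 1)]   # q(0) = x
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def reconstruct(shares, t):
    """Authorized subset: any t of the shares {i: s_i} determine q, hence q(0)."""
    if len(shares) < t:
        raise ValueError("unauthorized subset: fewer than t shares")
    chosen = dict(list(shares.items())[:t])
    return interpolate(chosen, 0)

def consistent_share(partial, candidate, i, t):
    """Why t-1 shares reveal nothing: for ANY candidate secret there is a
    degree t-1 polynomial through (0, candidate) and the t-1 known points;
    this returns the share that polynomial would assign to user i."""
    assert len(partial) == t - 1 and i not in partial and 0 not in partial
    return interpolate({0: candidate, **partial}, i)
```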

Slide 13: Access Structures
To define the requirements from such a scheme:
- Access Structure F: the collection of authorized subsets
- To make sense, F should be monotone: if A' ⊆ A and A' ∈ F then A ∈ F
- Can consider F_0, the collection of all minimal sets of F
Perfect secret sharing scheme: any unauthorized subset gains absolutely no information on the secret. If the secret is a r.v. X then
- for any distribution of X
- for any A ∉ F: H(X|A) = H(X).
Theorem [Ito, Saito and Nishizeki 1987]: for every access structure F there exists a perfect secret sharing scheme.
Size of shares: proportional to |F_0|.

Slide 14: The complexity of F and the size of shares
Want efficient secret sharing schemes.
Complexity of F: given a subset A ⊆ {P_1, P_2, ..., P_n}, decide whether A is authorized or not authorized.
Theorem [Benaloh-Leichter 1988]: if authorization can be decided by a monotone formula, then there is a perfect secret sharing scheme where the size of a share is proportional to the size of the formula.
Other computational devices: monotone span programs [Karchmer Wigderson 1993]
Major question: can you prove a lower bound on the size of the shares for some access structure?
- Even a non-constructive result is interesting
What about directed connectivity?
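The Benaloh-Leichter construction behind the theorem above, as an added example that is not from the talk: an OR gate hands its value to every child, an AND gate splits its value into random XOR shares, so each user's share size is exactly the number of formula leaves carrying that user's name. The nested-tuple formula encoding and the share length K = 128 are my own assumptions.

```python
import secrets
from functools import reduce

# A monotone formula is a user name (leaf) or ('and', f1, f2, ...) / ('or', f1, ...).
# Secrets and shares are K-bit integers, i.e. vectors over GF(2)^K, combined by XOR.
K = 128  # assumed share length in bits

def share(formula, secret, shares=None, ctr=None):
    """Dealer side.  Walks the formula left to right: an OR node hands the same
    value to every child, an AND node splits its value into random XOR-shares,
    one per child.  Returns {user: {leaf_id: value}}; a user's share size is the
    number of leaves labelled with that user, i.e. proportional to the formula."""
    if shares is None:
        shares, ctr = {}, [0]
    if isinstance(formula, str):                       # leaf: value goes to the user
        shares.setdefault(formula, {})[ctr[0]] = secret
        ctr[0] += 1
    elif formula[0] == 'or':
        for sub in formula[1:]:
            share(sub, secret, shares, ctr)
    elif formula[0] == 'and':
        parts = [secrets.randbits(K) for _ in formula[2:]]          # m-1 random values
        parts.append(reduce(lambda a, b: a ^ b, parts, secret))     # XOR of all = secret
        for sub, part in zip(formula[1:], parts):
            share(sub, part, shares, ctr)
    else:
        raise ValueError("formula nodes must be 'and' or 'or'")
    return shares

def reconstruct(formula, users, shares, ctr=None):
    """Pool the shares of `users`: returns the secret if `users` satisfies the
    formula (authorized), else None.  Uses the same traversal order as share()."""
    if ctr is None:
        ctr = [0]
    if isinstance(formula, str):
        leaf_id, ctr[0] = ctr[0], ctr[0] + 1
        return shares[formula][leaf_id] if formula in users else None
    vals = [reconstruct(sub, users, shares, ctr) for sub in formula[1:]]
    if formula[0] == 'or':                             # any satisfied child suffices
        return next((v for v in vals if v is not None), None)
    if any(v is None for v in vals):                   # AND needs every child
        return None
    return reduce(lambda a, b: a ^ b, vals, 0)

def share_sizes(shares):
    """Number of K-bit values each user holds (= leaves labelled with that user)."""
    return {user: len(vals) for user, vals in shares.items()}
```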

Slide 15: Computational Secret Sharing
Perfect secret sharing scheme:
- Any unauthorized subset gains absolutely no information on the secret. For any r.v. X and any A ∉ F, H(X|A) = H(X).
Computational secret sharing scheme: any unauthorized subset gains no useful information on the secret. In the indistinguishability-of-encryption style:
- for any PPT adversary B
- for any x_0 and x_1
- for any A ∉ F,
- the advantage of B, given the shares of A, in distinguishing whether x = x_0 or x = x_1 is negligible.

Slide 16: Computational Secret Sharing
Theorem: suppose one-way functions exist; if authorization can be decided by a monotone circuit C, there is a computational secret sharing scheme where the size of a share is proportional to |C|.
Construction reminiscent of Yao's garbled circuit.
[Figure: a PRG gate with wire keys W_i, W_j, W_k]
What about monotone access structures that have small non-monotone circuits?
- Matching: users correspond to edges in the complete graph. Authorized sets: those graphs containing a perfect matching.

Slide 17: Secret Sharing and Oblivious Transfer
- Hamiltonian: users correspond to edges in the complete graph. Authorized sets: those graphs containing a Hamiltonian cycle.
- Want an efficient scheme for minimal authorized subsets, when given the witness (cycle).
Theorem: If
- One-way functions exist, and
- An efficient secret sharing scheme for the Hamiltonian problem exists,
then Oblivious Transfer protocols exist, i.e. Minicrypt = Cryptomania.
Construction is non-blackbox.

Slide 18: Distinguishing Hamiltonian from Non-Hamiltonian
Theorem: if one-way functions exist, then there exists a pair of poly-time distributions on graphs D_0 and D_1 such that
- G ∈ D_0 is non-Hamiltonian (almost always)
- G ∈ D_1 is Hamiltonian (generation process yields the cycle as well)
- D_0 and D_1 are indistinguishable: for any PPT B, the advantage of B, given G generated by D_b, in guessing b is negligible (in case of D_1 only the graph is given)
Proof: if one-way functions exist then there exist two indistinguishable distributions D'_0 and D'_1 on strings with (almost) disjoint support
- Via bit commitment protocol
- Possible to generate them with a witness
Let g be the (Cook-Karp) reduction such that on a given y creates a graph that is Hamiltonian iff y is in the support of D'_1.
The distributions D_0 and D_1 are obtained by applying g to the output of D'_0 and D'_1. (This is the non-blackbox part.)

Slide 19: The Oblivious Transfer Protocol
Input to Alice: {z_0, z_1}. Input to Bob: b.
Protocol:
- Bob uses D_0 and D_1 to generate two graphs G_0 and G_1 such that G_b is Hamiltonian and G_{1-b} is non-Hamiltonian.
  - Sends the graphs G_0 and G_1 to Alice
  - Remembers the cycle in G_b
- Alice runs the Hamiltonian secret sharing scheme twice, with secrets z_0 and z_1.
  - Sends to Bob the shares corresponding to the edges of G_0 for the first instance and G_1 for the second one
- Bob reconstructs the secret from the cycle he knows in G_b and obtains z_b
Requirements: Alice does not learn b. Bob learns z_b; Bob doesn't learn z_{1-b}.
Sufficient to come up with an honest-but-curious protocol; can use the GMW transformation to obtain a protocol in a malicious environment (a non-blackbox result).

Slide 20: Why does it work?
- Functionality: from the secret sharing
- Protecting Alice: the shares of z_{1-b} given to Bob do not yield useful information about it.
- Protecting Bob: Alice cannot guess b, since this would mean that she can distinguish between D_0 and D_1.
Similar scheme for all NP-Complete graph embedding type problems (Clique, ...).

Slide 21: Is there hope for a perfect scheme for Hamiltonian?
Theorem: if there is a perfect (statistical) scheme for Hamiltonian, then NP ⊆ Co-AM.
Proof: show an AM proof system for the non-Hamiltonicity of a graph G.
Verifier:
- Pick a random secret x ∈ {0,1} and generate shares for it.
- Send the Prover the shares of the edges of G.
Prover:
- Come up with random coins r_0 yielding the shares when x = 0 and random coins r_1 yielding the shares when x = 1.
Actually: a public coins protocol.
[Figure: NP, Co-NP, Co-AM]

Slide 22: Is there hope for a perfect scheme for Hamiltonian?
Perfect Hamiltonian secret sharing implies an (honest verifier) perfect zero-knowledge protocol for Hamiltonicity:
Verifier:
- Pick a random secret x ∈_R {0,1} and generate shares for it.
- Send the Prover the shares of the edges of G.
Prover:
- Reconstructs the secret x.
Recall: SZK = HVSZK ⊆ AM ∩ Co-AM [Goldreich-Sahai-Vadhan; Fortnow, Aiello-Hastad].

Slide 23: Is there hope for a perfect scheme for Hamiltonian?
Question: can we show that one-way functions are necessary for a (computational) scheme for Hamiltonicity?
- Existence of one-way functions is equivalent to existence of a pair of (poly-time) distributions that are statistically far but computationally indistinguishable.
- This should be the case if the graph is Hamiltonian. But the graph prevents the result from being fully constructive.
- [Ostrovsky-Wigderson]: non-trivial ZK implies one-way functions.

Slide 24: Open Problems
- Perfect Secret-Sharing Scheme for Directed connectivity
  - How to cope with the fan-out
- Computational Secret Sharing Scheme for Matching
  - How to cope with negation
- A secret sharing scheme for Hamiltonicity based on heavy cryptographic machinery, just for feasibility purposes.

Slide 25: Some Known Reductions
[Figure: reduction diagram among OWF, PRG, PRF, MAC, ENC, COM, ZK, ID, UOWHF, SIG, TDP, PKE, OT, SKE, CCA-PKE, CLAW-FREE, CF-HASH, NIZK]

Slide 26: A non-blackbox reduction
- NIZK + PKE yields CCA-secure PKE [NY, DDN]
- The reduction is non-blackbox: need to prove consistency of encryption
- Another nbb result: if one-way functions exist, then zero-knowledge identification is possible
Omer Reingold: while blackbox reductions do not assure efficiency, non-blackbox reductions assure inefficiency...

Slide 27: Compressing Instances
Rather than solving a problem, we are interested in compressing it, to be solved sometime in the future.
Compression should be solution preserving rather than input preserving.
For a language L we seek an efficient algorithm Z and a language L' such that:
1. Z(x) ∈ L' iff x ∈ L
2. |Z(x)| < |x|
Do not require that x can be restored from Z(x)!

Slide 28: Compressing NP Instances – Definition
The specific setting: NP languages with short witnesses. We consider two parameters:
- m: instance length
- n: witness length
For every x of length m, if x ∈ L then it has a witness of length n. The interesting case: n << m.
Compression for L: an efficient algorithm Z, a polynomial p(·,·) and a language L' such that for every x of length m:
1. Z(x) ∈ L' iff x ∈ L
2. |Z(x)| < p(n, log m)

Slide 29: Notes on the Definition
- Length of Z(x) is dominated by the witness length; potentially, Z(x) can be significantly shorter than x.
- Compression does not necessarily imply an efficient solution to the problem.
- Why p(n, log m)? This may be relaxed:
  - For complexity study, log m may be replaced by any sub-polynomial function of m
  - For some applications a compression of m^{1-ε} suffices.
- Definition is only interesting when n << m. E.g. 3-SAT is not an interesting problem for compression.
(Definition recalled from the previous slide: Compression for L: an efficient algorithm Z, a polynomial p(·,·) and a language L' such that for every x of length m: 1. Z(x) ∈ L' iff x ∈ L; 2. |Z(x)| < p(n, log m).)

Slide 30: Talk overview
- Introduce and define compression of NP instances.
- Motivation: Cryptographic applications
  - On CRH from one-way functions
  - On OT from one-way functions
- Study of Compression:
  - Can all NP be compressed?
  - Example of compression: Vertex Cover
  - Complexity study: W-reductions, the VC hierarchy
- Further Issues...

Slide 31: Collision Resistant Hash
A collection of collision resistant hash functions (CRH) is a family H of hash functions s.t. for a random h ∈ H it is hard for a PPTM to find a "collision": a pair x ≠ x' s.t. h(x) = h(x').
- Length reducing functions
[Figure: h maps x and x' to the same value]
Important primitive with a wide range of cryptographic applications (e.g. [K92, M94, B01]).

Slide 32: One-way functions
A one-way function (OWF) is a function f that is easy to compute but hard to invert.
- f(x) computable in poly-time
- No PPTM can find an inverse to f(x) for a random x
OWFs are the most fundamental building block in computationally based crypto.
- Necessary for most crypto tasks.
- Sufficient for many others (shared key encryption).
CRH and OWFs:
- CRH implies OWFs
- OWF not known to imply CRH: no "black box" construction of CRH from OWF [Simon98]

Slide 33: CRH from OWF?
Theorem: There exists a language L s.t. if there is an errorless compression of L then there exists a construction of CRH from any OWF. (There exists a family of such languages, e.g. SAT, Clique, ...)
Proof:
- Input to hash: an m-bit string x
- Let s be a commitment to an index i ∈ [m]
- For every j, define the circuit C_{j,s,x} to be a circuit that is satisfiable iff s is a commitment to j and x(j) = 1
- Define the circuit C_{s,x} to be the OR of all C_{j,s,x} for every j ∈ [m]
⇒ C_{s,x} is satisfiable iff x(i) = 1
[Figure: C_{s,x} is the OR of m circuits C_{1,s,x}, ..., C_{m,s,x}, each of size n]
Can actually tolerate an error of up to 2^{-Ω(m)}.
Commitment Scheme: the digital analogue of a locked box. Sender generates a string s that hides a value i and sends it to the receiver.
- Binding: s can only be "opened" to the value i.
- Hiding: a computationally bounded receiver learns nothing about the value i.
Commitments can be based on any OWF [N89], [HILL90].
Note: one can generate C_{j,s,x} without knowing the value i.

Slide 34: CRH from OWF, cont.
- Let Z be a compression algorithm for the circuit C_{s,x}. It takes as input a circuit C and randomness r.
- Every h ∈ H is described by a commitment s and randomness r for Z:
  h_{s,r}(x) = Z_r(C_{s,x})
- h is indeed shrinking due to the compression.
- Let x ≠ x' be s.t. h_{s,r}(x) = h_{s,r}(x'). If s is a commitment to i then it must be that x(i) = x'(i).
- If x and x' differ in the j-th bit, then we can deduce that s is not a commitment to the value j!!
- An adversary that can find a collision can deduce information about s, contradicting the hiding of the commitment.
Notes about the construction:
- The construction is inherently non-black-box: it uses the code of the OWF via the commitment.
- The compressed problem is never actually solved...

Slide 35: Talk overview (same outline as slide 30)

Slide 36: Oblivious Transfer
Impagliazzo (95) describes 5 possible worlds based on different computational assumptions. The top two worlds:
- Minicrypt: OWFs exist; some of crypto is possible (shared key encryption, commitments, signatures, ...)
- Cryptomania: Oblivious Transfer (OT) exists; almost anything is possible.
[Figure: Alice holds s_0, s_1; Bob holds c and receives s_c]
OT protocol:
- Bob gets s_c.
- Bob doesn't learn s_{1-c}.
- Alice does not learn c.
OWFs are not known to imply OT: Impagliazzo and Rudich (89) prove that there is no black box construction of OT from OWF.
OT is complete for Secure Computation!
- General framework that captures many cryptographic tasks (e.g. public key crypto, auctions, voting, e-commerce, ...)

Slide 37: OT from OWF?
Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania. (E.g., SAT, Clique, ...)
Suppose instance x ∈ L with witness w_x. The compressed instance y = Z(x) has witness w_y to y ∈ L'. Compression is witness retrievable if it is possible to obtain w_y in poly-time from y and w_x.
[Figure: x with witness w_x is mapped by Z to y with witness w_y]

Slide 38: OT from OWF?
Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
Proof: Construct a Private Information Retrieval (PIR) protocol. PIR implies OT [DMO00].
PIR protocol: Alice holds an m-bit database x ∈ {0,1}^m. Bob holds an index i ∈ [m].
- Bob learns x(i).
- Alice does not learn i.
- Total communication is less than m bits!
Input: Database x of m bits. Given a commitment s to an index i ∈ [m], define the circuit C_{s,x} (as in the CRH case).
- C_{s,x} is satisfiable iff x(i) = 1
- C_{s,x} is the OR of m circuits, each of size n

Slide 39: OT from OWF, cont.
Theorem: There exists a language L such that if there is a witness retrievable compression of L then Minicrypt = Cryptomania.
Proof:
- Bob creates a commitment s to his choice index i ∈ [m]. Sends s to Alice.
- Alice generates the circuit C_{s,x} based on x and s. Alice sends Z(C_{s,x}) to Bob.
- Z(C_{s,x}) contains the information about the bit x(i). Bob can retrieve it using the witness retrieval property.
Security:
- Bob's i is hidden by the commitment.
- Total communication is low.
[Figure: Bob (input i) sends s; Alice (input x) replies with Z(C_{s,x}); Bob outputs x(i)]
Generates a 2-message PIR: sufficient also for Public Key Encryption from any OWF!

