Does Privacy Require True Randomness? Yevgeniy Dodis New York University Joint work with Carl Bosley.


Slide 1: Does Privacy Require True Randomness? Yevgeniy Dodis, New York University. Joint work with Carl Bosley.

Yevgeniy Dodis, New York University, IPAM Workshop. Slide 2: Warning

Slide 3: Randomness is Important

Slide 4: Even in Everyday Life

Slide 5: Even in Cryptography…
- Secret keys must have entropy
- Many primitives must be randomized (encryption, commitment, ZK)
- Common abstraction: perfect randomness
  – strong assumption, hard to get right

Slide 6: Randomness is Hard to Get

Slide 7: Coins cannot be trusted either

Slide 8: Especially with Active Attackers

Slide 9: Perfect Randomness
- Hard to get, as we just saw
- Do we really need perfect randomness?
- Imperfect source: a family of distributions satisfying some property (e.g., a min-entropy bound)
- "Tolerate" an imperfect source: one scheme that works correctly for every distribution D in the source
- Main Question: which imperfect sources are enough for cryptography?

Slide 10: Extractable Sources
- Sources permitting (deterministic) extraction of nearly perfect randomness
  – such sources suffice for (almost) anything perfect randomness is enough for
- However, many sources are non-extractable
  – e.g., entropy sources [SV86, CG89]
- Are extractable sources the only "good" sources for cryptography?
  – Depends on the application…

Slide 11: Current Answers
- Correctness/Soundness: NO
  – can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
- Authentication/Unpredictability: NO
  – quite weak sources are enough for MACs [MW97, RW03] and signatures [DOPS04]
  – separation between authentication and extraction [DS02]
- Privacy/Indistinguishability: ???
  – All current techniques critically rely on perfect randomness. Is this inherent?
- Our Main Result: YES!!! (for multi-bit encryption, nearly perfect randomness is inherent)

Slide 12: Current Answers
- Correctness/Soundness: NO
  – Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
- Authentication/Unpredictability: NO
  – Quite weak sources are enough for MACs [MW97] (and even weaker ones for interactive MACs [RW03])
  – Enough for signatures as well, assuming "strong OWPs" [DOPS04]
  – General sources: separation between authentication and extraction [DS02]

Slide 13: Privacy/Indistinguishability
Mixed indications:
- (−) All known techniques (pseudorandomness, …) critically rely on perfect randomness
- (−) The studied non-extractable sources are not enough for privacy either [MP91, DOPS04]
- (+) 1-bit case [DS02, DPP06]: strict implications extraction ⇒ encryption ⇒ 2-out-of-2 secret sharing (neither converse holds)
- What about the general, multi-bit case?

Slides 14–15: Our Main Result
- Nearly perfect randomness is inherent for information-theoretic private-key encryption
- Theorem 1: If an n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract ≈ b nearly perfect bits from S!
  – Either the secret key length is exponential in b (b ≤ log n, i.e. n ≥ 2^b), or
  – S is perfect enough to apply the one-time pad!
  – Note: if Enc is efficient, then so is Ext
- Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b ≈ (log n − loglog n) bits

Slide 16: Interpretation
- Theorem 1: to encrypt b bits,
  – either the secret key length is exponential in b (n ≥ 2^b), or
  – S is extractable and, in fact, "perfect enough" to apply (an almost) b-bit one-time pad!
- Thus, if b is "non-trivial", then
  – cannot afford to sample an exponentially long key
  – must find a source capable of extracting almost b random bits to begin with
  – might as well extract and use the one-time pad
  – the one-time pad is universal after all

Slide 17: Interpretation
- Theorem 2: a glimmer of hope
  – Encryption of up to (log n − loglog n) bits does not imply extraction of even 1 bit
  – Non-trivially extends the 1-bit separation of [DS02] to (log n − loglog n) bits
- For encrypting very few bits, true randomness is not inherent

Slide 18: Extensions
- Computational security: implies extraction of ≈ b pseudorandom bits
  – In particular, at least 1 statistically random bit!
- Efficiency: poly-time encryption ⇒ poly-time extraction (non-explicit)
- Other primitives: extends to public-key encryption and perfectly-binding commitments

Slide 19: Conclusions
- The one-time pad is universal for private-key encryption
- Strong indication that (nearly) perfect randomness is inherent for privacy
- Open questions:
  – De-randomize the construction of the extractor
  – Extend to other (all?) privacy applications
  – Classify crypto applications w.r.t. randomness

Slide 20: Let the fun begin!

Slide 21: Deterministic Extraction
- n-bit source S = a family of distributions {K} on {0,1}^n
- ℓ-bit extractor Ext for S:
  – Ext: {0,1}^n → {0,1}^ℓ
  – Ext is ε-fair if for all K ∈ S, SD(Ext(K), U_ℓ) ≤ ε (SD is statistical distance; U_ℓ is the uniform distribution on {0,1}^ℓ)
- S is (ℓ, ε)-extractable if there is an ε-fair extractor Ext for S

Slide 22: Private-Key Encryption
- Alice and Bob share an n-bit key k ← K, for some K ∈ S
- b-bit encryption scheme (Enc, Dec) for S:
  – Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
  – For all m ∈ {0,1}^b and k ∈ {0,1}^n, Dec(Enc(m, k), k) = m
  – (Enc, Dec) is δ-secure if for all K ∈ S and m ∈ {0,1}^b, SD(Enc(m, K), Enc(U_b, K)) ≤ δ
- S is (b, δ)-encryptable if there is a δ-secure b-bit encryption scheme (Enc, Dec) for S

Slide 23: Results Restated
- Theorem 1: If an n-bit S is (b, δ)-encryptable and b > log n + 2 log(1/ε), then S must be (b − 2 log(1/ε), ε + δ)-extractable
- Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable but not (1, ε)-extractable, where

Slides 24–26: Proof of Theorem 1
- Let S' = { Enc(U_b, k) | k ∈ {0,1}^n }
- Lemma 1: If S' is (ℓ, ε)-extractable, then S is (ℓ, ε + δ)-extractable. In fact, Ext(k) = Ext'(Enc(0, k))
  – Proof: take any K ∈ S. Then SD(Ext'(Enc(0, K)), U_ℓ) ≤ SD(Enc(0, K), Enc(U_b, K)) + SD(Ext'(Enc(U_b, K)), U_ℓ) ≤ δ + ε, since applying Ext' cannot increase statistical distance, Enc is δ-secure under K, and Enc(U_b, K) is a convex combination of members of S', on each of which Ext' is ε-fair
- Lemma 2: If b > log n + 2 log(1/ε), then S' is (b − 2 log(1/ε), ε)-extractable
- Say X is b-flat if X is uniform on 2^b values
- Note: every X ∈ S' is b-flat, because Dec recovers m from Enc(m, k), so the 2^b ciphertexts Enc(m, k) are distinct
- Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
  – Implies Lemma 2 and hence Theorem 1

Slide 27: Proof of Lemma 3
- Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
- Proof: Let ℓ = b − 2 log(1/ε), B = 2^b, L = 2^ℓ = B·ε²
- Pick a random f: C → {0,1}^ℓ
- ∀ b-flat X ∈ S', Chernoff + union bound ⇒
- Another union bound over all X ∈ S',
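Added example, not from the talk: the definitions of slides 21–22 and the Theorem 1 extractor Ext(k) = Ext'(Enc(0, k)) of Lemma 1, with Ext' a random function on the ciphertext space as in Lemma 3, run on a toy scheme. The scheme (a 12-bit key split into an 8-bit pad a and a 4-bit tag r, ciphertext (m ⊕ a) ‖ r), the parameters n = 12, b = 8, ε = 1/4 (so ℓ = 4), the three key distributions and all function names are my illustrative choices; the measured ε for the random table is one sample, not a proof.

```python
# Added example (not from the talk).  Toy instance of slides 21-27:
# key k = (a: 8 bits, r: 4 bits), Enc(m, k) = (m XOR a) || r, so the
# ciphertext space (2^12) is larger than the message space (2^8) and each
# Enc(U_b, k) is b-flat but not uniform on C.  Parameters and key
# distributions below are illustrative choices; Ext' is a random table as in
# Lemma 3.  Distributions are dicts value -> probability (floats).
import math
import random
from collections import Counter

N_BITS, B_BITS, R_BITS = 12, 8, 4            # n, b, and the tag length
MSGS = range(1 << B_BITS)                    # {0,1}^b as integers
EPS = 0.25
ELL = B_BITS - 2 * int(math.log2(1 / EPS))   # ell = b - 2 log(1/eps) = 4


def enc(m, k):
    a, r = k >> R_BITS, k & ((1 << R_BITS) - 1)
    return ((m ^ a) << R_BITS) | r


def dec(c, k):
    return (c >> R_BITS) ^ (k >> R_BITS)


def stat_dist(p, q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    return sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in set(p) | set(q)) / 2


def push_forward(f, dist):
    """Distribution of f(X) when X ~ dist."""
    out = Counter()
    for x, p in dist.items():
        out[f(x)] += p
    return out


def uniform_over(values):
    values = list(values)
    return {v: 1.0 / len(values) for v in values}


def security_delta(key_dist):
    """delta of slide 22: max over m of SD(Enc(m, K), Enc(U_b, K))."""
    ref = Counter()                          # the distribution Enc(U_b, K)
    for k, p in key_dist.items():
        for m in MSGS:
            ref[enc(m, k)] += p / len(MSGS)
    return max(stat_dist(push_forward(lambda k, m=m: enc(m, k), key_dist), ref)
               for m in MSGS)


def fairness_eps(ext_fn, key_dist, ell):
    """epsilon of slide 21: SD(Ext(K), U_ell)."""
    return stat_dist(push_forward(ext_fn, key_dist), uniform_over(range(1 << ell)))


# Three key distributions (constructed).  Enc is 0-secure under the first two
# (a uniform and independent of r); under the third r = popcount(a) pins a down.
K_ALL = uniform_over(range(1 << N_BITS))
K_FIXED_R = uniform_over(a << R_BITS for a in range(1 << B_BITS))       # 8 bits of entropy in 12
K_LEAKY = uniform_over((a << R_BITS) | bin(a).count("1") for a in range(1 << B_BITS))

# Lemma 3: one random f: C -> {0,1}^ell (the seed is arbitrary).
_rng = random.Random(2007)
F_TABLE = [_rng.randrange(1 << ELL) for _ in range(1 << N_BITS)]


def ext_prime(c):
    return F_TABLE[c]


# S' = { Enc(U_b, k) }: here the distribution depends only on r, so 16 b-flat members.
FLAT_SOURCES = [uniform_over(enc(m, r) for m in MSGS) for r in range(1 << R_BITS)]


def ext(k):
    """Lemma 1: Ext(k) = Ext'(Enc(0, k)); fair on every K under which Enc is secure."""
    return ext_prime(enc(0, k))


def ext_naive(k):
    """'Read the low bits of the key': constant, hence useless, on K_FIXED_R."""
    return k & ((1 << ELL) - 1)


def max_eps_on_flats():
    """Worst SD(Ext'(X), U_ell) over X in S'; Lemma 3 says a random f keeps it <= eps w.h.p."""
    return max(fairness_eps(ext_prime, X, ELL) for X in FLAT_SOURCES)


if __name__ == "__main__":
    for name, K in (("K_ALL", K_ALL), ("K_FIXED_R", K_FIXED_R), ("K_LEAKY", K_LEAKY)):
        print(f"delta under {name}: {security_delta(K):.4f}")
    print(f"Ext' on S' (worst eps): {max_eps_on_flats():.4f}   target eps = {EPS}")
    print(f"Ext on K_FIXED_R:       {fairness_eps(ext, K_FIXED_R, ELL):.4f}")
    print(f"naive on K_FIXED_R:     {fairness_eps(ext_naive, K_FIXED_R, ELL):.4f}")
```

Running it gives δ = 0 for the two secure key distributions and δ ≈ 0.80 for the leaky one, a worst-case ε for Ext' over the 16 members of S' well below the target 1/4, the same bound for Ext on the source with only 8 bits of entropy, and 15/16 for the naive extractor that reads the low key bits. The last two lines are the content of Lemma 1: Ext does not need to know where in k the entropy sits, because a secure Enc already had to hide that, and Ext' only has to handle b-flat distributions, which is what Lemma 3 provides.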

Slide 28: Observations
- [TV00]: enough to pick an n-wise independent f
- Lemma 3': If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is efficiently (b − 2 log(1/ε) − log n, ε)-extractable
- Corollary: If Enc is efficient ⇒ so is Ext
- Extends to the computational setting
  – Extract pseudorandom bits
- Perfect binding is enough
  – Covers public-key encryption and perfectly-binding commitment

Slide 29: Proof of Theorem 2
- Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable but not (1, ε)-extractable, where
- Theorem 2': For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, ε)-extractable, where Good(E) = { K | E is Shannon-secure under K }

Slide 30: Proof of Theorem 2'
- Let N = 2^n, B = 2^b, and S such that N ≈ S(S−1)…(S−B+1) (the number of B-tuples of distinct elements of [S])
- Note: S ≈ N^{1/B} (> B for our parameters)
- M = [B], C = [S], K = {all B-tuples of distinct ciphertexts} = { k = (c_1 … c_B) | c_i ≠ c_j for i ≠ j }
- Enc(m, (c_1 … c_B)) = c_m; Dec(c, (c_1 … c_B)) = the m such that c_m = c
- Take any Ext: [N] → {0,1}. Call a key distribution K perfect if E is Shannon-secure under it, i.e., K ∈ Good(E)
- Case 1: ∃ a 0-monochromatic perfect K (Ext ≡ 0 on its support)
  – Ext is fixed to 0 under K, so SD(Ext(K), U_1) = 1/2; done
- Case 2: no such 0-monochromatic perfect K
  – [Main Lemma] ∃ perfect K' s.t. Pr[Ext(K') = 0] < B²/S, so Ext(K') is again far from uniform

Slide 31: Proof of Main Lemma
- Same setup as slide 30: N = 2^n, B = 2^b, N ≈ S(S−1)…(S−B+1), S ≈ N^{1/B} (> B for our parameters); M = [B], C = [S], K = { k = (c_1 … c_B) | c_i ≠ c_j for i ≠ j }; Enc(m, (c_1 … c_B)) = c_m, Dec(c, (c_1 … c_B)) = m s.t. c_m = c
- Main Lemma: if Ext cannot be fixed to 0 by any perfect K, then ∃ perfect K s.t. Pr[Ext(K) = 0] < B²/S
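Added example, not from the talk: the Theorem 2' construction of slides 30–31 at B = 2 (so b = 1) and S = 8, giving N = 56 keys, together with a brute-force check of Shannon security. The two families of perfect key sets used as witnesses (cyclic shifts of an offset tuple, and all orderings of a fixed tuple), the three sample extractors and all function names are my choices; the search over those families illustrates the Case 1 / Case 2 dichotomy of slide 30 for those extractors only and does not prove the Main Lemma.

```python
# Added example (not from the talk).  The Theorem 2' scheme of slides 30-31 at
# B = 2 (b = 1) and S = 8, so N = S(S-1) = 56 keys.  The two families of
# perfect key sets and the three extractors are illustrative choices; the
# search shows the Case 1 / Case 2 dichotomy for them and proves nothing in
# general.  Key distributions are dicts key -> Fraction.
from collections import Counter
from fractions import Fraction
from itertools import combinations, permutations

B, S = 2, 8
KEYS = list(permutations(range(S), B))       # all B-tuples of distinct ciphertexts


def enc(m, k):
    """Enc(m, (c_1..c_B)) = c_m, with messages indexed from 0 here."""
    return k[m]


def dec(c, k):
    """Dec(c, (c_1..c_B)) = the m with c_m = c."""
    return k.index(c)


def uniform(keys):
    p = Fraction(1, len(keys))
    return {k: p for k in keys}


def cipher_dist(m, key_dist):
    """Distribution of Enc(m, K)."""
    out = Counter()
    for k, p in key_dist.items():
        out[enc(m, k)] += p
    return out


def is_perfect(key_dist):
    """K in Good(E): Enc(m, K) has the same distribution for every m (Shannon security)."""
    ref = cipher_dist(0, key_dist)
    return all(cipher_dist(m, key_dist) == ref for m in range(1, B))


def shift_family(offsets):
    """Rotate a tuple of distinct offsets through all S cyclic shifts; every
    coordinate is then uniform on [S], so the uniform distribution on it is perfect."""
    return [tuple((i + d) % S for d in offsets) for i in range(S)]


def perm_family(values):
    """All orderings of B distinct ciphertexts; every coordinate is uniform on
    'values', so this B!-element set is perfect as well."""
    return list(permutations(values))


def pr_zero(ext, key_dist):
    """Pr[Ext(K) = 0]."""
    return sum(p for k, p in key_dist.items() if ext(k) == 0)


def perfect_candidates():
    yield from (perm_family(v) for v in combinations(range(S), B))
    yield from (shift_family((0,) + d) for d in permutations(range(1, S), B - 1))


def find_zero_monochromatic(ext):
    """Case 1 of slide 30, searched over the two families: a perfect key set on
    which Ext is identically 0, or None."""
    for keyset in perfect_candidates():
        if all(ext(k) == 0 for k in keyset):
            return keyset
    return None


def min_pr_zero(ext):
    """Case 2 of slide 30, over the same families: the smallest Pr[Ext(K) = 0]."""
    return min(pr_zero(ext, uniform(ks)) for ks in perfect_candidates())


# Three 1-bit extractors on the 56-element key space.
def ext_sum_parity(k):
    return sum(k) % 2


def ext_first_parity(k):
    return k[0] % 2


def ext_first_smaller(k):
    return 1 if k[0] < k[1] else 0


if __name__ == "__main__":
    assert all(is_perfect(uniform(ks)) for ks in perfect_candidates())
    print("Main Lemma bound B^2/S =", Fraction(B * B, S))
    for e in (ext_sum_parity, ext_first_parity, ext_first_smaller):
        print(f"{e.__name__:18s} 0-monochromatic perfect K: {find_zero_monochromatic(e)}"
              f"   min Pr[Ext=0]: {min_pr_zero(e)}")
```

For ext_sum_parity and ext_first_parity the search finds a Case 1 witness, a perfect K on which Ext is identically 0 (for instance the uniform distribution on {(0, 2), (2, 0)}), so Ext(K) is constant and SD(Ext(K), U_1) = 1/2. For ext_first_smaller no key set in either family is 0-monochromatic, and none can be: Ext = 0 would force k[0] > k[1] on the whole support, contradicting the equal distributions of the two coordinates that Shannon security requires. There the shift family (i, i+1 mod 8) gives Pr[Ext(K) = 0] = 1/8, below the Main Lemma's B²/S = 1/2. Either way the extracted bit is far from uniform, even though every distribution in Good(E) encrypts one bit perfectly.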

Slide 32: Proof of Main Lemma. Not to prove Theorem 2'. Not to prove Main Lemma.

Slide 33: But don't go, we need to prove the Main Lemma!!!