
Does Privacy Require True Randomness? Yevgeniy Dodis New York University Joint work with Carl Bosley.


Yevgeniy Dodis, New York University. IPAM Workshop.

Slide 2: Warning:

Slide 3: Randomness is Important

Slide 4: Even in Everyday Life

Slide 5: Even in Cryptography…
- Secret keys must have entropy
- Many primitives must be randomized (encryption, commitment, ZK)
- Common abstraction: perfect randomness
  – strong assumption, hard to get right

Slide 6: Randomness is Hard to Get

Slide 7: Coins cannot be trusted either

Slide 8: Especially with Active Attackers

Slide 9: Perfect Randomness
- Hard to get, as we just saw
- Do we really need perfect randomness?
- Imperfect source: family of distributions satisfying some property (e.g., entropy)
- "Tolerate" an imperfect source: have one scheme work correctly for any D in the source
- Main Question: which imperfect sources are enough for Cryptography?

Slide 10: Extractable Sources
- Sources permitting (deterministic) extraction of nearly perfect randomness
  – such sources suffice for (almost) anything perfect randomness is enough for
- However, many sources are non-extractable
  – e.g., entropy sources [SV86, CG89]
- Are extractable sources the only "good" sources for cryptography???
  – Depends on application…

Slide 11: Current Answers
- Correctness/Soundness:
  – NO, can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
- Authentication/Unpredictability:
  – NO, quite weak sources are enough for MACs [MW97, RW03] and signatures [DOPS04]
  – Separation between authentication and extraction [DS02]
- Privacy/Indistinguishability???
  – All current techniques critically rely on perfect randomness. Is this inherent?
- Our Main Result: YES!!!

Slide 12: Current Answers
- Correctness/Soundness: NO
  – Can base BPP/IP on very weak sources [VV85, SV86, CG88, Zuc96, ACRT99, DOPS04]
- Authentication/Unpredictability: NO
  – Quite weak sources are enough for MACs [MW97] (& even weaker for interactive MACs [RW03])
  – Enough for signatures as well, assuming "strong OWPs" [DOPS04]
  – General sources: separation between authentication and extraction [DS02]

Slide 13: Privacy/Indistinguishability
Mixed indications:
− All known techniques (pseudorandomness, …) critically rely on perfect randomness
− Studied non-extractable sources are not enough for privacy either [MP91, DOPS04]
+ 1-bit case [DS02, DPP06]: strict implications extraction ⇒ encryption ⇒ 2-2 secret sharing
What about the general, multi-bit case???

Slides 14–15: Our Main Result
- Nearly perfect randomness is inherent for information-theoretic private-key encryption
- Theorem 1: If an n-bit source S admits a good b-bit encryption, where b > log n, then one can deterministically extract ≈ b nearly perfect bits from S!
  – Either the secret key length is exponential, or
  – S is perfect enough to apply the one-time pad!
  – Note: if Enc is efficient, then so is Ext
- Theorem 2: There are non-extractable n-bit sources S admitting a perfect encryption of b ≈ (log n − loglog n) bits

Slide 16: Interpretation
- Theorem 1: to encrypt b bits
  – Either the secret key length is exponential, or
  – S is extractable and, in fact, "perfect enough" to apply (an almost) b-bit one-time pad!
- Thus, if b is "non-trivial", then
  – Cannot afford to sample an exponentially long key
  – Must find a source capable of extracting almost b random bits to begin with
  – Might as well extract and use the one-time pad
- One-time pad is universal after all

Slide 17: Interpretation
- Theorem 2: glimmer of hope
  – Encryption of up to (log n − loglog n) bits does not imply extraction of even 1 bit
  – Non-trivially extends the 1-bit separation of [DS02] to (log n − loglog n) bits
- For encrypting very few bits, true randomness is not inherent

Slide 18: Extensions
- Computational security: implies extraction of ≈ b pseudorandom bits
  – In particular, at least 1 statistical bit!
- Efficiency: poly-time encryption ⇒ poly-time extraction (non-explicit)
- Other primitives: extends to public-key encryption, perfectly-binding commitments

Slide 19: Conclusions
- One-time pad is universal for private-key encryption
- Strong indication that (nearly) perfect randomness is inherent for privacy
- Open questions:
  – De-randomize the construction of the extractor
  – Extend to other (all?) privacy applications
  – Classify crypto applications w.r.t. randomness

Slide 20: Let the fun begin!

Slide 21: Deterministic Extraction
- n-bit source S = family of distributions {K} on {0,1}^n
- ℓ-bit extractor Ext for S:
  – Ext: {0,1}^n → {0,1}^ℓ
- Ext is ε-fair if for all K ∈ S, we have SD(Ext(K), U_ℓ) ≤ ε
- S is (ℓ, ε)-extractable if there is an ε-fair extractor Ext for S

Slide 22: Private-Key Encryption
- Alice & Bob share an n-bit key k ← K, for K ∈ S
- b-bit encryption scheme (Enc, Dec) for S:
  – Enc: {0,1}^b × {0,1}^n → C, Dec: C × {0,1}^n → {0,1}^b
  – For all m ∈ {0,1}^b, k ∈ {0,1}^n: Dec(Enc(m, k), k) = m
- (Enc, Dec) is δ-secure if for all K ∈ S and m ∈ {0,1}^b, SD(Enc(m, K), Enc(U_b, K)) ≤ δ
- S is (b, δ)-encryptable if there is a δ-secure b-bit encryption scheme (Enc, Dec) for S

Slide 23: Results Restated
- Theorem 1: If n-bit S is (b, δ)-encryptable and b > log n + 2 log(1/ε), then S must be (b − 2 log(1/ε), ε + δ)-extractable
- Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where (the bound on ε on this slide was not captured in the transcript)

Slides 24–26: Proof of Theorem 1
- Let S' = {Enc(U_b, k) | k ∈ {0,1}^n}
- Lemma 1: If S' is (ℓ, ε)-extractable, then S is (ℓ, ε + δ)-extractable. In fact, Ext(k) = Ext'(Enc(0, k))
  – Proof: take any K ∈ S. Then SD(Ext'(Enc(0, K)), U_ℓ) ≤ SD(Enc(0, K), Enc(U_b, K)) + SD(Ext'(Enc(U_b, K)), U_ℓ) ≤ δ + ε, since applying Ext' cannot increase statistical distance, and Enc(U_b, K) is a mixture of members of S', on each of which Ext' is ε-fair
- Lemma 2: If b > log n + 2 log(1/ε), then S' is (b − 2 log(1/ε), ε)-extractable
- Say X is b-flat if X is uniform on 2^b values
- Note: all X ∈ S' are b-flat (can decrypt!)
- Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
  – Implies Lemma 2 and Theorem 1

Slide 27: Proof of Lemma 3
- Lemma 3: If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is (b − 2 log(1/ε), ε)-extractable
- Proof: Let ℓ = b − 2 log(1/ε), B = 2^b, L = 2^ℓ = B·ε²
- Pick a random f: C → {0,1}^ℓ
- ∀ b-flat X ∈ S', Chernoff + union bound (over the 2^L output sets) ⇒ f fails to be ε-fair on X with probability exponentially small in ε²B (the explicit bound on this slide was not captured in the transcript)
- Another union bound over all 2^n X ∈ S' ⇒ some f is ε-fair on every X ∈ S', since b > log n + 2 log(1/ε) gives ε²B > n

Slide 28: Observations
- [TV00]: enough to pick an n-wise independent f
- Lemma 3': If b > log n + 2 log(1/ε), then any collection S' of 2^n b-flat distributions is efficiently (b − 2 log(1/ε) − log n, ε)-extractable
- Corollary: If Enc is efficient ⇒ so is Ext
- Extends to the computational setting
  – Extract pseudorandom bits
- Perfect binding is enough
  – Covers public-key encryption and perfectly-binding commitment

Slide 29: Proof of Theorem 2
- Theorem 2: For b < log n − loglog n − 1, there is an n-bit S which is (b, 0)-encryptable, but not (1, ε)-extractable, where (the bound on ε on this slide was not captured in the transcript)
- Theorem 2': For b < log n − loglog n − 1, there is a b-bit E = (Enc, Dec) for which Good(E) is not (1, ε)-extractable, where Good(E) = {K | E is Shannon-secure under K}

Slides 30–31: Proof of Theorem 2' and the Main Lemma
- Let N = 2^n; B = 2^b; S s.t. N ≈ S(S−1)…(S−B+1)
- Note: S ≈ N^{1/B} (> B for our params)
- M = [B], C = [S], K = {all B-tuples of distinct ciphertexts}
  – K = {k = (c_1 … c_B) | c_i ≠ c_j for i ≠ j}
- Enc(m, (c_1 … c_B)) = c_m, Dec(c, (c_1 … c_B)) = m s.t. c_m = c
- Take any Ext: [N] → {0,1}
- Case 1: ∃ a 0-monochromatic perfect K
  – Fix Ext to 0 with K, done
- Case 2: ∄ such a 0-monochromatic perfect K
  – [Main Lemma] ∃ perfect K' s.t. Pr[Ext(K') = 0] < B²/S
- Main Lemma: if Ext cannot be fixed to 0, then ∃ perfect K s.t. Pr[Ext(K) = 0] < B²/S
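As an added example (not the authors' code), here is a toy instance of the Theorem 2' scheme above with B = 2 messages and S = 4 ciphertexts, an exact statistical-distance check of whether a key distribution makes it Shannon-secure, and the Lemma 1 composition Ext(k) = Ext'(Enc(0, k)). It contrasts two perfectly secure key distributions: the uniform one, on which a parity extractor is fair, and a constructed 0-monochromatic one, on which the same extractor is constant; the toy parameters ignore Theorem 2's b < log n − loglog n − 1 requirement.

```python
import itertools
from collections import Counter
from fractions import Fraction

# Toy Theorem 2' instance (added example, not the authors' code): M=[B], C=[S].
B = 2   # number of messages (b = 1 bit)
S = 4   # ciphertext alphabet size

def key_space():
    """All ordered B-tuples of distinct elements of [S]: the key set K."""
    return list(itertools.permutations(range(S), B))
def enc(m, k):            # Enc(m, (c_1 ... c_B)) = c_m
    return k[m]
def dec(c, k):            # Dec(c, (c_1 ... c_B)) = the m with c_m = c
    return k.index(c)
def uniform(items):
    return {x: Fraction(1, len(items)) for x in items}
def stat_dist(p, q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)| for dict-valued distributions."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2

def push_forward(f, key_dist):
    """Distribution of f(K) when K is drawn from key_dist (dict key -> prob)."""
    out = Counter()
    for k, pr in key_dist.items():
        out[f(k)] += pr
    return out

def security_error(key_dist):
    """delta = max_m SD(Enc(m, K), Enc(U_b, K)); delta == 0 means Shannon-secure."""
    per_m = [push_forward(lambda k, m=m: enc(m, k), key_dist) for m in range(B)]
    mix = Counter()       # Enc(U_b, K): average of the per-message distributions
    for d in per_m:
        for c, pr in d.items():
            mix[c] += pr / B
    return max(stat_dist(d, mix) for d in per_m)

def correctness_ok():
    return all(dec(enc(m, k), k) == m for k in key_space() for m in range(B))
def composed_extractor(ext_prime):
    """Lemma 1: Ext(k) = Ext'(Enc(0, k)) lifts an extractor for S' to one for S."""
    return lambda k: ext_prime(enc(0, k))
def extractor_bias(ext, key_dist):
    """SD(Ext(K), U_1) for a 1-bit extractor Ext; 0 means perfectly fair."""
    return stat_dist(push_forward(ext, key_dist), uniform([0, 1]))

# Two constructed key distributions, both Shannon-secure for this scheme:
K_ALL = uniform(key_space())          # uniform over all 12 keys
K_EVEN = uniform([(0, 2), (2, 0)])    # 0-monochromatic for the parity extractor
PARITY_EXT = composed_extractor(lambda c: c % 2)   # Ext'(c) = parity of c in [S]
```

Both `security_error(K_ALL)` and `security_error(K_EVEN)` are 0, yet `extractor_bias(PARITY_EXT, K_EVEN)` is 1/2: a fixed extractor that is fair on one perfect key distribution can be constant on another, which is the Case 1 situation of the proof.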

Slide 32: Proof of Main Lemma
- Not to prove Theorem 2'
- Not to prove Main Lemma

Slide 33: But don't go, we need to prove the main lemma!!!

