On Black-Box Separations in Cryptography

Omer Reingold
Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan
Crypto - The Merry “Old” Days
Cryptographic Protocols, Primitives, and Assumptions (the slide shows a cloud of examples): Homomorphic Encryption, UOWHFs, Strong RSA, ID Based Encryption, PIRs, Dense Crypto, Electronic Voting System, Factoring, Digital Signatures, Electronic Commerce, Identification, RSA, One-Way Functions, Pseudo-Random Generators, Oblivious Transfer, Trapdoor Permutations, DDH.
Determining The Relationships Among Different Primitives
Most tasks in complexity-based crypto imply P ≠ NP (or even OWF).
• Simplify our conception of the world.
• Construct protocols with as strong security guarantee as possible.
Reductions: Given any implementation of primitive A, construct implementation of primitive B.
Some Known Reductions
(The slide shows a diagram of known implications among:) OWF, TDP, COM, PRG, UOWHF, NIZK, ZK, PRF, CCA-PKE, ID, MAC, SIG, ENC, PKE, CLAW-FREE, OT, KA, CF-HASH.
Are All Crypto Primitives Equivalent?
• If so: either no cryptography or Cryptomania!
• But some tasks seem “significantly harder” than others (e.g. private key vs. public key encryption).
• In what sense can we claim that primitive A does not imply primitive B if we believe that both exist?
After all, a reduction of B to A can ignore A and build B from scratch ...
Black-Box Separations – Where it Began
Impagliazzo-Rudich [89]
While it is not clear how to formalize/show non-implications in general, we can do that w.r.t. black-box reductions.
(Fully) Black-Box Reductions
Given a black-box implementation for primitive A, construct implementation of primitive B. (Diagram: the construction of B calls A only as a black box.)
Usually, still not structured enough to rule out: need black-box proof of security (several flavors). (Diagram: the adversary for A calls the adversary for B only as a black box.)
Such fully black-box reductions relativize (hold relative to every oracle).
What's not Black Box?
• No idea … ask Boaz …
• Oh well … Cook-Levin reduction is used in: OWF ⇒ “ZK proofs for all NP” [GMW91]
Non-BB carries on to applications:
– Semi-honest OT ⇒ malicious OT [GMW87]
– OWF ⇒ ID schemes [FFS88]
• Similarly, circuit of f used in secure computation of f [Yao86, GMW87]
– [Beaver96] Few OTs + OWF -> Many OTs
• Barak’s non-BB ZK and subsequent results. Use both old and new non-BB techniques.
What do Black-Box Separations Mean?
• This talk will concentrate on mathematical rather than philosophical meaning. Still …
• Few non black-box techniques (and in limited settings). Inherent limitation on efficiency.
• Therefore, black-box separations are explanation/indication for the hardness of finding reductions (esp. efficient ones).
• BB-reductions more robust – work w.r.t. “physical implementations” of primitives.
What do Black-Box Separations Mean?
• Insight into the relevant primitives. Guidance for non black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.)
Analogy from complexity:
• A Cook/Karp reduction of problem A to problem B is a black-box proof that B ∈ P ⇒ A ∈ P.
• SAT ∈ P ⇒ QBF2 ∈ P is true but inherently non-BB (QBF2 is “quantified Boolean formula with 2 alternations”).
Examples from cryptography:
• TDP seems to be of different complexity than OWF. [IR89] supports this.
• Collision resistant hashing might have seemed similar in nature to OWFs. [Simon98] challenged this (which is consistent with recent cryptanalysis attacks against popular hash functions).
Guidance for black-box constructions?
• Particular construction cannot be proved in BB? May be easier to change the construction than to overcome the obstacle.
• Examples:
– Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit -> OWP -> OWF.
– [Myers04] shows no BB proof for one particular natural construction (static to adaptive security).
Word of warning:
• Potentially, a non black-box proof may follow a black-box approach most of the way with a “small” non black-box fix.
Black-Box and Oracle Separations
• [IR89]: there exists an oracle relative to which one-way functions exist but key agreement does not:
No fully black-box reduction of key agreement to one-way functions.
• Many other BB separations/lower bounds [Rud91, Sim98, KST99, KSS00, GKM+00, GT00, GMR01, CHL02, ...]
– Various notions of BB reductions, in particular not always implying oracle separation (e.g. [GMR01]).
Crypto After IR (Impagliazzo’s Worlds)
Not even a hierarchy of problems [GKMVR00].
(Diagram of primitives: Trapdoor Permutation, Secure Multi-Party Computation (OT), Public Key Encryption, Key Agreement, Private Key Encryption, Pseudorandom Generators, One Way Functions, Digital Sig.; worlds: Algorithmica, Heuristica, Pessiland.)
This Talk
• [IR89]: The separation, its proof and interpretation of results.
• As many separations and proof intuitions. Focus on techniques and subtleties.
Beware: some cheating involved
The Impagliazzo-Rudich Results
• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model: ∀ KA (Alice, Bob) ∃ Eve such that, for random permutation f, Eve^f breaks (Alice^f, Bob^f).
• Cor 1: There is an oracle relative to which OWP exists and KA does not. The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE.
• Cor 2: There is no fully-BB reduction from KA to OWP.
• Cor 3: …
[IR89] - Why f is OWP
• Intuitively obvious: when trying to invert f on some y = f(x), have no chance unless accidentally query f on x. With q queries chances for that < 2q/2^n.
• More formally: ∀ M making q queries, ∀ n-bit y: Pr_f[M^f(y) = f^{-1}(y)] < (2q+2)/2^n.
• Fix n, by Markov: Pr_f { Pr_y[M^f(y) = f^{-1}(y)] > n^2(2q+2)/2^n } < 1/n^2.
• ∀ M, with prob. 1 over f: Pr_y[M^f(y) = f^{-1}(y)] > n^2(2q+2)/2^n only finitely often ….
• With prob. 1 over f, ∀ M …
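The "finitely often" step, carried through explicitly (an added derivation, not on the slide; n is the input length, q = q(n) the query bound of the fixed machine M, and $p_n(f) := \Pr_y[M^f(y)=f^{-1}(y)]$ is the slide's inner probability):

Fix n. The per-y bound holds for every y, so averaging over uniform y gives
$$\mathbb{E}_f\big[p_n(f)\big] = \mathbb{E}_y\big[\Pr_f[M^f(y)=f^{-1}(y)]\big] < \frac{2q+2}{2^n}.$$
Since $p_n(f) \ge 0$, Markov's inequality gives the slide's bound
$$\Pr_f\Big[p_n(f) > n^2\cdot\frac{2q+2}{2^n}\Big] < \frac{\mathbb{E}_f[p_n(f)]}{n^2 (2q+2)/2^n} < \frac{1}{n^2}.$$
Because $\sum_{n\ge 1} 1/n^2 < \infty$, the Borel–Cantelli lemma says that with probability 1 over f the event $p_n(f) > n^2(2q+2)/2^n$ occurs for only finitely many n. For q polynomial in n the threshold $n^2(2q+2)/2^n$ is negligible, so for all large n the machine M inverts f with negligible probability. Finally, there are only countably many (uniform) machines M, and a countable union of measure-zero sets of f still has measure zero, which is the last bullet: with probability 1 over f, the statement holds for all M simultaneously.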
Why f is OWP Against Circuits
• Too many circuit families for uniform argument (not enumerable).
• [GT00]: f is exponentially hard even against circuits.
• High level idea: Consider C that makes q queries and ε-inverts f.
• C gives some non-trivial information on f ⇒ a compact description of f, relative to C.
• Loosely, the description of f contains two carefully chosen subsets X and Y and f|_{{0,1}^n \ X}:
– f(X) = Y.
– Y contains ≥ 1/q fraction of the y’s on which C inverts.
– X and Y allow reconstruction of f|_X.
• Setting parameters correctly: #descriptions << (2^n)! ⇒ C can only ε-invert an exp. small fraction of the f’s.
[IR89] – How Eve Finds the Secret
• Recall, we assume P=NP, and want to show that Eve^f breaks (Alice^f, Bob^f).
• P=NP implies that without f there is no cryptographic hardness. In particular, no KA!
• In fact, for the purpose of oracle separation, we can essentially assume Eve, Alice and Bob are all-powerful and only bounded by the number of queries to f.
• In this setting, a clear characterization of “knowledge”: the queries made to f and its answers.
[IR89] – How Eve Finds the Secret Cont.
• If s is the key agreed by Alice and Bob, assume wlog that both parties query f on s. Therefore s is an “intersection query”.
⇒ Enough that Eve finds all “likely” intersection queries.
Eve’s algorithm (over simplified):
• Let T be the transcript of (Alice^f, Bob^f), let L be a list of queries and answers to f (initially empty). Repeat polynomial number of times:
– Simulate: sample a random view of Alice which is consistent with T and L.
– Update: Repeat all the “simulated queries” Alice makes, but this time to real f. Insert to L.
• Output a random query from L.
Intuition:
• Whenever simulated Alice is consistent with real Bob’s view, simulated Alice has a fair chance to query s.
• Any inconsistency reveals one of Bob’s queries. This can happen only polynomial number of times.
[IR89] Results – Revisited
• Thm: If P=NP, Key Agreement (KA) is impossible in the Random Oracle model.
• Cannot get a more natural and meaningful separation.
• How can a reduction overcome this separation?
• Traditional interpretation: to overcome the separation the construction of KA must use code of OWP.
• [RTV04] shows that there is no limitation in using OWP as a black box in construction of KA.
⇒ Separation might be overcome using code of adversary in proof of security (as in [Bar01, Bar02]).
Taxonomy of Black-Box Reductions I (the case OWF ⇒ KA) [RTV04]
Black-box implementation: ∃ eff. (Alice, Bob) s.t. ∀ OWF f, (Alice^f, Bob^f) is a secure KA. (Diagram: (Alice, Bob) with oracle access to f.)
Proof of security: Eve breaking (Alice^f, Bob^f) ⇒ Adv inverting f.
Fully-BB reduction: ∃ eff. Adv ∀ Eve (even not eff.) [ Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f, Eve} inverts f ]
Semi-BB reduction: ∀ eff. Eve ∃ eff. Adv [ Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f ]
[IR89]: No relativizing, thus also no Fully; if P=NP, no Semi.
Semi-BB vs. Relativizing
Semi: BB implementation with arbitrary proof of security?
No - [RTV04]: No relativizing ⇒ No Semi.
• Proof idea: can embed into f an arbitrary oracle, in particular can embed Eve. “Embedding technique” due to [Sim98].
Semi-BB vs. Relativizing
Proof sketch:
– Let O be an oracle s.t. ∃ OWF g and no KA.
– Define f.
– Every (Alice^f, Bob^f) can be broken in PPT^f, but f cannot be inverted in PPT^f ⇒ no semi-BB reduction.
Taxonomy II – BB Implementation with Free Proof of Security
Mildly-BB reduction: ∀ eff. Eve ∃ eff. Adv [ Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f ]
Now Eve is really efficient.
(Diagram of the notions, from most to least restrictive: Fully-BB, Relativizing, Semi-BB, Mildly-BB, Free.)
The Power of Mildly-BB
• Only Mildly-BB separations are about efficiency of reductions [GT00, GGK03].
• Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF.
• Conclusion: the restriction is in BB proof of security rather than in BB implementation.
The Power of Mildly-BB
• Proof sketch: Given OWF oracle f (against PPT^f), construct secure KA (against PPT).
Case I: ∃ KA
– Construction ignores the oracle, just executes the secure KA.
Case II: No KA and therefore no OWF
– Every function easy to compute is easy to invert. ⇒ Oracle-OWF f must be hard to compute.
– KA protocol: Alice sends random (x, r), agree on ⟨f(x), r⟩.
OWF vs. OWP
• [IR, KSS00] Random Oracle separates OWF from OWP.
• A much simpler argument for a weaker result:
Thm. G^f is a permutation for every function f ⇒ for all f can invert G^f (using a PSPACE-complete oracle).
Adv algorithm on input y = G^f(x):
• Let L be a list of queries and answers to f (initially empty). Repeat polynomial number of times:
– Simulate: generate some f’ and x’ such that f’ is consistent with L and y = G^{f’}(x’).
– Update: Repeat all the “simulated queries” of G^{f’}(x’) but this time to real f. Insert to L.
• Output last x’.
Correctness: If x’ ≠ x then the evaluations G^f(x) and G^{f’}(x’) must reveal a new inconsistency of f and f’.
OWF vs. OWP Cont.
Where is the weakness? To argue that G is insecure we assumed it is correct: G^f is a permutation for every function f.
Is this legitimate?
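The Simulate/Update inverter from the previous slide, run on a toy construction (an added example, not code from the talk): G^f is a 3-round Feistel over 8-bit inputs calling a 4-bit oracle f, both constructed here, and brute force over the 256 inputs stands in for the PSPACE-complete oracle. It leans on exactly the assumption questioned above, that G^f is a permutation for every f, which is what makes the "unique x'" search and the termination argument go through.

```python
import random

N_HALF = 4                      # Feistel half width: f maps 4-bit to 4-bit values
HALF_MASK = (1 << N_HALF) - 1
ROUNDS = 3

class RecordingOracle:
    """Lookup-table oracle (f or f') that records every query/answer pair."""
    def __init__(self, table):
        self.table, self.queries = table, []

    def __call__(self, q):
        self.queries.append((q, self.table[q]))
        return self.table[q]

def G(f, x):
    """Toy construction G^f: 3-round Feistel over 8-bit x, calling f each round.
    A permutation for *every* function f, which is the assumption the argument uses."""
    left, right = x >> N_HALF, x & HALF_MASK
    for _ in range(ROUNDS):
        left, right = right, left ^ f(right)
    return (left << N_HALF) | right

def invert(real_table, y, rng):
    """Adv algorithm from the slide: Simulate / Update until x' inverts y."""
    real_f = RecordingOracle(real_table)
    L = {}                      # answers of the real f learned so far
    while True:
        # Simulate: f' agreeing with L (other points random) and the unique x'
        # with y = G^{f'}(x'); brute force over 256 inputs stands in for PSPACE.
        f_prime = RecordingOracle([L[q] if q in L else rng.randrange(1 << N_HALF)
                                   for q in range(1 << N_HALF)])
        for x_prime in range(1 << (2 * N_HALF)):
            f_prime.queries.clear()
            if G(f_prime, x_prime) == y:
                break
        # Update: replay the simulated queries, this time to the real f.
        for q, _ in f_prime.queries:
            L[q] = real_f(q)
        # Wrong x' means some replayed query disagreed with f', so it was new
        # to L: L strictly grows, hence at most 16 rounds before success.
        if G(real_f, x_prime) == y:
            return x_prime, len(L)

def demo(seed=1):
    """Constructed sample: random f on 16 points; invert G^f at a random x."""
    rng = random.Random(seed)
    real_table = [rng.randrange(1 << N_HALF) for _ in range(1 << N_HALF)]
    x = rng.randrange(1 << (2 * N_HALF))
    y = G(lambda q: real_table[q], x)
    x_found, known_points = invert(real_table, y, rng)
    return x, x_found, known_points
```

The second return value of invert is the number of distinct points of f the adversary ever had to learn, never more than the 16 points f has, regardless of the seed.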
More on Relativizing vs. BB Reductions
• In some scenarios (e.g. KA -> OWF), no relativizing reduction ⇔ no fully-BB reduction.
• Not always: Consider the construction of Trapdoor (poly-1) Functions from PKE.
– [BHSV98] gives a construction in the random oracle model.
⇒ Hard to come up with an oracle separation (as the oracle may potentially be used for the BHSV transformation).
– [GMR01] solves it by showing for any particular construction an oracle that foils it (rather than giving one oracle that foils all constructions).
• [Myers04] takes it further, considers one specific (but very natural) construction and gives an oracle that foils it.
Are we happy/unhappy with this?
[Rudich91]: Hard to Reduce Interaction
• [Rud91] Separate k-message KA from (k-1)-message KA.
For k=3 oracle O contains: f1, f2, f3 length-tripling random functions, R defined below, Π - PSPACE complete.
3-KA (diagram; Alice holds z, r and Bob holds s):
Alice → Bob: m1 = f1(z, r)
Bob → Alice: m2 = f2(s, m1)
Alice → Bob: m3 = f3(z, r, m2)
Bob computes z = R(s, m3); both output z.
On an “incorrect” input R outputs a random string.
[Rud91]: No 2-KA (i.e. PKE) relative to O
• Without R no KA [IR89].
• Let (Alice’, Bob’) be a two message protocol.
• Assume Alice’ makes a useful query R(s, m3).
– (s, m3) is a “correct” input to R ⇒ must have been created by 3 “correct” consecutive invocations ⇒ either Alice’ or Bob’ must already know z, r, s.
– If it’s Alice’, R is not needed.
– Otherwise, Eve can also know (s, m3) and apply R.
How do we define BB access to a protocol?
• In [Rudich91] and most subsequent works this means black-box access to the message and output functions of the parties.
• Can consider a more restricted notion where the access is to a third party implementing the functionality. (Closer in spirit to a physical implementation.)
• May make arguments much simpler but need to be careful. For example OT in this model does not imply OWF.
• Other possible formalizations in between [HKNRR05].
OWF vs. Collision Resistant Hashing
• [Simon98] gives an oracle separating the two.
• Here “Simon Light”: In particular, consider only regular hash functions (every image has the same number of preimages).
– Regular coll. resistant implied by claw-free permutations.
• Oracle: f - random functions, Π - PSPACE complete, and Q on input circuit C defined as follows: If C^g is regular for every function g then Q outputs uniformly selected x and x’ such that C^f(x) = C^f(x’).
Note: relative to this oracle there may be collision-resistant hash functions (using Q itself). [Simon98] handles this case as well.
OWF vs. Collision Resistant Hashing Cont.
Proof intuition: Assume we want to find f^{-1}(y).
• Due to universal regularity, the only information given by x and x’ are the values of f queried by the evaluations C^f(x) and C^f(x’).
• As long as none of these queries is f^{-1}(y), not much help.
• By regularity, x and x’ are each uniformly distributed (though they are correlated).
• By union bound, only negligible chance to encounter f^{-1}(y).
Limitation On Efficiency
• This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99, GT00, GGK03].
• Example: OWP ⇒ PRG.
• Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP).
(Diagram: PRG with an m-bit seed and an (m+k)-bit output, invoking f.)
Limitation On Efficiency Cont.
• Idea: Define f(w, z) = g(w), z, where w is O(s)-bit long and g is random.
⇒ Each invocation only gives O(s) bits of randomness.
⇒ Can simulate f using randomness from the seed.
Concluding Remarks
• Many more beautiful arguments we did not touch!
• BB separations - a useful research tool.
• The extent to which the proof of security is black-box plays a major role.
• Definitions are subtle, need to make sure we understand the mathematical/philosophical meaning of what we prove.
Some Open Problems
• More non black-box techniques.
• Can we “Razborov-Rudich” Impagliazzo-Rudich?
• Power of reductions that use code of the primitive but are BB w.r.t. the adversary?
[GKMVR00] incomparability of PKE and OT
OT ⇏ PKE by an extension of [Rud91].
PKE ⇏ OT by an oracle containing: f1, f2, R, Π (similar to [Rud91]) to allow PKE. But with a small twist…
(Diagram; Alice holds r and Bob holds z, s:)
Alice → Bob: m1 = f1(r)
Bob → Alice: m2 = f2(z, s, m1)
Alice computes z = R(r, m2); both output z.
Important: define f2 and R to output ⊥ on “incorrect” inputs (sort of validity tests).
⇒ Prevents this specific key agreement from being “fakable”, and turns out to be sufficient.