counterexamples to hardness amplification beyond negligible

Post on 31-Dec-2015


COUNTEREXAMPLES TO HARDNESS AMPLIFICATION BEYOND NEGLIGIBLE

Yevgeniy Dodis, Abhishek Jain, Tal Moran, Daniel Wichs

Hardness Amplification

Go from “weak” security to “strong” security.

Weakly Secure Strongly Secure

50% Defective

Hardness Amplification for OWFs

Security of One-Way Functions: A function is -secure if for all poly-time , . Standard OWF: secure for all . Weak OWF: secure for .

Hardness Amplification for OWFs

Direct Product: The k-wise direct product of is the function .

Direct-Product Theorem: [Yao82,Goldreich89]

If is a weak OWF, then is a OWF when .

Intuition: Attack fails on each with prob > ½ and are indep.

Problem: Attacker need not work independently.

Direct-Product Theorems

Direct-product theorems hold for: one-way functions, weakly verifiable puzzles, hard functions, signatures, MACs, public-coin interactive games, etc.

[Yao82, Lev87, Gold89, Imp95, GNW95, CHS05, PW07, PV07, IJK08, IJKW09, DIJK09, Hait09, Jutla10, HPPW10, MT10, Hol11]

Direct-Product theorems do not hold in general for interactive games. [BIN97,PW07]

Direct-Product Theorems (Closer Look)

Direct-Product Theorem: [Yao82, Goldreich89]

If is a weak OWF, then is a OWF when .

How secure is ? Know: -secure for all . Optimistic: secure. Cautiously Optimistic: Can get or at least security when is sufficiently large.

Call this “Dream” DP Theorem. [GNW 95]

Difficult to prove “dream” DP Theorem

Want to show -hardness of assuming ½-hardness of .

Reduction: Attacker A with advantage on Attacker B with advantage ½ on .

A may only respond on (random) -fraction of inputs. B is forced to run A at least times just to get an answer!

May be able to show -hardness for (all) polynomial , but not beyond that!

Can be formalized into a black-box separation.

[Rudich]

Is “dream” DP Theorem true?

This work: NO! First counterexamples to “dream” Direct-Product theorem.

Counterexample for OWFs: Construct an artificial weak OWF whose hardness does not amplify to . is -secure. In fact, will already be standard OWF. For all poly k, can break with advantage.

Relies on a non-standard assumption on hash functions.

Counterexample for Signatures. Standard assumptions.

Counterexample for OWFs

1. Construct a hard NP problem for which the -wise DP never amplifies security below .

2. Show how to embed this problem inside a OWF.

3. Modify parameters to get counterexample for .


Extended Second-Preimage Resistance

Hard problem for hash function.

ESPR Problem: Attacker gets challenge . Attacker wins if it finds:

A Merkle-path extending .

A second preimage of this path.

ESPR implied by collision-resistance. Need ESPR to hold for a fixed function . Holds in “RO model with advice” [Unruh07].

[Figure: Merkle path diagram with nodes x1, x2, x3, x4, hash boxes h, and a “preimage” label.]

ESPR Does Not Amplify

Get independent instances : Build Merkle-Tree. Single output , pre-image . Guess second preimage . Good with prob . If guess is good, can break all instances!

[Figure: Merkle tree over x1, ..., x8 built with h, with labels z and y.]

[Figure: Merkle path for x5, x6 with sibling values h(x7, x8) and h(…), and labels z and y.]
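The Merkle-tree argument from the "ESPR Does Not Amplify" slide, as an added Python illustration that is not from the talk or the paper. Assumptions: a 2-byte truncated SHA-256 stands in for h so that the "good guess" can be found by exhaustive search, the win condition in espr_win is one reading of the slide's ESPR definition, and all function names and sample challenges are hypothetical.

```python
import hashlib

N = 2  # toy hash length in bytes (constructed) so the "lucky guess" can be searched for

def h(block: bytes) -> bytes:
    """Stand-in compression function, 2N bytes -> N bytes (truncated SHA-256)."""
    return hashlib.sha256(block).digest()[:N]

def merkle_levels(xs):
    """levels[0] = the k challenges (k a power of two); each level hashes adjacent pairs."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def path_for(levels, i):
    """Blocks hashed on the way from challenge i up to the preimage of the root."""
    path = []
    for level in levels[:-1]:
        i -= i % 2                      # left index of the pair containing node i
        path.append(level[i] + level[i + 1])
        i //= 2
    return path

def halves(block):
    return (block[:N], block[N:])

def espr_win(x, path, second):
    """Assumed win condition: path extends x, and `second` collides with its last block."""
    ok = x in halves(path[0]) and all(h(a) in halves(b) for a, b in zip(path, path[1:]))
    return ok and second != path[-1] and h(second) == h(path[-1])

def find_second_preimage(top):
    """Exhaustive search replaces the single guess; feasible only because N is tiny."""
    for c in range(256 ** (2 * N)):
        cand = c.to_bytes(2 * N, "big")
        if cand != top and h(cand) == h(top):
            return cand

def break_all(xs):
    levels = merkle_levels(xs)
    top = levels[-2][0] + levels[-2][1]  # preimage of the single root levels[-1][0]
    guess = find_second_preimage(top)    # one value, reused for every instance
    return [espr_win(x, path_for(levels, i), guess) for i, x in enumerate(xs)]

XS = [hashlib.sha256(b"instance-%d" % i).digest()[:N] for i in range(8)]  # constructed, k = 8
print(break_all(XS))
```

Every path ends in the same top block, so the cost of finding one second preimage is paid once regardless of k, which is why taking more instances does not push the success probability below that of a single good guess.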

Counterexample for OWFs

1. Construct a hard NP problem for which the -wise direct product never amplifies beyond .

2. Show how to embed this problem inside a OWF.

3. Modify parameters to get counterexample for .

Embed ESPR Problem in OWF

Let be a regular OWF.

Define:

On random input, w.o.p. To invert need to either:

Find or Find such that

Claim: is a OWF. Claim: is no more secure than -wise DP of ESPR problem.

Counterexample for OWFs

Have function such that: is secure OWF. is not secure, for any .

Define : On security parameter , behaves like with security parameter . is still secure in standard sense (poor exact security). is not secure, for any .

Scale Down

Assume (time = , )-security.

Counterexample for OWFs

Theorem: Assuming exponential security of ESPR problem, there exists a (weak) OWF whose -wise DP does not amplify security to no matter how large is.

Counterexample for Signatures

Standard direct-product theorem holds for stateless signatures (weak standard security). [DIJK09]

Show: Dream DP theorem does not hold.

Main idea: embed a multi-party computation (MPC) protocol inside a signature scheme.

Toy Example: Stateful Signatures

Take any signature scheme, and a multi-party coin-tossing protocol .

Modify signature algorithm. On message m: Sign m using original scheme.

If m = “init_prot: parties=, role=” begin executing party protocol acting as party . (stateful)

For future m, run on m and append output to the signature.

If terminates with output : output sk with signature.

Stand-alone scheme is secure. Attacker can’t cause execution of to output .

Toy Example: Stateful Signatures

To break -wise DP, pass messages between the signing oracles to execute a single (honest) instance of . With probability can break all instances!

[Figure: signing oracles Sign_{sk_1}(·), Sign_{sk_2}(·), …, Sign_{sk_k}(·).]

Stateful to Stateless Signatures

Use “stateless/resettable MPC” [CGGM00, Goyal-Maji 11]. Parties are stateless. Attacker passes messages between them to drive protocol execution. Attacker can only “reset” computation and try again.

For coin-tossing, attacker has poly tries to get output .

Theorem: Assuming stateless MPC for coin-tossing, there exist signature schemes whose -wise DP does not amplify security below no matter what is.

Conclusions

In general, “direct product” may not amplify security beyond negligible, even to .

Open problems: Counterexample for OWFs under standard assumptions. Counterexample for a natural OWF. Or conjecture exponential amplification for a sub-class of OWFs?

Counterexample for XOR Lemma.

THANK YOU
